Add velociraptor

Azure/Ansible/roles/common/tasks/main.yml

@@ -27,6 +27,15 @@
 
 - debug: msg="{{ sysinternals.stdout_lines }}"
 
+- name: Installing Velociraptor
+  win_shell: ".\\install-velociraptor.ps1"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  register: velociraptor
+  failed_when: "'Exception' in velociraptor.stdout"
+
+- debug: msg="{{ velociraptor.stdout_lines }}"
+
 - name: Installing AutorunsToWineventlog
   win_shell: ".\\install-autorunstowineventlog.ps1"
   args:

ESXi/ansible/roles/common/tasks/main.yml

@@ -27,6 +27,15 @@
 
 - debug: msg="{{ sysinternals.stdout_lines }}"
 
+- name: Installing Velociraptor
+  win_shell: ".\\install-velociraptor.ps1"
+  args:
+    chdir: 'c:\vagrant\scripts'
+  register: velociraptor
+  failed_when: "'Exception' in velociraptor.stdout"
+
+- debug: msg="{{ velociraptor.stdout_lines }}"
+
 - name: Installing AutorunsToWineventlog
   win_shell: ".\\install-autorunstowineventlog.ps1"
   args:

ESXi/ansible/roles/logger/tasks/main.yml

@@ -387,6 +387,14 @@
     suricata-update enable-source et/open
     suricata-update enable-source ptresearch/attackdetection
 
+    # Configure the Splunk inputs
+    mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
+    crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
+
     # Update suricata and restart
     suricata-update
     service suricata stop
@@ -425,10 +433,6 @@
   shell: |
     # Environment variables
     NODECFG=/opt/zeek/etc/node.cfg
-    SPLUNK_ZEEK_JSON=/opt/splunk/etc/apps/Splunk_TA_bro
-    SPLUNK_ZEEK_MONITOR='monitor:///opt/zeek/spool/manager'
-    SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
-    SPLUNK_SURICATA_SOURCETYPE='json_suricata'
     export PATH=$PATH:/opt/zeek/bin
     pip install zkg==2.1.1
     zkg refresh
@@ -474,22 +478,16 @@
     systemctl enable zeek
     systemctl start zeek
 
-    mkdir -p $SPLUNK_ZEEK_JSON/local
-    cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf
-
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
-    crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
-    crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0
+    # Configure the Splunk inputs 
+    mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
+    crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
 
     # Ensure permissions are correct and restart splunk
-    chown -R splunk $SPLUNK_ZEEK_JSON
+    chown -R splunk:splunk /opt/splunk/etc/apps/Splunk_TA_bro
     /opt/splunk/bin/splunk restart
 
     # Verify that Zeek is running

Vagrant/Vagrantfile

@@ -68,6 +68,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
@@ -138,6 +139,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
@@ -198,6 +200,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
     cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false
 

Vagrant/bootstrap.sh

@@ -351,7 +351,7 @@ install_zeek() {
   crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
 
   # Ensure permissions are correct and restart splunk
-  chown -R splunk /opt/splunk/etc/apps/Splunk_TA_bro
+  chown -R splunk:splunk /opt/splunk/etc/apps/Splunk_TA_bro
   /opt/splunk/bin/splunk restart
 
   # Verify that Zeek is running
@@ -361,6 +361,35 @@ install_zeek() {
   fi
 }
 
+install_velociraptor() {
+  echo "[$(date +%H:%M:%S)]: Installing Velociraptor..."
+  mkdir /opt/install_velociraptor
+  echo "[$(date +%H:%M:%S)]: Attempting to determine the URL for the latest release of Velociraptor"
+  LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/latest | grep 'linux-amd64' | grep -Eo "/(?[^\"]+)" | grep amd | sed 's#^#https://github.com#g')
+  echo "[$(date +%H:%M:%S)]: The URL for the latest release was extracted as $LATEST_VELOCIRAPTOR_LINUX_URL"
+  echo "[$(date +%H:%M:%S)]: Attempting to download..."
+  wget -P /opt/velociraptor "$LATEST_VELOCIRAPTOR_LINUX_URL"
+  if [ "$(file velociraptor*linux-amd64 | grep -c 'ELF 64-bit LSB executable')" -eq 1 ]; then
+    echo "[$(date +%H:%M:%S)]: Velociraptor successfully downloaded!"
+  else
+    echo "[$(date +%H:%M:%S)]: Failed to download the latest version of Velociraptor. Please open a DetectionLab issue on Github."
+    return
+  fi
+  
+  mv velociraptor-*-linux-amd64 velociraptor
+  chmod +x velociraptor
+  cp /vagrant/resources/velociraptor/server.config.yaml /opt/velociraptor
+  echo "[$(date +%H:%M:%S)]: Creating Velociraptor dpkg..."
+  ./velociraptor --config ~/server.config.yaml debian server
+  echo "[$(date +%H:%M:%S)]: Installing the dpkg..."
+  if dpkg -i velociraptor_*_server.deb > /dev/null; then
+    echo "[$(date +%H:%M:%S)]: Installation complete!"
+  else
+    echo "[$(date +%H:%M:%S)]: Failed to install the dpkg"
+    return
+  fi
+}
+
 install_suricata() {
   # Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts from Windows
   echo "[$(date +%H:%M:%S)]: Installing Suricata..."
@@ -450,6 +479,7 @@ install_guacamole() {
 postinstall_tasks() {
   # Include Splunk and Zeek in the PATH
   echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
+  echo "export SPLUNK_HOME=/opt/splunk" >>~/.bashrc
   # Ping DetectionLab server for usage statistics
   curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"
 }
@@ -463,6 +493,7 @@ main() {
   install_fleet
   download_palantir_osquery_config
   import_osquery_config_into_fleet
+  install_velociraptor
   install_suricata
   install_zeek
   install_guacamole

Vagrant/resources/velociraptor/Velociraptor.config.yaml

@@ -0,0 +1,54 @@
+version:
+  name: velociraptor
+  version: 0.4.5
+  commit: 17e0f0f
+  build_time: "2020-06-12T09:39:50+10:00"
+Client:
+  server_urls:
+  - https://logger:9000/
+  ca_certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDKjCCAhKgAwIBAgIQJpjTbn3lIQ0+ApCGFx65ZDANBgkqhkiG9w0BAQsFADAa
+    MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjAwNjMwMDAxNTUyWhcNMzAw
+    NjI4MDAxNTUyWjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG
+    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC85kV1Bq7AmCHEgPItAzKtdbmF/4usy9YH
+    KY1uSCo5i2wCpxGu+kyoyMd9REjXnfLvPxpSkeoV7uAPPiVnzWD43Du2f3b0Kh5x
+    ppTYH0pb60NVV5KqQd3HI0Gssa5VYqLRjSeb7SN/JNxRjWeVG0VpX9vDTlWcTJ11
+    n9/ZP3eYnPIuNmHdAiYe0EbN1Cbmkh6VFALofYnbHC5qqdq1aHtI4jvquqYoCYgc
+    y0b3GN00tuYLG7huu+G9Ng99aFjEfCD84eI//S2rLn/JaTHsYiqay+WDWHSwo0+4
+    nMuUtolMdvP5R/rOPNG7NuU/8lg8zgql+baZIFENlSohkQpetg8NAgMBAAGjbDBq
+    MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+    DwYDVR0TAQH/BAUwAwEB/zAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVs
+    b2NpZGV4LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAmA1PR5GM/c4l0POFaZLdkVXC
+    LSMmPJaCu4TihgxtG+/noTR7fDiCWdjcS93Pc3YYMYYmFmZ86iwbOK3sFT8HWoFA
+    X03IyJyWKOAdgYioXYWoXjKI8QCFEVtYnZaxkI9On4zlYntadjJS/s8cFXlU2koZ
+    mF6YWQdC5wbA45FyUyCCbBQLlm91KejZK+8BvHkMvSfUWk0WIYV4bHH1MkEg/csU
+    /mw6N81dnaUZ7tWbPxGdtbY9+xTboygx7DlghykcI5wuWXJxm5K1vNj9dvCF4cUw
+    OuTkZ6ekn+anNLHBOs4u01kSplR++Jjf2rzlpkDN/ei4yJCkyM00MtbyTzM5zA==
+    -----END CERTIFICATE-----
+  nonce: fvKPYbt+0n0=
+  writeback_darwin: /etc/velociraptor.writeback.yaml
+  writeback_linux: /etc/velociraptor.writeback.yaml
+  writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml
+  max_poll: 60
+  windows_installer:
+    service_name: Velociraptor
+    install_path: $ProgramFiles\Velociraptor\Velociraptor.exe
+    service_description: Velociraptor service
+  darwin_installer:
+    service_name: com.velocidex.velociraptor
+    install_path: /usr/local/sbin/velociraptor
+  version:
+    name: velociraptor
+    version: 0.4.5
+    commit: 17e0f0f
+    build_time: "2020-06-12T09:39:50+10:00"
+  use_self_signed_ssl: true
+  pinned_server_name: VelociraptorServer
+  max_upload_size: 5242880
+  local_buffer:
+    memory_size: 52428800
+    disk_size: 1073741824
+    filename_linux: /var/tmp/Velociraptor_Buffer.bin
+    filename_windows: $TEMP/Velociraptor_Buffer.bin
+    filename_darwin: /var/tmp/Velociraptor_Buffer.bin

Vagrant/resources/velociraptor/server.config.yaml

@@ -0,0 +1,175 @@
+version:
+  name: velociraptor
+  version: 0.4.5
+  commit: 17e0f0f
+  build_time: "2020-06-12T09:39:50+10:00"
+Client:
+  server_urls:
+  - https://logger:9000/
+  ca_certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDKjCCAhKgAwIBAgIQJpjTbn3lIQ0+ApCGFx65ZDANBgkqhkiG9w0BAQsFADAa
+    MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjAwNjMwMDAxNTUyWhcNMzAw
+    NjI4MDAxNTUyWjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG
+    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC85kV1Bq7AmCHEgPItAzKtdbmF/4usy9YH
+    KY1uSCo5i2wCpxGu+kyoyMd9REjXnfLvPxpSkeoV7uAPPiVnzWD43Du2f3b0Kh5x
+    ppTYH0pb60NVV5KqQd3HI0Gssa5VYqLRjSeb7SN/JNxRjWeVG0VpX9vDTlWcTJ11
+    n9/ZP3eYnPIuNmHdAiYe0EbN1Cbmkh6VFALofYnbHC5qqdq1aHtI4jvquqYoCYgc
+    y0b3GN00tuYLG7huu+G9Ng99aFjEfCD84eI//S2rLn/JaTHsYiqay+WDWHSwo0+4
+    nMuUtolMdvP5R/rOPNG7NuU/8lg8zgql+baZIFENlSohkQpetg8NAgMBAAGjbDBq
+    MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+    DwYDVR0TAQH/BAUwAwEB/zAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVs
+    b2NpZGV4LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAmA1PR5GM/c4l0POFaZLdkVXC
+    LSMmPJaCu4TihgxtG+/noTR7fDiCWdjcS93Pc3YYMYYmFmZ86iwbOK3sFT8HWoFA
+    X03IyJyWKOAdgYioXYWoXjKI8QCFEVtYnZaxkI9On4zlYntadjJS/s8cFXlU2koZ
+    mF6YWQdC5wbA45FyUyCCbBQLlm91KejZK+8BvHkMvSfUWk0WIYV4bHH1MkEg/csU
+    /mw6N81dnaUZ7tWbPxGdtbY9+xTboygx7DlghykcI5wuWXJxm5K1vNj9dvCF4cUw
+    OuTkZ6ekn+anNLHBOs4u01kSplR++Jjf2rzlpkDN/ei4yJCkyM00MtbyTzM5zA==
+    -----END CERTIFICATE-----
+  nonce: fvKPYbt+0n0=
+  writeback_darwin: /etc/velociraptor.writeback.yaml
+  writeback_linux: /etc/velociraptor.writeback.yaml
+  writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml
+  max_poll: 60
+  windows_installer:
+    service_name: Velociraptor
+    install_path: $ProgramFiles\Velociraptor\Velociraptor.exe
+    service_description: Velociraptor service
+  darwin_installer:
+    service_name: com.velocidex.velociraptor
+    install_path: /usr/local/sbin/velociraptor
+  version:
+    name: velociraptor
+    version: 0.4.5
+    commit: 17e0f0f
+    build_time: "2020-06-12T09:39:50+10:00"
+  use_self_signed
+    BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEB
+    AEohrNAKjUcq2wNIiPX6tCRDLbzRB/qmf+GBbpslRTa7RQVvFOgtUVYejcnMYUBG
+    LEmL+uxACJNliCqjo76OkIPUbKj32CrKGU8Jj/dKCAK5PQW1kDEhdes61RA5TuAz
+    W/HC9iEuNHAZLmvjnoIOxM+tZgaf/KdOGWyyZaFKD+d+ojd9Y4I/FDXpng3DB26Q
+    xzS/vAKMrYq4LOnPtDdbJpUrVgm8Rw2T9oiV8aZxSR+EenjfvLywMRM4nJ8l1W4n
+    jJDmNzWmEHxShhCL7DEdnrFbq/HttI56b8L3CYqDZ5P5J3xTVchX6J2x71YrKRv1
+    7AaFjAISs3AbF0AOJ0PEbMQ=
+    -----END CERTIFICATE-----
+  gw_private_key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEowIBAAKCAQEAl73NRkhNSd/kU13Jm7Vyua3mRsnUUii1jVFtdNW1j52Fm1Y1
+    3NSotSeQ3Mro9Pak2UkUYq/DVLzT1v/NEXXMhxAQqeVl+3ei4V3RfHTDG2afBqW2
+    m65/FFNHjRVTPsQ7CSJQdoxOcxINC3lStFojFLTpzvXZLJ9ID+vNkUjAGZY9QO5O
+    X2LyIIcWIKl3mGSN3TtLhGz276NSKIVwfXHSAIa1JbDKtgvwcImcmnL4ziPWuSO9
+    cVBW+jLIhn9PFl2+BauYWX/LvO4cZivCzPAqgvjJ4ETAURQlTDwkyAQlEH7h67Ti
+    JyZ+YZSEBA1cElRHsUscbK89gfTGx3VUyOfiLwIDAQABAoIBADj567oYK+0xRGqJ
+    LMpqt0lBItYxsqem4YTOrmrQU/w5CZHqLQ9eSnq7AInnJtHUStHLvvvPQ2jt/h0c
+    r8N+l+2e+qLQoBpsMZytvZsdvKTtQ4kbcBXEz7KyEovHFhrbU896MvxQcqSCgqNs
+    SsGtlr6Pr7smVQWMSWKxB98lkfwI+bMT8MLInDqjiUUtF/UCrz94CJKorSkWJpYW
+    rswOYoWK4XwmimZIsjH3mszLCItxL2blaX0plGzyT+K18kX4TKwCdLiaNVywHhLY
+    PoYq3Sc++vqthzCMJzckpYvq2mZgZ4vAO/spOE3aoDyceh0DkPEu5BF86WjBmpQS
+    vDM89QECgYEAw9uL+7NIZKoJhyv2yLTIHPinuIqWm1L6EqMtYAz7TZZzQqeS2CMN
+    JJL+pRyH+lZzREMloB3dtKPg7HRS9czY+kJGUiEcZdlX8oQDvN0/5plelCXt/YMc
+    5p/E/j2EGDGv5XvCOzdtux22ckiNtdVT1YwptY1vcPJQdhWykwIQsdMCgYEAxlZC
+    /YvhoxFKlYXxTFQv3w9x3hmdxEpmgU7G3nnQP6Eyqq34mDmUWLzRE2jicxTiOlMn
+    jnwyM5SAf6OW/cg+VDJtQZxvke0vBOaVsw+MnEaFjAPSP1RBkTLVZUlqA16yNjxE
+    dwv20AIW2TsIkVVT28qVXOGRvtpuBJFUuw58OLUCgYANAw7/v991YJ6VbmRM3UXW
+    Nubdqcdrtk2K43BmSzZ+5xntObjVxy5eWa21Rnn6Nbgett9PDezmzWRqEShZ0Cwy
+    JCkL18tNMO1Y3VBqQcC3D0VrTkHLb+SBpeeuhGO8P8DR3DEBQiN2JPk0CoHvrKaP
+    L2qt9yGKPW7/CV39yktVpQKBgQCnb18yaIpdfVV3kRG5nEClkIZSN1HmyeBrPTPJ
+    0RArB0ycpi19ZO6FUzE1r4+sE29ASb7VHKfMv4sTNelb6VYlAkUV5JiTmqXc/0RV
+    W8UakLZhE0DE0b5gc4eO8EEdAy5zdsFdtq3vwDPFw35iIqSeohEhzhOaCRBjrsTW
+    /U2FGQKBgGd5tkj+2epytsXjJ5akjpLFrNafNyrm6A1ereo2vA3qU8KBeXW9yzmg
+    4OuFkXh/saxcpumV/tgpdsdm6XZja7NhL26UxCMyecxbDMkHz4021beaW2xZnm9z
+    Za/VZdQOw217z20LYILOaPjH4Xsp9k3n8wQ+jq6yFCalbVSrFjfA
+    -----END RSA PRIVATE KEY-----
+  internal_cidr:
+  - 127.0.0.1/12
+  - 192.168.0.0/16
+  initial_users:
+  - name: admin
+    password_hash: 490d3f018f6f7ae2a7b2c839607d08098f07caa3e5d4ed451ce7e81d3ece1e33
+    password_salt: e32a6323b44a688cf277fec0d8a1f5cf21b2564a192289b1fcb7cad0f81360c9
+CA:
+  private_key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEogIBAAKCAQEAvOZFdQauwJghxIDyLQMyrXW5hf+LrMvWBymNbkgqOYtsAqcR
+    rvpMqMjHfURI153y7z8aUpHqFe7gDz4lZ81g+Nw7tn929CoecaaU2B9KW+tDVVeS
+    qkHdxyNBrLGuVWKi0Y0nm+0jfyTcUY1nlRtFaV/bw05VnEyddZ/f2T93
+    hqlW3q6Pzs9bgTPybKRbWO9wszuzodwe2de70CHQUTp3tdvgUhYLdDqZb+n7cqpq
+    1JIqVoc2PBIdKpFWRPYTn0o1sGMnZb5c+V6y2BLt1LL8bwmmJeB0UNq4U7YAuV5w
+    MVIDAoGAGlYxLpCS8cv6TAwOxonJmC3EPAuvnF7SCzgfX1eB9PXL09jiMyq73V7U
+    ev0prSLunj56eI9hiA2Bv+QCP6+gjrijuQjuvPdW9P+ybxxy4Cl5+Mdqg7ZTf8UO
+    ewNfKk3/11/QbvmUsGWYvVPNExryBRumSKuh7Av0I+6xVc+cwUE=
+    -----END RSA PRIVATE KEY-----
+Frontend:
+  hostname: logger
+  bind_address: 0.0.0.0
+  bind_port: 9000
+  certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIDGDCCAgCgAwIBAgIRALbVSS1itQp9RsDmjJ3YECowDQYJKoZIhvcNAQELBQAw
+    GjEYMBYGA1UEChMPVmVsb2NpcmFwdG9yIENBMB4XDTIwMDYzMDAwMTU1MloXDTIx
+    MDYzMDAwMTU1MlowNDEVMBMGA1UEChMMVmVsb2NpcmFwdG9yMRswGQYDVQQDExJW
+    ZWxvY2lyYXB0b3JTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+    AQCj2FgejZ4sb3CTDq/Ka0N/CBbwxbBXJMdoWDSG2ZB8HoJOETAIOwQkKQqaivn1
+    OtHU6lnxFKxJtD/s1GBkf2XpNOnaLJDY5PB74ZfLnBjGtaGoi+LVyjVv3ee3vKdD
+    yqnC0ew8ck4i2MiRR5v1Ho1TwohMsthHU4MyDjvbDMyNK1hlu5s9DsV/PYg6sdEN
+    aUcFG3ZG07g7b+u8/AUGSFMXXWw9hPj0AKz3Fat91A2BJE9NmLnpFXBUAKjfSGjo
+    NL50ETpc7GDt0iJ8si8WQP/Gj5znDW7hcvczfYq6xdE05Xo4rOLAvWxf+cOjGRk2
+    mbtjHBdjfSwNIxZ8xErk4QuLAgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIFoDAdBgNV
+    HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG
+    9w0BAQsFAAOCAQEArlVw9RRIC5J0eiZ4nETe+IO3xBz3uRuPM8R906cVg/vicUnv
+    DX6GGkq6GoQVpq5WcEObUt2kSPpyJZCNSRGNzeRI7VztmfJN+Gj5AZbSV1lUqHe/
+    ZmZ6Lcy03ZDs/WPUw5mHwerADDqN8w+yFKyQGXhoY3oH9MrvF9loiBiwAMHVBNkz
+    q54zQdpGURYLl34haZqHvmyrZGiAYxUMifT1MybXAiD4vQ0lmmgBgGW3DAeXZByU
+    UpKtEjA6JqJPB9EeZ7bbKYTvg7ZGyRF26ii90srfPZRI7IBGlPbRTjQqEIstfHH8
+    pfZ0QGAR8d6qfaCaySkEYX+aQpjwN+t9tBDp8g==
+    -----END CERTIFICATE-----
+  private_key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEowIBAAKCAQEAo9hYHo2eLG9wkw6vymtDfwgW8MWwVyTHaFg0htmQfB6CThEw
+    CDsEJCkKmor59TrR1OpZ8RSsSbQ/7NRgZH9l6TTp2iyQ2OTwe+GXy5wYxrWhqIvi
+    1co1b93nt7ynQ8qpwtHsPHJOItjIkUeb9R6NU8KITLLYR1ODMg472wzMjStYZbub
+    PQ7Ffz2IOrHRDWlHBRt2RtO4O2/rvPwFBkhTF11sPYT49ACs9xWrfdQNgSRPTZi5
+    6RVwVACo30ho6DS+dBE6XOxg7dIifLIvFkD/xo+c5w1u4XL3M32KusXRNOV6OKzi
+    wL1sX/nDoxkZNpm7YxwXY30sDSMWfMRK5OELiwIDAQABAoIBAQCZ0UN4+47hPIW9
+    KW6TY/vryFZxF8ajKR4jsZsudhYU0DeYvr4PHAiZQgZ4a7yaIuxXLOPfVn8gep4A
+    4qjT8F5mf4yDjI83cEbspi9xsUv5UQ9BQoJkHv/n07X0YqHNHPgetCFJ5i3AvTAe
+    Y9HgXxxi5CA9kTFGVPq4BXDgBrYKWISLUn4YEBjrVAU2H5q9umvYX4T7sL8FB7cz
+    jPFpSRu7zD5rm0D2pZXc/Jiv7wp5iGiFpxaq4Gg4pLsj/bBW8z390id1kS/2KCcc
+    qdoJNrV9Kx48tYx3IC1hUEp8v+Fcu9MVC//EhQPjzbtCpFL7HfrWcou5Tmj/z4Zl
+    +dT2v3vxAoGBAMyC7BbWEbdc/YiYyQW8xT70evcccysWi4FSiJfUYJNu1nAdQtzL
+    e2l24YKVUWx4W1top6T690/lqL82G/0EUNBywTfqBwxrwGyDuiNsWDiQnDn9jNY+
+    l/SZcrm6OhiVXQxOFOsxy+F+nZG9eIFsEA9/I0nNYrUcnpQAuyxr6N09AoGBAM0Y
+    aiLz+2Ul0OsgkgD1mL/DSbAGgwZvAIrBxy4oP/zRpRM+iKzuWYXUoBXIZeR+7r3C
+    8OF17nJ6fTYgNBWXdzpaJ3xnfg9ZatKN20Qp3ESLTcEH9ekUPn5p8920e+r3gT19
+    JpBkbL5L7eDTWKdOG6JNWhl473CyhNVYeeHdAKhnAoGAM93cXGpMMfHOhw8gpGjc
+    qXu9l+BKQRpFpTW2WLNPDvUkQ2jYZUDh+rxgswqFjPn1SXiAU/ImOMgpBN2HOaMX
+    j9YatMCQqxDEy4CY+5Tlxuq+BGMOjeNwDGPCWeImC8gNwionWgLWD0laUvT3k/NB
+    G30GCRiiuQYaHbUVw01W0I0CgYA4JUfg+7PFk92mkIsHsjQ3wuloQ9AYsciPM88o
+    JqKlvmqXYxYdaT6esX+Flw+1xr3quvQgdJ1rP3cJmzVG9+kO02Fd4CMVZqAkterh
+    tSf0p8IIZvp97SnSh4TYG7GUuF7sC1fETYmrarPbSWBKpMpR2yUgNggubOCKWyc6
+    mrq0XwKBgAIf2gArbJbJGfAX0R7ncOIXAmSOqI9d2gVAcHISLrNG/jbebjBnCPsI
+    BDhYKebOJ5qJNQeNnD3FssFrYVC+BggHB86Q0vkqzTGmFPYG/L2Iz6ROm1WeRPY/
+    tZgsrKTDJ+G4aOH6tSXPX9ZKLcZ9Jz+p9X7NFnvWklOctQ9q12Yz
+    -----END RSA PRIVATE KEY-----
+  max_upload_size: 10485760
+  dyn_dns: {}
+  default_client_monitoring_artifacts:
+  - Generic.Client.Stats
+  expected_clients: 10000
+  GRPC_pool_max_size: 100
+  GRPC_pool_max_wait: 60
+Datastore:
+  implementation: FileBaseDataStore
+  location: /opt/velociraptor
+  filestore_directory: /opt/velociraptor
+Writeback: {}
+Mail: {}
+Logging:
+  output_directory: /opt/velociraptor/logs
+  separate_logs_per_component: true
+Monitoring:
+  bind_address: 127.0.0.1
+  bind_port: 8003
+api_config: {}
+server_type: linux
+obfuscation_nonce: ZcKwjHiIuWU=

Vagrant/scripts/fix-windows-expiration.ps1

@@ -1,38 +1,57 @@
 # Purpose: Re-arms the expiration timer on expiring Windows eval images and fixes activation issues
 
 # Check to see if there are days left on the timer or if it's just expired
-$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)|grace time expired"
-if ($regex.Matches.Value -eq "grace time expired") {
+$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)|grace time expired|0xC004D302|0xC004FC07"
+If ($regex.Matches.Value -eq "grace time expired" -or $regex.Matches.Value -eq "0xC004D302") {
   # If it shows expired, it's likely it wasn't properly activated
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) It appears Windows was not properly activated. Attempting to resolve..."
-  try {
+  Try {
     # The TrustedInstaller service MUST be running for activation to succeed
     Set-Service TrustedInstaller -StartupType Automatic
     Start-Service TrustedInstaller
     Start-Sleep 10
     # Attempt to activate
     cscript c:\windows\system32\slmgr.vbs /ato
-  } catch {
+  } Catch {
     Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to reactivate Windows..."
   }
-  # If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
-  $regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
-}  
-try {
+} 
+Elseif ($regex.Matches.Value -eq "0xC004FC07") {
+  Try {
+    cscript c:\windows\system32\slmgr.vbs /rearm
+  } Catch {
+    Write-Host "Something went wrong trying to re-arm the image..."
+  }
+}
+
+# If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
+$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
+
+Try {
   $days_left = $regex.Matches.Groups[1].Value
-} catch {
+} Catch {
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Unable to successfully parse the output from slmgr, not rearming"
   $days_left = 90
 }
-
-if ($days_left -as [int] -lt 30) {
+  
+If ($days_left -as [int] -lt 30) {
   write-host "$('[{0:HH:mm}]' -f (Get-Date)) $days_left days remaining before expiration"
   write-host "$('[{0:HH:mm}]' -f (Get-Date)) Less than 30 days remaining before Windows expiration. Attempting to rearm..."
-  try {
-    cscript c:\windows\system32\slmgr.vbs /rearm
-  } catch {
-    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to re-arm the image..."
+  Try {
+    # The TrustedInstaller service MUST be running for activation to succeed
+    Set-Service TrustedInstaller -StartupType Automatic
+    Start-Service TrustedInstaller
+    Start-Sleep 10
+    # Attempt to activate
+    cscript c:\windows\system32\slmgr.vbs /ato
+  } Catch {
+    Try {
+      cscript c:\windows\system32\slmgr.vbs /rearm
+    } Catch {
+      Write-Host "Something went wrong trying to re-arm the image..."
+    }
   }
-} else {
+} 
+Else {
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $days_left days left until expiration, no need to rearm."
 }

Vagrant/scripts/install-osquery.ps1

@@ -1,5 +1,4 @@
-# Purpose: Installs osquery on the host
-# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
+# Purpose: Installs osquery on the host. Osquery conntects to Fleet via TLS.
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
 $flagfile = "c:\Program Files\osquery\osquery.flags"
@@ -16,7 +15,12 @@ If (-not ($service)) {
 
   ## Use the TLS config
   ## Add entry to hosts file for Kolide for SSL validation
+  If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "kolide") {
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hosts file already updated. Moving on."
+  } Else {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding kolide to the hosts file"
   Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.105    kolide"
+  }
   ## Add kolide secret and avoid BOM
   $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
   [System.IO.File]::WriteAllLines("c:\Program Files\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)

Vagrant/scripts/install-velociraptor.ps1

@@ -0,0 +1,34 @@
+# Purpose: Installs velociraptor on the host
+
+# Add a hosts entry to avoid DNS issues
+If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "logger") {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hosts file already updated. Moving on."
+} Else {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding logger to the hosts file"
+  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.105    logger"
+}
+
+# Downloads and install the latest Velociraptor release
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Velociraptor..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$tag = (Invoke-WebRequest "https://api.github.com/repos/Velocidex/velociraptor/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/$tag/velociraptor-$tag-windows-amd64.msi"
+$velociraptorMSIPath = 'C:\Users\vagrant\AppData\Local\Temp\velociraptor.msi'
+If (-not (Test-Path "C:\Program Files\Velociraptor")) {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Velociraptor..."
+  Invoke-WebRequest -Uri "$velociraptorDownloadUrl" -OutFile $velociraptorMSIPath
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Velociraptor..."
+  msiexec /i $velociraptorMSIPath /quiet /qn /norestart /log c:\Users\vagrant\AppData\Local\Temp\velociraptor_install.log
+  Copy-File "c:\vagrant\resources\velociraptor\Velociraptor.config.yaml" "C:\Program Files\Velociraptor"
+  Restart-Service Velociraptor
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Velociraptor successfully installed!"
+} Else {
+  Write-Host "Velociraptor was already installed. Moving On."
+}
+If ((Get-Service -name Velociraptor).Status -ne "Running")
+{
+  Throw "Velociraptor service is not running"
+}
+
+