Add velociraptor

Vagrant/scripts/fix-windows-expiration.ps1

@@ -1,38 +1,57 @@
 # Purpose: Re-arms the expiration timer on expiring Windows eval images and fixes activation issues
 
 # Check to see if there are days left on the timer or if it's just expired
-$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)|grace time expired"
-if ($regex.Matches.Value -eq "grace time expired") {
+$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)|grace time expired|0xC004D302|0xC004FC07"
+If ($regex.Matches.Value -eq "grace time expired" -or $regex.Matches.Value -eq "0xC004D302") {
   # If it shows expired, it's likely it wasn't properly activated
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) It appears Windows was not properly activated. Attempting to resolve..."
-  try {
+  Try {
     # The TrustedInstaller service MUST be running for activation to succeed
     Set-Service TrustedInstaller -StartupType Automatic
     Start-Service TrustedInstaller
     Start-Sleep 10
     # Attempt to activate
     cscript c:\windows\system32\slmgr.vbs /ato
-  } catch {
+  } Catch {
     Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to reactivate Windows..."
   }
-  # If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
-  $regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
-}  
-try {
+} 
+Elseif ($regex.Matches.Value -eq "0xC004FC07") {
+  Try {
+    cscript c:\windows\system32\slmgr.vbs /rearm
+  } Catch {
+    Write-Host "Something went wrong trying to re-arm the image..."
+  }
+}
+
+# If activation was successful, the regex should match 90 or 180 (Win10 or Win2016)
+$regex = cscript c:\windows\system32\slmgr.vbs /dlv | select-string -Pattern "\((\d+) day\(s\)"
+
+Try {
   $days_left = $regex.Matches.Groups[1].Value
-} catch {
+} Catch {
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Unable to successfully parse the output from slmgr, not rearming"
   $days_left = 90
 }
-
-if ($days_left -as [int] -lt 30) {
+  
+If ($days_left -as [int] -lt 30) {
   write-host "$('[{0:HH:mm}]' -f (Get-Date)) $days_left days remaining before expiration"
   write-host "$('[{0:HH:mm}]' -f (Get-Date)) Less than 30 days remaining before Windows expiration. Attempting to rearm..."
-  try {
-    cscript c:\windows\system32\slmgr.vbs /rearm
-  } catch {
-    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong trying to re-arm the image..."
+  Try {
+    # The TrustedInstaller service MUST be running for activation to succeed
+    Set-Service TrustedInstaller -StartupType Automatic
+    Start-Service TrustedInstaller
+    Start-Sleep 10
+    # Attempt to activate
+    cscript c:\windows\system32\slmgr.vbs /ato
+  } Catch {
+    Try {
+      cscript c:\windows\system32\slmgr.vbs /rearm
+    } Catch {
+      Write-Host "Something went wrong trying to re-arm the image..."
+    }
   }
-} else {
+} 
+Else {
   Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $days_left days left until expiration, no need to rearm."
 }

Vagrant/scripts/install-osquery.ps1

@@ -1,5 +1,4 @@
-# Purpose: Installs osquery on the host
-# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
+# Purpose: Installs osquery on the host. Osquery conntects to Fleet via TLS.
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
 $flagfile = "c:\Program Files\osquery\osquery.flags"
@@ -16,7 +15,12 @@ If (-not ($service)) {
 
   ## Use the TLS config
   ## Add entry to hosts file for Kolide for SSL validation
+  If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "kolide") {
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hosts file already updated. Moving on."
+  } Else {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding kolide to the hosts file"
   Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.105    kolide"
+  }
   ## Add kolide secret and avoid BOM
   $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
   [System.IO.File]::WriteAllLines("c:\Program Files\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)

Vagrant/scripts/install-velociraptor.ps1

@@ -0,0 +1,34 @@
+# Purpose: Installs velociraptor on the host
+
+# Add a hosts entry to avoid DNS issues
+If (Select-String -Path "c:\windows\system32\drivers\etc\hosts" -Pattern "logger") {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Hosts file already updated. Moving on."
+} Else {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Adding logger to the hosts file"
+  Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.105    logger"
+}
+
+# Downloads and install the latest Velociraptor release
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Determining latest release of Velociraptor..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$tag = (Invoke-WebRequest "https://api.github.com/repos/Velocidex/velociraptor/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/$tag/velociraptor-$tag-windows-amd64.msi"
+$velociraptorMSIPath = 'C:\Users\vagrant\AppData\Local\Temp\velociraptor.msi'
+If (-not (Test-Path "C:\Program Files\Velociraptor")) {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Velociraptor..."
+  Invoke-WebRequest -Uri "$velociraptorDownloadUrl" -OutFile $velociraptorMSIPath
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Velociraptor..."
+  msiexec /i $velociraptorMSIPath /quiet /qn /norestart /log c:\Users\vagrant\AppData\Local\Temp\velociraptor_install.log
+  Copy-File "c:\vagrant\resources\velociraptor\Velociraptor.config.yaml" "C:\Program Files\Velociraptor"
+  Restart-Service Velociraptor
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Velociraptor successfully installed!"
+} Else {
+  Write-Host "Velociraptor was already installed. Moving On."
+}
+If ((Get-Service -name Velociraptor).Status -ne "Running")
+{
+  Throw "Velociraptor service is not running"
+}
+
+