Merge pull request #210 from clong/march_update_1

Update Splunk apps, create vagrantfile_minimum, bugfixes

.github/issue_template.md

@@ -2,8 +2,7 @@
 * Provider (VirtualBox/VMWare):
 * Vagrant Version:
 * Packer Version:
+* Are you using stock boxes (downloaded) or were they built from scratch using Packer?
 * Is the issue reproducible or intermittent?
 
 ### Description of the issue:
-
-

README.md

@@ -177,10 +177,11 @@ suricata | Suricata IDS logs
   * Process Explorer
   * PsExec
   * TCPView
+  * Notepad++
   * Google Chrome
-  * Atom editor
   * WinRar
   * Mimikatz
+  * Wireshark
 
 ## Applied GPOs
 * [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm)

Vagrant/Vagrantfile

@@ -56,6 +56,8 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -118,6 +120,8 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
@@ -175,6 +179,8 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false

Vagrant/Vagrantfile_Minimum

@@ -0,0 +1,216 @@
+Vagrant.configure("2") do |config|
+
+  config.vm.define "logger" do |cfg|
+    cfg.vm.box = "bento/ubuntu-16.04"
+    cfg.vm.hostname = "logger"
+    config.vm.provision :shell, path: "bootstrap.sh"
+    cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      v.vmx["displayname"] = "logger"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.vmx["displayname"] = "logger"
+      v.memory = 4096
+      v.cpus = 2
+      v.gui = true
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "logger"
+      vb.customize ["modifyvm", :id, "--memory", 4096]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "dc" do |cfg|
+    cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+    cfg.vm.hostname = "dc"
+    cfg.vm.boot_timeout = 600
+    # use the plaintext WinRM transport and force it to use basic authentication.
+    # NB this is needed because the default negotiate transport stops working
+    #    after the domain controller is installed.
+    #    see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
+    cfg.winrm.transport = :plaintext
+    cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
+    cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
+
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "reload"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+    cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
+    cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.vmx["displayname"] = "dc.windomain.local"
+      v.memory = 2560
+      v.cpus = 2
+      v.gui = true
+    end
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.vmx["displayname"] = "dc.windomain.local"
+      v.memory = 2560
+      v.cpus = 2
+      v.gui = true
+      v.enable_vmrun_ip_lookup = false
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "dc.windomain.local"
+      vb.default_nic_type = "82545EM"
+      vb.customize ["modifyvm", :id, "--memory", 2560]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "wef" do |cfg|
+    cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+    cfg.vm.hostname = "wef"
+    cfg.vm.boot_timeout = 600
+    cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
+    cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
+
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "reload"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+    cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+    cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.vmx["displayname"] = "wef.windomain.local"
+      v.memory = 2048
+      v.cpus = 2
+      v.gui = true
+    end
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.vmx["displayname"] = "wef.windomain.local"
+      v.memory = 2048
+      v.cpus = 2
+      v.gui = true
+      v.enable_vmrun_ip_lookup = false
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "wef.windomain.local"
+      vb.default_nic_type = "82545EM"
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+
+  config.vm.define "win10" do |cfg|
+    cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
+    cfg.vm.hostname = "win10"
+    cfg.vm.boot_timeout = 600
+    cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
+    cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
+
+    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "reload"
+    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
+    cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+
+    cfg.vm.provider "vmware_fusion" do |v, override|
+      override.vm.box = "../Boxes/windows_10_vmware.box"
+      v.vmx["displayname"] = "win10.windomain.local"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_10_vmware.box"
+      v.vmx["displayname"] = "win10.windomain.local"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+      v.enable_vmrun_ip_lookup = false
+    end
+
+    cfg.vm.provider "virtualbox" do |vb, override|
+      vb.gui = true
+      vb.name = "win10.windomain.local"
+      vb.default_nic_type = "82545EM"
+      vb.customize ["modifyvm", :id, "--memory", 2048]
+      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+      vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+    end
+  end
+end

Vagrant/bootstrap.sh

@@ -76,11 +76,11 @@ install_splunk() {
     /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_012.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_100.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz  -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz  -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz  -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_11.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_12.tgz  -auth 'admin:changeme'
     # Add custom Macro definitions for ThreatHunting App
     cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/local
 

Vagrant/scripts/install-choco-extras.ps1

@@ -0,0 +1,15 @@
+# Purpose: Install additional packages from Chocolatey.
+
+Write-Host "Installing additional Choco packages..."
+
+If (-not (Test-Path "C:\ProgramData\chocolatey")) {
+  Write-Host "Installing Chocolatey"
+  iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+} else {
+  Write-Host "Chocolatey is already installed."
+}
+
+Write-Host "Installing Chocolatey extras..."
+choco install -y wireshark
+
+Write-Host "Choco addons complete!"

Vagrant/scripts/install-redteam.ps1

@@ -0,0 +1,50 @@
+# Purpose: Installs Mimikatz and Powersploit into c:\Tools\Mimikatz. Used to install redteam related tooling.
+
+Write-Host "Installing Red Team Tooling..."
+
+
+# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall
+If ($env:computername -eq "win10") {
+  If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
+  {
+    Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
+  }
+  gpupdate /force | Out-String
+  Write-Host "Disabling Windows Defender Realtime Monitoring..."
+  Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
+  set-MpPreference -DisableRealtimeMonitoring $true
+  Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+}
+
+# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
+Write-Host "Determining latest release of Mimikatz..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
+$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
+$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
+if (-not (Test-Path $mimikatzRepoPath))
+{
+  Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
+  Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
+}
+else
+{
+  Write-Host "Mimikatz was already installed. Moving On."
+}
+
+# Download and unzip a copy of PowerSploit
+Write-Host "Downloading Powersploit..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
+$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
+if (-not (Test-Path $powersploitRepoPath)) {
+  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
+  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
+  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
+} else {
+  Write-Host "PowerSploit was already installed. Moving On."
+}
+
+Write-Host "Red Team tooling installation complete!"

Vagrant/scripts/install-utilities.ps1

@@ -1,4 +1,4 @@
-# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco and adds syntax highlighting for Powershell, Batch, and Docker. Also installs Mimikatz into c:\Tools\Mimikatz.
+# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco.
 
 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Installing Chocolatey"
@@ -7,7 +7,7 @@ If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Chocolatey is already installed."
 }
 
-Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
+Write-Host "Installing utilities..."
 If ($(hostname) -eq "win10") {
   # Because the Windows10 start menu sucks
   choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
@@ -16,47 +16,4 @@ choco install -y NotepadPlusPlus
 choco install -y GoogleChrome
 choco install -y WinRar
 
-# Disable Windows Defender realtime scanning before downloading Mimikatz and drop the firewall
-If ($env:computername -eq "win10") {
-  If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
-  {
-    Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
-  }
-  gpupdate /force | Out-String
-  Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
-  set-MpPreference -DisableRealtimeMonitoring $true
-  Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
-}
-
-# Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
-Write-Host "Determining latest release of Mimikatz..."
-# GitHub requires TLS 1.2 as of 2/27
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-$tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
-$mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
-$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
-if (-not (Test-Path $mimikatzRepoPath))
-{
-  Invoke-WebRequest -Uri "$mimikatzDownloadUrl" -OutFile $mimikatzRepoPath
-  Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
-}
-else
-{
-  Write-Host "Mimikatz was already installed. Moving On."
-}
-
-# Download and unzip a copy of PowerSploit
-Write-Host "Downloading Powersploit..."
-# GitHub requires TLS 1.2 as of 2/27
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
-$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
-if (-not (Test-Path $powersploitRepoPath)) {
-  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
-  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
-  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
-} else {
-  Write-Host "PowerSploit was already installed. Moving On."
-}
-
 Write-Host "Utilties installation complete!"

Vagrant/scripts/install-wefsubscriptions.ps1

@@ -1,40 +1,43 @@
 # Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
 # Note: This only needs to be installed on the WEF server
 
-Write-Host "Installing WEF Subscriptions"
+Write-Host "Installing WEF Subscriptions..."
 
-Write-Host "Copying Custom Event Channels DLL"
+Write-Host "Copying Custom Event Channels DLL..."
 if (-not (Test-Path "$env:windir\system32\CustomEventChannels.dll"))
 {
     Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll "$env:windir\system32"
     Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man "$env:windir\system32"
 
-    Write-Host "Installing Custom Event Channels Manifest"
+    Write-Host "Installing Custom Event Channels Manifest..."
     wevtutil im "c:\windows\system32\CustomEventChannels.man"
-    Write-Host "Resizing Channels to 4GB"
+    Write-Host "Resizing Channels to 4GB..."
     $xml = wevtutil el | select-string -pattern "WEC"
     foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
 
-    Write-Host "Starting the Windows Event Collector Service"
+    Write-Host "Starting the Windows Event Collector Service..."
     net start wecsvc
 
-    Write-Host "Creating custom event subscriptions"
+    Write-Host "Creating custom event subscriptions..."
     cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
     cmd /c "for /r %i in (*.xml) do wecutil cs %i"
 
-    Write-Host "Enabling custom event subscriptions"
+    Write-Host "Enabling custom event subscriptions..."
     cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
 
-    Write-Host "Enabling WecUtil Quick Config"
+    Write-Host "Enabling WecUtil Quick Config..."
     wecutil qc /q:true
 }
-else 
+else
 {
-    Write-Host "WEF Subscriptions already installed, moving on"
+  Write-Host "WEF Subscriptions are already installed, moving on..."
+  if ((Get-Service -Name wecsvc).Status -ne "Running")
+  {
     net start wecsvc
+  }
 }
 Start-Sleep -Seconds 60
 if ((Get-Service -Name wecsvc).Status -ne "Running")
 {
-    throw "Windows Event Collector service was not running"
-}
+    throw "Windows Event Collector failed to start"
+}