From aa787f22c06e42c15918a4386c4b20497f62056c Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 14 Nov 2020 23:39:36 -0800
Subject: [PATCH] Update install-evtx-attack-samples.ps1
---
 Vagrant/scripts/install-evtx-attack-samples.ps1 | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/Vagrant/scripts/install-evtx-attack-samples.ps1 b/Vagrant/scripts/install-evtx-attack-samples.ps1
index 1045be5..71d9870 100644
--- a/Vagrant/scripts/install-evtx-attack-samples.ps1
+++ b/Vagrant/scripts/install-evtx-attack-samples.ps1
@@ -62,9 +62,15 @@ index = evtx_attack_samples
 sourcetype = preprocess-winevt'
 # Restart the forwarder to pick up changes
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Restarting the Splunk Forwarder..."
- Restart-Service SplunkForwarder
+ Try {
+ Restart-Service -Name SplunkForwarder -Force -ErrorAction Stop
+ } Catch {
+ Start-Sleep 10
+ Stop-Service -Name SplunkForwarder -Force
+ Start-Service -Name SplunkForwarder -Force
+ }
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
 }
 } Else {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) EVTX attack samples were already installed. Moving On."
-}
\ No newline at end of file
+}
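Review bot: In the Catch fallback, `Start-Service -Name SplunkForwarder -Force` will not bind, because `Start-Service` has no `-Force` parameter (only `Stop-Service` and `Restart-Service` do). The fallback therefore stops the forwarder and then fails to start it again. Unless the script sets a stopping error preference outside this hunk, it still goes on to print "Done!", so the host silently stops shipping events to Splunk. I would change the last two fallback lines to `Stop-Service -Name SplunkForwarder -Force -ErrorAction Stop` and `Start-Service -Name SplunkForwarder -ErrorAction Stop`. I would also gate the "Done!" message on `(Get-Service -Name SplunkForwarder).Status -eq 'Running'`, so a dead forwarder shows up in the provisioning log rather than as a gap in telemetry later.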