diff --git a/Packer/scripts/install-aws-ena.ps1 b/Packer/scripts/install-aws-ena.ps1
new file mode 100644
index 0000000..34d03e9
--- /dev/null
+++ b/Packer/scripts/install-aws-ena.ps1
@@ -0,0 +1,10 @@
+# Installs the AWS Enhanced Networking for Windows
+ Write-Host "Installing the AWS Enhanced Networking Driver"
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ $url="https://s3.amazonaws.com/ec2-windows-drivers-downloads/ENA/Latest/AwsEnaNetworkDriver.zip"
+ (New-Object System.Net.WebClient).DownloadFile($url, "$env:TEMP\AwsEnaNetworkDriver.zip")
+ Expand-Archive -Path $env:TEMP\AwsEnaNetworkDriver.zip -DestinationPath $env:TEMP -Force
+ . $env:TEMP\AwsEnaNetworkDriver\install.ps1
+
+ rm $env:TEMP\AwsEnaNetworkDriver.zip
+ rm -recurse $env:TEMP\AwsEnaNetworkDriver
\ No newline at end of file
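Review bot: The archive fetched from the `ENA/Latest/` URL is expanded and its `install.ps1` is dot-sourced with no integrity check, so whatever that path serves at build time runs with the provisioner's privileges and is baked into the image. Before the dot-source line, compare `(Get-FileHash "$env:TEMP\AwsEnaNetworkDriver.zip" -Algorithm SHA256).Hash` against a hash pinned in the repo, which also means pointing `$url` at a fixed driver version instead of `Latest`. If the package contents are Authenticode-signed, a `Get-AuthenticodeSignature` check on `install.ps1` is a useful second gate. The script also never sets `$ErrorActionPreference = 'Stop'`, so a failed download or extraction would not stop the later lines from running; adding it as the first statement makes the Packer step fail visibly.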
diff --git a/Packer/windows_10.json b/Packer/windows_10.json
index 15bbdcc..9f5dce6 100644
--- a/Packer/windows_10.json
+++ b/Packer/windows_10.json
@@ -154,7 +154,8 @@
{
"type": "powershell",
"scripts": [
- "./scripts/debloat-windows.ps1"
+ "./scripts/debloat-windows.ps1",
+ "./scripts/install-aws-ena.ps1"
]
},
{
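Review bot: Adding `./scripts/install-aws-ena.ps1` to this shared `scripts` list makes every builder that runs this provisioner download and execute the ENA installer, including any non-AWS builders the template may define (the builders section is outside this hunk). If so, move the script into its own `powershell` provisioner restricted with `"only": ["<aws-builder-name>"]`, so other builds do not fetch and run a remote installer they have no use for.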
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
deleted file mode 100755
index b4f25f3..0000000
--- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/Backup.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/Backup.xml
deleted file mode 100644
index d35589a..0000000
--- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/Backup.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-
- 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/bkupInfo.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/bkupInfo.xml
deleted file mode 100644
index 7e2d87c..0000000
--- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/bkupInfo.xml
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/Backup.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/Backup.xml
new file mode 100644
index 0000000..6070986
--- /dev/null
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/Backup.xml
@@ -0,0 +1,20 @@
+
+ 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 46 a1 81 16 63 39 76 70 96 4d 40 c9 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 46 a1 81 16 63 39 76 70 96 4d 40 c9 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 46 a1 81 16 63 39 76 70 96 4d 40 c9 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/comment.cmtx
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/comment.cmtx
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/comment.cmtx
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
similarity index 89%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
index 45b7eed..d87f92b 100644
--- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
@@ -28,11 +28,15 @@ Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclus
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
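Review bot: The new `Audit Registry` row only yields events for keys that carry an auditing SACL, and nothing visible in this diff adds any, unless the `GptTmpl.inf` change (shown only as a binary diff) does. It is worth confirming that and recording which keys are meant to be audited. `Audit Sensitive Privilege Use` at `Success and Failure` is typically a high-volume subcategory (events 4673/4674), so the commit description should say which detections need the Success side and that the added Security log and indexing volume was checked. The GPO backup GUID also changes in this commit, so any import script that references the old `{5CCBF08F-...}` folder by name needs updating; none is visible here.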
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
similarity index 91%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
index 30730f1..e933e92 100644
Binary files a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf differ
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/registry.pol
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/registry.pol
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/DomainSysvol/GPO/Machine/registry.pol
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/bkupInfo.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/bkupInfo.xml
new file mode 100644
index 0000000..b7fc2d1
--- /dev/null
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/bkupInfo.xml
@@ -0,0 +1 @@
+
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/gpreport.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/gpreport.xml
similarity index 92%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/gpreport.xml
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/gpreport.xml
index 00be37a..69b283e 100644
Binary files a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/gpreport.xml and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{D758182C-84C3-420D-806A-50664169D3B2}/gpreport.xml differ
diff --git a/Vagrant/resources/splunk_server/props.conf b/Vagrant/resources/splunk_server/props.conf
index 393bf08..bc6dcab 100644
--- a/Vagrant/resources/splunk_server/props.conf
+++ b/Vagrant/resources/splunk_server/props.conf
@@ -24,5 +24,4 @@ TRUNCATE = 0
TRANSFORMS-null = setnull
[WinEventLog]
-TRANSFORMS-null = osqueryd_wineventlog_null
TRANSFORMS-null = autoruns_wineventlog_null
\ No newline at end of file
diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf
index 5e76d4c..7bc6532 100644
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -19,11 +19,6 @@ REGEX = Error\scasting
DEST_KEY = queue
FORMAT = nullQueue
-[osqueryd_wineventlog_null]
-REGEX = "Process_Name=C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe"
-DEST_KEY = queue
-FORMAT = nullQueue
-
[autoruns_wineventlog_null]
REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
DEST_KEY = queue