Update Win10 to 1804 & Fixes

Vagrant/Vagrantfile

@@ -12,6 +12,12 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
@@ -31,9 +37,10 @@ Vagrant.configure("2") do |config|
     #    after the domain controller is installed.
     #    see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
     cfg.winrm.transport = :plaintext
-    cfg.winrm.basic_auth_only = true
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
@@ -51,8 +58,8 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
-    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
 
     cfg.vm.provider "vmware_fusion" do |v, override|
@@ -62,6 +69,13 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2560
+      v.cpus = 2
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2560]
@@ -75,8 +89,10 @@ Vagrant.configure("2") do |config|
   config.vm.define "wef" do |cfg|
     cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
     cfg.vm.hostname = "wef"
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
@@ -105,6 +121,13 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2048
+      v.cpus = 2
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
@@ -118,8 +141,10 @@ Vagrant.configure("2") do |config|
   config.vm.define "win10" do |cfg|
     cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
     cfg.vm.hostname = "win10"
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
@@ -146,6 +171,15 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_10_vmware.box"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]

Vagrant/bootstrap.sh

@@ -8,6 +8,22 @@ echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.
 apt-get update
 apt-get install -y jq whois build-essential git docker docker-compose unzip mongodb-org
 
+# Fix static IP if it's not set correctly
+ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
+if [ "$ETH1_IP" != "192.168.38.5" ]; then
+  echo "Incorrect IP Address settings detected. Attempting to fix."
+  ifdown eth1
+  ip addr flush dev eth1
+  ifup eth1
+  ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
+  if [ "$ETH1_IP" == "192.168.38.5" ]; then
+    echo "The static IP has been fixed and set to 192.168.38.5"
+  else
+    echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
+    exit 1
+  fi
+fi
+
 # Install Python 3.6.4
 echo "Installing Python v3.6.4..."
 wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz
@@ -41,9 +57,9 @@ else
   # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
   dig @8.8.8.8 splunk.com
   # Download Splunk
-  wget --progress=bar:force -O splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb&wget=true'
-  dpkg -i splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb
-  /opt/splunk/bin/splunk start --accept-license
+  wget --progress=bar:force -O splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.1&product=splunk&filename=splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb&wget=true'
+  dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
+  /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
   /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
   /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
   /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
@@ -73,6 +89,7 @@ git clone https://github.com/kolide/kolide-quickstart.git
 cd kolide-quickstart
 cp /vagrant/resources/fleet/server.* .
 sed -i 's/ -it//g' demo.sh
+sed -i 's#kolide/fleet:latest#kolide/fleet:1.0.8#g' docker-compose.yml
 ./demo.sh up simple
 # Set the enrollment secret to match what we deploy to Windows hosts
 docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide

Vagrant/scripts/configure-wef-gpo.ps1

@@ -54,7 +54,7 @@ else
 {
     Write-Host "GpLink $GPOName already linked on $OU. Moving On."
 }
-$OU = "ou=Workstations,dc=windomain,dc=local" 
+$OU = "ou=Workstations,dc=windomain,dc=local"
 $gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
 $GPO = Get-GPO -Name $GPOName
 If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
@@ -67,7 +67,3 @@ else
 }
 
 gpupdate /force
-# Enable WinRM
-Write-Host "Enabling WinRM"
-winrm qc /q:true
-Write-Host "Rebooting to make settings take effect..."

Vagrant/scripts/download_palantir_osquery.ps1

@@ -1,4 +1,5 @@
 # Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+# The items from this config file are used later in install-osquery.ps1
 Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
 
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
@@ -9,8 +10,8 @@ if (-not (Test-Path $osqueryRepoPath))
     Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
     Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
 }
-else 
+else
 {
     Write-Host "$osqueryRepoPath already exists. Moving On."
 }
-Write-Host "Palantir OSQuery download complete!"
+Write-Host "Palantir osquery config download complete!"

Vagrant/scripts/download_palantir_wef.ps1

@@ -15,4 +15,4 @@ else
 {
     Write-Host "$wefRepoPath already exists. Moving On."
 }
-Write-Host "Palantir WEF download complete!"
+Write-Host "Palantir WEF download complete!"

Vagrant/scripts/fix-second-network.ps1

@@ -1,31 +1,28 @@
 # Source: https://github.com/StefanScherer/adfs2
 param ([String] $ip, [String] $dns)
 
-if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
-  Write-Host "Nothing to do in vCloud."
-  exit 0
-}
 if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
   Write-Host "Nothing to do for other providers than VMware."
   exit 0
 }
+Write-Host "Setting IP address and DNS information for the second network adapter"
 
 $subnet = $ip -replace "\.\d+$", ""
-
+write-host "debug 1"
 $name = (Get-NetIPAddress -AddressFamily IPv4 `
    | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
    ).InterfaceAlias
-
+write-host "debug 2"
 if (!$name) {
   $name = (Get-NetIPAddress -AddressFamily IPv4 `
      | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
      ).InterfaceAlias
 }
-
+write-host "debug 3"
 if ($name) {
   Write-Host "Set IP address to $ip of interface $name"
   & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
-
+write-host "debug 4"
   if ($dns) {
     Write-Host "Set DNS server address to $dns of interface $name"
     & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1

Vagrant/scripts/install-autorunstowineventlog.ps1

@@ -3,8 +3,7 @@
 Write-Host "Installing AutorunsToWinEventLog..."
 If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
 {
-    cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
-    .\Install.ps1
+    . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
     Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
     Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
     $Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"
@@ -13,7 +12,7 @@ If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
         throw "AutorunsToWinEventLog scheduled tasks wasn't running after starting it"
     }
 }
-else 
+else
 {
     Write-Host "AutorunsToWinEventLog already installed. Moving On."
 }

Vagrant/scripts/install-caldera-agent.ps1

@@ -1,7 +1,6 @@
 # Purpose: Installs the Caldera agent on the host
 
-if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
-{
+If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
   # Add /etc/hosts entry
   Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    logger"
 
@@ -21,13 +20,15 @@ if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
   # Ignore SSL warning for conf file download
   # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
+  If (-not (Test-Path "$cagentConfPath" )) {
+    Write-Host "Caldera Agent configuration failed. Unable to retrieve config from logger"
+  }
   Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
-  Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait  
+  Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
 } Else {
   Write-Host "Caldera Agent is already installed. Moving on."
 }
-If ((Get-Service -name cagent).Status -ne "Running")
-{
+If ((Get-Service -name cagent).Status -ne "Running") {
   throw "Caldera Agent service not running"
 }
 Write-Host "Cagent installation complete!"

Vagrant/scripts/install-splunkuf.ps1

@@ -1,12 +1,12 @@
 # Purpose: Installs a Splunk Universal Forwader on the host
 
 If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
-  Write-Host "Downloading Splunk"
-  $msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
+  Write-Host "Downloading Splunk Universal Forwarder"
+  $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
 
   Write-Host "Installing & Starting Splunk"
-  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
-  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
+  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
+  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
 } Else {
   Write-Host "Splunk is already installed. Moving on."
 }

Vagrant/scripts/install-sysinternals.ps1

@@ -24,23 +24,32 @@ $sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
 $tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
 $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
 
+Write-Host "Downloading Autoruns64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
+Write-Host "Downloading Procmon.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
+Write-Host "Downloading PsExec64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
+Write-Host "Downloading procexp64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
+Write-Host "Downloading Sysmon64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
+Write-Host "Downloading Tcpview.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
 Copy-Item $sysmonPath $sysmonDir
 
 # Download SwiftOnSecurity's Sysmon config
+Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
 Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
+# Alternative: Download Olaf Hartong's Sysmon config (more CPU intensive)
+#Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -Outfile "$sysmonConfigPath"
 
-# Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Startup Sysmon
+# Start Sysmon
 Write-Host "Starting Sysmon..."
 Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
+Write-Host "Verifying that the Sysmon service is running..."
+Start-Sleep 5 # Give the service time to start
+If ((Get-Service -name Sysmon64).Status -ne "Running")
+{
+  throw "The Sysmon service did not start successfully"
+}

Vagrant/scripts/install-utilities.ps1

@@ -3,24 +3,21 @@
 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Installing Chocolatey"
   iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
-}
-else {
+} else {
   Write-Host "Chocolatey is already installed."
 }
 
-Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
-choco install -y atom
+Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
+If ($(hostname) -eq "win10") {
+  # Because the Windows10 start menu sucks
+  choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
+}
 choco install -y NotepadPlusPlus
 choco install -y GoogleChrome
 choco install -y WinRar
-Write-Host $env:LOCALAPPDATA
-$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
-apm install language-powershell
-apm install language-batch
-apm install language-docker
 
 # Disable Windows Defender realtime scanning before downloading Mimikatz
-If ($env:computername -eq "WIN10") {
+If ($env:computername -eq "win10") {
   If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
   {
     Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
@@ -28,7 +25,7 @@ If ($env:computername -eq "WIN10") {
   gpupdate /force | Out-String
   Set-MpPreference -ExclusionPath C:\commander.exe, C:\Tools
   set-MpPreference -DisableRealtimeMonitoring $true
-  
+
 }
 
 # Purpose: Downloads and unzips a copy of the latest Mimikatz trunk
@@ -37,7 +34,6 @@ Write-Host "Determining latest release of Mimikatz..."
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
 $mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
-
 $mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
 if (-not (Test-Path $mimikatzRepoPath))
 {
@@ -48,8 +44,19 @@ else
 {
   Write-Host "Mimikatz was already installed. Moving On."
 }
-# Enable realtime monitoring again, now that exclusion is set for mimikatz
-If ($env:computername -eq "WIN10") {
-  set-MpPreference -DisableRealtimeMonitoring $false
+
+# Download and unzip a copy of PowerSploit
+Write-Host "Downloading Powersploit..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
+$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
+if (-not (Test-Path $powersploitRepoPath)) {
+  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
+  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
+  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
+} else {
+  Write-Host "PowerSploit was already installed. Moving On."
 }
-Write-Host "Utilties installation complete!"
+
+Write-Host "Utilties installation complete!"