Update Win10 to 1804 & Fixes

.gitignore

@@ -1,5 +1,5 @@
 Vagrant/.vagrant/*
-Vagrant/vagrant_build.log
+Vagrant/vagrant*.log
 Packer/packer_cache/*
 Packer/packer_build.log
 Boxes/*

Packer/scripts/MakeWindows10GreatAgain.ps1

@@ -3,10 +3,6 @@ Write-Host "Making Windows 10 Great again"
 Write-Host "Importing registry keys..."
 regedit /s a:\MakeWindows10GreatAgain.reg
 
-# Install Powershell Help items
-Write-Host "Updating Powershell Help Library..."
-Update-Help
-
 # Remove OneDrive from the System
 Write-Host "Removing OneDrive..."
 $onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
@@ -14,3 +10,11 @@ if ($onedrive) {
   taskkill /f /im OneDrive.exe
 }
 c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
+
+Update-Help -Force -ErrorAction SilentlyContinue
+
+# Remove Microsoft Store and Edge shortcuts from the taskbar
+$appname = "Microsoft Edge"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+$appname = "Microsoft Store"
+((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}

Packer/scripts/MakeWindows10GreatAgain.reg

@@ -43,3 +43,7 @@ Windows Registry Editor Version 5.00
 # Enable Developer Mode (prerequisite for Linux subsystem)
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
 "AllowDevelopmentWithoutDevLicense"=dword:00000001
+
+# Disable Microsoft People icon from taskbar
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People]
+"PeopleBand"=dword:00000000

Packer/scripts/debloat-windows.ps1

@@ -14,9 +14,6 @@ if ($env:PACKER_BUILDER_TYPE -And $($env:PACKER_BUILDER_TYPE).startsWith("hyperv
   #. $env:TEMP\Debloat-Windows-10-master\scripts\block-telemetry.ps1
   #Write-Host Disable services
   #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-services.ps1
-  Write-host Disable Windows Defender
-  #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-windows-defender.ps1
-  Uninstall-WindowsFeature Windows-Defender-Features
   Write-host Optimize Windows Update
   . $env:TEMP\Debloat-Windows-10-master\scripts\optimize-windows-update.ps1
   #Write-host Disable Windows Update

Packer/scripts/enable-winrm.ps1

@@ -9,5 +9,6 @@ winrm set winrm/config/client/auth '@{Basic="true"}'
 winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
 netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
 netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
-Set-Service winrm -startuptype "auto"
+sc config winrm start= disabled
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v StartWinRM /t REG_SZ /f /d "cmd.exe /c 'sc config winrm start= auto & sc start winrm'"
 Restart-Service winrm

Packer/scripts/vm-guest-tools.bat

@@ -1,6 +1,9 @@
 if not exist "C:\Windows\Temp\7z920-x64.msi" (
     powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
 )
+if not exist "C:\Windows\Temp\7z920-x64.msi" (
+    powershell -Command "Start-Sleep 5 ; (New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+)
 msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
 
 if "%PACKER_BUILDER_TYPE%" equ "vmware-iso" goto :vmware
@@ -36,7 +39,7 @@ if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" (
 )
 
 if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" (
-    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.4/VBoxGuestAdditions_5.2.4.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
+    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.2.10/VBoxGuestAdditions_5.2.10.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
 )
 
 cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\VBoxGuestAdditions.iso -oC:\Windows\Temp\virtualbox"

Packer/windows_10.json

@@ -170,9 +170,9 @@
     }
   ],
   "variables": {
-    "iso_url": "http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO",
+    "iso_checksum": "27e4feb9102f7f2b21ebdb364587902a70842fb550204019d1a14b120918e455",
-    "iso_checksum_type": "sha1",
+    "iso_checksum_type": "sha256",
-    "iso_checksum": "6c60f91bf0ad7b20f469ab8f80863035c517f34f",
+    "iso_url": "https://software-download.microsoft.com/download/pr/17134.1.180410-1804.rs4_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
     "autounattend": "./answer_files/10/Autounattend.xml",
     "disk_size": "61440"
   }

Vagrant/Vagrantfile

@@ -12,6 +12,12 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
@@ -31,9 +37,10 @@ Vagrant.configure("2") do |config|
     #    after the domain controller is installed.
     #    see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
     cfg.winrm.transport = :plaintext
-    cfg.winrm.basic_auth_only = true
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
@@ -51,8 +58,8 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
-    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
 
     cfg.vm.provider "vmware_fusion" do |v, override|
@@ -62,6 +69,13 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2560
+      v.cpus = 2
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2560]
@@ -75,8 +89,10 @@ Vagrant.configure("2") do |config|
   config.vm.define "wef" do |cfg|
     cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
     cfg.vm.hostname = "wef"
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
@@ -105,6 +121,13 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_2016_vmware.box"
+      v.memory = 2048
+      v.cpus = 2
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]
@@ -118,8 +141,10 @@ Vagrant.configure("2") do |config|
   config.vm.define "win10" do |cfg|
     cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
     cfg.vm.hostname = "win10"
-
     cfg.vm.communicator = "winrm"
+    cfg.winrm.basic_auth_only = true
+    cfg.winrm.timeout = 300
+    cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
 
     cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
@@ -146,6 +171,15 @@ Vagrant.configure("2") do |config|
       v.gui = true
     end
 
+    cfg.vm.provider "vmware_desktop" do |v, override|
+      override.vm.box = "../Boxes/windows_10_vmware.box"
+      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+      v.memory = 2048
+      v.cpus = 1
+      v.gui = true
+    end
+
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
       vb.customize ["modifyvm", :id, "--memory", 2048]

Vagrant/bootstrap.sh

@@ -8,6 +8,22 @@ echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.
 apt-get update
 apt-get install -y jq whois build-essential git docker docker-compose unzip mongodb-org
 
+# Fix static IP if it's not set correctly
+ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
+if [ "$ETH1_IP" != "192.168.38.5" ]; then
+  echo "Incorrect IP Address settings detected. Attempting to fix."
+  ifdown eth1
+  ip addr flush dev eth1
+  ifup eth1
+  ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
+  if [ "$ETH1_IP" == "192.168.38.5" ]; then
+    echo "The static IP has been fixed and set to 192.168.38.5"
+  else
+    echo "Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
+    exit 1
+  fi
+fi
+
 # Install Python 3.6.4
 echo "Installing Python v3.6.4..."
 wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz
@@ -41,9 +57,9 @@ else
   # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
   dig @8.8.8.8 splunk.com
   # Download Splunk
-  wget --progress=bar:force -O splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb&wget=true'
+  wget --progress=bar:force -O splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.1&product=splunk&filename=splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb&wget=true'
-  dpkg -i splunk-7.0.2-03bbabbd5c0f-linux-2.6-amd64.deb
+  dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
-  /opt/splunk/bin/splunk start --accept-license
+  /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
   /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
   /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
   /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
@@ -73,6 +89,7 @@ git clone https://github.com/kolide/kolide-quickstart.git
 cd kolide-quickstart
 cp /vagrant/resources/fleet/server.* .
 sed -i 's/ -it//g' demo.sh
+sed -i 's#kolide/fleet:latest#kolide/fleet:1.0.8#g' docker-compose.yml
 ./demo.sh up simple
 # Set the enrollment secret to match what we deploy to Windows hosts
 docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide

Vagrant/scripts/configure-wef-gpo.ps1

@@ -67,7 +67,3 @@ else
 }
 
 gpupdate /force
-# Enable WinRM
-Write-Host "Enabling WinRM"
-winrm qc /q:true
-Write-Host "Rebooting to make settings take effect..."

Vagrant/scripts/download_palantir_osquery.ps1

@@ -1,4 +1,5 @@
 # Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+# The items from this config file are used later in install-osquery.ps1
 Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
 
 $osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
@@ -13,4 +14,4 @@ else
 {
     Write-Host "$osqueryRepoPath already exists. Moving On."
 }
-Write-Host "Palantir OSQuery download complete!"
+Write-Host "Palantir osquery config download complete!"

Vagrant/scripts/fix-second-network.ps1

@@ -1,31 +1,28 @@
 # Source: https://github.com/StefanScherer/adfs2
 param ([String] $ip, [String] $dns)
 
-if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
-  Write-Host "Nothing to do in vCloud."
-  exit 0
-}
 if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
   Write-Host "Nothing to do for other providers than VMware."
   exit 0
 }
+Write-Host "Setting IP address and DNS information for the second network adapter"
 
 $subnet = $ip -replace "\.\d+$", ""
-
+write-host "debug 1"
 $name = (Get-NetIPAddress -AddressFamily IPv4 `
    | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
    ).InterfaceAlias
-
+write-host "debug 2"
 if (!$name) {
   $name = (Get-NetIPAddress -AddressFamily IPv4 `
      | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
      ).InterfaceAlias
 }
-
+write-host "debug 3"
 if ($name) {
   Write-Host "Set IP address to $ip of interface $name"
   & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
-
+write-host "debug 4"
   if ($dns) {
     Write-Host "Set DNS server address to $dns of interface $name"
     & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1

Vagrant/scripts/install-autorunstowineventlog.ps1

@@ -3,8 +3,7 @@
 Write-Host "Installing AutorunsToWinEventLog..."
 If ((Get-ScheduledTask -TaskName "AutorunsToWinEventLog" -ea silent) -eq $null)
 {
-    cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
+    . c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog\Install.ps1
-    .\Install.ps1
     Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
     Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
     $Tsk = Get-ScheduledTask -TaskName "AutorunsToWinEventLog"

Vagrant/scripts/install-caldera-agent.ps1

@@ -1,7 +1,6 @@
 # Purpose: Installs the Caldera agent on the host
 
-if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
+If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
-{
   # Add /etc/hosts entry
   Add-Content "c:\windows\system32\drivers\etc\hosts" "        192.168.38.5    logger"
 
@@ -21,13 +20,15 @@ if (-not (Test-Path 'C:\Program Files\cagent\cagent.exe'))
   # Ignore SSL warning for conf file download
   # https://stackoverflow.com/questions/34331206/ignore-ssl-warning-with-powershell-downloadstring
   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $cagentConfPath)
+  If (-not (Test-Path "$cagentConfPath" )) {
+    Write-Host "Caldera Agent configuration failed. Unable to retrieve config from logger"
+  }
   Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
   Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
 } Else {
   Write-Host "Caldera Agent is already installed. Moving on."
 }
-If ((Get-Service -name cagent).Status -ne "Running")
+If ((Get-Service -name cagent).Status -ne "Running") {
-{
   throw "Caldera Agent service not running"
 }
 Write-Host "Cagent installation complete!"

Vagrant/scripts/install-splunkuf.ps1

@@ -1,12 +1,12 @@
 # Purpose: Installs a Splunk Universal Forwader on the host
 
 If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
-  Write-Host "Downloading Splunk"
+  Write-Host "Downloading Splunk Universal Forwarder"
-  $msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
+  $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
 
   Write-Host "Installing & Starting Splunk"
-  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
+  (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
-  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
+  Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
 } Else {
   Write-Host "Splunk is already installed. Moving on."
 }

Vagrant/scripts/install-sysinternals.ps1

@@ -24,23 +24,32 @@ $sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
 $tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
 $sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
 
+Write-Host "Downloading Autoruns64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
+Write-Host "Downloading Procmon.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
+Write-Host "Downloading PsExec64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
+Write-Host "Downloading procexp64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
+Write-Host "Downloading Sysmon64.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
+Write-Host "Downloading Tcpview.exe..."
 Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
 Copy-Item $sysmonPath $sysmonDir
 
 # Download SwiftOnSecurity's Sysmon config
+Write-Host "Downloading SwiftOnSecurity's Sysmon config..."
 Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonConfigPath"
+# Alternative: Download Olaf Hartong's Sysmon config (more CPU intensive)
+#Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -Outfile "$sysmonConfigPath"
 
-# Convert Sysmon config schema from 3.30 to 4.0 per GitHub Issue #38
+# Start Sysmon
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Convert Schema from 3.30 to 4.0 per GitHub Issue #38
-(Get-Content $sysmonConfigPath) -replace 'schemaversion="3.30"', 'schemaversion="4.00"' | Set-Content $sysmonConfigPath
-
-# Startup Sysmon
 Write-Host "Starting Sysmon..."
 Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
+Write-Host "Verifying that the Sysmon service is running..."
+Start-Sleep 5 # Give the service time to start
+If ((Get-Service -name Sysmon64).Status -ne "Running")
+{
+  throw "The Sysmon service did not start successfully"
+}

Vagrant/scripts/install-utilities.ps1

@@ -3,24 +3,21 @@
 If (-not (Test-Path "C:\ProgramData\chocolatey")) {
   Write-Host "Installing Chocolatey"
   iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
-}
+} else {
-else {
   Write-Host "Chocolatey is already installed."
 }
 
-Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
+Write-Host "Installing Notepad++, Chrome, WinRar, PowerSploit and Mimikatz."
-choco install -y atom
+If ($(hostname) -eq "win10") {
+  # Because the Windows10 start menu sucks
+  choco install -y classic-shell -installArgs ADDLOCAL=ClassicStartMenu
+}
 choco install -y NotepadPlusPlus
 choco install -y GoogleChrome
 choco install -y WinRar
-Write-Host $env:LOCALAPPDATA
-$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
-apm install language-powershell
-apm install language-batch
-apm install language-docker
 
 # Disable Windows Defender realtime scanning before downloading Mimikatz
-If ($env:computername -eq "WIN10") {
+If ($env:computername -eq "win10") {
   If (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender")
   {
     Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Recurse -Force
@@ -37,7 +34,6 @@ Write-Host "Determining latest release of Mimikatz..."
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $tag = (Invoke-WebRequest "https://api.github.com/repos/gentilkiwi/mimikatz/releases" -UseBasicParsing | ConvertFrom-Json)[0].tag_name
 $mimikatzDownloadUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/$tag/mimikatz_trunk.zip"
-
 $mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\mimikatz_trunk.zip'
 if (-not (Test-Path $mimikatzRepoPath))
 {
@@ -48,8 +44,19 @@ else
 {
   Write-Host "Mimikatz was already installed. Moving On."
 }
-# Enable realtime monitoring again, now that exclusion is set for mimikatz
+
-If ($env:computername -eq "WIN10") {
+# Download and unzip a copy of PowerSploit
-  set-MpPreference -DisableRealtimeMonitoring $false
+Write-Host "Downloading Powersploit..."
+# GitHub requires TLS 1.2 as of 2/27
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$powersploitDownloadUrl = "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip"
+$powersploitRepoPath = "C:\Users\vagrant\AppData\Local\Temp\powersploit.zip"
+if (-not (Test-Path $powersploitRepoPath)) {
+  Invoke-WebRequest -Uri "$powersploitDownloadUrl" -OutFile $powersploitRepoPath
+  Expand-Archive -path "$powersploitRepoPath" -destinationpath 'c:\Tools\PowerSploit' -Force
+  Copy-Item "c:\Tools\PowerSploit\PowerSploit-master\*" "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" -Recurse -Force
+} else {
+  Write-Host "PowerSploit was already installed. Moving On."
 }
+
 Write-Host "Utilties installation complete!"

build.sh

@@ -233,7 +233,7 @@ vagrant_up_host() {
   HOST="$1"
   (echo >&2 "Attempting to bring up the $HOST host using Vagrant")
   cd "$DL_DIR"/Vagrant || exit 1
-  VAGRANT_LOG=info $(which vagrant) up "$HOST" --provider="$PROVIDER" 3>&1 1>&2 2>&3 | tee -a "$DL_DIR/Vagrant/vagrant_build.log"
+  $(which vagrant) up "$HOST" --provider="$PROVIDER" 2> "$DL_DIR/Vagrant/vagrant_up_$HOST.log"
   echo "$?"
 }
 
@@ -373,6 +373,7 @@ choose_md5_tool() {
 
 # Downloads pre-built Packer boxes from detectionlab.network to save time during CI builds
 download_boxes() {
+  choose_md5_tool
   if [ "$PROVIDER" == "virtualbox" ]; then
     wget "https://www.detectionlab.network/windows_2016_virtualbox.box" -O "$DL_DIR"/Boxes/windows_2016_virtualbox.box
     wget "https://www.detectionlab.network/windows_10_virtualbox.box" -O "$DL_DIR"/Boxes/windows_10_virtualbox.box