From c0370af30af288eb0647d44173da14bb67ac1385 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 5 Dec 2018 01:20:36 -0800
Subject: [PATCH 1/3] Updating CI Vagrant & Packer versions

---
 ci/build_machine_bootstrap.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ci/build_machine_bootstrap.sh b/ci/build_machine_bootstrap.sh
index 75f7d5f..e6eda45 100755
--- a/ci/build_machine_bootstrap.sh
+++ b/ci/build_machine_bootstrap.sh
@@ -51,8 +51,8 @@ if [ "$PACKER_ONLY" -eq 0 ]; then
 # Install Vagrant
 mkdir /opt/vagrant
 cd /opt/vagrant || exit 1
- wget https://releases.hashicorp.com/vagrant/2.1.4/vagrant_2.1.4_x86_64.deb
- dpkg -i vagrant_2.1.4_x86_64.deb
+ wget https://releases.hashicorp.com/vagrant/2.2.2/vagrant_2.2.2_x86_64.deb
+ dpkg -i vagrant_2.2.2_x86_64.deb
 vagrant plugin install vagrant-reload
 
 # Make the Vagrant instances headless
@@ -64,8 +64,8 @@ if [ "$VAGRANT_ONLY" -eq 0 ]; then
 # Install Packer
 mkdir /opt/packer
 cd /opt/packer || exit 1
- wget https://releases.hashicorp.com/packer/1.2.5/packer_1.2.5_linux_amd64.zip
- unzip packer_1.2.5_linux_amd64.zip
+ wget https://releases.hashicorp.com/packer/1.3.2/packer_1.3.2_linux_amd64.zip
+ unzip packer_1.3.2_linux_amd64.zip
 cp packer /usr/local/bin/packer
 
 # Make the Packer images headless

From e547dc1ff9a344719626b9ebe67307da763b00db Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 5 Dec 2018 01:22:10 -0800
Subject: [PATCH 2/3] Set privilege to false for all windows shell cmds

https://github.com/clong/DetectionLab/issues/172
---
 Vagrant/Vagrantfile | 82 ++++++++++++++++++++++-----------------------
 1 file changed, 41 insertions(+), 41 deletions(-)

diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 873e98d..7fd6b92 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -51,21 +51,21 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
- cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
 
 cfg.vm.provider "vmware_fusion" do |v, override|
 override.vm.box = "../Boxes/windows_2016_vmware.box"
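Review bot: Nothing in the Vagrantfile records why every provisioner in this hunk now runs with `privileged: false`, so the next reader will take it to mean these steps do not need administrative rights, whereas configure-ou.ps1, configure-wef-gpo.ps1, configure-AuditingPolicyGPOs.ps1 and the `wevtutil cl` / `Set-SmbServerConfiguration` one-liners, judging by what they touch, cannot succeed without an administrative token. I would add one comment above the first changed line, e.g. `# privileged: false runs each script directly in the WinRM session (see issue #172); the WinRM user must be a local administrator for the GPO, audit-policy and event-log steps below.` The same flip, with the same missing rationale, appears in the hunks at @@ -109 and @@ -167. The enclosing `Vagrant.configure("2")` block and the `cfg` define block both start and end outside this hunk.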
@@ -109,21 +109,21 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
- cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
- cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
+ cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: false
 
 cfg.vm.provider "vmware_fusion" do |v, override|
 override.vm.box = "../Boxes/windows_2016_vmware.box"
@@ -167,17 +167,17 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "reload"
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: true
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: true
- cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
- cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
 
 cfg.vm.provider "vmware_fusion" do |v, override|
 override.vm.box = "../Boxes/windows_10_vmware.box"

From 9e193931387be5c5cafd28e51cb965236d00af79 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 5 Dec 2018 13:46:38 -0800
Subject: [PATCH 3/3] Ignore Microsoft-Windows-LiveId when clearing event channels

Addresses https://github.com/clong/DetectionLab/issues/171
---
 Vagrant/Vagrantfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 7fd6b92..8c29ffa 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -64,7 +64,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
 
 cfg.vm.provider "vmware_fusion" do |v, override|
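Review bot: `Select-String -notmatch` on the new inline line emits MatchInfo objects rather than strings, so the `"$_"` handed to `wevtutil cl` relies on MatchInfo's string conversion producing the bare channel name; the idiomatic filter is `Where-Object { $_ -notmatch "Microsoft-Windows-LiveId" }`, which keeps plain strings in the pipeline and reads as the exclusion it is. The pattern is a regex substring match, so every channel whose name contains Microsoft-Windows-LiveId is skipped, which appears to be the intent. The identical one-liner is now repeated in the hunks at @@ -111 and @@ -170; hoisting it into one local near the top of the `Vagrant.configure("2")` block (which starts and ends outside this hunk), e.g. `clear_event_logs = 'wevtutil el | Where-Object { $_ -notmatch "Microsoft-Windows-LiveId" } | Foreach-Object { wevtutil cl "$_" }'` and then `inline: clear_event_logs`, would keep the three copies from drifting apart.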
@@ -111,7 +111,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
@@ -170,7 +170,7 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
- cfg.vm.provision "shell", inline: 'wevtutil el | Foreach-Object {wevtutil cl "$_"}', privileged: false
+ cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false