Adding ATA to Packer image, adding evtx-attack-samples

Packer/scripts/download-microsoft-ata.ps1

@@ -0,0 +1,44 @@
+# Purpose: Downloads, installs and configures Microsft ATA 1.9
+$title = "Microsoft ATA 1.9"
+$downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso"
+$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
+
+# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
+If (-not("SSLValidator" -as [type])) {
+    add-type -TypeDefinition @"
+using System;
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+public static class SSLValidator {
+    public static bool ReturnTrue(object sender,
+        X509Certificate certificate,
+        X509Chain chain,
+        SslPolicyErrors sslPolicyErrors) { return true; }
+
+    public static RemoteCertificateValidationCallback GetDelegate() {
+        return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
+    }
+}
+"@
+}
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
+
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
+# Disabling the progress bar speeds up IWR https://github.com/PowerShell/PowerShell/issues/2138
+$ProgressPreference = 'SilentlyContinue'
+Invoke-WebRequest -Uri $downloadUrl -OutFile "c:\$title.iso"
+$actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+If (-not ($actualHash -eq $fileHash)) {
+    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
+    Remove-Item -Path "c:\$title.iso" -Force
+    bitsadmin /Transfer ATA $downloadUrl "c:\$title.iso"
+    $actualHash = (Get-FileHash -Algorithm SHA256 -Path "c:\$title.iso").Hash
+    If (-not ($actualHash -eq $fileHash)) {
+        Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
+    }
+}
+
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Microsoft ATA sucessfully downloaded to c:\$title.iso !"

Packer/scripts/vm-guest-tools.ps1

@@ -38,7 +38,16 @@ if ("$env:PACKER_BUILDER_TYPE" -eq "vmware-iso") {
     }
 
     cmd /c "C:\PROGRA~1\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare
-    cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+    cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v "/qn REBOOT=R"
+    $software = "VMware Tools";
+    $installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -eq $software }) -ne $null
+
+    If (-Not $installed) {
+        Write-Host "'$software' did not install successfully. Quitting.";
+        exit 1
+    } Else {
+        Write-Host "'$software' was installed successfully."
+    }
 
     Remove-Item -Force "C:\Windows\Temp\vmware-tools.tar"
     Remove-Item -Force "C:\Windows\Temp\windows.iso"

Packer/windows_2016.json

@@ -143,7 +143,8 @@
       "type": "powershell",
       "scripts": [
         "./scripts/vm-guest-tools.ps1",
-        "./scripts/debloat-windows.ps1"
+        "./scripts/debloat-windows.ps1",
+        "./scripts/download-microsoft-ata.ps1"
       ]
     },
     {