Created
December 24, 2019 04:59
Bringing machine 'wef' up with 'vmware_desktop' provider...
==> wef: Cloning VMware VM: 'detectionlab/win2016'. This can take some time...
==> wef: Checking if box 'detectionlab/win2016' version '1.4' is up to date...
==> wef: Verifying vmnet devices are healthy...
==> wef: Preparing network adapters...
WARNING: The VMX file for this box contains a setting that is automatically overwritten by Vagrant
WARNING: when started. Vagrant will stop overwriting this setting in an upcoming release which may
WARNING: prevent proper networking setup. Below is the detected VMX setting:
WARNING:
WARNING: ethernet0.pcislotnumber = "33"
WARNING:
WARNING: If networking fails to properly configure, it may require this VMX setting. It can be manually
WARNING: applied via the Vagrantfile:
WARNING:
WARNING: Vagrant.configure(2) do |config|
WARNING: config.vm.provider :vmware_desktop do |vmware|
WARNING: vmware.vmx["ethernet0.pcislotnumber"] = "33"
WARNING: end
WARNING: end
WARNING:
WARNING: For more information: https://www.vagrantup.com/docs/vmware/boxes.html#vmx-whitelisting
==> wef: Fixed port collision for 5985 => 55985. Now on port 2201.
==> wef: Fixed port collision for 5986 => 55986. Now on port 2202.
==> wef: Fixed port collision for 22 => 2222. Now on port 2203.
==> wef: Starting the VMware VM...
==> wef: Waiting for the VM to receive an address...
==> wef: Forwarding ports...
wef: -- 5985 => 2201
wef: -- 5986 => 2202
wef: -- 22 => 2203
==> wef: Waiting for machine to boot. This may take a few minutes...
wef: WinRM address: 127.0.0.1:2201
wef: WinRM username: vagrant
wef: WinRM execution_time_limit: PT2H
wef: WinRM transport: negotiate
==> wef: Machine booted and ready!
==> wef: Setting hostname...
==> wef: Waiting for machine to reboot...
==> wef: Configuring network adapters within the VM...
==> wef: Configuring secondary network adapters through VMware
==> wef: on Windows is not yet supported. You will need to manually
==> wef: configure the network adapter.
==> wef: Enabling and configuring shared folders...
wef: -- /Users/dtulis144/DetectionLab/Vagrant: /vagrant
==> wef: Running provisioner: shell...
wef: Running: scripts/fix-second-network.ps1 as c:\tmp\vagrant-shell.ps1
wef: [05:46]
wef: Setting IP address and DNS information for the Ethernet1 interface
wef: If this step times out, it's because vagrant is connecting to the VM on the wrong interface
wef: See https://github.com/clong/DetectionLab/issues/114 for more information
wef: Set IP address to 192.168.38.103 of interface Ethernet1
wef: Set DNS server address to 192.168.38.102 of interface Ethernet1
==> wef: Running provisioner: shell...
wef: Running: scripts/provision.ps1 as c:\tmp\vagrant-shell.ps1
wef: [05:46] Setting timezone to UTC...
wef: [05:46] Disable IPv6 on all network adatpers...
wef: Name DisplayName ComponentID
wef: ---- ----------- -----------
wef: Ethernet1 Internet Protocol Version 6 (TCP/IPv6) ms_tcpip6
wef: Ethernet0 2 Internet Protocol Version 6 (TCP/IPv6) ms_tcpip6
wef: The operation completed successfully.
wef: [05:46] Current domain is set to 'workgroup'. Time to join the domain!
wef: Install bginfo
wef: [05:46] Installing BGInfo...
wef: PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\sysinternals
wef: PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Program Files
wef: PSChildName : sysinternals
wef: PSDrive : C
wef: PSProvider : Microsoft.PowerShell.Core\FileSystem
wef: PSIsContainer : True
wef: Name : sysinternals
wef: Parent : Program Files
wef: Exists : True
wef: Root : C:\
wef: FullName : C:\Program Files\sysinternals
wef: Extension :
wef: CreationTime : 12/19/2019 5:46:45 AM
wef: CreationTimeUtc : 12/19/2019 1:46:45 PM
wef: LastAccessTime : 12/19/2019 5:46:45 AM
wef: LastAccessTimeUtc : 12/19/2019 1:46:45 PM
wef: LastWriteTime : 12/19/2019 5:46:45 AM
wef: LastWriteTimeUtc : 12/19/2019 1:46:45 PM
wef: Attributes : Directory
wef: Mode : d-----
wef: BaseName : sysinternals
wef: Target : {}
wef: LinkType :
wef: [05:46] Joining the domain...
wef: [05:46] First, set DNS to DC to join the domain...
wef: __GENUS : 2
wef: __CLASS : __PARAMETERS
wef: __SUPERCLASS :
wef: __DYNASTY : __PARAMETERS
wef: __RELPATH :
wef: __PROPERTY_COUNT : 1
wef: __DERIVATION : {}
wef: __SERVER :
wef: __NAMESPACE :
wef: __PATH :
wef: ReturnValue : 0
wef: PSComputerName :
wef: [05:46] Now join the domain...
wef: HasSucceeded : True
wef: ComputerName : wef
wef: WARNING: The changes will take effect after you restart the computer wef.
wef: Disabling Windows Updates and Windows Module Services
wef: Hint: vagrant reload wef --provision
==> wef: Running provisioner: shell...
wef: Running: inline PowerShell script
wef: Microsoft (R) Windows Script Host Version 5.812
wef: Copyright (C) Microsoft Corporation. All rights reserved.
wef: Command completed successfully.
wef: Please restart the system for the changes to take effect.
==> wef: Running provisioner: reload...
==> wef: Attempting graceful shutdown of VM...
==> wef: Checking if box 'detectionlab/win2016' version '1.4' is up to date...
==> wef: Verifying vmnet devices are healthy...
==> wef: Preparing network adapters...
WARNING: The VMX file for this box contains a setting that is automatically overwritten by Vagrant
WARNING: when started. Vagrant will stop overwriting this setting in an upcoming release which may
WARNING: prevent proper networking setup. Below is the detected VMX setting:
WARNING:
WARNING: ethernet1.pcislotnumber = "33"
WARNING:
WARNING: If networking fails to properly configure, it may require this VMX setting. It can be manually
WARNING: applied via the Vagrantfile:
WARNING:
WARNING: Vagrant.configure(2) do |config|
WARNING: config.vm.provider :vmware_desktop do |vmware|
WARNING: vmware.vmx["ethernet1.pcislotnumber"] = "33"
WARNING: end
WARNING: end
WARNING:
WARNING: For more information: https://www.vagrantup.com/docs/vmware/boxes.html#vmx-whitelisting
==> wef: Starting the VMware VM...
==> wef: Waiting for the VM to receive an address...
==> wef: Forwarding ports...
wef: -- 5985 => 2201
wef: -- 5986 => 2202
wef: -- 22 => 2203
==> wef: Waiting for machine to boot. This may take a few minutes...
wef: WinRM address: 127.0.0.1:2201
wef: WinRM username: vagrant
wef: WinRM execution_time_limit: PT2H
wef: WinRM transport: negotiate
==> wef: Machine booted and ready!
==> wef: Setting hostname...
==> wef: Configuring network adapters within the VM...
==> wef: Configuring secondary network adapters through VMware
==> wef: on Windows is not yet supported. You will need to manually
==> wef: configure the network adapter.
==> wef: Enabling and configuring shared folders...
wef: -- /Users/dtulis144/DetectionLab/Vagrant: /vagrant
==> wef: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> wef: flag to force provisioning. Provisioners marked to run always will still run.
==> wef: Running provisioner: shell...
wef: Running: scripts/provision.ps1 as c:\tmp\vagrant-shell.ps1
wef: [13:48] Setting timezone to UTC...
wef: [13:48] Disable IPv6 on all network adatpers...
wef: Name DisplayName ComponentID
wef: ---- ----------- -----------
wef: Ethernet1 Internet Protocol Version 6 (TCP/IPv6) ms_tcpip6
wef: Ethernet0 2 Internet Protocol Version 6 (TCP/IPv6) ms_tcpip6
wef: The operation completed successfully.
wef: [13:48] I am domain joined!
wef: [13:48] Provisioning after joining domain...
==> wef: Running provisioner: shell...
wef: Running: scripts/download_palantir_wef.ps1 as c:\tmp\vagrant-shell.ps1
wef: [13:49] Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github...
wef: [13:49] Palantir WEF download complete!
==> wef: Running provisioner: shell...
wef: Running: scripts/download_palantir_osquery.ps1 as c:\tmp\vagrant-shell.ps1
wef: [13:49] Downloading and unzipping the Palantir osquery Repo from Github...
wef: [13:49] Palantir osquery config download complete!
==> wef: Running provisioner: shell...
wef: Running: inline PowerShell script
==> wef: Running provisioner: shell...
wef: Running: scripts/install-wefsubscriptions.ps1 as c:\tmp\vagrant-shell.ps1
wef: [13:49] Installing WEF Subscriptions...
wef: [13:49] Copying Custom Event Channels DLL...
wef: [13:49] Installing Custom Event Channels Manifest...
wef: Resizing Channels to 4GB...
wef: [13:49] Starting the Windows Event Collector Service...
wef: The Windows Event Collector service is starting.
wef: The Windows Event Collector service was started successfully.
wef: [13:50] Creating custom event subscriptions...
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Account-Lockout.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Account-Management.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Active-Directory.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\ADFS.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Application-Crashes.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Applocker.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Authentication.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Autoruns.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Bits-Client.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Certificate-Authority.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Code-Integrity.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Device-Guard.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\DNS.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Drivers.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Duo-Security.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\EMET.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Event-Log-Diagnostics.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Explicit-Credentials.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Exploit-Guard-ASR.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Exploit-Guard-CFA.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Exploit-Guard-EP.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Exploit-Guard-NP.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\External-Devices.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Firewall.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Group-Policy-Errors.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Kerberos.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Log-Deletion-Security.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Log-Deletion-System.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Microsoft-Office.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\MSI-Packages.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\NTLM.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Object-Manipulation.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Operating-System.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Powershell.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Print.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Privilege-Use.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Process-Execution.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Registry.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Services.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Shares.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Smart-Card.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Software-Restriction-Policies.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Sysmon.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\System-Time-Change.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Task-Scheduler.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Terminal-Services.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Windows-Defender.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Windows-Diagnostics.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Windows-Updates.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\Wireless.xml
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil cs C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions\WMI.xml
wef: [13:50] Enabling custom event subscriptions...
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Account-Lockout /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Account-Management /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Active-Directory /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss ADFS /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Application-Crashes /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Applocker /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Authentication /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Autoruns /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Bits-Client /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Certificate-Authority /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Code-Integrity /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Device-Guard /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss DNS /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Drivers /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Duo-Security /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss EMET /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Event-Log-Diagnostics /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Explicit-Credentials /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Exploit-Guard-ASR /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Exploit-Guard-CFA /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Exploit-Guard-EP /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Exploit-Guard-NP /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss External-Devices /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Firewall /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Group-Policy-Errors /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Kerberos /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Log-Deletion-Security /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Log-Deletion-System /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Microsoft-Office /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss MSI-Packages /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss NTLM /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Object-Manipulation /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Operating-System /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Powershell /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Print /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Privilege-Use /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Process-Execution /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Registry /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Services /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Shares /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Smart-Card /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Software-Restriction-Policies /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Sysmon /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss System-Time-Change /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Task-Scheduler /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Terminal-Services /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Windows-Defender /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Windows-Diagnostics /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Windows-Updates /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss Wireless /e:true
wef:
wef: C:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions>wecutil ss WMI /e:true
wef: [13:50] Enabling WecUtil Quick Config...
wef: Windows Event Collector service was configured successfully.
==> wef: Running provisioner: shell...
wef: Running: scripts/install-splunkuf.ps1 as c:\tmp\vagrant-shell.ps1
wef: Downloading Splunk Universal Forwarder
wef: [13:51] Installing & Starting Splunk
wef: [13:51] Splunk installation complete!
==> wef: Running provisioner: shell...
wef: Running: scripts/install-windows_ta.ps1 as c:\tmp\vagrant-shell.ps1
wef: [13:52] Installing the Windows TA for Splunk
wef: [13:52] Installing the Windows TA
wef: Directory: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows
wef: Mode LastWriteTime Length Name
wef: ---- ------------- ------ ----
wef: d----- 12/19/2019 1:52 PM local
wef: [13:52] Sleeping for 15 seconds
wef: App 'C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_500.tgz' installed
wef: You need to restart the Splunk Server (splunkd) for your changes to take effect.
wef: [13:52] Windows TA installed successfully.
==> wef: Running provisioner: shell...
wef: Running: scripts/install-utilities.ps1 as c:\tmp\vagrant-shell.ps1
wef: Installing Chocolatey
wef: Getting latest version of the Chocolatey package for download.
wef: Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.15.
wef: Downloading 7-Zip commandline tool prior to extraction.
wef: Extracting C:\Users\vagrant\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\vagrant\AppData\Local\Temp\chocolatey\chocInstall...
wef: Installing chocolatey on this machine
wef: Creating ChocolateyInstall as an environment variable (targeting 'Machine')
wef: Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
wef: WARNING: It's very likely you will need to close and reopen your shell
wef: before you can use choco.
wef: Restricting write permissions to Administrators
wef: We are setting up the Chocolatey package repository.
wef: The packages themselves go to 'C:\ProgramData\chocolatey\lib'
wef: (i.e. C:\ProgramData\chocolatey\lib\yourPackageName).
wef: A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin'
wef: and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.
wef: Creating Chocolatey folders if they do not already exist.
wef: WARNING: You can safely ignore errors related to missing log files when
wef: upgrading from a version of Chocolatey less than 0.9.9.
wef: 'Batch file could not be found' is also safe to ignore.
wef: 'The system cannot find the file specified' - also safe.
wef: chocolatey.nupkg file not installed in lib.
wef: Attempting to locate it from bootstrapper.
wef: PATH environment variable does not have C:\ProgramData\chocolatey\bin in it. Adding...
wef: WARNING: Not setting tab completion: Profile file does not exist at
wef: 'C:\Users\vagrant\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'.
wef: Chocolatey (choco.exe) is now ready.
wef: You can call choco from anywhere, command line or powershell by typing choco.
wef: Run choco /? for a list of functions.
wef: You may need to shut down and restart powershell and/or consoles
wef: first prior to using choco.
wef: Ensuring chocolatey commands are on the path
wef: Ensuring chocolatey.nupkg is in the lib folder
wef: [13:52] Installing utilities...
wef: Installing the following packages:
wef: NotepadPlusPlus
wef: By installing you accept licenses for the packages.
wef: chocolatey-core.extension v1.3.5.1 [Approved]
wef: chocolatey-core.extension package files install completed. Performing other installation steps.
wef: Installed/updated chocolatey-core extensions.
wef: The install of chocolatey-core.extension was successful.
wef: Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-core'
wef: notepadplusplus.install v7.8.2 [Approved]
wef: notepadplusplus.install package files install completed. Performing other installation steps.
wef: Installing 64-bit notepadplusplus.install...
wef: notepadplusplus.install has been installed.
wef: notepadplusplus.install installed to 'C:\Program Files\Notepad++'
wef: Added C:\ProgramData\chocolatey\bin\notepad++.exe shim pointed to 'c:\program files\notepad++\notepad++.exe'.
wef: notepadplusplus.install may be able to be automatically uninstalled.
wef: The install of notepadplusplus.install was successful.
wef: Software installed as 'exe', install location is likely default.
wef: notepadplusplus v7.8.2 [Approved]
wef: notepadplusplus package files install completed. Performing other installation steps.
wef: The install of notepadplusplus was successful.
wef: Software install location not explicitly set, could be in package or
wef: default install location if installer.
wef: Chocolatey installed 3/3 packages.
wef: See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
wef: Installing the following packages:
wef: GoogleChrome
wef: By installing you accept licenses for the packages.
wef: GoogleChrome v79.0.3945.88 [Approved]
wef: googlechrome package files install completed. Performing other installation steps.
wef: Downloading googlechrome 64 bit
wef: from 'https://dl.google.com/tag/s/dl/chrome/install/googlechromestandaloneenterprise64.msi'
wef: Download of googlechromestandaloneenterprise64.msi (58.13 MB) completed.
wef: Hashes match.
wef: Installing googlechrome...
wef: googlechrome has been installed.
wef: googlechrome may be able to be automatically uninstalled.
wef: The install of googlechrome was successful.
wef: Software installed as 'MSI', install location is likely default.
wef: Chocolatey installed 1/1 packages.
wef: See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
wef: Installing the following packages:
wef: WinRar | |
wef: By installing you accept licenses for the packages. | |
wef: winrar v5.71 [Approved] | |
wef: winrar package files install completed. Performing other installation steps. | |
wef: Downloading winrar 64 bit | |
wef: from 'https://www.rarlab.com/rar/winrar-x64-571.exe' | |
wef: Download of winrar-x64-571.exe (3 MB) completed. | |
wef: Hashes match. | |
wef: Installing winrar... | |
wef: winrar has been installed. | |
wef: winrar may be able to be automatically uninstalled. | |
wef: The install of winrar was successful. | |
wef: Software installed to 'C:\Program Files\WinRAR\' | |
wef: Chocolatey installed 1/1 packages. | |
wef: See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log). | |
wef: Utilties installation complete! | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/install-redteam.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: [13:54] Installing Red Team Tooling... | |
wef: [13:54] Determining latest release of Mimikatz... | |
wef: [13:54] Downloading Powersploit... | |
wef: [13:55] Downloading Atomic Red Team... | |
wef: [13:56] Red Team tooling installation complete! | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/install-choco-extras.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: [13:56] Installing additional Choco packages... | |
wef: Chocolatey is already installed. | |
wef: Installing Chocolatey extras... | |
wef: Installing the following packages: | |
wef: wireshark | |
wef: By installing you accept licenses for the packages. | |
wef: chocolatey-windowsupdate.extension v1.0.4 [Approved] | |
wef: chocolatey-windowsupdate.extension package files install completed. Performing other installation steps. | |
wef: Installed/updated chocolatey-windowsupdate extensions. | |
wef: The install of chocolatey-windowsupdate.extension was successful. | |
wef: Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-windowsupdate' | |
wef: KB3035131 v1.0.3 [Approved] | |
wef: kb3035131 package files install completed. Performing other installation steps. | |
wef: Skipping installation because update KB3035131 does not apply to this operating system (Microsoft Windows Server 2016 Standard Evaluation). | |
wef: The install of kb3035131 was successful. | |
wef: Software install location not explicitly set, could be in package or | |
wef: default install location if installer. | |
wef: KB3033929 v1.0.5 [Approved] | |
wef: kb3033929 package files install completed. Performing other installation steps. | |
wef: Skipping installation because update KB3033929 does not apply to this operating system (Microsoft Windows Server 2016 Standard Evaluation). | |
wef: The install of kb3033929 was successful. | |
wef: Software install location not explicitly set, could be in package or | |
wef: default install location if installer. | |
wef: KB2919442 v1.0.20160915 [Approved] | |
wef: kb2919442 package files install completed. Performing other installation steps. | |
wef: Skipping installation because this hotfix only applies to Windows 8.1 and Windows Server 2012 R2. | |
wef: The install of kb2919442 was successful. | |
wef: Software install location not explicitly set, could be in package or | |
wef: default install location if installer. | |
wef: KB2919355 v1.0.20160915 [Approved] | |
wef: kb2919355 package files install completed. Performing other installation steps. | |
wef: Skipping installation because this hotfix only applies to Windows 8.1 and Windows Server 2012 R2. | |
wef: The install of kb2919355 was successful. | |
wef: Software install location not explicitly set, could be in package or | |
wef: default install location if installer. | |
wef: KB2999226 v1.0.20181019 [Approved] | |
wef: kb2999226 package files install completed. Performing other installation steps. | |
wef: Skipping installation because update KB2999226 does not apply to this operating system (Microsoft Windows Server 2016 Standard Evaluation). | |
wef: The install of kb2999226 was successful. | |
wef: Software install location not explicitly set, could be in package or | |
wef: default install location if installer. | |
wef: vcredist140 v14.24.28127.4 [Approved] | |
wef: vcredist140 package files install completed. Performing other installation steps. | |
wef: Downloading vcredist140-x86 | |
wef: from 'https://download.visualstudio.microsoft.com/download/pr/9307e627-aaac-42cb-a32a-a39e166ee8cb/E59AE3E886BD4571A811FE31A47959AE5C40D87C583F786816C60440252CD7EC/VC_redist.x86.exe' | |
wef: Download of VC_redist.x86.exe (13.7 MB) completed. | |
wef: Hashes match. | |
wef: Installing vcredist140-x86... | |
wef: vcredist140-x86 has been installed. | |
wef: Downloading vcredist140-x64 64 bit | |
wef: from 'https://download.visualstudio.microsoft.com/download/pr/3b070396-b7fb-4eee-aa8b-102a23c3e4f4/40EA2955391C9EAE3E35619C4C24B5AAF3D17AEAA6D09424EE9672AA9372AEED/VC_redist.x64.exe' | |
wef: Download of VC_redist.x64.exe (14.36 MB) completed. | |
wef: Hashes match. | |
wef: Installing vcredist140-x64... | |
wef: vcredist140-x64 has been installed. | |
wef: vcredist140 may be able to be automatically uninstalled. | |
wef: The install of vcredist140 was successful. | |
wef: Software installed as 'exe', install location is likely default. | |
wef: wireshark v3.2.0 [Approved] | |
wef: wireshark package files install completed. Performing other installation steps. | |
wef: Installing 64-bit wireshark... | |
wef: wireshark has been installed. | |
wef: wireshark can be automatically uninstalled. | |
wef: The install of wireshark was successful. | |
wef: Software installed to 'C:\Program Files\Wireshark' | |
wef: Chocolatey installed 8/8 packages. | |
wef: See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log). | |
wef: Installed: | |
wef: - kb2919355 v1.0.20160915 | |
wef: - kb3033929 v1.0.5 | |
wef: - kb2999226 v1.0.20181019 | |
wef: - wireshark v3.2.0 | |
wef: - kb2919442 v1.0.20160915 | |
wef: - vcredist140 v14.24.28127.4 | |
wef: - kb3035131 v1.0.3 | |
wef: - chocolatey-windowsupdate.extension v1.0.4 | |
wef: Installing the following packages: | |
wef: winpcap | |
wef: By installing you accept licenses for the packages. | |
wef: autohotkey.portable v1.1.32.00 [Approved] | |
wef: autohotkey.portable package files install completed. Performing other installation steps. | |
wef: Extracting C:\ProgramData\chocolatey\lib\autohotkey.portable\tools\AutoHotkey_1.1.32.00.zip to C:\ProgramData\chocolatey\lib\autohotkey.portable\tools... | |
wef: C:\ProgramData\chocolatey\lib\autohotkey.portable\tools | |
wef: Removing ANSI-32 version | |
wef: ShimGen has successfully created a shim for AutoHotkey.exe | |
wef: ShimGen has successfully created a shim for Ahk2Exe.exe | |
wef: The install of autohotkey.portable was successful. | |
wef: Software installed to 'C:\ProgramData\chocolatey\lib\autohotkey.portable\tools' | |
wef: WinPcap v4.1.3.20161116 [Approved] | |
wef: winpcap package files install completed. Performing other installation steps. | |
wef: Downloading WinPcap | |
wef: from 'https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe' | |
wef: Download of WinPcapInstall.exe (893.68 KB) completed. | |
wef: Hashes match. | |
wef: C:\Users\vagrant\AppData\Local\Temp\chocolatey\WinPcap\4.1.3.20161116\WinPcapInstall.exe | |
wef: Running Autohotkey installer | |
wef: winpcap may be able to be automatically uninstalled. | |
wef: The install of winpcap was successful. | |
wef: Software install location not explicitly set, could be in package or | |
wef: default install location if installer. | |
wef: Chocolatey installed 2/2 packages. | |
wef: See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log). | |
wef: [13:59] Choco addons complete! | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/install-osquery.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: [13:59] Installing osquery... | |
wef: Installing the following packages: | |
wef: osquery | |
wef: By installing you accept licenses for the packages. | |
wef: osquery v4.0.2 [Approved] | |
wef: osquery package files install completed. Performing other installation steps. | |
wef: C:\Program Files\osquery\osqueryd | |
wef: C:\Program Files\osquery\log | |
wef: Extracting C:\ProgramData\chocolatey\lib\osquery\tools\\bin\\osquery.zip to C:\Program Files\osquery... | |
wef: C:\Program Files\osquery | |
wef: True | |
wef: Environment Vars (like PATH) have changed. Close/reopen your shell to | |
wef: see the changes (or in powershell/cmd.exe just type `refreshenv`). | |
wef: The install of osquery was successful. | |
wef: Software installed to 'C:\Program Files\osquery' | |
wef: Chocolatey installed 1/1 packages. | |
wef: See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log). | |
wef: Setting osquery to run as a service | |
wef: Status Name DisplayName | |
wef: ------ ---- ----------- | |
wef: Stopped osqueryd osqueryd | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/install-sysinternals.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: [13:59] Installing SysInternals Tooling... | |
wef: Directory: C:\Tools | |
wef: Mode LastWriteTime Length Name | |
wef: ---- ------------- ------ ---- | |
wef: d----- 12/19/2019 1:59 PM Sysinternals | |
wef: Directory: C:\ProgramData | |
wef: Mode LastWriteTime Length Name | |
wef: ---- ------------- ------ ---- | |
wef: d----- 12/19/2019 1:59 PM Sysmon | |
wef: [13:59] Downloading Autoruns64.exe... | |
wef: [13:59] Downloading Procmon.exe... | |
wef: [13:59] Downloading PsExec64.exe... | |
wef: [13:59] Downloading procexp64.exe... | |
wef: [13:59] Downloading Sysmon64.exe... | |
wef: [13:59] Downloading Tcpview.exe... | |
wef: [13:59] Downloading Olaf Hartong's Sysmon config... | |
wef: [13:59] Starting Sysmon... | |
wef: [13:59] Verifying that the Sysmon service is running... | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/configure-pslogstranscriptsshare.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: [13:59] Configuring the Powershell Transcripts Share | |
wef: Directory: C:\ | |
wef: Mode LastWriteTime Length Name | |
wef: ---- ------------- ------ ---- | |
wef: d----- 12/19/2019 1:59 PM pslogs | |
wef: AvailabilityType : NonClustered | |
wef: CachingMode : Manual | |
wef: CATimeout : 0 | |
wef: ConcurrentUserLimit : 0 | |
wef: ContinuouslyAvailable : False | |
wef: CurrentUsers : 0 | |
wef: Description : | |
wef: EncryptData : False | |
wef: FolderEnumerationMode : Unrestricted | |
wef: Name : pslogs | |
wef: Path : c:\pslogs | |
wef: Scoped : False | |
wef: ScopeName : * | |
wef: SecurityDescriptor : O:SYG:SYD:(A;;0x1301bf;;;WD) | |
wef: ShadowCopy : False | |
wef: ShareState : Online | |
wef: ShareType : FileSystemDirectory | |
wef: SmbInstance : Default | |
wef: Special : False | |
wef: Temporary : False | |
wef: Volume : \\?\Volume{81b50f68-0000-0000-0000-f01500000000}\ | |
wef: PSComputerName : | |
wef: PresetPathAcl : System.Security.AccessControl.DirectorySecurity | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/install-autorunstowineventlog.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: [14:00] Installing AutorunsToWinEventLog... | |
wef: Directory: C:\Program Files | |
wef: Mode LastWriteTime Length Name | |
wef: ---- ------------- ------ ---- | |
wef: d----- 12/19/2019 2:00 PM AutorunsToWinEventLog | |
wef: Actions : {MSFT_TaskExecAction} | |
wef: Author : | |
wef: Date : | |
wef: Description : | |
wef: Documentation : | |
wef: Principal : MSFT_TaskPrincipal2 | |
wef: SecurityDescriptor : | |
wef: Settings : MSFT_TaskSettings3 | |
wef: Source : | |
wef: State : Ready | |
wef: TaskName : AutorunsToWinEventLog | |
wef: TaskPath : \ | |
wef: Triggers : {MSFT_TaskDailyTrigger} | |
wef: URI : \AutorunsToWinEventLog | |
wef: Version : | |
wef: PSComputerName : | |
wef: Actions : {MSFT_TaskExecAction} | |
wef: Author : | |
wef: Date : | |
wef: Description : | |
wef: Documentation : | |
wef: Principal : MSFT_TaskPrincipal2 | |
wef: SecurityDescriptor : | |
wef: Settings : MSFT_TaskSettings3 | |
wef: Source : | |
wef: State : Ready | |
wef: TaskName : AutorunsToWinEventLog | |
wef: TaskPath : \ | |
wef: Triggers : {MSFT_TaskDailyTrigger} | |
wef: URI : \AutorunsToWinEventLog | |
wef: Version : | |
wef: PSComputerName : | |
wef: AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am | |
==> wef: Running provisioner: shell... | |
wef: Running: inline PowerShell script | |
==> wef: Running provisioner: shell... | |
wef: Running: scripts/install-microsoft-ata.ps1 as c:\tmp\vagrant-shell.ps1 | |
wef: Microsoft ATA 1.9.iso doesn't exist yet, downloading... | |
wef: Downloading Microsoft ATA 1.9... | |
wef: Installing Microsoft ATA 1.9 | |
wef: Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName | |
wef: ------- ------ ----- ----- ------ -- -- ----------- | |
wef: 0 0 0 0.25 1584 | |
wef: [14:12] [DC] Installing ATA Lightweight gateway... | |
wef: Sleeping 5 minutes to allow ATA gateway to start up... |