diff --git a/Vagrant/resources/GPO/disable_windows_defender/manifest.xml b/Vagrant/resources/GPO/disable_windows_defender/manifest.xml deleted file mode 100755 index 2382df2a9..000000000 --- a/Vagrant/resources/GPO/disable_windows_defender/manifest.xml +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml b/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml deleted file mode 100755 index d5b772ce7..000000000 --- a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml +++ /dev/null @@ -1,18 +0,0 @@ - - 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/registry.pol
deleted file mode 100755
index 08a48aaaf..000000000
Binary files a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/registry.pol and /dev/null differ
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/bkupInfo.xml b/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/bkupInfo.xml
deleted file mode 100755
index 0e7c0a5ed..000000000
--- a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/bkupInfo.xml
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml
new file mode 100644
index 000000000..b376e3d03
--- /dev/null
+++ b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/Backup.xml
@@ -0,0 +1,18 @@ + + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 8b 9d fe a6 56 fa 03 32 ec ac 2c 5e e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 8b 9d fe a6 56 fa 03 32 ec ac 2c 5e 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 8b 9d fe a6 56 fa 03 32 ec ac 2c 5e 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml new file mode 100644 index 000000000..2f2034cd8 --- /dev/null +++ b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml @@ -0,0 +1,3 @@ + + + diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/comment.cmtx old mode 100755 new mode 100644 similarity index 100% rename from Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/comment.cmtx rename to Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/comment.cmtx 
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/registry.pol
new file mode 100644
index 000000000..dc337571f
Binary files /dev/null and b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/DomainSysvol/GPO/Machine/registry.pol differ
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml
new file mode 100644
index 000000000..6d0643d04
--- /dev/null
+++ b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/bkupInfo.xml
@@ -0,0 +1 @@
+
diff --git a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/gpreport.xml b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/gpreport.xml
old mode 100755
new mode 100644
similarity index 53%
rename from Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/gpreport.xml
rename to Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/gpreport.xml
index 9a2740adc..86dd38461
Binary files a/Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/gpreport.xml and b/Vagrant/resources/GPO/disable_windows_defender/{F2150233-4B8F-4347-8D70-23D3984D9B78}/gpreport.xml differ
diff --git a/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1 b/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1
index 0da238869..5d6b30db7 100644
--- a/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1
+++ b/Vagrant/resources/windows/Microsoft.PowerShell_profile.ps1
@@ -1,5 +1,3 @@
-Write-Host "Invoke-AtomicTest has been loaded."
-Write-Host "Learn more about atomic tests here: https://git.io/Jed0L"
-Write-Host ""
 Import-Module "C:\Tools\Atomic Red Team\atomic-red-team-master\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1"
-$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Tools\Atomic Red Team\atomic-red-team-master\atomics"}
\ No newline at end of file
+$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Tools\Atomic Red Team\atomic-red-team-master\atomics"}
+$env:Path += ";c:\Program Files\osquery"
\ No newline at end of file
diff --git a/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1 b/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1
index fd5cf8470..793974288 100644
--- a/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1
+++ b/Vagrant/scripts/configure-disable-windows-defender-gpo.ps1
@@ -1,4 +1,4 @@
-# Purpose: Install the GPO that disables Windows Defender
+# Purpose: Install the GPO that disables Windows Defender and AMSI
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to disable Windows Defender..."
 Import-GPO -BackupGpoName 'Disable Windows Defender' -Path "c:\vagrant\resources\GPO\disable_windows_defender" -TargetName 'Disable Windows Defender' -CreateIfNeeded
diff --git a/Vagrant/scripts/install-evtx-attack-samples.ps1 b/Vagrant/scripts/install-evtx-attack-samples.ps1
index 71d987036..ef1734db1 100644
--- a/Vagrant/scripts/install-evtx-attack-samples.ps1
+++ b/Vagrant/scripts/install-evtx-attack-samples.ps1
@@ -67,7 +67,7 @@ sourcetype = preprocess-winevt'
 } Catch {
 Start-Sleep 10
 Stop-Service -Name SplunkForwarder -Force
- Start-Service -Name SplunkForwarder -Force
+ Start-Service -Name SplunkForwarder
 }
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Done! Look in 'index=EVTX-ATTACK-SAMPLES' in Splunk to query these samples."
 }
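Review bot: The `Import-GPO -BackupGpoName 'Disable Windows Defender' -Path "c:\vagrant\resources\GPO\disable_windows_defender" ...` context line in configure-disable-windows-defender-gpo.ps1 resolves the backup by display name, which as far as I know is done through the `manifest.xml` in the backup root; this commit deletes `Vagrant/resources/GPO/disable_windows_defender/manifest.xml` (first file in the diff) and, in the part of the diff visible here, adds no replacement, so the import may fail with a backup-not-found error even though the new `{F2150233-4B8F-4347-8D70-23D3984D9B78}` backup folder is present. Either re-export the GPO so a fresh manifest.xml ships with the backup, or select the backup explicitly, e.g. `Import-GPO -BackupId 'F2150233-4B8F-4347-8D70-23D3984D9B78' -Path "c:\vagrant\resources\GPO\disable_windows_defender" -TargetName 'Disable Windows Defender' -CreateIfNeeded`. The `Write-Host` line above it still says only "to disable Windows Defender" while the new header comment adds AMSI; updating the message keeps the provisioning log consistent with what the GPO now does. The hunk appears to cover the whole script.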
diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1
index ed9f15f5b..10659e044 100755
--- a/Vagrant/scripts/install-splunkuf.ps1
+++ b/Vagrant/scripts/install-splunkuf.ps1
@@ -2,17 +2,17 @@ If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading Splunk Universal Forwarder..."
- $msiFile = $env:Temp + "\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi"
+ $msiFile = $env:Temp + "\splunkforwarder-8.1.0.1-24fd52428b5a-x64-release.msi"
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing & Starting Splunk"
 [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
- (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=7.1.0&product=universalforwarder&filename=splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi&wget=true', $msiFile)
- Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
-} Else {
+ (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=8.1.0.1&product=universalforwarder&filename=splunkforwarder-8.1.0.1-24fd52428b5a-x64-release.msi&wget=true', $msiFile)
+ Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.105:9997" WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 WINEVENTLOG_APP_ENABLE=0 AGREETOLICENSE=Yes SERVICESTARTTYPE=AUTO LAUNCHSPLUNK=1 SPLUNKPASSWORD=changeme /quiet' -Wait
+}
+Else {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk is already installed. Moving on."
 }
-If ((Get-Service -name splunkforwarder).Status -ne "Running")
-{
+If ((Get-Service -name splunkforwarder).Status -ne "Running") {
 throw "Splunk forwarder service not running"
 }
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk installation complete!"
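Review bot: The new 8.1.0.1 MSI is still downloaded and handed straight to msiexec with no integrity check, so the updated `DownloadFile` and `Start-Process` lines keep the build trusting whatever the download servlet returns; Splunk publishes a checksum next to each release, so pin it and verify between the two calls, e.g. `if ((Get-FileHash -Algorithm SHA512 $msiFile).Hash -ne '<EXPECTED_SHA512_PLACEHOLDER>') { throw "Splunk UF MSI checksum mismatch" }`. The unchanged `[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"` context line still lets that download negotiate TLS 1.0/1.1, and `"tls12"` alone should be sufficient for splunk.com. The rewritten `Start-Process` line also keeps `SPLUNKPASSWORD=changeme` in the msiexec argument list, where it is visible in process listings and provisioning logs; reading it from an environment variable or a file would at least keep the lab credential out of the script. Note that the surrounding `Test-Path` guard skips the whole block whenever a `splunk.exe` already exists, so a host provisioned with the earlier 7.1.0 forwarder is not upgraded by this change. The hunk covers the entire `If`/`Else` block, so nothing relevant is cut off.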