What's the resources for?

June 2, 2020 ยท View on GitHub

ARM does a lot of heavy lifting, but DSC does even more. In these DSC configurations, Choco is also leveraged on all the VMs.

ContosoDC

ContosoDC is the Domain Controller. It's default Forest is 'Contoso.Azure'. It also creates users, including:

UsernameRolePurpose
SamiraADomain AdminManages the domain
RonHDHelpdeskManages endpoints, but not Domain Controller
JeffLUnprivileged domain user, has admin access to VictimPCUser which is compromised, has admin access on own workstation to mimic local escalation
LisaVUnprivileged domain user, high impact userHas access to highly confidential data
JulianIUnprivileged domain user, high impact userMCAS Demo account
MeganBUnprivileged domain user, high impact userMCAS Demo account

VictimPC

This is where majority of attack tools are staged. VictimPC is where the adversary starts.

Note that these attack tools are for research purposes, and really aren't "malicious" but can be used maliciously based on intent. Those tools include:

Note

JoeWare's NetSess.exe explicitly prevents us from including this automatically in the build. You can however, add this yourself by grabbing it from their site.

AdminPC

This is where SamiraA operates from. This mimics a Privileged Admin Workstation (PAW). It also shows that these workstations also have to be managed, which is why RonHD is also an administrator of this machine.

Ubuntu-Katoolin

Ubuntu-Katoolin is a preconfigured Katoolin Ubuntu workstation to simulate attacks within the demo enviroment

UsernameRolePurpose
Cookies(adm),(dialout),(cdrom),(floppy),(sudo),(audio),(dip),(video),(plugdev),(netdev),(lxd)Root admin for Ubuntu Kali box

Kail-tools has been configured to the Ubuntu sources.list

Build configuration file has been stored within the '/' directory named Runcmd.txt from the Runcmd Cloud-init configuration from 'ProvisionKatoolin.Yaml'

Non-attack tools preinstalled:

Cloned the DefendTheFlag repository into /usr/bin/DefendTheFlag

Extracted and Unzipped Attack/Bash scripts into Cookies user directory '~'

Note that these attack tools are for research purposes, and really aren't "malicious" but can be used maliciously based on intent. Those tools include:

Note

Future updates of DefendTheFlag build with have automatic attacks for other boxes within the DTF build through automation of scheduled tasks

Client01

Has data on the machine which can be seen as confidential, including credit card information and social security data.