2. Hey What’s up, I’m Jason
• Builder of things @SANS Institute
• Certified Instructor @SANS, SEC588 “Cloud Penetration Testing”
• Founder, Principal @Stora Security
• Community tool author
• Family, hockey, football
• I’m from DFW and I graduated from HS here. Hi Mom!
New tool! Cloud “edge” bug
bounty and recon tool
github.com/iknowjason/edge
5. Infrastructure as Code (IaC)
• Infrastructure as Code is the managing and provisioning of infrastructure
automated through code instead of manually.
• Configuration is code stored in a VCS (Github, Gitlab)
• Declarative, tracking desired state
• Benefits: Speed, consistency, repeatability, lower cost
• Each cloud provider has their own IaC service
• Two popular multi-cloud platform tools: Pulumi & Terraform
6. Terraform Overview
• Terraform is a free, universal, and popular IaC tool that can manage infrastructure
with declarative files
• Build, change, and version infrastructure in AWS, GCP, Azure
• Providers: plugins that talk to API for different cloud providers and can provision
Infrastructure, DNS, SaaS services, Kubernetes
1. terraform
CLI
2. Terraform
Provider 3. Target
API
$ terraform init
$ terraform plan
$ terraform apply
Terraform uses Hashicorp
Configuration Language
(HCL)
Terraform can also be used to auto provision resources in
Identity solutions such as Azure Active Directory!
Terraform
Registry
AWS
Azure
GCP
7. Pulumi Overview
• Pulumi is a free and universal IaC tool that leverages existing programming
languages to interact with cloud resources through the Pulumi SDK.
• Use Python, Go, JavaScript to to build, change, and version infrastructure in AWS, GCP, Azure
• Also uses the desired state model like Terraform
Pulumi CLI
&
Deploymen
t Engine Resource
Provider &
Plugin
Cloud
Providers
Python
Go
TypeScript
C#
Java
yaml
Pulumi SDK
AWS
Azure
GCP
8. Ansible Overview
• Ansible is a post-deployment Configuration Management (CM) tool
• Run YAML Ansible Playbooks using the Ansible tool for automation
• Pushes out small programs called modules
• Usually used after an OS has been deployed, for configuration of services
• Agentless: Uses SSH or WinRM to remotely access Windows or Linux systems
• Can be used to push changes across a fleet of hundreds or thousands of systems
for IT Automation
• Ansible can be used along with Terraform for cloud engineering use cases
9. Security as Code (SaC)
• Using code within a DevOps SDLC environment to help meet security
requirements.
Security Unit
Testing
within CI/CD
Security
Testing
Scripts
Security
Abuse
Stories
Security User
Stories
Security
Acceptance
Criteria for
Projects
11. Purple Teaming Overview (1)
• Purple Teaming: Red and Blue teams collaborating as a team to make defense
better
12. Purple Teaming Overview (2)
• Adversary Emulations run, from collaboration comes improvements:
• Adding better log sources
• Log Enrichment
• Improve Detection Engineering
• Process improvements
• Training for blue team
15. Why Simulation Labs?
• Learning a new technology
• Detection Engineering labs for properly instrumenting logs to detect attacks
• ”Detection as Code” as an ideal state
• Training Red and Blue teams, experimenting with a specific tool or
technique against a simulated EDR endpoint or AD environment
• Purple Teaming exercises
• R&D security research
• Malware lab
• Fun!
Purple Teaming: To test and improve
people, process, and technology. In
Cyber Ranges, the focus is on training
people and improving technology. The
Detection Engineering process is running
emulations in the Cyber Range to
improve logging and technology. These
changes eventually go into production.
17. DetectionLab
• Detection Engineering lab created by Chris Long automatically configured
with logging best practices
• https://detectionlab.network
• Great for endpoint security testing & logging research
• Packer, Vagrant, Powershell, Ansible, and Terraform scripts (AWS, Azure)
19. Splunk Attack Range
• Detection development platform featuring Splunk
• https://github.com/splunk/attack_range
• Creates a small lab with python scripts for remote management of attack
simulations using Atomic Red Team or PurpleSharp
• Docker container; AWS, Azure; Interactive CLI creates a custom range configuration
21. Adaz: Active Directory Hunting Lab in Azure
• Easily spin up a customizable Active Directory lab in Azure with domain-
joined workstations
• https://github.com/christophetd/Adaz
• Author: Christophe Tafani-Dereeper
• Use Cases: Detection engineering, Learn or test Active Directory
• ELK Server: Logs forwarded to ELK
• Other nice features
• A Domain configuration file in YAML that is very easy to customize
• Ansible playbooks for pushing AD changes or OS patches after deployment
• Windows Event Forwarding (WEF) with audit policies
• Sysmon
• Add multiple Windows 10 workstations with Domain Join
23. GHOSTS: User Simulation Framework (1)
• A user simulation framework for complex, realistic NPC orchestration
• NPC: Non-player characters: Realism of users and their behavior running
applications on an enterprise network
• Test skills and train network defenders with real NPC players operating on
the network creating static and background noise
Image Source: https://github.com/cmu-sei/GHOSTS
24. GHOSTS: User Simulation Framework (2)
• Grafana Dashboards and API
• GHOSTS Windows client binary runs user behavior based on JSON files
• Created by Carnegie Mellon University Software Engineering Institute:
https://github.com/cmu-sei/GHOSTS
• GHOSTS is a great tool for enhancing any Cyber Range with realistic, user
behavior
Image Source: https://github.com/cmu-sei/GHOSTS
27. Range Types by Focus Area
Detection Engineering is used to run emulations that improve logging and technology. The Ranges that include multi-host AD
will better inform complete attack coverage, exploiting trust relationships between domain joined systems and authenticated
sessions.
Detection Engineering
transforms an idea of how to
detect a specific condition or
activity into a concrete
description of how to detect
it.
Credit: Florian Roth
30. BlueCloud Cyber Range
• Easily spin up a small Detection Engineering lab in AWS or Azure
• Logging server runs Velociraptor + HELK (velocihelk)
• Windows endpoint instrumented with Velociraptor agent that auto-registers
• Windows endpoint instrumented with Winlogbeat that ships Sysmon logs
using Kafka transport to HELK
• Three tools on endpoint for adversary simulation
• Atomic Red Team, Elastic Detection RTA, and APTSimulator
BlueCloud is currently single Windows
host.
32. PurpleCloud Labs (1)
• PurpleCloud is an open-source Cyber Range that automates creation of
simulation labs in Azure
• Site: https://www.purplecloud.network
• Author: Jason Ostrom
• Terraform code generators that create unique ranges for different use
cases
33. PurpleCloud Labs (2)
• What it is
• “Build your own lab” style of lab creation
• For security researchers, Blue, Red, other security enthusiasts
• Run attack simulations and understand defenses
• Bug Bounty
• Mix and match labs to create a custom, Hybrid Identity enterprise
• User Story: used it for creating a Detection Engineering training class
• What it is not
• Guided vulnerability labs
37. Azure AD Lab Generator
• Creates an Azure Active Directory lab filled with Azure users, groups, and
applications
• Key Features
• Randomly generate Azure AD users using faker library for simulated users
• Customizable list of Groups Added (Default: 11)
• Customizable list of Azure AD Applications and Service Principals (Default: 7)
• Users auto-assigned randomly into Groups
• Includes a vulnerable privilege escalation scenario and attack scripts
• Example Usage
% python3 azure_ad.py --upn rtcfingroup.com --count 500 --apps 3 --groups 5
First of its kind Azure AD open-source tool to auto-generate Azure AD
lab
40. Create Azure Applications and Groups: Auto-
assign users into groups
100 users are randomly placed
into 5 different Azure AD
Groups.
41. Service Principal Abuse Attack Scenario Created
Hat tip and credit to security researchers (Andy Robbins, Dirk-jan
Mollema) for their writeups on this issue. Original articles are included
in references section.
42. Adversary Behaviors
• Simulate adversary techniques mapped to the Azure Threat Research
Matrix: https://microsoft.github.io/Azure-Threat-Research-Matrix/
43. Detection Engineering (1)
• Start the process of Detection Engineering with Adversary Emulations
• Password Spray: Attacker rotates IP addresses using Amazon API
Gateway
Adversary runs a Password
Spray and rotates their source
IP address using Amazon API
Gateway. Note the different
location and user in each
request.
44. Detection Engineering (2)
• Password Spraying using Amazon API Gateway can be detected and
blocked
• Use Amazon’s published IP prefixes to parse all API Gateway prefixes
• Lookup IP address of password attempt against the list
• Instrument SIEM, WAF, or Firewall to detect a threshold of password attempts and
block
curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="API_GATEWAY") | .ip_prefix'
45. Sentinel Detections
• Use Azure Sentinel and KQL queries for detection improvement
• Example KQL: union SigninLogs Build KQL detections and
automate processes for
detection engineering.
Map Azure-specific TTPs
using the Azure Threat
Research Matrix.
47. Detection Engineering & Sentinel
• Example KQL
• Detect Service Principal Logins
• Detect changes to App Role Assignments
• Detect adding secrets to applications
AuditLogs
|where OperationName =="Update application – Certificates and secrets management" and
Category=="ApplicationManagement"
49. Active Directory + SIEM Lab Generator (1)
• ad.py is a Terraform generator for an Active Directory Lab created with Azure VMs
and includes support for Velociraptor and a SIEM using Hunting ELK
• Key Features
• Create a custom IaaS Active Directory environment with Azure VMs
• Deploys a SIEM (Hunting ELK) and endpoints instrumented with
Sysmon/Winlogbeat/Velociraptor/Atomic Red Team
• Endpoints include PurpleSharp
• Downloads Azure AD Connect msi installer onto DC’s desktop
• Example Usage
% python3 ad.py --domain_controller --ad_domain rtcfingroup.com --admin RTCAdmin --password
MyPassword012345 --csv users.csv --endpoints 2 --domain_join
50. Active Directory + SIEM Lab Generator (2)
• Create a customizable, realistic, large AD environment
• Import users from CSV, or randomly generate users
• Random Generator creates as many users as you desire
• Automatically creates OU, AD Groups, and assigns users into OU, Groups
• Automatic Domain Join: Configurable Domain Join per VM
• Auto-logon Domain users with Domain credentials, for realistic simulations
(Interactive Type 2 Logon, Mimikatz)
• Great for practicing or learning Active Directory
51. Simulate an On-Premise Active Directory Lab
Create an AD Domain with 500 AD users. Create
three Windows 10 Professional endpoints, joining
them to the domain.
55. Active Directory Created with 3 Domain Joined
500 Domain Users assigned
into different OU and AD
Groups.
Three Windows 10 Pro joined to the
domain based on Python script.
56. Auto Logon Domain Users with AD credentials
With this feature, you can
practice lateral movements
across domain joined systems
and extracting domain
credentials from LSASS
memory.
57. Passwords in AD default to Strong, but
customizable
Specify your desired password
for all users via command line
parameter.
Default behavior is to auto-
generate a strong password
and assign to all users, putting
into CSV file.
59. PupleCloud IaaS Advantage
• Advantage of PurpleCloud:
• Practice simulations against Domain Joined workstations with users logged
in with domain user credentials
• Simulate lateral movement in AD enterprise
• Simulate extraction of domain user credentials from memory
• Windows and Sysmon logs shipped to a SIEM (HELK)
• Sysmon v14
• Customize your XML (uses SwiftOnSecurity)
• Study forensic artifacts with Velociraptor
PurpleCloud is a solid lab to learn
Active Directory
60. HELK: The Hunting ELK (1)
• PurpleCloud automatically builds HELK as the SIEM
• https://github.com/Cyb3rWard0g/HELK
• Endpoints ship Sysmon logs via Winlogbeat agent
• HELK hardware option #4 is built for Jupyter Notebooks + ElastAlert
61. HELK: The Hunting ELK (2)
• Endpoints configured with Sysmon Version 14
• SwiftOnSecurity XML configuration
• Files included in Github repository and can be customized
• winlogbeat.yml
• Sysmon.zip
• Symonconfig-export.xml
user@host ad % cd files/velocihelk
user@host velocihelk %
user@host velocihelk % ls
helk.sh.tpl
sysmonconfig-export.xml
winlogbeat.yml.tpl
user@host velocihelk %
62. Velociraptor Live Response
• PurpleCloud automatically install a Velociraptor Server
• Deploys Velociraptor agent on Windows systems
• https://github.com/Velocidex/velociraptor
• Endpoint visibility tool for digital forensics and live response
• Uses Velociraptor Query Language (VQL) to interrogate hosts and pull
forensic artifacts
64. Hybrid Identity Lab
• Advantage of PurpleCloud
• Creates an Azure AD lab + On-Premise AD lab
• Automates creation of a mixed-use Hybrid Identity lab
• Drops latest Azure AD Connect on DC’s Desktop
• Use Azure AD Connect agent to synchronize users from on-premise to Azure AD
• Saves time and effort doing manual installation
• Attack simulations against Azure AD Joined Windows 10 and Hybrid Joined
devices that are also joined to On-Premise AD
We are seeing a large growth of
companies deploying Hybrid cloud,
mixing On-Premise with Cloud systems,
& synchronizing users into the Cloud.
66. Microsoft Sentinel Lab Generator
• Creates a Microsoft Sentinel and log analytics workspace lab with
endpoints
• Key Features
• Endpoints install Azure Monitoring agents and send logs to Log Analytics workspace
• Endpoints install Sysmon v14
• Sentinel Data Connector for Office
• Sentinel Data Connector for AAD
• Supports full Active Directory deployment with Domain Join (same as ad.py)
• Example Usage
% python3 sentinel.py --domain_controller --ad_domain rtcfingroup.com --admin RTCAdmin --password
MyPassword012345 --csv users.csv --endpoints 2 --domain_join
67. Detection Engineering & Sentinel
• Microsoft Sentinel KQL for Windows Event Logs:
• Windows Event Logs: union SecurityEvent
• Sysmon: union Event
• Run PurpleSharp
PurpleSharp is a C# adversary
simulation tool that executes
adversary techniques. It can
be used to generate and study
Sysmon logs that are shipped
to Sentinel.
https://github.com/mvelazc0/
PurpleSharp
PurpleSharp is downloaded to all
Windows 10 and can be accessed:
C:toolsPurpleSharp.exe
69. Application Consent Phishing Lab
• Creates a multi-tenant Azure AD application that can be used for consent
phishing attack and defense
• Key Features
• Multi-tenant Azure AD application that can be used to practice app consent phishing
• Customizable Graph API permissions (Default: Mail.Read, Files.Read)
• Script parameter to specify custom application name
• Script parameter to specify redirect_uri
• Example Usage
% python3 phishing_app.py --name PhishingApp --redirect_uri https://www.evilcorp.io/get_token
72. Detection Engineering & Sentinel
• Azure Portal: Audit Logs
• Example KQL: union AuditLogs
Audit logs can trigger alarms on
user behavior for application
consent to application permissions.
74. Managed Identity Lab Generator
• Creates a Managed Identity lab with an Azure VM Identity automatically
created and assigned
• Key Features
• Creates one Azure Virtual Machine with a managed identity assigned
• Default user assigned identity with role of reader on the subscription
• Script parameter to change role to owner or contributor
• Randomly generates one Azure AD user with a role of Virtual Machine Contributor
• Script parameter to add a system-assigned identity to the Virtual Machine
• Creates storage account, containers, blobs, shares, and key vaults
• Example Usage
% python3 managed_identity.py -u rtcfingroup.com -n rtcfin -l eastus -a RTCAdmin -p MyPassword012345 -ua reader -sa
76. Acquire an Identity Access Token
An attacker with RDP
access can acquire the
Identity’s access token or
use az vm run command.
An attacker can sign
into Azure AD using
the VM’s managed
identity. Sign in logs
can track this
behavior.
77. Detection Engineering & Sentinel
• Azure Portal: Managed Identity sign-ins
• Example KQL: union AADManagedIdentitySignInLogs
79. Storage Lab Generator
• Creates an Azure Storage security lab
• Azure Resources Created
• Storage account
• Three storage containers with different permission levels (private, blob, container)
• Two azure shares
• Upload of fake, sensitive files to shares and containers as blobs
• Key vault with secrets, private keys, and certificates
• Example Usage
% python3 storage.py
80. Security Testing for Anonymous Blob Access
The Container access
level enables indexing of
files.
The simulation lab
uploads sample files.
81. Appending a string of
“?comp=list” to a storage
container with “container”
access level will reveal all of
the files in the target
container.
83. ADFS Lab Generator
• Creates an Active Directory Federation Services (ADFS) lab.
• Key Features
• Deploys an ADFS server joined to a created Domain Controller with AD Domain
• Deploys Azure Sentinel
• Deploys Azure monitoring agent on ADFS server and ADFS Audit log best practices for
shipping logs into Sentinel
• Supports self-signed ADFS certificate deployment (Default)
• Supports ADFS trusted certificate import using optional script parameters
• Implements ADFS Audit log best practices
• Example Usage
% python3 adfs.py --trusted_cert adfs.pfx --pfx_password password
Credit to Roberto
Rodriguez and his Azure
Simuland tool. The ADFS
Lab Generator was inspired
by Simuland.
84. ADFS Security Auditing logs
• Generate authentication events for success and failure
Credit to Roberto
Rodriguez for his blog on
enabling ADFS Security
Auditing.
85. Detection Engineering & Sentinel
• Example KQL
SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventSourceName == ‘AD FS Auditing’
86. Extract Token Signing Certificate Used in ADFS
• Golden SAML
Credit to Dr. Nestori
Syynimaa, his Golden SAML
research, and his
AADInternals tool.
https://aadinternals.com
89. Azure AD Join Lab Generator
• Creates an Azure AD Join security lab with Azure Virtual Machines joined
to Azure Active Directory.
• Key Features
• Creates optional number of Windows 10 Endpoints and automatically joins them to
Azure Active Directory
• Deploys a system assigned Identity and optional user assigned identity on all Azure
VMs
• Creates simulated Azure AD users with role of Virtual Machine Administrator Login and
Virtual Machine User Login
• Example Usage
% python3 aadjoin.py --endpoints 1 -u rtcfingroup.com
90. Detection Engineering & Sentinel
• Azure Portal: User sign-ins (non-interactive)
• Example KQL: union AADNonInteractiveUserSignInLogs
• Connection IP addresses appear sourced from an Azure data center IP
92. PurpleCloud Use Cases
• PurpleCloud enables anyone to auto-create an Azure AD security lab for a variety
of use cases:
• Create an Azure AD Lab mirroring customer tenant, to practice privilege escalation
• App Consent phishing campaigns + Social Engineering
• Create the lab with exact number of Azure AD users, to practice recon tooling,
username enumeration, password spraying behavior
• Blue teams to instrument Azure sign-in logs correctly + Detection Engineering +
Purple Teaming exercises
• R&D security research for new vulnerabilities or techniques
PurpleCloud can be used for Purple Teaming
exercises!
94. Free SANS Workshop: Building an Azure AD
Pentest lab for Red Teams
• Free guided scenario vulnerability lab with playbook
• Registration URL: https://www.sans.org/webcasts/sans-workshop-building-
azure-pentest-lab-red-teams
95. Thank you for joining! Thank you BSidesDFW!
• Contact Information
• Jason Ostrom
• @securitypuck
• jostrom@stora.io
Creating scripts or configuration files written as code, enabling automated rollout of infrastructure. Release infrastructure via CI/CD pipeline. In the old way of doing things, engineers had to manually install the OS and applications. Sit at multiple machines pressing the Next button, installing software with a CD. Does not scale very well at all. Manual tasks can be error-prone. Biggest advantage is repeatable. We have IaC tooling for infrastructure provisioning (terraform, pulumi) and for configuration management (Ansible, Chef, Puppet). IaC guarantees we can make perfect copies. If we ensure that IaC is secure, giant win for security team and organizations as a whole. Another huge advantage is using version control system for documentation and tracking of the changes. Configuration changes are recorded and then security testing performed on it in your CI/CD pipeline. IaC code is immutable infrastructure, which reduces risk. You do not add patches or change it while it is in place. Advantage is that you can’t accidentally corrupt your infrastructure images or break something while it is in production. Replace with something new that has already ensured to work via CI/CD testing. Source: Tanya Janka: Alice and Bob Learn Application Security.
Pulumi works differently than Terraform. Terraform CLI is a Go-based program that has its own configuration language, Hashicorp Configuration Language (HCL).
Pulumi, on the other hand, leverages existing programming languages – TypeScript, JavaScript, Python, Go, .NET, Java to interact with cloud resources through the Pulumi SDK. There is a downloadable CLI, runtime, libraries, and a hosted service that work together to deliver a robust way of provisioning.
Weaving security through DevOps. Using code. DevSecOps is all security activities that happen within a DevOps SDLC, Security as Code is only the codified portions. Examples include adding code to your Infrastructure as Code to enforce security policies, writing code to implement and/or automate your security requirements, creating negative unit tests (unit tests that ensure you fail gracefully – also known as security regression testing), and adding security testing scripts to your pipelines. Security User Stories, and acceptance criteria. User security stories should be based off of: ensuring your CIA are intacts, preventing threat models, enforcing any security-related standards or policies, and implanting your project’s security requirements. Source: Tanya Janka: Alice and Bob Learn Application Security. Source: Agile Application Security (O’Reilly)
An informative article by Florian Roth, “About Detection Engineering”https://cyb3rops.medium.com/about-detection-engineering-44d39e0755f0
An informative article by Florian Roth, “About Detection Engineering”https://cyb3rops.medium.com/about-detection-engineering-44d39e0755f0
Detection Lab is very mature and stable. Has been around the longest. Many community contributors (64) and 3.7k stars.
Original author is Chris Long
* Website: https://github.com/clong/DetectionLab
Designed for defenders in mind. Primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and best practices.
Weekly build testing with CircleCI
Splunk-centric (Splunk Server + Universal Forwarder)
Windows Event Logs with WEF Forwarding configuration and custom channels to the WEC server
In the usage guide, excellent step by step guide for building your own AWS AMIs for self-hosting.
In the usage guide, Boss of the SOC (bots) dataset is very nice too
Comes pre-loaded with BadBlood. All you have to do is run it. A bunch of tools in the tools directory. Including Mimikatz.
Splunk Enterprise dashboard really nice.
Tested out PurpleSharp. It automatically deploys into C;\Tools. You just run it.
Powershell transcription logging
Osquery agents and Fleet server. The logger has it and it is really nice. The osquery agents (total of three) are instrumented and register to fleet
Sysmon instrumented into Splunk as index “Sysmon”
Suricata NIDS engine is installed with log source going into Splunk
Velociraptor console is installed and the velociraptor agent installed on all three endpoints.
Microsoft Advanced Threat Analytics
Zeek and Suricata
Complete local build instructions with VMWare, VirtualBox, Packer + Vagrant
Also supports ESXi and HyperV
AWS and Azure support with terraform
Supports white-listing (but not automatic)
Instead of relying on third-party forwarders (e.g. Splunk, Beats), we can leverage native Windows components. Windows event forwarding subscriptions are XML documents that allow you to include or exclude events based on highly granular information. In DetectionLab, advanced Windows auditing is enabled and the WEF host is used as a Windows event collector. Windows endpoints pull event “subscriptions” from WEF, defining which events we want to collect. Once the events have been centralized on WEF, they are then sent to Splunk via a single Splunk forwarder.
Detection Lab is very mature and stable. Has been around the longest. Many community contributors (64) and 3.7k stars.
Original author is Chris Long
* Website: https://github.com/clong/DetectionLab
Designed for defenders in mind. Primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and best practices.
Weekly build testing with CircleCI
Splunk-centric (Splunk Server + Universal Forwarder)
Windows Event Logs with WEF Forwarding configuration and custom channels to the WEC server
In the usage guide, excellent step by step guide for building your own AWS AMIs for self-hosting.
In the usage guide, Boss of the SOC (bots) dataset is very nice too
Comes pre-loaded with BadBlood. All you have to do is run it. A bunch of tools in the tools directory. Including Mimikatz.
Splunk Enterprise dashboard really nice.
Tested out PurpleSharp. It automatically deploys into C;\Tools. You just run it.
Powershell transcription logging
Osquery agents and Fleet server. The logger has it and it is really nice. The osquery agents (total of three) are instrumented and register to fleet
Sysmon instrumented into Splunk as index “Sysmon”
Suricata NIDS engine is installed with log source going into Splunk
Velociraptor console is installed and the velociraptor agent installed on all three endpoints.
Microsoft Advanced Threat Analytics
Zeek and Suricata
Complete local build instructions with VMWare, VirtualBox, Packer + Vagrant
Also supports ESXi and HyperV
AWS and Azure support with terraform
Supports white-listing (but not automatic)
Instead of relying on third-party forwarders (e.g. Splunk, Beats), we can leverage native Windows components. Windows event forwarding subscriptions are XML documents that allow you to include or exclude events based on highly granular information. In DetectionLab, advanced Windows auditing is enabled and the WEF host is used as a Windows event collector. Windows endpoints pull event “subscriptions” from WEF, defining which events we want to collect. Once the events have been centralized on WEF, they are then sent to Splunk via a single Splunk forwarder.
Splunk Attack range is mature, been around for a long time. Many community contributors (32) and 1.1k stars.
Website: https://github.com/splunk/attack_range
Difference from DetectionLab. The attack simulations can be instrumented remotely through Ansible using their python scripts. For DetectionLab, you login to the server and run it.
Detection Development platform that creates a small lab, supports different engines for running attack simulations (ART, Prelude), and integrates into a CI/CD to automate detection rule testing process.
Docker container support is very nice.
You can run attack simulations with both Atomic Red Team or PurpleSharp
Nice python scripts for configuration, building, testing, and simulations
Nice Log sources from the machines (Windows events, windows powershell, Sysmon, Zeek)
Splunk Server + Splunk SOAR server
Supports aws, azure
Automatic white-listing of your source IP address – very nice - essential
Con: Windows client only supported in Azure (not the fault of the range)
Interactive menu asks you questions in order to build the range, writes the configuration to a file (attack_range.conf)
Prelude Operator launches attacks using the pre-installed Penuma agent.
Atomic Red Team
Note: The attack simulations failed (python attack_range.py simulate –e ART or –e PurpleSharp) using the default commands on main page
Attack simulation support with multiple engines
Cloud + terraform centric
Splunk Attack range is mature, been around for a long time. Many community contributors (32) and 1.1k stars.
Website: https://github.com/splunk/attack_range
Difference from DetectionLab. The attack simulations can be instrumented remotely through Ansible using their python scripts. For DetectionLab, you login to the server and run it.
Detection Development platform that creates a small lab, supports different engines for running attack simulations (ART, Prelude), and integrates into a CI/CD to automate detection rule testing process.
Docker container support is very nice.
You can run attack simulations with both Atomic Red Team or PurpleSharp
Nice python scripts for configuration, building, testing, and simulations
Nice Log sources from the machines (Windows events, windows powershell, Sysmon, Zeek)
Splunk Server + Splunk SOAR server
Supports aws, azure
Automatic white-listing of your source IP address – very nice - essential
Con: Windows client only supported in Azure (not the fault of the range)
Interactive menu asks you questions in order to build the range, writes the configuration to a file (attack_range.conf)
Prelude Operator launches attacks using the pre-installed Penuma agent.
Atomic Red Team
Note: The attack simulations failed (python attack_range.py simulate –e ART or –e PurpleSharp) using the default commands on main page
Attack simulation support with multiple engines
Cloud + terraform centric
Easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible. Adaz is an Active Directory deployment lab that can also be used for threat hunting. It has some very nice features. It has a smaller number of contributors (4) in comparison to DetectionLab/Splunk Attack Range. It has 298 stars.
Original author is Christophe Tafani-Dereeper
Website: https://github.com/christophetd/Adaz
If you are looking for a nice, small Active Directory lab building as Azure IaaS, this is a great one. It also a lot of best practices configuration (WEF, Audit policies, Sysmon) with a customizable Domain configuration (yaml file) with automated domain join.
Logs are automatically sent to ELK
Windows Event Forwarding is pre-configured
A great Cyber Range for learning AD and for Detection Engineering of lateral movement techniques between systems
Uses Terraform and Ansible
Some really great features: Automated white listing with terraform. You run terraform apply when your IP address changes.
No dynamic naming of resource group supported
Flexible and customizable domain configuration with domain.yml file, which is used by Terraform to parse
Workstation logs forward events or WEF to the WEC which is the Domain Controller. DC has Winlogbeat to ship logs to ELK
Ansible playbooks are nice to run updates to users, groups, OUs after the lab has been created
To add or remove workstations, you change domain.yml configuration and then run terraform apply. That is nice.
Apply OS updates after lab is created, you can run dedicated ansible playbooks
Pretty sophisticated Ansible playbooks for desired domain configuration
The Elastic Kibana server is having an issue – unable to connect to the service.
Windows 10 workstations don’t show as domain joined and the DC doesn’t look right – no AD DS tools to look at domain users and computers
Easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible. Adaz is an Active Directory deployment lab that can also be used for threat hunting. It has some very nice features. It has a smaller number of contributors (4) in comparison to DetectionLab/Splunk Attack Range. It has 298 stars.
Original author is Christophe Tafani-Dereeper
Website: https://github.com/christophetd/Adaz
If you are looking for a nice, small Active Directory lab building as Azure IaaS, this is a great one. It also a lot of best practices configuration (WEF, Audit policies, Sysmon) with a customizable Domain configuration (yaml file) with automated domain join.
Logs are automatically sent to ELK
Windows Event Forwarding is pre-configured
A great Cyber Range for learning AD and for Detection Engineering of lateral movement techniques between systems
Uses Terraform and Ansible
Some really great features: Automated white listing with terraform. You run terraform apply when your IP address changes.
No dynamic naming of resource group supported
Flexible and customizable domain configuration with domain.yml file, which is used by Terraform to parse
Workstation logs forward events or WEF to the WEC which is the Domain Controller. DC has Winlogbeat to ship logs to ELK
Ansible playbooks are nice to run updates to users, groups, OUs after the lab has been created
To add or remove workstations, you change domain.yml configuration and then run terraform apply. That is nice.
Apply OS updates after lab is created, you can run dedicated ansible playbooks
Pretty sophisticated Ansible playbooks for desired domain configuration
The Elastic Kibana server is having an issue – unable to connect to the service.
Windows 10 workstations don’t show as domain joined and the DC doesn’t look right – no AD DS tools to look at domain users and computers
GHOSTS is a user simulation framework for complex, realistic NPC orchestration
GHOSTS is a framework for highly-complex, realistic non-player character (NPC) orchestration. It essentially realistically mimics the behavior of the different types of people you might encounter on typical office or enterprise networks. The system makes it possible for cybersecurity experts to test their skills and realistically train to defend real networks with real NPC players operating on those networks doing the things we might expect them to do: Create documents, access systems, browse the web, click, run commands, and so on.
GHOSTS is a user simulation framework for complex, realistic NPC orchestration
GHOSTS is a framework for highly-complex, realistic non-player character (NPC) orchestration. It essentially realistically mimics the behavior of the different types of people you might encounter on typical office or enterprise networks. The system makes it possible for cybersecurity experts to test their skills and realistically train to defend real networks with real NPC players operating on those networks doing the things we might expect them to do: Create documents, access systems, browse the web, click, run commands, and so on.
An informative article by Florian Roth, “About Detection Engineering”https://cyb3rops.medium.com/about-detection-engineering-44d39e0755f0
We then start to build Detection Engineering rules and continuously test and improve the process.
MSRC has made a specific Azure Threat Research Matrix available to map TTPs specific to Azure cloud native services.
https://microsoft.github.io/Azure-Threat-Research-Matrix/
It is necessary to start the process of improving Detection Engineering. The first step is to instrument the logs by either exporting them out to a storage account, event hub to external SIEM, or configure a data connector to ingest the logs into a log analytics workspace with Azure Sentinel. In this example we can talk about Azure Sentinel. Let’s look at the native Azure Sign-In logs for a password spraying attack in which the attacker used Amazon API Gateway to rotate their IP addresses.
Take a look at this excellent blog by Florian Roth titled “About Detection Engineering”: https://medium.com/@cyb3rops/about-detection-engineering-44d39e0755f0
We then start to build Detection Engineering rules and continuously test and improve the process.
MSRC has made a specific Azure Threat Research Matrix available to map TTPs specific to Azure cloud native services.
https://microsoft.github.io/Azure-Threat-Research-Matrix/
Reference credit to the Azure Threat Research Matrix:https://microsoft.github.io/Azure-Threat-Research-Matrix/
Velociraptor - Digging Deeper!
Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.
/
/
Andy Robbins has a great three-part blog series on attacking Managed Identities:
https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a
Other great references include “Abusing Managed Identities”
https://hackingthe.cloud/azure/abusing-managed-identities/
Lateral Movement with Managed Identities of Azure Virtual Machines:
https://m365internals.com/2021/11/30/lateral-movement-with-managed-identities-of-azure-virtual-machines/
Andy Robbins, “Azure Managed Identity Assignments are “secure by default””
https://twitter.com/_wald0/thread/1572283008840777728
The ADFS Lab Generator was inspired by Roberto Rodriguez’s Simuland tool:
https://github.com/Azure/SimuLand
The AD FS Security Auditing best practices logging configuration was created from Roberto Rodriguez’s blog post,
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enabling-ad-fs-security-auditing-and-shipping-event-logs-to/ba-p/3610464
/
/
/
/
Terraform is increasingly used by Red Team Operators to build Red Team Infrastructure; DevOps for “Security as Code”. Now you can add Azure AD Red Team Lab as an option!