# Infrastructure for ATT&CK Evaluations — Scattered Spider & Mustang Panda (2025)

Note: During development, the threat actors were referred to by the codenames "Demeter" (Scattered Spider) and "Hermes" (Mustang Panda). These codenames may still appear in internal documentation and configuration files outside of this public release.

Please see Getting Started for prerequisites, tooling, and setup guidance for the emulation of Scattered Spider and Mustang Panda.

Intermediate understanding of Terraform, Ansible, AWS, and AWS Billing are considered prerequisites to deploy the infrastructure configuration.

# Providers

NOTE: Access to at least two AWS accounts is required:

aws.default — an AWS account with cross-account permissions, where on-prem scenarios are emulated.
aws.cloud — an AWS account with organizations permissions, where cloud-based scenarios are emulated.

Alternatively, you can deploy the infrastructure with existing Detections/Protections accounts:

aws.default — an AWS account for emulating on-prem scenarios, with cross-account permissions into aws.cloud-detections and aws.cloud-protections.
aws.cloud-detections — an AWS account for emulating cloud-based Detections scenarios.
aws.cloud-protections — an AWS account for emulating cloud-based Protections scenarios.

Please see the orgs deployment for approaches to AWS Organizations & Accounts.

# Infrastructure Overview

The infrastructure below was staged for both Scattered Spider & Mustang Panda (2025).

Initial infrastructure was setup using Terraform, with configurations applied via scripts and configuration files. Please see the Deployment Overview and Configuration Overview for technical documentation.

For an overview of traffic redirection used for obfuscation during emulation of Scattered Spider and Mustang Panda adversaries, please see Traffic Redirection.

Infrastructure for ATT&CK Evaluations — Scattered Spider & Mustang Panda (2025)
- Scenario Domains & Hosts
  - Detections Domain — kingslanding[.]net
    - Detections On-Premises
    - Detections Cloud
  - Protections Domain — vale[.]net
    - Protections On-Premises
    - Protections Cloud
  - Support and Red Team Hosts
    - External Benevolent Hosts
    - Red Team Hosts
- Network Diagram

# Scenario Domains & Hosts

This document provides an overview of the infrastructure support used for the evaluation. In addition to setup and configuration of virtual machines, this document covers infrastructure support services — such as domain name services (DNS), mail, and traffic redirection — used to support the evaluation. Support services are used throughout the evaluation for resource efficiency.

The Game of Thrones television series inspired the naming scheme for this evaluation's infrastructure.

Enterprise 2025 infrastructure consists of an organization with on-premises resources and an AWS-provided cloud environment, with network isolation into two environments for Detections and Protections.

# Detections Domain — `kingslanding[.]net`

The Detections domain kingslanding[.]net contains fourteen (14) virtual machines.

# Detections On-Premises

The Detections On-Prem environment consists of eleven (11) virtual machines joined to the kingslanding[.]net Active Directory domain.

Detections On-Prem resources are provisioned under aws.default.

DMZ Subnet — 10.55.2.0/24

Hostname	OS	IP	Role
`kingswood`	Ubuntu 24.04 LTS	`10.55.2.100`	Guacamole Server

Servers Subnet — 10.55.3.0/24

Hostname	OS	IP	Role
`redkeep`	Windows Server 2022	`10.55.3.100`	AD Domain Controller
`sept`	Windows Server 2022	`10.55.3.101`	Exchange Server
`citywatch`	Ubuntu 24.04 LTS	`10.55.3.102`	Authentik IdP/SSO Server
`citadel`	Windows Server 2022	`10.55.3.103`	File Server
`dragongate`	Windows Server 2022	`10.55.3.104`	Remote Desktop Server
`conclave`	Windows Server 2022	`10.55.3.105`	File Server

Desktops Subnet — 10.55.4.0/24

Hostname	OS	IP	Role
`fleabottom`	Windows 11	`10.55.4.101`	Desktop
`fishmonger`	Windows 11	`10.55.4.102`	Desktop
`harrenhal`	Windows 11	`10.55.4.103`	Desktop
`stepstones`	Windows 11	`10.55.4.104`	Desktop

# Detections Cloud

The Detections Cloud environment consists of three (3) virtual machines joined to the kingslanding[.]net Active Directory domain.

Detections Cloud resources are provisioned under aws.cloud-detections.

Servers Subnet — 10.212.3.0/24

Hostname	OS	IP	Role
`dragonpit`	Ubuntu 24.04 LTS	`10.212.3.105`	Wekan Server
`guildhall`	Ubuntu 24.04 LTS	`10.212.3.106`	Gitlab Server
`rookery`	Ubuntu 24.04 LTS	`10.212.3.107`	Airbyte Server

# Protections Domain — `vale[.]net`

The Protections domain vale[.]net contains twelve (12) virtual machines.

# Protections On-Premises

The Protections On-Prem Scenario consists of twelve (12) virtual machines joined to the vale[.]net Active Directory domain.

Protections On-Prem resources are provisioned under aws.default.

Servers Subnet — 10.26.3.0/24

Hostname	OS	IP	Role
`eyrie`	Windows Server 2022	`10.26.3.100`	AD Domain Controller
`blacktyde`	Windows Server 2022	`10.26.3.101`	Remote Desktop Server
`godswood`	Windows Server 2022	`10.26.3.102`	Exchange Server
`knights`	Ubuntu 24.04 LTS	`10.26.3.103`	MDM Server (Fleet)
`redfort`	Windows Server 2022	`10.26.3.105`	File Server
`heartshome`	Windows Server 2022	`10.26.3.106`	File Server

Desktops Subnet — 10.26.4.0/24

Hostname	OS	IP	Role
`runestone`	Windows 11	`10.26.4.101`	Desktop
`tentowers`	Windows 11	`10.26.4.102`	Desktop
`bitterbridge`	Windows 11	`10.26.4.103`	Desktop
`ironoaks`	Windows 11	`10.26.4.104`	Desktop

DMZ Subnet — 10.26.5.0/24

Hostname	OS	IP	Role
`eastgate`	Ubuntu 24.04 LTS	`10.26.5.100`	Guacamole Server
`bloodygate`	Ubuntu 24.04 LTS	`10.26.5.101`	Authentik IdP/SSO Server

# Protections Cloud

Subnet — 10.115.5.0/24

The Protections Cloud Scenario does not involve any EC2 hosts.

Protections Cloud resources are provisioned under aws.cloud-protections.

# Support and Red Team Hosts

The following hosts are dedicated to networking support and red team use.

# Validation Hosts

The hosts below are used to perform validation on victim infrastructure in each scenario domain.

Hostname	OS	IP	Role
`preflights`	Kali Linux 2024.4	`10.55.4.120`	Detections Validation
`preflights2`	Kali Linux 2024.4	`10.26.4.120`	Protections Validation

# External Benevolent Hosts

The hosts below are not accessible by evaluation participants.

Support Subnet — 12.78.0.0/16

Hostname	OS	IP	Role
`twins`	Ubuntu 24.04 LTS	`12.78.0.60`	DNS Server
`volantis`	Ubuntu 24.04 LTS	`12.78.0.91`	RMM Server
`dorne`	Ubuntu 24.04 LTS	`12.78.0.92`	Chocolatey Mirror
`stonehedge`	Ubuntu 24.04 LTS	`12.78.0.93`	RustDesk Server
`sunspear`	Ubuntu 24.04 LTS	`12.78.0.94`	WSTunnel Server
`casterlyrock`	Windows	`12.78.44.201`	Unmanaged Desktop

Redirector Subnet — 86.234.0.0/16

Hostname	OS	IP	Role
`stormlands`	Ubuntu 24.04 LTS	`14.121.222.9`	Redirection Server 1
`stark`	Ubuntu 24.04 LTS	`49.67.12.9`	Redirection Server 2
`bolton`	Ubuntu 24.04 LTS	`10.44.44.9`	Redirection Server 3
`greyjoy`	Ubuntu 24.04 LTS	`10.44.44.9`	Redirection Server 4

For more about redirection, please see Traffic Redirection.

# Red Team Hosts

The hosts below are not accessible by evaluation participants.

Hostname	OS	IP	Scenario
`driftmark`	Kali Linux 2024.4	`174.3.0.70`	Attacker
`braavos`	Kali Linux 2024.4	`174.3.0.100`	Attacker IdP
`jumpbox`	Windows Server 2022	`12.78.110.37`	Detections Jumpbox
`dreadfort`	Windows Server 2022	`10.26.3.125`	Protections Jumpbox

# Network Diagram

The diagram below shows the layout of all victim hosts, attack platform, and support hosts.

# Notice

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.