#
Getting Started
This document covers the infrastructure setup for emulating ATT&CK Evaluations — Scattered Spider and Mustang Panda (2025).
#
Overview
ATT&CK Evaluations used the Amazon Web Services (AWS) cloud platform.
AWS Cost Estimate: A rough estimated cost for the environment is approximately $2500 per month, assuming the hosts are run 24/7.
To further reduce costs, EC2 instances should be shut down and stopped when not in active use. Specific costs for AWS resources can vary greatly depending on your specific AWS account agreements, region, savings plans, reservations, how frequently the systems are online, and other cost reduction techniques you use.
#
Prerequisites
It is assumed that you have a working knowledge of and access to the following concepts and tools:
- Two (2) AWS Accounts with permissions to perform required actions, such as creating and managing:
- EC2 instances
- VPCs
- Internet Gateways
- Security Groups
- Cross-account IAM configurations
- One (1) GitHub account with token-based Multifactor Authentication (MFA) enabled for the Mustang Panda scenario
- Familiarity with common system administration concepts for Windows and Linux
- Essential tools installed:
#
Installation
Please see Terraform, Ansible, and AWS CLI documentation for installation instructions.
#
Windows 11
IMPORTANT: AWS does not currently provide a pre-built Windows 11 Amazon Machine Image (AMI), and the team is unable to share the image used for the evaluation. As a result, you must provide your own Windows 11 AMI for use in the environment. Please review the Amazon and Microsoft terms of service to ensure you are compliant with all licensing guidelines.
The included configuration uses Windows Server 2022 for all Windows 11 desktop systems to provide a convenient and functional deployment.
References to `module.amis.windows-desktop-11` resolve to the Windows Server 2022 AMI ID until you change this at the module level.
It is not guaranteed that the emulation will operate as intended on Windows Server 2022 in instances where Windows 11 is expected.
It is strongly recommended that you bring your own (BYO) Windows 11 image, then see the amis module documentation to set and use your private Windows 11 AMI. The following steps provide guidance on building your own Windows 11 AMI, which uses:
- Packer to automate the build of a Windows 11 VM from the installation image.
- Packer to upload the virtual machine file to an AWS S3 bucket.
- AWS VM Import to convert the VM to an AMI.
AWS provides additional documentation on importing a Windows 11 VM.
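
The VM Import step above can be scripted with the AWS CLI. The following is an added example, not code from the evaluation repository; the script name, bucket, key, description strings and the `vhdx` disk format are assumptions to replace with your own values.

```shell
#!/usr/bin/env bash
# Added example: turn a Packer-built Windows 11 disk already in S3 into an AMI.
# Bucket and key are placeholders; the account must already have the
# "vmimport" service role that VM Import uses to read the bucket.

# Build the --disk-containers JSON for a single disk image.
disk_containers_json() {
  local bucket="$1" key="$2" format="${3:-vhdx}"
  printf '[{"Description":"Windows 11 desktop","Format":"%s","UserBucket":{"S3Bucket":"%s","S3Key":"%s"}}]\n' \
    "$format" "$bucket" "$key"
}

# Start the import and print its task id. Windows 11 requires UEFI firmware,
# and a Windows client OS is imported under your own licence (BYOL).
start_import() {
  aws ec2 import-image \
    --description "Windows 11 desktop (private)" \
    --boot-mode uefi \
    --license-type BYOL \
    --disk-containers "$(disk_containers_json "$1" "$2")" \
    --query ImportTaskId --output text
}

# Poll the task; print the AMI id on success, fail with the task's message
# if the import is rolled back (status deleting/deleted).
wait_for_ami() {
  local task="$1" interval="${2:-60}" out status
  while :; do
    out=$(aws ec2 describe-import-image-tasks --import-task-ids "$task" \
      --query 'ImportImageTasks[0].[Status,ImageId,StatusMessage]' \
      --output text) || return 1
    status=$(printf '%s\n' "$out" | cut -f1)
    case "$status" in
      completed) printf '%s\n' "$out" | cut -f2; return 0 ;;
      deleting|deleted) echo "import $task failed: $(printf '%s\n' "$out" | cut -f3)" >&2
                        return 1 ;;
    esac
    sleep "$interval"
  done
}

# Usage: ./import-win11.sh <bucket> <key>
if [ "$#" -eq 2 ]; then
  task=$(start_import "$1" "$2") && wait_for_ami "$task"
fi
```

The AMI ID printed on success is the value to supply to the amis module in place of the Windows Server 2022 lookup.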
#
Deploy Infrastructure with Terraform
⏳ Depending on bandwidth, deployment of infrastructure may take 40 minutes to 2 hours to complete.
Terraform is used to initialize the infrastructure. Please review the architecture in the Deployment Overview before proceeding.
#
Amazon Marketplace Subscriptions
During the deployment process, you may be prompted to accept the Terms to subscribe for AWS Marketplace images. If prompted, follow the URL provided in the terminal then click the Subscribe button. Once the subscription process is complete, re-run and apply the Terraform plan.
#
Deploy Environment
Infrastructure is initialized using a 3-stage Terraform deployment in the subdirectories:
The following steps must be performed per stage in the order listed above:
- Open the `deploy.auto.tfvars` in an editor, and configure with desired values.
- Run Terraform:

```bash
terraform init              # 1. Initialize your Terraform environment
terraform validate          # 2. Validate your Terraform configuration
terraform plan --out=tfplan # 3. Create a Terraform plan of your deployment
terraform apply tfplan      # 4. Execute the Terraform plan (estimated time to deploy: 20-40 minutes)
```

- After deploying `range/`, use the Makefile in this directory to:

  Generate VPN Profiles

```bash
make create-vpn-profiles # Create OpenVPN profiles to connect to your infrastructure
```

  The OpenVPN profiles will be stored as `.zip` files in the `publish/` subdirectory, which you will need to connect to the range and run host-based configurations.
- All systems have been deployed! They still have to be configured, however time to celebrate! 🍕 🎊 🎆
#
Configure Infrastructure with Ansible
⏳ Depending on bandwidth, configuration of infrastructure may take 1-3 hours to complete.
Ansible is used to configure the infrastructure. Please review playbook information in the Configuration Overview before proceeding.
- Use any one of the VPN profiles generated in the previous step.
- Change to Ansible base directory.

```bash
cd ../../ansible
```

- Run Ansible configuration.

```bash
make deploy
```

- Wait. Enjoy a hot chocolate or other delicious beverage ☕. Ensure your provisioning host will not sleep or disconnect from the VPN during the provisioning step.
#
Deploy Attack Platform Software
Clone the ATTACK Evaluations Library to the driftmark and jumpbox (Kali Linux and Windows Jumpbox hosts). Follow the instructions to set up the red team tooling.
#
Notice
© 2025 MITRE. Approved for public release. Document number 25-2969.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.