# Turla Setup Procedure

  • Turla Setup Procedure
    • Emulation Team Infrastructure Configuration
      • Linux Attack Platform Setup
        • Move Unzipped Binaries into Payloads
        • Download Required Binary Files

# Emulation Team Infrastructure Configuration

See Getting Started for information on setting up the overall range.

# Linux Attack Platform Setup

See Setup RedTeam for information on setting up the attack platform.

# Move Unzipped Binaries into Payloads

A zip of the scenario binaries has been included here. Unzip binaries.zip to the expected directory location using the following command and the password `malware`:

```bash
# from the turla directory
unzip Resources/Binaries/binaries.zip -d Resources/payloads
```

Snake has not been included in this binaries.zip. Please visit the following resources for building Snake and its components:

  1. Snake Installer Build
  2. Snake Build Script

# Download Required Binary Files

  1. Download and extract the PSTools directory
    1. Copy PsExec.exe to the Resources/payloads/carbon directory
    2. Copy PsExec.exe to the Resources/payloads/snake directory
  2. Download pscp.exe and copy it to the Resources/payloads/carbon directory
  3. Download plink.exe and copy it to the Resources/payloads/carbon directory
  4. Download mimikatz
  5. Update the Mimikatz source code with the PTH adjustments then recompile
  6. Copy mimikatz.exe to the Resources/payloads/carbon and Resources/payloads/snake directories

The Resources/payloads directory should be set up to match the following:

```
├── Resources
│   ├── payloads
│   │   ├── carbon
│   │   │   ├── PsExec.exe
│   │   │   ├── carbon_installer_2.exe
│   │   │   ├── carbon_installer_3.exe
│   │   │   ├── mimikatz.exe
│   │   │   ├── hsperfdata.zip
│   │   │   ├── keylogger.exe
│   │   │   ├── password_spray.bat
│   │   │   ├── plink.exe
│   │   │   ├── pscp.exe
│   │   ├── epic
│   │   │   ├── dropper.exe
│   │   │   ├── snake.exe (needs compiling)
│   │   ├── snake
│   │   │   ├── PsExec.exe
│   │   │   ├── installer_v2.exe (needs compiling)
│   │   │   ├── installer_v3.exe (needs compiling)
│   │   │   ├── ln_transport_agent.dll
│   │   │   ├── mimikatz.exe
│   │   │   ├── msiex.ps1
│   │   │   ├── n_installer_aux.dll
│   │   │   ├── rules.xml
│   │   │   ├── winmail.dat
│   │   ├── wordpress
│   │   │   ├── EPICDropper_http.exe
│   │   │   ├── EPICDropper_https.exe
```
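
The layout above can be checked from the turla directory before the scenario starts. The following is an added example, not part of the original repository; the function name `check_payloads` and the `build` marker are assumptions, and the file list is copied from the tree above. It reports missing files and names that differ only by case, which matters on the Linux attack platform.

```shell
# Expected files, relative to Resources/payloads, copied from the tree on this page.
# A second field "build" marks entries the page labels "(needs compiling)".
EXPECTED_PAYLOADS='carbon/PsExec.exe
carbon/carbon_installer_2.exe
carbon/carbon_installer_3.exe
carbon/mimikatz.exe
carbon/hsperfdata.zip
carbon/keylogger.exe
carbon/password_spray.bat
carbon/plink.exe
carbon/pscp.exe
epic/dropper.exe
epic/snake.exe build
snake/PsExec.exe
snake/installer_v2.exe build
snake/installer_v3.exe build
snake/ln_transport_agent.dll
snake/mimikatz.exe
snake/msiex.ps1
snake/n_installer_aux.dll
snake/rules.xml
snake/winmail.dat
wordpress/EPICDropper_http.exe
wordpress/EPICDropper_https.exe'

# check_payloads [ROOT]: prints one line per problem; exit status 0 only if all are present.
check_payloads() {
    root="${1:-Resources/payloads}"
    problems=0
    while read -r rel note; do
        dir="$root/$(dirname "$rel")"
        base=$(basename "$rel")
        # find -name compares directory entries exactly, so case is enforced
        exact=$(find "$dir" -maxdepth 1 -type f -name "$base" 2>/dev/null || true)
        if [ -n "$exact" ]; then continue; fi
        # Same name in a different case, e.g. PSExec.exe where PsExec.exe is expected
        alt=$(find "$dir" -maxdepth 1 -type f -iname "$base" 2>/dev/null | head -n 1)
        if [ -n "$alt" ]; then
            echo "CASE MISMATCH: $rel (found $(basename "$alt"))"
        elif [ "$note" = "build" ]; then
            echo "MISSING (needs compiling): $rel"
        else
            echo "MISSING: $rel"
        fi
        problems=$((problems + 1))
    done <<EOF
$EXPECTED_PAYLOADS
EOF
    [ "$problems" -eq 0 ]
}
```

Run `check_payloads` with no argument from the turla directory, or pass another payloads root as the first argument.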

As part of infrastructure setup, EPICDropper_http.exe and EPICDropper_https.exe should be staged on a WordPress server and renamed to NTFVersion.exe and NFVersion_5e.exe, respectively.