# Getting Started
This document covers the infrastructure setup for emulating ATT&CK Evaluations - ALPHV BlackCat and menuPass (2024).
# Overview
ATT&CK Evaluations used the Amazon Web Services (AWS) cloud platform.
# AWS Cost Estimate
Specific costs for the AWS resources used will depend on your specific AWS account agreements, region, savings plans, reservations, how frequently the systems are online, and other cost reduction techniques you use. A rough estimated cost for the environment is approximately $6000 - $10000 per month, assuming the hosts are run 24/7. Note that the `leomon` host, which uses the `m5.metal` instance type, accounts for 50%+ of the overall cost. Instances should be shut down and stopped when not in use to further reduce cost.
# WARNING - $$$
# KVM Server Cost
WARNING: As mentioned above, the most expensive component is the Kernel Virtual Machine (KVM) Linux server, `leomon`, used to run virtual machines. The KVM server uses the AWS instance type `m5.metal`, which alone costs $4.608 per hour (at the time of the evaluation), and accounts for ~50% of cost. To reduce cost, you can keep the KVM server off until used, or skip provisioning the KVM host.
# Prerequisites
It is assumed you have a working knowledge of the following concepts and access to related tools:
Existing AWS Account with permissions to perform required actions (create/manage resources including EC2 instances, VPCs, Internet Gateways, Security Groups, and related resources)
Tools
Install
and common system administration concepts for Windows and Linux
# Deploy Infrastructure with Terraform
Terraform is used to initialize the infrastructure.
# Amazon Marketplace Subscriptions
NOTE: You may be prompted to accept the Terms and subscribe for images used in the AWS Marketplace. If prompted, follow the URL provided in the terminal and click the Subscribe button. Once the process completes, re-run the Terraform plan and apply commands below.
# Windows 11
IMPORTANT: AWS does not currently provide a pre-built Windows 11 Amazon Machine Image (AMI), and the team is unable to share the image used for the evaluation. As a result, you will have to provide your own Windows 11 AMI for use in the environment. The following steps provide some general guidance on building your own Windows 11 AMI. Please review the Amazon and Microsoft terms of service to ensure you are compliant with all licensing guidelines.
- Packer is used to automate the build of a Windows 11 VM from the installation image.
- Packer uploads the virtual machine file to an AWS S3 bucket.
- AWS VM Import converts the VM to an AMI.
AWS provides additional documentation on importing a Windows 11 VM.
By default, the included configuration uses Windows Server 2022 for all Windows 11 desktop systems to provide a functional system. This is for convenience; however, it is not guaranteed that the emulation plan will operate as intended on Windows Server 2022 in instances where Windows 11 is expected.
# Deploy environment
1. Create a Terraform settings file from the included template.

   ```
   cp -a deploy.auto.tfvars.template deploy.auto.tfvars
   ```

   - Open `deploy.auto.tfvars` in an editor, and configure with desired values.
2. Edit the `deploy.auto.tfvars` file:
   - Uncomment the `aws-bucket-name` variable, and set it to the name of the S3 bucket you would like to use for storing Terraform state files. AWS S3 bucket names have to be unique and resolvable by DNS.
3. Edit the `backend.tf` file:
   - Towards the bottom of the file, uncomment the `bucket` variable in the `terraform.backend.s3` section.
   - Set the value to the name of the S3 bucket in the previous step.
   - IMPORTANT: The value must be a string. You cannot use a variable in this section; you must hardcode the bucket name.
4. Time to run Terraform.
   - Initialize your Terraform environment.

     ```
     terraform init
     ```

   - Validate your Terraform configuration.

     ```
     terraform validate
     ```

   - Plan your deployment with Terraform.

     ```
     terraform plan --out=tfplan
     ```

   - Execute the Terraform plan created in the previous step.

     ```
     terraform apply tfplan
     ```

   - NOTE: This step may take 15-30 minutes to properly provision all resources. This is normal.
5. Generate VPN profiles.
   - Run `make create-vpn-profiles` to create OpenVPN profiles to connect to the infrastructure you just deployed.
   - The final profiles will be stored as `.zip` files in the `publish/` subdirectory.
All systems have been deployed! They still have to be configured, but it is time to celebrate! 🍕 🎊 🎆
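The two bucket edits in the steps above have to agree, and `backend.tf` has to carry a literal string rather than a variable reference. As an added example (not part of the project's repository), this POSIX shell pre-flight check compares the two files before `terraform init` is run; the sample file contents and the bucket name `example-range-tfstate` are constructed placeholders, and the name check covers only a subset of the S3 naming rules.

```shell
#!/bin/sh
# Added example, not part of the project's repository.

# Print the first double-quoted value assigned to key $1 in file $2.
# Commented-out lines and unquoted values (such as var.name) produce no output.
get_quoted_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Succeed if $1 is 3-63 characters of lowercase letters, digits, dots and
# hyphens, beginning and ending with a letter or digit (a subset of S3's rules).
valid_bucket_name() {
    [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$'
}

# check_bucket_config TFVARS_FILE BACKEND_FILE
# Prints a one-line verdict and returns non-zero on the first problem found.
check_bucket_config() {
    tfvars_bucket=$(get_quoted_value 'aws-bucket-name' "$1")
    backend_bucket=$(get_quoted_value 'bucket' "$2")
    if [ -z "$tfvars_bucket" ]; then
        echo "FAIL: aws-bucket-name is commented out or unset in $1"; return 1
    fi
    if [ -z "$backend_bucket" ]; then
        echo "FAIL: bucket in $2 is commented out or not a hardcoded string"; return 1
    fi
    if ! valid_bucket_name "$backend_bucket"; then
        echo "FAIL: '$backend_bucket' is not a DNS-compatible bucket name"; return 1
    fi
    if [ "$tfvars_bucket" != "$backend_bucket" ]; then
        echo "FAIL: $1 and $2 name different buckets"; return 1
    fi
    echo "OK: both files use bucket '$backend_bucket'"
}

# Constructed sample files (placeholder bucket name) so the check runs anywhere.
demo_dir=$(mktemp -d)
printf 'aws-bucket-name = "example-range-tfstate"\n' > "$demo_dir/deploy.auto.tfvars"
printf 'terraform {\n  backend "s3" {\n    bucket = "example-range-tfstate"\n  }\n}\n' > "$demo_dir/backend.tf"
check_bucket_config "$demo_dir/deploy.auto.tfvars" "$demo_dir/backend.tf"
rm -rf "$demo_dir"
```

To use it against a real checkout, call `check_bucket_config deploy.auto.tfvars backend.tf` from the directory that holds both files.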
# Configure Infrastructure with Ansible
For this round, all post deployment configuration was performed via Ansible.
- Use one of the VPN profiles generated in the previous step. Any profile will work.
- Use the Terraform Makefile to configure the Ansible deployment. The following command copies the SSH key to the Ansible setup directory with the proper permissions.

  ```
  make ansible-setup
  ```

- Change to Ansible base directory.

  ```
  cd ../../ansible
  ```

- Run Ansible configuration.

  ```
  make configure-range-from-scratch
  ```

- Wait. Ensure your provisioning host will not sleep or disconnect from the VPN during the provisioning step. Depending on bandwidth, the deployment could take 1-3 hours to fully configure all infrastructure.
# Deploy Attack Platform Software
- Download the ATTACK Evaluations Library to the `kraken` and `homelander` (Kali Linux and Windows Jumpbox hosts). Follow the instructions to set up the red team tooling.