BlueTeam.Lab

Blue Team detection lab created with Terraform and Ansible in Azure.

Purpose

This project contains a set of Terraform and Ansible scripts that create an orchestrated BlueTeam Lab. The goal is to give red and blue teams the ability to deploy an ad-hoc detection lab, test various attacks and the forensic artifacts they leave on a current Windows environment, and then get a 'SOC-like' view of the generated data.

NOTE: This lab is deliberately designed to be insecure. Please do not connect this system to any network you care about.


Lab Layout


Prerequisites

A number of features need to be installed on your system in order to use this setup.

# Step 1 - Install Azure CLI. More details on https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt
# (this pipes a remote script straight into a root shell; fetch and read it first if that matters on your workstation)
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Step 2 - Install Terraform. More details on https://learn.hashicorp.com/tutorials/terraform/install-cli
# apt-key is deprecated on recent Debian/Ubuntu releases; the HashiCorp page above documents the signed-by keyring alternative.
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install -y terraform

# Step 3 - Install Ansible. More details on https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
sudo apt update
sudo apt install -y software-properties-common
sudo add-apt-repository --yes --update ppa:ansible/ansible
sudo apt update
sudo apt install -y ansible

# Step 4 - Finally install Python and the packages needed for WinRM connections and the Azure dynamic inventory
sudo apt install -y python3 python3-pip
pip3 install pywinrm requests msrest msrestazure azure-cli
pip3 install -r https://raw.githubusercontent.com/ansible-collections/azure/v1.14.0/requirements-azure.txt

Building and Deploying BlueTeam.Lab

Once all the prerequisites are installed, perform the following series of steps:

# Log in to Azure from the command line so that a valid access token is available to Terraform and Ansible
az login

# Clone the repository and move into the BlueTeam.Lab folder
git clone https://github.com/op7ic/BlueTeam.Lab.git && cd BlueTeam.Lab

# Initialize Terraform and review the plan
terraform init && terraform plan

# Create your lab using the following command.
terraform apply -auto-approve

# Verify the layout of your environment using Ansible (run in a subshell so a failed command does not leave you inside ansible/)
(cd ansible && ANSIBLE_CONFIG=./ansible.cfg ansible-inventory --graph -i inventory.azure_rm.yml -vvv)

# To see IPs of individual hosts and other setup details use the following command:
(cd ansible && ANSIBLE_CONFIG=./ansible.cfg ansible-inventory -i inventory.azure_rm.yml -vvv --list)

# Once done, destroy your lab using the following command:
terraform destroy -auto-approve

# If you would like to time the execution, use the following command:
start_time=$(date +%s) && terraform apply -auto-approve && end_time=$(date +%s) && echo "execution time was $((end_time - start_time)) s"

# NOTE: It will take about two hours to configure it all, depending on your selected hardware.

Deploying Different Windows Versions

Terraform variables set the type of operating system used for this deployment. A simple change to the runtime variables lets you specify a different OS for the entire Active Directory (AD) environment. The default is Windows 10 Enterprise for the workstations and Windows Server 2019 Datacenter for the domain controller. Here are a few common configurations that modify the environment to use different OS versions:

# Use Windows 10 Enterprise for Workstations and Server 2019 Datacenter for DC (default option)
terraform apply -auto-approve

# Use Windows 11 Enterprise for Workstations and Server 2019 Datacenter for DC
terraform apply -auto-approve -var="workstation_os=Windows-11" -var="workstation_SKU=win11-21h2-ent" -var="workstations_vm_size=Standard_DC2s_v2"

# Use Windows 11 Enterprise for Workstations and Server 2012 Datacenter for DC
terraform apply -auto-approve -var="workstation_os=Windows-11" -var="workstation_SKU=win11-21h2-ent" -var="workstations_vm_size=Standard_DC2s_v2" -var="dc_os=WindowsServer" -var="dc_SKU=2012-Datacenter"

# Use Windows 11 Enterprise for Workstations and Server 2016 Datacenter for DC
terraform apply -auto-approve -var="workstation_os=Windows-11" -var="workstation_SKU=win11-21h2-ent" -var="workstations_vm_size=Standard_DC2s_v2" -var="dc_os=WindowsServer" -var="dc_SKU=2016-Datacenter"

# Use Windows 10 Pro N for Workstations and Server 2012 Datacenter for DC
terraform apply -auto-approve -var="workstation_os=Windows-10" -var="workstation_SKU=21h1-pron" -var="dc_os=WindowsServer" -var="dc_SKU=2012-Datacenter"

The az vm image list command can be used to identify the publisher, offer and SKU values available for the deployment.
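Before committing two hours to an apply with non-default images, it is worth confirming that Azure actually publishes the offer/SKU pair in your region. The following Python helper is an added example, not code from BlueTeam.Lab: it builds the terraform apply command line from the README's own variable names (workstation_os, workstation_SKU, workstations_vm_size, dc_os, dc_SKU) and parses the JSON that az vm image list returns. The publisher names are the standard Azure Marketplace publishers for Windows client and server images; the embedded image list is constructed sample data for offline use, and its version strings are invented.

```python
import json
import shlex
import subprocess

# Standard Azure Marketplace publisher for each image family named by the lab's variables.
PUBLISHERS = {
    "Windows-10": "MicrosoftWindowsDesktop",
    "Windows-11": "MicrosoftWindowsDesktop",
    "WindowsServer": "MicrosoftWindowsServer",
}

# Constructed sample in the shape of `az vm image list --output json` (version strings invented).
SAMPLE_IMAGE_LIST = json.dumps([
    {"publisher": "MicrosoftWindowsDesktop", "offer": "Windows-11", "sku": "win11-21h2-ent",
     "version": "22000.493.220107",
     "urn": "MicrosoftWindowsDesktop:Windows-11:win11-21h2-ent:22000.493.220107"},
    {"publisher": "MicrosoftWindowsDesktop", "offer": "Windows-11", "sku": "win11-21h2-pro",
     "version": "22000.493.220107",
     "urn": "MicrosoftWindowsDesktop:Windows-11:win11-21h2-pro:22000.493.220107"},
])


def terraform_apply_argv(workstation_os=None, workstation_sku=None,
                         workstations_vm_size=None, dc_os=None, dc_sku=None):
    """Build the terraform apply argv for a set of OS overrides.

    A value left as None emits no -var, so the lab's default for that variable
    (Windows 10 Enterprise workstations, Server 2019 Datacenter DC) applies.
    """
    overrides = [("workstation_os", workstation_os), ("workstation_SKU", workstation_sku),
                 ("workstations_vm_size", workstations_vm_size),
                 ("dc_os", dc_os), ("dc_SKU", dc_sku)]
    argv = ["terraform", "apply", "-auto-approve"]
    argv += [f"-var={name}={value}" for name, value in overrides if value is not None]
    return argv


def matching_urns(image_list_json, offer, sku):
    """Return the URNs in az vm image list JSON whose offer and SKU match (case-insensitively)."""
    wanted = (offer.lower(), sku.lower())
    return sorted(img["urn"] for img in json.loads(image_list_json)
                  if (img.get("offer", "").lower(), img.get("sku", "").lower()) == wanted)


def list_images(offer, sku, location):
    """Query Azure for the requested image family (requires a prior az login)."""
    cmd = ["az", "vm", "image", "list", "--all", "--location", location,
           "--publisher", PUBLISHERS[offer], "--offer", offer, "--sku", sku,
           "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def preflight(offer, sku, location):
    """Return matching URNs, or abort before a long apply that would fail on a missing image."""
    urns = matching_urns(list_images(offer, sku, location), offer, sku)
    if not urns:
        raise SystemExit(f"no image for {PUBLISHERS[offer]}:{offer}:{sku} in {location}")
    return urns


if __name__ == "__main__":
    # Offline demo against the constructed sample; call preflight(...) instead once logged in to Azure.
    print("sample URNs:", matching_urns(SAMPLE_IMAGE_LIST, "Windows-11", "win11-21h2-ent"))
    argv = terraform_apply_argv(workstation_os="Windows-11", workstation_sku="win11-21h2-ent",
                                workstations_vm_size="Standard_DC2s_v2",
                                dc_os="WindowsServer", dc_sku="2016-Datacenter")
    print(shlex.join(argv))
```

Run preflight() for both the workstation and the DC image in the region you deploy to; the last URN it returns is the concrete image that will be used, and an empty result means the SKU name or region is wrong and the apply would fail after provisioning started.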


Features

  • Windows AD with two workstations connected to Windows domain in default setup.
  • Flexible domain configuration file allowing for easy changes to the underlying configuration.
  • Auditing policies configured based on CIS Guide to increase event visibility across Windows infrastructure. Auditpol used to configure additional settings and PowerShell Transcript Logs enabled.
  • Sysmon64 deployed across infrastructure using the latest SwiftOnSecurity configuration for Windows devices.
  • Wazuh Server configured and operational to collect logs from devices.
  • Wazuh Agents configured across infrastructure and feeding data into the Wazuh server.
  • Firewall configured to only allow your own IP to access the deployed systems.
  • OSQuery and FleetDM installed across the infrastructure, using configuration templates from Palantir.
  • Velocidex Velociraptor Server configured and operational.
  • Velocidex Velociraptor Agents configured across infrastructure and feeding data into the Velociraptor server.
  • WinLogBeat configured to log data into Elastic instance.
  • LokiToWinEventLog Loki Scanner configured to log data to Windows Event log every 3 hours and ship data to Elastic instance installed with Wazuh Server.
  • Pe-SieveToWinEventLog Pe-Sieve Scanner configured to log data to Windows Event log every 3 hours and ship data to Elastic instance installed with Wazuh Server.

Documentation

The following section describes various components making up this lab along with details on how to change configuration files to modify the setup:

Credentials

Once the lab is constructed, Terraform prints the actual addresses of the systems and the associated credentials. An example output can be found below. The same values are also recorded in terraform.tfstate (see Directory Structure), so keep that file out of version control.

Network Setup:

Domain Controller = xx.xx.xx.xx
Workstation DETECTION1 = xx.xx.xx.xx
Workstation DETECTION2 = xx.xx.xx.xx
Wazuh Server IP = xx.xx.xx.xx
Wazuh Web Interface = https://xx.xx.xx.xx:443/
Velociraptor Web Interface = https://xx.xx.xx.xx:10000/
FleetDM Web Interface = https://xx.xx.xx.xx:9999/

Credentials:

Domain Admin:
    blueteam.lab\blueteam BlueTeamDetection0%%%
Local Admin on Workstations:
    blueteam BlueTeamDetection0%%%
Wazuh Server SSH Login:
    blueteam BlueTeamDetection0%%%
Wazuh Logins:
    wazuh  BlueTeamDetection0%%%
    admin  BlueTeamDetection0%%%
    kibanaserver  BlueTeamDetection0%%%
    kibanaro  BlueTeamDetection0%%%
    logstash  BlueTeamDetection0%%%
    readall  BlueTeamDetection0%%%
    snapshotrestore  BlueTeamDetection0%%%
    wazuh_admin  BlueTeamDetection0%%%
    wazuh_user  BlueTeamDetection0%%%
Velociraptor Web Interface Login:
    blueteam BlueTeamDetection0%%%
FleetDM Web Interface Login:
    [email protected] BlueTeamDetection0%%%

RDP to Domain Controller:
xfreerdp /v:xx.xx.xx.xx /u:blueteam.lab\\blueteam '/p:BlueTeamDetection0%%%' +clipboard /cert-ignore

RDP to Workstation DETECTION1: xx.xx.xx.xx
xfreerdp /v:xx.xx.xx.xx /u:blueteam '/p:BlueTeamDetection0%%%' +clipboard /cert-ignore

RDP to Workstation DETECTION2: xx.xx.xx.xx
xfreerdp /v:xx.xx.xx.xx /u:blueteam '/p:BlueTeamDetection0%%%' +clipboard /cert-ignore

Firewall Configuration

The following table summarises the firewall rules applied across the BlueTeam.Lab environment in the default configuration. To add new firewall rules, edit the Firewall Rule Setup section of the main.tf file.

| Rule Name | Network Security Group | Source Host | Source Port | Destination Host | Destination Port |
|---|---|---|---|---|---|
| Allow-RDP | windows-nsg | Your Public IP | * | PDC-1, DETECTION1, DETECTION2 | 3389 |
| Allow-WinRM | windows-nsg | Your Public IP | * | PDC-1, DETECTION1, DETECTION2 | 5985 |
| Allow-WinRM-secure | windows-nsg | Your Public IP | * | PDC-1, DETECTION1, DETECTION2 | 5986 |
| Allow-SMB | windows-nsg | Your Public IP | * | PDC-1, DETECTION1, DETECTION2 | 445 |
| Allow-SSH | wazuh-nsg | Your Public IP | * | Wazuh | 22 |
| Allow-Wazuh-Manager | wazuh-nsg | Your Public IP | * | Wazuh | 1514-1516 |
| Allow-Wazuh-Elasticsearch | wazuh-nsg | Your Public IP | * | Wazuh | 9200 |
| Allow-Wazuh-API | wazuh-nsg | Your Public IP | * | Wazuh | 55000 |
| Allow-Elasticsearch-Cluster | wazuh-nsg | Your Public IP | * | Wazuh | 9300-9400 |
| Allow-Wazuh-GUI | wazuh-nsg | Your Public IP | * | Wazuh | 443 |
| Allow-Velociraptor-Client-Connections | wazuh-nsg | Your Public IP | * | Wazuh | 8000 |
| Allow-Velociraptor-GUI | wazuh-nsg | Your Public IP | * | Wazuh | 10000 |
| Allow-Fleet-GUI | wazuh-nsg | Your Public IP | * | Wazuh | 9999 |

Internally, the following static IPs and hostnames are used in the 10.0.0.0/16 range in the default configuration:

| Host | Role | Internal IP |
|---|---|---|
| PDC-1 | Primary Domain Controller | 10.0.10.10 |
| Wazuh | Wazuh Server, also hosting Velocidex Velociraptor and FleetDM | 10.0.10.100 |
| DETECTION1 | Windows 10 Workstation 1 | 10.0.11.11 |
| DETECTION2 | Windows 10 Workstation 2 | 10.0.11.12 |
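The rules above are only as tight as the source address Terraform captured at deploy time: if your public IP changes, the lab keeps admitting the old address and stops admitting you. The following Python script is an added example, not part of BlueTeam.Lab: it pulls the rules of both NSGs with az network nsg rule list (the resource group name BLUETEAM-LAB is taken from the FAQ below; the field names are those of the CLI's JSON output) and reports every inbound Allow rule whose source is anything other than the single IP you pass in. The embedded rule list is constructed sample data using RFC 5737 test addresses.

```python
import ipaddress
import json
import subprocess
import sys

RESOURCE_GROUP = "BLUETEAM-LAB"           # resource group named in the README's FAQ
NSG_NAMES = ("windows-nsg", "wazuh-nsg")  # the two NSGs in the firewall table


def is_unexpected_source(prefix, my_ip):
    """True unless `prefix` is exactly my_ip (optionally written as a /32)."""
    if prefix in ("*", "Internet", "0.0.0.0/0"):
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return True  # service tag (VirtualNetwork, AzureLoadBalancer, ...) or malformed value
    return not (net.num_addresses == 1 and ipaddress.ip_address(my_ip) in net)


def _sources(rule):
    """Every source prefix on a rule; Azure fills either the singular or the plural field."""
    single = [rule["sourceAddressPrefix"]] if rule.get("sourceAddressPrefix") else []
    return single + list(rule.get("sourceAddressPrefixes") or [])


def _ports(rule):
    single = [rule["destinationPortRange"]] if rule.get("destinationPortRange") else []
    return ",".join(single + list(rule.get("destinationPortRanges") or []))


def audit_rules(rules, my_ip):
    """Return inbound Allow rules that admit anything other than my_ip, in priority order."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        bad = [s for s in _sources(rule) if is_unexpected_source(s, my_ip)]
        if bad:
            findings.append({"rule": rule["name"], "priority": rule.get("priority"),
                             "ports": _ports(rule), "sources": bad})
    return findings


def fetch_rules(nsg_name, resource_group=RESOURCE_GROUP):
    """Read the custom rules of one NSG via the Azure CLI (requires a prior az login)."""
    cmd = ["az", "network", "nsg", "rule", "list", "--resource-group", resource_group,
           "--nsg-name", nsg_name, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample in the shape of `az network nsg rule list` output: one rule pinned to the
# operator's current IP, one left wide open, one pinned to a stale IP, one outbound deny.
SAMPLE_RULES = json.loads("""[
 {"name": "Allow-RDP", "priority": 100, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "203.0.113.7", "sourceAddressPrefixes": [],
  "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "Allow-SMB", "priority": 110, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "445", "destinationPortRanges": []},
 {"name": "Allow-Wazuh-Manager", "priority": 120, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "198.51.100.9", "sourceAddressPrefixes": [],
  "destinationPortRange": "1514-1516", "destinationPortRanges": []},
 {"name": "Deny-All-Out", "priority": 4000, "direction": "Outbound", "access": "Deny",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "*", "destinationPortRanges": []}
]""")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline demo against SAMPLE_RULES, operator IP 203.0.113.7:")
        for f in audit_rules(SAMPLE_RULES, "203.0.113.7"):
            print(f"  {f['rule']} (prio {f['priority']}) port {f['ports']} from {f['sources']}")
    else:
        for nsg in NSG_NAMES:
            for f in audit_rules(fetch_rules(nsg), sys.argv[1]):
                print(f"{nsg}: {f['rule']} (prio {f['priority']}) port {f['ports']} from {f['sources']}")
```

Run it after terraform apply with your current public IP as the only argument (saved as, say, nsg_audit.py: python3 nsg_audit.py 203.0.113.7); with no argument it audits the sample data. A finding that lists * or a CIDR wider than a /32 means the lab is reachable from more than your workstation, which the NOTE under Purpose warns against; a finding that lists a different single address is the stale-IP case, and the rule source needs updating to your current address.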

User Configuration

The following default credentials are created during installation. The actual configured credentials are printed once the full deployment process completes.

| Host | Login | Password | Role |
|---|---|---|---|
| PDC-1 | blueteam.lab\blueteam | BlueTeamDetection0%%% | Domain Administrator for blueteam.lab domain |
| DETECTION1 | localadministrator | BlueTeamDetection0%%% | Local Administrator of DETECTION1 workstation |
| DETECTION2 | localadministrator | BlueTeamDetection0%%% | Local Administrator of DETECTION2 workstation |
| Wazuh | blueteam | BlueTeamDetection0%%% | SSH credentials for Wazuh server |
| Wazuh | wazuh | BlueTeamDetection0%%% | Wazuh admin |
| Wazuh | admin | BlueTeamDetection0%%% | Wazuh admin |
| Wazuh | kibanaserver | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | kibanaro | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | logstash | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | readall | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | snapshotrestore | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | wazuh_admin | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | wazuh_user | BlueTeamDetection0%%% | Wazuh service account |
| Wazuh | blueteam | BlueTeamDetection0%%% | Velociraptor Web Portal login |
| Wazuh | [email protected] | BlueTeamDetection0%%% | FleetDM Web Portal login |

In order to modify the default credentials, change usernames and passwords in domain_setup.yml file.

Screenshots

Contributing

Contributions, fixes, and improvements can be submitted directly for this project as a GitHub issue or a pull request.

Directory Structure

| - ansible
|  | - ansible.cfg
|  | - domain-controller.yml
|  | - domain-member.yml
|  | - domain_setup.yml
|  | - group_vars
|  |  | - all
|  |  | - wazuh
|  | - inventory.azure_rm.yml
|  | - roles
|  |  | - domain-controller
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  | - domain-member
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  | - fleetserver
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  |  | - templates
|  |  |  |  | - config.yml.j2
|  |  |  |  | - ssl.crt
|  |  |  |  | - ssl.key
|  |  |  |  | - systemd-fleetm.service.j2
|  |  | - monitor
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  | - osqueryagent
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  |  | - templates
|  |  |  |  | - osquery.conf
|  |  |  |  | - osquery.flags.j2
|  |  |  |  | - osquery.key.j2
|  |  |  |  | - ssl.crt
|  |  |  |  | - ssl.key
|  |  |  | - vars
|  |  |  |  | - main.yml
|  |  | - sysmon
|  |  |  | - handlers
|  |  |  |  | - main.yml
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  |  | - vars
|  |  |  |  | - main.yml
|  |  | - velociraptorclient
|  |  |  | - tasks
|  |  |  |  | - main.yaml
|  |  |  | - templates
|  |  |  |  | - clientconfig.yml.j2
|  |  |  | - vars
|  |  |  |  | - main.yml
|  |  | - velociraptorserver
|  |  |  | - tasks
|  |  |  |  | - main.yaml
|  |  |  | - templates
|  |  |  |  | - serverconfig.yml.j2
|  |  |  |  | - systemd-velociraptor.service.j2
|  |  |  | - vars
|  |  |  |  | - main.yml
|  |  | - wazuhagent
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  |  | - templates
|  |  |  |  | - ossec.conf.j2
|  |  |  | - vars
|  |  |  |  | - main.yml
|  |  | - wazuhserver
|  |  |  | - tasks
|  |  |  |  | - main.yaml
|  |  |  | - templates
|  |  |  |  | - sysmon_rules.xml
|  |  |  |  | - unattended-installation.sh
|  |  |  |  | - wazuh-passwords-tool.sh.j2
|  |  | - winlogbeat
|  |  |  | - tasks
|  |  |  |  | - main.yml
|  |  |  | - templates
|  |  |  |  | - config.yml.j2
|  |  |  | - vars
|  |  |  |  | - main.yml
|  | - wazuh-server.yml
| - documentation
|  | - osquery.md
|  | - pic
|  |  | - map.png
|  |  | - wazuh-logs.PNG
|  |  | - wazuh-pdc.PNG
|  |  | - winlogbeat.PNG
|  | - sysmon.md
|  | - velociraptor.md
|  | - wazuh.md
|  | - winlogbeat.md
|  | - winmember.md
| - main.tf
| - README.md
| - terraform.tfstate
| - terraform.tfstate.backup
| - variables.tf

FAQ

  • I get Disk wks-1-os-disk already exists in resource group BLUETEAM-LAB. Only CreateOption.Attach is supported. or something similar to this error.

    • Re-run terraform destroy -auto-approve && terraform apply -auto-approve to destroy and re-create the lab. This error appears when Azure does not clean up all of the disks properly, leaving resources with the same name behind.
  • I get Operation 'startTenantUpdate' is not allowed on VM 'domain-controller' since the VM is marked for deletion. You can only retry the Delete operation (or wait for an ongoing one to complete). or something similar to this error.

    • Re-run terraform destroy -auto-approve && terraform apply -auto-approve to destroy and re-create the lab. This error appears when Azure does not clean up all of the resources properly, leaving behind resources that clash by name and/or location and must be destroyed before the lab is created.
  • I get Network security group windows-nsg cannot be deleted because old references for the following Nics or something similar to this error.

    • Re-run terraform destroy -auto-approve && terraform apply -auto-approve to destroy and re-create the lab. This error appears when Azure does not clean up all of the resources properly, leaving behind resources that clash by name and/or location and must be destroyed before the lab is created.
  • Why Azure?

  • How do I modify network segments, deployment size or other variables?

    • Modify the Terraform variables file (variables.tf) to change your setup. Alternatively, each variable can be overridden at runtime by appending -var to terraform apply. For example, terraform apply -auto-approve -var="region=East US 2" selects a region different from the default set in the variables file. The entire setup, including network ranges, operating systems and VM sizes, can be changed with a chain of -var parameters.
  • How to find SKUs for a specific deployment?

    • Use Azure command az vm list-skus --location westeurope --all --output table to find SKUs which are available for your deployment.
  • I get Max retries exceeded with url: /wsman and then the connection is refused while a system is being built.

    • Unfortunately, WinRM limitations mean that on occasion WinRM simply stops responding and connections hang, so the provisioning run does not complete. Re-run terraform apply -auto-approve to repair the affected host.

Sources of Inspiration and Thanks

A good percentage of this code was borrowed and adapted from Christophe Tafani-Dereeper's Adaz. A huge thanks for building the foundation that allowed me to design this lab environment.
