Active Members Fi8sVrs Posted May 25, 2018 Active Members Report Share Posted May 25, 2018 DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. https://darksurgeon.io Darksurgeon is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. Darksurgeon has three stated goals: Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities. Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant. Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10. If you haven’t worked with packer before, this project has a simple premise: Provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys. Please note this is an alpha project and it will be subject to continual development, updates, and package breakage. Development Principles Darksurgeon is based on a few key development principles: Modularity is key. Each component of the installation and configuration process should be modular. This allows for individuals to tailor their packer image in the most flexible way. Builds must be atomic. A packer build should either complete all configuration and installation tasks without errors, or it should fail. A packer image with missing tools is a failure scenario. Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on Darksurgeon security can be found later in this post. Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration. Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection. Building Darksurgeon Build Process Darksurgeon is built using the HashiCorp application packer. The total build time for a new instance of Darksurgeon is around 2–3 hours. Packer creates a new virtual machine using theDarksurgeon JSON file and your hypervisor of choice (e.g. Hyper-V, Virtualbox, VMWare). The answers.iso file is mounted inside theDarksurgeon VM along with the Windows ISO. The answers.iso file contains the unattend.xml needed for a touchless installation of windows, as well as a powershell script to configure Windows Remote Management (winrm). Packer connects to the Darksurgeon VM using WinRM and copies over all files in the helper-scripts and configuration-files directory to the host. Packer performs serial installations of each of the configured powershell scripts, performing occasional reboots as needed. When complete, packer performs a sysprep, shuts down the virtual machine, and creates a vagrant box file. Additional outputs may be specified in the post-processors section of the JSON file. Setup Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMWare support are forthcoming. Install packer, vagrant, and your preferred hypervisor on your host. Download the repository contents to your host. Download a Windows 10 Enterprise Evaluation ISO (1803). Move the ISO file to your local Darksurgeon repository. Update Darksurgeon.json with the ISO SHA1 hash and file name. (Optional) Execute the powershell script New-Darksurgeon.ps1 to generate a new answers.iso file. There is an answers ISO file included in the repository but you may re-build this if you don’t trust it, or you would like to modify the unattend files: powershell.exe New-DARKSURGEONISO.ps1 Build the recipe using packer: packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json Using Darksurgeon Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMWare support are forthcoming. Once Darksurgeon has successfully built, you’ll receive an output vagrant box file. The box file contains the virtual machine image and vagrant metadata, allowing you to quickly spin up a virtual machine as needed. Install vagrant and your preferred hypervisor on your host. Navigate to the Darksurgeon repository (or the location where you’ve saved the Darksurgeon box file). Perform a vagrant up: vagrant up Vagrant will now extract the virtual machine image from the box file, read the metadata, and create a new VM for you. Want to kill this VM and get a new one? Easy, just perform the following: vagrant destroy && vagrant up Once the Darksurgeon virtual machine is running, you can login using one of the two local accounts: Note: These are default accounts with default credentials. You may want to consider changing the credentials in your packer build. Administrator Account: Username: Darksurgeon Password: darksurgeon Local User Account: Username: Unprivileged Password: unprivileged If you’d rather not use vagrant, you can either import the VM image manually, or look at one of the many other post-processor options provided by packer. Download: DARKSURGEON-master.zip Sources: https://github.com/cryps1s/DARKSURGEON https://darksurgeon.io 1 Quote Link to comment Share on other sites More sharing options...
