iknowjason / Purplecloud

An Infrastructure as Code (IaC) deployment of a small Active Directory pentest lab in the cloud. The deployment simulates a semi-realistic corporate enterprise Active Directory with a DC and endpoints. Purple team goals include exercising blue team detection capabilities and R&D on new approaches to detection engineering.

Overview: Purple Cloud

Pentest Cyber Range for a small Active Directory Domain. Automated templates for building your own Pentest/Red Team/Cyber Range in the Azure cloud! Purple Cloud is a small Active Directory enterprise deployment automated with Terraform / Ansible Playbook templates to be deployed in Azure. Purple Cloud also includes an adversary node implemented as a docker container remotely accessible over RDP.

Quick Fun Facts:

  • Deploys a pentest adversary Linux VM and Docker container (AriaCloud) accessible over RDP
  • Deploys one (1) Windows 2019 Domain Controller and three (3) Windows 10 Pro Endpoints
  • Automatically joins the three Windows 10 computers to the AD Domain
  • Uses Terraform templates to automatically deploy in Azure with VMs
  • Terraform templates write Ansible Playbook configuration, which can be customized
  • Automatically uploads Badblood (but does not install) if you prefer to generate thousands of simulated users https://github.com/davidprowe/BadBlood
  • Post-deployment Powershell script provisions three domain users on the 2019 Domain Controller and can be customized for many more
  • Domain Users: olivia (Domain Admin); lars (Domain User); liem (Domain User)
  • All Domain User passwords: Password123
  • Domain: RTC.LOCAL
  • Domain Administrator Creds: RTCAdmin:Password123
  • Deploys four IP subnets
  • Deploys intentionally insecure Azure Network Security Groups (NSGs) that allow RDP, WinRM (5985, 5986), and SSH from the Public Internet. These can be restricted to your source network prefix using the src_ip variable.
  • Post-deploy Powershell script adds registry entries on each Windows 10 Pro endpoint to automatically log each user into the Domain as the respective domain user. This feature simulates a real AD environment with workstations that have interactive domain logons. When you attempt to RDP into the endpoints, the simulated adversary is met with:
  • Approximate build time: 24 minutes
  • Approximate Monthly Cost: $331.44 per month

AriaCloud Pentest Container - Automated Deployment

This repo now includes a Terraform template and Ansible Playbook that automatically deploys AriaCloud into an Azure VM with remote access over RDP. You can also do a standalone deployment of AriaCloud from within this repo. For this option, navigate into the aria-cloud directory and see the README. For more information on the AriaCloud docker container and included pentest tools, navigate to https://github.com/iknowjason/AriaCloud.

Purple Cloud Deployment Instructions

Note: Tested on Ubuntu Linux 20.04

Requirements:

  • Azure subscription
  • Terraform: Tested on v0.12.26
  • Ansible: Tested on 2.9.6

Installation Steps

Step 1: Install Terraform and Ansible on your Linux system

Download and install Terraform for your platform --> https://www.terraform.io/downloads.html

Install Ansible

$ sudo apt-get install ansible

Step 2: Set up an Azure Service Principal on your Azure subscription that allows Terraform to automate tasks under your Azure subscription

Follow the exact instructions in this Microsoft link: https://docs.microsoft.com/en-us/azure/developer/terraform/getting-started-cloud-shell

These were the two basic commands that were run based on this link above:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscription_id>"

and the command below. In my testing I needed to use a role of "Owner" instead of "Contributor"; the default Microsoft documentation shows a role of "Contributor", which resulted in errors.

az login --service-principal -u <service_principal_name> -p "<service_principal_password>" --tenant "<service_principal_tenant>"

Take note of the following which we will use next to configure our Terraform Azure provider:

subscription_id = ""
client_id = ""
client_secret = ""
tenant_id = ""

Step 3: Clone this repo

$ git clone https://github.com/iknowjason/PurpleCloud.git

Step 4: Using your favorite text editor, edit the terraform.tfvars file for the Azure resource provider matching your Azure Service Principal credentials

cd PurpleCloud/deploy
vi terraform.tfvars

Edit these parameters in the terraform.tfvars file:

subscription_id = ""
client_id = ""
client_secret = ""
tenant_id = ""

Your terraform.tfvars file should look similar to this but with your own Azure Service Principal credentials:

subscription_id = "aa9d8c9f-34c2-6262-89ff-3c67527c1b22"
client_id = "7e9c2cce-8bd4-887d-b2b0-90cd1e6e4781"
client_secret = ":+O$+adfafdaF-?%:.?d/EYQLK6po9`|E<["
tenant_id = "8b6817d9-f209-2071-8f4f-cc03332847cb"

Step 5: Edit the terraform.tfvars file to include your source network prefix

Edit the following file: deploy/terraform.tfvars

At the bottom of the file, uncomment the "src_ip" variable and populate it with your correct source IP address. If you don't do this, the Azure NSGs will open up your two VMs to the public Internet. Below is exactly where the variable should be uncommented and an example of what it looks like:

# Set variable below for IP address prefix for white listing Azure NSG
# uncomment variable below; otherwise, all of the public Internet will be permitted
# https://ifconfig.me/
# curl https://ifconfig.me
src_ip = "192.168.87.4"
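As an added post-deploy check (example code, not part of PurpleCloud): after `terraform apply`, the NSG rules can be audited for the exposure described in this step, by parsing the JSON that `az network nsg rule list` returns and flagging Allow/Inbound rules that open RDP, WinRM or SSH to any source, or to a source broader than your src_ip. The field names mirror the az CLI output; the sample rules and the 192.168.87.4 prefix reused from the tfvars example are constructed input.

```python
"""Audit Azure NSG rules for admin ports open to the Internet (added example,
not part of PurpleCloud). Input is the JSON from
`az network nsg rule list -g <rg> --nsg-name <nsg> -o json`; sample is constructed."""
import ipaddress
import json

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM HTTP/HTTPS
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

def _ports(rule):
    """Expand destinationPortRange(s) such as "3389", "5985-5986" or "*"."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    ports = set()
    for r in ranges:
        if r == "*":
            return set(ADMIN_PORTS)  # wildcard covers every admin port
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _within(src, allowed):
    """True if src is an IP/CIDR inside allowed; service tags count as outside."""
    try:
        return ipaddress.ip_network(src, strict=False).subnet_of(allowed)
    except (ValueError, TypeError):
        return False

def exposed_admin_rules(rules, allowed_prefix=None):
    """Names of Allow/Inbound rules opening an admin port to any source or, when
    allowed_prefix (e.g. src_ip from terraform.tfvars) is given, outside it."""
    allowed = ipaddress.ip_network(allowed_prefix, strict=False) if allowed_prefix else None
    flagged = []
    for rule in rules:
        if rule["access"] != "Allow" or rule["direction"] != "Inbound":
            continue
        if not _ports(rule) & ADMIN_PORTS:
            continue
        srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
        if any(s in ANY_SOURCE or (allowed is not None and not _within(s, allowed)) for s in srcs):
            flagged.append(rule["name"])
    return flagged

# Constructed sample: RDP and WinRM wide open, SSH already pinned to src_ip, HTTPS not an admin port.
SAMPLE_RULES = json.loads("""[
 {"name": "RDP", "access": "Allow", "direction": "Inbound", "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
 {"name": "WinRM", "access": "Allow", "direction": "Inbound", "destinationPortRanges": ["5985", "5986"], "sourceAddressPrefixes": ["Internet"]},
 {"name": "SSH", "access": "Allow", "direction": "Inbound", "destinationPortRange": "22", "sourceAddressPrefix": "192.168.87.4/32"},
 {"name": "HTTPS", "access": "Allow", "direction": "Inbound", "destinationPortRange": "443", "sourceAddressPrefix": "*"}
]""")
if __name__ == "__main__":
    print(exposed_admin_rules(SAMPLE_RULES))  # ['RDP', 'WinRM']
```

Pass the src_ip you set in terraform.tfvars as allowed_prefix to also catch rules that were narrowed, but to the wrong prefix.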

Step 6: Run the commands to initialize terraform and apply the resource plan

$ cd PurpleCloud/deploy
$ terraform init
$ terraform apply -var-file=terraform.tfvars -auto-approve

This should start the Terraform automated deployment plan.

Step 7: Optional: Unzip and run Badblood from C:\terraform directory (https://github.com/davidprowe/BadBlood)

Known Issues or Bugs

There are timing-related issues that are still a work in progress for me to debug and resolve. They are listed below with workarounds.

Sometimes one of the provisioning steps doesn't work with the DC. It is the terraform module that calls the Ansible Playbook which runs a Powershell script to add domain users. The error will look like this when running the steps:

module.dc1-vm.null_resource.provision-dc-users (local-exec): TASK [dc : debug] **************************************************************
module.dc1-vm.null_resource.provision-dc-users (local-exec): ok: [52.255.151.90] => {
module.dc1-vm.null_resource.provision-dc-users (local-exec):     "results.stdout_lines": [
module.dc1-vm.null_resource.provision-dc-users (local-exec):         "WARNING: Error initializing default drive: 'Unable to find a default server with Active Directory Web Services ",
module.dc1-vm.null_resource.provision-dc-users (local-exec):         "running.'."
module.dc1-vm.null_resource.provision-dc-users (local-exec):     ]
module.dc1-vm.null_resource.provision-dc-users (local-exec): }

If this happens, you can change into the modules/dc1-vm directory and immediately run the Ansible Playbook command, as shown in README.ANSIBLE.txt:

ansible-playbook -i hosts.cfg playbook.yml

If you run this command before the Windows 10 endpoints are provisioned, the endpoints will provision just fine. If the entire script has already run and you see this error, then you need to run the Ansible Playbook on the Windows server and on all of the endpoints.

Sometimes the adversary will throw this error:

module.adversary1-vm.null_resource.ansible-deploy (local-exec): fatal: [40.121.138.118]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: "}

To resolve the issue, change into the modules/adversary1-vm directory and run the Ansible Playbook commands shown in README.ANSIBLE.txt:

ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./hosts.cfg --private-key ssh_key.pem ./playbook.yml

Sometimes the Windows 10 Endpoints don't automatically log into the domain via registry entry. I've traced this issue to a timing issue with the Domain Controller creation. The powershell script creating the three users does not run correctly. To resolve the issue, simply run the Ansible Playbooks in each module directory. The following should resolve the issue:

$ cd ../modules/dc1-vm/
$ ansible-playbook -i hosts.cfg playbook.yml

$ cd ../win10-vm-1/
$ ansible-playbook -i hosts.cfg playbook.yml

$ cd ../win10-vm-2/
$ ansible-playbook -i hosts.cfg playbook.yml

$ cd ../win10-vm-3/
$ ansible-playbook -i hosts.cfg playbook.yml

Credits

@ghostinthewires for his Terraform templates (https://github.com/ghostinthewires)

@mosesrenegade for his Ansible Playbook integration with Terraform + Powershell script (https://github.com/mosesrenegade)

@davidprowe for his Badblood (https://github.com/davidprowe/BadBlood)