Building Azure Cyber Ranges for Learning and Fun

Overview

Research shows there is a Cybersecurity skills shortage that is growing worse (Oltsik, 2020). Sadly, we’ve grown accustomed to hearing news of companies falling victim to data breaches.

The time is now for us to get better at defense. If you are new to Cybersecurity or already in the field, what better way to spend your free time during this COVID-19 pandemic than helping your career and also closing this skills gap? This post introduces some Cyber Range options that automatically deploy into Microsoft Azure. They allow you to have some fun while learning and sharpening your skills with security tooling. I’m so excited to talk about these three infrastructure security projects that deploy into Azure:

  1. Azure HELK: The automated deployment can be downloaded here. It deploys “Hunting ELK” or “HELK”, a hunting platform.
  2. Azure Velociraptor: The automated deployment can be downloaded here. It deploys Velociraptor, an open-source endpoint monitoring, digital forensic and cyber response platform.
  3. PurpleCloud: This is an automated deployment of an enterprise Microsoft Active Directory environment with endpoints and a Domain Controller. PurpleCloud also deploys a penetration testing adversary system.

Required resources:
  • A Microsoft Azure account with a credit card
  • Virtualization software, such as VMWare or virtualbox
  • A Linux OS guest machine installed into VMware or virtualbox. For these demos I use Ubuntu Linux 20.04.
  • Some software installed into the Linux OS guest virtual machine: Terraform, Ansible

Option 1: The Hunting ELK (HELK) in Azure

This lab option will deploy a small Cyber Security range of the Hunting ELK or “HELK” in Azure. HELK is an open source hunting platform based on the ELK stack that includes a lot of nice capabilities such as data science with Jupyter notebooks. HELK enables detection, security monitoring, and investigation through high fidelity security logs such as Sysmon or Windows event logs, which are shipped by a Winlogbeat agent using the Kafka output. The logs are then indexed in Elasticsearch, and visualized and searched with Kibana. The deployment includes a HELK server and one Windows 10 Professional endpoint that is automatically configured to forward logs to HELK. Rather than running a security lab locally using virtualization software, this deployment uses Infrastructure as Code (IaC) with Terraform and Ansible to quickly turn up a Cyber Range within a Cloud Service Provider (Azure, in this case). You can also quickly tear it down when you’re done. What are these terms?

  • Infrastructure as Code (IaC) is a technology enabling automated deployment and management of infrastructure (e.g., Virtual Machines) using templates or definition files. IaC has a lot of growing use cases for Cyber Security.
  • Terraform.io is a company offering both commercial and open source tooling for IaC. With Terraform, we specify definitions in terraform file format and use the terraform free tool to automatically and quickly deploy our Virtual Machines in Azure. Terraform has flexible and rich support for all three of the CSPs (AWS, Azure, Google) as well as other providers.
  • Ansible is popular Configuration Management software that allows us to do post-deployment software implementation and configuration after Terraform has deployed the virtual machines. We use Terraform to invoke Ansible from within our Terraform files. Nice!
Let’s Get Started with Creating Hunting ELK in Azure

For this lab to have the greatest impact, we’ll go with installing Option 2 of the HELK in Azure project. Option 1 enables just a standalone HELK server, while Option 2 enables HELK and a Windows 10 endpoint working together for log ingestion with Kafka. For development of these templates and this demo, I’ve used VMWare Fusion with an Ubuntu 20.04 virtual machine. But any modern Linux OS should work as well. After you’ve installed the prerequisites using these detailed instructions, configure your Azure Service Principal credentials within your terraform.tfvars file, which lets Terraform use your Azure account to automatically manage infrastructure. It should look like the fake credentials below:

subscription_id = "aa9d8c9f-34c2-6262-89ff-3c67527c1b22"
client_id = "7e9c2cce-8bd4-887d-b2b0-90cd1e6e4781"
client_secret = ":+O$+adfafdaF-?%:.?d/EYQLK6po9`|E<["
tenant_id = "8b6817d9-f209-2071-8f4f-cc03332847cb"

If you want the Azure Network Security Groups (NSGs) to provide the added protection of allowing only your own source IP address, uncomment the following line in terraform.tfvars and set it to your source prefix. If you don’t, the HELK infrastructure’s listening ports will be open to the public Internet.

# Set variable below for IP address prefix for white listing Azure
# https://ifconfig.me/
# curl https://ifconfig.me
src_ip = "192.168.87.4"
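Because a commented-out src_ip silently leaves the HELK ports open, it is worth checking terraform.tfvars before running create.sh rather than discovering the exposure afterwards. The following preflight script is an added example written for this post; it is not part of the HELK_Azure project. It parses the simple `name = "value"` assignments of a tfvars file the way Terraform does (comment lines are ignored), confirms the four Service Principal fields are present, and classifies the src_ip value. The sample file below is constructed with the post's fake identifiers and a placeholder secret; the NON_ROUTABLE list and the verdict names are my own additions.

```python
import ipaddress
import re

# Constructed sample of a terraform.tfvars for the HELK lab: the post's fake
# Service Principal identifiers, a placeholder secret, and the src_ip line still
# commented out, which is the exposed-to-the-Internet state described above.
SAMPLE_TFVARS = '''
subscription_id = "aa9d8c9f-34c2-6262-89ff-3c67527c1b22"
client_id = "7e9c2cce-8bd4-887d-b2b0-90cd1e6e4781"
client_secret = "FAKE-SECRET-FOR-ILLUSTRATION"
tenant_id = "8b6817d9-f209-2071-8f4f-cc03332847cb"
# Set variable below for IP address prefix for white listing Azure
# src_ip = "192.168.87.4"
'''

REQUIRED = ("subscription_id", "client_id", "client_secret", "tenant_id")

# Prefixes that can never be the source of traffic arriving at an Azure public IP.
# An NSG rule scoped to one of these blocks the operator, not the world, so it is
# almost always a mistake (e.g. pasting a LAN address instead of what ifconfig.me shows).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# One simple string assignment per line, which is all this tfvars file uses.
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_tfvars(text):
    """Return {name: value} for the string assignments in a tfvars file.
    Lines starting with '#' are comments and are skipped, so a commented-out
    src_ip is reported as absent, exactly as Terraform sees it."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ASSIGN.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def classify_src_ip(values):
    """Classify the NSG source filter the deploy will end up with:
    'missing'  no src_ip: listening ports open to the Internet
    'any'      a /0 prefix: same effect as missing
    'invalid'  not an IP address or CIDR prefix: Terraform will reject it
    'private'  RFC 1918/loopback/link-local: will never match your public source
    'ok'       a routable address or prefix"""
    src = values.get("src_ip")
    if not src:
        return "missing"
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:
        return "any"
    if net.version == 4 and any(net.subnet_of(p) for p in NON_ROUTABLE):
        return "private"
    return "ok"


def preflight(text):
    """Return the list of problems that should stop ./create.sh; empty means go."""
    values = parse_tfvars(text)
    problems = [f"{key} is not set" for key in REQUIRED if not values.get(key)]
    verdict = classify_src_ip(values)
    if verdict != "ok":
        problems.append(f"src_ip is {verdict}: fix it before deploying")
    return problems


if __name__ == "__main__":
    # Run against the constructed sample; point it at your real file with open().read()
    for problem in preflight(SAMPLE_TFVARS) or ["preflight passed"]:
        print(problem)
```

Run it from the deploy directory against your own terraform.tfvars before `./create.sh`; a non-empty result means the NSG will not be restricting access the way you expect. The `private` verdict is the one people hit most often: the value must be the public address the Azure side sees, not the address of the VM you are typing on.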

With this out of the way, simply run a few terraform commands to build your HELK infrastructure:

$ cd HELK_Azure/option2_helk_endpoint/deploy
$ terraform init
$ ./create.sh

Boom! Now grab a cup of coffee and after about fifteen minutes, you should be in business.

Generating some log artifacts

Let’s do two things really quick to generate some test log artifact data. First, access the Kibana UI for your HELK server. The IP address of HELK is listed in:

/modules/helk/hosts.cfg

Browse to https://<HELK_IP> in Firefox and accept the self-signed certificate warnings. The username/password is: helk/hunting

HELK Kibana Image, taken by Jason Ostrom

This is the Kibana interface used for searching and monitoring the security logs that will be sent from our Windows target. At this point in time you likely won’t see any data in the Kibana UI as the Windows endpoint hasn’t generated any traffic of interest.

Next, use RDP for remote access into our Windows 10 virtual machine. Azure provisions a public IP address for the Windows 10 VM and it is listed in the following file:

/modules/win10-vm1/hosts.cfg

RDP into this IP with the username/password: HELKAdmin/Password123

Launch the Windows command prompt (cmd.exe) as shown below. We just want to generate a very simple example of a parent process (Windows Explorer) calling a child process (cmd.exe), just enough for this HELK example to generate a log entry.

Screen shot created by Jason Ostrom

Now go back to the Kibana interface, and type “cmd” into the search window and enter. You should see the logs refresh to show evidence of command execution.

View of Kibana search, with Explorer launching cmd.exe; Image created by Jason Ostrom
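The search you just ran in Kibana is a free-text match over the Sysmon Event ID 1 (process create) documents that Winlogbeat shipped. To make explicit what that search is doing, here is an added example (mine, not part of HELK or this post's lab) that runs the same kind of query over a handful of constructed documents and then counts parent/child pairs, which is the first thing a hunter looks at in this data. The field names (event_id, host_name, process_parent_name, process_name, process_command_line) are an assumption about HELK's normalised schema; real documents carry many more fields.

```python
import json
from collections import Counter

# Constructed sample: one JSON document per line, in roughly the shape HELK indexes
# after Winlogbeat -> Kafka -> Logstash. Only event_id 1 (process create) matters here;
# the event_id 3 (network connection) line is included to show it being filtered out.
SAMPLE_NDJSON = r'''
{"event_id": 1, "host_name": "win10-vm1", "process_parent_name": "explorer.exe", "process_name": "cmd.exe", "process_command_line": "\"C:\\Windows\\system32\\cmd.exe\" "}
{"event_id": 1, "host_name": "win10-vm1", "process_parent_name": "cmd.exe", "process_name": "ping.exe", "process_command_line": "ping  -n 1 127.0.0.1"}
{"event_id": 1, "host_name": "win10-vm1", "process_parent_name": "services.exe", "process_name": "svchost.exe", "process_command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs"}
{"event_id": 3, "host_name": "win10-vm1", "process_name": "ping.exe", "dst_ip_addr": "127.0.0.1"}
{"event_id": 1, "host_name": "win10-vm1", "process_parent_name": "explorer.exe", "process_name": "notepad.exe", "process_command_line": "\"C:\\Windows\\system32\\notepad.exe\" "}
'''


def load_process_creates(ndjson):
    """Parse one JSON document per line and keep only Sysmon Event ID 1."""
    docs = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        doc = json.loads(line)
        if doc.get("event_id") == 1:
            docs.append(doc)
    return docs


def free_text_search(docs, term):
    """Mimic typing a bare word into the Kibana search box: a case-insensitive
    substring match against every string-valued field of the document. Note that
    'cmd' therefore also hits documents where cmd.exe is only the *parent*."""
    term = term.lower()
    return [d for d in docs
            if any(isinstance(v, str) and term in v.lower() for v in d.values())]


def spawn_counts(docs):
    """Count (parent, child) pairs. Rare pairs, or a parent that should never be
    launching a given child on a workstation, are what a hunter pivots on."""
    return Counter((d["process_parent_name"].lower(), d["process_name"].lower())
                   for d in docs)


def children_of(docs, parent, child=None):
    """Documents where `parent` launched something, optionally only `child`."""
    parent = parent.lower()
    return [d for d in docs
            if d["process_parent_name"].lower() == parent
            and (child is None or d["process_name"].lower() == child.lower())]


if __name__ == "__main__":
    docs = load_process_creates(SAMPLE_NDJSON)
    for hit in free_text_search(docs, "cmd"):
        print(hit["process_parent_name"], "->", hit["process_name"], "|", hit["process_command_line"])
    for (parent, child), n in spawn_counts(docs).most_common():
        print(f"{n:3d}  {parent} -> {child}")
```

The explorer.exe -> cmd.exe pair is the benign one you generated by hand; the value of the pair table is that the same two lines of code, run over a day of real Sysmon data, surface the pairs you did not expect.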

Shutting Down and Destroying the Infrastructure

$ cd HELK_Azure/option2_helk_endpoint/deploy
$ ./destroy.sh

HELK Conclusion

This is a very high level introduction to the capabilities of security log ingestion with HELK. This lab is configured to ship Sysmon with Winlogbeat using HELK configuration settings. Sysmon can track process execution, including the full command line, and provides event tracing of suspected malicious processes. This can be used for research and as an early warning system to investigate malicious process execution such as malware. The configuration uses the HELK-recommended settings with SwiftOnSecurity tuning for Sysmon. The HELK deployment scripts are hard-coded to deploy hardware option #4, which deploys 8 GB of RAM for use cases requiring data science and Jupyter Notebook capabilities.

One of my favorite features of HELK is the support for Mordor, a collection of pre-recorded attack simulations in JSON file format. A researcher can run a simulation and share it, and it can then be imported into HELK via Kafka using the Kafkacat tool. Since Kafka is already supported in HELK and the Azure NSGs allow Kafka port ingress from your source prefix, you can upload Mordor datasets from your Terraform system directly into HELK for analysis in Kibana. That’s a different kind of nice.

More Reading

Option 2: Velociraptor in Azure

Velociraptor is a digital forensics and hunting tool focused on live forensics on the endpoint. From its website:

Velociraptor provides the next generation in endpoint monitoring, digital forensic investigations and cyber incident response…The most powerful feature of Velociraptor is its framework for creating highly customized artifacts which allow a user to collect, query and monitor almost any aspect of a single endpoint, groups of endpoints or an entire network.

The Velociraptor Azure project provides an automated IaC deployment which builds a Velociraptor server, installs a Windows 10 endpoint with the Velociraptor agent, and configures the agent to register to the Velociraptor server. The entire deployment time is approximately 8 minutes and 50 seconds.

Enter Velociraptor: DFIR Beast Mode!

Follow all of the prerequisites and setup instructions from the GitHub repository, and simply run these commands to deploy a Velociraptor lab in Azure:

$ cd Velociraptor_Azure/deploy
$ terraform init
$ ./create.sh

Let’s do a quick tour of Velociraptor. First, take note of the Azure provisioned public IP address for your Velociraptor server:

$ cat modules/velociraptor/hosts.cfg

Point Firefox at the Velociraptor web administration console on port 8889 and accept the certificate warnings (this deployment uses self-signed certificates): https://<IP>:8889

The username/password is: vadmin/vadmin

After logging in, the top left corner “show all” should show the Windows 10 endpoint computer of “Win10-Lars” automatically registered.

Velociraptor dashboard showing endpoint, by Jason Ostrom

There are tons of fantastic forensic investigation features in Velociraptor. A user can open the Virtual File System (VFS) view to browse the file system and pull file artifacts, raw NTFS data, and registry entries. An investigator can query the installed services, installed software programs, process execution via prefetch, and scheduled tasks. Velociraptor maintains a persistent command channel with the agent that allows an administrator to query the agent in near real time. Velociraptor has a powerful and flexible query engine that allows an administrator to run queries written in Velociraptor Query Language (VQL) across all registered endpoints. These “hunts” can be scheduled at intervals and run across all endpoints.

Scheduled Task Persistence Mechanism

Velociraptor includes many pre-built artifact flow collectors that can query endpoints for artifacts. A common persistence mechanism used in malware is the Windows Task Scheduler. Velociraptor includes a VQL query for enumerating all scheduled tasks on a Windows system for analysis. Velociraptor also includes a VQL query for remediation of scheduled tasks.

The VQL artifact collector for Scheduled Tasks; Image created by Jason Ostrom

In this example, I’ve created a persistent ping scheduled task as a simulated malicious scheduled task. I then ran the Velociraptor artifact collector. The results can be downloaded as a CSV for analysis, and the query can run across your entire enterprise when hunting for persistence mechanisms.

Image of Velociraptor Scheduled Task artifact collector results; Image created by Jason Ostrom
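Once the scheduled-task results are exported as a CSV, the next step is deciding which of the dozens of tasks on an ordinary Windows 10 build deserve an analyst's attention. The triage script below is an added example of mine, not part of Velociraptor or this post's lab. The CSV is constructed: the column names (TaskName, Author, Command, Arguments) are an assumption for this example, so check the headers of your own download; the "\Updater" row stands in for the simulated ping task from the walkthrough, and the user name labuser is made up. The rules are deliberately simple: a command that is a commonly abused executable, a command launching from outside the Windows or Program Files trees, or a non-Microsoft author hiding under the \Microsoft task folder.

```python
import csv
import io
import ntpath

# Constructed CSV resembling an export of a Velociraptor scheduled-task collection.
# Column names are an assumption for this example. "\Updater" is the simulated ping
# persistence task; the OneDrive row is a legitimate per-user task that a path rule
# will flag, which is why the output is a review list, not a verdict.
SAMPLE_CSV = r'''TaskName,Author,Command,Arguments
\Microsoft\Windows\Defrag\ScheduledDefrag,Microsoft Corporation,%windir%\system32\defrag.exe,-c -h -o
\Microsoft\Windows\UpdateOrchestrator\Schedule Scan,Microsoft Corporation,%systemroot%\system32\usoclient.exe,StartScan
\Updater,WIN10-LARS\labuser,C:\Windows\System32\ping.exe,-t 127.0.0.1
\OneDrive Standalone Update Task,WIN10-LARS\labuser,C:\Users\labuser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,
'''

# Directories a task should normally launch from on a workstation (lower-cased).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Executables persistence commonly hides behind: script hosts, proxy-execution
# binaries, and ping.exe, which is often used as a sleep or beacon primitive.
ABUSED_EXES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "ping.exe"}

# Minimal environment-variable expansion so %windir% paths compare correctly.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}


def parse_tasks(text):
    """Read the exported CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def normalise_path(command):
    """Lower-case, strip quotes, and expand the two variables seen in task XML."""
    path = command.strip().strip('"').lower()
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def reasons_for(task):
    """Return the list of triage rules a single task trips (empty if none)."""
    reasons = []
    path = normalise_path(task["Command"])
    if ntpath.basename(path) in ABUSED_EXES:
        reasons.append("commonly abused executable")
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("runs from outside Windows/Program Files")
    if ("microsoft" not in task["Author"].lower()
            and task["TaskName"].lower().startswith("\\microsoft\\")):
        reasons.append("non-Microsoft author under \\Microsoft task folder")
    return reasons


def triage(tasks):
    """Return {TaskName: [reasons]} for every task worth an analyst's look."""
    flagged = {}
    for task in tasks:
        reasons = reasons_for(task)
        if reasons:
            flagged[task["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(parse_tasks(SAMPLE_CSV)).items():
        print(f"{name}: {', '.join(reasons)}")
```

Against a fleet, you would feed every endpoint's CSV through `triage` and then sort by how many hosts share a flagged task name and command; a persistence task planted on one machine stands out precisely because it is not on the others.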

Investigating Further

In a recent SANS blog post, Josh Wright describes a Red Team tactic used by adversaries to hide Windows services. This is a fascinating description of a lesser known persistence mechanism: using Security Descriptor Definition Language (SDDL) to modify a service’s permissions. He followed up with a Blue Team blog showing how to detect this. As an exercise for the reader, which Velociraptor VQL artifact collectors can detect this adversary tactic?

Option 3: Purple Cloud in Azure

Purple Cloud is a Cyber Range that simulates a realistic enterprise configuration of the kind found in an on-premises Active Directory domain. It includes one Windows 2019 Domain Controller and three Windows 10 Professional machines. The Windows 10 endpoints are automatically joined to the domain. Each Windows 10 VM has an associated Domain User with an interactive domain logon. This configuration enables exploring tactics and techniques between computers and simulating privilege escalation. Purple Cloud also deploys a Linux adversary system with a Docker penetration test container installed. This entire configuration is automatically deployed in Azure in roughly 24 minutes. There are myriad purple teaming use cases for the Purple Cloud Cyber Range, which can be saved for a dedicated article.

Purple Cloud Network Drawing, created by Jason Ostrom

Conclusion

Commercial Cyber Ranges are growing in the marketplace, including newer Cyber Range “As a Service” (CyRaaS) offerings (Schiappa, 2019). This article gives you several free, small templates to create your own Cyber Ranges and use them for your own advancement. They use Terraform for Infrastructure as Code (IaC). IaC offers benefits such as speed, cost reduction, and flexibility. These templates can also help you in pursuing the Microsoft AZ-500 security exam. The concepts of building Azure Virtual Machine infrastructure and managing Network Security Groups (NSGs) align with the exam blueprint, and can help you get your Azure Security Engineer Associate certification.