OTRF / 2021-OceanLotus-workshop

MIT License

macos-workshops

Table of Contents

Network diagram

AWS resource limit increase requests

Dedicated hosts

To run macOS on AWS you need to create AWS EC2 dedicated hosts of instance type mac1.metal. By default, you can only create 0 instances of this type. You will need to submit a request to AWS to get this increased from 0 to 3.

Virtual CPUs

By default AWS limits your account to 32 vCPUs but this environment requires 72 (see table below). You will need to submit a request to AWS to get this increased from 32 to 72.

Elastic IPs

By default you get 5 Elastic IPs per region for an account, but this project needs 9 Elastic IPs. Breakdown:

AWS pricing

Below is a table of all the AWS compute resources needed for this workshop. Depending on your target audience size you can adjust the size allocations for each machine. The SIEM machines and the NSM/Arkime server use r5 instances to provide as much memory as possible to keep search times minimal.

It should be noted that, at the time of this writing, if you plan on running this setup in AWS including the macOS machines, each macOS instance costs $25 even before it is turned on. The macOS license states that each instance must be used for at least 24 hours, so even if you use a macOS machine for 3 seconds you still end up paying for 24 hours worth of use.

Let's discuss the hourly pricing listed in the table below. It should be noted that the hourly price listed covers only the EC2 compute; the pricing does not include:

| # | EC2 type | vCPU | Memory | SSD | Rate per hour | Description |
|---|---|---|---|---|---|---|
| 1 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Elastic server |
| 2 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Graylog server |
| 3 | r5.2xlarge | 8 | 64GB | 100GB | $0.504 | Splunk server |
| 4 | r5.2xlarge | 4 | 16GB | 100GB | $0.1856 | NSM server |
| 5 | t2.small | 1 | 2GB | 8GB | $0.023 | Jumpbox |
| 6 | t2.small | 1 | 2GB | 20GB | $0.023 | red team box - alpha |
| 7 | t2.small | 1 | 2GB | 20GB | $0.023 | red team box - beta |
| 8 | t2.large | 2 | 8GB | 20GB | $0.0928 | Logstash ingestor server |
| 9 | t2.small | 1 | 2GB | 20GB | $0.023 | wiki server |
| 10 | t2.small | 1 | 2GB | 20GB | $0.0234 | file server |
| 11 | t2.small | 1 | 2GB | 60GB | $0.0234 | Windows server |
| 12 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - alpha |
| 13 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - beta |
| 14 | mac1.metal | 12 | 32GB | 60GB | $1.083 | macOS client - charlie |
| 15 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS alpha |
| 16 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS beta |
| 17 | dedicated host | - | - | - | $1.083 | Dedicated host for macOS charlie |
| Total | | 72 | 320GB | 748GB | $8.426/hr | |

User table

| # | Username | Password | Account type | Description |
|---|---|---|---|---|
| 1 | jso-yeon@hac.local | `<group_vars/corp.yml - user_list>` | mail account | e-mail account |
| 2 | lmanoban@hac.local | `<group_vars/corp.yml - user_list>` | mail account | e-mail account |
| 3 | dengziqi@hac.local | `<group_vars/corp.yml - user_list>` | mail account | e-mail admin account |
| 4 | jso-yeon | `<group_vars/corp.yml - user_list>` | SMB share | smb://172.16.50.20/public |
| 5 | lmanoban | `<group_vars/corp.yml - user_list>` | SMB share | smb://172.16.50.20/public |
| 6 | dengziqi | `<group_vars/corp.yml - user_list>` | SMB share | smb://172.16.50.20/private - admin |
| 7 | jso-yeon | `<group_vars/corp.yml - user_list>` | macOS Alpha VNC | vnc://172.16.50.130 |
| 8 | lmanoban | `<group_vars/corp.yml - user_list>` | macOS Beta VNC | vnc://172.16.50.131 |
| 9 | dengziqi | `<group_vars/corp.yml - user_list>` | macOS Charlie VNC | vnc://172.16.50.132 |
| 10 | ec2-user | `<group_vars/corp.yml - vnc_admin_password>` | macOS Alpha VNC | vnc://172.16.50.130 |
| 11 | ec2-user | `<group_vars/corp.yml - vnc_admin_password>` | macOS Beta VNC | vnc://172.16.50.131 |
| 12 | ec2-user | `<group_vars/corp.yml - vnc_admin_password>` | macOS Charlie VNC | vnc://172.16.50.132 |

Generate SSH keys for red team exercise

  1. cd macos-workshop
  2. ssh-keygen -t rsa -b 2048 -C "lmanoban@hac.local" -f files/comp_ssh_keys/id_rsa -q -N ""

Instructions to setup AWS environment

  1. AWS + Terraform
  2. Setup management subnet
  3. Init Ansible playbooks
  4. Setup corp subnet
  5. Setup macOS clients

Install/Setup public subnet

The playbook instructions for these instances assume they are publicly facing and that these instances have public DNS A records that can be used by Let's Encrypt to generate an HTTPS certificate for NGINX.

Install/Setup Elastic, Graylog, Splunk, Arkime

Install/Setup corp subnet

The playbook instructions for these instances are to setup

Destroy the AWS environment

  1. cd macos-workshop/terraform
  2. terraform destroy

JSON logs

References

Ansible

Docker