mandiant / ThreatPursuit-VM

Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.
Other
1.24k stars 248 forks source link
analytics cyber data-science fireeye intelligence intelligence-analysis malware mandiant threat threathunting threatintelligence virtual-machine

      __   __                         __      
    _/  |_|  |_________  ____ _____ _/  |_    
    \   __|  |  \_  __ _/ __ \\__  \\   __\   
     |  | |   Y  |  | \\  ___/ / __ \|  |     
     |__| |___|  |__|   \___  (____  |__|     
     ______  __ _________ ________ __|___/  |
     \____ \|  |  \_  __ /  ___|  |  |  \   __\
     |  |_> |  |  /|  | \\___ \|  |  |  ||  |
     |   __/|____/ |__| /____  |____/|__||__|
     |__|                    \/

            MANDIANT THREAT INTELLIGENCE VM
                   Version 2020.1
              threatpursuit@fireeye.com

                     Created by:
                     Dan Kennedy
              Jake Barteaux @day1player
          Blaine Stancill @MalwareMechanic
                     Nhan Huynh
      Front Line Advanced Research and Expertise

Pre-Requisites

Google Chrome Browser

Oracle Java SE 11 or Greater

Installation (Install Script)

Requirements

Recommended

Known Issues

Using Oracle Virtualbox as the virtualisation software running from a Windows 10 physical host, will cause issues with the Docker install. There is currently no workaround other than using VMware Player or VMware Workstation.

Instructions

Standard install

  1. Create and configure a new Windows Virtual Machine
  2. Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
  3. Take a snapshot of your machine!
  4. Download and copy install.ps1 on your newly configured machine.
  5. Open PowerShell as an Administrator
  6. Unblock the install file by running Unblock-File .\install.ps1
  7. Enable script execution by running Set-ExecutionPolicy Unrestricted -f
  8. Finally, execute the installer script as follows: .\install.ps1 You can also pass your password as an argument: .\install.ps1 -password The script will set up the Boxstarter environment and proceed to download and install the ThreatPursuit VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installed Tools

Development, Analytics and Machine Learning

Visualisation

Triage, Modelling & Hunting

Adversarial Emulation

Information Gathering

Utilities and Links