APT29 Evaluation: Environment
The evaluations were performed in Microsoft Azure Cloud. Each vendor was provided an environment consisting of seven hosts on which to install their client software. The vendors also had the option of installing server software onto a virtual machine (VM) already in the environment, or importing a VM if necessary. By default, the Azure VMs were Standard B4MS, each with four vCPUs and 16GB memory. Each vendor had full and complete administrative access to the hosts instantiated for them.
All machines were in an isolated domain in their own resource group in their own virtual network. VPN access enabled connectivity to the environment, and passwords were shared via out-of-band methods. There was one VPN server per environment, and vendors then used RDP to reach other hosts within the environment. Hosts were reachable only from within the VPN. They did not have public IP addresses assigned to them via Azure, but they were able to access the Internet. After the VMs were created, an additional script was run to join the VMs to the domain.
Figure 1: APT29 Evaluation Environment
- Test Range:
  - A Windows domain with one domain controller, one file server and five clients. All VMs were the “Standard B4MS” instance, with four vCPUs and 16GB memory. The servers ran Windows Server with SKU “2019-Datacenter” and the clients ran Windows 10 1903 with SKU “19h1-pro” or “1903-evd-o365pp”.
The following modifications were made to the standard Azure images:
- WinRM is enabled for all Windows hosts
- PowerShell execution policy is set to "Bypass"
- Registry modified to allow storage of wdigest credentials
- Registry modified to disable Windows Defender
- Group Policy modified to disable Windows Defender
- Configured firewall to allow SMB
- Created an SMB share
- Set UAC to never notify
- RDP enabled for all Windows hosts
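As an added example that is not part of the evaluation page, the PowerShell function below checks a host for each of the modifications listed above so a defender can confirm whether a machine is in this deliberately weakened state (the registry paths and cmdlets are the standard Windows ones; the function name and output shape are assumptions of this example):

```powershell
# Added example, not from the ATT&CK Evaluations page: report which of the
# APT29 range weakenings are present on the local host. Run elevated.
function Get-RangeWeakening {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Setting, [bool]$Weakened, [string]$Evidence) {
        $findings.Add([pscustomobject]@{ Setting = $Setting; Weakened = $Weakened; Evidence = $Evidence })
    }
    $quiet = @{ ErrorAction = 'SilentlyContinue' }

    # WinRM: service running means remote PowerShell/WS-Man is reachable
    $winrm = Get-Service -Name WinRM @quiet
    Add-Finding 'WinRM enabled' ($winrm.Status -eq 'Running') "Status=$($winrm.Status)"

    # PowerShell execution policy at machine scope
    $ep = Get-ExecutionPolicy -Scope LocalMachine
    Add-Finding 'Execution policy Bypass' ($ep -eq 'Bypass') "LocalMachine=$ep"

    # WDigest: UseLogonCredential=1 keeps cleartext credentials in LSASS memory
    $wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' @quiet
    Add-Finding 'WDigest cleartext creds' ($wd.UseLogonCredential -eq 1) "UseLogonCredential=$($wd.UseLogonCredential)"

    # Defender disabled via registry/Group Policy (both land in the Policies key)
    $def = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' @quiet
    Add-Finding 'Defender disabled by policy' ($def.DisableAntiSpyware -eq 1) "DisableAntiSpyware=$($def.DisableAntiSpyware)"

    # Firewall: inbound File and Printer Sharing (SMB) rules enabled
    $smbRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True @quiet)
    Add-Finding 'SMB allowed through firewall' ($smbRules.Count -gt 0) "EnabledInboundRules=$($smbRules.Count)"

    # Non-administrative (non-$) SMB shares
    $shares = @(Get-SmbShare @quiet | Where-Object { -not $_.Special })
    Add-Finding 'Custom SMB share present' ($shares.Count -gt 0) ("Shares=" + ($shares.Name -join ','))

    # UAC "Never notify": ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' @quiet
    $never = ($uac.ConsentPromptBehaviorAdmin -eq 0) -and ($uac.PromptOnSecureDesktop -eq 0)
    Add-Finding 'UAC never notify' $never "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"

    # RDP: fDenyTSConnections=0 means Remote Desktop connections are accepted
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' @quiet
    Add-Finding 'RDP enabled' ($rdp.fDenyTSConnections -eq 0) "fDenyTSConnections=$($rdp.fDenyTSConnections)"

    return $findings
}

Get-RangeWeakening | Format-Table -AutoSize
```

Any row with `Weakened = True` on a production host is a configuration to revert, since each of these settings was chosen to make the adversary emulation easier to observe rather than to reflect a hardened baseline.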