The evaluations were performed in the Microsoft Azure Cloud. Each vendor was provided an environment consisting of five hosts on which to install their client software. The vendors also had the option of either importing a server virtual machine (VM) or installing their server software onto an existing additional VM. By default, the Azure VMs were Standard B4MS, each with four vCPUs and 16GB memory. Each vendor had full administrative access to the hosts instantiated for them.
All machines were in an isolated domain in their own resource group in their own virtual network. VPN access enabled connectivity to the environment, and passwords were shared via out-of-band methods. There was one VPN server per environment; once connected, vendors used RDP to reach the other hosts within the environment. Hosts were only reachable within the VPN. They did not have public IP addresses assigned to them via Azure, but they were able to access the Internet. After the VMs were created, an additional script was run to join the VMs to the domain.
Figure 1: APT3 Evaluation Environment
Each environment existed just for the length of the evaluation and was deleted after the public release of the evaluation results.
There were eight total VMs in the environment, split into three groups: Test Range, Red Team, and Connectivity. The vendor had access to the Test Range group of VMs.
- Test Range:
  - A Windows domain with one domain controller, one file server and three clients. All VMs were the "Standard B4MS" instance, with four vCPUs and 16GB memory. The servers were Windows Server with SKU "2016-Datacenter" and the clients were Windows 10 1803 with SKU "rs4-pro".
- Red Team:
  - Two Linux VMs
- Connectivity:
  - One Linux VM set up as the VPN connection point, using TCP port 1194.
The following modifications were made to the standard Azure images:
- Registry changed to allow storage of wdigest credentials
- Registry changed to disable Windows Defender
- Execution policy set to “bypass”
- Configured firewall to allow SMB
- Configured firewall to allow FTP
- Added conditional DNS forwarder
- Disabled Network Level Authentication via the control panel GUI to allow RDP
- Created a shared drive
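The list above describes the changes in words but not the settings behind them. The following PowerShell audit is an added example, not part of the original evaluation write-up or any vendor's tooling: it reads the settings a defender would check to confirm whether a host still carries these evaluation-style weakenings (plaintext WDigest credentials, Defender disabled, Bypass execution policy, inbound SMB/FTP rules, RDP without NLA, non-administrative shares) and reports each one. It assumes the changes were made through the standard registry keys and cmdlets for those settings (WDigest `UseLogonCredential`, the Defender `DisableAntiSpyware` policy value, the RDP-Tcp `UserAuthentication` value); the page itself does not list the exact keys used.

```powershell
# Added example (not from the original page): audit a Windows host for the
# weakened settings listed in the evaluation environment description.
# Assumption: the changes were applied via the usual registry keys / cmdlets
# named below; the page does not state the exact keys it used.
# Run in an elevated PowerShell session on the host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent -> treated as "not set"
}

function Test-EvalHostHardening {
    $findings = @()

    # 1. WDigest: UseLogonCredential = 1 keeps plaintext credentials in LSASS memory.
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $findings += [pscustomobject]@{
        Check    = 'WDigest plaintext credential storage'
        Value    = $wdigest
        Weakened = ($wdigest -eq 1)
    }

    # 2. Defender disabled by policy (DisableAntiSpyware = 1) or real-time protection off.
    $defPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    $rtp = $null
    try { $rtp = (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled } catch {}
    $findings += [pscustomobject]@{
        Check    = 'Windows Defender disabled'
        Value    = "Policy=$defPolicy RealTime=$rtp"
        Weakened = ($defPolicy -eq 1 -or $rtp -eq $false)
    }

    # 3. Machine-wide execution policy of Bypass (or the equally permissive Unrestricted).
    $execPol = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
    $findings += [pscustomobject]@{
        Check    = 'PowerShell execution policy'
        Value    = $execPol
        Weakened = ($execPol -in 'Bypass', 'Unrestricted')
    }

    # 4. Enabled inbound firewall rules for SMB (File and Printer Sharing group) and FTP.
    $smbOpen = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
                    -Enabled True -ErrorAction SilentlyContinue).Count -gt 0
    $ftpOpen = @(Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
                 Where-Object DisplayName -like '*FTP*').Count -gt 0
    $findings += [pscustomobject]@{ Check = 'Firewall allows inbound SMB'; Value = $smbOpen; Weakened = $smbOpen }
    $findings += [pscustomobject]@{ Check = 'Firewall allows inbound FTP'; Value = $ftpOpen; Weakened = $ftpOpen }

    # 5. RDP without Network Level Authentication: UserAuthentication = 0.
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    $findings += [pscustomobject]@{
        Check    = 'RDP Network Level Authentication'
        Value    = $nla
        Weakened = ($nla -eq 0)
    }

    # 6. Non-administrative SMB shares (anything beyond the built-in C$/ADMIN$/IPC$ shares).
    $shares = @(Get-SmbShare -ErrorAction SilentlyContinue |
                Where-Object { -not $_.Special } |
                Select-Object -ExpandProperty Name)
    $findings += [pscustomobject]@{
        Check    = 'Non-administrative SMB shares'
        Value    = ($shares -join ', ')
        Weakened = ($shares.Count -gt 0)
    }

    return $findings
}

Test-EvalHostHardening | Format-Table -AutoSize
```

The conditional DNS forwarder is a domain-controller setting and is not covered here; on the DC it can be listed with `Get-DnsServerConditionalForwarderZone` from the DnsServer module. A row with `Weakened = True` means the host matches the evaluation configuration rather than a hardened baseline, which is the expected result inside a test range and a finding anywhere else.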