Carbanak+FIN7 Evaluation: Environment
The evaluations were performed in Microsoft Azure Cloud. Each vendor was provided with two identical environments consisting of eight hosts each on which to install their client software. These two environments were used for the detection-only and protection tests, respectively. The vendors also had the option of installing server software onto a virtual machine (VM) already in the environment or importing a VM if necessary. By default, the Azure VMs were Standard B4MS, each with four vCPUs and 16GB memory. Each vendor had full and complete administrative access to the hosts instantiated for them.
VPN access enabled connectivity to the environment, and passwords were shared via out-of-band methods. There was one VPN server per environment; once connected, vendors used RDP or SSH to reach the other hosts within the environment. Hosts were reachable only through the VPN. They had no public IP addresses assigned to them via Azure, but they were able to access the Internet.
The environment consisted of two organizations with separate networks and domains. The network contained domain-joined machines running Windows Server 2019, Windows 10, and CentOS 7.7. The versions are as follows:
- Windows Server 2019 1809 (SKU: "2019-Datacenter")
- Windows 10 1909 (SKU: "19h2-evd-o365pp" and "19h2-pro")
- CentOS 7.7 (SKU: "7.7")
The following modifications were made to the standard Azure images:
- WinRM is enabled for all Windows hosts
- PowerShell execution policy is set to "Bypass"
- Registry modified to allow storage of WDigest credentials
- Registry modified to disable Windows Defender
- Group Policy modified to disable Windows Defender
- Configured firewall to allow SMB
- Set UAC to never notify
- RDP enabled for all Windows hosts
- SSH enabled for all Linux hosts
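Because these modifications deliberately weaken the hosts, an operator reusing the images wants a quick way to confirm that none of them leaked into a non-evaluation build. The following PowerShell audit is an added example, not part of the evaluation page; the page does not name the registry values that were edited, so the mapping of each bullet to a standard Windows setting below is this script's assumption.

```powershell
# Added audit script (not from the evaluation page): reports whether a Windows
# host carries the lab weakenings listed above. Registry paths and values are
# the standard Windows locations for these settings (assumed, since the page
# does not state which keys were edited).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    @{ Name = 'WDigest cleartext credential storage'
       Weak = { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential') -eq 1 } },
    @{ Name = 'Windows Defender disabled by policy'
       Weak = { (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware') -eq 1 } },
    @{ Name = 'UAC set to never notify'
       Weak = { $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
                (Get-RegValue $p 'ConsentPromptBehaviorAdmin') -eq 0 -and (Get-RegValue $p 'PromptOnSecureDesktop') -eq 0 } },
    @{ Name = 'PowerShell execution policy is Bypass'
       Weak = { (Get-ExecutionPolicy -Scope LocalMachine) -eq 'Bypass' } },
    @{ Name = 'RDP enabled'
       Weak = { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 0 } },
    @{ Name = 'WinRM service running'
       Weak = { (Get-Service -Name WinRM -ErrorAction SilentlyContinue).Status -eq 'Running' } },
    @{ Name = 'SMB inbound allowed (File and Printer Sharing rules enabled)'
       Weak = { [bool](Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue) } }
)

# Evaluate every check and collect one row per setting.
$findings = foreach ($c in $checks) {
    [pscustomobject]@{ Setting = $c.Name; Weakened = [bool](& $c.Weak) }
}

$findings | Format-Table -AutoSize
if ($findings.Weakened -contains $true) {
    Write-Warning 'Host carries evaluation-style weakenings; expected only inside the test environment.'
}
```

Run it elevated on a host built from the same images; any row reporting Weakened = True outside the evaluation environment is a configuration that should be reverted.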