I’m happy to announce the alpha release of DARKSURGEON, a Windows 10 packer project to empower incident response, digital forensics, malware analysis, and network defense.
DARKSURGEON is designed to perform the following:
If you haven’t worked with packer before, this project has a simple premise:
Provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys.
Example DARKSURGEON Applications.
DARKSURGEON is based on a few key development principles:
Hardening of the host must balance the needs of productivity with risk mitigation. DARKSURGEON is pre-configured with scripts to enable either a High or Low Security mode, each tailored to a different workflow. Currently, only the Low Security mode is available for testing.
The default selection, Low Security, caters primarily to ephemeral-use virtual machines (e.g. incident response or malware analysis).
Regardless of your selection, all default installations of DARKSURGEON have the following security features:
In Low Security mode, the following hardening features are present:
Whether analyzing unknown binaries or working on sensitive projects, endpoint telemetry powers detection and response operations. DARKSURGEON comes pre-configured with the following telemetry sources available for analysis:
Your operational environment contains some of the most sensitive data from your network, and it’s important to safeguard that from prying eyes. DARKSURGEON implements the following strategies to maximize privacy without hindering workflows:
Out of the box, DARKSURGEON comes equipped with tools, scripts, and binaries to make your life as a defender easier. The following is a non-exhaustive list of the categories and tools present in the project:
Android Analysis: Tools, scripts, and binaries focused on Android analysis and reverse engineering. Examples include:
Blue Team: Tools, scripts, and binaries focused on blue team, network defense, and alerting/detection development. Examples include:
Debuggers: Tools, scripts, and binaries for debugging binary artifacts. Examples include:
Disassemblers: Tools, scripts, and binaries for disassembling binary artifacts. Examples include:
DotNet Analysis: Tools, scripts, and binaries for performing analysis of DotNet artifacts. Examples include:
Flash Analysis: Tools, scripts, and binaries for performing analysis of Flash artifacts. Examples include:
Forensic Analysis: Tools, scripts, and binaries for performing forensic analysis on application and operating system artifacts. Examples include:
Hex Editors: Hex editing software. Examples include:
Java Analysis: Tools, scripts, and binaries for performing analysis of Java artifacts. Examples include:
Network Analysis: Tools, scripts, and binaries for performing analysis of network traffic and protocols. Examples include:
PE Analysis: Tools, scripts, and binaries for performing analysis of PE artifacts. Examples include:
PowerShell Modules: Administration, productivity, and support modules for PowerShell. Examples include:
Python Libraries: Administration, productivity, and support libraries for Python. Examples include:
Red Team: Tools, scripts, and binaries focused on red team, network exploitation, and alerting/detection development. Examples include:
Remote Management: Administration, productivity, and support modules for remote management of systems and applications. Examples include:
Utilities: Administration, productivity, and support utilities. Examples include:
Visual Basic Analysis: Tools, scripts, and binaries for performing analysis of Visual Basic artifacts. Examples include:
The Mark of a Successful Build.
DARKSURGEON is built using HashiCorp's Packer. The total build time for a new instance of DARKSURGEON is around 2–3 hours.
Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMWare support are forthcoming.
powershell.exe New-DARKSURGEONISO.ps1
packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json
Need new capabilities? Add them to DARKSURGEON.json.
DARKSURGEON is designed to be modular and easy to configure. An example configuration is provided in the DARKSURGEON.json file, but you may add, remove, or tweak any of the underlying scripts.
Have a custom CA you need to add? Need to add a license file for IDA? No problem. You can throw any files you need in the configuration-files directory and they’ll be copied over to the host for you.
Want to install a custom package, or need some specific OS tweaks? No worries. Simply make a new PowerShell script (or modify an existing one) in the configuration-scripts directory and add it as a build step in the Packer JSON file.
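As an added illustration (not the project's own DARKSURGEON.json), a minimal Packer JSON template showing how a file dropped into configuration-files and a script placed in configuration-scripts are wired in as build steps. The ISO URL and checksum are placeholders, Install-CustomCA.ps1 is a hypothetical script name, the temporary destination path on the guest is an assumption, and the variables block is where the default account credentials would be changed.

```json
{
  "variables": {
    "admin_user": "darksurgeon",
    "admin_pass": "darksurgeon"
  },
  "builders": [
    {
      "name": "hyperv-iso",
      "type": "hyperv-iso",
      "iso_url": "PLACEHOLDER_WINDOWS10_ISO_URL",
      "iso_checksum": "sha256:PLACEHOLDER_SHA256",
      "communicator": "winrm",
      "winrm_username": "{{user `admin_user`}}",
      "winrm_password": "{{user `admin_pass`}}"
    }
  ],
  "provisioners": [
    {
      "type": "file",
      "source": "configuration-files/",
      "destination": "C:\\Windows\\Temp\\configuration-files"
    },
    {
      "type": "powershell",
      "elevated_user": "{{user `admin_user`}}",
      "elevated_password": "{{user `admin_pass`}}",
      "scripts": [
        "configuration-scripts/Install-CustomCA.ps1"
      ]
    }
  ],
  "post-processors": [
    {
      "type": "vagrant",
      "output": "DARKSURGEON-{{.Provider}}.box"
    }
  ]
}
```

The builder's "name" is what `packer build -only=hyperv-iso` matches against, and the file provisioner runs before the PowerShell step so the script can consume whatever was copied over.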
Vagrant up to fight bad guys.
Once DARKSURGEON has built successfully, you'll receive a Vagrant box file as output. The box file contains the virtual machine image and Vagrant metadata, allowing you to quickly spin up a virtual machine as needed.
vagrant up
Vagrant will now extract the virtual machine image from the box file, read the metadata, and create a new VM for you.
Want to kill this VM and get a new one? Easy, just perform the following:
vagrant destroy && vagrant up
Once the DARKSURGEON virtual machine is running, you can login using one of the two local accounts:
Note: These are default accounts with default credentials. You may want to consider changing the credentials in your packer build.
Administrator Account:
Username: darksurgeon
Password: darksurgeon
Local User Account:
Username: unprivileged
Password: unprivileged
If you'd rather not use Vagrant, you can either import the VM image manually or look at one of the many other post-processor options provided by Packer.
Ready to get started? Just head over to the GitHub Repository and download the project.
Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. Tools will be reviewed and added on a case-by-case basis.
This project stands on the shoulders of giants, and I cannot properly thank all of the original authors for their work, contributions, and inspiration.