DFIR Lab in AWS
- Create an AWS account
- Set up MFA authentication
- Create a keypair (e.g. `lab-01`)
- Set up AWS Systems Manager Quick Setup (optional; only needed if you don't want to use RDP)
Use the `aws cloudformation` CLI command to create the stack. In this example the STS session token is stored in the `mfa` profile of our `~/.aws/credentials` file. The KeyPair name created above is `lab-01`.
- Request a session token with your MFA device:
  ```shell
  aws sts get-session-token --serial-number arn:aws:iam::XXXXXXXXXXXX:mfa/root-account-mfa-device --token-code XXXXXX
  ```
- Edit your `~/.aws/credentials` and put the returned temporary credentials in the `mfa` profile
- Create the stack (RDP is restricted to your own IP address via the `RDPLocation` parameter):
  ```shell
  aws --profile mfa cloudformation create-stack --stack-name dfir-lab-01 --parameters ParameterKey=RDPLocation,ParameterValue=YOUR_IP_ADDRESS/32 ParameterKey=KeyPair,ParameterValue=lab-01 --template-body file://dfirlab.yml
  ```
The DC can be created on the Windows Server 2019 instance which has a static IP address.
- RDP (or connect using the SSM agent) to the Windows Server 2019 instance
- Change its name to DC-01 in an elevated PowerShell:
  ```powershell
  PS C:\> Rename-Computer -NewName "DC-01" -Restart
  ```
- Add the AD DS (and DNS) role and promote the server to DC (e.g. use dfirlab.local as the domain)
- Add a domain administrator user (adm-one) using dsa.msc
- Add a standard user (user-one) and add it to the Remote Desktop Users group
- Allow users to connect using RDS via GPO
- Add "Domain Users" to the "Remote Desktop Users" local group via GPO
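The DC-01 steps above as a single elevated PowerShell script, added here as an example and not part of the original lab notes. It assumes the server has already been renamed to DC-01 and rebooted, and that it is run twice: the first run adds AD DS and promotes the server to a new dfirlab.local forest (which reboots it), the second run creates adm-one, user-one and the RDP GPO; the GPO name "Allow RDP" is my choice, and the Restricted Groups step for "Domain Users" is left to gpmc.msc as in the list above.

```powershell
# Added example: builds DC-01 as described above. Run once to promote (reboots),
# then run again after the reboot, logged on as DFIRLAB\Administrator.
$cs = Get-CimInstance Win32_ComputerSystem

if (-not $cs.PartOfDomain) {
    # --- Phase 1: AD DS (+ DNS) role and forest promotion ---
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

    # The DSRM password is prompted for, so it never sits in plain text in the
    # script or in the PowerShell history.
    $dsrm = Read-Host -Prompt "DSRM password" -AsSecureString
    Install-ADDSForest -DomainName "dfirlab.local" -DomainNetbiosName "DFIRLAB" `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
    # Install-ADDSForest restarts the server; re-run this script afterwards.
} else {
    # --- Phase 2: accounts and GPO (after the post-promotion reboot) ---
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    # Domain administrator account (adm-one), as created via dsa.msc above
    $pw = Read-Host -Prompt "Password for adm-one" -AsSecureString
    New-ADUser -Name "adm-one" -SamAccountName "adm-one" -AccountPassword $pw -Enabled $true
    Add-ADGroupMember -Identity "Domain Admins" -Members "adm-one"

    # Standard user (user-one), allowed to log on over RDP
    $pw = Read-Host -Prompt "Password for user-one" -AsSecureString
    New-ADUser -Name "user-one" -SamAccountName "user-one" -AccountPassword $pw -Enabled $true
    Add-ADGroupMember -Identity "Remote Desktop Users" -Members "user-one"

    # GPO "Allow RDP" (name is my choice) linked at the domain root. This registry
    # value is what the policy "Allow users to connect remotely by using Remote
    # Desktop Services" sets; 0 means connections are allowed.
    New-GPO -Name "Allow RDP" | New-GPLink -Target "DC=dfirlab,DC=local" | Out-Null
    Set-GPRegistryValue -Name "Allow RDP" `
        -Key "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" `
        -ValueName "fDenyTSConnections" -Type DWord -Value 0 | Out-Null

    # Adding "Domain Users" to the local "Remote Desktop Users" group is a
    # Restricted Groups setting; configure it in gpmc.msc as in the step above.
}
```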
- RDP (or connect using the SSM agent) to the Windows Server 2019 instance that will become SERVER-01
- Change its name to SERVER-01 in an elevated PowerShell:
  ```powershell
  PS C:\> Rename-Computer -NewName "SERVER-01" -Restart
  ```
- Change its DNS server to DC-01 (i.e. 10.42.0.42) in the Network Adapter / IPv4 settings
- Join the dfirlab.local domain using the domain admin account (adm-one), so that the computer account is created in AD, and restart
Your lab environment is ready 🥳