Autoscaling Windows EC2 does not launch agent #2013
Comments
|
hello, we don't have AWS setup so that is community driven support, but if you run normal win10 there, follow steps in docs should works, the rdp is maybe bcz of not loggined user? you need to take snapshot of running VM |
|
Hello, I can close this since I figured it out and it works fine now. Just gotta focus on configuration and getting some other issues sorted. |
|
btw did you see this #1982? i have to port that to our docs, but that might help you |
|
I saw but did not follow/try. I will do so and see if there are any odd issues with the latest version. |
|
that is not the issue, that is your own preference, we can't monitor and test each version release |
About accounts on capesandbox.com
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
Expected Behavior
AWS Autoscaling to automatically spin up an EC2 and auto-run the agent in the guest.
Current Behavior
AWS Autoscaling spins up the EC2 guests, however, it does not launch the agent.pyw. Following the instructions here: https://capev2.readthedocs.io/en/latest/installation/guest/agent.html
For windows 10 machines, the agent only runs when you RDP into the box. So the analysis only works when you manually RDP into the instance, instead of it launching on boot. This means you have to manually RDP all the time for an analysis to work.
I've changed the scheduler to run on boot, but it did not work. I'll try more things later.
Steps to Reproduce
Configure
aws.confto have the correct info. Leaving outmachines =blank.autoscale = yes,image_id = ami-xxxxx,instance-type = tx-xxxx, and also the rest like the subnet and the SG.Tags have to have something at least. Just do
tags = cuckooin addition toarch = x64Comment out the
[machine_name]and the rest of the config.Make sure the AWS creds are also loaded at the top of the config, and in addition in
~/.aws/credentialsfor botocore issues to be resolved.Make sure in
cuckoo.confthatmachinery_screenshots = offis set to off, since there was an issue ofNotImplementedErrorMake sure you fill out any IPs in the config with the private IPs of the EC2s, such as the result server.
Setup the guest instance by disabling all necessary securities
Deploy the agent.pyw and rename it to something else. Place it in a random location
Follow the instructions above from the docs on using the Scheduler to launch the agent.
Reboot, notice by following the instructions, it does not launch the agent. You have to launch it with the following: Script:
"C:\Users\Administrator\AppData\Local\Programs\Python\Python311-32\pythonw.exe"-> In argumentsC:\Location\agent.pywRun
poetry run python3 cuckoo.pyin the CAPEv2 hostWait for it to select a new EC2 to run this on and notice that it hangs
Copy the IP of the new instance (since you made it from the same AMI, the password for the RDP will be the same)
RDP in, it will now start the analysis
Test out if the agent is launched by curling it from the CAPEv2 host
curl private.ip.of.ec2:8000I think what's going on here is that, whenever a new instance is created from this AMI, it does not "login" to the machine to run the analysis when CAPE selects it for the analysis to run. There's no password or username config in
aws.confto perhaps run it that way. Once I RDP in manually, the mouse even moves on its own as well, so there's that control happening, which is successful. But it doesn't create that initial authentication whenever a new EC2 is spun up from the created guest AMI, then it hangs until timeout. Unless you RDP in, which starts the agent.pyw via scheduler.Context
Basic AWS Windows and Ubuntu 22.04 LTS
commit 2b9b122110856a9e5703c6b94757597f41a6d8bdThe text was updated successfully, but these errors were encountered: