DARKSURGEON has three stated goals:
- Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities.
- Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant.
- Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10.
DARKSURGEON is based on a few key development principles:
- Modularity is key. Each component of the installation and configuration process should be modular. This allows for individuals to tailor their packer image in the most flexible way.
- Builds must be atomic. A packer build should either complete all configuration and installation tasks without errors, or it should fail. A packer image with missing tools is a failure scenario.
- Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on DARKSURGEON security can be found later in this post.
- Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration.
- Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection.
DARKSURGEON is hardened out of the box and comes with scripts to enable High or Low-security modes.
All default installations of DARKSURGEON have the following security features enabled:
- Windows Secure Boot is Enabled.
- Windows Event Log Auditing is Enabled. (Palantir Windows Event Forwarding Guidance)
- Windows Powershell Auditing is Enabled. (Palantir Windows Event Forwarding Guidance)
- Windows 10 Privacy and Telemetry are Reduced to Minimal Settings. (Microsoft Guidance)
- Sysinternals Sysmon is Installed and Configured. (SwiftonSecurity Public Ruleset)
- LLMNR is Disabled.
- NBT is Disabled.
- WPAD is Removed.
- Powershell v2 is Removed.
- SMB v1 is Removed.
- Application handlers for commonly-abused file extensions are changed to notepad.exe.
Low-Security mode is primarily used for virtual machines intended for reverse engineering, malware analysis, or systems that cannot support VBS security controls.
In Low-Security mode, the following hardening features are configured:
- Windows Defender Anti-Virus Real-Time Scanning is Disabled.
- Windows Defender SmartScreen is Disabled.
- Windows Defender Credential Guard is Disabled.
- Windows Defender Exploit Guard is Disabled.
- Windows Defender Exploit Guard Attack Surface Reduction (ASR) is Disabled.
- Windows Defender Application Guard is Disabled.
- Windows Defender Application Guard does not enforce isolation.
Out of the box, DARKSURGEON comes equipped with tools, scripts, and binaries to make your life as a defender easier.
Tools, scripts, and binaries focused on android analysis and reverse engineering.
- APKTool (FLARE)
Tools, scripts, and binaries focused on blue team, network defense, and alerting/detection development.
- Bloodhound / Sharphound
- EndGame Red Team Automation (RTA)
- LOLBAS (Living Off the Land Binaries And Scripts)
- OSX Collector
- Practical Malware Analysis Labs (FLARE)
- Yara (FLARE)
Tools, scripts, and binaries for debugging binary artifacts.
- Ollydbg (FLARE)
- OllyDump (FLARE)
- OllyDumpEx (FLARE)
- Ollydbg2 (FLARE)
- OllyDump2Ex (FLARE)
- x64dbg (FLARE)
- Windbg (FLARE)
Tools, scripts, and binaries for disassembling binary artifacts.
- IDA Free Trial (FLARE)
- Binary Ninja Demo (FLARE)
- Radare2 (FLARE)
Document Analysis: Tools, scripts, and binaries for performing analysis of documents.
- OffVis (FLARE)
- OfficeMalScanner (FLARE)
- PDFId (FLARE)
- PDFParser (FLARE)
- PDFStreamDumper (FLARE)
Tools, scripts, and binaries for performing analysis of DotNet artifacts.
- DE4Dot (FLARE)
- DNSpy (FLARE)
- DotPeek (FLARE)
- ILSpy (FLARE)
Tools, scripts, and binaries for performing analysis of flash artifacts.
- FFDec (FLARE)
Tools, scripts, and binaries for performing forensic analysis on the application and operating system artifacts.
- Amcache Parser
- AppCompatCache Parser
- JumpList Explorer
- Registry Explorer
- Regshot (FLARE)
- Shellbags Explorer
- Timeline Explorer
- TSK (The Sleuthkit)
- X-Ways Forensics Installer Manager (XWFIM)
- FileInsight (FLARE)
- HxD (FLARE)
- 010 Editor (FLARE)
- JD-GUI (FLARE)
- Burp Free
- FakeNet-NG (FLARE)
- Wireshark (FLARE)
- DIE (FLARE)
- EXEInfoPE (FLARE)
- Malware Analysis Pack (MAP) (FLARE)
- PEiD (FLARE)
- ExplorerSuite (CFF Explorer) (FLARE)
- PEStudio (FLARE)
- PEview (FLARE)
- Resource Hacker (FLARE)
- VirusTotal Uploader
- Active Directory
- Azure Management
- Visual C++ for Python
- Powershell Empire
- PSAttack Build Tool
- AWS Command Line (AWSCLI)
- Remote Server Administration Tools (RSAT)
- Adobe Flash Player
- Adobe Reader
- API Monitor
- Containers (Hyper-V)
- Cyber Chef
- DotNet 3.5
- DotNet 4
- FLOSS (FLARE)
- Google Chrome
- Java JDK8
- Java JRE8
- Microsoft Edge
- Mozilla Firefox
- Mozilla Thunderbird
- Neo4j Community
- Office365 ProPlus
- Python 2.7
- Sublime Text 3
- Sysinternals Suite
- Tor Browser
- Visual C++ 2005
- Visual C++ 2008
- Visual C++ 2010
- Visual C++ 2012
- Visual C++ 2013
- Visual C++ 2015
- Visual C++ 2017
- Visual Studio Code
- Windows 10 SDK
- Windows Subsystem for Linux (WSL)
Visual Basic Analysis:
You can download DARKSURGEON iso image here.
Copyright (c) 2018 DANΞ