@jessefmoore
Last active February 17, 2023 19:39
AWSTemplateFormatVersion: 2010-09-09
# Windows CF template. This works in us-west-2 (Oregon).
# dfir-jesseee modified for workshop on Atomic Red Team and Detection
# UserData: install the Atomic Red Team repo and atomics, and the execution framework
#
# You will need to create a key pair in the Console, and
# it will ask for the name when you deploy the CF.
# WorkstationIp is a bare IPv4 address; the security group appends /32 to it.
# If you want it open to the world, change that CidrIp to 0.0.0.0/0.
# Changed AMI to ami-043a10657355653f6 (2019 Base container AMI)
Parameters:
  InstanceTypeParameter:
    Type: String
    Default: t3.small
    Description: Enter instance size. Default is t3.small.
  WorkstationIp:
    Type: String
    Default: #PUTYOURPUBLICIPHERE##############
    Description: The IP address of the workstation that can RDP into the instance.
  AMI:
    Type: String
    Default: ami-043a10657355653f6
    Description: The Windows AMI to use.
  Key:
    Type: String
    Default: #PUTYOURKEYHERE########################
    Description: The key pair used to access the instance.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: Windows Target VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-west-2a
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: true
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    # A route that targets an internet gateway must wait for the gateway to be attached to the VPC,
    # so the dependency is on the attachment, not on the gateway itself.
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Windows Target Group"
      GroupDescription: "Allow RDP from a personal workstation"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # RDP only from the single workstation address given in WorkstationIp
        - IpProtocol: tcp
          FromPort: '3389'
          ToPort: '3389'
          CidrIp: !Sub ${WorkstationIp}/32
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  ElasticIP01:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref Windows01
  Windows01:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref AMI
      InstanceType: !Ref InstanceTypeParameter
      KeyName: !Ref Key
      SubnetId: !Ref SubnetA
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 250
      UserData:
        Fn::Base64: !Sub |
          <powershell>
          Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
          Set-ExecutionPolicy Bypass -Force -ErrorAction Ignore
          # Defender exclusion for the atomics folder so the workshop payloads are not quarantined on install
          Add-MpPreference -ExclusionPath C:\AtomicRedTeam\
          Install-Module powershell-yaml -Force -ErrorAction Ignore
          # Download the installer once; it defines Install-AtomicRedTeam for both calls below
          IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
          # Execution framework first, then the atomics (test definitions) themselves
          Install-AtomicRedTeam -Force -ErrorAction Ignore
          Install-AtomicRedTeam -getAtomics -Force -ErrorAction Ignore
          # Auto-load the module in the Administrator profile. Out-File does not create the
          # WindowsPowerShell folder, so create it first or the profile write fails.
          $profileDir = "C:\Users\Administrator\Documents\WindowsPowerShell"
          New-Item -ItemType Directory -Path $profileDir -Force | Out-Null
          $string = 'Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force; $PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\AtomicRedTeam\atomics\"}'
          $string | Out-File -FilePath "$profileDir\Microsoft.PowerShell_profile.ps1" -Append
          </powershell>
      Tags:
        - Key: Name
          Value: Windows Server 01
Outputs:
  PublicIp01:
    Value: !GetAtt Windows01.PublicIp
    Description: Server 01 PublicIp Address
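The header comments describe the deployment steps (create a key pair, supply its name and your workstation IP, deploy). The script below is an added example, not part of the gist, that performs them with the AWS CLI. Because the template appends a prefix length to WorkstationIp inside the security group, the parameter has to be a bare IPv4 address, and the script refuses anything else before it touches AWS. The stack name art-lab, the template file name windows-art.yaml and the sample address 203.0.113.7 are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the gist): deploy the template above with the AWS CLI.
# Assumed names: stack "art-lab", template saved as "windows-art.yaml", region us-west-2.
set -euo pipefail

# The template appends a prefix length to WorkstationIp inside the security group,
# so the parameter must be a bare IPv4 address with no "/" suffix.
is_bare_ipv4() {
  local ip="$1" octet
  [[ "$ip" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so an octet like "08" is not read as an octal literal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# Print the deploy command for review; returns 1 on a bad WorkstationIp.
build_deploy_cmd() {
  local stack="$1" template="$2" key="$3" ip="$4"
  if ! is_bare_ipv4 "$ip"; then
    echo "WorkstationIp must be a bare IPv4 address, got: $ip" >&2
    return 1
  fi
  printf 'aws cloudformation deploy --region us-west-2 --stack-name %q --template-file %q --parameter-overrides Key=%q WorkstationIp=%q\n' \
    "$stack" "$template" "$key" "$ip"
}

# Create the key pair, deploy the stack, and read the PublicIp01 output back.
deploy() {
  local stack="$1" template="$2" key="$3" ip="$4" cmd
  cmd="$(build_deploy_cmd "$stack" "$template" "$key" "$ip")"
  # The private key is needed later to decrypt the Administrator password for RDP
  aws ec2 create-key-pair --region us-west-2 --key-name "$key" \
    --query KeyMaterial --output text > "$key.pem"
  chmod 600 "$key.pem"
  eval "$cmd"
  aws cloudformation describe-stacks --region us-west-2 --stack-name "$stack" \
    --query "Stacks[0].Outputs[?OutputKey=='PublicIp01'].OutputValue" --output text
}

# Usage: ./deploy-art.sh --deploy art-lab windows-art.yaml art-lab-key 203.0.113.7
if [[ "${1:-}" == "--deploy" ]]; then
  deploy "$2" "$3" "$4" "$5"
fi
```

Run without --deploy the script only defines the functions, so build_deploy_cmd can be called on its own to see the exact command before anything is created.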