    Welcome! We are in the process of updating the documentation - please contact us with any unanswered questions.

    Defused - Expand your Detection Capabilities with Better Data.

    Defused is a SaaS deception platform that helps you easily build advanced detection and response capabilities.

    Base features in a nutshell:

    • High-Fidelity Detection: Real-time alerts on suspicious activities through sophisticated detection and decoy engagement, enabling early breach detection and immediate response to prevent real damage.
    • Broad Coverage: Deploy customizable decoys across your network to mimic critical systems and lure attackers away from valuable assets, effectively enhancing your threat detection capabilities.
    • Low Overhead: Controlled via a single cloud interface, Defused is designed for busy professionals, offering efficient decoy deployment and maintenance with minimal overhead.
    • Multiple Deploy Modes: Defused VM and Defused Cloud Decoy provide network-level capabilities; the Defused Windows Agent provides host-level capabilities.

    Why Defused?

    Defused provides a straightforward and fast way to build high-fidelity detection capabilities into almost any type of environment, whether you run IT, OT, cloud, or any other type of infrastructure. Defused offers a plug-and-play experience for augmenting your infrastructure with an active deception layer.

    In contrast to the traditional detection approach, which typically involves crunching massive amounts of logs and applying rules to detect what is bad and what is not, using an active deception layer approach moves you beyond just passively detecting and provides numerous other benefits.

    First, it amplifies your threat signal quality by alerting only from activity that tries to exploit the deceptive layer. Second, using an active approach can slow down or completely deter an attacker trying to advance through your infrastructure, directly eliminating or greatly reducing downstream breach costs. Third, the deception layer can act as a digital security twin of your environment, producing actionable risk insights about your overall security posture.

    Defused offers various capabilities that can be deployed to detect and deter attacks across the lifecycle of an attack. A capability means a specific type of active deception element used for a specific attack or tactic. Currently, Defused offers over 150 capabilities.

    Most capabilities are click-and-deploy, meaning they require little to no fine-tuning, considerations for false positives, parsing, or similar efforts. Examples of active components include decoys—false but attractive-looking targets for attackers to go after. See our capabilities section for more information on what Defused offers.

    Whether you are a one-person IT team or part of a larger SOC team, Defused provides you the means to expand your detection capabilities with Better Data.

    Account Types

    Defused offers three distinct account types, each with its own set of features and capabilities.

    You can view the capabilities offered by each account level on our pricing page.

    Get Started

    Decoys can usually be deployed into any location - like a specific network (financial, HR, manufacturing), DMZ, a lab environment, or similar.

    The Defused Windows Agent runs on Windows 10 and 11.

    Defused VM is deployed via your virtualization software, e.g. VMware vSphere, ESXi or similar. The Virtual Machine Images section lists the available Defused VM flavours.

    The other main deployment line is using the Defused Cloud Decoy to deploy on top of popular cloud services, e.g. Amazon EC2.

    Tactical and Enterprise accounts can opt to run their Defused VMs in standalone mode.

    I want to deploy capabilities into a virtual machine environment, such as an on-premise-type environment.

    Follow the Defused VM track to deploy your first decoy server.

    I want to deploy capabilities onto a cloud resource, such as AWS EC2 or similar.

    Follow the Defused Cloud Decoy track to deploy the Cloud Decoy.

    I want to add capabilities to a Windows machine.

    Follow the Defused Windows Agent track to deploy the Windows Agent.

    Defused Cloud Decoy Installation

    Installation will take you 5-10 minutes.

    No-infrastructure Install (NEW!)

    You can now deploy into the Defused Managed Decoy Network, allowing you to test Defused by deploying decoys into a network we manage. This provides the convenience of testing our tool without the necessity of provisioning any infrastructure. After a duration of 1 hour, both the decoys and the network they reside on will automatically vanish.

    Each VM/Cloud deployable capability has an option called "Deploy To Cloud", which deploys the selected capability into our managed network.

    Prerequisites

    Start with a fresh install of Ubuntu (22.04 or 20.04), Amazon Linux 2, or Amazon Linux 2023.

    More distros coming soon.

    Install the required Ansible packages. Elevate yourself to root, then update and install Ansible for your distribution:

    • Ubuntu 22.04 / 20.04:

      sudo su
      apt update && apt install -y ansible

    • Amazon Linux 2:

      sudo su
      amazon-linux-extras install ansible2 -y

    • Amazon Linux 2023:

      sudo su
      dnf install -y ansible

    Download and Run the Playbook

    This content requires an account: log in or create a free community account to view this resource and other platform features.

    AWS Autodeploy

    If you're deploying Defused into AWS, you can pass the below bash script directly into the user data field to perform the configuration automatically.

    This content requires an account: log in or create a free community account to view this resource and other platform features.

    Post-install

    The installer connects the decoy directly to the Defused Cloud. No further actions are needed - you're all set!

    The newly deployed decoy will be visible in the decoy servers list. The installer also automatically installs the selected decoy type and sets up alerting.

    Alert Testing

    This section introduces the "Live Exploit Simulation" tool, allowing you to test our alerting system by launching a safe, controlled exploit against a deployed decoy. This hands-on approach helps you understand the alert generation process and the effectiveness of the detection mechanisms in a real-life scenario.

    This content requires an account: log in or create a free community account to view this resource and other platform features.

    Firewall Rules

    Many cloud providers automatically open some standard ports and block others. To see which ports your selected decoy type uses, check the capabilities page. Then, ensure these ports are open on your cloud computing instance.

    When using the Managed Decoy Network as the deployment method, the relevant ports are whitelisted automatically.

    Defused Windows Agent Installation Guide

    Installation will take you 5-10 minutes.

    Prerequisites

    Before starting the installation process, ensure that your Windows system runs either Windows 10 or 11. An active internet connection is required for downloading additional dependencies.

    Downloading the Agent

    The Defused Windows Agent can be downloaded from the downloads page. Navigate to the page and locate the agent's installer, then click on it to start the download.

    Agent Capabilities

    The Defused Windows Agent attempts to automatically apply all available Windows Host capabilities listed under "Host Agent" on the capabilities page.

    Installation Steps

    The platform only stores information about the deployment paths and properties of honeyfiles to help you inventory & monitor them on target systems. Additionally, the system hostname is used to identify agent locations. No other data is collected.

    1. Start a command prompt window as an Administrator.
    2. Navigate to the folder you downloaded the Defused MSI installer into.
    3. Install the Defused Windows Agent by running:

    msiexec /i Defused.msi APIKEY= CONNECT="None"

    For Defused subscribers: if you have an existing Defused VM running, you can autoconnect your Windows capabilities to existing decoys by adding the "CONNECT" parameter:

    msiexec /i Defused.msi APIKEY= CONNECT="decoy-server-name-here"

    4. The installer will run and silently boot the Defused Windows Agent in the background.

    Post Installation

    Upon successful installation, a notification will appear in your Defused Cloud Management Dashboard. This notification confirms the registration of the newly installed agent.

    Defused Windows Agent Components

    agent.exe This executable is responsible for alert monitoring. Once deployed, it continually scans for alert events and forwards them to Defused Cloud Management for processing and potential incident creation.

    generator.exe This executable generates decoy configurations locally on your system. It is only run on setup and on any update events.

    clean.exe This is an uninstaller executable. Running this file will remove all deployed decoys and agents from your system, reverting it to a pre-deployment state. See the next section on how to use the uninstaller.

    Uninstalling the Agent

    The Defused installation package contains an uninstaller (clean.exe) which is triggered via the command line using the --apikey="your-api-key-here" syntax. It will remove all honey files from your system and uninstall the program.

    Troubleshooting

    If you encounter any issues during the installation or usage of the "Defused Windows Agent", refer to our troubleshooting guide or contact our support team for assistance.

    Defused VM

    Installation will take you 20-30 minutes.

    Defused VM is currently offered in the following formats:

    KVM
    Most Linux distros already have KVM kernel modules and userspace tools available through their packaging systems. This is the easiest and recommended way of using KVM. More information: https://www.linux-kvm.org/page/Downloads
    VMware
    Images for platforms like ESXi, Workstation and VMware Player are available.
    Hyper-V
    An image for Hyper-V Manager is available.

    Virtual Machine Images

    This content requires an account: log in or create a free community account to view this resource and other platform features.

    When you've downloaded your image, find your install instructions on the navigation column on the right.

    Using the Defused VM - KVM

    Prerequisites

    This link contains an additional installer script to get up and running as fast as possible.

    The local install script (aves-freemium.sh) automates a large part of the decoy installation procedure. Download it and place it into the same folder as your decoy server image:

    This content requires an account: log in or create a free community account to view this resource and other platform features.

    First, ensure you have the necessary KVM packages on the host machine.

    • In Fedora/CentOS:

      yum -y install virt-viewer virt-manager qemu-kvm bridge-utils net-tools virt-install libvirt

    • In Debian/Ubuntu:

      apt install -y virt-viewer virt-manager qemu-kvm bridge-utils net-tools virtinst libvirt-daemon-system

    • Installing the Server

      Once all necessary KVM packages are installed onto the host, copy/move the decoy server image (.qcow2) and your install script (.sh) into the following directory:

      cp aves-freemium.* /var/lib/libvirt/images/

      Now, jump into /var/lib/libvirt/images and edit the decoy server's ethernet interface according to your host machine interface:

      cd /var/lib/libvirt/images

      ip addr #your ethernet interface should start with "eth*", "eno*", "ens*", "enp*" or similar

      sudo nano aves-freemium.sh # edit ethernet interfaces here

      When editing aves-freemium.sh, change MANAGEMENT_INTERFACE and DECOY_INTERFACE according to your ethernet interface(s) (e.g. enp2s0).

      Starting the Decoy Server

      In /var/lib/libvirt/images on the host machine:

      chmod a+x aves-freemium.sh

      sudo ./aves-freemium.sh

      Your decoy server should now install and start.

      Inside the Decoy Server

      If you're using a graphical desktop, the decoy server (KVM) window should pop up automatically after executing aves-freemium.sh. If not:

      • Use virt-manager to connect to the KVM graphical desktop.
      • Use the virtual machine console for a text-based connection:

        virsh console aves-freemium

      There should be a login prompt when the server has successfully started. Log in with the default user/password combination (sign up to view the password). Remember to change this password after your first login.

      user: [decoy-server-user], password: [decoy-server-password]

      sudo su [password]

      Networking Setup

      Now, we'll set up networking inside the decoy server image.

      Run our networking script inside the decoy server image to auto-setup networking:

      sudo /opt/aves/avestool -d #this generates /opt/aves/aves.conf

      Check what IP address was set up for your decoy server:

      ip a #check the IP address of the GUI for access to it

      This is the address where you can access your decoy server's management interface. We will need to visit it soon to connect your decoy server with your cloud management. Finally, reboot the decoy server to ensure it has been configured correctly:

      sudo reboot #Restart KVM

      Your decoy server networking is now set up. It may take a couple of minutes to reboot. You can now jump into the Logging into the Local Server section.

      Defused VM - ESXi

      Prerequisites

      This guide assumes you have VMware ESXi installed.

      • Login & Create

        Log in to the ESXi host and right-click Virtual Machines, then click Create/Register VM.

      • Select Files & Storage

        Give the virtual machine a name, then click "Click to select files or drag/drop".

        Locate the *.ovf and *.vmdk files that make up your VM and select them.

        Select a datastore to store the virtual machine on, then click Next.

      • Port Group & Network Settings

        Note! These settings are required for the decoys to have proper networking.

        Right-click Networking in the VMware Host Client inventory and click Add port group from the pop-up menu.

        Enter a name for the new port group.

        Set the VLAN ID to configure VLAN handling in the port group.

        Select a virtual switch from the drop-down menu.

        Expand Security and set the following options to Accept:

        • Security -> Promiscuous mode: Accept
        • Security -> MAC address changes: Accept
        • Security -> Forged transmits: Accept

        Click Add.

        Your port group is created.

      • Power on your VM

        You can now power on your VM.

      • Starting the Decoy Server

        Now that the server is running, we'll set up networking inside the decoy server image. Log in with the default freemium credentials (sign up to view the password):

        user: [decoy-server-user], password: [decoy-server-password]

        sudo su [password]

        Run our networking script inside the decoy server image to auto-setup networking:

        /opt/aves/avestool -d

        Check what IP address was set up for your decoy server:

        ip a

        This is the address where you can access your decoy server's management interface. Before logging into the GUI, reboot the decoy server to ensure it has configured correctly:

        reboot

        Your decoy server networking is now set up. It may take a minute to reboot.

        You can now jump over to the section Logging into the Local Server.

        Defused VM - Hyper-V

        Prerequisites

        This guide assumes you have the Hyper-V Manager installed.

        Create the Decoy Server Virtual Machine

        Open Hyper-V Manager and create a new virtual machine with the following settings:

        • Specify Name and Location

          Give your virtual machine a name of your choosing (e.g. DefusedVM1).

        • Specify Generation

          Select Generation 1.

        • Assign Memory

          We suggest a minimum of 2048 MB for the VM. You can keep dynamic memory checked.

        • Connect Virtual Hard Disk

          Select “Use an existing virtual hard disk” and set it to the Defused virtual hard disk file provided to you.

        • Finish

          You can now click “Finish” and complete the install.

        Before Powering on Your Defused Server

        There are a few extra configuration steps needed before powering on the Defused Server.

        Networking – Test Setup

        For testing purposes, a simple NAT network setup will be sufficient. In the Hyper-V Manager, go to “Virtual Switch Manager” and create a new External virtual switch. Then, connect this to your network adapter of choice.

        This setup will make both the management UI and the decoys available in the same network as your host machine (i.e. the machine running your Hyper-V Manager.)

        Networking – Production Setup

        For production deployments, we highly recommend placing the decoy interface and the management interface in separate networks. For Defused customers, we offer complimentary networking help over Zoom - please consult with us for suggestions on how to set your decoys up in the safest manner.

        Boot Order

        Set “IDE” to be on the top of the boot order list.

        Connecting your Defused Server to the network

        If you did not already have a virtual network switch ready when creating the virtual machine, right-click your Defused VM on the main screen of Hyper-V Manager and click "Settings."

        Under the list of hardware, find “Network Adapter” and change the virtual switch from “not connected” to the new virtual switch created in the above step.

        Before clicking "Apply", make sure to also enable MAC address spoofing under the "Advanced Features" tab.

        Click "Apply" and your networking setup is done.

        You can now power on the VM.

        Starting the Decoy Server

        Now that the server is running, we'll set up networking inside the decoy server image. Log in with your supplied credentials:

        user: [decoy-server-user], password: [decoy-server-password]

        sudo su [password]

        Run our networking script inside the decoy server image to auto-setup networking:

        /opt/aves/avestool -d

        Check what IP address was set up for your decoy server:

        ip a

        This is the address where you can access your decoy server's management interface. Before logging into the GUI, reboot the decoy server to ensure it has configured correctly:

        reboot

        Your decoy server networking is now set up. It may take a minute to reboot.

        You can now jump over to the section Logging into the Local Server.

    Post-install Actions (Defused VM)

    Logging into the Defused VM

    From your host computer or server, log into your decoy server's management interface. Using the example IP address 192.168.100.12, the local decoy server would be accessed at https://192.168.100.12/. Remember that your GUI IP address may be different! You should be presented with a login screen.

    Log in with the default credentials (sign up to view the password).

    Linking into the Cloud

    If you don't have an API key yet, generate one in Settings under "API Access".

    Connecting the decoy server to the cloud is a quick and easy process.

    On the left hand navigation, under Server Configuration, click Cloud.

    Here, give your local decoy server a location name (like "DMZ") and set the Poll Frequency (how often the local server should check for configuration updates from the cloud).


    Now, click "Save" and then click "Poll".

    Your decoy server is now registered with the cloud management interface and transmits alert activity into the cloud. Well done! You should be able to see your newly registered decoy server in the cloud management interface under Decoy Management --> Decoy Servers.

    Defused VM - Deploying your First Decoy

    This section is undergoing an update. Please check back later, we appreciate your patience.

    Let's spin up your first decoy!

    For a trial decoy, we will use the local server deploy function. On the side navigation menu, click "Decoy" (the plus sign) and simply use one of the Quick Templates to set up a test decoy. Select one of the quick templates and give it a name - then click "Quick Deploy."


    Your decoy is now configured but not live yet. To deploy it onto the network, go to Settings, then Decoy Configuration, and click Apply Config.

    Once the apply finishes, your local decoy server is armed with its first decoy - and ready to capture attacks!

    Testing and Updating

    Testing Instructions

    You can now test your local decoys by, for example, scanning them and doing test attacks against them.

    Example: scanning my decoys

    To view how a decoy looks on your network, you can use the Nmap tool to scan the decoy. See the Nmap web pages (https://nmap.org/) for installation instructions.

    After installing Nmap, use the command

    $ nmap -sV IP_ADDR

    where IP_ADDR is the IP address of the decoy, to determine service/version information (-sV is Nmap's service/version detection flag). On the console, you should see output like the following after Nmap has been executed. Exact values depend on what services/emulations you have running on the decoy's IP address.

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 12:04 EET
    Nmap scan report for IP_ADDR
    Host is up (0.00012s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    25/tcp open  smtp    Exim smtpd 4.69
    Service Info: Host: smtp.WINNT.com

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

    Example: doing a test attack

    To test an exploit decoy, you can use the Metasploit Framework. See the Metasploit web pages for installation instructions.

    After installing the Metasploit Framework, use the following command sequence. This example is for vulnerability CVE-1999-0512: "A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers." Substitute IP_ADDR with your decoy's IP address.

    $ msfconsole
    msf5 > use auxiliary/scanner/smtp/smtp_enum
    msf5 auxiliary(scanner/smtp/smtp_enum) > set rhosts IP_ADDR
    rhosts => IP_ADDR
    msf5 auxiliary(scanner/smtp/smtp_enum) > run

    On console, you should see something like this when Metasploit runs the exploit sequence:

    [*] 172.17.0.2:25 - 172.17.0.2:25 Banner: 220-smtp.WINNT.com ESMTP Exim 4.69 #1 Thu, 26 Mar 2020 09:59:56 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
    [+] 172.17.0.2:25 - 172.17.0.2:25 Users found: , 4Dgifts, Debian-exim, Debian-snmp, EZsetup, OutOfBox, _apt, abrt, adm, admin, administrator, anon, arpwatch...
    [*] 172.17.0.2:25 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    An alert for the exploit attempt should now pop up on your local server and on the cloud server (if the cloud server is connected).

    Example: Testing a Windows Honey File

    Open a honey file, such as C:\unattend.txt, to activate the event logger.

    Defused continuously scans the event logger, forwarding pertinent events to the Defused cloud dashboard as alerts.

    Note: Event detection latency for honey files may extend up to 1 minute. This is because the monitoring agent prioritizes lightweight operation and checks for new events at specific time intervals.

    Updating a Connected Server

    Updating a cloud-connected decoy server is incredibly easy.

    If updating from the local server, simply go to settings and under 'Decoy Configuration', click the 'Update Decoys' or 'Update GUI' button.

    Note: the update may take a couple of minutes to complete.

    Once the package install completes, the new decoy definitions in the update are ready for use.

    If updating from the cloud, go to Decoy Servers and flag the "Update Decoy Engine" action on the server(s) you wish to be updated. The update will commence on the next poll cycle.

    Updating a Standalone Server

    Updating a standalone server (for example, a server placed into a network without internet connectivity) is also relatively straightforward.

    Per the delivery mechanism chosen, you will receive a new decoy package file from us.

    First, use a method of choice to transfer the new decoy package file onto the decoy server host. For example, using scp as the transfer method:

    scp /path/to/image/file.tgz user@address:/opt/aves/images

    Now that the new decoy package file is on the local decoy server, go to Decoy Packages and select the active "default" package.

    Under the package information screen, click 'Refresh' and you should see the new decoy package file under the header 'List of installable image packages'.

    Click on the link to the new decoy package file and you should be presented with an overview of the new decoy package contents.

    Then, simply click on "Install Package to Server" which will install the new decoy package onto the server.

    Note! This may take a minute to complete.

    Once the package install completes, the new decoy definitions in the package file are ready for use.

    Decoys

    Deploy How-To

    If you followed the documentation on your first deployment, you'll already be aware that you can deploy decoys both from the local Decoy Server as well as from the Capabilities page (if the local Decoy Server is connected to Defused Cloud.)

    Detection Logic

    The detection logic of decoys matches incoming attack traffic with the appropriate label best suited to gauge its severity.

    Detection events are mapped on the decoy side to match the best hit within the decoy detection parameters. Alerts like 'Vulnerability Exploited' and 'Service Scan' can be generally considered to be highly accurate.

    If a decoy has a vulnerability emulator enabled, traffic that does not exploit the vulnerability fully but is still recognized by the decoy is generally labelled as 'Possible exploit attempt.' Note that this is not a direct guarantee that the traffic was aiming to exploit, as sometimes e.g. a network scanner may trigger this in a vulnerability emulation.

    Dynamic Sandbox

    The Dynamic Sandbox creates a post-exploit sandbox environment into which an attacker can be dropped for further analysis of their actions.

    The sandbox environments monitor and record attacker actions in real time, and also collect any files dropped by the attacker into the shell environment.

    Not all decoy types currently contain sandbox environments - the Sandbox label denotes decoys with embedded sandbox environments when deploying via Capabilities.

    Functionalities

    Cloud Integration

    The cloud enables management of the local decoy servers without having to actively log into the local servers.

    Currently, you can remotely manage the following actions from the cloud:

    • Alert Aggregation (collect all alerts from all servers into the cloud)
    • New decoy deployment
    • Decoy deletion from local environments
    • Updating decoy definitions
    • Updating the GUI (coming on the next update)

    The local server uses your API key to communicate into the cloud. If you haven't already, generate yourself a key in Settings. Note that the key is only visible to you when generating it, so remember to store it somewhere, e.g. a password manager or a similar solution.

    When the Cloud Integration is enabled, the local server checks the cloud for new actions to be done at the interval set by the Poll Interval variable on the local server. It is recommended to set the poll interval to a fairly low number, e.g. 120 seconds.

    Capabilities

    The Capabilities page in Defused Cloud contains ready-made templates for quickly deploying new decoy types into your local environments. A prerequisite for using Capabilities is enabling the Cloud Integration.

    The Capabilities page contains both individual decoy templates that can be selected for deployment one by one and, as a developing functionality, Decoy Bundles which deploy multiple decoy types to cover a specific capability set on the network.

    Teams

    Adding team members to the Defused platform enhances collaboration by enabling users to share incidents, manage them, and communicate via the incident view.

    To begin the process, go to the Settings tab on your dashboard.

    Inside Settings, click on the Team submenu.

    Creating a Team

    If you are not in a team yet and wish to create one, you can create a team by clicking the "Create Team" button. This will create a team for you and make you the administrator of the team.

    Adding Members

    Here you can add new team members by entering their email addresses. If the email is not found on the platform, an invitation is sent to them to sign up, and on signup the user is automatically added to your team.

    Only team admins can add and remove team members.

    Sharing Incidents

    Team members can share incidents with one another. This is useful for coordinating responses to issues.

    Once team members are added, they can manage incidents and communicate with each other directly in the incident view.

    Automation

    Automation helps you discover and automate how to structure your decoy operations, for example by highlighting and automatically deploying relevant new decoy types to your decoy servers.

    Automation is a beta feature and available only for Defused Enterprise Accounts.

    Credits

    Upcoming feature - full documentation coming soon.

    Incidents & Alerts

    Alerts

    Alerts are generated when a decoy is attacked. Each alert is contextually labelled with useful details like CVE numbers denoting which attack vector was used, MITRE ATT&CK tactics, the attacker source IP and, where applicable, further information like a raw representation of the network data. Ultimately, this is designed to make it easier for the defender to make decisions on the alerts.

    Defused has two ways to show you these alerts: 'Verbose' and 'Condensed.' In 'Verbose,' you see a detailed list of every single alert. In 'Condensed,' alerts from the same attacker and close in time are grouped together for quick review.
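The condensed grouping and the label-based review order described here, as an added Python example that is not part of the Defused platform's own code: it groups alerts by attacker source IP and time gap, and orders the groups by the label fidelity noted in the Detection Logic section ('Vulnerability Exploited' and 'Service Scan' are highly accurate, 'Possible exploit attempt' may be tripped by a scanner). The Alert fields, the 5-minute gap, the numeric label ranking and the sample alerts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Triage weight per alert label. The label names are the ones the documentation
# uses; the numeric ordering is this example's assumption, following the note
# that 'Vulnerability Exploited' and 'Service Scan' are highly accurate while
# 'Possible exploit attempt' can also be triggered by a network scanner.
LABEL_PRIORITY: Dict[str, int] = {
    "Vulnerability Exploited": 3,
    "Service Scan": 2,
    "Possible exploit attempt": 1,
}


@dataclass
class Alert:
    """One verbose alert as the dashboard would list it (field set assumed)."""
    ts: datetime
    src_ip: str                    # attacker source IP
    label: str                     # detection label assigned by the decoy
    cve: Optional[str] = None      # CVE number, when the decoy emulates one
    tactic: Optional[str] = None   # MITRE ATT&CK tactic, if the decoy set one


@dataclass
class CondensedGroup:
    """Alerts from one source IP that are close together in time."""
    src_ip: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return self.alerts[0].ts

    @property
    def end(self) -> datetime:
        return self.alerts[-1].ts

    @property
    def top_label(self) -> str:
        # The highest-fidelity label in the group decides its review order.
        return max((a.label for a in self.alerts),
                   key=lambda lbl: LABEL_PRIORITY.get(lbl, 0))

    @property
    def cves(self) -> List[str]:
        return sorted({a.cve for a in self.alerts if a.cve})


def condense(alerts: List[Alert], gap_seconds: int = 300) -> List[CondensedGroup]:
    """Build the 'Condensed' view: alerts are sorted by time, and an alert joins
    the open group for its source IP unless more than gap_seconds have passed
    since that group's last alert, in which case a new group starts. Groups are
    returned highest-fidelity label first, then oldest first. The 5-minute
    default gap is an assumption, not a documented platform value."""
    gap = timedelta(seconds=gap_seconds)
    groups: List[CondensedGroup] = []
    open_group: Dict[str, CondensedGroup] = {}  # src_ip -> group accepting alerts
    for a in sorted(alerts, key=lambda a: a.ts):
        g = open_group.get(a.src_ip)
        if g is None or a.ts - g.end > gap:
            g = CondensedGroup(a.src_ip)
            groups.append(g)
            open_group[a.src_ip] = g
        g.alerts.append(a)
    return sorted(groups,
                  key=lambda g: (-LABEL_PRIORITY.get(g.top_label, 0), g.start))


def describe(groups: List[CondensedGroup]) -> List[str]:
    """One review line per group, in triage order."""
    return [
        f"{g.top_label:<25} {g.src_ip:<10} {len(g.alerts)} alert(s) "
        f"{g.start:%H:%M:%S}-{g.end:%H:%M:%S} CVEs: {', '.join(g.cves) or '-'}"
        for g in groups
    ]


# Constructed sample alerts against the SMTP decoy from the Metasploit example:
# timestamps, attacker IPs and tactics are made up for this demonstration.
SAMPLE_ALERTS = [
    Alert(datetime(2020, 3, 26, 9, 59, 0), "10.0.0.5", "Service Scan", tactic="Discovery"),
    Alert(datetime(2020, 3, 26, 9, 59, 56), "10.0.0.5", "Vulnerability Exploited",
          cve="CVE-1999-0512", tactic="Initial Access"),
    Alert(datetime(2020, 3, 26, 10, 0, 30), "10.0.0.9", "Possible exploit attempt"),
    Alert(datetime(2020, 3, 26, 10, 30, 0), "10.0.0.5", "Service Scan", tactic="Discovery"),
]


if __name__ == "__main__":
    # Expected: the 09:59 scan+exploit pair from 10.0.0.5 first, then the
    # 10:30 scan from the same IP as a separate group, then 10.0.0.9's
    # lower-fidelity 'Possible exploit attempt'.
    for line in describe(condense(SAMPLE_ALERTS)):
        print(line)
```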

    Incident View

    You can group many alerts into one Incident. This lets you see related alerts together. You can also easily share this Incident with teammates using a special link.

    If sandbox events occur, 'Incident Mode' activates automatically. This groups related alerts for you, no extra steps needed.

    Alert Integrations

    Defused subscription users have full access to the alert integrations capability. You can set up alert forwarding into external tooling, e.g. email, SIEM, ticketing, etc. via the integrations tab on the side navigation.

    Email integrations can also be set up to forward to multiple parties in your organization, so that each member of your team receives an alert summary of any attack activity in their inbox.

    Forensics files

    Decoys with the shell emulator enabled can collect files transferred into them by the attacker. The files become available for download for the user in the incident view tab. Files also persist on the decoy server in case the attacker attempts to delete the artifacts on the machine.

    FAQ

    A Capabilities template is disabled and says "Available after decoy engine update."

    The Decoy Server VM you're trying to deploy into doesn't have a new enough decoy engine. You can update the engine in the local server by setting the "Update Decoy Engine" action to trigger on the next update cycle.


    The top navigation bar says I have "unapplied decoys."

    In Defused Cloud, if you use Capabilities to deploy a decoy type into a location (or a Decoy Bundle), you need to set the "Send new decoys" action onto the server you have deployed the decoys into.

    In Defused Standalone, if you use the "New Decoy" menu to deploy decoys, you need to run "Apply Config" under Settings whenever you have created new decoy configurations.

