Vagrant up – Malware Lab Build on VMware Fusion

Vagrant up – Cheat sheet

Vagrant and Packer are very useful tools for building lab environments quickly, but they can become a pain: there are a lot of quirks, and you can end up wasting a whole day trying to get a basic VM up and running. These are my notes for repeating the process on new workstations.


My lab

  • MacBook Pro
    • MacBook Pro (13-inch, 2019), Four Thunderbolt 3 ports
    • 2.4 GHz Quad-Core Intel Core i5
    • 8 GB 2133 MHz LPDDR
    • 250.69 GB (250,685,575,168 bytes) APPLE SSD AP0256M
  • VMware Fusion
  • VMware Desktop Vagrant Plugin (costs $79 USD)
  • Samsung Portable T5 SSD
    • I store my VMs on the external drive, as I use the internal one for documents, etc.


touch ~/.bash_profile; open ~/.bash_profile   # shell profile for persistent environment variables (e.g. the VAGRANT_* exports used later)
  • Install the Vagrant VMware Utility first; the vagrant-vmware-desktop plugin needs it to talk to Fusion.
  • Download the VMware Vagrant license as per the email you received after purchase.
  • Install the plugin and the license, then confirm the plugin is listed;
    • vagrant plugin install vagrant-vmware-desktop
    • vagrant plugin update vagrant-vmware-desktop
    • vagrant plugin license vagrant-vmware-desktop /Users/rock/Desktop/license.lic
    • vagrant plugin list

DetectionLab install on VMware Fusion

You may need to adjust the memory allocation to fit your physical memory limits by editing the provider settings in the Vagrantfile. The DetectionLab defaults below add up to 11 GB, more than an 8 GB host has, so either lower them or bring the VMs up one at a time.

## adjust Vagrantfile;
v.memory (vmware) or
vb.customize ["modifyvm", :id, "--memory"] (virtualbox) in the Vagrantfile

      # defaults, one per host's vmware_desktop provider block
      v.vmx["displayname"] = "logger"
      v.memory = 4096
      v.vmx["displayname"] = "dc.windomain.local"
      v.memory = 3072
      v.vmx["displayname"] = "wef.windomain.local"
      v.memory = 2048
      v.vmx["displayname"] = "win10.windomain.local"
      v.memory = 2048

## Deployment

cd /Volumes/VM/vmware/DetectionLab/Vagrant
git clone
export VAGRANT_HOME=/Volumes/VM/vmware/vagrant
export VAGRANT_DEFAULT_PROVIDER=vmware_desktop
vagrant up --provider=vmware_desktop
vagrant up win10 --provider=vmware_desktop   # (I had to run each of the VMs on its own, starting from the DC.)
.\   # (needs to be run inside the Win10 VM.)
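Bringing the hosts up one at a time, as the notes above do by hand, is worth scripting so that a failed DC does not get followed by WEF and Win10 attempting a domain join against nothing. The following is an added example and not DetectionLab's or Vagrant's own code: it starts the hosts in dependency order and checks each one's state through `vagrant status --machine-readable` before moving on. Host names match DetectionLab's Vagrantfile; the VAGRANT_HOME path is this lab's external SSD and is an assumption.

```python
"""Added example (not DetectionLab's or Vagrant's own code): bring the
DetectionLab hosts up one at a time on VMware Fusion, in dependency order,
and stop at the first host that does not reach the "running" state instead of
letting wef and win10 try to join a domain controller that never came up."""
import os
import subprocess
from typing import Callable, Dict, List

# logger is standalone; dc must be up before wef and win10 join windomain.local
HOSTS = ["logger", "dc", "wef", "win10"]
PROVIDER = "vmware_desktop"
VAGRANT_HOME = "/Volumes/VM/vmware/vagrant"  # assumption: boxes live on the external SSD


def parse_status(output: str) -> Dict[str, str]:
    """Map machine name -> state from `vagrant status --machine-readable`.

    Rows look like "timestamp,target,type,data"; only rows whose type is exactly
    "state" are used (Vagrant also emits state-human-short/long and metadata rows).
    """
    states: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 4 and parts[2] == "state":
            states[parts[1]] = parts[3]
    return states


def vagrant(*args: str) -> str:
    """Run a vagrant command with the lab's environment and return its stdout."""
    env = dict(os.environ, VAGRANT_HOME=VAGRANT_HOME, VAGRANT_DEFAULT_PROVIDER=PROVIDER)
    proc = subprocess.run(["vagrant", *args], capture_output=True, text=True, env=env, check=False)
    return proc.stdout


def bring_up(hosts: List[str], run: Callable[..., str] = vagrant) -> List[str]:
    """Start hosts in order; return those that reached "running".

    `run` is injectable so the sequencing logic can be exercised without Vagrant.
    """
    started: List[str] = []
    for host in hosts:
        run("up", host, f"--provider={PROVIDER}")
        state = parse_status(run("status", host, "--machine-readable")).get(host, "unknown")
        if state != "running":
            print(f"{host} is '{state}'; stopping here so later hosts do not provision against it")
            break
        started.append(host)
    return started


if __name__ == "__main__":
    print("running:", bring_up(HOSTS))
```

Run it from the DetectionLab/Vagrant directory. If a host stops short of "running", fix that host (usually memory, or a provisioner that needs `vagrant reload <host> --provision`) and re-run; hosts already running are left alone by `vagrant up`.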

Install Kali via Vagrant

# Make a folder and inside that folder type
vagrant init kalilinux/rolling
vagrant up
vagrant halt
vagrant version
# open the VM and log in with vagrant/vagrant
# (that is the box's default password; change it before putting the VM on a bridged network)
# run updates as per my other kali blog.

Executing a PowerShell script

# PowerShell script in the local folder ./scripts (relative to the Vagrantfile)
Vagrant.configure("2") do |config|
  config.vm.provision "shell", path: "scripts/PowershellScript.ps1"
end

# Remote PowerShell scripts: path may be a URL, but the script must have a .sh or .ps1 extension
Vagrant.configure("2") do |config|
  config.vm.provision "shell", path: ""
end

# Inline script
Vagrant.configure("2") do |config|
  config.vm.provision "shell",
    inline: "/bin/sh /path/to/the/script/already/on/the/"
end

# Inline PowerShell, one provisioner per command. The first downloads and runs a
# remote script with iex, so pin the URL to a specific commit or verify a hash
# rather than trusting whatever the URL serves on the day you provision.
Vagrant.configure("2") do |config|
  config.vm.provision "shell",
    inline: "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString(''))"
  config.vm.provision "shell",
    inline: "Set-TimeZone 'Eastern Standard Time'"
end

# Vagrant logs this as: Running: Restart-WUService.ps1 as c:\tmp\vagrant-shell.ps1
Vagrant.configure("2") do |config|
  config.vm.define "test" do |test|
    test.vm.box = "eratiner/w2016x64vmX"
    test.vm.network "private_network", ip: ""
    test.vm.hostname = "test"
    # privileged and powershell_elevated_interactive are booleans, not strings
    test.vm.provision "shell", privileged: true, powershell_elevated_interactive: true, path: "Restart-WUService.ps1"
  end
end

Vagrant.configure("2") do |config|
  config.vm.box = "StefanScherer/windows_2019"
  config.vm.provision "shell" do |shell|
    shell.path = "headless_dsc.ps1"
    shell.privileged = true
  end
end
Auto Windows 10

Vagrant.configure("2") do |config|

  # Enable provisioning with a shell script. Additional provisioners such as
  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  #   apt-get update
  #   apt-get install -y apache2
  # SHELL

  config.vm.define "win10" do |cfg|
    cfg.vm.box = "detectionlab/win10"   # "bento" also appeared on this line in the notes; which box setting it belonged to is not recoverable
    cfg.vm.hostname = "Autowin10"
    cfg.vm.boot_timeout = 1200
    cfg.vm.communicator = "winrm"
    cfg.winrm.basic_auth_only = true    # basic auth over plain WinRM: fine on a host-only network, not on a bridged one
    cfg.winrm.timeout = 1200
    cfg.winrm.retry_limit = 20
    cfg.vm.network :private_network, ip: "", gateway: "", dns: ""   # the addresses did not survive in these notes

    cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip -dns -gateway"
    cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
    cfg.vm.provision "reload"   # needs the vagrant-reload plugin
    cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false   # second pass after the reboot
    cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
    # clears every event log except Microsoft-Windows-LiveId so the lab starts from an empty baseline
    cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
    cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-velociraptor.ps1", privileged: false
    cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
    # show the Windows licence state (evaluation boxes expire)
    cfg.vm.provision "shell", inline: 'cscript c:\windows\system32\slmgr.vbs /dlv', privileged: false

    cfg.vm.provider "vmware_desktop" do |v, override|
      v.vmx["displayname"] = "win10.windomain.local"
      v.vmx["gui.fullscreenatpoweron"] = "FALSE"
      v.vmx["gui.viewModeAtPowerOn"] = "windowed"
      v.memory = 1024
      v.cpus = 1
      v.gui = true
      v.enable_vmrun_ip_lookup = false
    end
  end
end

AWS DetectionLab Build Process

# Create IAM User Account
aws iam create-user \
    --user-name 'cli_first_user'
{
    "User": {
        "Path": "/",
        "UserName": "cli_first_user",
        "UserId": "AIDAS3CARBCBUS63MIFZT",
        "Arn": "arn:aws:iam::195556345987:user/cli_first_user",
        "CreateDate": "2019-08-18T09:14:38Z"
    }
}

# Create Policy (from a policy document in a file)
git clone
aws iam create-policy --policy-name my-policy --policy-document file://5eae6a83e6484bb2c01fa5e9cc6e8c9d

# Inline Create Policy. The Action list did not survive in these notes; with
# "Resource": "*" and "Effect": "Allow" the statement is as broad as whatever
# actions go in it, so scope both before creating the policy.
aws iam create-policy \
    --policy-name AmazonEKSClusterAutoscalerPolicy \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }'

# Attaching Policy to IAM User (an AWS managed policy; it grants read access to every bucket in the account)
aws iam attach-user-policy \
    --user-name 'cli_first_user' \
    --policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'

# Create group using AWS CLI
aws iam create-group \
    --group-name 'HR'
{
    "Group": {
        "Path": "/",
        "GroupName": "HR",
        "GroupId": "AGPAS3CARBCB7H4NRBUHW",
        "Arn": "arn:aws:iam::195556345987:group/HR",
        "CreateDate": "2019-08-18T09:34:55Z"
    }
}

# Adding user to a group using AWS CLI
aws iam add-user-to-group \
    --group-name 'HR' \
    --user-name 'cli_second_user'

# Get user details
aws iam get-user \
    --user-name 'cli_first_user'

aws iam list-users
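The inline policy above allows on `"Resource": "*"`, and the attach step hands the user an AWS managed policy that reads every bucket in the account. Before running `aws iam create-policy` it is worth generating the document from an explicit action and resource list and refusing anything wider. The following is an added example, not from the page, AWS or DetectionLab: it builds a scoped policy document, lints it for wildcard actions and for Allow-on-everything statements that go beyond read-only calls, and only then prints the create-policy command. The bucket and policy names are constructed for illustration.

```python
"""Added example, not from the page, AWS or DetectionLab: build an IAM policy
document for a lab user and refuse to emit the create-policy command when it
grants wildcard actions, or an Allow on Resource "*" for anything beyond
read-only calls. Bucket and policy names are constructed."""
import json
import shlex
from typing import Dict, List, Union

# verbs that are safe to allow on "*" because they only read (the only
# actions for which IAM genuinely needs an unscoped resource)
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def policy_document(actions: List[str], resources: List[str], sid: str = "LabAccess") -> Dict:
    """A single-statement Allow policy scoped to explicit actions and resource ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}
        ],
    }


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    # IAM accepts either a string or a list for Action and Resource
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(doc: Dict) -> List[str]:
    """Return findings for Allow statements broader than a lab user needs."""
    findings: List[str] = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {i}: wildcard action(s) {wild}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"statement {i}: Allow on Resource '*' with non-read-only actions")
    return findings


def create_policy_command(name: str, doc: Dict) -> str:
    """The `aws iam create-policy` invocation, or ValueError if the lint fails."""
    problems = lint_policy(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        "aws iam create-policy --policy-name "
        + shlex.quote(name)
        + " --policy-document "
        + shlex.quote(json.dumps(doc))
    )


if __name__ == "__main__":
    # constructed: read-only access to one lab bucket instead of AmazonS3ReadOnlyAccess on every bucket
    bucket = "arn:aws:s3:::detectionlab-artifacts"
    doc = policy_document(["s3:GetObject", "s3:ListBucket"], [bucket, bucket + "/*"])
    print(create_policy_command("lab-s3-readonly", doc))
```

The read-only exemption exists because actions such as `ec2:DescribeInstances` have no resource-level granularity and must be allowed on `"*"`; anything that writes should name its ARN.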

Deployment Step-by-Step

git clone

# Install Terraform
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
brew upgrade hashicorp/tap/terraform
terraform -install-autocomplete

# Verify that terraform is installed
terraform --version

# Configure AWS keys for Terraform to use (~/.aws/credentials); keep --profile on the second command, or the region lands in the default profile
aws configure --profile terraform
aws configure set region us-west-1 --profile terraform

# Generate an SSH key to authenticate to Logger with
ssh-keygen -b 2048 -f ~/.ssh/id_logger
# prints the new key's fingerprint, e.g. SHA256:v6ilK83pgxjJYA3Q6KR06y9lGdXEmiixjk6THa4mfqo

# Go to the Terraform directory in the DetectionLab folder
cd /Users/rock/Desktop/DetectionLab/AWS/Terraform

# Copy terraform.tfvars.example to terraform.tfvars
cp terraform.tfvars.example terraform.tfvars

# Edit terraform.tfvars
nano terraform.tfvars
region = "us-west-1"
profile = "terraform"
shared_credentials_file = "/Users/rock/.aws/credentials"
public_key_name = "id_logger"
public_key_path = "/Users/rock/.ssh/id_logger.pub"   // the .pub file written by ssh-keygen above, not the .ssh directory
private_key_path = "/Users/rock/.ssh/id_logger"
ip_whitelist = [""]                                  // your public address(es) in CIDR form (a /32); this is what the security groups admit, never 0.0.0.0/0
availability_zone = "us-west-1b"
// instance_name_prefix = "some_prefix_"
// custom-tags = {"tag_name": "tag_value"}

# Create Default VPC (the subnet's AZ must match availability_zone above)
aws ec2 create-default-vpc
aws ec2 create-default-subnet --availability-zone us-west-1b
aws ec2 describe-vpcs
aws ec2 describe-subnets

# Deployment
terraform init
terraform fmt
terraform validate
terraform apply
terraform state list
terraform show
terraform output
terraform destroy -auto-approve   # tear the lab down when finished; -f is not a terraform flag
# If a host's provisioning fails in the Vagrant build, re-run it with:
vagrant reload <hostname> --provision
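The tfvars values above are the part of this procedure that decides who can reach the lab: the Terraform security groups admit inbound traffic from ip_whitelist, so an empty list, a bare address without a prefix length, or 0.0.0.0/0 either fails the apply or exposes RDP, WinRM, SSH and Splunk to the internet. The following is an added example, not part of DetectionLab: a preflight check to run before `terraform apply` that parses the flat tfvars format used here and reports those mistakes, a mismatched availability zone, and key paths that are not files. The sample tfvars text is constructed.

```python
"""Added example (not part of DetectionLab): a preflight check for
terraform.tfvars before `terraform apply`. Catches an empty or over-wide
ip_whitelist, an availability zone outside the region, and key paths that are
not files. The sample text and paths are constructed."""
import ipaddress
import os
import re
from typing import Dict, List, Union

_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
REQUIRED = ("region", "profile", "public_key_name", "public_key_path",
            "private_key_path", "ip_whitelist", "availability_zone")


def parse_tfvars(text: str) -> Dict[str, Union[str, List[str]]]:
    """Parse the flat `name = "value"` and `name = ["a", "b"]` lines used here.
    Lines starting with // or # are comments. This is not a full HCL parser."""
    values: Dict[str, Union[str, List[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("//", "#")):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        values[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
    return values


def check_ip_whitelist(entries: List[str]) -> List[str]:
    """Every entry must be CIDR notation and must not cover the whole internet."""
    problems: List[str] = []
    if not [e for e in entries if e]:
        return ["ip_whitelist is empty; set it to your public address in CIDR form, e.g. 203.0.113.7/32"]
    for e in entries:
        if "/" not in e:
            # ipaddress would accept a bare address as /32, but AWS security groups reject it
            problems.append(f"{e!r} has no prefix length; AWS security groups need CIDR notation such as {e}/32")
            continue
        try:
            net = ipaddress.ip_network(e, strict=False)
        except ValueError:
            problems.append(f"{e!r} is not a valid CIDR block")
            continue
        if net.prefixlen == 0:
            problems.append(f"{e} admits the whole internet to RDP, WinRM, SSH and Splunk on the lab")
    return problems


def preflight(tfvars_text: str, check_files: bool = True) -> List[str]:
    """Collect everything wrong with a tfvars file; an empty list means go ahead."""
    v = parse_tfvars(tfvars_text)
    problems = [f"missing {k}" for k in REQUIRED if k not in v]
    whitelist = v.get("ip_whitelist", [])
    problems += check_ip_whitelist([whitelist] if isinstance(whitelist, str) else list(whitelist))
    az, region = str(v.get("availability_zone", "")), str(v.get("region", ""))
    if az and region and not az.startswith(region):
        problems.append(f"availability_zone {az} is not in region {region}")
    if check_files:
        for key in ("public_key_path", "private_key_path"):
            p = str(v.get(key, ""))
            if p and not os.path.isfile(p):
                problems.append(f"{key} {p} is not a file (the public key must be the .pub file, not the .ssh directory)")
    return problems


if __name__ == "__main__":
    with open("terraform.tfvars") as fh:
        for problem in preflight(fh.read()) or ["ok"]:
            print(problem)
```

Run it in the AWS/Terraform directory after editing terraform.tfvars; `terraform validate` will not catch any of these, since they are valid HCL with unsafe values.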

Terraform Example

mkdir learn-terraform-aws-instance
cd learn-terraform-aws-instance
pbpaste >

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-830c94e3"
  instance_type = "t2.micro"

  tags = {
    Name = "ExampleInstance"
  }
}

Terraform Output

output "instance_id" {
  description = "ID of the EC2 instance"
  value       =
}

output "instance_public_ip" {
  description = "Public IP address of the EC2 instance"
  value       = aws_instance.example.public_ip
}

New Lab environment 25.07.23

This section is for a build of a hacking lab environment.

Tools to consider;

  • Docker
  • Vagrant
  • Terraform
  • VMware Imager
  • Bitnami
  • QEMU
  • UTM


  • Disable updates autologin
  • Install Tools
  • Install TeamViewer
  • Sysprep and rename