Commando VM is a Windows testing platform, created by Mandiant FireEye, meant for penetration testers who are more comfortable with Windows as an operating system. Commando VM is essentially the sister to Kali, a Linux testing platform widely used throughout the penetration testing community. These testing platforms are packaged with all the common tools and scripts that a tester would need to utilize during an engagement. Commando VM can be installed on Windows 7 SP1 or Windows 10 and is made easily accessible on GitHub.
Understanding what these testing platforms are, and how to use them, is important for both red and blue teamers. When working with customers, I commonly ask if they’re familiar with tools like Mimikatz or BloodHound. Surprisingly, a handful of them are not. This concerns me, because one of the things I learned in school is that to protect yourself from an attacker, you must think like an attacker. What better way to think like an attacker than to use the same tools they’ll be attempting to leverage against you and the environment you’re trying to secure? Commando VM makes this very easy, as it’s packaged with the latest tools and scripts, which helps a blue team learn first-hand what those tools do.
Commando VM is packaged with a myriad of tools that can be used for a variety of things. Some of the categories that Commando VM can assist with are:
All of the tools listed below are included in an installation of Commando VM.
Information gathering is a major part of assessing your own environment. Understanding what is exposed to an attacker with no privileges is key to understanding what you need to lock down and secure. If you can see it with some of these tools and scripts, so can they.
Once you’ve done some reconnaissance, the next step would be trying to exploit some of the things you’ve found. For example, if you’ve identified that sessions existed on a certain machine, or permissions existed for a certain user, there are tools you can use to try and leverage those permissions or sessions to your advantage.
If your company or environment uses internal web applications, it would be in your best interest to penetration test them. Once someone gets into your environment and discovers that these applications exist, it would not be hard for them to use the tools found in Commando VM to look for vulnerabilities. Some of the easily found vulnerabilities can be addressed before any official engagement takes place.
Now that I’ve given a high-level overview of what Commando VM is, why it is important, and some of the tools it includes, my next topic will be the installation and configuration of Commando VM. After that, I’ll be diving into proofs of concept for various Active Directory attacks, and how both blue and red teams can use this tool to understand and help secure their environments.
Kevin Joyce is a Senior Technical Product Manager at Stealthbits – now part of Netwrix. He is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.
© 2022 Stealthbits Technologies, Inc.
Hello, Kevin,
you wrote a beautiful post. But where is the exact difference between the blue and red group? And how do you switch between them?
Hey Rick,
Thanks for reading! The difference between red and blue teams is that the red team is attempting to attack an environment, identifying vulnerabilities that need to be resolved. The blue team is attempting to secure an environment, before the red team is able to exploit it. The point I’m trying to make in this post is that the blue team should leverage the same tools the red team will utilize in their attacks, to familiarize themselves with how they work and how to defend against them.
Thanks for the quick answer. And are these teams made for a kind of tournament in competition? Or how should I understand that?
While there are security conferences that have events you can compete in, similar to red team or blue team exercises, what I’m referring to are normally departments within an organization. Here is a blog post that outlines the goals of the red and blue teams within an organization.
https://securitytrails.com/blog/cybersecurity-red-blue-team
Ahh cool, thx for the help. Have a nice day.