Added TF code and docs

terraform/README.md

@@ -0,0 +1,50 @@
+# Deploy Vulnerable Windows Server
+
+A simple deployment of a vulnerable Windows 2016 Server.
+
+---
+
+## HOWTO
+
+This guide assumes that the following tests are run on a workstation and not using a pipeline system.
+
+### Prerequisites
+
+**NOTE:** This guide uses IAM users. This is not recommended for everyday use or in production environments! When using pipelines or in a secure environment, use alternative approaches such as authenticating runners or actions using OIDC and using IAM roles for them.
+
+* AWS Access/Secret [keypair](https://docs.aws.amazon.com/keyspaces/latest/devguide/create.keypair.html) for a service account
+* Terraform is [installed](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+* S3 bucket to host the `backend.tf` file
+* Preexisting VPC, subnet, EC2 instance role, and SSH keypair
+
+Follow these steps to deploy a Windows server with misconfigurations:
+
+1. Clone this repository.
+2. Navigate to the `terraform` directory.
+3. Fill in values for the variables in `terraform.tfvars`.
+4. Export `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables, like so:
+
+   ```bash
+   export AWS_ACCESS_KEY_ID=""
+   export AWS_SECRET_ACCESS_KEY=""
+   ```
+
+5. Initiate Terraform directory with your backend bucket, like so:
+
+   ```bash
+   terraform init \
+       -backend-config="bucket=awesome-tfstate-bucket" \
+       -backend-config="key=optional/directory/terraform.tfstate" \
+       -backend-config="region=us-east-2"
+   terraform plan # This is optional especially if running in a pipeline
+   terraform apply # Use flag -auto-approve if running in a pipeline
+   ```
+
+---
+
+## Upcoming Changes
+
+* Terraform code for VPC, subnet, EC2 instance role, and SSH keypair to be added.
+* Ensure that this project works with a pipeline configured with OIDC.
+* More resources via Terraform to cover wider variety of use cases.
+* Integrate this repository with `cortexcli` to demonstrate code scanning capabilities.

terraform/main.tf

@@ -0,0 +1,119 @@
+terraform {
+  backend "s3" {
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+resource "aws_security_group" "ec2-security-group" {
+  name        = var.security_group
+  vpc_id      = var.vpc
+  description = "allow all internal traffic, ssh, http, https from anywhere"
+  ingress {
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+    self      = "true"
+  }
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 3389
+    to_port     = 3389
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_instance" "windows_instance_1" {
+  instance_type        = var.windows_instance_type
+  ami                  = lookup(var.windows_amis, var.aws_region)
+  get_password_data    = true
+  key_name = var.key_name
+  security_groups      = ["${aws_security_group.ec2-security-group.name}"]
+  iam_instance_profile = var.iam_role
+  associate_public_ip_address = true
+  user_data = <<EOF
+  <#
+.SYNOPSIS
+    Simulates an unpatched and misconfigured Windows Server 2016 environment to trigger CSPM or CNAPP detections.
+
+.DESCRIPTION
+    Disables built-in Windows security features including Windows Defender, Firewall, TLS hardening, and exploit mitigations.
+    Enables legacy features like SMBv1 and weak RDP configuration.
+    Intended for lab and testing environments only.
+
+.NOTES
+    Author: @adilio + LLM's
+    Date: July 2025
+    Tested On: Windows Server 2016 (latest AWS AMI)
+
+.WARNING
+    Do not run in production. This script weakens system security significantly.
+
+#>
+
+# Disable Windows Defender
+Write-Output "❌ Disabling Windows Defender..."
+Set-MpPreference -DisableRealtimeMonitoring $true `
+                 -DisableIOAVProtection $true `
+                 -DisableIntrusionPreventionSystem $true `
+                 -EnableControlledFolderAccess Disabled `
+                 -DisableScriptScanning $true `
+                 -MAPSReporting Disabled `
+                 -SubmitSamplesConsent NeverSend
+
+# Enable SMBv1
+Write-Output "📡 Enabling insecure SMBv1 protocol..."
+Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
+
+# Enable admin shares (C$, ADMIN$)
+Write-Output "🔓 Ensuring admin shares are active..."
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
+                 -Name "AutoShareWks" -Value 1 -PropertyType DWORD -Force
+
+# Disable TLS 1.2
+Write-Output "📉 Disabling modern TLS protocols (TLS 1.2)..."
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Force
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Force
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" `
+                 -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" `
+                 -Name "Enabled" -Value 0 -PropertyType DWORD -Force
+
+# Enable RDP without NLA
+Write-Output "🔐 Disabling RDP Network Level Authentication..."
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
+                 -Name "UserAuthentication" -Value 0
+
+# Disable Windows Firewall
+Write-Output "🧱 Disabling Windows Firewall..."
+Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+Write-Output "✅ Vulnerable system configuration complete. Reboot may be required to apply all settings."
+EOF
+}

terraform/terraform.tfvars

@@ -0,0 +1,7 @@
+aws_region = "DEFAULT REGION"
+vpc = "ENTER VPC NAME HERE"
+windows_instance_type = "t3.xlarge"
+windows_amis = {"us-east-2" = "ami-0f63c5662f3d395ae"} # Windows Server 2016
+key_name = "KEY PAIR TO DECRYPT PASSWORD"
+iam_role = "EC2 INSTANCE ROLE"
+security_group = "SECURITY GROUP NAME"

terraform/variables.tf

@@ -0,0 +1,27 @@
+variable "aws_region" {
+  description = "Default region"
+}
+
+variable "vpc" {
+  description = "VPC to use"
+}
+
+variable "windows_instance_type" {
+  description = "EC2 instance type to deploy"
+}
+
+variable "windows_amis" {
+  description = "Windows AMI to use"
+}
+
+variable "key_name" {
+  description = "SSH key name"
+}
+
+variable "iam_role" {
+  description = "IAM role to assign EC2"
+}
+
+variable "security_group" {
+  description = "Security group for EC2"
+}