This cyber range consists of two main parts:
A Windows Active Directory domain of three Windows VMs: one domain controller (DC) and two workstation machines. GCP offers Windows images from Windows Server 2012 R2 Datacenter Core all the way up through Windows Server 2022 Datacenter (which includes the desktop experience), as well as a Windows Server 2019 Datacenter Core for Containers image.
A blue team (defenders) subnet, with a Windows VM configured to receive SIEM logs and events from the AD domain.
The GCP command line interface is called Cloud Shell and is a useful tool for automating GCP operations. Cloud Shell provides an easy interface for running commands that look up account information; for example, the following commands return the billing accounts available and the organization ID within a GCP account, respectively:
In GCP, billing is associated with a Project; this project has the organizationally unique identifier "red-team-infrastructure". Projects can be nested within organizations, and VPCs and subnets can be nested within projects.
The target Windows domain, in this case, consists of three VMs: one domain controller (doubling as a DNS server) and two workstation machines.
This range will allow us to simulate an attack against a Windows Active Directory domain. I have created three instances of the available Windows 2012 R2 Datacenter Core images using the E2 Micro CPU platform (CPU provided according to availability: Intel Broadwell at the time of writing). The domain controller machine will be configured as the DNS server for the domain.
To authenticate Terraform with GCP, in the main.tf configuration file, nested inside the "provider" block, use the following syntax to authenticate with the JSON key file that you downloaded when you created a key pair for the service account set up within the project. All of these files (the renamed JSON secret key included) need to be placed inside the same folder set up for the project.
The site in the link below is helpful for configuring and deploying VM instances on GCP, AWS and Azure, including the Windows 2016 DNS VM instance on each.
This GitHub repository of mine contains useful scripts based on, and inspired by, the GCP documentation.
Deploy an instance of Windows DNS server. I will automate this using Terraform; this is the domain controller instance serving as a DNS server. Within GCP, various APIs are available and should be activated within a project as required. This can be automated, and I have a small but growing GitHub repository based on the Python scripts provided alongside the comprehensive GCP documentation. These automatic or "Startup Scripts" are a part of the core infrastructure for VM instances.
The Windows Active Directory target VMs, including the DNS server / Domain Controller and two workstations. There is an extra machine in this screenshot, but it will be removed at a later stage.
The various APIs, including the DNS APIs, need to be activated.
Cloud DNS Windows 2016 Server VM successfully deployed in GCP. At a later stage I will automate this step using Terraform as part of the purple_team_cyber_range; this is an illustration of the core concept of Cloud DNS. Remember to allow port 53 traffic when setting up the Cloud DNS VM.
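The provider authentication described above and the port 53 rule for the DNS server, as an added Terraform example that is not the purple_team_cyber_range project's own code. Only the project ID "red-team-infrastructure" and the e2-micro machine type come from the page; the key filename, region, zone, network names, CIDR range and the windows-2016 image family are assumptions. The firewall rule deliberately limits DNS traffic to the range's own subnet rather than opening port 53 to the internet.

```hcl
# Service-account key downloaded from the project (filename assumed); keep it out of version control.
provider "google" {
  credentials = file("red-team-infrastructure-key.json")
  project     = "red-team-infrastructure"
  region      = "us-central1"   # assumed
  zone        = "us-central1-a" # assumed
}
resource "google_compute_network" "range" {
  name                    = "purple-range-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "ad" {
  name          = "ad-subnet"
  ip_cidr_range = "10.10.1.0/24" # assumed
  network       = google_compute_network.range.id
}

# Port 53 only from the range's own subnet, never from 0.0.0.0/0.
resource "google_compute_firewall" "dns" {
  name          = "allow-dns-internal"
  network       = google_compute_network.range.name
  source_ranges = [google_compute_subnetwork.ad.ip_cidr_range]
  allow {
    protocol = "udp"
    ports    = ["53"]
  }
  allow {
    protocol = "tcp"
    ports    = ["53"]
  }
}

# Domain controller / DNS server; the startup script installs the DNS role on first boot.
resource "google_compute_instance" "dc" {
  name         = "dc01"
  machine_type = "e2-micro"
  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.ad.id
  }
  metadata = {
    windows-startup-script-ps1 = "Install-WindowsFeature -Name DNS -IncludeManagementTools"
  }
}
```

Run `terraform init` and `terraform plan` from the project folder that holds main.tf and the key file before applying.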
Grant Knoetze
IT Support Specialist, Cybersecurity Student, Software Developer
This is code that I wrote to help me with red teaming. Disclaimer - Nothing on this page is intended for malicious purposes, anything that you do with any code is your own responsibility, never engage a target without written permission in the form of a signed contract.