So, you’re an IT professional curious about offensive security? Welcome to the first post of our 10-part Red Team tooling series! In this series, we’ll build a Windows-based cyber range to simulate real-world attacks and improve our defenses. Today, we introduce Commando VM (our attacker’s playground) and a sneak peek at the Covenant C2 framework. We’ll keep it casual and beginner-friendly – no prior red teaming experience needed.


What is Commando VM?

Commando VM (Complete Mandiant Offensive VM) is a “Kali Linux for Windows.” It’s a fully-loaded Windows 10 virtual machine distribution pre-configured with hacking tools for penetration testers and red teamers. Mandiant created Commando VM to fill a gap: while Kali Linux is the go-to offensive Linux platform, there was no equivalent for those who prefer or need to use Windows.

Many of us have spent hours manually setting up a Windows VM with our favorite tools – a tedious task of downloading, installing, and updating dozens of apps. Commando VM automates all that. Born from Mandiant’s FLARE VM (which focused on malware analysis), Commando VM aims to be the de facto Windows attack platform for internal network penetration tests.

Why a Windows VM? Think about enterprise environments: Active Directory, Windows servers, Windows endpoints everywhere. Having your attack box also be Windows has big advantages. Commando VM was designed to attack Active Directory environments and internal corporate networks. Using a Windows-based attacker VM provides:

  • Native AD integration
  • “Living off the land” ease
  • Staging area for C2 frameworks
  • Less target footprint
  • Windows-specific tools

In short, Commando VM gives you a ready-to-go Windows attack playground. One security expert put it well: since the target of penetration testing is Windows, Kali alone is not enough – using a dedicated Windows pentest VM is key.

Inside Commando VM – Tools of the Trade

Commando VM comes packed with an arsenal of tools (over 140 out of the box). It uses Chocolatey and Boxstarter scripts to automatically install everything, giving you a one-stop shop for offensive capabilities. Here are just a few highlights:

  • Nmap – Network scanner
  • Wireshark – Packet capture
  • Mimikatz – Credential dumper
  • BloodHound – AD mapping tool
  • Burp Suite – Web application proxy
  • Covenant C2 – Command and control platform

…and so much more. Whether you’re working on initial access, privilege escalation, lateral movement, or persistence, there’s something for every phase of the MITRE ATT&CK chain.

Even for blue teamers, Commando VM is an incredible lab for testing detections and defenses. Think of Commando VM as your personal red team sandbox, with everything already configured for offensive security testing.

Setting Up Your Commando VM Lab

Step-by-step setup:

  1. Create a Windows 10/11 VM
    • Install Pro edition
    • Fully patch the system
    • Disable antivirus or tamper protection temporarily
  2. Clone the Commando VM repo or grab the installer script
  3. Run this in PowerShell (as admin):

Set-ExecutionPolicy Unrestricted -Force

.\install.ps1 -password <YourAdminPassword>

It’ll take a few hours, but once it’s done, your VM will be stacked with pentest tools in categories such as recon, post-exploitation, evasion, credential dumping, and more.

Take a snapshot once you’ve verified the installation. Trust me; it’ll save your bacon later if something breaks or gets flagged.
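Before kicking off the installer, it helps to confirm the VM actually meets the prerequisites from step 1. This pre-flight script is an added example (not part of Mandiant’s installer); it assumes a fresh Windows 10/11 VM with the Defender PowerShell module present, and the 60 GB free-space and 30-day patch thresholds are my own choices.

```powershell
# Pre-flight for the Commando VM install steps above. Run as Administrator inside the lab VM.
# Assumed thresholds: updates within the last 30 days, at least 60 GB free on C:.

$results = [ordered]@{}

# 1. Edition: the post asks for Pro. Caption looks like "Microsoft Windows 11 Pro".
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Pro edition'] = $os.Caption -match 'Pro'

# 2. Patch level: no hotfix installed in the last 30 days suggests the VM is not fully patched.
$lastHotfix = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$results['Patched recently'] = [bool]$lastHotfix -and ($lastHotfix -gt (Get-Date).AddDays(-30))

# 3. Defender state: the installer drops tools AV will quarantine, so real-time protection
#    and tamper protection must both be off for the duration of the install (re-enable after).
$mp = Get-MpComputerStatus
$results['Real-time protection off'] = -not $mp.RealTimeProtectionEnabled
$results['Tamper protection off']    = -not $mp.IsTamperProtected

# 4. Execution policy: install.ps1 must be allowed to run (the post sets Unrestricted).
$results['Execution policy allows scripts'] = (Get-ExecutionPolicy) -in 'Unrestricted', 'Bypass', 'RemoteSigned'

# 5. Elevation: Boxstarter and Chocolatey need an admin token.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$results['Running as admin'] = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 6. Disk: 140+ tools need room; 60 GB free on C: is an assumed comfortable minimum.
$freeGB = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 1)
$results["Free space on C: ($freeGB GB)"] = $freeGB -ge 60

# Report every check, and refuse to continue if any failed so install.ps1 never runs on a half-ready VM.
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
if ($results.Values -contains $false) {
    Write-Warning 'Fix the FAIL items above, then run: .\install.ps1 -password <YourAdminPassword>'
    exit 1
}
Write-Host 'Pre-flight OK. Take a snapshot now, then run the installer.'
```

Run it once more after the install finishes to remind yourself to turn real-time and tamper protection back on before you start using the box.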

Meet Covenant: Our C2 Framework of Choice

Let’s preview what’s coming in future labs: Covenant C2, our command-and-control platform for the series.

Why Covenant?

  • It’s open source
  • It’s .NET-based (great for blending in on Windows environments)
  • It has a slick web UI
  • It supports multiple users
  • It integrates cleanly with PowerShell and C# payloads
  • It teaches modern C2 concepts in a digestible way

Covenant’s agents are called Grunts. These lightweight implants call back to your Commando VM via a Listener. Once connected, you can send tasks like taking screenshots, dumping credentials, executing PowerShell, scanning ports, and more.

We’ll walk through setting up Covenant, launching our first listener, creating a launcher payload, and interacting with compromised machines—all from this UI. And yes, we’ll trigger some detections to test how well Microsoft Defender XDR picks them up.

Turning This Into a Cyber Range

This isn’t just about learning to hack stuff. It’s about observing an attacker’s actions and how your tools react.

By pairing Commando VM + Covenant with a few test VMs running Defender for Endpoint (and optionally Microsoft Sentinel), you can create a cyber range to practice purple teaming:

  • Watch alerts and detections as you simulate attacks
  • Tune your SIEM rules and hunting queries
  • Use tools like BloodHound to map AD attack paths
  • Perform credential access techniques and track artifacts
  • Practice incident response and triage using real telemetry

This is how defenders become dangerous. You stop guessing what attackers might do and start simulating it for real. That’s the whole purpose of this lab series – showing IT pros how to level up their XDR game by thinking like an adversary.

You don’t need a massive budget to do this, either. With Hyper-V or VMware Workstation, a few test ISOs, and Commando VM, you can build a compelling learning environment on your laptop or desktop.

Coming Up in Part 2

In the next blog, we’ll configure the rest of the lab environment, disable Defender on our test machine (simulating a compromised host), and prepare for our first Covenant session. We’ll also look deeper at PowerShell payloads and binary launchers, setting the stage for privilege escalation and lateral movement.

Want the Full Playbook?

This blog series is a companion to the book Red Teaming and Blue Teaming with Microsoft Defender XDR. If you’re serious about understanding the tools, tactics, and techniques used by attackers—and how to build better detections against them—grab the book. It’s designed like a training course with labs, walkthroughs, and practical examples that tie directly into this series.

Stay tuned, and let’s break some stuff (in the lab).

John Sr.