Nemesis Installation and Setup

1. Ensure the requisite software/hardware is installed.

2. Run the quickstart Helm chart to configure Nemesis's services and secrets.

3. Deploy Nemesis's services by using its Helm chart.

4. Setup and access Nemesis.

5. Ingest data into Nemesis.

If you run into any issues, please see troubleshooting.md for common errors/issues.

Data Ingestion

Once Nemesis is running, data first needs to be ingested into the platform. Ingestion into Nemesis can occur in muliple ways, including

• Auto-ingesting data from C2 platorms.
• Manually uploading files on the "File Upload" page in the Nemesis's Dashboard UI.
• Using the submit_to_nemesis CLI tool to submit files.
• Writing custom tools to interact with Nemesis's API.

Nemesis C2 Connector Setup

Nemesis includes connectors for various C2 platorms. The connectors hook into the C2 platforms and transfer data automatically into Nemesis. The ./cmd/connectors/ folder contains the following C2 connectors:

• Cobalt Strike
• Mythic
• Sliver
• OST Stage1
• Metasploit
• Chrome Extension

Note: not all connectors have the same level of completeness! We intended to show the range of connectors possible, but there is not yet feature parity.

If you'd like to ingest data from another platform, see the documentation for adding a new connector.

Nemesis Service Endpoints

All Nemesis services are exposed through a single HTTP endpoint (defined in the NEMESIS_HTTP_SERVER environment variable) protected by HTTP basic auth credentials configured through the BASIC_AUTH_USER and BASIC_AUTH_PASSWORD settings.

To see a basic landing page with exposed services, go to http NEMESIS_HTTP_SERVER endpoint root. The routes and corresponding services are:

Service	Route	Username	Password
dashboard	/dashboard/	DASHBOARD_USER	DASHBOARD_PASSWORD
kibana	/kibana/	ELASTICSEARCH_USER	ELASTICSEARCH_PASSWORD
Hasura	/hasura/	N/A	N/A
Nemesis web-api	/api/	N/A	N/A
pgadmin	/pgadmin/	PGADMIN_EMAIL	PGADMIN_PASSWORD
rabbitmq	/rabbitmq/	RABBITMQ_ADMIN_USER	RABBITMQ_ADMIN_PASSWORD
alertmanager	/alertmanager/	N/A	N/A
grafana	/grafana/	GRAFANA_USER	GRAFANA_PASSWORD
prometheus	/prometheus/graph	N/A	N/A
elastic	/elastic/	ELASTICSEARCH_USER	ELASTICSEARCH_PASSWORD
yara	/yara/	N/A	N/A
crack-list	/crack-list/	N/A	N/A

(Optional) Install logging and monitoring services by running the following:

helm install --repo https://specterops.github.io/Nemesis/ monitoring monitoring

(Optional) Install Metrics Server

Metrics Server is available but not installed by default. Enable it with the following:

helm show values --repo https://specterops.github.io/Nemesis/ nemesis

Modify the value:

metricsServer:
  enabled: true

If you have not installed Nemesis yet, see Nemesis Chart or upgrade the installation:

helm upgrade --repo https://specterops.github.io/Nemesis/ [chart name] nemesis

(Optional) Changing Persistent File Storage

Elasticsearch, PostgreSQL, and Minio (if using instead of AWS S3) have persistent storage volumes in the cluster.

File Storage Backend

Nemesis can use AWS S3 (in conjunction with KMS for file encryption) for file storage by modifying the storage setting in values.yaml and configuring the aws block.

By default, Nemesis uses Minio for file storage with a default storage size of 30Gi. To change the size, modify the minio.persistence.size value in values.yaml file.

Elasticsearch

The default storage size is 20Gi. To change this, modify the elasticsearch.storage value in values.yaml.

PostgreSQL

The default storage size is 20Gi. To change this, modify the postgres.storage value in values.yaml.

(Optional) Change Nemesis's Listening Port

Nemesis's HTTP traffic is managed by k3s traefik service. Therefore, in order to change Nemesis's listening port, you need to change the port of k3s's traefik HTTP endpoint. You can do this by creating the file /var/lib/rancher/k3s/server/manifests/traefik-config.yaml with the content below and then installing k3s. In this case, the config exposes HTTP traffic on port 8080 and HTTPS traffic on port 8443.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      web:
        exposedPort: 8080
      websecure:
        exposedPort: 8443

Once updated, ensure to update the operation.nemesisHttpServer configuration option to use the new port.

(Optional) Deleting Running Pods

Using Helm

helm uninstall nemesis && kubectl delete all --all -n default

Using Skaffold

skaffold delete

(Optional) Running Helm local charts

If you do not want to run the Helm charts hosted on https://specterops.github.io/Nemesis/, you can run them locally. For example:

helm install nemesis-quickstart ./helm/quickstart
helm install nemesis ./helm/nemesis --timeout '45m'
helm install nemesis-monitoring ./helm/monitoring

Troubleshooting, Common Errors, and Support

Need additional help?

If you run into any issues, please see troubleshooting.md for common errors/issues.

Otherwise, file an issue or feel free to ask questions in the #nemesis-chat channel in the Bloodhound Slack (click here to join).