Noureddine RAMDI / CommandoVM: weaponizing Windows as a first-class pentesting platform

Created Sat, 23 May 2026 20:41:14 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

mandiant/commando-vm

Windows is usually the target in penetration testing, but CommandoVM flips the script by turning Windows itself into a first-class offensive platform. Instead of relying on a Linux-based pentesting distribution, the project uses Windows 10 as the base OS and a PowerShell installer to orchestrate a comprehensive suite of red team tools. It is an opinionated approach that embraces the Windows environment for offensive security engagements.

what CommandoVM is and how it works

CommandoVM is a Windows 10 virtual machine distribution designed specifically for penetration testers and red teamers who want a Windows-native offensive platform. Unlike Kali Linux or other Linux-based pentesting VMs, CommandoVM packages a curated collection of red team and pentesting tools that often don’t have Linux equivalents or are better integrated on Windows.

The core of the project is a PowerShell installation script that automates the setup of dozens of offensive security tools. This script handles package orchestration, ensuring that tools are installed, configured, and ready to use within a single VM environment. The repo separates concerns by hosting the VM orchestration logic in one repository and the definitions of packages (tools) in another, allowing community members to contribute new tools easily.

Under the hood, the VM runs Windows 10 (Insider Preview editions are not supported), and the project lists 60 GB of disk and 2 GB of RAM as its hardware requirements. It is backed by Mandiant's Red Team and FLARE teams, reflecting a practical, production-oriented offensive toolchain.

what makes CommandoVM stand out: technical strengths and limitations

The most notable technical aspect is that it treats Windows not as a hardened target but as the operator's weaponized platform. This is a shift from the conventional Kali Linux approach: the target does not change, but the operator gets a different working environment and toolset.

The PowerShell-based installer script is surprisingly comprehensive, automating the installation of a breadth of tools ranging from network scanners and exploit frameworks to forensic utilities and custom scripts. This orchestration via PowerShell provides a unified and repeatable setup process, making it easier to maintain and update the VM.

However, this setup comes with a clear tradeoff: Microsoft Defender Antivirus, and the Tamper Protection feature that guards its settings, must be permanently disabled for the offensive tooling to install and run. The installation instructions explicitly require users to switch off Tamper Protection in Windows Security first (while it is on, Group Policy changes to Defender are silently ignored), then disable real-time protection and finally Defender itself through the Local Group Policy Editor, with a mandatory reboot after each policy change. This requirement underscores the tension between Windows' security posture and the offensive flexibility red teams need.

The codebase reflects a practical engineering mindset. By using native Windows scripting and policies, it avoids the overhead of compatibility layers or virtualization beyond the VM itself. The community-driven package definitions mean the VM can evolve as new tools and techniques emerge in the offensive security space.

The tradeoff here is clear: you gain a Windows-native offensive platform with tools that may not be available or as mature on Linux, but you must accept a reduced security posture during operation. With no antivirus running, the VM should be treated as an untrusted host: snapshot it before an engagement, keep it off networks it does not need, and do not reuse it as a general-purpose workstation. This makes CommandoVM suited to controlled lab environments or engagements where the attacker fully controls the VM.

installation: pre-requisites and setup steps

The installation process is well documented but involves several manual steps to prepare the Windows environment. Here are the key steps exactly as provided:

## Requirements
* Windows 10
> Insider Preview editions of Windows are not supported
* 60 GB Hard Drive
* 2 GB RAM

# Install Instructions
Deploy a Windows Virtual Machine
   > Where can I find a Windows 10 Virtual Machine?

## Pre-Install Procedures
**You MUST disable Windows Defender for a smooth install**. The best way to accomplish this is through Group Policy.

In Windows versions 1909 and higher, Tamper Protection was added.
**Tamper Protection must be disabled first, otherwise Group Policy settings are ignored.**

1. Open Windows Security (type `Windows Security` in the search box)
1. Virus & threat protection > Virus & threat protection settings > Manage settings
1. Switch `Tamper Protection` to `Off` 
> It is not necessary to change any other setting (`Real Time Protection`, etc.)

> **Important!** Tamper Protection must be disabled before changing Group Policy settings.

To permanently disable Real Time Protection:

1. Make sure you disabled Tamper Protection
1. Open Local Group Policy Editor (type `gpedit` in the search box)
1. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
1. Enable `Turn off real-time protection`
1. **Reboot**
> Make sure to **reboot** before making the next change

To permanently disable Microsoft Defender:

1. Make sure you rebooted your machine
1. Open Local Group Policy Editor (type `gpedit` in the search box)
1. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
1. Enable `Turn off Microsoft Defender Antivirus`
1. **Reboot**

After completing these prerequisite steps, users download and extract the CommandoVM repository zip, open PowerShell as Administrator, set the execution policy to Unrestricted, change into the extracted folder, and run the install script. That single script then manages the installation of the bundled tools.
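A pre-flight check for the prerequisites above, as an added example that is not part of the CommandoVM project. It only reads state and changes nothing, so it can be run before the Defender procedure and again after each reboot to confirm that the previous step actually took effect. Assumptions beyond what the page states: the two gpedit settings correspond to the Defender policy registry values DisableRealtimeMonitoring and DisableAntiSpyware, the Insider Preview test on BuildBranch is a heuristic, and Get-MpComputerStatus may stop responding once the Defender service is fully off, which the script treats as expected rather than as a failure.

```powershell
# Added pre-flight check for the CommandoVM prerequisites quoted above.
# Not part of mandiant/commando-vm: it only READS state and changes nothing.
# Assumptions not stated on the page: the two gpedit settings map to the
# Defender policy values DisableRealtimeMonitoring and DisableAntiSpyware, the
# Insider Preview test on BuildBranch is a heuristic, and Get-MpComputerStatus
# may be unreachable once the Defender service is fully off.

function Test-CommandoPrereqs {
    $failures = @()

    # Administrator: the install script and Set-ExecutionPolicy both need it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $failures += 'Not running as Administrator.'
    }

    # Windows 10. ProductName still reads "Windows 10 ..." on Windows 11, so the
    # build number is the reliable test: Windows 11 starts at build 22000.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    if ($cv.ProductName -notlike 'Windows 10*' -or $build -ge 22000) {
        $failures += "Not Windows 10: $($cv.ProductName) (build $build)."
    }
    # Heuristic (assumption): Insider Dev-channel builds ship from a *_prerelease branch.
    if ($cv.BuildBranch -like '*prerelease*') {
        $failures += "Insider Preview build detected (BuildBranch=$($cv.BuildBranch))."
    }

    # 60 GB disk / 2 GB RAM. Largest attached disk; rounding absorbs partition overhead.
    $diskGB = [math]::Round((Get-CimInstance Win32_DiskDrive |
        Measure-Object -Property Size -Maximum).Maximum / 1GB)
    if ($diskGB -lt 60) { $failures += "Largest disk is $diskGB GB; 60 GB required." }
    $ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    if ($ramGB -lt 2) { $failures += "Only $ramGB GB RAM; 2 GB required." }

    # Tamper Protection has no scripted off-switch by design, and while it is on
    # the Group Policy values below are silently ignored, so it is checked first.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if ($mp.IsTamperProtected) {
            $failures += 'Tamper Protection is ON: turn it off in Windows Security before anything else.'
        }
        if ($mp.RealTimeProtectionEnabled) { $failures += 'Real-time protection is still enabled.' }
        if ($mp.AntivirusEnabled)          { $failures += 'Microsoft Defender Antivirus is still enabled.' }
    } catch {
        # Expected once Defender is fully turned off and the box rebooted; the
        # policy and service checks below still cover that state.
        Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # What the two gpedit steps actually write (assumed mapping, see header).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $rtp = Get-ItemProperty "$pol\Real-Time Protection" -ErrorAction SilentlyContinue
    if ($rtp.DisableRealtimeMonitoring -ne 1) {
        $failures += '"Turn off real-time protection" policy not set (DisableRealtimeMonitoring != 1).'
    }
    $av = Get-ItemProperty $pol -ErrorAction SilentlyContinue
    if ($av.DisableAntiSpyware -ne 1) {
        $failures += '"Turn off Microsoft Defender Antivirus" policy not set (DisableAntiSpyware != 1).'
    }

    # The README insists on a reboot after each policy change; a still-running
    # WinDefend service with both policies set means that reboot has not happened.
    $svc = Get-Service WinDefend -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $failures += 'WinDefend service is still running (reboot pending, or policies not applied).'
    }

    # Execution policy the install instructions ask for.
    $ep = Get-ExecutionPolicy -Scope LocalMachine
    if ($ep -notin @('Unrestricted', 'Bypass')) {
        $failures += "LocalMachine execution policy is $ep; the instructions expect Unrestricted."
    }

    return $failures
}

$result = @(Test-CommandoPrereqs)
if ($result.Count -eq 0) {
    Write-Host 'All pre-install checks passed; safe to run the install script.' -ForegroundColor Green
} else {
    Write-Host "$($result.Count) check(s) failed:" -ForegroundColor Red
    $result | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Tamper Protection is deliberately not scriptable: the check can report it but cannot turn it off, which is why the README has you do that step by hand in Windows Security before touching Group Policy. The build-number test matters because the ProductName registry value still reads "Windows 10" on Windows 11 installs, so a name-only check would wave through an unsupported OS.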

verdict: who should consider CommandoVM?

CommandoVM serves a niche but important role in the offensive security toolkit. If you’re a penetration tester or red teamer who primarily operates in Windows environments or needs access to Windows-specific tools that aren’t easily available on Linux, this project is worth a close look.

It is not suitable for casual use or as a daily workstation, because Defender must remain disabled and the host is correspondingly exposed. This is a tool for professional offensive operators who understand the tradeoffs of disabling Windows security and need a practical, repeatable Windows-based pentesting platform.

The PowerShell-driven orchestration offers a maintainable and extensible approach, but it’s tightly coupled to Windows 10 and requires administrative privileges and careful system preparation.

In summary, CommandoVM is a practical, opinionated Windows pentesting VM that fills a gap in red team tooling by elevating Windows from target to platform. It’s a solid choice if your engagements demand it and you’re comfortable managing the security tradeoffs inherent in disabling Defender.


→ GitHub Repo: mandiant/commando-vm ⭐ 7,650 · PowerShell