Oracle VirtualBox — VBoxManage (CLI)

Deploy the RTA entirely from the command line using VBoxManage. This guide covers import, firmware configuration, network setup, and starting the VM in a single shell session.

Before you start

Review the VirtualBox overview. You'll need the OVA file from your engagement lead, VirtualBox 7.x installed, and VBoxManage on your PATH. Run VBoxManage --version to confirm.

1. Import the OVA

VBoxManage import <OVA_PATH> \
  --vsys 0 \
  --cpus 4 \
  --memory 8192 \
  --vmname "rta"

--vsys 0 targets the first (and only) virtual system in the OVA. --cpus and --memory override whatever the OVA descriptor specifies — set them to your preferred values (minimum 2 vCPU / 4096 MB).

To preview what the OVA will create before committing:

VBoxManage import <OVA_PATH> --dry-run

2. Enable EFI firmware

This step is mandatory — do not skip it

VirtualBox defaults every new VM to Legacy BIOS. The RTA image uses a GPT disk with an EFI System Partition and will not boot under BIOS. Run this command before starting the VM.

VBoxManage modifyvm "rta" --firmware efi

Secure Boot

Secure Boot is off by default in VirtualBox 7.x — do not enable it. The appliance bootloader is unsigned; enabling Secure Boot prevents the VM from booting.

3. Configure the network adapter (Bridged)

Find the name of the host NIC you want to bridge to:

VBoxManage list bridgedifs

Look for the Name: field of the interface that is connected to the engagement LAN (typically your wired Ethernet adapter).

Name:            en0
...
Status:          Up

Then configure Adapter 1 as a bridged adapter:

VBoxManage modifyvm "rta" \
  --nic1 bridged \
  --bridge-adapter1 "<HOST_NIC>"

Replace <HOST_NIC> with the exact name from VBoxManage list bridgedifs (e.g., en0, eth0, Ethernet).

NAT is fine for isolated lab use

If you are running the appliance in an isolated lab with no real LAN targets, NAT is sufficient for the outbound VPN tunnel. For actual engagements where the appliance must have Layer-2 adjacency to targets, Bridged Adapter is required.

4. Start the VM

With a GUI console window (recommended for first boot — lets you watch the status dashboard):

VBoxManage startvm "rta" --type gui

Headless (no console window, runs in the background):

VBoxManage startvm "rta" --type headless

View the status dashboard from a headless VM

If you started headless and want to see the appliance's status dashboard, reattach a console:

VBoxManage startvm "rta" --type gui

Or use VBoxManage controlvm "rta" vrde on to enable RDP access if VRDE is configured on your host.

Verify

# Check the VM is running
VBoxManage list runningvms

# Show the VM's current configuration (confirm firmware = EFI, nic = bridged)
VBoxManage showvminfo "rta" | grep -E "Firmware|NIC 1"

Expected output:

Firmware:        EFI
NIC 1:           MAC: ..., Attachment: Bridged Interface '<HOST_NIC>', ...
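
The same check as a pass/fail script, for use before handing the appliance over. This is an added example, not part of the original guide: the helper name check_rta_config and the sample lines are constructed, and it assumes showvminfo prints the Firmware and NIC 1 lines in the format shown above.

```shell
#!/bin/sh
# Constructed sample input in the format of the guide's expected output.
SAMPLE_GOOD="Firmware:        EFI
NIC 1:           MAC: 080027AABBCC, Attachment: Bridged Interface 'en0', Cable connected: on"
SAMPLE_BAD="Firmware:        BIOS
NIC 1:           MAC: 080027AABBCC, Attachment: NAT, Cable connected: on"

# check_rta_config EXPECTED_NIC   (hypothetical helper, not a VBoxManage command)
# Reads `VBoxManage showvminfo "rta"` text on stdin, prints one line per
# problem, and returns the number of problems found (0 = ready to start).
check_rta_config() {
  expected_nic=$1
  info=$(cat)
  problems=0

  # Step 2: the image is GPT with an EFI System Partition; BIOS will not boot it.
  firmware=$(printf '%s\n' "$info" |
    sed -n 's/^Firmware:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
  if [ "$firmware" != "EFI" ]; then
    echo "FAIL firmware is '${firmware:-unknown}', expected EFI"
    problems=$((problems + 1))
  fi

  # Step 3: adapter 1 must be bridged to the NIC on the engagement LAN.
  nic1=$(printf '%s\n' "$info" | sed -n '/^NIC 1:/p' | head -n 1)
  case $nic1 in
    *"Attachment: Bridged Interface '$expected_nic'"*) ;;
    *"Attachment: Bridged Interface"*)
      echo "FAIL NIC 1 is bridged, but not to '$expected_nic'"
      problems=$((problems + 1)) ;;
    *)
      echo "FAIL NIC 1 is not a bridged adapter"
      problems=$((problems + 1)) ;;
  esac

  [ "$problems" -eq 0 ] && echo "OK firmware=EFI, NIC 1 bridged to '$expected_nic'"
  return "$problems"
}

# Real use: VBoxManage showvminfo "rta" | check_rta_config "<HOST_NIC>"
printf '%s\n' "$SAMPLE_GOOD" | check_rta_config en0
```

A non-zero exit status is the number of failed checks, so the function can gate a deployment script.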

The appliance is customized for your engagement, so it boots already registered and connects to the Sophos headend over its outbound VPN tunnel automatically — there is no activation step. The VM console shows a live status and troubleshooting dashboard (network, VPN tunnel, connectivity); you do not normally need to log in.

Default admin user

The default admin username is swag. You can SSH into the VM from your host if you know its IP, but the appliance does not need inbound access for normal operation.

Network access

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination

Destination:     connect.remotetesting.secureworks.com
IP addresses:    3.33.194.251 and 15.197.255.2 (static — these do not change)
Port / protocol: TCP 443, carrying OpenVPN (not HTTPS)
Direction:       Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.

Troubleshooting

Deployed but something isn't right?

See Oracle VirtualBox troubleshooting for the most common issues on this platform and how to fix them.