Part 1 | SOC Analyst Home Labs
Part 1: Creating a small virtualization environment (2 VMs)
Install VMware Workstation Pro
For the virtualization environment we will be using VMware. For setting up this lab we will need a machine with at least 8GB of RAM, but 16GB and above is preferable, as we will be running more than one VM in parallel. As stated in Eric's guide, VMware Workstation Pro is now free for personal use. If you don't already have it installed on your system, this guide will take you through the sign-up process with Broadcom and downloading VMware Workstation Pro 17 (the same guide suggested by Eric Capuano in his blog series).
Download the Windows 11 VM
Once we have VMware set up on our local machine, we can go ahead and download the Windows VM (VMware version) from the official Microsoft website. It is important to keep an eye on our available disk space while setting up the lab, as in total the VMs will use somewhere between 80 and 100 GB.
Import and configure the Windows VM into VMware
After the download is finished and upon unzipping the folder, we will see three files inside. Please note that if you have both VirtualBox and VMware installed on your system, the files might be recognized as VirtualBox ones even though we downloaded the VMware version of the VM. In that case, we can right-click the file with the .ovf extension and select "Open with > VMware Workstation". We will be asked to input a name for that VM, and after that the import process will start. It is also worth noting that the Windows VM will expire on the date displayed on the VM's download page. If needed, we can always download a new VM and repeat the import process when that happens. When the VM has finished importing, we can go ahead and delete the zip file that we downloaded from the Microsoft website and the folder that was created upon unzipping it, as each of those is roughly 23GB.
Before booting up the freshly imported VM, the RAM can be adjusted from the left panel depending on your system's specs. The Windows machine can run with a minimum of 4GB of RAM. If that causes it to run too slowly, we can increase it to 8GB later.
Download and configure Ubuntu Server into a new VM
For the next step we will download the ISO for Ubuntu 22.04.1 Server from the official Ubuntu website. The download for the specified version should begin when you click the link above. We don't need to install the Desktop version for this lab, as it would only use up extra resources on our host machine.
Once the ISO image has finished downloading, we can start creating a new VM. If you need help creating a new VM from an ISO file, this guide shows how to make a new VM in VMware.
We can use the default settings for creating the VM with the following exceptions.
Once we are done with the Virtual Machine Creation Wizard, the VM will automatically boot up and start the OS installation. While going through the OS installation, we can only use Tab and the arrow keys for navigation, the space bar to check boxes, and the Enter key to confirm and proceed to the next step by pressing "Done" at the bottom of the screen. Similarly to the previous step, we can proceed with the default options for most steps and only make a few changes to the following parts of the installation.
Here we will need to make a few adjustments to set the VM's IP to static, which will make it easier to work with throughout this lab. Make a note of the address you assign, as we will use it to connect to the VM later.
Once the installation is finished and we have logged in, we can verify that the VM has network connectivity with the following command.
ping -c 2 google.com
If we get responses with the IP of Google's server displayed, it means that we're all set and good to move on to the next steps.
Setup the Windows VM
We can now boot up the Windows VM for the first time. Depending on your system's configuration and specifications, the first time you try to run the VM you might get an error message that says "Virtualized AMD-V/RVI is not supported on this platform". To resolve this, click on "Edit virtual machine settings" on the left panel in VMware Workstation, then select the "Processors" tab and uncheck the "Virtualize Intel VT-x/EPT or AMD-V/RVI" box.
Now we can proceed with powering on this VM again. Once it goes through the "setting up" stage which might take a while, we should be automatically logged in as "user" and see the Windows Desktop environment.
Disable Microsoft Defender on the Windows VM
For this part of the lab, we will disable Microsoft Defender on the Windows VM so that it doesn't block the traffic from our "attacker VM". At later stages of this lab series, we can look into various ways that we could potentially bypass Defender by utilizing Red Team techniques to mimic a true adversarial attack and make our lab exercises more realistic.
Disabling Microsoft Defender turns out to be trickier than expected, so it's important to complete the following tasks in the specific order they are laid out here.
Disable Tamper Protection
- Click on the "Start" menu, then click on "Settings"
- Click on "Privacy & Security" from the left panel
- Click on "Windows Security"
- Click on "Virus & Threat protection", then "Manage Settings"
- Toggle off the "Tamper Protection" switch, then click "Yes" when prompted
- Toggle off all other options on that page as well
- Close all of the windows and return to the Desktop
Permanently Disable Microsoft Defender via Group Policy Editor
- Click on the "Start" menu, then type "cmd"
- Right-click on "Command Prompt" and select "Run as administrator"
- Type in the command gpedit.msc, then press "Enter"
- In the Local Group Policy Editor, click on Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
- Double-click "Turn off Microsoft Defender Antivirus"
- Select "Enabled" (if you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software)
- Click "Apply", then "OK"
- Close the Local Group Policy Editor window and keep the Command Prompt open
Permanently Disable Microsoft Defender via the Registry
- In the same administrative Command Prompt we used earlier, copy & paste the following command and press Enter
REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Boot into Safe Mode to disable all Microsoft Defender services
- Click on the "Start" menu, then type "msconfig"
- Select the "Boot" tab
- Under "Boot Options", check the box for "Safe boot" and "Minimal"
- Click "Apply", then "OK"
- The VM will restart into Safe Mode
- Once the restart is finished, we are in Safe Mode and can go ahead and disable a few services via the Registry
- Click on the "Start" menu, then type "regedit"
Leave Safe Mode
- Click on the "Start" menu, then type "msconfig"
- Select the "Boot" tab
- Under "Boot Options", uncheck the box for "Safe boot"
- Click "Apply", then "OK"
- The VM will restart into the normal desktop environment and Microsoft Defender should now be completely disabled
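Because the steps above have to be completed in order and a missed one is easy to overlook, it helps to verify the result after the final reboot rather than assume it. The following snippet is an added example, not part of the original guide; run from an administrative PowerShell prompt on the Windows VM, it checks the policy value written by the REG ADD command above, the state of the Defender antivirus service (the real service name is WinDefend) and what Defender reports about itself through its own Get-MpComputerStatus cmdlet. The "[OK]" lines describe the state this lab is aiming for on the Windows VM only.

```powershell
# Added example (not from the original guide): confirm the Defender state on the
# lab VM after the reboot. Every cmdlet, service name and registry value below is
# a real Windows component; the "[OK]" outcomes are what this lab expects.

# 1. The policy value we set with REG ADD (1 = Defender disabled by policy)
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Host "[OK]   DisableAntiSpyware policy is set"
} else {
    Write-Host "[FAIL] DisableAntiSpyware policy is missing, re-run the REG ADD step"
}

# 2. The Defender antivirus service (WinDefend) should not be running
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Host "[OK]   WinDefend service is not running"
} else {
    Write-Host "[FAIL] WinDefend is still running, check the Group Policy and Safe Mode steps"
}

# 3. Ask Defender itself. Once it is disabled this cmdlet usually errors out,
#    which is itself a sign that the steps worked, so the error is caught.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $status | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected, AMRunningMode
    if ($status.AntivirusEnabled -or $status.RealTimeProtectionEnabled) {
        Write-Host "[FAIL] Defender still reports as enabled"
    } else {
        Write-Host "[OK]   Defender reports antivirus and real-time protection as disabled"
    }
} catch {
    Write-Host "[OK]   Get-MpComputerStatus could not query Defender (expected once it is disabled)"
}
```

If any line reports "[FAIL]", revisit the corresponding section above before moving on; taking the VM snapshot later in this part is only useful if this is the state being captured.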
Install Sysmon on the Windows VM via PowerShell
It is recommended that we install Sysmon on the Windows VM even though it won't be used directly in this guide. It is a good idea to familiarize ourselves with this tool, as it's a must-have for getting granular telemetry on all the activity that is happening on our Windows system.
- Click on the "Start" menu, then type "powershell"
- Right-click on "Windows PowerShell", then select "Run as administrator"
- Copy & paste the following commands into PowerShell to download and install Sysmon
# Download Sysmon
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip
# Unzip Sysmon.zip
Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon
# Download SwiftOnSecurity's Sysmon config
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml
# Install Sysmon with Swift's config
C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml
# Validate that the Sysmon64 service is installed and running
Get-Service sysmon64
# Check for the presence of Sysmon event logs
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10
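Once Sysmon is writing events, the value is in the per-event fields rather than in the raw list that Get-WinEvent prints. The following function is an added example, not part of the original guide or of Sysmon itself; it assumes Sysmon is installed with the SwiftOnSecurity config as above (which enables Event ID 1, process creation) and reads the Sysmon log with the standard Get-WinEvent cmdlet, flattening each event's EventData fields into an object so the telemetry can be filtered like a table.

```powershell
# Added example (not from the original guide): pull recent Sysmon process-creation
# events (Event ID 1) and flatten their EventData fields into objects, so the
# telemetry Sysmon gives us can be read and filtered like a table.

function Get-SysmonProcessCreate {
    param(
        [int]$MaxEvents = 20
    )
    $filter = @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 1   # Sysmon Event ID 1: process creation
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Each Sysmon event carries its fields as <Data Name="...">value</Data>
            # elements; turn them into a hashtable keyed by the Name attribute.
            $xml = [xml]$_.ToXml()
            $fields = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $fields['User']
                Image       = $fields['Image']
                CommandLine = $fields['CommandLine']
                ParentImage = $fields['ParentImage']
                ProcessId   = $fields['ProcessId']
                ParentPid   = $fields['ParentProcessId']
            }
        }
}

# Show the last 20 process launches with their parent. Starting a program
# yourself (e.g. opening Notepad) and re-running this is a quick way to see
# Sysmon picking up activity on the VM.
Get-SysmonProcessCreate -MaxEvents 20 |
    Format-Table Time, ParentImage, Image, CommandLine -AutoSize -Wrap

# The same objects can be filtered on any field. Listing every process spawned
# by a PowerShell host is the kind of question Sysmon-based Sigma rules ask.
Get-SysmonProcessCreate -MaxEvents 200 |
    Where-Object { $_.ParentImage -like '*\powershell.exe' } |
    Format-Table Time, Image, CommandLine -AutoSize -Wrap
```

The ParentImage/Image pairing is what makes Sysmon more useful than the plain Windows Security log for this lab: the next part relies on exactly these parent-child relationships to spot the C2 payload and its child processes.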
Install LimaCharlie EDR on the Windows VM
LimaCharlie is a cloud-based tool used by SecOps teams for incident detection, with a free tier available that allows us to monitor up to two systems.
Create a free LimaCharlie account
During the sign-up process, LimaCharlie asks a few questions. Feel free to answer those however you like; they use that information to try and develop their product better.
Once logged into LC, create an organization
- Name: Choose a name for your organization. Any will do as long as it is unique
- Data Residency: Whichever option is closest to your current location
- Demo Configuration Enabled: Disabled
- Template: Extended Detection & Response Standard
Once the organization is created, click "Add Sensor"
- Select Windows
- Write a description such as "Windows VM Lab" and click Create
- Select the Installation Key we created earlier
- Specify the x86-64 (.exe) sensor. Do not click the "selected installer" option from the installation steps of the website.
- In the Windows VM, open an administrative PowerShell prompt and paste the following commands:
cd C:\Users\User\Downloads
Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe
- Change into a standard Command Prompt by executing the following command
cmd.exe
- Next, copy the command provided on the LC platform, which contains the installation key, and paste it into the open terminal of the Windows VM. At the time of writing this documentation, the code snippet provided on the website is missing the first part, which contains the actual command for the installation. Make sure you add the "lc_sensor.exe" part in front of the command mentioned above if it's not included in the original command.
- If the installation completed, the LimaCharlie logo will be displayed in the terminal in ASCII form and the output should be "Agent installed successfully"
- In case the .exe option did not work for the installation, try the "x86-64 msi" instead
- Once LimaCharlie is installed on the Windows VM, we should be able to see the sensor on the web platform, detected as "windev2407eval.localdomain".
Next, we will configure LC to also ship the Sysmon event logs alongside its own telemetry
- From the left-side menu, click "Artifact Collection"
- On the right of "Artifact Collection Rules", click "Add Artifact Collection Rule"
- Name: windows-sysmon-logs
- Platforms: Windows
- Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*
- Retention Period: 10
- Click "Save Rule"
- LC will now start sending Sysmon logs, which provide a lot of EDR-related information. Many of the built-in Sigma rules that were enabled in the previous steps are written for Sysmon, which is another reason why it's recommended to utilize that tool in this lab.
This concludes our configuration of LC for now. We can now go ahead and take a snapshot of the Windows VM by clicking "VM > Snapshot > Take Snapshot" from the VMware Workstation top menu, in case we need to revert to this state of the machine at a later time.
Setup the Ubuntu VM
The easiest way to configure our attack box is via SSH from our host machine. In my case, I will be using Kali Linux on WSL2, but the same steps can be followed from Windows or Mac as well. If you wish to set this up, you can check my guide on setting up Kali Linux on WSL2 with a Graphical Interface. The installation process takes roughly 20 minutes.
The main reason that SSH is the recommended method for this part is so that we can copy-paste the commands from this guide.
By setting up the Ubuntu VM with a static IP address earlier, it is easier for us to SSH into the machine from our host at any time using the address we took a note of.
Even though we can use SSH clients to initiate the connection, the simplest way to do this is to open a terminal and type in the following command.
ssh {VM_username}@{Ubuntu_VM_IP}
- Once the SSH connection is established, we will first elevate our shell to root privileges by using the superuser command.
sudo su
- Now we can download Sliver, a Command & Control (C2) framework developed by BishopFox. We want to make sure the full length of the following commands is copied, as some of them might extend onto the lines beneath (line wrapped).
# Download Sliver server for Linux binary
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
# Make it executable
chmod +x /usr/local/bin/sliver-server
# Install mingw-w64 for additional capabilities
apt install -y mingw-w64
Next, we will create a working directory which we will use in the following steps.
# Create our working directory
mkdir -p /opt/sliver
If everything so far went smoothly, we are now ready to proceed to the next part of the lab, where we will work on sending a C2 payload to the Windows VM. We will then detect the various activities that are taking place with the help of Sysmon and LimaCharlie.
Lastly, it's recommended to go through the LimaCharlie web interface and options to familiarize ourselves with the various sections, tools and actions it provides.
Resources:
So you want to be a SOC Analyst? Part 1