Part 1 | SOC Analyst Home Labs

Part 1: Creating a small virtualization environment (2 VMs)



Install VMware Workstation Pro
For the virtualization environment we will be using VMware. For setting up this lab we will need a machine with at least 8GB of RAM, but 16GB and above is preferable as we will be running more than one VM in parallel. As stated in Eric's guide, VMware Workstation Pro is now free for personal use. If you don't already have it installed on your system, this guide will take you through the sign-up process with Broadcom and downloading VMware Workstation Pro 17 (the same guide suggested by Eric Capuano in his blog series).

Download the Windows 11 VM
Once we have VMware set up on our local machine, we can go ahead and download the Windows VM (VMware version) from the Official Microsoft Website. It is important to keep an eye on our available disk space during the process of setting up the lab as in total we will be using somewhere between 80 and 100 GB for setting up the VMs.

Import and configure the Windows VM into VMware
After the download is finished and upon unzipping the folder, we will see three files inside. Please note that if you have both Virtual Box and VMware installed on your system, the files might be recognized as Virtual Box ones even though we downloaded the VMware version of the VM. In that case, we can right-click the file with the .ovf extension and select "Open with > VMware Workstation".
We will be asked to input a name for that VM and after that the import process will start. It is also worth noting that the Windows VM will expire at the specified date that is displayed on the VM's download page. If needed, we can always download a new VM and repeat the import process when that happens. When the VM has finished importing, we can go ahead and delete the zip file that we downloaded from the Microsoft website and the folder that was created upon unzipping that file as each one of those are roughly about 23GB.
Before booting up the freshly imported VM, the RAM can be adjusted from the left panel depending on your system's specs. The Windows machine can run with 4GB of RAM minimum. If that is causing it to run too slow, we can increase it to 8GB later.

Download and configure Ubuntu Server into a new VM
For the next step we will download the ISO for Ubuntu 22.04.1 Server from the Official Ubuntu Website. The download for the specified version should begin by pressing the link above. We don't need to install the Desktop version for this lab as it will only use up extra resources from our host machine.
Once the ISO image has finished downloading, we can start creating a new VM. If you need help creating a new VM from an ISO file, this guide shows how to make a new VM in VMware.
We can use the default settings for creating the VM with the following exceptions.

  • 14GB Disk space
  • 2 CPU Cores
  • 2GB RAM


  • Once we are done with the Virtual Machine Creation Wizard, the VM will automatically boot up and start the OS installation. While going through the OS installation, we can only use Tab and the arrow keys for navigation, the Space Bar to check boxes, and the Enter key to confirm and proceed to the next step by pressing "Done" at the bottom of the screen. Similarly to the previous step, we can proceed with the default options for most steps and only make a few changes to the following parts of the installation.

  • The first option we encounter is if we want to update. We will press "Continue without updating"
  • We will proceed with the default settings until we get to the "Network Connections" screen.
        Here we will need to make a few adjustments to set up the VM's IP to static which will make it easier to work with throughout this lab.

  • First, we need to find the gateway IP of our VMware Workstation NAT network. To do this, we will click on "Edit > Virtual Network Editor" from the top menus of VMware.
  • From the available networks, we will click on the "NAT" network then click on "NAT Settings". From here we need to take a note of the "Subnet IP" and "Gateway IP" then we can close down the NAT Settings and Virtual Network Editor windows.

  • Now we are back in the Ubuntu installer screen, we will click on the "eth" type network and then "Edit IPv4". On the new screen we can change the configuration from "Automatic (DHCP)" to "Manual". Once that is done, we'll confirm the changes and we should be back on the "Network Connections" screen.
  • Next, we will click on the IP displayed next to "DHCPv4" and, once inside the "Edit ens33 IPv4 Configuration" screen, we will input the IP addresses we noted down in the previous step. In the "Subnet" field, enter the subnet IP we got from the VMware NAT settings with "/24" added at the end. In the "Address" field, copy the address that shows up next to "DHCPv4" on the "Network Connections" screen of the Ubuntu installer. Lastly, in the "Gateway" field input the gateway IP we noted down from the VMware Virtual Network Editor, and next to "Name servers" we can input "8.8.8.8". Click save and we should be back on the "Network Connections" screen. The second line should now say "static" instead of "DHCPv4". Here we should take a note of the VM's IP address as we will need it throughout the lab.

  • Now we can proceed with the OS installation. When prompted, set up a memorable username and password for this VM. Next, when asked if you'd like to install "OpenSSH server", check the box / yes then continue with the installation until the "Installation Complete" appears on the top of the screen then we can hit Enter on "Reboot Now". Please note that it might take a while for the processes to finish and the system to reboot. You can click on "Show full log" to see all the packages that are being installed. If the process gets stuck on "removing CDROM", we can press enter for the system to reboot.
  • Once the reboot is done, we can log in to the newly installed VM and test our connectivity by pinging Google with ping -c 2 google.com. If we get responses showing the IP of Google's server, we're all set and good to move on to the next steps.


    Setup the Windows VM
    We can now boot up the Windows VM for the first time. Depending on your system's configuration and specifications, the first time you try to run the VM you might get an error message that says "Virtualized AMD-V/RVI is not supported on this platform".

    To resolve this, click on "Edit virtual machine settings" on the left panel in VMware Workstation, then select the "Processors" tab and uncheck the "Virtualize Intel VT-x/EPT or AMD-V/RVI" box.

    Now we can proceed with powering on this VM again. Once it goes through the "setting up" stage which might take a while, we should be automatically logged in as "user" and see the Windows Desktop environment.

    Disable Microsoft Defender on the Windows VM
    For this part of the lab, we will disable Microsoft Defender on the Windows VM so that it doesn't block our traffic from our "attacker VM". At later stages of this lab series, we can look into various ways that we could potentially bypass the Defender by utilizing Red-Team techniques to mimic a true adversarial attack and make our lab exercises more realistic.
    Apparently disabling Microsoft Defender is trickier than expected so it's important to complete the following tasks in the specific order they are laid out here.

      Disable Tamper Protection
    1. Click on the "Start" menu, then click on "Settings"
    2. Click on "Privacy & Security" from the left panel
    3. Click on "Windows Security"
    4. Click on "Virus & Threat protection" then "Manage Settings"
    5. Toggle Off the "Tamper Protection" switch, then click "Yes" when prompted
    6. Toggle Off all other options on that page as well
    7. Close down all of the windows and return to the Desktop
      Permanently Disable Microsoft Defender via Group Policy Editor
    1. Click on the "Start" menu, then type "cmd"
    2. Right-click on "Command Prompt" and select "Run as administrator"
    3. Type in the command: gpedit.msc , then press "Enter"
    4. In the Local Group Policy Editor, click on Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
    5. Double-click "Turn off Microsoft Defender Antivirus"
    6. Select "Enabled"
      (If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.)
    7. Click "Apply", then "OK"
    8. Close down the Local Group Policy Editor window and keep the Command Prompt open
      Permanently Disable Microsoft Defender via the Registry
    1. In the same Administrative Command Prompt we used earlier, copy & paste the following command and press Enter

       REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      Boot into Safe Mode to disable all Microsoft Defender services
    1. Click on the "Start" menu, then type "msconfig"
    2. Select the "Boot" tab
    3. Under "Boot Options", check the box for "Safe boot" and "Minimal"
    4. Click "Apply", then "OK"
    5. The VM will restart into Safe Mode
    6. Once the restart is finished, we are now into Safe Mode and can go ahead to disable a few services via the Registry
    7. Click on the "Start" menu then type "regedit"
    For each of the following registry locations, we'll need to browse to the key, find the "Start" value, and change it to 4
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter


      Leave Safe Mode
    1. Click on the "Start" menu, then type "msconfig"
    2. Select the "Boot" tab
    3. Under "Boot Options", uncheck the box for "Safe boot"
    4. Click "Apply", then "OK"
    5. The VM will restart into the normal desktop environment and Microsoft Defender should now be completely disabled


    Install Sysmon on the Windows VM via Powershell
    It is recommended that we install Sysmon on the Windows VM even though it won't be used directly in this guide. It's a good idea to familiarize ourselves with this tool as it's a must-have for getting granular telemetry on all the activity happening on our Windows system.

    1. Click on the "Start" menu, then type "powershell"
    2. Right-click on "Windows Powershell", then select "Run as administrator"
    3. Copy & paste the following commands into Powershell to download and install Sysmon

       # Download Sysmon
       Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip

       # Unzip Sysmon.zip
       Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon

       # Download SwiftOnSecurity's Sysmon config
       Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml

       # Install Sysmon with Swift's config
       C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml

       # Validate Sysmon64 service is installed and running
       Get-Service sysmon64

       # Check for the presence of Sysmon Event Logs
       Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10
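    As an added check that is not part of this guide or of Eric Capuano's series, the following PowerShell script reads back the state that the Defender section and the Sysmon install steps above were meant to produce, so we know the lab VM is in the expected condition before taking a snapshot. It only reads state and changes nothing. It assumes the six Defender service names and the DisableAntiSpyware policy value listed in the Defender section, and the sysmon64 service and Microsoft-Windows-Sysmon/Operational log used in the install steps; Get-MpComputerStatus is treated as passing when the cmdlet itself no longer responds, since that is what happens once the WinDefend service is gone. Run it from the same administrative PowerShell prompt.

```powershell
# Added lab-state check (not from the original guide). Read-only.
# Assumed from the sections above: the Defender service names, the
# DisableAntiSpyware policy value, the sysmon64 service and Sysmon log name.

$defenderServices = 'Sense', 'WdBoot', 'WinDefend', 'WdNisDrv', 'WdNisSvc', 'WdFilter'
$results = [ordered]@{}

# 1. Registry: each Defender service's Start value should be 4 (Disabled)
foreach ($svc in $defenderServices) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $results["Service $svc Start=4"] = ($start -eq 4)
}

# 2. Policy: DisableAntiSpyware should be 1 under the policies key set with REG ADD
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
$results['Policy DisableAntiSpyware=1'] = ($pol.DisableAntiSpyware -eq 1)

# 3. Defender engine should report as not running. Once WinDefend is disabled the
#    cmdlet usually fails outright, which we treat as "engine not reachable" (pass).
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $results['Defender AMServiceEnabled=False'] = (-not $status.AMServiceEnabled)
} catch {
    $results['Defender AMServiceEnabled=False'] = $true
}

# 4. Sysmon64 service should exist and be Running
$sysmon = Get-Service -Name sysmon64 -ErrorAction SilentlyContinue
$results['Sysmon64 service Running'] = [bool]($sysmon -and $sysmon.Status -eq 'Running')

# 5. Sysmon channel should already contain events; keep the last 200 for a summary
$events = @(Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                         -MaxEvents 200 -ErrorAction SilentlyContinue)
$results['Sysmon events present'] = ($events.Count -gt 0)

# Report one PASS/FAIL line per check
$results.GetEnumerator() | ForEach-Object {
    $mark = if ($_.Value) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $mark, $_.Key
}

# Show which Sysmon event types the SwiftOnSecurity config is producing on this VM
if ($events.Count -gt 0) {
    "`nSysmon event IDs in the last $($events.Count) events:"
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

    A FAIL on any of the service Start values usually means the Safe Mode registry step was missed for that service; a FAIL on "Sysmon events present" right after installation just means nothing has happened on the VM yet, so open a few programs and run the script again.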




      Install LimaCharlie EDR on the Windows VM
      LimaCharlie is a cloud-based SecOps tool for incident detection with a free tier that allows us to monitor up to two systems.

      1. Create a free LimaCharlie account
        During the sign-up process, LimaCharlie asks a few questions. Feel free to answer those however you like. They use that information to try and develop their product better.

      2. Once logged into LC, create an organization
        1. Name: Choose a name for your organization. Any will do as long as it is a unique one
        2. Data Residency: Whichever option is closest to your current location
        3. Demo Configuration Enabled: Disabled
        4. Template: Extended Detection & Response Standard

      3. Once the organization is created, click "Add Sensor"
        1. Select Windows
        2. Write a description such as: Windows VM Lab and click Create
        3. Select the Installation Key we created earlier
        4. Specify the x86-64 (.exe) sensor. Do not click the "selected installer" option from the installation steps of the website.
        5. In the Windows VM, open an Administrative PowerShell prompt and paste the following commands:

           cd C:\Users\User\Downloads
           Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe

        6. Change into a standard Command Prompt by executing the following command

           cmd.exe

        7. Next, copy the command provided on the LC platform which contains the installation key and paste it into the open terminal of the Windows VM. At the time of writing this documentation, the code snippet provided on the website is missing the first part which contains the actual command for the installation. Make sure you add the "lc_sensor.exe" part in front of the command mentioned above if it's not included in the original command.
        8. When the installation completes, the LimaCharlie logo will be displayed in the terminal in ASCII form and the output should be "Agent installed successfully"
        9. In case the .exe option did not work for the installation, try the "x86-64 msi" instead
        10. Once LimaCharlie is installed on the Windows VM, we should be able to see the sensor on the Web Platform detecting it as "windev2407eval.localdomain".


      4. Next, we will configure LC to also ship the Sysmon event logs and its own Telemetry

        1. From the left-side menu, click "Artifact Collection"


        2. On the right of "Artifact Collection Rules", click add "Artifact Collection Rule"
          1. Name: windows-sysmon-logs
          2. Platforms: Windows
          3. Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*
          4. Retention Period: 10
          5. Click "Save Rule"


        3. LC will now start sending Sysmon logs, which provide a lot of EDR-related information. Many of the built-in Sigma rules that were enabled in the previous steps are written for Sysmon, which is another reason why it's recommended to utilize that tool in this lab.


      This concludes our configuration part of LC for now. We can now go ahead and take a Snapshot of the Windows VM by clicking "VM > Snapshot > Take Snapshot" from the VMware Workstation's top menu in case we need to revert to this state of the machine at a later time.



      Setup the Ubuntu VM
      The easiest way to configure our attack box is via SSH from our host machine. In my case, I will be using Kali Linux on WSL2 but the same steps can be followed from Windows or Mac as well. If you wish to set this up, you can check my guide on setting up Kali Linux on WSL2 with a Graphical Interface. The installation process takes roughly 20 minutes.

      The main reason that SSH is the recommended method for this part, is so that we can copy-paste the commands from this guide.
      By setting up the Ubuntu VM with a static IP address earlier, it is easier for us to SSH into the machine from our host at any time using the address we took a note of.
      Even though we can use SSH clients to initiate the connection, the simplest way to do this is to open a terminal and type in the following command.

       ssh {VM_username}@{Ubuntu_VM_IP} 


      1. Once the SSH connection is established, first we will elevate our shell to root privileges by using the superuser command.

         sudo su

      2. Now we can download Sliver, a Command & Control (C2) framework developed by BishopFox. We want to make sure the full length of the following commands is copied as some of them might be extending to the lines beneath (line wrapped).

         # Download Sliver server for Linux binary
         wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server

         # Make it executable
         chmod +x /usr/local/bin/sliver-server

         # Install mingw-w64 for additional capabilities
         apt install -y mingw-w64

      3. Next, we will create a working directory which we will use in the following steps.

         # Create our working directory
         mkdir -p /opt/sliver


        If everything so far went smoothly, we are now ready to proceed to the next part of the Lab where we will work on sending a C2 payload to the Windows VM. We will then detect the various activities that are taking place with the help of Sysmon and LimaCharlie.

        Lastly, it's recommended to go through the LimaCharlie web interface and options to familiarize ourselves with the various sections, tools and actions it provides.



        Resources:

        So you want to be a SOC Analyst? Part 1