Setting up Attack vs Defend SOC Environment

Introduction

First and foremost, I would like to thank Gerald Auger from Simply Cyber for creating an incredibly informative YouTube video featuring SOC Expert Eric Capuano. It was through Auger’s video that I discovered Eric’s remarkable blog post titled “So You Want to Be a SOC Analyst?” I am truly grateful for their valuable insights and guidance, as they played a significant role in helping me build this lab. Here’s the link if you’d rather follow https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro

NOTE:

• This guide is recommended for a system with at least 8GB of RAM, best case 16GB+.
• Keep an eye on your system’s disk space as we’re potentially about to consume ~80-100GB of it.
• Many of the commands provided are expected we are in sync and using the same OS
• It is highly recommended to follow this guide in order, if you hop around you may have issues.

Setting up our virtual environment

1. Download and install a free trial of VMware Workstation.

• It is strongly encouraged using Workstation Pro versus the free VMware player as a few steps in this guide depend on features included in Workstation

2. Download and deploy a free Windows VM directly from Microsoft.

• a) Get the “VMWare” version of the workstation. (It’s a large download might recommend downloading overnight)
• b) Take note of the Expiration Date of your VM, it will stop working after that date, but we could always download a new one. (30 days is plenty of time)

3. Download the Ubuntu Server 22.04.1 installer ISO

Note: This specific SERVER VERSION is chosen because it comes preinstalled with the necessary packages.

4. Proceed to installing VMware Workstation like any other application.

5. Open up VMware workstation 17 and use the free trial option

Click “Yes to allow permissions and click finish to launch.

6. We will create a new VM in workstation

We will leave everything as default unless otherwise specified.

Let’s attach our ubuntu live server onto it and click “Next” and do the same with the next tab unless you’d like to change the name of the machine if you’d like

Allocate 14GB to the disk size and click “next”

Click “Custom Hardware” and change the specifications to the VM to

The VM will automatically run and install itself wait for it to install…

During the setup of the OS leave defaults unless otherwise specified

1. Use Tab to navigate, Space to check boxes, Enter to confirm
2. If, “Installer update available”
3. Choose “Continue without updating”

When we get to “Network Connections” section shown above, we need to do some steps to set a static IP address for the VM so it won’t change throughout the lab process

• Find out the gateway IP of our VMware Workstation NAT network
• In VMware Workstation, click “Edit” menu at top
• Click “Virtual Network Editor”
• Select the “Type: NAT” network
• Click “NAT Settings…”

Copy down the Subnet IP and Gateway IP we’ll need it for the next step:

In our case the subnet IP: 192.168.227.0 / Gateway IP: 192.168.227.2

Next, close the NAT settings and Virtual Network Editor windows.

Now let’s go to the Ubuntu Installer, let’s change the Interface to DHCPv4 to Manual.

Be sure to copy over the subnet and gateway IP from the previous step , but adding the /24 notation to subnet IP. The “Address” gets copied from what was previously assigned via DHCP.

When you’re done you should see this and from the arrow you would get the Address from there to input.

NOTE: Write down the Linux VMs IP address because you will need it multiple times throughout this guide.

Our IP address: 192.168.227.128

Keep clicking default configurations until you get to the user credential creation screen

Set an easy password to remember for lab demo purposes.

• Your name: user
• Your server’s name: attack
• Username: user
• Password: password

Install Open SSH server? Check Yes.

Continue installing OS until Installation is complete!

Hit Enter on Reboot Now if, it hangs on “removing the CDROM” just press enter

After the reboot, we will perform a quick connectivity check. Let’s login with our credentials we created earlier during the installation

1. Username: user
2. Password: password

Make sure DNS and outbound pings are working

ping -c 2 google.com

If your output looks like mine you're set! 

Setup your Windows VM

Lets go ahead and power on our Windows VM for the first time. It will launch as “user” and wait for the desktop to launch fully.

Disable Defender on Windows

Permanently disable Microsoft Defender so it doesn’t interfere with the shady stuff we are about to do :P. Make sure to follow the steps below as Defender is smart and will turn itself back on.

1. Click the “Start” menu icon
2. Click “Settings”
3. Click “Privacy & security” on the left
4. Click “Windows Security”
5. Click “Virus & threat protection”
6. Under “Virus & threat protection settings” click “Manage settings”
7. Toggle OFF the “Tamper Protection” switch. When prompted, click “Yes”

While you’re at it, toggle every other option OFF as well, even though we’re about to deal with it afterwards; close the window just opened

Let’s permanently disable defender via Group Policy Editor

1. Click the “Start” menu icon
2. Type “cmd” into the search bar within the Start Menu
3. Right+Click “Command Prompt” and click “Run as administrator”
4. Run the following commandgpedit.msc

Inside the Local Group Policy Editor

1. Click Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
2. Double-click “Turn off Microsoft Defender Antivirus”
3. Select “Enabled”
4. Click Apply
5. Click OK

If we enable this policy setting it will prevent Microsoft Defender from running and scanning our computer for malware or anything malicious.

Permanently Disable Defender via Registry

1. From the same administrative command prompt we previously opened, copy/paste this command and press Enter

REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

Prepare to boot into Safe Mode to disable all Defender services

1. Click the “Start” menu icon
2. type “msconfig” into the search bar within the Start Menu
3. Go to “Boot” tab and select “Boot Options”
   1. Check the box for “Safe boot” and “Minimal”

Click Apply and OK

1. Sytem will restart into Safe Mode

Now, in Safe Mode, we’ll disable some services via the Registry

1. Click the “Start” menu icon
2. Type “regedit” into the search bar and hit Enter
3. For each of the following registry locations, you’ll need to browse to the key, find the “Start” value, and change it to 4

1. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
2. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
3. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
4. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
5. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
6. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter

1. Leave Safe Mode the same way we got into it
   1. Click the “Start” menu icon
   2. type “msconfig” into the search bar within the Start Menu
   3. Go to “Boot” tab and select “Boot Options”
      1. Uncheck the box for “Safe boot”
      2. Click Apply and OK
   4. System will restart into normal desktop environment, now (hopefully) Defender-free.

1. Leave Safe Mode the same way we got into it
   1. Click the “Start” menu icon
   2. type “msconfig” into the search bar within the Start Menu
   3. Go to “Boot” tab and select “Boot Options”
      1. Uncheck the box for “Safe boot”
      2. Click Apply and OK
   4. System will restart into normal desktop environment, now (hopefully) Defender-free.

Prevent the VM from going into standby

1. Run as admin command prompt, and lets prevent our VM from going into sleep/standby during our lab creation as it may stay idle for too long and can get annoying copy into the prompt:

powercfg /change standby-timeout-ac 0

powercfg /change standby-timeout-dc 0

powercfg /change monitor-timeout-ac 0

powercfg /change monitor-timeout-dc 0

powercfg /change hibernate-timeout-ac 0

powercfg /change hibernate-timeout-dc 0

Install Sysmon in Windows VM

This is mostly optional as we don’t need it for this lab but it’s a must have analyst tool for aquiring granular telemetry on Windows Endpoint so I recommend it for familiarity reasons for later.

1. Launch an Administrative PowerShell console for the following commands
   1. Click the “Start” menu icon
   2. Type “powershell” into the search bar within the Start Menu
   3. Right+Click “Windows PowerShell” and click “Run as administrator”
2. Download Sysmon with the following command. Read more about Sysmon here.

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip

Unzip Sysom.zip

Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon

Download SwiftOnSecurity’s Sysmon config.

Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml

Install Sysmon with Swift’s config

C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml

Validate Sysmon64 service is installed and running

Get-Service sysmon64

Check for the presence of Sysmon Event Logs

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10

Install LimaCharlie EDR on Windows VM

LimaCharlie is a very powerful “SecOps Cloud Platform.” It also includes a cross-platform EDR agent, but is versatile in the sense it can handle all of the log shipping/ingestion and has a threat detection engine. Plus it has a free tier for up to two systems which is perfect for this lab!

1. Create a free LimaCharlie account. (Input anything till you get to next step)
2. Once you get to Create a new organization
3. Name: whatever you want, but it must be unique
4. Data Residency: whatever is closest
5. Demo Configuration Enabled: disabled
6. Template: Extended Detection & Response Standard

Once the org is created, click “Add Sensor”

1. Select Windows
2. Provide a description such as: Windows VM - Lab
3. Click Create
4. Select the Installation Key we just created

Specify the x86-64 (.exe) sensor, but then skip ahead to my instructions versus the ones provided.

IN THE WINDOWS VM, open an Administrative PowerShell prompt and paste the following commands:

cd C:\Users\User\Downloads

Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe

Shift into a standard command prompt by running this command

cmd.exe

Next, we will copy the install command provided by LimaCharlie which contains the installation key. Paste this command into your open terminal.

This is the expected output, ignore the “ERROR” that says “service installed!”

It worked for me but if you experience an error try installing via x86-64 MSI installer option instead.

If everything worked correctly it should sense that you connected to the LimaCharlie UI

Now let’s configure LimaCharlie to also ship the Sysmon event logs alongside its own EDR telemetry

1. In the left-side menu, click “Artifact Collection”
2. Next to “Artifact Collection Rules” click “Add Rule”
   1. Name: windows-sysmon-logs
   2. Platforms: Windows
   3. Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*
   4. Retention Period: 10
   5. Click “Save Rule”

LimaCharlie will now start shipping Sysmon logs which provide a wealth of EDR-like telemetry, some of which is redundant to LimaCharlie’s own telemetry, but Sysmon is still a very power visibility tool that runs well alongside any EDR agent.

1. The other reason we are ingesting Sysmon logs is that the previously built-in Sigma rules we previously enabled largely depend on Sysmon logs

That’s it for LimaCharlie for now later we will dive deep into it later on!

Pro Tip: Now would be a good idea to take a snapshot of our Windows VM just in case any errors occur later we can always fall back on this clean state.

Setup Attack System

Using the statically assigned IP address we copied down in the Linux VM installation process, let’s SSH onto the VM from your host system to make future CLI activities easier thanks to copy/paste magic.

ssh user@[Linux_VM_IP]

Now, from within this new SSH session, proceed with the following instructions to setup our attacker C2 server. First, let’s drop into a root shell to make life easier.

sudo su

Run the following commands to download Sliver, a Command & Control (C2) framework by BishopFox. I recommend copy/pasting the entire block as there is line-wrapping occurring.

Download Sliver Linux server binary
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
# Make it executable
chmod +x /usr/local/bin/sliver-server
# install mingw-w64 for additional capabilities
apt install -y mingw-w64

Now let’s create a working directory we’ll use in future steps

Create our future working directory
mkdir -p /opt/sliver

If everything worked as expected you should've been able to download Sliver successfully. In the next part, we will be dropping a C2 payload onto our Windows for a bunch of fun detection activities using Sysmon and LimaCharlie. 

Before Jumping into the next part, I recommend playing around with the LimaCharlie web interface by clicking "Sensors List" and clicking on the hostname we installed today and explore the options: 

• Timeline (this feature alone saved you an extra 2-3 hours of setting up other VMs!)
• Processes
  • Real-time list of process activity
• Network
  • Real-time list of active network connections and listening ports
• File System
  • Browse the entire file system!

In the next post, we will dive deeper into Lima Charlie, by messing around and finding out right 😛 in our Windows VM, exploring our telemetry generated, and write some detection rules like a real SOC analyst! I’ll see you in part 2 LETTTssss GOOOOOO!!! I’ll see you on the other side what are you waiting for!? 😉