In this blog post, we will explore the process of setting the stage for our SOC Analyst home lab, as well as setting up an attack-box to test our home lab. We will cover the installation of Ubuntu Server 22.04.1 and Windows 11 Enterprise, configuring network settings, disabling Microsoft Defender, installing Sysmon and LimaCharlie, and setting up a command and control (C2) framework called Sliver. Let’s dive in!
- Setting Up Virtual Machines: To begin, we downloaded and installed two virtual machines – Ubuntu Server 22.04.1 and Windows 11 Enterprise. These virtual machines provide us with separate environments for testing and experimentation.
- Configuring the Networks: To establish communication between the virtual machines, we created a virtual NAT network. For the Ubuntu Server, we switched the network configuration from DHCP to manual and entered the subnet, address, gateway, and nameserver details. This gave us control over the network settings and ensured proper connectivity between the two VMs.
- Disabling Microsoft Defender via Settings and Group Policy Editor: Since the Windows virtual machine came in the .ovf format, there was no need for installation. However, we permanently disabled Microsoft Defender so that it would not interfere with the attack-and-detect exercises planned for this lab. We disabled various settings, including tamper protection, and used the Group Policy Editor to turn off “Microsoft Defender Antivirus.”
- Disabling Microsoft Defender via Registry: To ensure complete disablement of Microsoft Defender, we made changes to the Windows Registry. We also modified the start values in the registry for specific services to prevent them from running during startup. By executing the following command, we disabled the anti-spyware functionality:

```cmd
REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
```
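Because the lab's later detection work depends on knowing exactly what state Defender is in, it helps to audit the result of these registry edits rather than trust that they took effect. The PowerShell script below is an added example (not from the original post): it reads the policy value set by the REG ADD command above, reports the registry start type of the Defender services, and asks Defender itself for its live status. The post does not name which services it changed, so the service list here (`WinDefend`, `WdNisSvc`, `WdFilter`, `WdBoot`) is an assumption based on the standard Defender service and driver names.

```powershell
# Added example: audit the Defender policy and service state changed in the post's
# registry steps. Run from an elevated PowerShell prompt on the Windows 11 lab VM.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Policy value written by the post's REG ADD command (1 = anti-spyware disabled by policy).
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($null -ne $policy) {
    "DisableAntiSpyware policy value: $($policy.DisableAntiSpyware)"
} else {
    "DisableAntiSpyware policy value: not set (Defender is not disabled by policy)"
}

# Registry start types: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Assumed set of Defender services/drivers; the post does not list which ones it edited.
$services = 'WinDefend', 'WdNisSvc', 'WdFilter', 'WdBoot'
foreach ($name in $services) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) {
        "{0,-10} start type: key not found" -f $name
    } else {
        "{0,-10} start type: {1} ({2})" -f $name, $start, $startNames[[int]$start]
    }
}

# Live status as reported by the Defender PowerShell module. If the service is fully
# disabled this cmdlet may fail, which is itself a confirmation of the change.
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected |
        Format-List
} catch {
    "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

On a production host the same script reads the other way round: a `DisableAntiSpyware` value of 1 or a `WinDefend` start type of 4 that nobody provisioned is a strong sign that something has tampered with the endpoint's protection, and is worth a detection rule of its own once Sysmon and LimaCharlie are in place.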
- Installing Sysmon and Configuring Event Logging: Next, we installed Sysmon, a powerful system monitoring tool, on the Windows VM. We used SwiftOnSecurity’s Sysmon config as the baseline configuration. We verified the installation and checked for the presence of Sysmon event logs to confirm that events were being written.
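The verification step above can be scripted so that it is repeatable every time the lab VM is rebuilt. The following PowerShell is an added example, not code from the original post or from the Sysmon project: it checks that the Sysmon service and driver are running, summarizes recent events in the `Microsoft-Windows-Sysmon/Operational` log by Event ID, and decodes the most recent process-creation events (ID 1) so that the command lines Sysmon captured are visible. The service name is assumed to be `Sysmon64` or `Sysmon`, the defaults when Sysmon is installed without a custom driver name.

```powershell
# Added example: confirm Sysmon is running and summarize what it has logged so far.
# Run from an elevated PowerShell prompt on the Windows 11 lab VM.

# Default service names for the 64-bit and 32-bit installers (assumed; no custom name used).
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if (-not $svc) { $svc = Get-Service -Name Sysmon -ErrorAction SilentlyContinue }
if ($svc) { "Sysmon service '$($svc.Name)' is $($svc.Status)" } else { "Sysmon service not found" }

# The kernel driver is installed as SysmonDrv by default.
$drv = Get-Service -Name SysmonDrv -ErrorAction SilentlyContinue
if ($drv) { "Sysmon driver 'SysmonDrv' is $($drv.Status)" } else { "Sysmon driver not found" }

$log = 'Microsoft-Windows-Sysmon/Operational'
$events = Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $events) {
    "No events found in $log yet; generate some activity and re-run."
    return
}

# Common Sysmon event IDs, for readability of the summary table.
$meaning = @{
    1  = 'Process Create'
    3  = 'Network Connect'
    7  = 'Image Loaded'
    10 = 'Process Access'
    11 = 'File Create'
    12 = 'Registry Key Create/Delete'
    13 = 'Registry Value Set'
    22 = 'DNS Query'
}

"Event ID breakdown of the last $($events.Count) events:"
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Count   = $_.Count
        Meaning = $meaning[[int]$_.Name]
    }
} | Format-Table -AutoSize

# Decode the EventData of the newest process-creation events into name/value pairs.
"Most recent process-creation events (ID 1):"
$events | Where-Object Id -eq 1 | Select-Object -First 5 | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
        ParentImage = $data['ParentImage']
    }
} | Format-List
```

If the event ID table is dominated by ID 1 and ID 3 entries and the process-creation listing shows real command lines, Sysmon and the SwiftOnSecurity config are working and LimaCharlie will have something to ship once its sensor is installed in the next step.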
- Setting Up LimaCharlie and Configuring Artifact Collection Rules: To add endpoint telemetry to the lab, we created a LimaCharlie account and set up an organization. We then installed a sensor on the Windows VM and configured artifact collection rules. This allowed LimaCharlie to start shipping the Sysmon logs, giving us visibility into the system’s activity.
- Setting Up Sliver C2 Framework: Finally, we focused on setting up a command and control (C2) framework called Sliver on our Ubuntu VM. This framework, developed by Bishop Fox, provides advanced capabilities for managing and controlling remote systems.
In this blog post, we have set the stage for the real fireworks of this project. After these preparatory steps, we will begin to attack our Windows VM, as well as detect and defend against these attacks. I hope you enjoy! 😀
4 Responses
Dude, you need to add images. Who is going to read this without images, man?
I enjoyed the read!
Good stuff.
Great read, Karl!