The objective of this project is to design and deploy a comprehensive network security infrastructure using virtual machines in VirtualBox. The project aims to simulate a real-world IT environment with the following components:

- Splunk Enterprise deployed on an Ubuntu server for security information and event management (SIEM) to monitor, analyze, and visualize security data.
- Active Directory hosted on a Windows Server for centralized authentication and user management.
- A Windows client machine to simulate end-user activity within the network.
- A Kali Linux machine to simulate a potential attacker's perspective, used for penetration testing and security assessments.

This project demonstrates the integration of different technologies to create a secure network environment, while providing real-time data analytics and monitoring capabilities through Splunk.

- Virtualization using VirtualBox
- Installation and configuration of Ubuntu Server and Windows Server
- Deployment and setup of Splunk Enterprise on Linux
- Configuration of Active Directory Domain Services (AD DS) on Windows Server
- Creation and management of users, groups, and organizational units in Active Directory
- Joining Windows machines to an Active Directory domain
- Basic networking setup (static IP, DNS configuration, etc.)
- Installation and configuration of Sysmon (System Monitor) for detailed Windows event logging
- Deployment and configuration of Splunk Universal Forwarder on Windows machines
- Log forwarding from Windows endpoints to Splunk using Universal Forwarder
- Creating and using Splunk dashboards, alerts, and SPL (Search Processing Language) queries
- Simulating a brute-force attack using Hydra on an Active Directory login interface
- Analyzing attack behavior and detecting brute force attempts through Sysmon logs in Splunk
- Conducting basic penetration testing and attack simulation using Kali Linux

- Splunk Enterprise as a Security Information and Event Management (SIEM) system for log ingestion, analysis, and real-time security monitoring.
- Sysmon (System Monitor) for detailed Windows event logging to capture system-level events and enhance visibility into suspicious activity.
- Splunk Universal Forwarder to forward logs from Windows endpoints to the Splunk server for centralized analysis.
- Hydra for simulating a brute-force attack on Active Directory login credentials.
- Kali Linux as a penetration testing platform for simulating attacks and assessing the network's security posture.
- Active Directory for user management, authentication, and simulating real-world corporate network environments.
Based on the diagram below, we create a network with an Ubuntu server hosting Splunk, a Windows Server 2022 machine serving as Active Directory, a Windows 10 client, and Kali Linux for attack simulation.

We installed 4 virtual machines in VirtualBox: Windows Server 2022 with Active Directory, Windows 10, Ubuntu server with Splunk, and Kali Linux for attacks.

In VirtualBox, under Tools → NAT Networks, we click on "Create" to set up a network for our virtual machines.

After creating the network, we configure the network name and IPv4 scope in the general options.

Once finished, we should see the changes under the NAT networks tab as shown in the picture.

Next, we configure each virtual machine to use the newly created network.

First, we configure the Ubuntu server.

In the netplan configuration file 50-cloud-init.yaml, we set a static IPv4 address for the server according to our network scheme.

Then we download the Splunk Enterprise .deb version for Linux from the official website.

To install this file on the Ubuntu server, we create a shared folder in VirtualBox.

We install the tools and drivers necessary for VirtualBox interaction.

We add our user (splunk) to the vboxsf group and create a shared folder with access to the Splunk installation file.

We use the mount command to link the shared folder with the Ubuntu server; the picture below shows how it looks.

We start the Splunk installation on the server.

After installation, we configure Splunk to start automatically on system boot.

Once Splunk is installed, we move to the Windows machine and set the IPv4 address and DNS.

Then we download and install the Splunk Forwarder from the Splunk website.

We set the username as admin and let the system generate the password automatically.

Next, we configure the forwarding settings to send logs to the Splunk server address.

After installation, we download Sysmon for generating logs on the Windows machine.

We use a configuration file for Sysmon from Olaf Hartong's GitHub repository.

We run Sysmon installation in PowerShell with the -i flag to specify the configuration file.

Then we create the inputs.conf file in the forwarder's local configuration folder and configure the target index and the Windows event log channels to collect.

We also set the service to run under the Local System account for maximum privileges.

The Splunk configuration for the Windows server is identical to the Windows client configuration.

In the browser, entering 192.168.10.10:8000 in the address bar opens the Splunk login page.

After logging in, we see the Splunk dashboard.

Next, in Splunk we create the index named in the forwarder's inputs.conf file, so that the forwarder has a destination for the logs it sends.

We also enable receiving on the port where the server accepts forwarded data (9997 is the default).

In the search bar, we can search all logs sent to index=endpoint.

Next, we configure the Windows Server by setting its IPv4 address.

From the Manage drop-down menu in Server Manager, we start the domain controller installation by selecting Role-based or feature-based installation.

We select our Windows Server.

Under Server Roles, we choose Active Directory Domain Services and click Add Features.

We confirm the installation and proceed.

After installation, we configure the domain.

We select Add a new forest and assign a domain name.

On the next page, we set the Directory Services Restore Mode (DSRM) password and continue.

If everything installs successfully, we see the domain name in front of the username.

To add new users, we open Active Directory Users and Computers from the Tools menu.

Right-clicking the domain name, we first create an Organizational Unit (OU).

We created the OU named IT.

Right-clicking the OU and selecting New → User, we create users and set their usernames and passwords.

The same process is repeated for the HR department.

After creating the accounts, we return to the Windows client and set its DNS server to the Windows Server IP address.

Then we go to PC Properties → Advanced System Settings.

Under the Computer Name tab, we click Change.

We select Domain and enter the domain name we set on Windows Server (project.local).

To apply the change, we enter the credentials of the Windows Server administrator account when prompted.

If successful, we see a welcome message.

On the next login screen, we see the domain name below the login field; using the created domain credentials, we can log in.

To simulate a brute-force attack, we configure the IPv4 address on the Kali Linux virtual machine.

We copy 20 passwords from rockyou.txt into password.txt, placing our correct password at the end.

Before running the brute-force attack, we return to the Windows client and open System Properties.

Under Advanced System Settings → Remote, we enable Allow remote connections to this computer.

Clicking Select Users → Add, we add users allowed to use RDP (Remote Desktop Protocol).

The Remote Desktop Users window shows added users; after clicking OK and Apply, RDP is enabled, allowing brute-force attacks from Kali Linux.

We use Hydra for the brute-force attack with the following flags: -l (username), -P (password list), -t (threads), and the target IP address. We specify rdp because we use the RDP protocol.

Back in the Splunk web interface, we search index=endpoint EventCode=4625 (the failed logon event).

Search results show multiple failed attempts within a second, indicating a brute-force attack.

We then search for EventCode=4624 (successful login) to confirm successful access.

Clicking Show all lines reveals the attacking machine's name and IP address.
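As an added example (not part of the original project), the detection step above expressed as a script over constructed sample events: it applies the same 4625/4624 logic, counts failed RDP logons (logon type 10) per source address inside a sliding one-minute window, and reports whether a successful logon from the same source followed the burst. The Splunk field names quoted in the docstring (Logon_Type, Source_Network_Address) are as Splunk extracts them from the classic WinEventLog format; the addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, code, src, logon_type=10):
    """Constructed Security event record: 4625 = failed logon,
    4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)."""
    return {"_time": datetime.strptime(f"2024-05-01 {t}", "%Y-%m-%d %H:%M:%S"),
            "EventCode": code, "src": src, "LogonType": logon_type}

ATTACKER, CLIENT = "192.168.10.250", "192.168.10.100"  # made-up lab addresses
# Constructed sample, not captured from the lab: six failures in three seconds
# followed by the correct password (the Hydra run), plus a user who mistyped a
# password twice, minutes apart, then logged in (must not be flagged).
SAMPLE_EVENTS = [ev(t, 4625, ATTACKER) for t in
                 ("10:00:00", "10:00:00", "10:00:01", "10:00:01", "10:00:02", "10:00:02")]
SAMPLE_EVENTS += [ev("10:00:03", 4624, ATTACKER),
                  ev("09:40:00", 4625, CLIENT), ev("09:43:00", 4625, CLIENT),
                  ev("09:44:00", 4624, CLIENT)]

def detect_rdp_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: (failures_in_window, success_followed)} for each source with
    >= threshold failed RDP logons inside one `window`. Splunk counting step:
    index=endpoint EventCode=4625 Logon_Type=10 | bin _time span=1m
    | stats count by _time, Source_Network_Address | where count>=5"""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["LogonType"] != 10:           # only RDP (RemoteInteractive) logons
            continue
        if e["EventCode"] == 4625:
            failures[e["src"]].append(e["_time"])
        elif e["EventCode"] == 4624:
            successes[e["src"]].append(e["_time"])
    findings = {}
    for src, times in failures.items():
        times.sort()
        best, burst_start, lo = 0, None, 0
        for hi, t in enumerate(times):     # sliding window over sorted failure times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, burst_start = hi - lo + 1, times[lo]
        if best >= threshold:              # a 4624 after the burst began = likely compromise
            followed = any(s >= burst_start for s in successes[src])
            findings[src] = (best, followed)
    return findings

if __name__ == "__main__":
    for src, (n, ok) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {n} failed RDP logons within 60s; success followed: {ok}")
```

The threshold and window are the knobs to tune against the baseline of ordinary mistyped passwords seen in the environment.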
