Download, configuration, integration and installation of...
- Windows 10 (VM)
- Kali Linux (VM)
- Ubuntu Server
- Windows Server 2022
- Virtual Box
- Splunk
- Sysmon
- Atomic Red Team
- Active Directory
- Domain Controller

I will be using a diagramming tool called draw.io to visualize the home lab environment. The home lab will consist of 2 servers, 1 switch, 1 router, 1 target PC, 1 attack machine and a cloud icon to represent the internet, with connections drawn to the appropriate devices.
Server: Splunk server will have an IP: 192.168.10.10
Server: Active Directory will have an IP: 192.168.10.7, with the Splunk Universal Forwarder and Sysmon installed
Target: Windows 10, IP: 192.168.10.100, with the Splunk Universal Forwarder, Atomic Red Team and Sysmon installed
Attacker: Kali Linux, 192.168.10.25
Both servers, the target and the attack machine will all connect to the switch, the switch will connect to the router, and the router will be connected to the internet. The target machine as well as the Active Directory server will be connected to the Splunk server to indicate the forwarding of logs to Splunk (dotted line without an arrow).
I installed VirtualBox and then installed Windows 10 (ISO), Windows Server 2022 (ISO), Ubuntu Server (ISO) and Kali Linux as virtual machines in VirtualBox. Using a meaningful naming convention, I gave each machine an appropriate username, machine/server name (e.g. admin, splunk) and a secure password.
I installed and configured Sysmon and the Splunk Universal Forwarder on the Windows machine (target) and the Windows Server so they can begin collecting telemetry and sending logs to the Splunk server. The steps are below.
1.) First, the network setting must be set to a NAT Network so that the virtual machines are on the same network and still have internet access.
This can be done by clicking on the three dots next to "Tools" in VirtualBox > select "Network" > select "Create".
Double click the new NAT network that was created and, at the bottom under the "General Options" tab, give the NAT network a name (e.g. "AD-HomeLab"). The IPv4 prefix will be the range we established for our network (e.g. 192.168.10.0/24). "Enable DHCP" should be left on; then click Apply.
2.) Now go into the settings of each machine and change the current network setting from "NAT" to the NAT Network we just created, and click OK to apply it to each machine.

3.) Logging into the Splunk server, you will notice that the IP of the server does not match the diagram drawn for the lab. We should change the IP of the server to a static one: run "ip addr" to see the machine's current IP, then "sudo nano /etc/netplan/" and press Tab to autocomplete the name of the YAML file in that directory. This file lets you disable DHCP and set a static IP for the machine.
4.) DHCP should be turned off by replacing "true" with "no" on the "dhcp4:" line. This tells netplan that you do not want a dynamic IP address assigned to the server.
Next we add an "addresses:" entry aligned with "dhcp4:" and give it our static IP from the diagram: [192.168.10.10/24].
Next, "nameservers:" should be aligned under our static IP address. Indented 4 spaces under "nameservers:" we add an "addresses:" line listing the DNS server the machine should use: [8.8.8.8] (Google's public resolver).
Then add "routes:" aligned with "dhcp4:", "addresses:" and "nameservers:". Under it we specify where our traffic should go ("- to: default"), which will be "via:" our gateway address (192.168.10.1).
Ctrl + X, "Y" and then "Enter" to save the configuration.
5.) Lastly, type the command "sudo netplan apply", then check the new static IP address with "ip addr" and try pinging google.com to ensure the network is connected.
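As an added example (not part of the original write-up), the following Python script builds the same netplan YAML that steps 3 to 5 edit by hand and validates the values before they are applied. The most common mistake when doing this by hand is a gateway or nameserver that is not actually inside the configured subnet, which leaves the server unreachable after "sudo netplan apply"; the validator catches that. The interface name "enp0s3" is an assumption (typical for the first VirtualBox NIC), so check yours with "ip addr".

```python
import ipaddress

# Added example, not from the original lab write-up. Renders a netplan static
# IP configuration and sanity-checks the values first. The interface name
# "enp0s3" used in __main__ is an assumption; confirm it with "ip addr".


def validate_static_config(address_cidr, gateway, nameservers):
    """Return the parsed interface, or raise ValueError describing the mistake."""
    iface = ipaddress.ip_interface(address_cidr)   # e.g. 192.168.10.10/24
    if iface.network.prefixlen == 32:
        raise ValueError("address needs a subnet length such as /24")
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        # Classic typo: gateway on a different subnet -> box becomes unreachable
        raise ValueError(f"gateway {gw} is not inside {iface.network}")
    if gw == iface.ip:
        raise ValueError("gateway must not be the host's own address")
    for ns in nameservers:
        ipaddress.ip_address(ns)  # raises ValueError on typos such as "8.8.8."
    return iface


def render_netplan(interface, address_cidr, gateway, nameservers):
    """Render the YAML netplan expects, using 'dhcp4: no' as in the lab steps."""
    iface = validate_static_config(address_cidr, gateway, nameservers)
    ns_list = ", ".join(nameservers)
    return (
        "network:\n"
        "  version: 2\n"
        "  ethernets:\n"
        f"    {interface}:\n"
        "      dhcp4: no\n"
        f"      addresses: [{iface.with_prefixlen}]\n"
        "      nameservers:\n"
        f"        addresses: [{ns_list}]\n"
        "      routes:\n"
        "        - to: default\n"
        f"          via: {gateway}\n"
    )


if __name__ == "__main__":
    # Lab values from the diagram: Splunk server 192.168.10.10/24, gateway .1
    print(render_netplan("enp0s3", "192.168.10.10/24", "192.168.10.1", ["8.8.8.8"]))
```

Write the printed text into the YAML file under /etc/netplan/ and run "sudo netplan apply" as in step 5; "to: default" is the modern spelling of the 0.0.0.0/0 route and is accepted by the netplan version shipped with Ubuntu Server 20.04 and later.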
6.) Go to Splunk's website, create an account, and go to Products / Free Downloads to download the Splunk Enterprise .deb package (Linux) for the Splunk server.
7.) On the Splunk server, type the command "sudo apt-get install virtualbox" to display the available options. We are looking for "virtualbox-guest-additions-iso". Type Y for yes, then hit Enter.
8.) At the top of the Splunk server's VM window, click "Devices" > "Shared Folders" > "Shared Folders Settings" > click the add folder icon. We then find the path where we downloaded the Splunk .deb and leave the name of the folder as is. Check all the boxes and hit OK. Afterwards, type "sudo reboot" in the Splunk server to reboot it, then log back in.
9.) We will now add our user to the vboxsf group with the command "sudo adduser <your_username> vboxsf". Note: if "The group 'vboxsf' does not exist" appears, type "sudo apt-get install virtualbox", find "sudo apt-get install virtualbox-guest-utils" and install it. After installation, run "sudo reboot", log on again and re-add the user.
10.) We will now create a new directory called "share", then mount the shared folder onto the "share" directory with this command:
sudo mount -t vboxsf -o uid=1000,gid=1000 <shared_folder_name> share/
11.) Afterwards we will cd into the "share" folder we created and run "ls -la" to see the contents of the shared folder, including the Splunk .deb package. We will then install the Splunk package onto the machine with "sudo dpkg -i splunk" followed by Tab to autocomplete the rest of the filename. Hit Enter and wait until it is completed.
Splunk will be installed in the /opt/splunk directory; cd into it and run "ls -la" to see that the files are owned by the user and group "splunk". Switch to the splunk user by typing "sudo -u splunk bash". We will cd into the bin directory and run the binary with "./splunk start". Hit Q and then Y to accept the user agreement, and input a username and password.
When installation is complete, use the following command to make sure Splunk starts up every time the VM reboots. First exit from the splunk user with the "exit" command. Then, as our own user, "cd bin" into the Splunk bin directory and type "sudo ./splunk enable boot-start -user splunk".
1.) We will open our target Windows machine and rename the PC to target-pc by typing "pc" in the search bar and clicking Properties. We will then click "Rename this PC", enter target-pc, click Next and restart the VM.
2.) Open cmd and check the IP with "ipconfig"; we need to change the IP of this machine to match the diagram. Right click the network icon, click "Open Network & Internet settings" > Ethernet > "Change adapter options", right click the adapter, click Properties, and double click "Internet Protocol Version 4 (TCP/IPv4)" (or select it and click Properties).
Click "Use the following IP address" and input the IP we assigned in the diagram: an IP of 192.168.10.100, a subnet mask of 255.255.255.0 and a default gateway of 192.168.10.1, with DNS server 8.8.8.8. Hit OK and re-check the IP with "ipconfig".
Go to the internet browser and browse to our Splunk server, which is listening on 192.168.10.10:8000 (the Splunk server must be up).
We will install the Splunk Universal Forwarder on the target VM. Go to splunk.com on the VM and download the Splunk Universal Forwarder as a Windows 64-bit package (you must be signed into your account).
Double click the downloaded package and agree to the license agreement. Make sure the "An on-premises Splunk Enterprise instance" box is selected and hit Next. Leave the username as admin and select "Generate random password". Skip the deployment server; the receiving indexer should be the Splunk server 192.10.10.10 : 9997. Then install.
We will download Sysmon from Microsoft, along with the Sysmon configuration by Olaf Hartong on GitHub (sysmon-modular): find sysmonconfig.xml, click Raw, Save As, and save it in the Downloads directory on the VM. Go to Downloads and "Extract All" from the Sysmon zip folder.
https://github.com/olafhartong/sysmon-modular
Open the extracted folder and copy its path from the File Explorer address bar, then open PowerShell (run as admin). cd into the copied path and type .\Sysmon64.exe -i ..\sysmonconfig.xml. Click Agree to install Sysmon.
We will then instruct the Splunk forwarder on what we want to send over to our Splunk server. The configuration file is called "inputs.conf" and the default copy is found under "This PC" > Local Disk (C:) > Program Files > SplunkUniversalForwarder > etc > system > default. Copy the inputs.conf file and make a new file under the "local" directory next to it. Do not edit the inputs.conf under the default directory.
Open Notepad as admin and, from the GitHub repository https://github.com/MyDFIR/Active-Directory-Project, copy and paste the "inputconfig" file into your Notepad. Take note of the "index=endpoint" setting. Save it as "inputs.conf" under Program Files > SplunkUniversalForwarder > etc > system > local, with "All Files" selected for "Save as type". Save.
We will now restart the Splunk Universal Forwarder service. Search for "Services", run as admin, and type "s" to find "SplunkForwarder Service". When this is found you should see "NT Service" under the "Log On As" column for the SplunkForwarder service. Double click the SplunkForwarder service, go to the Log On tab, select "Local System account", then hit OK after the message appears. You will now notice the "Log On As" column shows "Local System" for the Splunk service. You will also notice that Sysmon64 is running under Local System as well.
Right click the SplunkForwarder service, click Restart, click OK after the services message, then click Start to start the service.
We will now go to our Splunk Enterprise instance via the browser on the Windows machine at 192.168.10.10:8000 and log in using the same credentials we created on the Splunk server. We then navigate to the Settings tab and click on "Indexes". This is where we will create the index "endpoint" that the inputs.conf file sends events to.
Click "New Index" at the top right. Then type "endpoint" as the Index Name and save. Double check by scrolling down.
We will now make sure the Splunk server receives the data. Go to Settings > Forwarding and Receiving > Configure Receiving > New Receiving Port, type 9997 and save. Once set up, click "Apps" in the top left nav bar. Go to "Search & Reporting", skip the tour, and type "index=endpoint" into the search bar with a time range of "Last 24 hours". You will see the different events that have been recorded on the system.
You will see in the host field that we have our "target-pc".
You will also see the source and sourcetype fields, showing the Security, System, Application and Sysmon data that our inputs.conf specified.
We will do the same steps that we did on the Windows machine on the Windows Server. Hint: if you try to connect to the Splunk server and it is not listening, go to the server and input the command "systemctl status " to check the status. If the service status is "-1/FAILURE", type the command "sudo systemctl restart " to restart the service, then re-check the status; it should now be running.
We will log into our Windows Server machine and open Server Manager. Here we will click on "Manage" at the top right and choose "Add Roles and Features". Go through the prompt: click Next on the "Before you begin" page, select "Role-based or feature-based installation" and click Next, select the server (there should only be one, ADDC01) and click Next, then tick "Active Directory Domain Services" and keep clicking Next until it is installed ("Configuration required. Installation succeeded on ADDC01" when finished).
Go back to Server Manager and click the flag icon. Here you will notice "Promote this server to a domain controller"; click this option.
We will then click "Add a new forest" and give our domain a name with a top level domain (e.g. ADHomeLab.local). Continue through the prompt, provide a DSRM password, click Next, and a NetBIOS domain name will appear; click in the field and continue. In the "Paths" section it will show the paths where the database files are stored (NTDS, SYSVOL). These files are common targets, and unexpected access to them can be a clear indicator that a system is compromised. Click Next until the prerequisites check passes and the installation is completed. The server should restart and our new sign in screen should show a backslash in the username (DOMAIN\Administrator), indicating we installed AD DS and promoted the server to a DC.
We will now create users. Log into the server and go to Server Manager. Click on "Tools" in the top right corner and select "Active Directory Users and Computers". Click the domain, go to "Builtin", right click on the right hand side, click New > Group, and give the group a name. Click OK. Double click the test group that was just made, click "Member Of", then click Add. We will now add "Administrators", then click OK.
Right click the domain > New > "Organizational Unit" to create a department called "IT".
We will now right click the OU > New > User to create a new user named Jenny Smith, whose username will be jsmith. We will also uncheck "User must change password at next logon" because this is simply a lab environment. Give the user a simple password, hit Next, then Finish.
We will repeat the same steps to create a new OU (HR) and a new user (Terry Smith, username tsmith, with a password for the user).
We will now go to the Windows target machine, join it to the new domain we created, and authenticate it with Jenny Smith's account.
On the Windows 10 machine go to PC > Properties > Advanced system settings > Computer Name > Change > select "Domain" and type in your domain name. If presented with an error, go to Network & Internet settings > Change adapter options, right click the adapter, select Properties, click IPv4 and change our DNS server to our Domain Controller (192.168.10.7). Then click OK.
Return to the domain name dialog and click OK. We then input the administrator username and password of the server, which has the proper permissions. A welcome message should appear, followed by a prompt to restart.
We will now log in as Jenny Smith: select "Other user" after the restart and make sure the domain shown is the one we created. We will use jsmith and her password and we will be able to log in.
Log into the Kali machine to set up the static IP of 192.168.10.250 per the diagram. Select the ethernet icon at the top right of the screen and select "Edit Connections". Select the first wired connection > IPv4 Settings. If it is set to DHCP, change it to Manual, click Add, and type in IP: 192.168.10.250, Netmask: 24, Gateway: 192.168.10.1, DNS servers: 8.8.8.8, then save.
Open a terminal and type the command "ip a". You may notice the IP has not changed yet. Go to the ethernet connection icon at the top right of the screen, disconnect it and then reconnect to the wired connection. Type "ip a" in the terminal again and you will see it has changed to 192.168.10.250. Try pinging google.com and the Splunk server to verify connectivity.
Update and upgrade the repositories using the command "sudo apt-get update && sudo apt-get upgrade -y".
cd into the Desktop directory (cd Desktop) and make a directory (mkdir) called "ad-project".
We then install crowbar with "sudo apt-get install -y crowbar". Crowbar is a brute force tool used to perform attacks on services like RDP, SSH or other protocols that require authentication, using dictionaries (wordlists) for the brute force attack.
Kali Linux comes with wordlists that can be used in brute force attacks; we can cd into /usr/share/wordlists/ and ls to see the different wordlists. Here we will be using the wordlist rockyou.txt.gz.
Unzip the rockyou.txt.gz file using gunzip: "sudo gunzip rockyou.txt.gz". When completed, ls to see that rockyou.txt.gz is no longer shown in red and is now rockyou.txt.
We will now copy the rockyou.txt file into the ad-project folder we created with the command "cp rockyou.txt ~/Desktop/ad-project". Then cd into ad-project and run "ls -lh" in the folder.
rockyou.txt will display a file size of 134M. We will take the first 20 lines using the command "head -n 20 rockyou.txt" and redirect (>) them into a file called passwords.txt. We will then open passwords.txt in nano and at the bottom add our password for the Windows target machine. This is done to show how the brute force will work.
Sign in to the Windows machine as one of the users. Type "pc" in the search bar, right click to go to Properties, go to Advanced system settings and authenticate with the administrator account.
Go to the Remote tab and, under Remote Desktop, select "Allow remote connections to this computer". Click "Select Users" > Add to add Terry and Jenny Smith as allowed users. Click OK, OK, Apply and OK to finish.
Go back to the Linux machine and use the command "crowbar -b rdp -u jsmith -C passwords.txt -s 192.168.10.100/32".
-b specifies the service (rdp), -u specifies the user (jsmith), -C the password list (passwords.txt) and -s the server (target) IP (192.168.10.100/32). The /32 at the end of the IP is CIDR notation specifying that we are only targeting this single IP.
Crowbar should now find the password that matches the username we provided.
On the Windows machine, go to the Splunk instance to observe its telemetry.
Go to Search & Reporting, type in "index=endpoint jsmith" and change the time range to "Last 15 minutes" to see the events related to our brute force attack. Go to the "EventCode" field. Here you will see an event ID of 4625 with a count of 21 (on yours it should say 20; I added two extra passwords).
Searching the web for "event id 4625" tells us it is "a security event that indicates that the user account failed to log on".
In Splunk, selecting the event ID will automatically update our search bar. Scrolling through the events, you will notice that the failed logons all occur at almost the same time, which indicates a brute force attack.
If we change the EventCode to 4624, we will see the successful login that crowbar made to the account, as well as the login we made into the VM to access it.
When we click on "Show all 70 lines" it will show more information regarding the event. It will also show us the Kali machine from which the login was made and its IP of 192.168.10.250.
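The pattern we just read off the Splunk results (a burst of 4625 failures for one account from one source, then a 4624 success from the same source) is exactly what a detection rule should codify, so that you do not have to eyeball timestamps next time. The following Python script is an added example, not part of the original lab or of Splunk: it runs that logic over a constructed list of events shaped like Splunk's Windows Security field extractions. The field names (EventCode, Account_Name, Source_Network_Address) are assumptions about your extraction and may differ depending on which Windows add-on you use; the sample timestamps and the 20 failures are constructed to mirror what the crowbar run produced.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original write-up. Detects the brute force
# pattern seen in Splunk above. Field names are assumed to match the Windows
# Security log extractions; adjust them to your own sourcetype.

FAILED_LOGON = 4625   # "An account failed to log on"
SUCCESS_LOGON = 4624  # "An account was successfully logged on"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample: 20 failures within 3 seconds from the Kali host,
# then a success, plus one unrelated console failure as background noise.
SAMPLE_EVENTS = [
    {"time": f"2024-01-15 10:00:0{i % 3}", "EventCode": FAILED_LOGON,
     "Account_Name": "jsmith", "Source_Network_Address": "192.168.10.250"}
    for i in range(20)
] + [
    {"time": "2024-01-15 10:00:04", "EventCode": SUCCESS_LOGON,
     "Account_Name": "jsmith", "Source_Network_Address": "192.168.10.250"},
    {"time": "2024-01-15 09:30:00", "EventCode": FAILED_LOGON,
     "Account_Name": "tsmith", "Source_Network_Address": "127.0.0.1"},
]


def detect_bruteforce(events, threshold=10, window=timedelta(seconds=60)):
    """Return one alert per (source, account) pair that produced at least
    `threshold` 4625 events inside any `window`, noting whether a 4624 for
    the same pair followed the burst (i.e. the guess eventually worked)."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["Source_Network_Address"], e["Account_Name"])
        by_pair[key].append((parse_ts(e["time"]), e["EventCode"]))

    alerts = []
    for (src, acct), evs in by_pair.items():
        fails = [t for t, code in evs if code == FAILED_LOGON]
        start = 0
        # Sliding window over the sorted failure timestamps
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]
                succeeded = any(code == SUCCESS_LOGON and t >= last_fail
                                for t, code in evs)
                alerts.append({"src": src, "account": acct,
                               "failures": len(fails),
                               "success_after": succeeded})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_EVENTS):
        print(f"{a['src']} -> {a['account']}: {a['failures']} failures, "
              f"success afterwards: {a['success_after']}")
```

The threshold and window are the two knobs to tune: a single user mistyping a password produces a handful of 4625 events spread over minutes, while a dictionary attack produces tens of them per second, which is why the sample's 20 failures in 3 seconds trip the rule and the lone tsmith failure does not. The "success_after" flag is what turns a noisy alert into a high priority one.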
Open PowerShell with admin privileges, log in as admin and type the command "Set-ExecutionPolicy Bypass -Scope CurrentUser", hit Enter, type "Y", then Enter again.
Set an exclusion for the entire C: drive so Microsoft Defender does not remove some of the Atomic Red Team files.
Click the up arrow at the bottom, click Windows Security > Virus & threat protection > Manage settings. At the bottom, under Exclusions, click "Add or remove exclusions", select Folder, select "This PC", select our C: drive and click "Select Folder". Re-authenticate as admin and you will see the exclusion.
Now we will go to PowerShell again and install Atomic Red Team. Type in the command shown in the screenshot. Then type "y" and Enter to continue after it has downloaded. Then go to the AtomicRedTeam folder in "This PC" > Local Disk (C:).
Click the AtomicRedTeam folder and click "atomics", which maps back to technique IDs from the MITRE ATT&CK framework.
If you go to the MITRE ATT&CK framework, you can open the Matrix for Enterprise, highlight any of the entries and see the technique, which may be under the atomics folder. We can use the T1136.001 technique, which is a persistence tactic on a local account and is also available in the atomics folder. This technique allows you to "Create Account: Local Account".
Type the command into PowerShell as admin: "Invoke-AtomicTest T1136.001" (if it is not working, re-install with the command in the screenshot above).
Once complete, a NewLocalUser account should have been created and then deleted by the atomic test script. Go into Splunk and search for NewLocalUser events.
If we try the execution technique T1059.001 (PowerShell), Microsoft Defender should pop up. The events will also be visible in Splunk. If the events only show up in Splunk a few seconds later, that delay itself could be a gap in your security monitoring.
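The T1136.001 test leaves a very recognisable trace in the Security log: a 4720 ("A user account was created") for NewLocalUser followed almost immediately by a 4726 ("A user account was deleted") for the same account, because the atomic test cleans up after itself. A real attacker creating a throwaway local account for persistence looks the same, so "account created and deleted within minutes" is a worthwhile rule. The following Python script is an added example, not part of the original write-up or of Atomic Red Team: it pairs creation and deletion events per host and account over a constructed sample shaped like Splunk field extractions. The field names (host, EventCode, Target_Account, Subject_Account) are assumptions; the event IDs are the standard Windows Security log values.

```python
from datetime import datetime, timedelta

# Added example, not from the original write-up. Flags short-lived local
# accounts (created then deleted within max_lifetime), the trace the
# T1136.001 atomic test leaves behind. Field names are assumptions.

ACCOUNT_CREATED = 4720  # "A user account was created"
ACCOUNT_DELETED = 4726  # "A user account was deleted"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample: the atomic test on target-pc, plus a legitimate
# onboarding on the domain controller that is created and kept.
SAMPLE_EVENTS = [
    {"time": "2024-01-15 11:00:00", "EventCode": ACCOUNT_CREATED,
     "host": "target-pc", "Target_Account": "NewLocalUser",
     "Subject_Account": "Administrator"},
    {"time": "2024-01-15 11:00:02", "EventCode": ACCOUNT_DELETED,
     "host": "target-pc", "Target_Account": "NewLocalUser",
     "Subject_Account": "Administrator"},
    {"time": "2024-01-15 08:00:00", "EventCode": ACCOUNT_CREATED,
     "host": "ADDC01", "Target_Account": "tsmith",
     "Subject_Account": "Administrator"},
]


def detect_ephemeral_accounts(events, max_lifetime=timedelta(minutes=10)):
    """Return one alert per account that was deleted within max_lifetime of
    its creation on the same host, with who created it and how long it lived."""
    created = {}  # (host, account) -> (created_at, creator)
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["host"], e["Target_Account"])
        if e["EventCode"] == ACCOUNT_CREATED:
            created[key] = (parse_ts(e["time"]), e["Subject_Account"])
        elif e["EventCode"] == ACCOUNT_DELETED and key in created:
            created_at, creator = created.pop(key)
            lifetime = parse_ts(e["time"]) - created_at
            if lifetime <= max_lifetime:
                alerts.append({"host": key[0], "account": key[1],
                               "lifetime_seconds": int(lifetime.total_seconds()),
                               "created_by": creator})
    return alerts


def accounts_still_present(events):
    """Accounts created in the sample that were never deleted (for review)."""
    created = set()
    for e in events:
        key = (e["host"], e["Target_Account"])
        if e["EventCode"] == ACCOUNT_CREATED:
            created.add(key)
        elif e["EventCode"] == ACCOUNT_DELETED:
            created.discard(key)
    return sorted(created)


if __name__ == "__main__":
    for a in detect_ephemeral_accounts(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['account']} lived {a['lifetime_seconds']}s, "
              f"created by {a['created_by']}")
    print("still present:", accounts_still_present(SAMPLE_EVENTS))
```

Pairing by (host, account) matters: local accounts are logged by the endpoint itself, domain accounts by the domain controller, and mixing the two would produce false matches. The separate "still present" list covers the other half of the story, an account that was created but never cleaned up, which is the persistence case the technique is actually about.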
Reference Material: https://www.youtube.com/@MyDFIR https://attack.mitre.org/ https://github.com/olafhartong/sysmon-modular https://github.com/redcanaryco/atomic-red-team