Credit goes to Eric Capuano for writing "So you want to be a SOC Analyst?" and putting together this lab!
- Hands-on experience with EDR (Endpoint Detection and Response) and C2s (Command and Control)
- VirtualBox or VMWare
- Windows VM
- Linux VM
- Sysmon
- LimaCharlie
- Sliver
- Install VirtualBox
- Download and deploy a Windows VM
- Download and deploy a Linux Server VM.
- Download and install Sysmon to provide granular telemetry on Windows Endpoints.
- Download and install SwiftOnSecurity Sysmon config
- Validate Sysmon is running
- Create a LimaCharlie account
- Install LimaCharlie on the Windows VM
- Add a rule to allow LimaCharlie to receive the Sysmon event log
- Download and install Sliver
- Create a directory for Sliver: `/opt/sliver`
- Generate a C2 session payload using Sliver in `/opt/sliver` by running `sliver`
- Confirm the new implant configuration
- Start a Python web server with the command `python3 -m http.server 80` to transfer the payload generated by Sliver to the Windows VM
- Start a Sliver HTTP listener by running `sliver-server` and then `http` while in Sliver
- Execute the C2 payload on the Windows VM
- Conduct hash analysis using VirusTotal
This file did not show up in VirusTotal because VT has never seen it before! Eric Capuano states "This actually makes a file even more suspicious because nearly everything has been seen by VirusTotal".
- In Sliver (still connected to the HTTP listener session), run the command `procdump -n lsass.exe -s lsass.dmp`
- Look at the timeline of the Windows VM sensor and filter for "SENSITIVE_PROCESS_ACCESS". This will show the event where lsass was accessed.
- Create a D&R (Detection & Response) rule that will alert any time this event occurs. The detection section only looks at SENSITIVE_PROCESS_ACCESS events where the accessed process path ends with lsass.exe; the response section generates a detection report named "LSASS access".
- Test the new LSASS rule
- Save the rule as "LSASS Accessed"
- Run the procdump command again
- Look in the "Detections" tab of LimaCharlie. As you can see, our new rule worked, and the event is captured!
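For reference, this is how the detection described above is expressed in LimaCharlie's D&R rule syntax. It is an added illustration, not text reproduced from this write-up or from Eric Capuano's lab; the event name, the target-path field (`event/*/TARGET/FILE_PATH`) and the report name are assumptions based on the steps above and should be checked against the event as it appears in your own sensor timeline.

```yaml
# Added example: LimaCharlie D&R rule that reports any access to lsass.exe.
# Field names are assumptions; confirm them against a real SENSITIVE_PROCESS_ACCESS event.
detect:
  event: SENSITIVE_PROCESS_ACCESS      # emitted when a process opens a handle to a sensitive process
  op: ends with
  path: event/*/TARGET/FILE_PATH        # full path of the process being accessed
  value: lsass.exe
  case sensitive: false
respond:
  - action: report                      # report only: no response action yet
    name: LSASS access
```

Because legitimate security software also opens handles to LSASS, expect some benign matches on a real fleet; the usual next step is to keep the rule in report-only mode and add exclusions for the source processes you know are expected (the `event/*/SOURCE/FILE_PATH` side of the event), rather than loosening the lsass.exe match.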
- As Eric Capuano states in his post "Volume Shadow Copies provide a convenient way to restore individual files or even an entire file system to a previous state which makes it a very attractive option for recovering from a ransomware attack". So as an attacker, we are deleting the copies so there is no way to recover from the ransomware attack.
- Run the `shell` command
- Run the `vssadmin delete shadows /all` command
- Run `whoami`
- Look in the Detections tab of LimaCharlie
- Make a new D&R rule for Shadow Copies Deletion. The `action: report` tells LimaCharlie to create a detection report, and the `action: task` is what will be used to block the attack by killing the parent process of the `vssadmin delete shadows /all` command.
- Run the `vssadmin delete shadows /all` command again and run `whoami`. `whoami` didn't return anything because the D&R rule worked successfully: the rule terminated the parent process of `vssadmin delete shadows /all`, making the shell hang and `whoami` return nothing.
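The report-and-block rule from the last steps, written out in LimaCharlie's D&R syntax as an added example (not text from this write-up or from the lab itself). The `NEW_PROCESS` event, the `event/COMMAND_LINE` path, the `is windows` operator and the `deny_tree` task are assumptions about the sensor's schema and task set; the `<<routing/parent>>` template is what makes the task act on the parent of the matching process rather than on the process itself.

```yaml
# Added example: LimaCharlie D&R rule that reports shadow copy deletion and
# terminates the process tree that launched it. Event and path names are assumptions.
detect:
  event: NEW_PROCESS                    # fires for every process start
  op: and
  rules:
    - op: is windows                    # only evaluate on Windows sensors
    - op: contains
      path: event/COMMAND_LINE
      value: vssadmin delete shadows    # case of the arguments may vary; see note below
respond:
  - action: report                      # detection report, as in the LSASS rule
    name: vss_deletion
  - action: task                        # active response: kill the parent and its children
    command:
      - deny_tree
      - <<routing/parent>>
```

Two points a practitioner would check before enabling the `task` action outside a lab: first, `deny_tree` on the parent is what hangs the implant's shell in this exercise, but the same action will kill a backup agent that legitimately runs `vssadmin`, so run the rule report-only first and exclude known parents; second, add `case sensitive: false` to the `contains` rule if you want `VSSADMIN Delete Shadows` to match as well, and consider a second rule for the equivalent `wmic shadowcopy delete` command line, which this rule does not cover.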