SOC LimaCharlie Sliver Lab

Credit goes to Eric Capuano for writing "So you want to be a SOC Analyst?" and putting together this lab!

Learning Objective

• Hands-on experience with EDR (Endpoint Detection and Response) and C2s (Command and Control)

Tools & Requirements

1. VirtualBox or VMWare
2. Windows VM
3. Linux VM
4. Sysmon
5. LimaCharlie
6. Sliver

Step 1: Set up a Windows/Linux Server VM

1. Install VirtualBox
2. Download and deploy a Windows VM
3. Download and deploy a Linux Server VM.

Step 2: Disabling Windows Defender

1. Disable Tamper Protection
2. Disable Defender via Group Policy Editor

Step 3: Installing Sysmon (Windows VM)

1. Download and install Sysmon to provide granular telemetry on Windows Endpoints.
2. Download and install SwiftOnSecurity Sysmon config
3. Validate Symon is running

Step 4: Installing LimaCharlie (Windows VM)

1. Create a LimaCharlie account
2. Install LimaCharlie on the Windows VM
3. Add a rule to allow LimaCharlie to receive the Sysmon event table

Step 5: Installing/Creating a payload with Sliver C2 (Linux VM)

1. Download and install Sliver
2. Create a directory for sliver: /opt/sliver
3. Generate a C2 session payload using sliver in /opt/sliver by running sliver
4. Confirm the new implant configuration

Step 6: Python Server

1. Start a Python server with the command python3 -m http.server 80 to transfer over the payload generated by Sliver to the Windows VM

Step 7: Start a Command and Control Session

1. Start an Sliver HTTP listener by running the commands sliver-server and http while in Sliver
2. Execute the C2 payload on the Windows VM

Step 8: Observe the EDR(LimaCharlie) Telemetry

1. Conduct hash analysis using VirusTotal This virus did not show up in VirusTotal because VT has never seen the file! Eric Capuano states "This actually makes a file even more suspicious because nearly everything has been seen by VirusTotal".

Step 9: Stealing credentials with Sliver

1. In Sliver (still connected to the http listener session) run the command procdump -n lsass.exe -s lsass.dmp

Step 10: Detecting the stolen creds with LimaCharlie

1. Look at the timeline of the Windows VM sensor and filter for "SENSITIVE_PROCESS_ACCESS". This will show the event where lsass was accessed.
2. Create a D&R(Detection & Response) rule that will alert anytime this event occurs. This rule specifies that the detection will only look at SENSITIVE_PROGRESS_ACCESS where the process ends with lsass.exe. The response section generates a detection report with the name LSASS access.
3. Test the new rul LSASS rule
4. Save the rule as LSASS Accessed

Step 11: Detect LSASS Accessed

1. Run the procdump command again
2. Look in the "Detections" tab of LimaCharlie. As you can see, our new rule worked, and the event is captured!

Step 12: Perform a ransomware attack! (Kinda)

1. As Eric Capuano states in his post "Volume Shadow Copies provide a convenient way to restore individual files or even an entire file system to a previous state which makes it a very attractive option for recovering from a ransomware attack". So as an attacker, we are deleting the copies so there is no way to recover from the ransomware attack.
2. Run the shell command
3. Run the vssadmin delete shadows /all command
4. Run whoami

Step 13 Detect and Block the Attack

1. Look in the Detections tab of LimaCharlie
2. Make a new D&R rule for Shadow Copies Deletion. The action:report tells LimaCharlie to create a Detection report and the action:task is what will be used to block the attack by killing the parent process of the vssadmin delete shadows /all command.
3. Run the vssadmin delete shadows /all command again and run whoami. Whoami didnt return anything because the D&R rule worked successfully. The rule terminated the parent process of vssadmin delete shadows /all making the shell hang and whoami not returning anything.