Published by Fayth <3

Category: Web, HTML, Tech

Built a simple SOC Home Lab...

Greetings Minions,

I have just finished building a simple SOC home lab using a guide from LetsDefend. Following is what I learned and understood from the guide...

Before anything else, I had to install virtualization software (Oracle VirtualBox) on my host machine. Previously, my home computer had a virtual machine running Parrot OS, which I had primarily used for practicing cybersecurity. Eventually, I transitioned to just installing the OS on my laptop, which I am currently using. So, I never thought of installing a virtual machine on my laptop >_>


First of all, pfSense. I created a pfSense VM primarily to segment the different parts of the network. In the VM's network settings, I created three adapters:

  • RED, attached to NAT. This represents the external untrusted network, like the internet.
  • GREEN, attached to an Internal Network. This represents the trusted zone, which is to be monitored and protected.
  • DMZ, attached to a separate Internal Network (it must have a different network name from GREEN, otherwise the two adapters share one segment). This hosts public-facing services, so that a compromise there does not directly expose GREEN.
I assigned the interfaces in pfSense according to the above; em0 through em2 are matched to the adapters by their MAC addresses. RED = WAN, GREEN = LAN, DMZ = OPT1. Then, I configured the IP addresses. I left WAN on DHCP, so it gets an address from my host's connection. I gave LAN the static IPv4 address 192.168.10.254/24, as it will later be the gateway for the internal machines. No upstream gateway is set on LAN: pfSense itself is the gateway for that segment, and setting one there would create a routing conflict.

P.S. While I was installing pfSense, I encountered a problem that took me forever to figure out. After installation, when asked to reboot, the whole process restarted and I had to install it again. Turns out that when you leave the pfSense ISO mounted after installation and the VM reboots, the system boots from the ISO file again (not from the VMDK where it was just installed). And so, to fix it, I had to unmount the ISO before the reboot. Apparently, most hypervisors prioritize booting from optical drives over the hard disk unless you change the boot order.


Second, Windows Server and BadBlood. Here, I installed Windows Server 2022 on another VM to serve as the Active Directory Domain Controller that authenticates and authorizes users in the network. Its network adapter is set to GREEN, the internal environment. I set a static IPv4 address of 192.168.10.10/24, so it doesn't change on reboot, with the gateway pointing at the pfSense LAN interface. Then, I renamed the server to SOC-AD1.

In Server Manager, I installed Active Directory Domain Services on the server, then promoted it to a domain controller. A new forest was created with the domain name soc.lab. The domain is the container for all the objects (users, groups, and computers) that BadBlood will later populate. Promotion also installs the DNS Server role on this machine, which is why the workstation will later point its DNS at the server.

To simulate a more realistic and vulnerable environment, I ran BadBlood from PowerShell. By default it populates the AD with about 2,500 fake users, 500 groups, and 100 computers, along with misconfigurations.
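The server-side steps above, written out as one PowerShell session. This is an added example and not code from the original post or from the LetsDefend guide; it uses the values from the post (192.168.10.10/24, gateway 192.168.10.254, domain soc.lab, hostname SOC-AD1). Assumptions: the GREEN adapter is named "Ethernet" (check with Get-NetAdapter), and the BadBlood repository has been cloned to C:\BadBlood with its entry script Invoke-BadBlood.ps1.

```powershell
# Added example (not the post's own commands). Run as local Administrator on the
# fresh Windows Server 2022 VM. Values from the post; adapter name and BadBlood
# path are assumptions.
$Adapter  = "Ethernet"          # assumption: confirm with Get-NetAdapter
$ServerIP = "192.168.10.10"
$Gateway  = "192.168.10.254"    # pfSense LAN interface

# 1. Static addressing on the GREEN adapter. Drop the DHCP lease first so the
#    old address and default route do not linger next to the new ones.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ServerIP -PrefixLength 24 -DefaultGateway $Gateway
# A DC must resolve its own domain, so its DNS client points at itself.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ServerIP

# 2. Rename. The new name takes effect at the reboot that promotion forces anyway.
Rename-Computer -NewName "SOC-AD1" -Force

# 3. The "Add roles and features" step from Server Manager.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 4. Promote to the first DC of a new forest. -InstallDns adds the DNS role the
#    workstation will query later. The DSRM password is only for recovery mode.
$DsrmPassword = Read-Host -AsSecureString "DSRM password"
Install-ADDSForest -DomainName "soc.lab" -DomainNetbiosName "SOC" -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword -Force
# The server reboots here. Continue after logging on as SOC\Administrator.

# 5. Sanity checks before seeding anything.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Resolve-DnsName -Name soc.lab -Type A          # should answer with 192.168.10.10
# Optional: let the DC resolve internet names through pfSense's DNS Resolver.
Add-DnsServerForwarder -IPAddress $Gateway

# 6. BadBlood (https://github.com/davidprowe/BadBlood). Assumption: cloned to
#    C:\BadBlood; the script asks for confirmation before it starts creating objects.
Set-Location C:\BadBlood
Set-ExecutionPolicy Bypass -Scope Process -Force
.\Invoke-BadBlood.ps1

# 7. Confirm the seeding actually happened.
(Get-ADUser -Filter *).Count       # roughly 2,500 plus the built-in accounts
(Get-ADGroup -Filter *).Count
(Get-ADComputer -Filter *).Count
```

Step 1 matters more than it looks: if the adapter keeps its DHCP lease from pfSense, the server can end up with two IPv4 addresses and two default routes, and domain joins from the workstation become intermittent.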


Finally, Windows Workstation, Sysmon, and CrowdSec. Another VM, running Windows 10, is created here to represent a user machine in the domain that is being monitored for suspicious behavior. Since it sits in the internal environment alongside the AD server, its network adapter is attached to GREEN. The IPv4 address was statically set to 192.168.10.20/24, the gateway to the pfSense LAN interface, and the DNS server to the AD server's IP. Pointing DNS at the DC is what lets the workstation locate the domain controller when joining the domain. I then renamed the PC to SOC-WIN10. Make sure the gateway answers a ping before going further.

On the server, check the account name with whoami in a terminal. I used that username and the server's password to join the workstation to the soc.lab domain. Then, I installed Sysmon to log system activity into the Windows Event Log; its events appear in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. To specify what Sysmon should monitor, I used an .xml config file placed in Sysmon's folder and passed it to Sysmon at install time.
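The workstation steps above as one PowerShell session, with the checks I would run before the domain join. This is an added example and not code from the original post or the LetsDefend guide; values come from the post (192.168.10.20/24, gateway 192.168.10.254, DNS 192.168.10.10, domain soc.lab, hostname SOC-WIN10). Assumptions: the adapter is named "Ethernet", Sysmon has been unzipped to C:\Tools\Sysmon, and the config file there is called sysmonconfig.xml.

```powershell
# Added example (not the post's own commands). Run as local Administrator on
# the Windows 10 VM. Adapter name, Sysmon folder and config filename are assumptions.
$Adapter = "Ethernet"          # assumption: confirm with Get-NetAdapter
$DcIP    = "192.168.10.10"
$Gateway = "192.168.10.254"

# 1. Static IP, with DNS pointed at the DC so the join can find soc.lab.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress "192.168.10.20" -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIP

# 2. The ping check from the post, plus the DNS checks that decide whether the
#    join will work: the domain A record and the DC locator SRV record.
Test-NetConnection -ComputerName $Gateway                      # pfSense LAN interface
Resolve-DnsName -Name soc.lab -Type A                          # must return 192.168.10.10
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.soc.lab -Type SRV   # must return soc-ad1.soc.lab
Test-NetConnection -ComputerName $DcIP -Port 389               # LDAP reachable

# 3. Rename and join in one call. The credential is the domain Administrator,
#    which is what whoami shows on the DC after promotion (SOC\administrator).
$Cred = Get-Credential -UserName "SOC\Administrator" -Message "Domain admin credential"
Add-Computer -DomainName "soc.lab" -NewName "SOC-WIN10" -Credential $Cred -Restart

# After the reboot, log on as SOC\Administrator and install Sysmon with the
# config: -i installs the driver and service with that config, -c would only
# reload the config on an already installed Sysmon.
Set-Location "C:\Tools\Sysmon"                   # assumption
.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml

# 4. Confirm events are flowing. ID 1 = process creation, 3 = network connection,
#    11 = file created; this is the log the post refers to in Event Viewer.
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10 |
    Format-Table TimeCreated, Id, ProviderName -AutoSize
Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 1} -MaxEvents 3 |
    Select-Object -ExpandProperty Message
```

If the SRV lookup in step 2 fails while the A record works, the DNS server is reachable but the host is not yet a DC (or the DNS role was not installed during promotion); the join will fail with a "domain could not be contacted" error until that is fixed.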

Then, to establish an IDS, I installed CrowdSec on both the server and the workstation to detect RDP and SMB brute force.

This is extended by installing, from PowerShell, a collection of parsing rules for reading Windows Firewall logs. The parser knows the format of each log entry, and the collection's scenarios describe the patterns to alert on (CrowdSec does nothing with a log until you tell it explicitly how to read it):
.\cscli collections install crowdsecurity/windows-firewall

To have CrowdSec read pfirewall.log and treat it as a firewall log (using the parser I just installed), I edited the acquis.yaml config file. Note that Windows Firewall does not write pfirewall.log at all until logging is turned on in the firewall profile settings, so check that the file exists first:
---
filenames:
  - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log
labels:
  type: windows-firewall

Then, to establish an IPS, I installed the CrowdSec Windows Firewall Bouncer, which automatically blocks the IPs that CrowdSec decides against.
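The CrowdSec steps above as one PowerShell session, including the firewall-logging switch the post depends on and the checks that show the agent is really parsing the file. This is an added example and not code from the original post or the LetsDefend guide. Assumptions: the CrowdSec MSI is already installed with its defaults as I know them (cscli.exe in C:\Program Files\CrowdSec, configuration under C:\ProgramData\CrowdSec\config, Windows service named crowdsec), and the bouncer MSI has been downloaded to the Downloads folder under the filename shown.

```powershell
# Added example (not the post's own commands). Run as Administrator on each
# Windows host after installing the CrowdSec MSI. Paths and service name are
# assumptions based on the installer defaults.
$CsDir  = "C:\Program Files\CrowdSec"
$Acquis = "C:\ProgramData\CrowdSec\config\acquis.yaml"

# 1. Windows Firewall logging is off by default on every profile, so pfirewall.log
#    does not exist until this runs. Blocked packets are what the brute-force and
#    port-scan scenarios look at; allowed connections are optional and noisy.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True -LogAllowed False `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" -LogMaxSizeKilobytes 32767
Test-Path "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"   # True once something is dropped

# 2. The collection from the post: parser for the pfirewall.log format plus scenarios.
& "$CsDir\cscli.exe" collections install crowdsecurity/windows-firewall
# Caveat: a firewall log only sees dropped packets. Failed RDP/SMB logons that the
# firewall allowed show up as Security event 4625, which the crowdsecurity/windows
# collection (event-log acquisition) covers, so install that as well.
& "$CsDir\cscli.exe" collections install crowdsecurity/windows

# 3. Acquisition entry from the post, appended as its own YAML document so the
#    installer's default entry is kept intact.
$Entry = @"

---
source: file
filenames:
  - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log
labels:
  type: windows-firewall
"@
Add-Content -Path $Acquis -Value $Entry
Restart-Service -Name crowdsec

# 4. Verify before trusting it: the acquisition and parser tables in the metrics
#    output should show non-zero read/parsed counts for the firewall file.
& "$CsDir\cscli.exe" hub list
& "$CsDir\cscli.exe" metrics

# 5. Bouncer (the IPS half). Filename is an assumption; after installation it
#    must appear as a valid, registered bouncer.
msiexec /i "$env:USERPROFILE\Downloads\crowdsec-windows-firewall-bouncer.msi" /qn
& "$CsDir\cscli.exe" bouncers list

# 6. What was detected and what is currently being blocked.
& "$CsDir\cscli.exe" alerts list
& "$CsDir\cscli.exe" decisions list
```

The metrics check in step 4 is the one I would not skip: an acquisition entry that points at a file with no traffic, or one that the parser does not recognize, produces no alerts and no errors, so "zero alerts" on its own proves nothing.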


AUUUUUGGHHHHH. ANywyays.... ^_^


I don't have a detailed plan of what I want to do next with this home lab, but these are what I want to do in this specific order:
1. study log analysis stuffs
2. create scripting for automation stuffssss
3. red team / blue team stufffffffffffffffssssssssssss

P.S PLEAZE TELL ME IF I DID OR SAY ANYTHING INCORRECT I WANNA LEARN TNX <3

