So you want to be a SOC Analyst? Part 1

blog.ecapuano.com

Set up a small virtualization environment (2 small VMs)

Eric Capuano
Feb 24
If you just landed here, be sure to check out the Intro to this series for backstory.

NOTE:

  • This guide is recommended for a system with at least 8GB of RAM, best case 16GB+.

  • Keep an eye on your system’s disk space as we’re potentially about to consume ~80-100GB of it.

  • Many of the commands provided assume you are using exactly the systems I prescribe. If you decide to use different systems (like your own Windows VM, etc.), you’ll need to tweak those commands accordingly.

  • Unfortunately, I cannot support issues that go beyond the instructions here. If you come up against a problem I haven’t described, you’ll need to polish up those Google-Fu skills. If you get hopelessly stuck on a particular set of steps, consider starting fresh with a new VM or using snapshots to revert to known good states.

  • It is highly recommended to follow this guide in order; if you hop around, you may have issues.

Set up your virtual environment

  1. Download and install a free trial of VMware Workstation

  2. Download and deploy a free Windows VM directly from Microsoft.

    1. Get the “VMWare” version of the workstation.

    2. Take notice of the “Expiration date” of your VM; it will stop working after this date, but you can always download a new one.

    3. Once downloaded, unzip the VM and double-click the WinDev####Eval.ovf file to import the VM into VMware, but do not start it up yet.

  3. Download and install Ubuntu into a new VM

    1. Download the Ubuntu Server 22.04.1 installer ISO.

    2. Once downloaded, create a new VM in Workstation with the following specs:

      1. Use the downloaded ISO as the installer image

      2. 14GB Disk size

      3. Customize Hardware

        1. 2 CPU cores

        2. 2GB RAM

      4. During OS install, leave defaults unless otherwise specified

        1. Use Tab to navigate, Space to check boxes, Enter to confirm

        2. “Installer update available”

          1. “Continue without updating”

        3. Set a memorable username/password (this is just a lab)

          1. Your name: user

          2. Your server’s name: attack

          3. Username: user

          4. Password: password

        4. Install OpenSSH server?

          1. [check/yes]

        5. Continue installing OS until “Install complete!”

        6. Hit Enter on [ Reboot Now ]

          1. If it hangs on “removing the CDROM” just press Enter

Set up your Windows VM

  1. Go ahead and “power on” your Windows VM for the first time.

    1. It will automatically log you in as “user”.

    2. Wait for the desktop to appear.

Disable Defender on Windows VM

Permanently disable Microsoft Defender so it doesn’t interfere with the shady stuff we’re planning. This is trickier than it sounds (especially in Windows 11) as Defender will turn itself back on, so follow ALL of these instructions verbatim in the exact order below.

These steps are closely derived from this guide and this one as well, but with fewer screenshots. If you need more guidance, see the original guides.

  1. Disable Tamper Protection

    1. Click the “Start” menu icon

    2. Click “Settings”

    3. Click “Privacy & security” on the left

    4. Click “Windows Security”

    5. Click “Virus & threat protection”

    6. Under “Virus & threat protection settings” click “Manage settings”

    7. Toggle OFF the “Tamper Protection” switch. When prompted, click “Yes”

    8. While you’re in there, toggle every other option OFF as well, even though we’re about to take care of it a couple different ways.

    9. Close the windows we just opened.

  2. Permanently Disable Defender via Group Policy Editor

    1. Click the “Start” menu icon

    2. Type “cmd” into the search bar within the Start Menu

    3. Right-click “Command Prompt” and click “Run as administrator”

      1. Run the following command

        gpedit.msc
    4. Inside the Local Group Policy Editor

      1. Click Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

      2. Double-click “Turn off Microsoft Defender Antivirus”

      3. Select “Enabled”

        If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.

      4. Click Apply

      5. Click OK

  3. Permanently Disable Defender via Registry

    1. From the same administrative command prompt we previously opened, copy/paste this command and press Enter

      REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    2. While you’re still in the administrative command prompt, let’s also prevent the VM from going into sleep/standby mode during our shenanigans

      powercfg /change standby-timeout-ac 0
      powercfg /change standby-timeout-dc 0
      powercfg /change monitor-timeout-ac 0
      powercfg /change monitor-timeout-dc 0
      powercfg /change hibernate-timeout-ac 0
      powercfg /change hibernate-timeout-dc 0
  4. Prepare to boot into Safe Mode to disable all Defender services

    1. Click the “Start” menu icon

    2. Type “msconfig” into the search bar within the Start Menu

    3. Go to the “Boot” tab and select “Boot Options”

      1. Check the box for “Safe boot” and “Minimal”

        Safe boot
      2. Click Apply and OK

    4. System will restart into Safe Mode

  5. Now, in Safe Mode, we’ll disable some services via the Registry

    1. Click the “Start” menu icon

    2. Type “regedit” into the search bar and hit Enter

    3. For each of the following registry locations, you’ll need to browse to the key, find the “Start” value, and change it to 4

      1. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense

      2. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot

      3. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend

      4. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv

      5. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc

      6. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter

  6. Leave Safe Mode the same way we got into it

    1. Click the “Start” menu icon

    2. Type “msconfig” into the search bar within the Start Menu

    3. Go to the “Boot” tab and select “Boot Options”

      1. Uncheck the box for “Safe boot”

      2. Click Apply and OK

    4. System will restart into normal desktop environment, now (hopefully) Defender-free.

Install Sysmon in Windows VM

This is mostly optional as we don’t directly use Sysmon in this guide, but it’s a must-have analyst tool for getting very granular telemetry about all sorts of interesting activity on your Windows endpoint — so I recommend it for familiarity reasons alone.

  1. Launch an Administrative PowerShell console for the following commands

    1. Click the “Start” menu icon

    2. Type “powershell” into the search bar within the Start Menu

    3. Right-click “Windows PowerShell” and click “Run as administrator”

  2. Download Sysmon with the following command. Read more about Sysmon here.

    Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip
  3. Unzip Sysmon.zip

    Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon
  4. Download SwiftOnSecurity’s Sysmon config.

    Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml
  5. Install Sysmon with Swift’s config

    C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml
  6. Validate Sysmon64 service is installed and running

    Get-Service sysmon64
  7. Check for the presence of Sysmon Event Logs

    Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10

Install LimaCharlie EDR on Windows VM

LimaCharlie is a relatively new, very powerful “Security Infrastructure as a Service” platform. It not only comes with a cross-platform EDR agent, but also handles all of the log shipping/ingestion and has a threat detection engine. I am a huge fan of LimaCharlie for many reasons, one of which is that they have a free tier for up to two systems which is what allows me to make it an instrumental part of this guide.

  1. Create a free LimaCharlie account.

    1. LimaCharlie will ask you a few questions about your role. Answer however you wish, it just helps their developers build a better product. If you’d like for them to know that this series helped you discover LC, reference this blog post under “How did you hear about us?” Completely optional, I do not get kickbacks or anything :)

  2. Once logged into LimaCharlie, create an organization

    1. Name: whatever you want, but it must be unique

    2. Data Residency: whatever is closest

    3. Demo Configuration Enabled: disabled

    4. Template: Extended Detection & Response Standard

  3. Once the org is created, click “Add Sensor”

    1. Select Windows

    2. Provide a description such as: Windows VM - Lab

    3. Click Create

    4. Select the Installation Key we just created

    5. Specify the x86-64 (.exe) sensor, but then skip ahead to my instructions instead of the ones provided.

    6. IN THE WINDOWS VM, open an Administrative PowerShell prompt and paste the following commands:

      cd C:\Users\User\Downloads
      Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -OutFile C:\Users\User\Downloads\lc_sensor.exe
    7. Next, we will copy the install command provided by LimaCharlie which contains the installation key. Paste this command into your open terminal.

      Paste this command into the admin command prompt in your Windows VM
    8. This is the expected output; ignore the “ERROR” line that says “service installed!” Still waiting on those guys to fix that :)

      1. If you experience an error trying to install the EXE, try the x86-64 MSI option on the LimaCharlie installer dialog.

    9. If everything worked correctly, in the LimaCharlie web UI you should also see the sensor reporting in.

  4. Now let’s configure LimaCharlie to also ship the Sysmon event logs alongside its own EDR telemetry

    1. In the left-side menu, click “Artifact Collection”

    2. Next to “Artifact Collection Rules” click “Add Rule”

      1. Name: windows-sysmon-logs

      2. Platforms: Windows

      3. Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*

      4. Retention Period: 10

      5. Click “Save Rule”

    3. LimaCharlie will now start shipping Sysmon logs, which provide a wealth of EDR-like telemetry. Some of it is redundant with LC’s own telemetry, but Sysmon is still a very powerful visibility tool that runs well alongside any EDR agent.

      1. The other reason we are ingesting Sysmon logs is that the built-in Sigma rules we previously enabled largely depend on Sysmon logs as that is what most of them were written for.

  5. That’s all we’ll do with LimaCharlie for now. We’ll dive deeper into what it can do later on. Feel free to close all open windows on the Windows VM as we’re now moving onto the Linux VM.

    1. Pro Tip: Now would be a good time to Snapshot your Windows VM in case it gets hosed later on. You can always revert to this “Clean” snapshot later on to get back to a good state.

Set up Attack System

Switch over to the Ubuntu VM we installed earlier.

  1. Log on with the credentials we defined during install

    1. Username: user

    2. Password: password

  2. Switch to a root command prompt

    sudo su
  3. I highly recommend using an SSH client to access the Ubuntu VM so that you can easily copy/paste commands. macOS, Linux, and modern Windows systems have a built-in SSH client, but there are third-party tools for this as well.

    1. First, we need to learn the IP address of the Linux VM and then make sure that IP won’t change in the future, so type the following command into the console:

      ip a
  4. In the screenshot above, our VM has the IP address of 192.168.147.129. This IP is assigned automatically (DHCP) by VMware and could change in the future so we next want to statically assign it so that it does not change.

    1. Take note of the device name of the ethernet adapter as well, at the parent level above the IP address. In our case, it is ens33 — we’ll need that in the next step.

    2. NOTE: Write down the Linux VM’s IP address because you will need it multiple times throughout this guide.

  5. Let’s find out the IP address your VM is using as a gateway, which is given to it by VMware. We’ll need this IP in a moment.

    ping _gateway -c 1
    1. Take note of the IP address of your gateway, in my case it is 192.168.147.2

  6. Type the following command to edit the configuration file for netplan, Ubuntu’s network configuration tool

    sudo nano /etc/netplan/00-installer-config.yaml
    1. In this file, we’ll reconfigure our adapter from DHCP to a statically assigned IP address. Here is my original version

    2. Here is my reconfigured version setting the static IP to the one the VM was already assigned via DHCP

      1. Be sure to change to use your own values according to the interface name, IP address, and gateway acquired previously.
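The post shows the two netplan files only as screenshots, so here is an added example (not the author’s own file) of what the original DHCP version and the reconfigured static version look like, using the interface name, IP address and gateway shown in the post; the /24 prefix and the Google name servers are assumptions to adjust for your own network.

```yaml
# Original version, as written by the Ubuntu installer: ens33 gets its
# address from VMware's DHCP server. Indentation is significant in YAML,
# so use spaces (never tabs) and keep the nesting exactly as shown.
network:
  version: 2
  ethernets:
    ens33:
      dhcp4: true
---
# Reconfigured version: the same address the VM already received via DHCP,
# now assigned statically so it survives reboots and lease renewals.
# ens33, 192.168.147.129 and 192.168.147.2 are the values from the post;
# replace them with what you noted from `ip a` and `ping _gateway`.
# The /24 prefix and the name servers are assumptions, not from the post.
network:
  version: 2
  ethernets:
    ens33:
      dhcp4: false
      addresses:
        - 192.168.147.129/24
      gateway4: 192.168.147.2   # deprecated key; netplan warns but still honours it
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
```

The gateway4 line is what triggers the deprecation warning mentioned in the next step; the modern equivalent is a `routes:` list with an entry `to: default` and `via: 192.168.147.2`.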

    3. Save the file and test your new configuration for errors. Ignore the warning about gateway4 being deprecated; we’ll be fine.

      sudo netplan try
    4. Apply the configuration if no serious errors were found.

      sudo netplan apply
    5. Quick connectivity check: ping Google DNS.

      ping 8.8.8.8
  7. Now that we have a statically assigned IP address that should not change, let’s SSH into the VM from your host system to make future CLI activities easier thanks to copy/paste magic.

    1. I’ll let you decide which SSH client to use, but from a modern Mac/Linux/Windows system, simply open a command prompt and run:

      ssh user@[Linux_VM_IP]
  8. Now, from within this new SSH session, proceed with the following instructions to set up our attacker C2 server. First, let’s drop into a root shell to make life easier.

    sudo su
  9. Run the following commands to download Sliver, a Command & Control (C2) framework by BishopFox. I recommend copy/pasting the entire block as there is line-wrapping occurring.

    # Download Sliver Linux server binary
    wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
    # Make it executable
    chmod +x /usr/local/bin/sliver-server
    # install mingw-w64 for additional capabilities
    apt install -y mingw-w64
  10. Now let’s create a working directory we’ll use in future steps

    # Create our working directory (we’ll use it in later steps)
    mkdir -p /opt/sliver

If everything above worked as expected, you are good to go. In the next post of this series, we’ll explore dropping a C2 payload onto our Windows VM which opens the door for all sorts of fun detection activities that we’ll look for with Sysmon and LimaCharlie.

While you wait for the next post, I highly recommend exploring the LimaCharlie web interface to learn more about what it can do. Specifically, go to the “Sensors List”, click on the hostname of the sensor we installed today, and explore these menu options to start with:

  • Timeline (this feature alone saved you an extra 2-3 hours of setting up other VMs!)

  • Processes

  • Network

  • File System

In the next post we’ll dive deeper into LimaCharlie, blow some stuff up on the Windows VM, explore the telemetry generated, and write some detection rules!

27 Comments
Jordan (Mar 26, liked by Eric Capuano)

Awesome lab + write up, thanks!

Bob (Mar 27)

Hello,

When I was going through the registries I couldn't find Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense.

Do I need this? If so, what should I do to fix it?

© 2023 Eric Capuano