If you just landed here, be sure to check out the Intro to this series for backstory.

NOTE:

• This guide is recommended for a system with at least 8GB of RAM, best case 16GB+.

• Keep an eye on your system’s disk space as we’re potentially about to consume ~80-100GB of it.

• Many of the commands provided expect you are using the exact systems I prescribed. If you decide to use different systems (like your own Windows VM, etc) then you’ll need to tweak those commands accordingly.

• Unfortunately, I cannot support issues that go beyond the instructions here. If you come up against a problem I haven’t described, you’ll need to polish up those Google-Fu skills. If you get hopelessly stuck on a particular set of steps, consider starting fresh with a new VM or using snapshots to revert to known good states.

• It is highly recommended to follow this guide in order, if you hop around you may have issues.

Set up your virtual environment

1. Download and install a free trial of VMware Workstation.

   1. I strongly suggest using Workstation versus the free VMware Player as a few steps in this guide depend on features only included in Workstation.

2. Download and deploy a free Windows VM directly from Microsoft.

   1. Get the “VMWare” version of the workstation.

   2. Take notice of the “Expiration date” of your VM, it will stop working after this date, but you can always download a new one.

   3. Once downloaded, unzip the VM and double-click the WinDev####Eval.ovf file to import the VM into VMware, but do not start it up yet.

   4. Once imported, if you have 16GB or less of RAM on your system, you may want to modify the amount of RAM allocated to the Windows system — it has 8GB by default but can run with 4GB. If the VMs run slow, it may be due to not enough free RAM on your host.

3. Download and install Ubuntu into a new VM

   1. Download the Ubuntu Server 22.04.1 installer ISO.

      1. NOTE: I am specifying the SERVER version of Ubuntu because it comes preinstalled with necessary packages. If you choose the Desktop flavor, you will have issues, and you are wasting unnecessary resources.

   2. Once downloaded, create a new VM in Workstation with the following specs

      1. Use the downloaded ISO as the installer image

      2. 14GB Disk size

      3. Customize Hardware

         1. 2 CPU cores

         2. 2GB RAM

      4. During OS install, leave defaults unless otherwise specified

         1. Use Tab to navigate, Space to check boxes, Enter to confirm

         2. “Installer update available”

            1. “Continue without updating”

            

         3. When you get to “Network connections” section above, we need to take a few steps to set a static IP address for this VM so that it doesn’t change throughout the lab or beyond it.

            1. Find out the gateway IP of your VMware Workstation NAT network

               1. In VMware Workstation, click “Edit” menu at top

               2. Click “Virtual Network Editor”

               3. Select the “Type: NAT” network

               4. Click “NAT Settings…”

                  

               5. Copy down the “Subnet IP” & “Gateway IP”, we’ll need it in the next step

                  

               6. Close the NAT Settings and Virtual Network Editor windows.

            2. Now, back in the Ubuntu installer, let’s change the interface from DHCPv4 to Manual.

               1. 

               2. 

               3. Be sure to carry forward the subnet and gateway IP from the previous step V., but adding the /24 to subnet IP. The “Address” gets copied from what was previously assigned via DHCP.

                  

               4. When you’re done, you should see this.

                  

               5. NOTE: Write down the Linux VM’s IP address because you will need it multiple times throughout this guide.

         4. Set a memorable username/password (this is just a lab)

            1. Your name: user

            2. Your server’s name: attack

            3. Username: user

            4. Password: password

         5. Install OpenSSH server?

            1. [check/yes]

         6. Continue installing OS until “Install complete!”

         7. Hit Enter on [ Reboot Now ]

            1. If it hangs on “removing the CDROM” just press Enter

   3. After the reboot, let’s perform a quick connectivity check.

      1. Logon with the credentials we defined during install

         1. Username: user

         2. Password: password

      2. Make sure DNS and outbound pings are working

         ping -c 2 google.com

      3. If your output resembles mine, you’re good to go.

         

Setup your Windows VM

1. Go ahead and “power on” your Windows VM for the first time.

   1. It will automatically log you in as “user”.

   2. Wait for the desktop to appear.

Disable Defender on Windows VM

Permanently disable Microsoft Defender so it doesn’t interfere with the shady stuff we’re planning. This is trickier than it sounds (especially in Windows 11) as Defender will turn itself back on, so follow ALL of these instructions verbatim in the exact order below.

These steps are closely derived from this guide and this one as well, but with fewer screenshots. If you need more guidance, see the original guides.

Note: for an easier option, consider just using Sordum’s Defender Control (not covered in this guide, but fairly straightforward)

1. Disable Tamper Protection

   1. Click the “Start” menu icon

   2. Click “Settings”

   3. Click “Privacy & security” on the left

   4. Click “Windows Security”

   5. Click “Virus & threat protection”

   6. Under “Virus & threat protection settings” click “Manage settings”

   7. Toggle OFF the “Tamper Protection” switch. When prompted, click “Yes”

      

   8. While you’re in there, toggle every other option OFF as well, even though we’re about to take care of it a couple different ways.

   9. Close the windows we just opened.

2. Permanently Disable Defender via Group Policy Editor

   1. Click the “Start” menu icon

   2. Type “cmd” into the search bar within the Start Menu

   3. Right+Click “Command Prompt” and click “Run as administrator”

      1. Run the following command

         gpedit.msc

   4. Inside the Local Group Policy Editor

      1. Click Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

      2. Double-click “Turn off Microsoft Defender Antivirus”

      3. Select “Enabled”

         If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.

      4. Click Apply

      5. Click OK

3. Permanently Disable Defender via Registry

   1. From the same administrative command prompt we previously opened, copy/paste this command and press Enter

      REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

4. Prepare to boot into Safe Mode to disable all Defender services

   1. Click the “Start” menu icon

   2. type “msconfig” into the search bar within the Start Menu

   3. Go to “Boot” tab and select “Boot Options”

      1. Check the box for “Safe boot” and “Minimal”

         

      2. Click Apply and OK

   4. System will restart into Safe Mode

5. Now, in Safe Mode, we’ll disable some services via the Registry

   1. Click the “Start” menu icon

   2. Type “regedit” into the search bar and hit Enter

   3. For each of the following registry locations, you’ll need to browse to the key, find the “Start” value, and change it to 4

      

      1. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense

      2. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot

      3. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend

      4. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv

      5. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc

      6. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter

6. Leave Safe Mode the same way we got into it

   1. Click the “Start” menu icon

   2. type “msconfig” into the search bar within the Start Menu

   3. Go to “Boot” tab and select “Boot Options”

      1. Uncheck the box for “Safe boot”

      2. Click Apply and OK

   4. System will restart into normal desktop environment, now (hopefully) Defender-free.

Prevent the VM from going into standby

1. From an administrative command prompt, let’s prevent the VM from going into sleep/standby mode during our shenanigans

powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change monitor-timeout-ac 0
powercfg /change monitor-timeout-dc 0
powercfg /change hibernate-timeout-ac 0
powercfg /change hibernate-timeout-dc 0

Install Sysmon in Windows VM

This is mostly optional as we don’t directly use Sysmon in this guide, but it’s a must-have analyst tool for getting very granular telemetry on your Windows endpoint of all sorts of interesting activity — so I recommend it for familiarity reasons alone.

1. Launch an Administrative PowerShell console for the following commands

   1. Click the “Start” menu icon

   2. Type “powershell” into the search bar within the Start Menu

   3. Right+Click “Windows PowerShell” and click “Run as administrator”

2. Download Sysmon with the following command. Read more about Sysmon here.

   Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip

3. Unzip Sysmon.zip

   Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon

4. Download SwiftOnSecurity’s Sysmon config.

   Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml

5. Install Sysmon with Swift’s config

   C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml

   

6. Validate Sysmon64 service is installed and running

   Get-Service sysmon64

   

7. Check for the presence of Sysmon Event Logs

   Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10

   

Install LimaCharlie EDR on Windows VM

LimaCharlie is a relatively new, very powerful “Security Infrastructure as a Service” platform. It not only comes with a cross-platform EDR agent, but also handles all of the log shipping/ingestion and has a threat detection engine. I am a huge fan of LimaCharlie for many reasons, one of which is that they have a free tier for up to two systems which is what allows me to make it an instrumental part of this guide.

1. Create a free LimaCharlie account.

   1. LimaCharlie will ask you a few questions about your role. Answer however you wish, it just helps their developers build a better product. If you’d like for them to know that this series helped you discover LC, reference this blog post under “How did you hear about us?” Completely optional, I do not get kickbacks or anything :)

2. Once logged into LimaCharlie, create an organization

   1. Name: whatever you want, but it must be unique

   2. Data Residency: whatever is closest

   3. Demo Configuration Enabled: disabled

   4. Template: Extended Detection & Response Standard

      

3. Once the org is created, click “Add Sensor”

   

   1. Select Windows

   2. Provide a description such as: Windows VM - Lab

   3. Click Create

   4. Select the Installation Key we just created

      

   5. Specify the x86-64 (.exe) sensor, but then skip ahead to my instructions versus the ones provided.

      

   6. IN THE WINDOWS VM, open an Administrative PowerShell prompt and paste the following commands:

      cd C:\Users\User\Downloads

      Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe

   7. Shift into a standard command prompt by running this command

      cmd.exe

   8. Next, we will copy the install command provided by LimaCharlie which contains the installation key. Paste this command into your open terminal.

      

   9. This is the expected output, ignore the “ERROR” that says “service installed!” Still waiting on those guys to fix that :)

      

      1. If you experience an error trying to install the EXE, try the x86-64 MSI option on the LimaCharlie installer dialog.

   10. If everything worked correctly, in the LimaCharlie web UI you should also see the sensor reporting in.

       

4. Now let’s configure LimaCharlie to also ship the Sysmon event logs alongside its own EDR telemetry

   1. In the left-side menu, click “Artifact Collection”

   2. Next to “Artifact Collection Rules” click “Add Rule”

      1. Name: windows-sysmon-logs

      2. Platforms: Windows

      3. Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*

      4. Retention Period: 10

      5. Click “Save Rule”

   3. LimaCharlie will now start shipping Sysmon logs which provide a wealth of EDR-like telemetry, some of which is redundant to LC’s own telemetry, but Sysmon is still a very power visibility tool that runs well alongside any EDR agent.

      1. The other reason we are ingesting Sysmon logs is that the built-in Sigma rules we previously enabled largely depend on Sysmon logs as that is what most of them were written for.

5. That’s all we’ll do with LimaCharlie for now. We’ll dive deeper into what it can do later on. Feel free to close all open windows on the Windows VM as we’re now moving onto the Linux VM.

   1. Pro Tip: Now would be a good time to Snapshot your Windows VM in case it gets hosed later on. You can always revert to this “Clean” snapshot later on to get back to a good state.

Setup Attack System

We’ll perform these steps from your host system, by using SSH to access the Linux VM.

I highly recommend using an SSH client to access the Ubuntu VM so that you can easily copy/paste commands. MacOS/Linux/Modern Windows systems have builtin SSH abilities, but there are third party tools for this as well.

1. Using the statically assigned IP address we copied down in the Linux VM installation process, let’s SSH onto the VM from your host system to make future CLI activities easier thanks to copy/paste magic.

   1. I’ll let you decide which SSH client to use, but from a modern Mac/Linux/Windows system, simply open a command prompt and run

      ssh user@[Linux_VM_IP]

1. Now, from within this new SSH session, proceed with the following instructions to setup our attacker C2 server. First, let’s drop into a root shell to make life easier.

   sudo su

2. Run the following commands to download Sliver, a Command & Control (C2) framework by BishopFox. I recommend copy/pasting the entire block as there is line-wrapping occurring.

   # Download Sliver Linux server binary
   wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
   # Make it executable
   chmod +x /usr/local/bin/sliver-server
   # install mingw-w64 for additional capabilities
   apt install -y mingw-w64

3. Now let’s create a working directory we’ll use in future steps

   # Create our future working directory
   mkdir -p /opt/sliver

If everything above worked as expected, you are good to go. In the next post of this series, we’ll explore dropping a C2 payload onto our Windows VM which opens the door for all sorts of fun detection activities that we’ll look for with Sysmon and LimaCharlie.

While you wait for the next post, I highly recommend exploring the LimaCharlie web interface to learn more about what it can do. Specifically, go to the “Sensors List”, click on the hostname of the sensor we installed today, and explore these menu options to start with:

• Timeline (this feature alone saved you an extra 2-3 hours of setting up other VMs!)

• Processes

• Network

• File System

In the next post we’ll dive deeper into LimaCharlie, blow some stuff up on the Windows VM, explore the telemetry generated, and write some detection rules!

Share