Monday, March 17, 2025

SOC Lab: Windows Workstation // Part 3 // Walkthrough


Use this Windows tool to create your own Windows VM. We will create a Windows Workstation VM to simulate a regular user's computer, which will help us simulate cyber-attacks.






We finished creating and downloading the Windows VM. 



Next, we add the Windows VM we just created to VirtualBox. 




We configured the network the exact same way as the previous machine, Windows Server 2022.



After installing it, go to Network & Internet settings. Then click Change adapter options. 




We want this Windows Workstation to be connected to the LAN with pfSense and Active Directory, so we give it an IP address within the same subnet as our other machines. For the Default Gateway and the DNS server we use the pfSense address.



We sent a ping to the default gateway (pfSense's LAN interface) to test the connection. It worked.


Saturday, March 15, 2025

Network Traffic Analysis #1 (2025-01-25) || Practice


What is the IP address of the infected Windows client?


  • The IP address of the infected Windows client is 10.1.17.215



  • We know that this is the correct IP because we used the http filter to see which IP was interacting with the C2 server IP (5.252.153.241), which we already knew beforehand.



What is the mac address of the infected Windows client?


  • The MAC address of the infected Windows client is 00:d0:b7:26:4a:74. We found the MAC address with the arp filter.




What is the host name of the infected Windows client?


  • Using the nbns filter, which matches NetBIOS Name Service traffic, we were able to find the host name: DESKTOP-L8C5GSJ



What is the user account name from the infected Windows client?


  • The account name from the infected Windows client was found using the kerberos.CNameString filter. The username, shutchenson, was contained in the CNameString field. We had to open the packet to inspect its contents.





What is the likely domain name for the fake Google Authenticator page?


  • We found the likely domain name with the tls.handshake.extensions_server_name filter. The likely domain name is authenticatoor.org. We tried other filters like dns or http, but those did not return any results. Once we used the TLS SNI filter above, we received a long list of domains the client was interacting with. We simply scrolled down and looked for a domain related to Google Authenticator.




What are the IP addresses used for C2 servers for this infection?


  • We already knew one C2 IP address beforehand, 5.252.153.241.

  • The other C2 IP address we discovered through the filter tls.handshake.extensions_server_name. This gave us a list of packets where our infected client (10.1.17.215) was beginning the first phase of the TLS handshake (the Client Hello) with different hosts. All of the SNI values were domain names, except for one host (45.125.66.32). This stood out to me, so I looked up the IP address on VirusTotal.





  • Knowing that C2 channels often use small, frequent packets for beaconing, I used the filter tcp and frame.len < 128 (a packet under 128 bytes counts as small). I found our previously discovered C2 address with this filter and an additional one: 45.125.66.252





Initial Malicious File Download


  • Most malware files are downloaded over HTTP, so we used the filter http.request.method == "GET" to look for evidence of a malicious file being downloaded, and we found it at the top of our output.


 


  • We can see our infected client (10.1.17.215) sending a GET request to the C2 address (5.252.153.241) for the file “/api/file/get-file/264872”.
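The three C2 indicators used in this write-up (an IP literal where the TLS SNI should carry a hostname, small and regularly spaced TCP frames from the client to one host, and an HTTP GET for a file) can be checked over a tshark field export instead of by scrolling in Wireshark. The script below is an added example and is not part of the original post. It assumes the export was produced with the `tshark -T fields` command given in its docstring, and its packet records are constructed to mirror the addresses and URI from this analysis (the 203.0.113.x hosts are documentation-range placeholders, and the timestamps are invented).

```python
"""Triage checks over a tshark field export (added example, not from the post).

Assumed input format: one record per line, tab-separated, as produced by
  tshark -r capture.pcap -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e ip.proto \
      -e tls.handshake.extensions_server_name -e http.request.method -e http.request.uri
"""
import ipaddress
import statistics
from collections import defaultdict

FIELDS = ("time", "src", "dst", "length", "proto", "sni", "method", "uri")
INFECTED_CLIENT = "10.1.17.215"  # the client identified in the write-up

# Constructed records that mirror the write-up: the known C2 (5.252.153.241),
# the host whose SNI is an IP literal (45.125.66.32), the fake authenticator
# domain, and the file-download URI. 203.0.113.x are documentation-range
# placeholders and the timestamps are invented.
SAMPLE_EXPORT = "\n".join([
    "1000.0\t10.1.17.215\t5.252.153.241\t66\t6\t\t\t",
    "1000.2\t10.1.17.215\t5.252.153.241\t412\t6\t\tGET\t/api/file/get-file/264872",
    "1003.5\t10.1.17.215\t203.0.113.10\t571\t6\tauthenticatoor.org\t\t",
    "1004.1\t10.1.17.215\t203.0.113.20\t583\t6\twww.google.com\t\t",
    "1004.3\t10.1.17.215\t203.0.113.20\t54\t6\t\t\t",
    "1012.0\t10.1.17.215\t45.125.66.32\t517\t6\t45.125.66.32\t\t",
    "1030.0\t10.1.17.215\t5.252.153.241\t60\t6\t\t\t",
    "1060.0\t10.1.17.215\t5.252.153.241\t66\t6\t\t\t",
    "1090.0\t10.1.17.215\t5.252.153.241\t60\t6\t\t\t",
    "1120.0\t10.1.17.215\t5.252.153.241\t66\t6\t\t\t",
])


def parse_tshark_fields(text):
    """Turn the tab-separated export into dicts keyed by FIELDS."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate dropped trailing tabs
        rec = dict(zip(FIELDS, parts))
        rec["time"] = float(rec["time"])
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def sni_ip_literals(records):
    """(dst, sni) pairs whose SNI is a bare IP address.

    Browsers put a hostname in SNI; an IP literal is the oddity that made
    45.125.66.32 stand out in the write-up.
    """
    hits = set()
    for r in records:
        if not r["sni"]:
            continue
        try:
            ipaddress.ip_address(r["sni"])
        except ValueError:
            continue  # a normal hostname, not interesting here
        hits.add((r["dst"], r["sni"]))
    return hits


def beacon_candidates(records, client, max_len=128, min_count=4):
    """Per destination, count small TCP frames sent by `client` and measure
    how regular the gaps between them are (low stdev = steady beacon)."""
    min_count = max(min_count, 2)  # need at least one gap to measure
    by_dst = defaultdict(list)
    for r in records:
        if r["src"] == client and r["proto"] == "6" and r["length"] < max_len:
            by_dst[r["dst"]].append(r["time"])
    result = {}
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        result[dst] = {
            "count": len(times),
            "mean_gap": round(statistics.mean(gaps), 1),
            "gap_stdev": round(statistics.pstdev(gaps), 1),
        }
    return result


def http_get_requests(records):
    """(src, dst, uri) for every plain-HTTP GET, the download check from the post."""
    return [(r["src"], r["dst"], r["uri"]) for r in records if r["method"] == "GET"]


def triage(export_text, client=INFECTED_CLIENT):
    records = parse_tshark_fields(export_text)
    return {
        "sni_ip_literals": sni_ip_literals(records),
        "beacons": beacon_candidates(records, client),
        "http_gets": http_get_requests(records),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_EXPORT).items():
        print(f"{name}: {value}")
```

Against the constructed export this flags 45.125.66.32 for its IP-literal SNI, reports five sub-128-byte frames to 5.252.153.241 at a steady 30-second gap, and lists the GET for /api/file/get-file/264872. On a real export the `min_count` and `max_len` thresholds are the knobs to tune: ACK-only frames to busy web servers are also small, so the gap regularity matters more than the raw count.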







Thursday, March 13, 2025

SOC Lab: Active Directory // Part 2 // Walkthrough


Active Directory is an important tool in a SOC. It is used to manage user accounts, groups, and permissions across the entire network, and it plays an important role in the Principle of Least Privilege and in Identity and Access Management. Active Directory logs every password change, login attempt, and access change. It can also enforce security settings through Group Policy Objects. Lastly, Active Directory logs can be forwarded to a SIEM.



First, we downloaded the Windows Server 2022 ISO file.

 Windows Server 2022 | Microsoft Evaluation Center


After downloading the .iso file, I created a new machine with it.



Make sure when you create the VM that you select Windows Server 2022 Standard Evaluation (Desktop Experience). I originally selected the other option and there was no GUI. 




After creating it, I established one adapter attached to the Internal Network and named it Green. 



After starting the machine, the Microsoft Server OS begins to install. 



After installation I was automatically logged in and Server Manager opened automatically.



Go to Network and Internet Settings.



Click on Ethernet, then Ethernet Properties, then IPv4 Properties.




We want our Windows Server 2022 IPv4 address to be in the same range as the pfSense LAN (192.168.1.1/24). We want the Default Gateway to match the pfSense LAN IP; the DNS server address can also be the same.



Afterwards we restart the VM.



After restart, we click “Add roles and features”.






Follow all of the above steps to successfully install Active Directory. 



Next, we click “Promote this server to a domain controller”.



Then we choose “Add a new forest” and enter the root domain name.



Leave these settings at their defaults and assign a DSRM password. Leave the DNS Options as they are. Click “Next”.



Click “Next” for the rest of the settings and then install it. 



It automatically restarted.



Next, we will install BadBlood, which will populate Active Directory with fake users, groups, and permissions. This will be a good way to simulate a real SOC environment and practice. 


I had some issues connecting my Windows Server 2022 VM to the internet and installing Git so that I could install BadBlood. So I spent some time troubleshooting. Then I found the issue…







The issue was that my pfSense adapter 1 was NAT and adapter 2 was Internal Network (Green), but on Windows Server it was reversed: adapter 1 was Internal Network (Green) and adapter 2 was NAT. The adapters should match, as displayed above. The internet is now working. Another point is that pfSense must be running in order for the Windows Server 2022 VM to have internet access.



First, I had to install Git so that I could install the BadBlood package.



After installing Git, I entered this command to install the BadBlood package.






The BadBlood installation finished, and Active Directory now has 2500 users, 500 groups, OUs, 100 computers, etc. This will allow us to simulate a real SOC environment. For the next addition to our SOC lab, we will set up a Windows Workstation.



 

Help Desk Lab // Part 7-9 // (Mapping Network Drives, Active Directory security groups, NTFS/share-level permissions, Remote Desktop/Remote Registry, Group Policy, RSOP)

 *All credit for this lab goes to Simokid on GitHub. This is my walkthrough.

 Security Groups, Mapped Drives, Personal Drives, Permission ...