Thursday, February 23, 2017

Setting up a Pentesting... I mean, a Threat Hunting Lab

I see a lot of articles out there showing you how to use specific tools to steal credentials, move laterally, bypass security controls and even own an entire domain. However, only a few articles share how to detect or hunt for those attacks. One of the things I feel helps me a lot to stay up to date and to learn new offensive and defensive skills, besides reading books, is having my own personal lab at home. This allows me to test or validate new attacks while at the same time learning and developing new techniques to detect and hunt for them in the real world. 

Recently I had a few friends ask me to walk them through the basics of building a threat hunting lab. Therefore, I decided to start a series of posts with the title "Setting up a Pentesting... I mean, a Threat Hunting lab" to show you how you can also start setting up your environment to not just play red team but to hunt at the same time. 

This series will cover the basic configurations for the following:

Virtual network (WAN & LAN) (Part 1)

In this first post, I will show you how to set up a virtual WAN and LAN (NAT) with the help of ESXi 6.5 and pfSense. Our default VM management network will act as the virtual WAN, and a new virtual switch and port group will act as the virtual LAN, with pfSense as the router/firewall between them. That way we can simulate real-world conditions where inbound connections to non-public systems are not allowed unless a reverse connection is initiated by a user or an infected host. Eventually we will add a Kali system to our virtual WAN to perform attacks.

Windows Server 2012 R2 build (Part 2)

In order to understand how adversaries compromise an entire domain, and to learn what you have to hunt for, you have to create your own at home. In this post we will go over setting up a basic Windows Server 2012 R2 and enabling the following server roles: DHCP, Active Directory Domain Services (AD DS) and DNS.

Promote your server to a domain controller and set up your own DHCP Server (Part 3)

Our server has the AD DS, DHCP and DNS roles enabled, now what? Time to promote our server to a domain controller (adding a new forest with its root domain, selecting functional levels for the forest and domain, specifying domain controller capabilities, and setting the location of the AD DS database, log files and SYSVOL) and to set up our own DHCP server.

Configure your Active Directory environment (Part 4)

It is time to create new Organizational Units (OUs), users, groups and GPOs, and to join computers to our domain. Also, since we are going to learn how to create a GPO, I will show you how you can increase visibility into your endpoints from a logging perspective by creating a more robust Audit Policy. Quoting Sean Metcalf: "Securing Domain Controllers is only one part of Active Directory Security. Another is being able to detect anomalous activity which starts with logging." [source]
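
Before you push a new Audit Policy through a GPO, it helps to know where the endpoints currently stand. The script below is an added example (not part of this post's lab build): it parses the CSV that `auditpol /get /category:* /r` prints on a Windows host and reports the subcategories that fall short of a small hunting baseline. The baseline and the sample export are constructed for illustration, not the GPO settings used in this series.

```python
"""Compare a Windows Advanced Audit Policy export against a minimal hunting baseline.

Added example for this post (not the author's tooling). Input is the CSV produced by
`auditpol /get /category:* /r`; a constructed sample is embedded so the check runs offline.
"""
import csv
import io

# Constructed sample of `auditpol /get /category:* /r` output. The column layout is
# auditpol's; the host name and configured values are made up for this example.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
LAB-WS01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,
LAB-WS01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
LAB-WS01,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,
LAB-WS01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
LAB-WS01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,
LAB-WS01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
"""

# Illustrative baseline: subcategory -> minimum inclusion setting a hunter wants.
# This is a small subset chosen for the example, not an exhaustive recommendation.
BASELINE = {
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Special Logon": "Success",
    "Process Creation": "Success",
    "Security Group Management": "Success and Failure",
    "Audit Policy Change": "Success and Failure",
    "Credential Validation": "Success and Failure",
}

# Which configured values satisfy a required value ("Success and Failure" covers both).
SETTING_COVERS = {
    "Success": {"Success", "Success and Failure"},
    "Failure": {"Failure", "Success and Failure"},
    "Success and Failure": {"Success and Failure"},
}

def parse_auditpol_csv(text):
    """Return {subcategory: inclusion setting} from auditpol's /r CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip() for row in reader}

def audit_gaps(current, baseline=BASELINE):
    """Return {subcategory: (configured, required)} for every baseline entry not met.
    A subcategory absent from the export is reported as 'Not reported'."""
    gaps = {}
    for subcat, required in baseline.items():
        configured = current.get(subcat, "Not reported")
        if configured not in SETTING_COVERS[required]:
            gaps[subcat] = (configured, required)
    return gaps

if __name__ == "__main__":
    for subcat, (have, need) in sorted(audit_gaps(parse_auditpol_csv(SAMPLE_AUDITPOL_CSV)).items()):
        print(f"{subcat}: configured '{have}', baseline requires '{need}'")
```

On a real host, redirect `auditpol /get /category:* /r` to a file and feed its contents to `parse_auditpol_csv` in place of the sample.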

Hunting Platforms - ELK Stack (Part 5)

Up to this point, this setup might look familiar. However, what I believe takes any lab setup to the next level is having a central repository where the logs generated during an attack can be stored, parsed and analyzed. This is how you learn the real skills, because it lets you see exactly what you need to look for when hunting for adversaries attacking your network.

For the purpose of my next threat hunting series, I will be using an ELK stack to store native Windows and Sysmon logs from my compromised systems, and Winlogbeat to forward those logs to my basic stack. Later on, I will add other open-source projects such as Security Onion, Rock NSM, or even AlienVault's OSSIM, and implement other applications such as Kafka to make my ingestion and distribution of data more robust.

Sysmon and Winlogbeat on your endpoints (Part 6)

I wish I had an EDR vendor send me a dev agent [hint! hint!] to test how much event data I can capture from an endpoint, but for now I love to use Sysmon when it comes down to endpoint visibility. In this post I will show you how to install Sysmon and use custom configurations to filter out noise while still getting the visibility you need to hunt for advanced adversaries. Additionally, as you might already know, we need some type of log forwarder to send logs to our ELK stack. In case you didn't know, Elastic provides several products besides Elasticsearch, Logstash and Kibana, and the one that will help us live-stream Windows event logs to our ELK stack is named Winlogbeat. In this post, I will also show you how to set it up and integrate it with our ELK stack configuration.
Remember that these are just simple configurations I put together to fulfill most of my basic needs and what I wanted to accomplish with my own lab. These are by no means the MUST HAVEs for your own lab environment, but I wanted to share them with the community and hopefully inspire others to also build their own. #SharingisCaring. After this series, I will start another one where I will show you how you can use your custom environment to hunt for the hunter.

I hope these posts help you to start building your own environment and encourage you to do more research to fix or to improve what I present to you.
Feedback is greatly appreciated! Thank you.
30 comments:

  1. Awesome freaking blog @elasticman99

    1. Thank you @elasticmean99, much appreciated!

  2. Hey, just saw this blog and great tutorials! Can you also update other similar blogs like this? What's your background? You seem to have a good background in offensive and defensive techniques. I would appreciate it if we could connect on LinkedIn. https://www.linkedin.com/in/rajganeshp/

    Keep up the good work and continue posting

    1. Hey Rajganesh, thank you for your great feedback. Really appreciate it. I started doing IR 3-4 years ago, but in my free time I started playing with a few offensive tools to capture their behavior and do analysis in order to make my job easier and understand what to look for and why. I now focus a lot on the techniques being implemented by adversaries, no matter what tool or script they use to accomplish their objectives. This has taken me to explore both sides of this awesome field. I'm sending you a request soon. Once again, thank you, and I will keep sharing!!

  3. Great write up! Are you aware of any Unix/Linux options for endpoint visibility (similar to Sysmon for WinOS)?

    1. Hey Unknown, thank you for the feedback! I believe OSQuery can also do Unix/Linux (https://osquery.io/). However, it is not constantly sending logs to a central repository (not continuous monitoring). It basically just sends a snapshot of the information that you request at the time you send the query.

  4. Great write-ups. I am going through each of your posts and I am enjoying it. Your posts are detailed, easy to understand and very precise too. Your posts define the amount of hard work and research you have done. Thanks a lot for sharing your precious knowledge. Highly appreciated, Guru (teacher)!! Keep up the good work. ;)

  5. Great stuff! Keep up the good work!

    "Later on, I will add other open-source projects such as Security Onion , Rock NSM, or even AlienVault's OSSIM and implement other applications to make my ingestion and distribution of data more robust such as Kafka."

    Are you planning to write about these anytime soon?

  14. Great and awesome documentation.
