Thursday, February 23, 2017

Setting up a Pentesting... I mean, a Threat Hunting Lab

I see a lot of articles out there showing you how to use specific tools to steal credentials, move laterally, bypass security controls and even own an entire domain. However, only a few articles share how to detect or hunt for those attacks. One of the things I feel helps me a lot to stay up to date and to learn new offensive and defensive skills, besides reading books, is having my own personal lab at home. This allows me to test or validate new attacks while at the same time learning and developing new techniques to detect and hunt for them in the real world. 

Recently I had a few friends ask me to walk them through the basics of building a threat hunting lab. Therefore, I decided to start a series of posts with the title "Setting up a Pentesting... I mean, a Threat Hunting lab" to show you how you can also start setting up your environment to not just play red team but to hunt at the same time. 

This series will cover the basic configurations for the following:

Virtual network (WAN & LAN) (Part 1)

In this first post, I will show you how to set up a virtual WAN and LAN (NAT) with the help of ESXi 6.5 and pfSense. We will have our default original VM management network act as our virtual WAN, and a new virtual switch and port group as our virtual LAN, with pfSense as our router/firewall. That way we can simulate real-world attacks where inbound connections to non-public systems are not allowed unless there is a reverse connection initiated by a user or an infected host. Eventually we will add a Kali system to our virtual WAN to perform attacks.

Windows Server 2012 R2 build (Part 2)

In order to understand how adversaries compromise an entire domain and to learn what you have to hunt for, you have to create your own at home. In this post we will go over setting up a basic Windows Server 2012 and enabling the following server roles: DHCP, AD and DNS.

Promote your server to a domain controller and set up your own DHCP Server (Part 3)

Our server has the AD DS, DHCP and DNS roles enabled, now what? Time to promote our server to a domain controller (adding a new forest with its respective root domain, selecting functional levels for the forest and domain, specifying domain controller capabilities, and setting the location of the AD DS database, log files and SYSVOL) and to set up our own DHCP server.
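The role installation from Part 2 and the promotion and DHCP setup from Part 3 can be done from PowerShell instead of clicking through Server Manager. The block below is an added example, not the post's own steps; the domain name lab.local, the NetBIOS name LAB, the DC address 192.168.1.10, the pfSense gateway 192.168.1.1, the adapter alias "Ethernet" and the DHCP pool are all assumed lab values.

```powershell
# Added example (not from the original post): build the lab domain controller
# described in Parts 2 and 3 with PowerShell. All addresses and names below are
# assumed lab values; run in an elevated PowerShell on the Server 2012 R2 VM.
$DomainName   = "lab.local"
$NetbiosName  = "LAB"
$DcAddress    = "192.168.1.10"
$Gateway      = "192.168.1.1"      # pfSense LAN interface
$ScopeNetwork = "192.168.1.0"

# Part 2: static address on the virtual LAN, then the three roles plus tools.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress $DcAddress -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses $DcAddress
Install-WindowsFeature -Name AD-Domain-Services, DHCP, DNS -IncludeManagementTools

# Part 3a: promote to a DC in a new forest. This covers the wizard pages the
# post lists: new forest and root domain, forest/domain functional levels,
# DC capabilities (DNS, global catalog is implied for the first DC) and the
# NTDS / log / SYSVOL paths. The DSRM password is prompted for, not hard-coded.
# The server reboots when this completes, so the DHCP part runs afterwards.
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode "Win2012R2" `
    -DomainMode "Win2012R2" `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force:$true

# ---- Part 3b: run after the reboot, logged on as LAB\Administrator ----
# Authorize the DHCP server in AD, create the LAN scope, and hand out the DC
# as DNS server (so domain joins and Kerberos work) and pfSense as gateway.
Add-DhcpServerSecurityGroup
Add-DhcpServerInDC -DnsName "dc01.$DomainName" -IPAddress $DcAddress
Add-DhcpServerv4Scope -Name "Lab LAN" -StartRange "192.168.1.100" `
    -EndRange "192.168.1.200" -SubnetMask "255.255.255.0" -State Active
Set-DhcpServerv4OptionValue -ScopeId $ScopeNetwork -DnsServer $DcAddress `
    -Router $Gateway -DnsDomain $DomainName
# Clear the "post-install configuration required" flag Server Manager shows.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" `
    -Name "ConfigurationState" -Value 2

# Sanity checks: the forest and the scope should now exist.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-DhcpServerv4Scope
```

The script is in two halves on purpose: Install-ADDSForest reboots the box, so everything after it is run in a second session once the DC is back up and you are logged on with a domain account.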

Configure your Active Directory environment (Part 4)

It is time to create new Organizational Units (OUs), Users, Groups, GPOs, and join computers to our domain. Also, since we are going to learn how to create a GPO, I will show you how you can increase the visibility on your endpoints from a logging perspective by creating a more robust Audit Policy. Quoting Sean Metcalf "Securing Domain Controllers is only one part of Active Directory Security. Another is being able to detect anomalous activity which starts with logging." [source]
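As an added example (not the post's own configuration), the block below creates the OUs, users, group and GPO from Part 4 with the ActiveDirectory and GroupPolicy modules, then applies an audit-policy starting set. The OU names, the user names, the group name, the GPO name and the domain lab.local are assumed; the subcategory list is a starting point chosen for visibility into logons, account changes and process creation, not a complete policy.

```powershell
# Added example (not from the original post): populate the lab domain and
# build an audit-policy GPO. Names and the domain are assumed lab values.
# Run on the DC as a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=lab,DC=local

# OUs for workstations, servers and people, so GPOs can target each group.
foreach ($ou in "Workstations", "Servers", "LabUsers") {
    New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# A few users and a group; the initial password is read interactively.
$pw = Read-Host -AsSecureString "Initial password for lab users"
foreach ($u in "alice", "bob", "helpdesk1") {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@lab.local" `
        -Path "OU=LabUsers,$DomainDN" -AccountPassword $pw -Enabled $true
}
New-ADGroup -Name "Helpdesk" -GroupScope Global -Path "OU=LabUsers,$DomainDN"
Add-ADGroupMember -Identity "Helpdesk" -Members "helpdesk1"

# Audit-policy GPO linked at the domain root so every joined host receives it.
$gpo = New-GPO -Name "Lab Audit Policy" -Comment "Advanced audit policy for hunting"
New-GPLink -Name $gpo.DisplayName -Target $DomainDN -LinkEnabled Yes

# Two registry-backed settings the GPO can carry directly:
#  - make the Advanced Audit Policy subcategories override the legacy categories
#  - include the full command line in 4688 process-creation events
Set-GPRegistryValue -Name $gpo.DisplayName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "SCENoApplyLegacyAuditPolicy" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    -ValueName "ProcessCreationIncludeCmdLine_Enabled" -Type DWord -Value 1

# The subcategory selections themselves are stored in the GPO's audit.csv,
# which the Group Policy editor writes. The same starting set is applied
# locally here with auditpol so you can see it take effect on the DC at once.
$subcategories = @(
    "Credential Validation", "Kerberos Authentication Service",
    "Kerberos Service Ticket Operations", "Logon", "Logoff", "Special Logon",
    "User Account Management", "Security Group Management",
    "Process Creation", "Sensitive Privilege Use", "Other Object Access Events"
)
foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Verify: each subcategory above should now report "Success and Failure".
auditpol.exe /get /category:* | Select-String ($subcategories -join "|")
```

Once the GPO exists, open it in the Group Policy Management Editor under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration and select the same subcategories there, so that the joined workstations get the policy and not only the DC where auditpol was run.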

Hunting Platforms - ELK Stack (Part 5)

Up to this point, this setup might look familiar. However, what I believe takes any lab set up to the next level is having a central repository where logs generated during an attack can be stored, parsed and analyzed. This is how you learn the real skills because it allows you to see exactly what you need to look for when hunting for adversaries attacking your network.

For the purpose of my next threat hunting series, I will be using an ELK stack to store native Windows and Sysmon logs from my compromised systems, and Winlogbeat to forward those logs to my basic stack. Later on, I will add other open-source projects such as Security Onion, Rock NSM, or even AlienVault's OSSIM, and implement other applications such as Kafka to make my ingestion and distribution of data more robust.

Sysmon and Winlogbeat on your endpoints (Part 6)

I wish I had an EDR vendor send me a dev agent [hint! hint!] to test how much event data I can capture from an endpoint, but for now I love to use Sysmon when it comes down to endpoint visibility. In this post I will show you how to install Sysmon and use custom configurations to filter noise and still get the visibility you need to hunt for advanced adversaries. Additionally, as you might already know, we need some type of log forwarder to send logs to our ELK stack. In case you didn't know, Elastic provides several products besides Elasticsearch, Logstash and Kibana, and the one that will help us live-stream Windows event logs to our ELK stack is named Winlogbeat. In this post, I will also show you how to set it up and integrate it with our ELK stack configurations.
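The Sysmon install with a filtering config and the Winlogbeat forwarding setup described for Part 6 look like the block below. It is an added example, not the post's configuration; it assumes Sysmon64.exe and the extracted Winlogbeat folder sit under C:\Tools, that Logstash listens for Beats on 192.168.1.20:5044 (a made-up lab address), and that the schemaversion matches the Sysmon build you downloaded (3.30 is the Sysmon 6 schema from early 2017).

```powershell
# Added example (not from the original post): install Sysmon with a short
# noise-filtering config, then ship Sysmon and Security events with Winlogbeat.
# Paths, the Logstash address and the schema version are assumptions.
$ToolDir  = "C:\Tools"
$Logstash = "192.168.1.20:5044"

# --- Sysmon ---------------------------------------------------------------
# "exclude" rules log everything except the listed matches; "include" rules
# log only the listed matches. The config keeps process creation nearly
# complete, and narrows the noisier event types to what hunts usually need.
$sysmonConfig = @"
<Sysmon schemaversion="3.30">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Event 1: process creation, minus two chatty Windows binaries -->
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      <Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
    </ProcessCreate>
    <!-- Event 3: network connections from interpreters and script hosts -->
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
      <Image condition="image">cmd.exe</Image>
      <Image condition="image">rundll32.exe</Image>
      <Image condition="image">regsvr32.exe</Image>
      <Image condition="image">mshta.exe</Image>
    </NetworkConnect>
    <!-- Event 10: handles opened on lsass.exe (credential access visibility) -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="image">lsass.exe</TargetImage>
    </ProcessAccess>
    <!-- Events 12/13: writes to the classic autorun keys -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
      <TargetObject condition="contains">CurrentVersion\RunOnce</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
"@
Set-Content -Path "$ToolDir\sysmonconfig.xml" -Value $sysmonConfig -Encoding UTF8
& "$ToolDir\Sysmon64.exe" -accepteula -i "$ToolDir\sysmonconfig.xml"
# Later changes are applied without reinstalling:
#   & "$ToolDir\Sysmon64.exe" -c "$ToolDir\sysmonconfig.xml"

# --- Winlogbeat -----------------------------------------------------------
# Minimal winlogbeat.yml: read the Sysmon, Security and System channels and
# forward them to the Logstash Beats input.
$winlogbeatConfig = @"
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Security
  - name: System
    ignore_older: 72h

output.logstash:
  hosts: ["$Logstash"]
"@
Set-Content -Path "$ToolDir\winlogbeat\winlogbeat.yml" -Value $winlogbeatConfig -Encoding ASCII

# The Winlogbeat zip ships install-service-winlogbeat.ps1 to register the service.
Set-Location "$ToolDir\winlogbeat"
PowerShell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat

# Verify locally that Sysmon is writing events before looking for them in Kibana.
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

If the Kibana side stays empty while the local check shows events, the first things to confirm are that the Winlogbeat service is running, that pfSense allows the LAN host to reach the Logstash port, and that the Logstash pipeline actually has a beats input on 5044.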

Remember that these are just simple configurations I put together to fulfill most of my basic needs and what I wanted to accomplish with my own lab. These are by no means the MUST HAVE for your own lab environment, but I wanted to share it with the community and hopefully inspire others to also build their own #SharingisCaring. After this series, I will start another one where I will show you how you can use your custom environment to hunt for the hunter.

I hope these posts help you to start building your own environment and encourage you to do more research to fix or to improve what I present to you.

Feedback is greatly appreciated!  Thank you.


  1. Awesome freaking blog @elasticman99

    1. Thank you @elasticmean99, much appreciated!

  2. Hey, just saw this blog and great tutorials! Can you also update other similar blogs like this? What's your background? You seem to have a good background in offensive and defensive techniques. I would appreciate it if we can connect on LinkedIn.

    Keep up the good work and continue posting

    1. Hey Rajganesh, thank you for your great feedback. Really appreciate it. I started doing IR 3-4 years ago, but in my free time I started playing with a few offensive tools to capture their behavior and do analysis in order to make my job easier and understand what to look for and why. I now focus a lot on the techniques being implemented by adversaries, no matter what tool or script they use to accomplish their objectives. This has taken me to explore both sides of this awesome field. I'm sending you a request soon. Once again, thank you, and I will keep sharing!!

  3. Great write up! Are you aware of any Unix/Linux options for endpoint visibility (similar to Sysmon for WinOS)?

    1. Hey Unknown, thank you for the feedback! I believe OSQuery can also do Unix/Linux. However, it is not constantly sending logs to a central repository (not continuous monitoring). It basically just sends a snapshot of the information that you request at the time you send the query.

  4. Great write-ups. I am going through each of your posts and I am enjoying it. Your posts are detailed, easy to understand and very precise too. Your posts define the amount of hard work and research you have done. Thanks a lot for sharing your precious knowledge. Highly appreciated Guru (teacher)!! Keep up the good work. ;)

  5. Great stuff! Keep up the good work!

    "Later on, I will add other open-source projects such as Security Onion , Rock NSM, or even AlienVault's OSSIM and implement other applications to make my ingestion and distribution of data more robust such as Kafka."

    Are you planning to write about these anytime soon?