Building a SOC Analyst Home Lab: Environment Setup, LimaCharlie Configuration, and Sliver (C2) Implementation

Introduction:

As I journey into the cybersecurity field and pursue my career, I'm keen on honing various tools and techniques. This segment focuses on Environment Setup, LimaCharlie Configuration, and Sliver (C2) Implementation. Mastering these aspects is crucial for aspiring Security Operations Center (SOC) Analysts, requiring practical experience and hands-on expertise. Inspired by Eric Capuano insightful guides , this series delves into the foundational steps of establishing a virtual security lab. In this initial installment, we focus on creating a virtual environment and integrating essential tools while leveraging Ubuntu Server, Windows, and VMware Workstation. Additionally, we'll explore the concepts of LimaCharlie and Sliver (C2) and their significance in the cybersecurity landscape.

Setting Up the Virtual Lab:

• Installing VMware Workstation:

I began by downloading and installing VMware Workstation from the official website . Following the installation instructions, I launched the software to initiate the setup process for my virtual environment.

• Installing Ubuntu Server in a New Virtual Machine

With the Ubuntu Server ISO file obtained from the official Ubuntu website , I created a new VM in VMware Workstation. Using the downloaded ISO file as the installer image, I proceeded with the Ubuntu Server installation.

As I progressed through the Ubuntu Server installation, I reached the "Network connections" section where I needed to set a static IP address for the VM. To do this, I followed these steps:

I opened VMware Workstation and clicked on the "Edit" menu at the top to access the "Virtual Network Editor."

From there, I selected the network type as "NAT" and clicked on "NAT Settings" to proceed with the configuration.

Returning to the Ubuntu installer, I proceeded to change the network interface configuration from DHCPv4 to Manual.

To facilitate easy command copy/pasting, I installed the OpenSSH server on the Ubuntu machine.

After configuring the necessary settings, I completed the Ubuntu Server OS installation.

• Deploying and configuring the Windows Virtual Machine:

After downloading the Windows virtual machine image from 微软 's official source, I imported the VM into VMware Workstation. This involved double-clicking the downloaded file "WinDev2401Eval" and following the on-screen instructions. I made necessary adjustments to the VM's settings, including RAM allocation and disk space.

I began by starting up the VM, following Eric Capuano's instructions to fully disable Microsoft Defender. Although this action is typically discouraged in production environments, it was necessary for the purpose of this home lab setup to prevent any interference with subsequent activities.

• Install Sysmon in Windows VM

I proceeded to install Sysmon on the Windows VM. Sysmon serves as a valuable analyst tool, providing detailed telemetry on various activities within the Windows endpoint.

To set up Sysmon on the Windows VM, I followed these steps in an administrative PowerShell session:

Downloaded Sysmon using the following command:

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip        

Unzipped the Sysmon.zip file:

Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon        

I downloaded the Sysmon configuration provided by SwiftOnSecurity . Utilizing a custom rule set from SwiftOnSecurity enhances logging on a Windows endpoint, providing optimal results when combined with Sysmon.

Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml        

Installed Sysmon with Swift’s configuration using the following command:

C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml        

Install LimaCharlie EDR on Windows Virtual Machine:

LimaCharlie serves as a robust SecOps Cloud Platform, providing an extensive suite of features to bolster your cybersecurity defense. It offers a cross-platform EDR agent, robust log management capabilities, and an intelligent threat detection engine. Its comprehensive approach to security makes it akin to having a dedicated security team safeguarding your digital assets around the clock. Additionally, LimaCharlie's provision of a free tier for up to two systems enhances its accessibility for users.

• Begin by creating a free LimaCharlie account .
• After logging into LimaCharlie, proceed to create an organization

• After creating the organization, navigate to the "Add Sensor" option.

• After creating the organization, I proceeded to "Add Sensor," selected "Windows" as the sensor type, provided a description like "Windows VM - Lab," and chose the Installation Key generated earlier.

• Specify the x86-64 (.exe) sensor during the installation process.

• In the Windows VM, I opened an Administrative PowerShell prompt and executed the following commands.

cd C:\Users\User\Downloads        

cd C:\Users\User\Downloads
Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe        

• Then, I executed the following command, which contains the installation key.

lc_senser.exe -i AAAABgAAAQsFAAAAIzRkODk3MDE1YjA4MTU2MjEubGMubGltYWNoY....        

I observed that the LimaCharlie web UI showed the sensor reporting in.

• Next, I configured LimaCharlie to also send the Sysmon event logs along with its own EDR telemetry.

Navigate to the left-side menu and select "Artifact Collection."

Create a new Rule

Once configured, LimaCharlie will start sending Sysmon logs, offering a wealth of EDR-like telemetry. Sysmon remains a valuable tool for visibility, working hand in hand with any EDR agent you may have in place.

Configuring the Ubuntu Attack VM:

• For smoother command copying and pasting, I chose to SSH into the Ubuntu VM. Although modern MacOS, Linux, and Windows systems have native SSH capabilities, I decided to use Putty for this home lab setup. I haven't used Putty much in the past, so it's an exciting opportunity to try something new and expand my skills.

• After establishing an SSH connection to the VM, I followed these instructions to configure our attacker C2 server. To gain root privileges, I executed the following command.

sudo su        

• Next, I proceeded to download Sliver , a Command & Control (C2) framework developed by BishopFox. Sliver serves as an open-source post-exploitation C2 framework, providing an alternative to other C2 frameworks like Cobalt Strike and Merlin, or complementing them when used together.

• Obtain the Sliver Linux server binary

wget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux -O /usr/local/bin/sliver-server        

• Grant executable permissions

chmod +x /usr/local/bin/sliver-server        

• Install mingw-w64 to enhance functionality

apt install -y mingw-w64        

• I created a directory where I'll perform our subsequent tasks.

mkdir -p /opt/sliver        

And I have successfully configured the Sliver C2 on the Ubuntu VM.

Exploring LimaCharlie Web Interface:

Let's take a closer look at the LimaCharlie web interface. I navigated to the "Sensors List" and clicked on the hostname of the sensor I was interested in exploring.

• Timeline:

The timeline on Limacharlie EDR provides a chronological view of security events and activities on monitored endpoints, including alerts, endpoint events, incident response actions, and the progression of detected threats. It helps security analysts quickly identify and respond to potential threats.

I conducted an experiment by attempting to ping google.com from the Windows VM where LimaCharlie EDR is installed. Now, I'll check the LimaCharlie web interface's timeline to see if the event has been registered and is available for analysis.

As observed, the ping event was successfully logged and is visible on the timeline in the LimaCharlie web interface. Furthermore, it's noted that the event was captured through the Sysmon channel, affirming that both LimaCharlie and Sysmon are functioning as expected in the setup.

• Processes:

In Limacharlie EDR, the "Processes" section provides a concise overview of the processes running on monitored endpoints, including their names, paths, IDs, parent processes, command line arguments, user context, and execution timestamps.

The three dots menu for each process in Limacharlie EDR provides the following options:

These options provide various capabilities to investigate and respond to potential security threats associated with specific processes.

• File System:

In Limacharlie EDR, the "File System" section provides a view of the files and directories present on the monitored endpoints.

In Limacharlie, a standout feature is the ability to search file hash values directly with VirusTotal. This handy tool quickly checks the potential threat of files against VirusTotal's database, making it easier to assess and handle suspicious files. Integrating VirusTotal into the file explorer streamlines the analysis process, helping security analysts make better decisions and strengthen endpoint security.

In conclusion, setting up this virtual lab was both interesting and exciting. By installing tools like VMware Workstation, Ubuntu Server, Windows VMs, Sysmon, LimaCharlie EDR, and Sliver C2, I've laid a solid foundation for hands-on learning.

Exploring LimaCharlie's web interface has uncovered the power of monitoring and analyzing security events. Engaging with processes and file systems has provided me with valuable insights into threat detection and response.

Till next time, tada!

Thank you for taking the time to read this article. Your feedback and suggestions are greatly appreciated! #Cybersecurity #Infosec #LimaCharlie #Windows #EDR #Microsoft