Building a SOC Analyst Home Lab: Environment Setup, LimaCharlie Configuration, and Sliver (C2) Implementation
Introduction:
As I journey into the cybersecurity field and pursue my career, I'm keen on honing various tools and techniques. This segment focuses on Environment Setup, LimaCharlie Configuration, and Sliver (C2) Implementation. Mastering these aspects is crucial for aspiring Security Operations Center (SOC) Analysts, requiring practical experience and hands-on expertise. Inspired by Eric Capuano insightful guides, this series delves into the foundational steps of establishing a virtual security lab. In this initial installment, we focus on creating a virtual environment and integrating essential tools while leveraging Ubuntu Server, Windows, and VMware Workstation. Additionally, we'll explore the concepts of LimaCharlie and Sliver (C2) and their significance in the cybersecurity landscape.
Setting Up the Virtual Lab:
I began by downloading and installing VMware Workstation from the official website. Following the installation instructions, I launched the software to initiate the setup process for my virtual environment.
With the Ubuntu Server ISO file obtained from the official Ubuntu website, I created a new VM in VMware Workstation. Using the downloaded ISO file as the installer image, I proceeded with the Ubuntu Server installation.
As I progressed through the Ubuntu Server installation, I reached the "Network connections" section where I needed to set a static IP address for the VM. To do this, I followed these steps:
I opened VMware Workstation and clicked on the "Edit" menu at the top to access the "Virtual Network Editor."
From there, I selected the network type as "NAT" and clicked on "NAT Settings" to proceed with the configuration.
Returning to the Ubuntu installer, I proceeded to change the network interface configuration from DHCPv4 to Manual.
To facilitate easy command copy/pasting, I installed the OpenSSH server on the Ubuntu machine.
After configuring the necessary settings, I completed the Ubuntu Server OS installation.
After downloading the Windows virtual machine image from 微软 's official source, I imported the VM into VMware Workstation. This involved double-clicking the downloaded file "WinDev2401Eval" and following the on-screen instructions. I made necessary adjustments to the VM's settings, including RAM allocation and disk space.
I began by starting up the VM, following Eric Capuano's instructions to fully disable Microsoft Defender. Although this action is typically discouraged in production environments, it was necessary for the purpose of this home lab setup to prevent any interference with subsequent activities.
I proceeded to install Sysmon on the Windows VM. Sysmon serves as a valuable analyst tool, providing detailed telemetry on various activities within the Windows endpoint.
To set up Sysmon on the Windows VM, I followed these steps in an administrative PowerShell session:
Downloaded Sysmon using the following command:
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip
Unzipped the Sysmon.zip file:
Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon
I downloaded the Sysmon configuration provided by SwiftOnSecurity. Utilizing a custom rule set from SwiftOnSecurity enhances logging on a Windows endpoint, providing optimal results when combined with Sysmon.
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml
Installed Sysmon with Swift’s configuration using the following command:
C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml
Install LimaCharlie EDR on Windows Virtual Machine:
LimaCharlie serves as a robust SecOps Cloud Platform, providing an extensive suite of features to bolster your cybersecurity defense. It offers a cross-platform EDR agent, robust log management capabilities, and an intelligent threat detection engine. Its comprehensive approach to security makes it akin to having a dedicated security team safeguarding your digital assets around the clock. Additionally, LimaCharlie's provision of a free tier for up to two systems enhances its accessibility for users.
cd C:\Users\User\Downloads
cd C:\Users\User\Downloads
Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -Outfile C:\Users\User\Downloads\lc_sensor.exe
lc_senser.exe -i AAAABgAAAQsFAAAAIzRkODk3MDE1YjA4MTU2MjEubGMubGltYWNoY....
I observed that the LimaCharlie web UI showed the sensor reporting in.
领英推荐
Navigate to the left-side menu and select "Artifact Collection."
Create a new Rule
Once configured, LimaCharlie will start sending Sysmon logs, offering a wealth of EDR-like telemetry. Sysmon remains a valuable tool for visibility, working hand in hand with any EDR agent you may have in place.
Configuring the Ubuntu Attack VM:
sudo su
wget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux -O /usr/local/bin/sliver-server
chmod +x /usr/local/bin/sliver-server
apt install -y mingw-w64
mkdir -p /opt/sliver
And I have successfully configured the Sliver C2 on the Ubuntu VM.
Exploring LimaCharlie Web Interface:
Let's take a closer look at the LimaCharlie web interface. I navigated to the "Sensors List" and clicked on the hostname of the sensor I was interested in exploring.
The timeline on Limacharlie EDR provides a chronological view of security events and activities on monitored endpoints, including alerts, endpoint events, incident response actions, and the progression of detected threats. It helps security analysts quickly identify and respond to potential threats.
I conducted an experiment by attempting to ping google.com from the Windows VM where LimaCharlie EDR is installed. Now, I'll check the LimaCharlie web interface's timeline to see if the event has been registered and is available for analysis.
As observed, the ping event was successfully logged and is visible on the timeline in the LimaCharlie web interface. Furthermore, it's noted that the event was captured through the Sysmon channel, affirming that both LimaCharlie and Sysmon are functioning as expected in the setup.
In Limacharlie EDR, the "Processes" section provides a concise overview of the processes running on monitored endpoints, including their names, paths, IDs, parent processes, command line arguments, user context, and execution timestamps.
The three dots menu for each process in Limacharlie EDR provides the following options:
These options provide various capabilities to investigate and respond to potential security threats associated with specific processes.
In Limacharlie EDR, the "File System" section provides a view of the files and directories present on the monitored endpoints.
In Limacharlie, a standout feature is the ability to search file hash values directly with VirusTotal. This handy tool quickly checks the potential threat of files against VirusTotal's database, making it easier to assess and handle suspicious files. Integrating VirusTotal into the file explorer streamlines the analysis process, helping security analysts make better decisions and strengthen endpoint security.
In conclusion, setting up this virtual lab was both interesting and exciting. By installing tools like VMware Workstation, Ubuntu Server, Windows VMs, Sysmon, LimaCharlie EDR, and Sliver C2, I've laid a solid foundation for hands-on learning.
Exploring LimaCharlie's web interface has uncovered the power of monitoring and analyzing security events. Engaging with processes and file systems has provided me with valuable insights into threat detection and response.
Till next time, tada!
Thank you for taking the time to read this article. Your feedback and suggestions are greatly appreciated! #Cybersecurity #Infosec #LimaCharlie #Windows #EDR #Microsoft