Tuesday, January 31, 2017

ED without the R Lab Setup

Hello readers, unfortunately in the latter part of 2016 I was not able to write as much as I intended due to personal matters, but this year my goal is to write at least one blog post per month.

For my first blog post of 2017, I wanted to show how to set up an endpoint detection lab using Sysmon, Windows auditing and the free version of Splunk. There are many endpoint detection and response products such as CarbonBlack, Crowdstrike's Falcon Host, Tanium Trace, Endgame, etc. If you have used any of these tools then you know the value they provide from an incident response, detection and threat hunting perspective. Unfortunately these tools come at a cost; thankfully the great team at Sysinternals released Sysmon, which provides visibility on par with the commercial tools I mentioned.

Laptop or desktop capable of running 3+ virtual machines
Virtualization software (VirtualBox, VMware, etc.)
Windows 7, 8.1, or 10 Pro or Enterprise ISOs and license, x64 or x86
Windows Server 2008R2+ (optional)
*note that the Pro and Enterprise versions are needed for the Windows auditing policy.
Set up a free Splunk account to download the installer and the add-ons.

Splunk Add-Ons
TA for Microsoft Windows — this will provide the extracted fields for Windows event logs
Add-on for Sysmon
Splunk forwarder for Windows
Google Chrome

For licensing, if you are a working pro you may have access to all of these through job perks; if not, have a chat with your manager :) . For students, look into Microsoft Imagine, formerly known as Dreamspark; depending on the school's subscription level you may get access to all of the software for free or at a discount.

Splunk Instance
Your first VM will host the Splunk instance. Assign at least 2 cores, 4GB of RAM and 120GB of drive space; if you can give it more, by all means do. I recommend a 64-bit install of Windows for this VM with the latest patches applied. Install Splunk as shown in the video, then install Google Chrome and set it as the default web browser. If all goes well, Chrome will open http://localhost:8000 and you will be presented with the Splunk interface. Yay!

Installing Add-Ons
You may be wondering what these add-ons are for. Short answer: they contain the field extraction syntax for the logs we will be collecting from our second VM, so that we can search on relevant fields like EventCode (Event ID), Process (process name), etc.

There are two ways to install add-ons: you can download the compressed packages using the links I posted and install them through the Splunk interface, or use the Splunk apps button you see in the screenshot. Both require a Splunk account. Which one is easier? The second option. Search for the add-on names as I have posted them; when you click on the install button you will be prompted for your Splunk account credentials, enter them and the add-ons will be automagically installed. If you run into issues or want to do it manually, here is a guide from Splunk.

After you have finished installing the add-ons, set the networking type of the Splunk VM to host only. Make note of the IP address that is assigned. Create a snapshot.

The second VM can be Windows 7, 8.1 or 10, x86 or x64, or even Windows Server 2008R2+, depending on your testing/analysis goals. Patching is optional.
You can set up this VM with a single core, 2-4GB of memory and 60-80GB of drive space.

To configure the Windows auditing policy you can use the Local Security Policy MMC console or import my settings with auditpol. If you choose the latter, you can download the file from here. The file is in CSV format, exported with the auditpol utility from my test system, and can be opened in Notepad++ or Excel for review. To import the settings, save the file to a location inside the 2nd VM, something like C:\test\audit.csv, then open an elevated command prompt and type:

auditpol /restore /file:C:\test\audit.csv

If all goes well, it should look like the screenshot below.
Next, transfer or download Sysmon to your 2nd VM. Change into the directory where sysmon.exe or sysmon64.exe resides and execute the following (use sysmon64 if the VM is 64-bit):

sysmon -accepteula -i -h md5,sha256 -n -l

This installs Sysmon as a service/driver and logs the MD5 and SHA256 hashes of executables launched, network connections and module loads by processes. This casts a wide net of events, but since this is a lab setup the point is to get familiar with what things look like and then improve the config.

I like to increase the log size to at least 1GB for the Sysmon, Application, Security and System event logs so that events don't roll over when I am not using snapshots. To do this, type the following command:

wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:1073741824

Replace Microsoft-Windows-Sysmon/Operational with Application, Security and System, running the command once for each log.

Set the networking type of the 2nd VM to host only. Make note of the IP address that is assigned.
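The 2nd VM steps above, gathered into one elevated PowerShell script that applies each setting and then checks it took effect; this is an added example, not part of the original post. It assumes audit.csv and sysmon64.exe are in C:\test (use sysmon.exe on a 32-bit VM) and that the audit export enables at least the "Process Creation" subcategory.

```powershell
# Added example (not from the original post): configure the 2nd VM and verify each step.
$AuditCsv  = 'C:\test\audit.csv'        # assumed location of the exported audit policy
$SysmonExe = 'C:\test\sysmon64.exe'     # assumed location; sysmon.exe on a 32-bit VM
$Logs      = 'Microsoft-Windows-Sysmon/Operational', 'Application', 'Security', 'System'
$MaxBytes  = 1GB                        # 1073741824 bytes, the size used in the post

# 1. Audit policy: restore the exported settings, then read one subcategory back.
auditpol /restore /file:$AuditCsv | Out-Null
$procAudit = auditpol /get /subcategory:"Process Creation" | Out-String
if ($procAudit -notmatch 'Success') { Write-Warning 'Process Creation auditing is not enabled' }

# 2. Sysmon: install as a service/driver only if the service is not already present.
$svcName = [IO.Path]::GetFileNameWithoutExtension($SysmonExe)   # Sysmon64 or Sysmon
if (-not (Get-Service -Name $svcName -ErrorAction SilentlyContinue)) {
    # quote the hash list: PowerShell would otherwise split md5,sha256 into two arguments
    & $SysmonExe -accepteula -i -h 'md5,sha256' -n -l | Out-Null
}
"$svcName service: $((Get-Service -Name $svcName).Status)"

# 3. Raise each log to 1GB and confirm the new maximum from the log configuration.
foreach ($log in $Logs) {
    wevtutil sl $log /ms:$MaxBytes
    $cfg = Get-WinEvent -ListLog $log
    '{0,-45} max {1,10} bytes  enabled={2}' -f $log, $cfg.MaximumSizeInBytes, $cfg.IsEnabled
}

# 4. End-to-end check: start a harmless process and look for it in both logging sources.
Start-Process -FilePath whoami.exe -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$sysmonHit = Get-WinEvent -FilterHashtable @{LogName=$Logs[0]; Id=1} -MaxEvents 50 -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'whoami\.exe' } | Select-Object -First 1
$auditHit  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 50 -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'whoami\.exe' } | Select-Object -First 1
"Sysmon EventID 1 for whoami.exe : $([bool]$sysmonHit)"
"Security 4688 for whoami.exe    : $([bool]$auditHit)"
# With -h md5,sha256 the Sysmon message carries a line like "Hashes: MD5=...,SHA256=...";
# -n and -l add EventID 3 (network connection) and EventID 7 (image load) for the same process.
```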

Are We Done Yet???
Almost :) . The last piece is installing the Splunk forwarder. Use the x86 or x64 MSI installer and choose the customize options.

Click Next on the following screens and leave the settings as they are; do not check any of the boxes on this screen. We will configure these manually later.

When you get to this screen, fill in the IP address of your Splunk instance, click Next and finish the install.

Open Windows Explorer and browse to
C:\Program Files\SplunkUniversalForwarder\etc\system\local

Edit the inputs.conf file:

host = W701-64   <<<< this is my hostname, yours will be different
———paste the text below after the above————
# One [WinEventLog://...] stanza per collected log. The stanza headers did not survive on this page;
# they are assumed here to be the four logs enlarged with wevtutil earlier, Sysmon first.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

[WinEventLog://Application]
disabled = 0
renderXml = true

[WinEventLog://Security]
disabled = 0
renderXml = true

[WinEventLog://System]
disabled = 0
renderXml = true

Save the inputs.conf file and restart the VM or the SplunkForwarder service. To verify that the 2nd VM is communicating with the Splunk instance, open Task Manager, click on the Performance tab, then click on the Resource Monitor button.

In Resource Monitor, click on the Network tab, look for/filter on the splunkd.exe process and look at the Network Activity and TCP Connections sections. There should be activity under the Send column of the Network Activity section. Once validated, create a VM snapshot.

You can also check in your Splunk instance using the query shown in the screenshot, replacing host with the hostname of your 2nd VM.
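The same forwarder checks done from a PowerShell prompt on the 2nd VM instead of the Resource Monitor GUI; this is an added example, not part of the original post. It assumes the Splunk VM's host-only address is 192.168.56.1 (a placeholder; use the one you noted), the receiving port is Splunk's default 9997, and netstat prints English state names.

```powershell
# Added example (not from the original post): confirm the universal forwarder is running,
# has the WinEventLog stanzas loaded, and holds an established session to the Splunk VM.
$SplunkHost = '192.168.56.1'   # placeholder: the Splunk VM's host-only address
$SplunkPort = 9997             # assumed: Splunk's default receiving port
$UfHome     = 'C:\Program Files\SplunkUniversalForwarder'

# 1. Service state (the universal forwarder runs as the SplunkForwarder service).
$svc = Get-Service -Name SplunkForwarder -ErrorAction Stop
"SplunkForwarder service: $($svc.Status)"

# 2. Stanzas actually present in the inputs.conf edited above.
$inputs  = Get-Content -Path (Join-Path $UfHome 'etc\system\local\inputs.conf')
$stanzas = @($inputs | Where-Object { $_ -match '^\[WinEventLog://' })
"WinEventLog stanzas in etc\system\local\inputs.conf: $($stanzas.Count)"
$stanzas | ForEach-Object { "  $_" }

# 3. Ask the forwarder which inputs it merged from every inputs.conf (btool shows the source file).
& (Join-Path $UfHome 'bin\splunk.exe') btool inputs list --debug |
    Select-String -Pattern 'WinEventLog://' | ForEach-Object { "  $($_.Line)" }

# 4. Outbound session: what Resource Monitor shows for splunkd.exe, via netstat so it also
#    works on Windows 7 (which lacks Get-NetTCPConnection).
$splunkdPids = @((Get-Process -Name splunkd -ErrorAction Stop).Id)
$pidPattern  = ($splunkdPids | ForEach-Object { [string]$_ }) -join '|'
$target      = [regex]::Escape("${SplunkHost}:${SplunkPort}")
$conn = netstat -ano | Select-String -Pattern "$target\s+ESTABLISHED\s+($pidPattern)\s*$"
if ($conn) { "splunkd.exe (PID $($conn.Matches[0].Groups[1].Value)) is connected to ${SplunkHost}:${SplunkPort}" }
else       { Write-Warning "no ESTABLISHED session from splunkd.exe to ${SplunkHost}:${SplunkPort}" }
```

If step 4 warns, check that the Splunk VM is listening on the receiving port (Settings > Forwarding and receiving in the Splunk web interface) and that both VMs are on the same host-only network.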

Why Bother?
Well, if you like experimenting and thinking like an attacker but also as a defender, this setup allows you to test different scenarios. For example, if I had such logging enabled in my enterprise, how would I detect someone using OneDrive via the net use command? Is that common? Or what does copying from the volume shadow copies look like using the @GMT method?

I will discuss these scenarios and others in upcoming posts, until then happy hunting!

If you have any questions, please leave a comment and I'll try to answer as best as I can.