{"id":142,"date":"2022-09-11T00:43:18","date_gmt":"2022-09-11T00:43:18","guid":{"rendered":"https:\/\/justruss.tech\/?p=142"},"modified":"2023-07-30T03:18:41","modified_gmt":"2023-07-30T03:18:41","slug":"setting-up-a-home-lab","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2022\/09\/11\/setting-up-a-home-lab\/","title":{"rendered":"Setting up a home lab"},"content":{"rendered":"\n<p>I bought myself a server to expand my development, as the war between gaming and personal development was finally over and, you guessed it, games won. Instead of simply copying my existing virtual machines over, I decided to build my lab again from the ground up using new tools and endpoints.<\/p>\n\n\n\n<p>This blog will be split into multiple parts, listed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Part 1 &#8211; The Setup &#8211; Network topology and endpoint installs<\/li>\n\n\n\n<li>Part 2 &#8211; The Connection &#8211; Connecting all the endpoints and pipes to get logs flowing<\/li>\n\n\n\n<li>Part 3 &#8211; The Exploit &#8211; Run a few malicious activities to test visibility<\/li>\n<\/ul>\n\n\n\n<p>With the intros out of the way, let&#8217;s kick this weekend project off.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Part 1 &#8211; The Setup &#8211; Network topology and endpoint installs<\/h2>\n\n\n\n<p>For the setup, I am going to largely copy DetectionLab&#8217;s design, https:\/\/detectionlab.network. 
Whilst I may end up using their easy deployment processes, I wanted to set this up myself from scratch so that I know every aspect of the deployment: not only for my own awareness of resourcing and the network interoperability of servers, logs, tools and workflows, but also so that I can assist any clients who request similar deployments.<\/p>\n\n\n\n<p>So the design is very straightforward:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ubuntu 22.04 LTS &#8211; Used to capture and index everything.\n<ul class=\"wp-block-list\">\n<li>Services\n<ul class=\"wp-block-list\">\n<li>Splunk<\/li>\n\n\n\n<li>Malcolm &#8211; https:\/\/malcolm.fyi\/<\/li>\n\n\n\n<li>Velociraptor &#8211; https:\/\/github.com\/Velocidex\/velociraptor<\/li>\n\n\n\n<li>Fleet &#8211; https:\/\/fleetdm.com\/<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Windows Server 2022 &#8211; The DC\n<ul class=\"wp-block-list\">\n<li>Services \/ Tools\n<ul class=\"wp-block-list\">\n<li>DC<\/li>\n\n\n\n<li>ATA Lightweight Gateway<\/li>\n\n\n\n<li>Sysmon<\/li>\n\n\n\n<li>Osquery<\/li>\n\n\n\n<li>Velociraptor agent<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Windows Server 2022 &#8211; Windows Event Forwarder\n<ul class=\"wp-block-list\">\n<li>Services \/ Tools\n<ul class=\"wp-block-list\">\n<li>Windows Event Collector<\/li>\n\n\n\n<li>Splunk Forwarder<\/li>\n\n\n\n<li>Microsoft ATA<\/li>\n\n\n\n<li>Sysmon<\/li>\n\n\n\n<li>Osquery<\/li>\n\n\n\n<li>Velociraptor agent<\/li>\n\n\n\n<li>PowerShell Log Collector<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Windows 10 &#8211; The main victim\n<ul class=\"wp-block-list\">\n<li>Services \/ Tools\n<ul class=\"wp-block-list\">\n<li>Simulates a user desktop<\/li>\n\n\n\n<li>Sysmon<\/li>\n\n\n\n<li>Osquery<\/li>\n\n\n\n<li>Velociraptor agent<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Kali Linux &#8211; The actor\n<ul class=\"wp-block-list\">\n<li>Services \/ Tools\n<ul class=\"wp-block-list\">\n<li>Whatever is 
needed<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Part-2---The-Connection---Connecting-all-the-endpoints-and-pipes-to-get-logs-flowing\">Part 2 &#8211; The Connection &#8211; Connecting all the endpoints and pipes to get logs flowing<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Part-3---The-Exploit---Run-a-few-malicious-activities-to-test-visibility\">Part 3 &#8211; The Exploit &#8211; Run a few malicious activities to test visibility<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>I bought myself a server to expand my development, as the war between gaming and personal development was finally over and, you guessed it, games won. Instead of simply copying my existing virtual machines over, I decided to build my lab again from the ground up using new tools and endpoints. This blog will be split [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-142","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=142"}],"version-history":[{"count":5,"href":"https:\/\/justruss.tech\/index.php\/wp-js
on\/wp\/v2\/posts\/142\/revisions"}],"predecessor-version":[{"id":155,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/142\/revisions\/155"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}