Setting up a Cyber Detection Lab

I followed a guide from Cyberwox Academy to configure a simulated enterprise network for practicing SOC analyst procedures.

Installing and Setting Up pfSense Firewall

For this lab I am using the VMware Workstation Pro hypervisor. I created the pfSense VM with the settings shown above, adding five network adapters to support all the machines we will use in this lab. The pfSense ISO can be downloaded from the pfSense website. After installing it, I assigned all of the interfaces for our network.

After assigning the interfaces, I was able to access the pfSense web GUI from my Kali machine.

pfSense setup is complete and all interfaces are assigned. I also created a rule to allow all IPv4 connections on the WAN interface. An allow-all rule like this is acceptable only because the lab is isolated from any real network; it should never be carried over to a production perimeter.

Security Onion Setup

To monitor SPAN port traffic from the domain controller, Security Onion was installed as the SIEM for our network. I downloaded the ISO from the Security Onion website, created a new virtual machine and ran the installer. After installation I added all of our networks and used "so-allow" to add a firewall rule permitting management access from our Ubuntu server.

Kali

Kali Linux will be the attack machine for this lab; it is also the machine from which the pfSense firewall GUI is accessed.

Domain Controller

For this lab I will be using Windows Server 2019. I downloaded the ISO from Microsoft's website and created a new virtual machine in VMware.

Server roles and AD DS are configured.

The name of this domain will be “TEST.local”. After naming the domain I disabled all Windows Defender services so they do not interfere with the lab (a lab-only shortcut; on a real domain controller Defender stays on). The domain controller gets a static IP of 192.168.2.10, with the pfSense firewall at 192.168.2.1 as its default gateway.
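The same domain controller build, done from PowerShell instead of the Server Manager GUI, as an added example (this is not code from the original write-up or from the Cyberwox guide). The IP address, gateway and domain name are the ones above; the adapter alias "Ethernet0", the /24 prefix and the choice to have the DC run DNS for itself are my assumptions.

```powershell
# Added example: promote the Windows Server 2019 VM to the first DC of TEST.local.
# Run in an elevated PowerShell on the server; the last step reboots the machine.
# Assumptions: adapter alias "Ethernet0", a /24 subnet, and the DC hosting DNS itself.

$Adapter = 'Ethernet0'      # assumed adapter alias; confirm with Get-NetAdapter
$DcIp    = '192.168.2.10'   # from the write-up
$Gateway = '192.168.2.1'    # pfSense, from the write-up
$Domain  = 'TEST.local'
$Netbios = 'TEST'

# 1. Static addressing. A DC must not depend on DHCP, so disable it, drop any
#    leased address and default route, then assign the fixed IP with pfSense as gateway.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway

# 2. A DC that hosts DNS resolves through itself, so the AD-integrated zone is used
#    for every lookup on this box (loopback first, own address as fallback).
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses '127.0.0.1', $DcIp

# 3. Install the AD DS role and create the forest. The DSRM password is prompted for
#    rather than hard-coded. -InstallDns creates the TEST.local zone on this server;
#    -Force suppresses the confirmation prompt before the automatic reboot.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName $Domain -DomainNetbiosName $Netbios -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# After the reboot, confirm the domain is up and the DC locator records exist.
# Workstations find a DC through exactly this SRV record, so if it does not resolve
# here, no domain join will work later:
#   Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
#   Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
```

The SRV lookup at the end is the check worth doing before moving on to the workstation: a join that fails with "the domain could not be contacted" is almost always this record not resolving from the client.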

Setting up Windows workstation

I set up a Windows 10 workstation on the victim network. I assigned it a static IP address, with the default gateway pointing to the pfSense firewall and the DNS server pointing to the DC, and then joined it to the “TEST.local” domain.

We can now see our Windows 10 workstation in Active Directory Users and Computers.
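The workstation side of the same join, as an added PowerShell example (again not code from the write-up or the Cyberwox guide). The DC address 192.168.2.10 and the pfSense gateway 192.168.2.1 are from the write-up; the adapter alias "Ethernet0" and the workstation address 192.168.2.20/24 are my assumptions, since the post does not state the workstation's IP.

```powershell
# Added example: static addressing and domain join for the Windows 10 workstation.
# Run in an elevated PowerShell on the workstation; the join reboots the machine.
# Assumptions: adapter alias "Ethernet0" and workstation address 192.168.2.20/24.

$Adapter = 'Ethernet0'      # assumed; confirm with Get-NetAdapter
$WsIp    = '192.168.2.20'   # assumed workstation address
$Gateway = '192.168.2.1'    # pfSense, from the write-up
$DcIp    = '192.168.2.10'   # domain controller and DNS server, from the write-up
$Domain  = 'TEST.local'

# 1. Static IP with pfSense as the default gateway, same pattern as on the DC.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $WsIp -PrefixLength 24 -DefaultGateway $Gateway

# 2. DNS must point at the DC, not at pfSense or a public resolver: the join locates
#    a domain controller through the _ldap._tcp SRV records that only the DC's
#    AD-integrated zone serves.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp

# 3. Prove that prerequisite before attempting the join. -ErrorAction Stop aborts
#    the script with a clear DNS error instead of a vague "domain could not be contacted".
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null

# 4. Join and reboot. Get-Credential prompts for a domain account allowed to add
#    computers (the domain Administrator is fine in a lab; in production use a
#    delegated join account instead).
Add-Computer -DomainName $Domain -Credential (Get-Credential 'TEST\Administrator') -Restart

# After the reboot, verify membership and the machine's secure channel to the DC:
#   (Get-CimInstance Win32_ComputerSystem).Domain   # TEST.local
#   Test-ComputerSecureChannel -Verbose             # True
# On the DC, the new computer object appears in: Get-ADComputer -Filter *
```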

Splunk setup

I installed Splunk on the Ubuntu machine. I navigated to the Splunk directory and started the Splunk service, which makes the Splunk web GUI available.

In the Splunk web GUI (Settings > Forwarding and receiving) I configured Splunk to listen on port 9997, which will receive data from the DC through the Splunk universal forwarder.

Data is now starting to come in to the “wineventlog” index I created. The index has to exist on the Splunk server before the forwarder starts sending: events addressed to an index that does not exist are dropped, not queued.
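What the DC side of this looks like in PowerShell, as an added example (not code from the write-up or the Cyberwox guide): a silent install of the Splunk universal forwarder pointed at the receiving port above, plus an inputs.conf that sends the Security, System and Application logs to the "wineventlog" index. Port 9997 and the index name are from the write-up; the Ubuntu server address 192.168.3.10, the installer path, and the app directory name "lab_wineventlog" are my assumptions.

```powershell
# Added example: install and configure the Splunk universal forwarder on the DC.
# Run in an elevated PowerShell on the domain controller.
# Assumptions: UF installer at C:\Temp\splunkforwarder-x64.msi, Splunk server at
# 192.168.3.10, and an app directory named lab_wineventlog for our own inputs.

$Msi        = 'C:\Temp\splunkforwarder-x64.msi'     # assumed download location
$Indexer    = '192.168.3.10:9997'                    # assumed server IP; 9997 is from the write-up
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Index      = 'wineventlog'                          # index created in the write-up

# 1. Silent install. RECEIVING_INDEXER writes outputs.conf for the port opened under
#    Settings > Forwarding and receiving. SPLUNKUSERNAME/SPLUNKPASSWORD create the
#    forwarder's local admin account; the password is prompted for so it does not
#    sit in the script.
$Pw = Read-Host 'Local admin password for the forwarder'
$MsiArgs = @(
    '/i', "`"$Msi`"", '/quiet',
    'AGREETOLICENSE=Yes',
    "RECEIVING_INDEXER=`"$Indexer`"",
    'SPLUNKUSERNAME=admin',
    "SPLUNKPASSWORD=`"$Pw`""
)
Start-Process msiexec.exe -ArgumentList $MsiArgs -Wait -NoNewWindow

# 2. Inputs. Keeping them in a small app under etc\apps rather than etc\system\local
#    separates our settings from anything the installer wrote. Every stanza names the
#    index explicitly; without "index =" the events land in "main". renderXml sends
#    the structured XML rendering of each event instead of the classic text form.
$App = Join-Path $SplunkHome 'etc\apps\lab_wineventlog\local'   # assumed app name
New-Item -ItemType Directory -Path $App -Force | Out-Null
@"
[WinEventLog://Security]
disabled = 0
index = $Index
renderXml = true

[WinEventLog://System]
disabled = 0
index = $Index
renderXml = true

[WinEventLog://Application]
disabled = 0
index = $Index
renderXml = true
"@ | Set-Content -Path (Join-Path $App 'inputs.conf') -Encoding ASCII

# 3. Restart the forwarder and confirm it holds a TCP session to the indexer.
Restart-Service -Name SplunkForwarder
Start-Sleep -Seconds 10
Get-NetTCPConnection -RemotePort 9997 -State Established |
    Select-Object LocalAddress, RemoteAddress, RemotePort

# If the session is up but nothing shows in Splunk, check Settings > Indexes on the
# server: the wineventlog index must exist, since events sent to a missing index are
# dropped. Then search:  index=wineventlog | stats count by source
```

The established connection to port 9997 is the first thing to check when the index stays empty; the second is the index itself, because a forwarder will happily stream events the indexer silently discards.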