Saturday, January 30, 2021

Creating an Active Directory (AD) lab for log-based detection research and development with Vagrant, Humio, and AtomicRedTeam

introduction

A few years or months ago, I came across the DetectionLab project and thought it was neat. It would let me conduct attacks, work on detection rules, and test those rules. DetectionLab uses Splunk for storing logs, which I'm not used to, and it also requires more system resources than my machine has.

I then came across DetectionLabELK, which is similar to DetectionLab but uses the ELK stack, which I am familiar with. I still had the same issue with system requirements, and I didn't need some of the project's components. The DetectionLabELK people (CyberDefenders) provide a cloud version of it, which is very cheap if you want to use it for testing, but I still wanted something on my own machine.

I did build an AD lab manually; however, after not taking snapshots and breaking the lab, I decided that I should just use Vagrant.

For my lab needs, I just need to look at logs, not network traffic. I also only need one DC, one workstation, and a Kali VM. I'm very familiar with Humio, so I decided to use a Humio cloud (free) account to store and search my logs. Kali is good for running certain attacks, but I also wanted AtomicRedTeam so I could use it to generate log data and test queries. The AD lab I made was also inspired by the Applied Purple Teaming course and the TheCyberMentor ethical hacking course.

design

Domain: testlab.local
Computers:
dc1 - 192.168.200.11 - Windows Server 2019 Desktop
workstation1 - 192.168.200.12 - Windows 10
kali - no IP initially, you have to set it to 192.168.200.13 - Kali Linux

Users:
local user: vagrant / vagrant works on all machines
domain users: 
jsmith / Password123
jdoe / 123Password
SQLService / Servicepass123

All domain users are in the Domain Admins, Administrators, and Enterprise Admins groups.

jsmith is a local admin on workstation1.
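One way to create the users and group memberships described above, as an added example and not the project's own create-users.ps1. It assumes the ActiveDirectory module is available on dc1 (it is installed with the AD DS role) and that it runs as a domain admin after promotion; the OU path and the 'testlab.local' UPN suffix follow the design section.

```powershell
# Added example (not the project's create-users.ps1): creates the three lab users
# listed in the design section on dc1 and puts each one in all three groups.
# Assumes the ActiveDirectory module is present and the script runs as a domain admin.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # DC=testlab,DC=local in this lab

# Credentials exactly as listed in the design section (lab-only values)
$labUsers = @(
    @{ Name = 'jsmith';     Password = 'Password123' },
    @{ Name = 'jdoe';       Password = '123Password' },
    @{ Name = 'SQLService'; Password = 'Servicepass123' }
)

# Groups from the design section; every lab user goes into all three
$groups = 'Domain Admins', 'Administrators', 'Enterprise Admins'

foreach ($u in $labUsers) {
    $secure = ConvertTo-SecureString $u.Password -AsPlainText -Force

    # Idempotent: skip creation if the account already exists
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Name)'")) {
        New-ADUser -Name $u.Name `
                   -SamAccountName $u.Name `
                   -UserPrincipalName "$($u.Name)@testlab.local" `
                   -AccountPassword $secure `
                   -PasswordNeverExpires $true `
                   -Enabled $true `
                   -Path "CN=Users,$domainDn"
    }

    foreach ($g in $groups) {
        # Add-ADGroupMember errors on duplicates, so check membership first
        $already = Get-ADGroupMember -Identity $g | Where-Object SamAccountName -eq $u.Name
        if (-not $already) {
            Add-ADGroupMember -Identity $g -Members $u.Name
        }
    }
}

# Verify: print each user's group membership as the domain sees it
foreach ($u in $labUsers) {
    $members = (Get-ADPrincipalGroupMembership -Identity $u.Name).Name -join ', '
    '{0}: {1}' -f $u.Name, $members
}
```

The final loop is the check worth keeping: if a later change to the lab quietly drops a user out of Enterprise Admins, the membership line shows it immediately.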

setup

system requirements:
Any modern 4-core, 8-thread CPU should be fine. I'm using an i7-6700HQ.
Around 16GB of RAM should work fine as well.

virtualbox download and installation:
Download and install virtualbox from here: https://www.virtualbox.org/wiki/Downloads
Install Oracle VM VirtualBox Extension Pack as well.

vagrant download and installation:
Download and install vagrant from here: https://www.vagrantup.com/downloads
Once Vagrant is installed, open a command line and run "vagrant plugin install vagrant-reload" to install the reload plugin. More info here: https://github.com/aidanns/vagrant-reload

downloading the github project:
Download the zip and unzip it, or run git clone https://github.com/BoredHackerBlog/LogDetectionLab

setting up humio:
Get a Humio account and log in at cloud.humio.com.
Create a new token for this project. You can leave the parser as None. Copy the token.
Edit the winlogbeat.yml file and change the password to your token.

usage

Vagrant command line guide: https://www.vagrantup.com/docs/cli

Open a command prompt and cd into the LogDetectionLab folder.
Type vagrant up to bring up all 3 virtual machines.
Your initial run will download the VM boxes and set everything up. This may take 30 minutes to an hour.

Once all the machines are up and running and the vagrant command exits in the command prompt, you will need to log in to the Kali Linux VM and change the eth1 IP to 192.168.200.13.

You will have to disable Defender on workstation1 and install invoke-atomicredteam manually (check the GitHub page for bugs).

To use invoke-atomicredteam, open PowerShell and run: Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
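The point of running Atomic tests in this lab is to generate log data and then confirm the query catches it, so the following added example (not code from the post or from the Atomic Red Team project) wraps a single test run and returns the Sysmon process-creation events it produced on workstation1. It assumes the module path given above, that Sysmon from enable_logging.bat is running, and that the technique ID and test number in the usage line are placeholders you pick after listing the technique's tests with -ShowDetailsBrief (test numbers change between Atomic Red Team versions).

```powershell
# Added example, not from the post or the Atomic Red Team project: run one Atomic
# test and return the Sysmon process-creation events logged while it ran, so the
# local log can be compared against what shows up in Humio.
# Assumes the post's module path and a running Sysmon (enable_logging.bat).
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

function Invoke-LabAtomic {
    param(
        [Parameter(Mandatory)] [string] $Technique,   # e.g. 'T1087.001'
        [Parameter(Mandatory)] [int]    $TestNumber
    )

    # Show what will run and confirm prerequisites before executing anything
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -ShowDetailsBrief
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -CheckPrereqs

    $start = Get-Date
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup

    # Sysmon Event ID 1 = process creation. Read fields from the event XML by
    # name rather than by Properties[] index, which shifts between Sysmon versions.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $start
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = ($data | Where-Object Name -eq 'User').'#text'
            ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
            Image       = ($data | Where-Object Name -eq 'Image').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}

# Usage: technique and test number are placeholders (assumed, not from the post).
# List a technique's tests first with: Invoke-AtomicTest T1087.001 -ShowDetailsBrief
$generated = Invoke-LabAtomic -Technique 'T1087.001' -TestNumber 1
if ($generated) {
    $generated | Format-Table -AutoSize
} else {
    Write-Warning 'No Sysmon process-creation events since the test started; check that Sysmon is installed and logging.'
}
```

Keeping the cleanup step inside the wrapper means each run leaves the VM in the same state, which matters when you rerun a test to tune a query rather than taking a Vagrant snapshot each time. The ParentImage and User columns are usually what turns a noisy CommandLine match into a usable detection.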

You can also bring up a single machine with vagrant up MACHINENAME, such as vagrant up dc1.

To tear down the lab, run vagrant destroy -f. This will shut down the VMs and remove them.

Vagrant also supports making snapshots and you can read more about that here: https://www.vagrantup.com/docs/cli/snapshot

modifying the project

Vagrantfile - this can be changed to modify VM CPU and memory resources, port forwarding, hostnames, IP addresses, and the scripts that run.

install-dc.ps1 - domain controller promotion script

join-domain.ps1 - joins the computer to the domain and adds jsmith as a local admin

create-users.ps1 - creates users on the dc

create-smbshare.ps1 - create an smb share on the dc

change_ui.ps1 - changes some Windows settings so the UI is adjusted for best performance

change_sec_config.bat - disables updates, the firewall, Defender, and UAC, and enables RDP

install-atomicredteam.ps1 - installs invoke-atomicredteam

enable_logging.bat - enables a bunch of logging, installs Sysmon with olafhartong's config, and downloads winlogbeat

winlogbeat.yml - winlogbeat config file. You'll have to edit this to change where the logs go. Also, as you start seeing event IDs that are not useful, you can edit this file to drop them, or modify enable_logging.bat to avoid enabling certain events.

setup_winlogbeat.bat - sets up winlogbeat
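As an added example of what enable_logging.bat is described as doing (this is not the project's script, and it leaves the winlogbeat part to setup_winlogbeat.bat), the following PowerShell turns on the log sources a detection lab needs and then reports whether each one actually took effect. It assumes it runs as Administrator on the lab VM, uses Microsoft's Sysinternals download URL and the sysmonconfig.xml from olafhartong's sysmon-modular repository, and the C:\sysmon working directory is a constructed choice.

```powershell
# Added example (not the project's enable_logging.bat): enable process-creation
# auditing with command lines, PowerShell script block/module logging, and Sysmon
# with the sysmon-modular config, then verify each setting. Run as Administrator.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Security log: event 4688 for every new process, including the command line
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. PowerShell: script block logging (event 4104) and module logging (event 4103)
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 3. Sysmon with olafhartong's sysmon-modular config ($work is a constructed path)
$work = 'C:\sysmon'
New-Item -Path $work -ItemType Directory -Force | Out-Null
Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' -OutFile "$work\Sysmon.zip"
Expand-Archive -Path "$work\Sysmon.zip" -DestinationPath $work -Force
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml' `
                  -OutFile "$work\sysmonconfig.xml"
& "$work\Sysmon64.exe" -accepteula -i "$work\sysmonconfig.xml"

# Verification: every line should end in True before winlogbeat is pointed at Humio
$checks = [ordered]@{
    'Process Creation audit' = [bool]((auditpol /get /subcategory:"Process Creation") -match 'Success')
    'Command line in 4688'   = (Get-ItemProperty $auditKey).ProcessCreationIncludeCmdLine_Enabled -eq 1
    'Script block logging'   = (Get-ItemProperty "$psPolicy\ScriptBlockLogging").EnableScriptBlockLogging -eq 1
    'Sysmon service running' = (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue).Status -eq 'Running'
    'Sysmon log present'     = [bool](Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```

The verification block is the part worth running again after the change_sec_config.bat tweaks: a later reboot or a script that re-applies a policy can silently undo one of these settings, and an empty Humio search is a slow way to find that out.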

challenges

I kept getting errors after I promoted the domain controller and then tried to reboot. The errors were related to WinRM. I added
  config.winrm.transport = :plaintext
  config.winrm.basic_auth_only = true

and

executed "reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /d 0 /t REG_DWORD /f /reg:64" before promoting, and that seemed to fix this issue.

At the time of posting this blog post, I'm having an issue with workstation1 not installing atomicredteam correctly. AV doesn't get turned off for some reason.

I can't change the IP address on kali through Vagrant.

me typing vagrant destory -f for 10 minutes trying to figure out why it didn't work was also challenging. 

resources