Project Fur-Tress: Building a Home SOC Lab (Part 7)

Introduction

In part 6 of my SOC project, I finished setting up part of my Corporate LAN network and got some vulnerable web apps running in Docker containers on my Ubuntu Server VM. I also set DNS entries on the Windows Server so that these apps could be accessed through internal domain names. I then set some firewall rules so that traffic from this network could only reach my fake internet VLAN, and fake internet traffic could reach the corporate LAN VLAN.

The goal of this step of the project is to start setting up some VMs for malware analysis, one based on Windows and another based on Linux. I would start with the Windows VM, get it set up on my domain network, then look at configuring group policies to restrict access to this device.

Windows Malware Analysis System

Windows 10 VM, 2 vCPUs, 4 GB RAM and 100 GB disk space, as Flare requires at least 80 GB, and I would need space to hold files while doing investigations and analysis.

Setting Organizational Unit

While Windows was installing on the VM, I logged in to my Windows Server domain controller, opened Active Directory Users and Groups, and created a new Organizational Unit named 'MalwareAnalysis'. This OU would be used to hold certain user accounts, and the plan was for only these users to be able to log in to the malware analysis VMs. Once the OU was created, I added a new group, 'MA_Users', in this OU. I would need a user to test with, so I created a new user and, next to the 'User logon name', selected @MA from the dropdown.

Once Windows 10 Enterprise had finished installing on the VM, I joined it to my domain and verified that my new user could log in using the format username@ma and entering the password. Success: the user was in.

There were some other things I wanted to do before setting up Flare VM on this system.

I wanted a way to configure the system so that only users of certain groups could log in to it. I wasn't sure how to do this, so it was time for some online research. It appeared that I would first need the domain computer placed as a Computer object in my malware analysis OU. I found many ways to pre-stage this before joining the computer to the domain, but I had already joined my VM to the domain and needed a clean way to move it.

Moving the domain computer was easy enough: from AD Users and Computers, I just needed to right-click the device, select 'Move', select the target OU in the dialogue, and click OK. While I was making changes to users and computers, I also wanted to set a restriction for my MA user so that they can only log in to the malware analysis Windows VM (I will change this later when I also have a Linux MA VM).

Going into the properties for my MA user, I went to the 'Account' tab and pressed the 'Log On To' button. Here, I could add the specific computers this user account is allowed to access.
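The same AD changes, scripted with the ActiveDirectory module on the domain controller, as an added example that is not from the original post. The domain name ('corp.example'), the VM's computer account ('MA-WIN10') and the test user ('analyst1') are placeholders; the OU, group and UPN suffix are the ones used above.

```powershell
# Added example: script the OU, group, UPN suffix, user, computer move and
# 'Log On To' restriction described above. Run on the DC in an elevated
# PowerShell with RSAT. Placeholder names: corp.example, MA-WIN10, analyst1.
Import-Module ActiveDirectory

$Domain   = 'corp.example'                   # placeholder: your AD domain
$DomainDN = 'DC=corp,DC=example'             # placeholder: its distinguished name
$OuDN     = "OU=MalwareAnalysis,$DomainDN"
$Password = Read-Host -AsSecureString 'Password for analyst1'

# 1. The OU that will hold the analysis users and computers.
New-ADOrganizationalUnit -Name 'MalwareAnalysis' -Path $DomainDN -ProtectedFromAccidentalDeletion $true

# 2. The group whose members are allowed to log on to the MA systems.
New-ADGroup -Name 'MA_Users' -GroupScope Global -GroupCategory Security -Path $OuDN

# 3. Register the 'ma' UPN suffix so the user can sign in as user@ma.
Set-ADForest -Identity $Domain -UPNSuffixes @{ Add = 'ma' }

# 4. Test user with the @ma logon name, placed in the OU and added to MA_Users.
New-ADUser -Name 'analyst1' -SamAccountName 'analyst1' -UserPrincipalName 'analyst1@ma' `
    -Path $OuDN -AccountPassword $Password -Enabled $true
Add-ADGroupMember -Identity 'MA_Users' -Members 'analyst1'

# 5. Move the already-joined VM's computer object into the OU so OU-linked GPOs apply.
Get-ADComputer -Identity 'MA-WIN10' | Move-ADObject -TargetPath $OuDN

# 6. 'Log On To' restriction: a comma-separated list of NetBIOS computer names
#    (the userWorkstations attribute). The account can then only log on to MA-WIN10.
Set-ADUser -Identity 'analyst1' -LogonWorkstations 'MA-WIN10'

# Read back the result to confirm the OU placement and restriction took effect.
Get-ADUser -Identity 'analyst1' -Properties LogonWorkstations, MemberOf |
    Select-Object UserPrincipalName, DistinguishedName, LogonWorkstations, MemberOf
Get-ADComputer -Identity 'MA-WIN10' | Select-Object Name, DistinguishedName
```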

Organizational Unit GPOs

I started by creating a GPO so that only MA Users and Administrators could log in to the Windows MA system. In the Group Policy Console, I created and then edited a new GPO. In the Group Policy Management Editor, I went to 'Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment' and edited 'Allow log on locally', adding the MA Users and Administrators groups.

After I had made the changes, I right-clicked my malware analysis OU in the Group Policy console and linked the new GPO I had created. Once the GPO was linked, I restarted the VM and started my Windows 10 workstation VM. Attempting to log in to both, my MA user could log in to the malware analysis VM but was blocked from logging in to my workstation VM. Perfect!

There was more I needed to do for this VM. I now needed to ensure it was fully up to date, disable Windows Defender, and make sure I met all the other requirements.

I could have disabled Windows Defender manually, but I wanted to set this through Group Policy. I achieved this by creating a new GPO and, under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus, setting 'Turn off Windows Defender' to 'Enabled'. Then, under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> Real-time Protection, I set 'Turn off real-time protection' to 'Enabled'.

Finally, I set 'Configure Automatic Updates', under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update, to 'Disabled'.

After the policy was saved and linked to the OU, checking the security settings on the VM confirmed that these had been disabled, and I was ready to proceed.
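A scripted version of that check, added here as an example that is not from the original post: run on the MA VM in an elevated PowerShell after gpupdate /force, it reads the policy registry values the three GPO settings write, asks Defender for its effective state, and lists who holds the user right behind 'Allow log on locally' (SeInteractiveLogonRight). Registry paths and value names are the standard policy locations; nothing else is assumed.

```powershell
# Added example: confirm the OU-linked GPOs above actually applied to this VM.
$checks = @(
    @{ Name  = "'Turn off Windows Defender' = Enabled"
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Value = 'DisableAntiSpyware'; Expect = 1 },
    @{ Name  = "'Turn off real-time protection' = Enabled"
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Value = 'DisableRealtimeMonitoring'; Expect = 1 },
    @{ Name  = "'Configure Automatic Updates' = Disabled"
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'NoAutoUpdate'; Expect = 1 }
)

foreach ($c in $checks) {
    # A missing key or value means the policy never reached this machine.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state  = if ($actual -eq $c.Expect) { 'OK' } else { 'MISSING' }
    '{0,-8} {1} (registry value = {2})' -f $state, $c.Name, $actual
}

# What Defender itself reports; this is the state that matters for Flare VM.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled

# Export the effective local security policy and read back SeInteractiveLogonRight.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1

# Entries are either plain names or SIDs prefixed with '*'; translate SIDs to names.
$principals = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $p = $_.Trim()
    if ($p.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $p }
    } else { $p }
}
"Allow log on locally: $($principals -join ', ')"
Remove-Item $cfg -ErrorAction SilentlyContinue
```

On recent Windows 10 builds, Tamper Protection makes Defender ignore the DisableAntiSpyware policy value unless it is switched off first, so the Get-MpComputerStatus line is the one to trust when the registry check and the observed state disagree.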

Installing Flare VM

Opening up PowerShell as administrator, I downloaded the setup script for Flare-VM.

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

Following the guide, the script needed to be unblocked, script execution enabled, and then the script run.

Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1

During the installation, I ran into a mistake I had overlooked. I had put the work in to prepare an OU and set GPOs, but Flare needed a local account to install.

This changed how I was going to have to work to get this VM tied into my domain, but for now I reset the VM and installed Windows with a local user. I made sure it was still in my Isolated VLAN, but configured the network to point DNS at my Windows DNS Server, so that it was at least on my domain network.
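A pre-flight check for that lesson, added here as an example that is neither from the original post nor from the flare-vm project: run in an elevated PowerShell before install.ps1, it flags a domain rather than local logon, plus the elevation, disk space (the 80 GB mentioned above), Defender and execution-policy conditions that the install depends on. The function name and the 80 GB threshold are this example's own choices.

```powershell
# Added example: check the conditions that made the Flare VM install fail above.
function Test-FlarePrereqs {
    $id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole(
                   [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    # A local account shows as COMPUTERNAME\user; a domain account as DOMAIN\user.
    $isLocal = $id.Name -like "$env:COMPUTERNAME\*"
    $freeGB  = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 1)
    $mp      = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $policy  = Get-ExecutionPolicy

    $results = [ordered]@{
        'Running elevated'                                = $isAdmin
        "Logged on with a local account ($($id.Name))"    = $isLocal
        "At least 80 GB free on C: ($freeGB GB free)"     = ($freeGB -ge 80)
        'Defender real-time protection is off'            = ($null -eq $mp -or -not $mp.RealTimeProtectionEnabled)
        "Execution policy allows scripts ($policy)"       = ($policy -in 'Unrestricted', 'Bypass', 'RemoteSigned')
    }
    foreach ($k in $results.Keys) {
        $tag = if ($results[$k]) { 'PASS' } else { 'FAIL' }
        '[{0}] {1}' -f $tag, $k
    }
    # True only when every check passed.
    return -not ($results.Values -contains $false)
}

if (-not (Test-FlarePrereqs)) {
    Write-Warning 'Fix the FAIL items before running .\install.ps1'
}
```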

I then disabled Windows Threat Protection, Defender, and Updates manually through the Settings app and started the Flare VM install again, following the steps in the guide from the repository linked at the end of this post. I chose to install all applications, as I thought it would be good to have access to a range of tools that might aid in malware analysis.

The installation took some time (it is a lengthy process), but finally I had Flare VM set up and could take a snapshot of the VM. Once the firewall rules are configured to lock the network down, my Windows malware analysis system will be done.

Challenges

I did run into some challenges during this part of my project and learned some lessons. After spending quite a bit of time setting and testing various options and configurations through GPO, I found that when it came to installing Flare on the Windows VM, it kept failing. The problem was that the script needed to work with a local user, but I was logged in with an AD account.

While I didn't need to spend the time configuring the GPOs, I left those steps in this article because they were part of the experience I went through.

Summary

While things didn't go quite as planned during this step of the project, I did get some group policies set. I learned a little more about organizational units in a Windows domain, and learned how to create UPN suffixes, which effectively allow subdomains for users when logging on. I also got Flare VM set up. Tasks for a later date include looking for a way to lock this system down so that only permitted domain users can access it. This may include RDP policies and, once I have more of my SOC systems installed, an isolated system so that malware samples can be securely stored and shared with the malware analysis VMs.

In the next part, I will be setting up another VM, this one using Linux, and going through the configuration of a malware analysis environment there. After both systems are set up, I will configure the firewall rules for my Isolated VLAN so that all outbound traffic is blocked and it can only receive traffic from my Security VLAN.

Resources