Project 1:
So you want to be a SOC Analyst?
I had been doing personal curiosity labs involving VMware, running machines at home to host game servers for friends, and learning more about Citrix, Horizon, AD, and Azure, but never had I tried attacking one of my systems to see what would happen. That all changed with this lab! I was told by a friend to check it out and I was not disappointed!
You can find the lab instructions here: https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-part
Main platforms and technology used: VMware, Ubuntu Linux, Windows 11, Windows Defender, LimaCharlie (SIEM), Sliver Shell, malware, PowerShell, SSH, and implants.
First I set up new VMs for both Windows 11 and Ubuntu Linux, which was easy enough!
After Windows 11 was installed I needed to disable Windows Defender to make attacking the system a little easier for my rookie self!
After doing that, the exciting part was next: installing the needed software in my Linux VM to attack my Windows 11 VM. The primary tool was Sliver Shell.
I primarily used PowerShell on my PC to SSH into my Linux server for more obscurity and commence the attacks through there. My Windows VM didn't know what hit it. Once Sliver's malware was injected into its victim, I was able to spin up an HTTP server on port 80 using Python to start collecting information from the Windows VM.
Next I set up a web-hosted SIEM called LimaCharlie (https://limacharlie.io) in order to better help my Windows VM detect what was happening to it. I downloaded a sensor on the Windows VM for LimaCharlie to track what is going on and start aggregating logs for me to parse through.
Before I parsed through the logs I was recommended to read SANS DFIR's Hunt Evil, which explains what is normal in Windows, which I'll need to know in order to better notice what is not normal and warrants further investigation. I looked for logs that involved sensitive data being accessed (especially from other IPs and/or unknown processes).
After further investigation I was able to find logs from a program that was exfiltrating sensitive data from my Windows VM. I was able to confirm this further once I checked for any digital signatures and nothing was found, which warranted further suspicion.
I then created a detection & response rule that would alert me any time this activity occurs in the future. Specifically, it detects the SENSITIVE_PROCESS_ACCESS event involving lsass.exe. I also learned about further steps I can take to stop it from occurring if needed.
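As an added example (not the lab's or LimaCharlie's own code), here is a small Python evaluator that mirrors the lab's D&R rule as a dict and runs it against constructed sensor records; the routing/event envelope and the field paths follow LimaCharlie's rule conventions, but the nesting of the sample access events is a simplified assumption.

```python
# Added example (not the lab's or LimaCharlie's code): a small evaluator for the
# D&R rule the lab builds, run against constructed sensor records. LSASS_RULE
# mirrors the rule's YAML as a dict; "*" in a path is a single-level wildcard.
LSASS_RULE = {
    "detect": {"event": "SENSITIVE_PROCESS_ACCESS", "op": "ends with",
               "path": "event/*/TARGET/FILE_PATH", "value": "lsass.exe",
               "case sensitive": False},
    "respond": [{"action": "report", "name": "LSASS access"}],
}

# Constructed records in LimaCharlie's routing/event envelope (nesting simplified).
SAMPLE_RECORDS = [
    {"routing": {"event_type": "SENSITIVE_PROCESS_ACCESS", "hostname": "win11-lab"},
     "event": {"EVENTS": [{"SOURCE": {"FILE_PATH": "C:\\Users\\lab\\Downloads\\unknown.exe"},
                           "TARGET": {"FILE_PATH": "C:\\Windows\\System32\\LSASS.EXE"}}]}},
    {"routing": {"event_type": "SENSITIVE_PROCESS_ACCESS", "hostname": "win11-lab"},
     "event": {"EVENTS": [{"SOURCE": {"FILE_PATH": "C:\\Windows\\explorer.exe"},
                           "TARGET": {"FILE_PATH": "C:\\Windows\\notepad.exe"}}]}},
    {"routing": {"event_type": "NEW_PROCESS", "hostname": "win11-lab"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\lsass.exe"}},
]

def walk_path(obj, parts):
    """Yield values reachable along parts; '*' matches any key, lists are transparent."""
    if isinstance(obj, list):
        for item in obj:
            yield from walk_path(item, parts)
    elif not parts:
        yield obj
    elif isinstance(obj, dict):
        head, rest = parts[0], parts[1:]
        for key in (list(obj) if head == "*" else [head] if head in obj else []):
            yield from walk_path(obj[key], rest)

def rule_matches(rule, record):
    """Apply the detect block: event-type filter, then the operator on each path value."""
    det = rule["detect"]
    if record.get("routing", {}).get("event_type") != det["event"]:
        return False
    fold = str if det.get("case sensitive", True) else str.lower
    want = fold(det["value"])
    return any(isinstance(v, str) and det["op"] == "ends with" and fold(v).endswith(want)
               for v in walk_path(record, det["path"].split("/")))

def evaluate(rule, records):
    """Return one report per matching record, as the 'report' action would."""
    return [{"name": rule["respond"][0]["name"],
             "hostname": rec["routing"].get("hostname"),
             "source": next(walk_path(rec, ["event", "*", "SOURCE", "FILE_PATH"]), None)}
            for rec in records if rule_matches(rule, rec)]
```

Only the first record fires: the event type matches and the target path ends with lsass.exe regardless of case, while the notepad access and the NEW_PROCESS event for lsass.exe itself are ignored.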
SUMMARY:
This lab was extremely valuable to me for getting more hands-on experience with another SIEM program that let me collect logs on my device, parse through them for anything suspicious, discern what counts as suspicious, and learn what steps I can take to better inform myself about malicious actions and how to stop them. I definitely recommend anyone getting into cyber security to dive into this lab as well for a much better general understanding of what a SOC Analyst does in their day-to-day.