The purpose of this lab is to use Active Directory functionality and attack vectors for detection and analysis.
- Active Directory installation.
- Setting up Windows & Linux VMs.
- Setting up the Splunk server.
- Creating detections & log analysis.
- Security Information and Event Management (SIEM) system for log ingestion and analysis: Wazuh
- Kali Linux for attacking the Windows-based victim machine
- Windows & Linux VMs (target Windows machine and Ubuntu 22.05 LTS Linux server); Windows Server 2022 trial
- Draw.io for the diagram flow
Create 4 VMs. For setting up these VMs, watch Video-2 in the Links & References section; for the VM configurations, watch the Lab-3 video.
Windows 10 machine, Kali Linux machine, Ubuntu 20.04 LTS for the Splunk deployment, Active Directory
Set up & configure the VMs based on the network diagram and on the resources (RAM) available on your system.
Setting up VMs: configuring NAT settings. Go to Tools > hamburger menu > Network.
Select the NAT Network tab > Create. Set the CIDR range as per the diagram, 192.168.10.0/24, then Apply. Leave Enable DHCP checked.
Assign the created NAT network to all VMs (make sure every VM uses it).
![image](https://github.com/syedhnaqvi/activedirectory/assets/39069507/1ec1d94a-4bfe-441c-b6fb-4f02448981a0)
Log in to the Splunk VM (Ubuntu 20.04 LTS). Run the command `ip a`; it will show the IP address as 192.168.10.4/24. As per our diagram we need IP 192.168.10.10, so we set it by editing the netplan file `installer.config.yaml`. Configure the file:
- After the DHCP no line, hit Enter to add a new line and hit Tab 3 times.
- After the addresses line, hit Enter, then hit Tab 3 times again.
- After the nameservers line, hit Enter for a new line, then hit Tab 5 times to add DNS 8.8.8.8 (Google DNS).
- After that, on the nameserver line, hit Tab 3 times.
- After the routes line, hit Tab 5 times.
- Enter a new line (press Enter), then hit Tab 6 times.
- CTRL+X, then Y, then press Enter. If you see warnings related to vswitch, use this link to resolve the issue; it worked for me! https://stackoverflow.com/questions/77352932/ovsdb-server-service-from-no-where Run the `ip a` command; if you see IP 192.168.10.10/24, netplan worked and the configuration is all set up. As a last check, ping www.google.com; if you see a reply everything is working, otherwise revisit your netplan config file formatting and indentation, then apply the netplan file again until you see a ping response from google.com. After this step is completed we are ready to install Splunk on our machine.
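The netplan file the steps above build by hand, written out in full as an added example (this script is not part of the lab notes). It assumes the VM's interface is `enp0s3` (the VirtualBox default) and that the NAT network's gateway is 192.168.10.1; the file name `00-installer-config.yaml` is also an assumption, so adjust all three to match your VM. The YAML is indented with two spaces per level: YAML does not accept literal tab characters, which is the usual reason a hand-edited netplan file refuses to apply, so the script refuses to write a file that contains one and then verifies the address with `ip -4 -o addr` the way the notes do by eye.

```shell
#!/bin/sh
# Added example (not from the original lab notes): write the netplan file for
# the Splunk VM with the static address from the diagram, apply it and verify.
# Assumptions: interface enp0s3, gateway 192.168.10.1, file name below.
IFACE="${IFACE:-enp0s3}"
STATIC_IP="192.168.10.10/24"
GATEWAY="192.168.10.1"
DNS="8.8.8.8"
NETPLAN_FILE="/etc/netplan/00-installer-config.yaml"

# Emit the netplan YAML. Two spaces per level; never tabs.
netplan_config() {
    cat <<EOF
network:
  version: 2
  ethernets:
    $IFACE:
      dhcp4: no
      addresses:
        - $STATIC_IP
      nameservers:
        addresses:
          - $DNS
      routes:
        - to: default
          via: $GATEWAY
EOF
}

# Return 0 if the text contains no tab character (netplan would reject it).
no_tabs() {
    ! printf '%s\n' "$1" | grep -q "$(printf '\t')"
}

# Given the output of `ip -4 -o addr`, return 0 if the CIDR in $3 is
# assigned to the interface in $2. Fields: "2: enp0s3 inet 192.168.10.10/24 ...".
ip_assigned() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v cidr="$3" \
        '$2 == ifc && $4 == cidr { found = 1 } END { exit !found }'
}

apply_and_verify() {
    cfg="$(netplan_config)"
    no_tabs "$cfg" || { echo "config contains tabs; fix indentation" >&2; return 1; }
    printf '%s\n' "$cfg" | sudo tee "$NETPLAN_FILE" >/dev/null
    sudo netplan apply
    ip_assigned "$(ip -4 -o addr)" "$IFACE" "$STATIC_IP" \
        || { echo "$STATIC_IP not assigned to $IFACE" >&2; return 1; }
    # Last check from the notes: DNS and the default route both work.
    ping -c 3 www.google.com >/dev/null && echo "static IP and DNS working"
}

# Constructed sample of `ip -4 -o addr` output, used for the offline self-check.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp0s3    inet 192.168.10.10/24 brd 192.168.10.255 scope global enp0s3\       valid_lft forever preferred_lft forever'

self_check() {
    no_tabs "$(netplan_config)" \
        && ip_assigned "$SAMPLE_IP_OUTPUT" enp0s3 192.168.10.10/24
}

# Only touch the system when invoked as: sh netplan-static.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_and_verify
else
    self_check && echo "self-check passed (run with 'apply' on the Splunk VM)"
fi
```

Run it with `apply` on the Splunk VM; without an argument it only exercises the checks against the constructed sample, so you can confirm the YAML before touching the network.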
After you sign up on splunk.com, then click on
Select Linux and the .deb file, as we are using the Debian-based Ubuntu distro for Linux. Download and save.
Add the virtual guest add-on (VirtualBox Guest Additions) to our VM.
Add a shared folder to access the Splunk download file.
Run the command `sudo reboot` to reboot the VM.
Add the user to the vboxsf group. Command: `sudo adduser <your-username> vboxsf`. If you see the error "group vboxsf does not exist", we need to install the additional guest utilities.
Run `sudo reboot`.
Run the add-user-to-vboxsf command again: `sudo adduser <your-username> vboxsf`. This time the user will be added to the group. Done.
Create the shared directory. Command: `mkdir share`.
Mount the shared directory/folder [change to your created folder name!]. Command: If successful you must see:
If you see any error, try the `exit` command, reboot, then try again!
`cd` to share; you must see the downloaded Splunk file.
Install Splunk. Command: Once you see "Complete", it means all is good!
`cd` to /opt/splunk; `ls -la` shows that all files are owned by user splunk.
`cd` into bin (/opt/splunk/bin); all binary files will be displayed here with `ls -la`.
Run the Splunk installer using the command:
If you see an error like "folder not found", reboot the Splunk VM.
Again run the command `sudo -u splunk bash`, then run `cd bin`, then `./splunk start`. Read and accept the license, then select y and choose an admin name and password.
Use the `exit` command to exit the splunk user.
Then `cd bin`.
Run the command:
It enables the Splunk server to start every time the VM reboots or turns on; you will see "init script is configured to run at startup".
Restart the machine.
Check the IP: run `ipconfig` from CMD. Assign static IP 192.168.10.100 with default gateway 192.168.10.1 and DNS 8.8.8.8.
Access the Splunk server started at 192.168.10.10:8000.
Go to splunk.com and log in with your account. Go to Products > Free Trials & Downloads > Universal Forwarder.
Download the file for the relevant OS; after downloading, double-click the file in the Downloads folder.
Search Google for Sysmon.
Use the Sysmon Olaf config: search Google for "sysmon olaf config" or use https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml
Open PowerShell as Admin after copying the path of the downloaded Sysmon folder.
Run the command `./sysmon64.exe -i sysmonconfig.xml` (if your sysmonconfig.xml file is in another folder, give that path; I copied mine to the same Sysmon folder).
It instructs what needs to be forwarded to our Splunk server. We need to configure the file inputs.conf. Path to file: `C:\Program Files\SplunkUniversalForwarder\etc\system\default`. Note: copy the inputs.conf file from the default folder and paste it into the `\system\local` folder; do not modify the master inputs.conf file in the default folder. Modify the inputs.conf file and paste the contents from the inputs.conf file into your `\system\local` inputs.conf file (you can only modify it with admin privileges: right-click Notepad, select Run as administrator, go to the file location, open it, paste, then save).
Restart the Splunk Universal Forwarder: go to Services (run as admin), find Splunk Forwarder, right-click, then Restart.
If you see the NETSRV account, we need to change it to the Local System account.
Log in to the Splunk server with your credentials. Since our inputs.conf file contains index=endpoint, we need to create the same index on Splunk to collect the logs. Go to Settings > Indexes.
Enter Name: endpoint. Click Save.
Enable the Splunk server to receive data: Settings > Forwarding and receiving.
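The server-side steps above (install the .deb from the shared folder, first start, enable boot-start) and the index and receiving configuration just described, done from the Ubuntu shell instead of the web UI, as an added example that is not the lab's own script. It assumes the VirtualBox shared folder is named `share` and mounted at `~/share`, that the Splunk package is the only `splunk-*.deb` in it, and that the admin password is supplied in the `SPLUNK_PASS` environment variable rather than typed at the prompt. The two check functions take the output of `ls -la` and `ss -ltn` as text, so they are exercised offline against constructed samples and then run for real in `verify_server`.

```shell
#!/bin/sh
# Added example (not from the original lab notes): provision the Splunk server
# on the Ubuntu VM and verify it the way the notes check by hand.
# Assumptions: shared folder "share" at ~/share, one splunk-*.deb inside it,
# admin password in $SPLUNK_PASS.
SHARE_NAME="share"
MOUNT_POINT="$HOME/share"
SPLUNK_HOME="/opt/splunk"
RECV_PORT="9997"
INDEX_NAME="endpoint"

install_splunk() {
    sudo adduser "$USER" vboxsf
    mkdir -p "$MOUNT_POINT"
    sudo mount -t vboxsf -o "uid=$(id -u),gid=$(id -g)" "$SHARE_NAME" "$MOUNT_POINT"
    sudo dpkg -i "$MOUNT_POINT"/splunk-*.deb
    # First start as the splunk user: accept the license and seed the admin
    # password non-interactively instead of answering the prompts.
    sudo -u splunk "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes \
        --no-prompt --seed-passwd "$SPLUNK_PASS"
    # Register the init script so Splunk starts on every reboot, running as the
    # unprivileged splunk user rather than root.
    sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
}

# Create the index named in the forwarder's inputs.conf (index=endpoint) and
# open the receiving port the universal forwarder will send to.
configure_receiving() {
    sudo -u splunk "$SPLUNK_HOME/bin/splunk" add index "$INDEX_NAME" -auth "admin:$SPLUNK_PASS"
    sudo -u splunk "$SPLUNK_HOME/bin/splunk" enable listen "$RECV_PORT" -auth "admin:$SPLUNK_PASS"
}

# Given `ls -la` output, return 0 only if every entry (ignoring the "total"
# line and the parent directory "..") is owned by the splunk user.
all_owned_by_splunk() {
    printf '%s\n' "$1" | awk '$1 == "total" || $NF == ".." { next }
                               $3 != "splunk" { bad = 1 } END { exit bad }'
}

# Given `ss -ltn` output, return 0 if some socket is listening on port $2.
listening_on() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == "LISTEN" && $4 ~ (":" p "$") { ok = 1 } END { exit !ok }'
}

verify_server() {
    all_owned_by_splunk "$(ls -la "$SPLUNK_HOME")" \
        || { echo "files under $SPLUNK_HOME not owned by splunk" >&2; return 1; }
    listening_on "$(ss -ltn)" 8000 || { echo "web UI not on 8000" >&2; return 1; }
    listening_on "$(ss -ltn)" "$RECV_PORT" || { echo "no receiver on $RECV_PORT" >&2; return 1; }
    echo "Splunk ready: web UI on 8000, receiving on $RECV_PORT"
}

# Constructed sample outputs for the offline self-check (not captured from a host).
SAMPLE_LS='total 16
drwxr-xr-x 12 splunk splunk 4096 Jan  1 00:00 .
drwxr-xr-x  4 root   root   4096 Jan  1 00:00 ..
drwxr-xr-x  3 splunk splunk 4096 Jan  1 00:00 bin
drwxr-xr-x  9 splunk splunk 4096 Jan  1 00:00 etc'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:9997      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8089    0.0.0.0:*'

# Only touch the system when invoked as: SPLUNK_PASS=... sh splunk-server.sh provision
if [ "${1:-}" = "provision" ]; then
    install_splunk && configure_receiving && verify_server
else
    all_owned_by_splunk "$SAMPLE_LS" && listening_on "$SAMPLE_SS" "$RECV_PORT" \
        && echo "self-check passed (run with 'provision' on the Splunk VM)"
fi
```

Port 8089 in the sample is Splunk's management port; only 8000 (web UI) and 9997 (receiving) need to be reachable from the other lab VMs.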
To check whether we are getting data from the endpoint on the Splunk server.
Additionally, use/install the Splunk Sysmon app to get more enriched data/fields. Find more apps.
Follow this detailed video for installing the universal forwarder on Linux and forwarding logs to the Splunk server:
Installing & Setting Up Linux Universal Splunk Forwarder
Other helpful article
Make these changes to the inputs.conf file:
```ini
[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
index = firewall
disabled = false
sourcetype = [WinEventLog://Security]
```
Make sure to restart the Splunk Universal Forwarder service.
Select the IPv4 settings, then add these settings.
Click Next.
Click Next.
Click & select Active Directory Domain Services, a.k.a. AD DS.
Keep clicking Next until you see this screen, then click Install.
It will take some time to install.
Check the notification.
Enter the password, keep all the defaults, and click Next.
Keep clicking Next.
Click Install.
Once everything is completed, the server will restart automatically.
After the server reboots you will see the domain screen.
Log in and add users.
Expand the domain & click Builtin; it will show you the built-in groups created automatically.
The Users option will show the users.
Click Finish.
Search "PC", then click Properties.
Change the domain DNS server. Change it to our domain server address 192.168.10.7.
To validate the settings.
After the client machine logs back in as user jsmith, the user we created.