Vagrants
Metta makes use of vagrants to have hosts to interact with. The below is a quick-start to get something going. Ideally you'd make a instrumented virtualbox image with your organization's various tooling (CarbonBlack, CrowdStrike, Cylance, OSQuery, etc) and then convert to a vagrant "box".
-
We can use the following windows virtualbox/vagrant image: https://app.vagrantup.com/StefanScherer/boxes/windows_10
-
Init and bring up the vagrant
vagrant init StefanScherer/windows_10
vagrant up
- If everything is working like it should you should be able to issue some commands over winrm. (the vagrant box above has winrm set up)
$ vagrant winrm -c whoami
vagrant-10\vagrant
$ vagrant winrm -c "cmd.exe /c net localgroup administrators"
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
vagrant
The command completed successfully.
- Open the host in virtualbox so we can install sysmon. I'm using Swift on Security's sysmon config as an example:
https://github.com/SwiftOnSecurity/sysmon-config
-
download sysmon https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
-
open admin command prompt
sysmon.exe -accepteula -i sysmonconfig-export.xml
-
You can then check logs of your activity
-
There are tons of resources on using sysmon. Here is a decent one: https://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon/