Cybersecurity Build Book


6/17/2020

SOC Cybersecurity Analyst Build book

Jensky Colin
Table of Contents
Index.............................................................................................................................................................. 2
Lab Design ..................................................................................................................................................... 3
Cybersecurity Build Book .............................................................................................................................. 4
Install Windows Server using Virtual Box ..................................................................................................... 4
Step 1 – Download Virtual Box ................................................................................................................. 4
Step 2 – Launch Virtual Box ...................................................................................................................... 4
Step 3 – Network card configuration ........................................................................................................ 4
Step 4 – Install Windows image ................................................................................................................ 5
Step 5 – Windows Settings ....................................................................................................................... 6
Step 6 - Edit and view the VM settings ..................................................................................................... 9
Step 7 – Start the VM .............................................................................................................................. 11
Step 8 – Windows Server 2016 installation ............................................................................................ 11
Windows Server 2016 configuration .......................................................................................................... 14
Configure Active Directory and Domain Server ...................................................................................... 14
Add roles and Features to the Server. .................................................................................................... 16
Configure AD ........................................................................................................................................... 17
Create a New User ...................................................................................................................................... 21
Add client’s computer to the Domain......................................................................................................... 23
Pfsense installation and configuration ....................................................................................................... 26
Windows Server setup to use pfsense .................................................................................................... 30
Pfsense rules configuration..................................................................................................................... 32
Sumologic configuration ............................................................................................................................. 34
Create Collection..................................................................................................................................... 34
Create Collection alert ............................................................................................................................ 37
Nessus Vulnerability Server scan ................................................................................................................ 40
N-stalker Web server scan .......................................................................................................................... 43
Badstore .................................................................................................................................................. 43
Web scanner ........................................................................................................................................... 44
Deploying IPS (Snort) module in PFsense ................................................................................................... 46
Pfsense setup .......................................................................................................................................... 46
Get a Snort OinkCode ............................................................................................................................. 50
Enable Snort as IPS .................................................................................................................................. 53
Installing and configuring Sophos ............................................................................................................... 55
Create Sophos account ........................................................................................................................... 55

1|Page
Index
FIGURE 1-NETWORK SHARING CENTER ................................................................................................................ 14
FIGURE 2-ETHERNET STATUS ................................................................................................................................ 15
FIGURE 3-TCP/IPV4 ............................................................................................................................................... 15
FIGURE 4-IPV4....................................................................................................................................................... 16
FIGURE 5-LAUNCH START MANAGER ................................................................................................................... 16
FIGURE 6-DASHBOARD ......................................................................................................................................... 17
FIGURE 7- DESTINATION SERVER .......................................................................................................................... 18
FIGURE 8- AD / DNS .............................................................................................................................................. 18
FIGURE 9 - PROMOTE SERVER .............................................................................................................................. 19
FIGURE 10 - DOMAIN NAME ................................................................................................................................. 19
FIGURE 11 – PASSWORD....................................................................................................................................... 20
FIGURE 12 - ADDITIONAL OPTION ........................................................................................................................ 20
FIGURE 13- USERS AND COMPUTERS ................................................................................................................... 21
FIGURE 14- CREATE USER ..................................................................................................................................... 21
FIGURE 15 - NEW USER ......................................................................................................................................... 22
FIGURE 16 - CLIENT STATIC IP ............................................................................................................................... 23
FIGURE 17- SYSTEM PROPERTIES.......................................................................................................................... 24
FIGURE 18- DOMAIN NAME.................................................................................................................................. 24
FIGURE 19 - CLIENT LOG ....................................................................................................................................... 25
FIGURE 20-PFSENSE VM SETUP ............................................................................................................................ 26
FIGURE 21 -LOAD PFSENSE ISO FILE ..................................................................................................................... 27
FIGURE 22- PFSENSE ADAPTER 1 .......................................................................................................................... 27
FIGURE 23 - PFSENSE ADAPTER 2 ......................................................................................................................... 28
FIGURE 24 – ACCEPT ............................................................................................................................................. 28
FIGURE 25 - INSTALL PFSENSE .............................................................................................................................. 29
FIGURE 26 - DEFAULT KEYMAP ............................................................................................................................. 29
FIGURE 27 - COMPLETED INSTALLATION .............................................................................................................. 30
FIGURE 28 - WINDOWS SERVER ADAPTER 1 ........................................................................................................ 30
FIGURE 29 - WINDOWS SERVER ADAPTER 2 ........................................................................................................ 31
FIGURE 30 - ADAPTER 2 ........................................................................................................................................ 31
FIGURE 31 - CREATED ALIASE ............................................................................................................................... 32
FIGURE 32 - ADD RULE .......................................................................................................................................... 32
FIGURE 33 - EDIT RULE.......................................................................................................................................... 33
FIGURE 34 - SET SOURCE AND DESTINATION ....................................................................................................... 33
FIGURE 35 - RULE CREATED .................................................................................................................................. 34
FIGURE 36 - CREATE COLLECTION......................................................................................................................... 35
FIGURE 37_ ADD COLLECTOR ............................................................................................................................... 35
FIGURE 38- COLLECTOR TYPE ............................................................................................................................... 36
FIGURE 39- WINDOWS SOURCES.......................................................................................................................... 36
FIGURE 40- CREATE COLLECTION ......................................................................................................................... 37
FIGURE 41 - EVENT SEARCH .................................................................................................................................. 38
FIGURE 42-PARSE EVENTCODE ............................................................................................................................. 38
FIGURE 43 - PARSE EVENT .................................................................................................................................... 38
FIGURE 44- NAME YOUR ALERT ............................................................................................................................ 39
FIGURE 45 - NESSUS CODE.................................................................................................................................... 40
FIGURE 46-CREATE A SCAN................................................................................................................................... 41
FIGURE 47- SCAN OPTION .................................................................................................................................... 41
FIGURE 48-CUSTOMIZE SCAN ............................................................................................................................... 42
FIGURE 49- BADSTORE SERVER ............................................................................................................................ 43
FIGURE 50 - BADSTORE WEB ACCESS ................................................................................................................... 43

Lab Design

Cybersecurity Build Book
Install Windows Server using Virtual Box

Step 1 – Download Virtual Box

Download and install the latest version of Virtual Box.


https://www.virtualbox.org/

Download Windows Server 2016 (ISO version).


https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/

Step 2 – Launch Virtual Box

Open Oracle VM Virtual Box.

Step 3 – Network card configuration

Before proceeding, if the lab requires it, click the Preferences icon, select Network, and click the
Add new NAT Network icon to create a NAT Network.1 You will not be able to do this after
launching your virtual machine.

1 NAT Network: a NAT network is a type of internal network that allows outbound connections.

Step 4 – Install Windows image

You are now ready to install the Windows image. Click the New icon.

Name your VM, then choose the operating system type and the version you are creating.

Step 5 – Windows Settings

Select the amount of RAM. See the minimum requirements.2

2 https://docs.microsoft.com/en-us/windows-server/get-started/system-requirements

Select Create a Virtual Disk now.

Select VDI (Virtual Disk Image) in the next window.

Select Dynamically allocated in the next window.

Check the default location of the VM's disk file and select the hard disk size to allocate to the VM.
Virtual Box recommends 50 GB.

Step 6 - Edit and view the VM settings

Select your new VM and click the Settings icon to edit its settings.

Click the System icon and set the boot order so that the VM boots from the device holding your image.

Select the Processor tab and choose the number of processors to assign.

Click Storage to load the ISO file into the VM: select Empty, click the optical disk icon, and find
the Windows Server 2016 ISO.

Click Network and, with your network adapter tab selected, attach the NAT Network.

Click OK.

Step 7 – Start the VM


With your VM selected, click the Start button to launch the VM.

Step 8 – Windows Server 2016 installation


In the Windows Setup window, click Next, then Install now.

Select the Desktop Experience version.

Accept the license.

Select the Custom installation.

Set up partitions if needed, or click Next to use the entire assigned disk.

Choose a Password.

Windows Server 2016 configuration

Configure Active Directory and Domain Server


First, it is recommended to assign a static IP address to your server.
1. Right click the Network card icon (left of the clock).
2. Click Open Network and Sharing Center.
3. Click the Ethernet link in the Network and Sharing Center window that opens. (Figure 1)
4. Click the Properties button in the Ethernet Status window. (Figure 2)
5. Double click Internet Protocol Version 4. (Figure 3)
6. Enter your chosen IP address. (Figure 4)
7. Click OK.
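The same static address assignment done from an elevated PowerShell prompt, as an added example that is not part of the build book. The adapter name "Ethernet", the server address 192.168.1.10/24 and the gateway 192.168.1.1 (the pfSense LAN address used later in the book) are assumptions; the page does not state which address the author picked.

```powershell
# Added example (not from the build book): assign the static address from the steps above with PowerShell.
# Assumptions (not stated on the page): the adapter is called "Ethernet", the server takes
# 192.168.1.10/24, and the default gateway is the pfSense LAN address 192.168.1.1.
$Adapter  = "Ethernet"
$ServerIP = "192.168.1.10"
$Gateway  = "192.168.1.1"

# Turn off DHCP on the adapter and drop any address it handed out, otherwise the static
# address would sit beside the dynamic one and the server would answer on both.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Assign the static address and the default gateway (what Figure 4 shows in the GUI).
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ServerIP -PrefixLength 24 -DefaultGateway $Gateway

# This server becomes a domain controller in the next section, and a DC should resolve names
# through its own DNS service. List itself first and the pfSense resolver second so that
# internet names still resolve until AD DS and DNS are installed.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ServerIP, $Gateway

# Verify the result before moving on.
Get-NetIPConfiguration -InterfaceAlias $Adapter
```

If the adapter is not called "Ethernet", run `Get-NetAdapter` first and substitute the name it reports.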

Figure 1-Network Sharing Center

Figure 2-Ethernet Status

Figure 3-TCP/IPV4

Figure 4-IPV4

Add roles and Features to the Server.

If Server Manager does not open automatically, click the Windows Start button and select Server
Manager. (Figure 5)
In the Server Manager window, select Dashboard if it is not already selected. (Figure 6)

Figure 5-Launch Start Manager

Figure 6-Dashboard

Configure AD

1. Click Add roles and features.
2. Click Next.
3. Select Role-based or feature-based installation and click Next.
4. Tick Select a server from the server pool.
5. Make sure the server name is selected. (Figure 7)
6. Click Next.
7. In the Add Roles and Features Wizard window, select Active Directory Domain Services and click
Next. (Figure 8)
8. Click Next in the Select features window.
9. Click Next.
10. Click Install in the next window.
11. When the installation is complete, click Close.
12. Back on the Dashboard, click the flag with the yellow triangle and click Promote this server to a
domain controller. (Figure 9)
13. Tick Add a new forest, name your domain, and click Next. (Figure 10)
14. Leave the defaults selected, enter a password, and click Next. (Figure 11)
15. Click Next.
16. Make sure your domain name appears in the NetBIOS domain name field and click Next. (Figure 12)
17. Click Next.
18. Click Next.
19. Once the prerequisites check passes, click Install.
20. Click Close.
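The same role installation and forest promotion from an elevated PowerShell prompt, as an added example that is not part of the build book. The domain name "lab.local" and NetBIOS name "LAB" are assumptions; the page does not give the name the author used.

```powershell
# Added example (not from the build book): steps 1-20 of Configure AD done from an elevated PowerShell.
# Assumptions: the forest root domain is "lab.local" with NetBIOS name "LAB"; neither name is on the page.
$DomainName  = "lab.local"
$NetbiosName = "LAB"

# Steps 1-11: add the AD DS role together with its management tools
# (Active Directory Users and Computers and the ActiveDirectory PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 12-20: promote the server to the first domain controller of a new forest.
# The password asked for in Figure 11 is the DSRM (Directory Services Restore Mode) password;
# read it interactively so it never lands in the script file or the console history.
$DsrmPassword = Read-Host -AsSecureString -Prompt "DSRM password"

Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force   # skip the confirmation prompt; the server reboots itself when promotion finishes

# After the reboot, confirm the DC role and the DNS zone exist before creating users or joining clients.
Get-ADDomainController | Select-Object Name, Domain, Forest, IsGlobalCatalog
Get-DnsServerZone -Name $DomainName
```

Keep the DSRM password somewhere safe and separate from the domain administrator password: it is the only credential that gets you into the directory database if the domain controller cannot start Active Directory.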

Figure 7- Destination Server

Figure 8- AD / DNS

Figure 9 - Promote Server

Figure 10 - Domain Name

Figure 11 – Password

Figure 12 - Additional Option

Create a New User

1. With the Dashboard open, click Tools, then click Active Directory Users and Computers. (Figure 13)
2. In Active Directory Users and Computers, click the down arrow to the left of your domain name.
3. Right click Users, select New, and click User. (Figure 14)
4. Create the user. (Figure 15)
5. Click Next.
6. Create a password and click Finish.
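The same user creation with the ActiveDirectory module, as an added example that is not part of the build book. The domain "lab.local" and the user "Jane Doe" (jdoe) are constructed for the example; the page names neither.

```powershell
# Added example (not from the build book): Create a New User, steps 1-6, with the ActiveDirectory module.
# Assumptions: domain "lab.local" and a constructed user "Jane Doe" / jdoe; the page names neither.
Import-Module ActiveDirectory

$Domain = "lab.local"
$Sam    = "jdoe"

# Prompt for the initial password instead of embedding it in the script (step 6 of the wizard).
$Password = Read-Host -AsSecureString -Prompt "Initial password for $Sam"

New-ADUser `
    -Name "Jane Doe" `
    -GivenName "Jane" `
    -Surname "Doe" `
    -SamAccountName $Sam `
    -UserPrincipalName "$Sam@$Domain" `
    -Path "CN=Users,DC=lab,DC=local" `
    -AccountPassword $Password `
    -Enabled $true `
    -ChangePasswordAtLogon $true   # same as ticking "User must change password at next logon" in the wizard

# Check the account exists, is enabled, and is a plain user (MemberOf should be empty:
# the lab user should not belong to Domain Admins or any other privileged group).
Get-ADUser -Identity $Sam -Properties MemberOf, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, MemberOf
```

The `-Path` value must match your own domain's distinguished name; for a domain other than lab.local, replace the `DC=` components accordingly.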

Figure 13- Users and computers

Figure 14- Create User

Figure 15 - New User

Add client’s computer to the Domain

1. Set up a static IP for the client and add the server IP address as the client's DNS server. (Figure 16)
2. Check that the two machines can ping each other. You may have to disable the Windows Firewall.
3. Open the Windows System information window and click Change settings.
4. In System Properties, click Change. (Figure 17)
5. In the Computer Name/Domain Changes window, enter the domain name. (Figure 18)
6. Enter the server administrator password.
7. Click Close and click Restart Now.
8. Log in to the client with the user you created. (Figure 19)
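The same client configuration and domain join from an elevated PowerShell prompt on the client, as an added example that is not part of the build book. The adapter name "Ethernet", the client address 192.168.1.20/24, the domain controller at 192.168.1.10 and the domain "lab.local" are assumptions; the page gives none of these values. Instead of disabling the Windows Firewall for the ping test in step 2, the example opens only ICMPv4 echo requests.

```powershell
# Added example (not from the build book): Add client's computer to the Domain, steps 1-8, run as a
# local administrator on the client. Assumptions: adapter "Ethernet", client 192.168.1.20/24,
# domain controller / DNS at 192.168.1.10, gateway 192.168.1.1, domain "lab.local".
$Adapter  = "Ethernet"
$ClientIP = "192.168.1.20"
$DcIP     = "192.168.1.10"
$Domain   = "lab.local"

# Step 1: static address, and the domain controller as the client's only DNS server.
# A client that still points at another resolver cannot find the domain's service records.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ClientIP -PrefixLength 24 -DefaultGateway "192.168.1.1"
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIP

# Step 2: allow inbound ICMPv4 echo requests so ping works, leaving the rest of the host firewall on.
New-NetFirewallRule -DisplayName "Lab: allow ICMPv4 echo request" -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow
Test-NetConnection -ComputerName $DcIP

# Before joining, confirm the client resolves the domain's LDAP SRV record through the DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIP

# Steps 3-7: join the domain and reboot. The credential prompt asks for the server administrator
# password, so it is never stored in the script.
Add-Computer -DomainName $Domain -Credential (Get-Credential "LAB\Administrator") -Restart -Force

# Step 8, after the reboot and logging in as the new user: verify the secure channel to the DC.
#   Test-ComputerSecureChannel -Verbose
```

If `Resolve-DnsName` returns nothing, fix DNS before running `Add-Computer`; the join error that would otherwise follow is almost always a name resolution problem rather than a credential problem.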

Figure 16 - Client Static IP

Figure 17- System Properties

Figure 18- Domain Name

Figure 19 - Client log

Pfsense installation and configuration

1. Download the pfsense AMD64 ISO from https://www.pfsense.org/download/
2. Create a new VM and add the pfsense ISO file. (Figure 20)
3. In the VM settings, go to Storage and load the pfsense ISO file. (Figure 21)
4. Go to Network and set up 2 adapters: Adapter 1 as NAT (Figure 22) and Adapter 2 as Host-Only
(Figure 23).
5. Click Start to begin the installation.
6. Accept. (Figure 24)
7. Select Install pfsense and click OK. (Figure 25)
8. Select Continue with the default keymap and click OK. (Figure 26)
9. In the next window, click No.
10. Reboot.
11. Don't forget to unmount the ISO from the optical drive before rebooting the pfsense VM.
12. Press 7 to test connectivity by pinging any website. (Figure 27)

Figure 20-pfsense VM setup

Figure 21 -load pfsense iso file

Figure 22- Pfsense Adapter 1

Figure 23 - Pfsense Adapter 2

Figure 24 – Accept

Figure 25 - Install pfsense

Figure 26 - Default keymap

Figure 27 - Completed installation

Windows Server setup to use pfsense

1. Set up two network adapters, both as Host-Only. (Figure 28) (Figure 29)
2. Start the Windows Server VM.
3. Set a static IP for Adapter 2, using the firewall's LAN IP as the default gateway. (Figure 30)

Figure 28 - Windows Server Adapter 1

Figure 29 - Windows Server Adapter 2

Figure 30 - Adapter 2

Pfsense rules configuration

1. Access the firewall web page using its IP address (192.168.1.1) and sign in.
2. Change the password.
3. Click the Firewall menu and click Aliases.
4. Click Add to create an alias. (Figure 31)
5. Click Save.
6. Click Apply Changes.
7. Click the Firewall menu and select Rules.
8. Click the LAN tab and click Add. (Figure 32)
9. In Edit Firewall Rule, select Block in the Action menu, the LAN interface, the IPv4 address family, and the TCP
protocol. (Figure 33)
10. Leave Source as Any.
11. In Destination, select Single host or alias and enter the alias. (Figure 34)
12. Click Apply Changes. (Figure 35)
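A check that the block rule actually takes effect, run from the Windows server behind the firewall, as an added example that is not part of the build book. The two alias members 203.0.113.10 and 203.0.113.11 are constructed placeholders (the page does not list what the author put in the alias); the firewall's own LAN address 192.168.1.1, which is on the page, serves as the control destination that must stay reachable.

```powershell
# Added example (not from the build book): verify the LAN block rule of steps 7-12 from the Windows server.
# Assumptions: the alias from Figure 31 contains the constructed hosts passed in below, and the
# pfSense web UI on 192.168.1.1 (from step 1) must remain reachable as a control.
function Test-BlockRule {
    param(
        [string[]]$BlockedHosts,                 # destinations listed in the alias (expected to fail)
        [string]$ControlHost = "192.168.1.1",    # firewall web UI (expected to succeed)
        [int]$Port = 443
    )
    $targets = @()
    foreach ($h in $BlockedHosts) {
        $targets += [pscustomobject]@{ Host = $h; ExpectReachable = $false }
    }
    $targets += [pscustomobject]@{ Host = $ControlHost; ExpectReachable = $true }

    foreach ($t in $targets) {
        # With Action = Block, pfSense silently drops the SYN, so a blocked host shows up as a
        # timeout rather than a refusal. -InformationLevel Quiet returns just $true or $false.
        $reachable = Test-NetConnection -ComputerName $t.Host -Port $Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $Port
            Reachable = $reachable
            RuleOk    = ($reachable -eq $t.ExpectReachable)
        }
    }
}

# Constructed alias members; replace them with the hosts you put in your own alias.
Test-BlockRule -BlockedHosts @("203.0.113.10", "203.0.113.11") | Format-Table -AutoSize
```

Any row with RuleOk set to False needs attention: a blocked host that is still reachable usually means the rule sits below the default LAN allow rule (pfSense evaluates rules top to bottom and stops at the first match), while an unreachable control host means the rule is broader than intended. Also note that the rule from step 9 matches TCP only, so pinging an alias member still succeeds; that is expected, not a failure.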

Figure 31 - Created Aliase

Figure 32 - Add rule

Figure 33 - Edit Rule

Figure 34 - Set Source and Destination

Figure 35 - Rule created

Sumologic configuration

Create Collection
1. Go to the Sumo Logic website (https://www.sumologic.com/).
2. Create an account.
3. Download the Sumo Logic agent.
4. Click Manage Data, then Collection. (Figure 36)
5. Click the Add a Collector link. (Figure 37)
6. Select Installed Collector and download it. (Figure 38)
7. Install the SumoCollector agent on your server.
8. Click Next and accept the agreement.
9. Click Next.
10. Log in to Sumo Logic.
11. Click the Add Source link beside the server name.
12. Choose a Windows source. (Figure 39)
13. Fill in the fields. (Figure 40)

Figure 36 - Create Collection

Figure 37_ Add Collector

Figure 38- Collector type

Figure 39- Windows Sources

Figure 40- Create collection

Create Collection alert


1. Move the cursor over your server collection and click the blue icon.
2. Edit the collector's search query by adding a Windows event code.
3. Set the search time range as needed.
4. Click Receipt Time.
5. Click the Start button. (Figure 41)
6. Select the EventCode, right click it, and choose parse. (Figure 42)
7. Click the Save As button.
8. Give the search a name. (Figure 44)
9. Click the Schedule this search button to be alerted whenever the search matches.
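Before scheduling the alert it is worth confirming on the server itself that the event code you searched for is actually being written to the Security log, and what the parsed fields look like. The following is an added example that is not part of the build book; it assumes event ID 4625 (failed logon) as the code of interest, which the page does not name, and it must run from an elevated prompt because reading the Security log requires it.

```powershell
# Added example (not from the build book): local sanity check for the Windows event code used in
# the Sumo Logic search of steps 2-9. Assumption: event ID 4625 (failed logon); the page does not
# say which code the author used. Run elevated: the Security log is not readable otherwise.
function Get-EventCodeSummary {
    param(
        [int[]]$EventId = @(4625),
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML, so the same code works for any
        # event ID instead of relying on positional Properties[] indexes that differ per ID.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventCode   = $_.Id
            Account     = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            # For 4625, SubStatus 0xC000006A is a wrong password and 0xC0000064 an unknown user name.
            SubStatus   = $data['SubStatus']
        }
    }
}

# The same grouping the Sumo Logic search gives after the parse step: failures per account.
Get-EventCodeSummary -Hours 24 |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the function returns nothing for 4625, generate a test event by typing a wrong password at the client's logon screen once, then rerun it; if the event shows up here but not in Sumo Logic, the collector source (Figure 40) is not reading the Security channel.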

Figure 41 - Event search

Figure 42-Parse EventCode

Figure 43 - Parse Event

Figure 44- Name your Alert

Nessus Vulnerability Server scan

1. Make sure the server and client can communicate with each other and have an internet connection.
2. Go to https://www.tenable.com/downloads/nessus and download the latest Nessus version for
Windows Server.
3. Start the installation on the client machine.
4. Go to https://www.tenable.com/try and click Nessus Try for free.
5. Enter your information; an evaluation code will be sent to your email.
6. Click Activate Account.
7. Create an account.
8. When the installation is done, Nessus will launch your browser to localhost port 8894.
9. Plugins will be downloaded.
10. Enter the code you received. (Figure 45)
11. Click the New Scan button. (Figure 46)
12. Select your desired scan option. (Figure 47)
13. Enter the server IP address. (Figure 48)
14. Save and start the scan.

Figure 45 - Nessus Code

Figure 46-Create a scan

Figure 47- Scan Option

Figure 48-Customize scan

N-stalker Web server scan

Badstore
1. Load and install Badstore as a web application.
2. Type ifconfig to see your Badstore IP address. (Figure 49)
3. Set up the web application so that it is on your network.
4. Use the IP address in a browser to access the web page. (Figure 50)

Figure 49- Badstore server

Figure 50 - Badstore web access

Web scanner

Deploying IPS (Snort) module in PFsense

Pfsense setup
1. Set up 2 network interfaces for pfsense: 1 NAT adapter and 1 Host-Only adapter. (Figure 51)
(Figure 52)
2. Install pfsense if it is not already installed.
3. Launch pfsense. (Figure 53)
4. Launch Windows Server.
5. Set up the server on the same network as pfsense.
6. Test the internet connection on pfsense, then on Windows Server.
7. In a browser, type the pfsense LAN IP address. (Figure 54)
8. To install Snort, go to System – Package Manager – Available Packages (Figure 55) and type snort
in the search bar.
9. Click Install and Confirm. (Figure 56)
10. When complete, go to Services and click Snort. (Figure 57)
11. In the next screen, click Add to configure the network interface settings. (Figure 58)
12. Keep the default settings for both interfaces. (Figure 59)
13. Click Global Settings to add rule sets to Snort.
14. Select Enable Snort GPLv2, Enable ET Open, and Enable OpenAppID.
15. Under Enable Snort VRT, click the Sign Up for a free Registered User link.

Figure 51 - Adapter 1

Figure 52 - Adapter 2

Figure 53-pfsense interface

Figure 54 - pfsense login

Figure 55- pfsense packages

Figure 56-Install snort

Figure 57 - snort installed

Figure 58- Add interfaces

Figure 59-Interface settings

Get a Snort OinkCode

1. Go to https://www.snort.org/
2. In Step 2, click Sign up/Subscribe to get the Oinkcode. (Figure 60)
3. Create an account. (Figure 63)
4. Go to your email to confirm the newly created account.
5. After you log in, click Oinkcode and copy the code. (Figure 61)
6. Paste the Oinkcode into the Snort Oinkmaster Code field. (Figure 62) (Figure 63)
7. Click Save.
8. Click the Updates link.
9. Click the Update Rules button. (Figure 64)
10. The update will proceed.
11. The rules are updated. (Figure 65)

Figure 60-Snort sign up

Figure 61-Oinkcode

Figure 62-Snort Oinkmaster Code

Figure 63- Snort sign up

Figure 64-Update Snort Rules

Figure 65- Snort Rules updated

Enable Snort as IPS

1. Click Edit to set the WAN interface to block offenders on alert. (Figure 66)
2. Click Save.
3. Click Edit to set the LAN interface to block offenders on alert. (Figure 67)
4. Click Save.
5. LAN and WAN blocking are now enabled. (Figure 68)

Figure 66-WAN block alert

Figure 67-LAN block Offenders

Figure 68- IPS enabled

Installing and configuring Sophos

Create Sophos account

1. Go to the Sophos website, central.sophos.com.
2. Click Create Sophos Central trial. (Figure 69)
3. Confirm your account by clicking the confirmation link in the email.
4. Create a Sophos password. (Figure 70)
5. Log in to your account and click Protect Devices to download the Endpoint Agent. (Figure 71)
6. Install the endpoint agent on the workstation.
7. Go back to your Sophos Central account to see a summary of the workstation.
8. Click Dashboard. (Figure 72)
9. Click People to see the users and computers using the Sophos account. (Figure 73)
10. Launch the installed Sophos Endpoint. (Figure 74)
11. Log in as an admin by clicking Admin sign-in to manage the settings. (Figure 75)
12. Find the tamper protection password: click Devices. (Figure 76)
13. Double click your device.
14. Under Tamper Protection, click View password details to see the current password. (Figure 77)
15. Copy the password and enter it in the Tamper Protection Password field. (Figure 78)

Figure 69- Sophos account

Figure 70- create password

Figure 71- Download Sophos Endpoint Agent

Figure 72 - Devices Summary

Figure 73 - Users and Computers

Figure 74 - Protected Device

Figure 75 - Admin sign-in

Figure 76 - Devices option

Figure 77- Tamper password

Figure 78 - Admin Sign in
