SOC Practical Assessment

Task:

SOC ENGINEERING: PRACTICAL

Link: http://198.96.95.202:5601/login?next=%2F

A. SIEM

Local Audit Policies:

  • Add local audit policies to your machine.

Log Generation:

  • Generate some administrative activities that trigger logs.

Log Transmission:

  • Send logs using Winlogbeat.

Hostname Format:

  • Ensure your machine’s hostname follows the format: GROUP#_FIRSTNAME_LASTNAME

B. Fluentbit

Regex Parser:

  • Write a regex parser for this log file (extract at least 8 key fields, but you MUST extract the source IP and Destination IP).

Log Indexing:

  • Send the parsed logs to the SIEM.

  • Your index should be named: GROUP#-FIRSTNAME-LASTNAME-Fluentbit

Dashboard Creation:

  • Create a descriptive dashboard for the logs, visualize some important fields.

C. SOAR

Create a new workflow in Tines and do the following steps:

IP Extraction:

  • Using the Fluentbit index created in elastic, extract all destination IP addresses.

Threat Intelligence:

  • Send the IP addresses to VirusTotal to scan their reputation.

Email Notification:

  • Send an email to soc.weinnovate@gmail.com containing the filtered IP addresses that seem to be malicious.

  • The subject of your email MUST be in this format: GROUP#_FIRSTNAME_LASTNAME

Bonus Challenge:

  • Integrating additional threat intelligence feeds (ex: AbuseIPDB).

  • Using the Winlogbeat index created, extract logs with event id: [4720,4725,4726]

  • Extract the most important details from the extracted logs (ex: event.action, related users, targetUser).

  • Send an email to Soc.WeInnovate@gmail.com containing the extracted details. The subject of your email MUST be in this format: GROUP#_FIRSTNAME_LASTNAME_Account_Management_Summary

A. SIEM

Let's begin by configuring the Local Security Policies on our system, enabling auditing for both outcomes:

  • Success (to log successful account changes)

  • Failure (to log failed attempts)

Now, let's generate some logs by creating a new user and then deleting it to verify that everything is functioning correctly.

To create a new user account:

net user Ahmed ahmed123 /add

To disable the user account:

net user Ahmed /active:no

To delete the user account:

net user Ahmed /delete

Let's ensure that these actions are properly recorded in the log files.

4720 → A user account was created.

4725 → A user account was disabled.

4726 → A user account was deleted.

Next, we download Winlogbeat and edit its configuration file (winlogbeat.yml) so that it forwards logs to Elasticsearch.

Then we start the Winlogbeat service so it begins forwarding logs to Elasticsearch.

Start-Service winlogbeat

Now, let's test the output connection; if the test passes, run Winlogbeat in the foreground (-e writes its own log to stderr) to watch the events being forwarded to ELK.

.\winlogbeat.exe test output -c .\winlogbeat.yml -e
.\winlogbeat.exe -c .\winlogbeat.yml -e

Now, let's access ELK to verify that the logs have been successfully sent.

B. Fluentbit

Let's begin by installing Fluent-Bit on Windows.

We have a log file named firewall-log.log that needs to be ingested into the ELK stack. To extract the data accurately, we begin by crafting a regular expression that captures the required fields.

date=(?<date>\d{4}-\d{2}-\d{2})\s+time=(?<time>\d{2}:\d{2}:\d{2})\s+devname="(?<devname>[^"]+)"\s+devid="(?<devid>[^"]+)"\s+logid="(?<logid>[^"]+)"\s+type="(?<type>[^"]+)"\s+subtype="(?<subtype>[^"]+)"\s+eventtype="(?<eventtype>[^"]+)"\s+level="(?<level>[^"]+)"\s+vd="(?<vd>[^"]+)"\s+policyid=(?<policyid>\d+)\s+sessionid=(?<sessionid>\d+)\s+srcip=(?<srcip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+srcport=(?<srcport>\d+)\s+dstip=(?<dstip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+dstport=(?<dstport>\d+)\s+srcintf="(?<srcintf>[^"]+)"\s+dstintf="(?<dstintf>[^"]+)"\s+service="(?<service>[^"]+)"\s+hostname="(?<hostname>[^"]+)"\s+profile="(?<profile>[^"]+)"\s+direction="(?<direction>[^"]+)"\s+virusname="(?<virusname>[^"]+)"\s+action="(?<action>[^"]+)"\s+msg="(?<msg>[^"]+)"

Next, we need to modify the parsers.conf file located in C:\Program Files\fluent-bit\conf, adding a parser named firewall-logs (the name the INPUT section below refers to) that uses this regex.
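Before pointing Fluent Bit at the file, it is worth checking the parser against a handful of lines. The following is an added Python example, not code from the original page, that applies the regex above to constructed FortiGate-style log lines. Fluent Bit's regex parser uses Onigmo syntax, so the `(?<name>...)` groups are rewritten to Python's `(?P<name>...)` first. The three sample lines are constructed for this example; the third is a traffic record with a different field layout, included to show that a line the regex does not match yields none of the fields, including the srcip and dstip the assessment requires.

```python
import re

# The regex from the page's parser, in Fluent Bit (Onigmo) syntax, split only for readability.
FLUENT_BIT_REGEX = (
    r'date=(?<date>\d{4}-\d{2}-\d{2})\s+time=(?<time>\d{2}:\d{2}:\d{2})\s+'
    r'devname="(?<devname>[^"]+)"\s+devid="(?<devid>[^"]+)"\s+logid="(?<logid>[^"]+)"'
    r'\s+type="(?<type>[^"]+)"\s+subtype="(?<subtype>[^"]+)"\s+eventtype="'
    r'(?<eventtype>[^"]+)"\s+level="(?<level>[^"]+)"\s+vd="(?<vd>[^"]+)"\s+'
    r'policyid=(?<policyid>\d+)\s+sessionid=(?<sessionid>\d+)\s+srcip=(?<srcip>\d{1,3}\.'
    r'\d{1,3}\.\d{1,3}\.\d{1,3})\s+srcport=(?<srcport>\d+)\s+dstip=(?<dstip>\d{1,3}\.'
    r'\d{1,3}\.\d{1,3}\.\d{1,3})\s+dstport=(?<dstport>\d+)\s+srcintf="'
    r'(?<srcintf>[^"]+)"\s+dstintf="(?<dstintf>[^"]+)"\s+service="'
    r'(?<service>[^"]+)"\s+hostname="(?<hostname>[^"]+)"\s+profile="(?<profile>[^"]+)'
    r'"\s+direction="(?<direction>[^"]+)"\s+virusname="(?<virusname>[^"]+)"\s+action='
    r'"(?<action>[^"]+)"\s+msg="(?<msg>[^"]+)"'
)

# Python's re only accepts (?P<name>...), so rewrite the Onigmo-style groups. The negative
# lookahead leaves (?<= and (?<! lookbehinds alone, should the parser ever use them.
PYTHON_REGEX = re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", FLUENT_BIT_REGEX))

# Fields the assessment says MUST be extracted.
REQUIRED_FIELDS = ("srcip", "dstip")

# Constructed FortiGate-style lines (not real traffic). The first two are antivirus (UTM)
# records in the layout the regex expects; the third is a traffic record whose layout differs.
SAMPLE_LINES = [
    'date=2025-02-24 time=10:15:32 devname="FGT-LAB" devid="FGT60F0000000000" logid="0211008192" '
    'type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 '
    'sessionid=123456 srcip=192.168.1.10 srcport=51234 dstip=203.0.113.5 dstport=80 '
    'srcintf="port1" dstintf="port2" service="HTTP" hostname="files.example.test" '
    'profile="default" direction="incoming" virusname="EICAR_TEST_FILE" action="blocked" '
    'msg="File is infected."',
    'date=2025-02-24 time=10:15:40 devname="FGT-LAB" devid="FGT60F0000000000" logid="0211008192" '
    'type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 '
    'sessionid=123457 srcip=192.168.1.12 srcport=51300 dstip=198.51.100.7 dstport=80 '
    'srcintf="port1" dstintf="port2" service="HTTP" hostname="dl.example.test" '
    'profile="default" direction="incoming" virusname="EICAR_TEST_FILE" action="blocked" '
    'msg="File is infected."',
    'date=2025-02-24 time=10:16:00 devname="FGT-LAB" devid="FGT60F0000000000" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.11 srcport=40000 '
    'srcintf="port1" dstip=198.51.100.9 dstport=443 dstintf="port2" action="accept"',
]


def parse_firewall_line(line):
    """Return the named-group fields as a dict, or None when the regex does not match."""
    match = PYTHON_REGEX.search(line)
    return match.groupdict() if match else None


def parse_firewall_log(lines):
    """Parse every line, returning (records, unmatched) so dropped lines are visible, not silent."""
    records, unmatched = [], []
    for line in lines:
        record = parse_firewall_line(line)
        if record is None:
            unmatched.append(line)
        else:
            records.append(record)
    return records, unmatched


def missing_required(record):
    """Names of required fields that are absent or empty in a parsed record."""
    return [field for field in REQUIRED_FIELDS if not record.get(field)]


def unique_destination_ips(records):
    """Sorted distinct dstip values: the set the SOAR step later sends to VirusTotal."""
    return sorted({record["dstip"] for record in records})


if __name__ == "__main__":
    records, unmatched = parse_firewall_log(SAMPLE_LINES)
    print(f"parsed {len(records)} line(s), {len(unmatched)} unmatched")
    for record in records:
        print(f"{record['srcip']} -> {record['dstip']} {record['action']} {record['virusname']}"
              f" (missing: {missing_required(record)})")
    print("destination IPs:", unique_destination_ips(records))
    for line in unmatched:
        print("NO MATCH:", line[:60], "...")
```

The unmatched count is the number to watch: a firewall file usually mixes several log types, and every line the regex rejects is a record the dashboard will never see. In parsers.conf the same regex goes on a single Regex line inside a [PARSER] stanza whose Name is firewall-logs, matching the Parser key of the INPUT section.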

Next, we need to configure the fluent-bit.conf file, located at C:\Program Files\fluent-bit\conf, to forward logs to the ELK stack.

[SERVICE]
    flush        1
    parsers_file parsers.conf
    plugins_file plugins.conf

[INPUT]
    Name         tail
    Parser       firewall-logs
    Path         C:\Users\Fares\Downloads\firewall-log.log
    Tag          firewall.logs

[OUTPUT]
    name               es
    Host               192.168.204.146
    Port               9200
    Match              *
    HTTP_User          elastic
    HTTP_Passwd        =Op+25maKY3GqC=IrV7m
    Index              group1faresmorcy
    tls                on
    tls.verify         off
    Trace_Output       on
    Suppress_Type_Name on

[OUTPUT]
    name  stdout
    match *

Now, let's run Fluent Bit:

.\fluent-bit.exe -c 'C:\Program Files\fluent-bit\conf\fluent-bit.conf'

Because the tail input only picks up lines appended after Fluent Bit starts, we need to append some lines to the firewall-log.log file (duplicating a few existing ones is enough) and save the changes.

Let's confirm whether the logs are successfully being forwarded to ELK.

Now, it is time to create a dashboard utilizing these logs.

First, I created a new data view using the group1faresmorcy index. Next, I will proceed with building a dashboard for this index.

C. SOAR

Using the Fluentbit index created in elastic, we need to extract all destination IP addresses.

First, we need to configure ngrok to open a tunnel so that Tines can reach our local Elasticsearch instance.

ngrok http https://192.168.204.146:9200/

Let's send an HTTP request using Tines to retrieve the information of the group1faresmorcy index.

First, let's query the index's _search endpoint to see what a full hit looks like and which fields we need.

https://70fa-197-43-37-185.ngrok-free.app/group1faresmorcy/_search

Now, let's send an HTTP request to this URL to retrieve only the destination IP address for further analysis and action:

https://70fa-197-43-37-185.ngrok-free.app/group1faresmorcy/_search?_source=dstip&filter_path=hits.hits._source.dstip

We need to incorporate two additional configurations:

  1. Basic Authentication

  2. Disable SSL verification

Next, we will send the request and analyze the response.

Now, we need to extract the four destination IP addresses from the response and submit each one individually to VirusTotal, which tells us whether the address is associated with any malicious activity.

Based on the VirusTotal verdict, we decide which IP addresses are malicious and send those to our email account.
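In Tines, the steps above are an HTTP Request action against the filtered URL, an Event Transform that explodes the hits so each destination IP becomes its own event, one VirusTotal request per IP, a filter on the verdict, and a Send Email action. The following is an added Python example, not the page's Tines story or any Tines code, that walks the same pipeline offline. It takes a response in the shape the filter_path URL above returns, deduplicates the destination IPs, applies a threshold to the last_analysis_stats.malicious counter that VirusTotal's v3 GET /api/v3/ip_addresses/{ip} endpoint returns, and assembles the email. All response bodies are constructed, EMAIL_SUBJECT is a placeholder for the required GROUP#_FIRSTNAME_LASTNAME value, and unique_dstip_query is my own alternative query body (it assumes the default dynamic mapping gave dstip a .keyword sub-field) for the case where the index holds more than the 10 hits a plain _search returns by default.

```python
# Placeholder: the task requires the subject to be GROUP#_FIRSTNAME_LASTNAME; fill in your own.
EMAIL_SUBJECT = "GROUP#_FIRSTNAME_LASTNAME"

# Constructed response in the shape returned by
#   /group1faresmorcy/_search?_source=dstip&filter_path=hits.hits._source.dstip
ES_FILTERED_RESPONSE = {"hits": {"hits": [
    {"_source": {"dstip": "203.0.113.5"}},
    {"_source": {"dstip": "198.51.100.7"}},
    {"_source": {"dstip": "203.0.113.5"}},    # same destination seen twice: dedupe before VT
    {"_source": {"dstip": "192.0.2.44"}},
    {"_source": {"dstip": "198.51.100.23"}},
]}}


def _vt(malicious, suspicious, harmless, undetected):
    # Constructed VirusTotal v3 reply for GET /api/v3/ip_addresses/{ip}, trimmed to the
    # last_analysis_stats counters the verdict below uses.
    return {"data": {"attributes": {"last_analysis_stats": {
        "malicious": malicious, "suspicious": suspicious,
        "harmless": harmless, "undetected": undetected}}}}


VT_RESPONSES = {
    "203.0.113.5": _vt(7, 1, 60, 20),
    "198.51.100.7": _vt(0, 0, 70, 18),
    "192.0.2.44": _vt(2, 0, 65, 21),
    "198.51.100.23": _vt(0, 3, 50, 35),   # only "suspicious": below the default threshold
}


def extract_destination_ips(response):
    """Distinct dstip values in first-seen order from a filter_path-shaped search response."""
    ips = (hit.get("_source", {}).get("dstip") for hit in response.get("hits", {}).get("hits", []))
    return list(dict.fromkeys(ip for ip in ips if ip))


def unique_dstip_query(max_terms=500):
    """Alternative query body: a terms aggregation returns every distinct dstip, whereas a
    plain _search returns only the first 10 hits. Assumes a dstip.keyword sub-field exists."""
    return {"size": 0, "aggs": {"dst": {"terms": {"field": "dstip.keyword", "size": max_terms}}}}


def malicious_count(vt_response):
    """Number of engines that flagged the IP as malicious in the VirusTotal reply."""
    return vt_response["data"]["attributes"]["last_analysis_stats"].get("malicious", 0)


def filter_malicious(ips, vt_lookup, min_malicious=1):
    """Return ({ip: malicious_count} for IPs at or above the threshold, [ips with no VT reply]).
    IPs without a reply are reported separately rather than silently treated as clean."""
    flagged, unresolved = {}, []
    for ip in ips:
        reply = vt_lookup.get(ip)
        if reply is None:
            unresolved.append(ip)
        elif malicious_count(reply) >= min_malicious:
            flagged[ip] = malicious_count(reply)
    return flagged, unresolved


def build_email(flagged, unresolved=(), subject=EMAIL_SUBJECT):
    """Subject and body for the notification step."""
    lines = ["Destination IPs with a malicious VirusTotal verdict:"]
    lines += [f"  {ip}: {count} engine(s)" for ip, count in flagged.items()]
    if unresolved:
        lines.append("No VirusTotal result for: " + ", ".join(unresolved))
    return subject, "\n".join(lines)


if __name__ == "__main__":
    ips = extract_destination_ips(ES_FILTERED_RESPONSE)
    flagged, unresolved = filter_malicious(ips, VT_RESPONSES)
    subject, body = build_email(flagged, unresolved)
    print(subject)
    print(body)
```

The threshold is the one knob worth thinking about: a single engine's "malicious" vote is noisy, so the default of 1 errs toward over-reporting, which is what you want when the output is a notification an analyst reviews rather than an automated block.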

Bonus Challenge:

  • Integrating additional threat intelligence feeds (ex: AbuseIPDB).

Let's search for the IP addresses flagged as malicious by VirusTotal on AbuseIPDB.

First, we need to create an account and obtain an API key, which will be used to perform IP searches on AbuseIPDB through Tines.

Based on the data obtained from AbuseIPDB, we can send details of the malicious IP address, its associated domain, and the number of reports to our Gmail account.

  • Using the Winlogbeat index created, extract logs with event id: [4720,4725,4726]

  • Extract the most important details from the extracted logs (ex: event.action, related users, targetUser).

First, let's give the Winlogbeat index we initially created a different name. Elasticsearch cannot rename an index in place, so we create a new index and reindex the data from the old one into it.

PUT /winlogbeat-fares-morcy
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 1
  }
}

POST /_reindex
{
  "source": {
    "index": ".ds-winlogbeat-8.17.2-2025.02.24-000001"
  },
  "dest": {
    "index": "winlogbeat-fares-morcy"
  }
}

Let's verify that the logs are now present in the new index.

I have added additional columns to retrieve the necessary details and send them to our email account.

Now, let's create another story in Tines and send an HTTP request to query the winlogbeat-fares-morcy index.

We now need to isolate each event individually to facilitate further analysis and actions.

We now need to send the important information to our email account, including details such as event.action, related users, and targetUser.
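The Tines story for this part is the same shape as the previous one: an HTTP Request action with a query body that restricts the hits to the three event IDs, an Event Transform that explodes the hits, and a Send Email action. The following is an added Python example, not the page's Tines story, that builds that query body and performs the field extraction offline on constructed Winlogbeat documents mirroring the net user add / active:no / delete sequence from the SIEM section. The document layout (event.code, event.action, related.user, winlog.event_data.TargetUserName and SubjectUserName) is my assumption of what a Winlogbeat 8 Security-channel index contains and should be confirmed in Discover; the event.action strings are constructed; SUMMARY_SUBJECT is a placeholder for the required GROUP#_FIRSTNAME_LASTNAME_Account_Management_Summary value. It goes one step beyond the task by flagging accounts that were created and deleted within a short window, since a short-lived account is exactly what an analyst reading the summary would want called out.

```python
from datetime import datetime, timedelta

# Event IDs from the bonus task, as Winlogbeat stores them in event.code (keyword strings).
ACCOUNT_EVENT_IDS = ("4720", "4725", "4726")
# Placeholder: the task fixes the subject format; substitute your own group and name.
SUMMARY_SUBJECT = "GROUP#_FIRSTNAME_LASTNAME_Account_Management_Summary"


def account_events_query(event_ids=ACCOUNT_EVENT_IDS, size=100):
    """Body for POST /winlogbeat-fares-morcy/_search: just the three events, oldest first."""
    return {
        "size": size,
        "query": {"terms": {"event.code": list(event_ids)}},
        "sort": [{"@timestamp": "asc"}],
    }


def _hit(ts, code, action, subject, target):
    # Constructed document in the ECS layout I expect from Winlogbeat's Security channel;
    # check the field names against your own index before wiring the Tines story.
    return {"_source": {
        "@timestamp": ts,
        "host": {"name": "LAB-WORKSTATION"},
        "event": {"code": code, "action": action},
        "related": {"user": [subject, target]},
        "winlog": {"event_data": {"SubjectUserName": subject, "TargetUserName": target}},
    }}


# The net user add / active:no / delete sequence from the walkthrough, plus an unrelated
# account that was created and kept. All values constructed.
SAMPLE_RESPONSE = {"hits": {"hits": [
    _hit("2025-02-24T09:00:00Z", "4720", "added-user-account", "Administrator", "svc_backup"),
    _hit("2025-02-24T10:00:05Z", "4720", "added-user-account", "Administrator", "Ahmed"),
    _hit("2025-02-24T10:01:10Z", "4725", "disabled-user-account", "Administrator", "Ahmed"),
    _hit("2025-02-24T10:02:30Z", "4726", "deleted-user-account", "Administrator", "Ahmed"),
]}}


def summarize_account_events(response):
    """Pull the fields the task names (event.action, related users, target user) from each hit."""
    rows = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        data = src.get("winlog", {}).get("event_data", {})
        rows.append({
            "timestamp": src.get("@timestamp"),
            "host": src.get("host", {}).get("name"),
            "event_id": src.get("event", {}).get("code"),
            "event_action": src.get("event", {}).get("action"),
            "related_users": src.get("related", {}).get("user", []),
            "subject_user": data.get("SubjectUserName"),
            "target_user": data.get("TargetUserName"),
        })
    return rows


def short_lived_accounts(rows, max_age_minutes=60):
    """Targets created (4720) and then deleted (4726) within max_age_minutes."""
    max_age = timedelta(minutes=max_age_minutes)
    created, flagged = {}, []
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if row["event_id"] == "4720":
            created[row["target_user"]] = ts
        elif row["event_id"] == "4726" and row["target_user"] in created:
            if ts - created[row["target_user"]] <= max_age:
                flagged.append(row["target_user"])
    return flagged


def build_summary_email(rows, subject=SUMMARY_SUBJECT):
    """Subject and body for the account-management summary email."""
    lines = [f"{r['timestamp']} {r['host']} {r['event_id']} {r['event_action']}: "
             f"{r['subject_user']} -> {r['target_user']} (related: {', '.join(r['related_users'])})"
             for r in rows]
    flagged = short_lived_accounts(rows)
    if flagged:
        lines.append("Created and deleted within an hour: " + ", ".join(flagged))
    return subject, "\n".join(lines)


if __name__ == "__main__":
    rows = summarize_account_events(SAMPLE_RESPONSE)
    subject, body = build_summary_email(rows)
    print(subject)
    print(body)
```

Sorting the query by @timestamp ascending is what makes the create-then-delete check work with a single pass; if the Tines story fetches hits in another order, sort the exploded events before comparing timestamps.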

Last updated 3 months ago