Building a Threat Hunting Lab (Part 4): Initial Windows 7 build

Windows 7 basic setup

Alright, this is going to be the longest part of the blog series, so I'm considering breaking it into multiple parts: the initial installation, hardening, installation of tools, and exploitation.

Installation

I'm using a basic Windows 7 Professional installation.  My intention behind this is to create an environment that a user would actually use.  Granted, when I get further along I will be installing tools that a standard user wouldn't use, such as Splunk and NetWitness, but for now we are focusing on installation and hardening.

I actually own a few Windows 7 license keys but I'm not going to use them here, so I grabbed a copy off the Microsoft Developer Network (MSDN).  I'm not going to spend long on this because it's a fairly standard install. The basic hardening I performed on this was:

  • Full patching
  • Firewall on
  • Antivirus (Bitdefender) installed and running
  • User Account Control (UAC) enabled
  • Data Execution Prevention (DEP) enabled
This is a fairly basic hardening outline and roughly what a reasonably careful home user would have.  I also added a few bits of software. Namely:
  • Microsoft Office 2016, courtesy of MSDN
  • Adobe Reader (PDF)
  • Adobe Flash
  • Google Chrome
  • Mozilla Firefox
  • Notepad++
  • Python (More on that when I get to GRR and Yara).
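Before moving on, it is worth confirming that each item in the hardening list above actually took effect rather than trusting the checkboxes. The script below is an added example, not code from the original post: it checks the five hardening items on a Windows 7 host using only what PowerShell 2.0 (the version Windows 7 ships with) and the built-in COM/WMI interfaces provide, so it should run from an elevated prompt with no extra modules. Assumptions are labelled in the comments: the Windows Update query needs network access and can take a minute, and the decoding of the Security Center `productState` value follows the commonly documented bit layout rather than an official API contract.

```powershell
# Added example (not from the original post): verify the five hardening items
# on a Windows 7 box. PowerShell 2.0 compatible, run from an elevated prompt.
# Assumptions: the Windows Update search needs network access; the
# SecurityCenter2 productState bits (0x1000 = real-time protection on,
# 0x10 = definitions out of date) are the commonly documented layout.

function New-Result($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-Patching {
    # Most recent installed hotfix, plus a live search for updates not yet installed.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
        $pass     = ($pending -eq 0)
    } catch {
        $pending = "unknown ($($_.Exception.Message))"   # offline or WU agent broken
        $pass    = $false
    }
    New-Result 'Full patching' $pass "last hotfix $($latest.HotFixID) on $($latest.InstalledOn); pending updates: $pending"
}

function Test-Firewall {
    # HNetCfg.FwPolicy2 profile types: 1 = domain, 2 = private, 4 = public.
    # "Firewall on" should mean all three, not just the profile currently active.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $states = @()
    $allOn = $true
    foreach ($p in @{ Domain = 1; Private = 2; Public = 4 }.GetEnumerator()) {
        $on = [bool]$fw.FirewallEnabled($p.Value)
        if (-not $on) { $allOn = $false }
        $states += "$($p.Key)=$on"
    }
    New-Result 'Firewall on' $allOn ($states -join ', ')
}

function Test-UAC {
    # EnableLUA = 1 turns UAC on. ConsentPromptBehaviorAdmin = 0 makes admins
    # elevate silently, which defeats the point even with EnableLUA set.
    # These are the configured values; a change only takes effect after reboot.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $enabled = ($p.EnableLUA -eq 1)
    $silent  = ($p.ConsentPromptBehaviorAdmin -eq 0)
    New-Result 'User Account Control' ($enabled -and -not $silent) "EnableLUA=$($p.EnableLUA), ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin)"
}

function Test-Antivirus {
    # Any AV registered with Security Center shows up here (Bitdefender included).
    $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct)
    $pass = $false
    $details = @()
    foreach ($av in $products) {
        $state = [int]$av.productState
        $on    = (($state -band 0x1000) -ne 0)   # real-time protection enabled
        $stale = (($state -band 0x10) -ne 0)     # definitions out of date
        if ($on -and -not $stale) { $pass = $true }
        $details += "$($av.displayName): enabled=$on, definitionsOutdated=$stale"
    }
    if ($products.Count -eq 0) { $details += 'no product registered with Security Center' }
    New-Result 'Antivirus running' $pass ($details -join '; ')
}

function Test-DEP {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (client default: Windows binaries only), 3 OptOut.
    # Only AlwaysOn/OptOut cover third-party software such as Reader, Flash and Office.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $pass = ($policy -eq 1 -or $policy -eq 3)
    New-Result 'Data Execution Prevention' $pass "policy $policy ($($names[$policy])), hardware NX available: $($os.DataExecutionPrevention_Available)"
}

$results = @(Test-Patching; Test-Firewall; Test-UAC; Test-Antivirus; Test-DEP)
$results | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

The DEP check is the one most people get wrong: a client install defaults to OptIn, which protects Windows' own binaries but not the Office, Reader and Flash installs that will be the targets later in this series, so "DEP enabled" should mean OptOut or AlwaysOn (set with `bcdedit /set nx OptOut` and a reboot). The UAC check reads the registry rather than asking the running session, so run it after the reboot that follows any change.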
During the course of the lab preparation I will be exploiting the Windows 7 box, which I made significantly more difficult by hardening the system beforehand; however, I believe it is important to teach analysts that no matter how hardened a system is, it can still be exploited.  I also wanted to demonstrate antivirus evasion techniques and why you can't rely on antivirus alone to protect or defend a system. There's a phrase I like that describes exactly what I'm talking about: "Mustache on a Mouse". Putting a mustache on a mouse is enough to stop it being recognised as the mouse you were looking for.  Malware follows the same basic principle against signature-based detection: repack it, recompile it, or change the few bytes the signature keys on, and watch as AV no longer finds it.  Simply renaming the file isn't enough on its own, since neither the hash nor the byte patterns inside it change.

In the next part of this blog I'm going to be working on actually installing the forensic tools I plan to use, with particular attention given to GRR.
