Building a Threat Hunting Lab (Part 4): Initial Windows 7 build

Windows 7 basic set up

Alright, this is going to be the longest part of the blog series.  I'm considering breaking this into multiple parts.  The initial installation, hardening, installation of tools, and exploitation.

Installation

I'm using a basic Windows 7 Professional installation.  My intention behind this is to create an an environment that a user would actually use.  Granted when I get further along I will be installing tools that a standard user wouldn't use such as Splunk and NetWitness but for now we are focusing on installation and hardening.

I actually own a few Windows 7 license keys but I'm not going to use them here, so I grabbed a copy off the Microsoft Developer Network (MSDN).  I'm not going to spend long on this because it's a fairly standard install. The basic hardening I performed on this was:

  • Full patching
  • Firewall on
  • Antivirus (Bitdefender) installed and running
  • User Access Controls enabled
  • Data Execution Prevention Enabled
This is a fairly basic hardening outline and something that the average user is likely using.  I also added a few bits of software. Namely:
  • Microsoft Office 2016, courtesy of MSDN
  • Adobe PDF
  • Adobe Flash
  • Google Chrome
  • Mozilla Firefox
  • Notepad++
  • Python (More on that when I get to GRR and Yara).
During the course of the lab preparation I will be exploiting the Windows 7 box, which I made significantly more difficult by hardening the system beforehand; however, I believe it is important to teach the analysts that no matter how hardened the system it can still be exploited.  I also wanted to demonstrate Antivirus evasion techniques and how you can't rely on antivirus to protect or defend a system. There's a phrase I like that helps to describe exactly what I'm talking about; "Mustache on a Mouse". Putting a Mustache on a Mouse is enough to completely disguise the mouse from being seen.  Malware follows this same basic principle, rename it or modify it slightly and watch as AV can't find it. 

In the next part of this blog I'm going to be working on actually installing the forensic tools I plan to use with special exception given to GRR. 

Comments

Post a Comment

Popular posts from this blog

Fingbox Review: Simply not worth it.

Image
I'd like to open an honest public discourse on the Fingbox. First off I'd like to say that this isn't meant to be an attack on the product or the company. I actually really like the Fingbox but the marketing advertises a Corvette when the product is more of a Honda. I've been doing Network security and Forensics for a little over 7 years so the idea of a device like the Fingbox excited me; however, after having a Fingbox for a little while I'm ultimately disappointed. The bottom line up front: spend your $150 on an Asus RT-86U instead. You'll get 99% of the features and a powerful router with a Network intrusion prevention system built in. Devices Tab I'm going to go in order of the app when discussion its features. So up first is the network scan. I actually really like this scan and subsequent list in the app. It's clean, it's easy to read and search. Clicking on devices allows you to see some basic information about
Read more

Cypherpunk: A VPN review

Image
Those of you who know me know that I am a major advocate of VPNs. I think they're great security tools for keeping your public IP address less public. They're similar to a PO box in the sense that you give out that address instead of your actual home address, ideally making it less likely someone unwanted will show up at your front door. VPNs have many practical security applications. First and foremost they protect your information from prying eyes when you're using public Wi-Fi, but a lot of them also provide added features like DNS adblocking, Malware domain blocking, and IPv6 prevention. For this review, I'll be comparing the Cypherpunk to an industry standard Private Internet Access (PIA).  Right off the bat, you can see that Cypherpunk is very stylized. It certainly goes for the look of cyber. It's a simple button press to activate the VPN. Then you get this stylized graphic showing ciphertext moving across the screen. There are 35 ser
Read more

Simple Security: Moderate Difficulty Setup

A few days ago I posted Simple Security: The basics  to cover a few easy and cheap ways to ways to help secure your Windows environment. Today I am planning on going a step further and covering some more advanced techniques to help secure your environment. Given that this is a moderate set up I am going to be trying to keep things as cheap as possible.  On my advanced guide I will be talking about expensive high-quality security solutions like Cisco ASA, SonicWall, Pallo Alto, ESXI, Domain Controllers, enterprise level malware protection like SideWinder, VM servers, and Splunk. In today's guide I will be discussing how to set up tools like Host Level Intrusion Detection Systems (HIDS), Network Level IDS (NIDS),  System Information and Event Management servers, and Smart Firewalls.  I'll also talk about ways to automatically aggregate data from opensource intelligence (OSINT) and using that to feed the analysis systems that will be helping to protect your network. First, l
Read more