Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM
First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn. As of this writing, the latest version of Sysmon is 15.5. Once the download is complete, go ahead and unzip the file.

Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config

We will download this configuration for our setup. We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below.

We can use net start Sysmon64 to start the Sysmon64 service; running net start on its own lists all running services, so it can confirm afterward that Sysmon64 is up. To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, where you should see the corresponding event IDs.

And now let's ingest Sysmon and Windows Defender logs into Elasticsearch. Click the Add integ...
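The install-and-verify procedure above, as an added PowerShell example that is not part of the original post: it assumes the unzipped Sysmon folder lives at C:\Tools\Sysmon (a placeholder path) and that the SwiftOnSecurity config keeps its repository file name, sysmonconfig-export.xml.

```powershell
# Added example (not from the original post): install Sysmon64 with the
# SwiftOnSecurity configuration, then verify the service and the Operational
# log that Event Viewer shows. Run from an elevated PowerShell prompt.
$SysmonDir = 'C:\Tools\Sysmon'                        # assumed extraction path
$Config    = Join-Path $SysmonDir 'sysmonconfig-export.xml'   # repo file name
$Sysmon    = Join-Path $SysmonDir 'Sysmon64.exe'

# Driver installation needs administrator rights; fail early if we lack them.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }
if (-not (Test-Path $Sysmon)) { throw "Sysmon64.exe not found in $SysmonDir" }
if (-not (Test-Path $Config)) { throw "Config file not found: $Config" }

# -i installs the service and driver and applies the config in one step;
# if Sysmon is already installed, -c only updates the running configuration.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $Sysmon -accepteula -c $Config
} else {
    & $Sysmon -accepteula -i $Config
}

# Same check as 'net start': the Sysmon64 service must be running.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') { Start-Service -Name Sysmon64 }
Get-Service -Name Sysmon64 | Format-Table Name, Status -AutoSize

# Same check as Event Viewer: read the Operational log and count event IDs,
# so we can see which rules in the config are actually producing events.
$Log    = 'Microsoft-Windows-Sysmon/Operational'
$events = Get-WinEvent -LogName $Log -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No Sysmon events yet; generate some activity and re-run.'
} else {
    $events | Group-Object -Property Id |
        Sort-Object { [int]$_.Name } |
        Select-Object @{n='EventId'; e={$_.Name}}, Count |
        Format-Table -AutoSize
}
# Expected IDs with this config include 1 (process create), 3 (network
# connection), 11 (file create) and 13 (registry value set); event ID 16
# records the configuration change made by the install itself.
```

If the summary is empty, open any program to generate process-creation events and run the last block again before moving on to Elasticsearch ingestion.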