[NEW] Building My Own Cybersecurity Virtual Lab: Pentesting,

By on

 


I recently built a new lab using VirtualBox because my previous setup on EVE-NG was slow and often froze. With VirtualBox, my experience is much smoother, and all devices run simultaneously without issues.

This diagram provides a simple overview of my lab setup. On the adversary side, we have the attacker system running Kali Linux, along with our Command and Control (C2) server using Mythic.

On the other side, we have the target devices and the SOC environment. For our SIEM solution, I chose Elasticsearch. And a Fleet server that is responsible for managing Elastic Agents, handling their deployment, and forwarding logs to the Elasticsearch server. Additionally, the lab includes a Windows Server and an Ubuntu Server.

In my next post, I’ll walk through the installation of Sysmon and its integration with Elasticsearch SIEM.


"Blending years of Network Engineering with a passion for Cybersecurity."

Comments

Post a Comment

Popular posts from this blog

Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM

By on
Image
  First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn . As of this writing, the latest version of Sysmon is 15.5 Once the download is complete, go ahead and unzip the file. Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config: 🔗 https://github.com/SwiftOnSecurity/sysmon-config We will download this configuration for our setup. We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below. We can use net start to start Sysmon64, and it will list all services that start afterward. To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational , where you should see the corresponding event IDs. And now let's ingest Sysmon and Windows Defender logs into elasticsearch. Click the Add integ...
Read more

Installing Suricata IDS/IPS and Triggering Rules with an Nmap Stealth Scan and XSS Attack on bWAPP Using Burp Suite

By on
Image
  We are enabling the IDS/IPS functionality on our OPNsense firewall to detect and alert on potential threats by analyzing incoming traffic against predefined rules. These rules act as "fingerprints" to identify known attacks and suspicious behaviors across the network. In this Lab, i will be using Suricata, a free and open-source cybersecurity tool that functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Widely adopted by organizations worldwide, Suricata monitors networks for suspicious activity and detects cyber threats. Suricata's rules analyze network packets for specific characteristics, such as source and destination IP addresses, ports, protocol types, and even packet content, to identify potential threats. When traffic matches a rule, Suricata generates an alert, notifying administrators of potential security incidents. Based on my research, it is essential to disable offloading features before enabling the IDS/IPS capa...
Read more

Boss of the SOC v1 (2015) Website Defacement

By on
Image
  Question #1 Based on the first question, the task is to identify the IP address of an individual conducting  reconnaissance using a scanning technique. I began my investigation with the search parameter  index=botv1, as provided in the instructions, and incorporated imreallynotbatman.com as  specified in question number 1. After running the search parameters, I identified the dest_header field in the left-side panel.  Upon expanding it, I analyzed the details within and discovered references to the Acunetix  Web Vulnerability Scanner, indicating its use in the reconnaissance activity. To enhance visibility and identify the IP address scanning the web server, I created a table that  included the fields src_ip, dest_ip, and dest_header. I then filtered the results by searching  for the keyword 'scan' within the dest_header field and applied a dedup command to the src_ip  field to remove duplicate entries, effectively narrowing down the source...
Read more