kyhomelab/SOC-Lab
SOC Lab

Comprehensive documentation for setting up a Security Operations Center (SOC) lab.

Components

Software Used

PfSense

  1. Downloaded the ISO
  2. Created a new VM using the PfSense ISO
  3. Followed the documentation, making sure to create a new Linux Bridge and add it to the hardware of the VM
  4. Finished the installation; I now have a WAN and a LAN configured for my PfSense VM
  5. I'm able to access the GUI from within my Windows Server 2022

Windows Server 2022

  1. Downloaded the ISO
  2. Made sure to use the PfSense network device, which I have configured as vmbr1
  3. After installation I had access to Windows Server Manager and was able to access PfSense
  4. I now have a closed network, separate from my own, in order to manage and configure Active Directory and to monitor and create the Server 2022 dashboard
  5. Under Server Manager I went to Roles and Features > Select Server Roles > Select Active Directory Domain Services > Add Features
  6. After the installation completed, I promoted the server to a domain controller
  7. Created a new forest named soc.lab; after a restart I now have an Active Directory domain, which we now need to populate
  8. I created a user for myself to join the AD from Win10

BadBlood

In order to populate my AD, I'm going to use BadBlood.

  1. On the Win Server I installed Git
  2. After installation, I opened the Active Directory Module for Windows PowerShell and ran the following commands:

```powershell
# clone the repo
git clone https://github.com/davidprowe/badblood.git
# run Invoke-BadBlood.ps1
./badblood/invoke-badblood.ps1
```

  3. Once BadBlood finished running, it had generated 2500 users, 500 groups, and 100 computers

Windows 10 VM (22H2)

  1. Downloaded the Windows 10 ISO
  2. Created a VM using Windows 10 Pro; once loaded in, changed the PC name to SOC-WIN10
  3. Went to Settings > System > About > Rename this PC (advanced) > Computer Name > Change (Domain) > Member of Domain: soc
Unfortunately, I kept getting either a DNS error or a Network Path error.
It took me a few hours to resolve this issue.
Pinging the server IP or the DNS from Win10 was always successful.
After a while, I tried pinging the Win10 from the WinServer, with all requests timing out. I even did a tracert, to no avail.
I disabled the firewall for both Win10 and WinServer, since the communication was being blocked from WinServ to Win10.
After doing that, tracert was able to ping successfully at 1.
----------------
Update: After 2 more hours of troubleshooting... the issue was IPv6...
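The DNS and Network Path errors above usually mean the client cannot locate or reach a domain controller. As an added example (not part of this repository), here is a PowerShell check to run on the Win10 client that tests those prerequisites over IPv4 before retrying the join; the domain name soc.lab comes from this README, while the DC address is a placeholder you replace with your own.

```powershell
# Added example, not from the SOC-Lab repo: domain-join prerequisite check, run on the
# Win10 client as an administrator. Assumes the domain soc.lab from this README; the DC
# IP is a placeholder (TEST-NET-1 range) that you replace with your DC's LAN address.
param(
    [string]$Domain = 'soc.lab',
    [string]$DcIPv4 = '192.0.2.10'   # placeholder, replace with your DC's IP
)

$ok = $true

# 1. The client must use the DC as its DNS server; the join fails if it points at pfSense or the ISP.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses
Write-Host "IPv4 DNS servers: $($dns -join ', ')"
if ($dns -notcontains $DcIPv4) { Write-Warning "DNS does not point at the DC ($DcIPv4)"; $ok = $false }

# 2. The join locates a DC through the _ldap._tcp.dc._msdcs SRV record; a "DNS error" usually means this lookup fails.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    Write-Host "DC SRV record(s): $(($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')"
} catch {
    Write-Warning "SRV lookup for $Domain failed: $($_.Exception.Message)"; $ok = $false
}

# 3. Check the ports the join uses, client -> DC, over IPv4 only (the README's root cause was IPv6).
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $DcIPv4 -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ("  {0,-8} tcp/{1,-4} {2}" -f $ports[$p], $p, $state)
    if (-not $r.TcpTestSucceeded) { $ok = $false }
}

# 4. If a port shows BLOCKED, find the responsible rule instead of turning the firewall off, e.g.:
#    Get-NetFirewallRule -Enabled True -Direction Inbound | Get-NetFirewallPortFilter | Where-Object LocalPort -eq 445
if ($ok) { Write-Host "All domain-join prerequisites for $Domain look good." }
else     { Write-Host "Fix the warnings above before retrying the join." }
```

Run it from an elevated PowerShell on the client; a failure in step 1 or 2 matches the DNS error, a BLOCKED port in step 3 matches the Network Path error.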

Domain

Sysmon

  1. Downloaded Sysmon
  2. Extracted the zip file to my Desktop
  3. Opened Cmd as admin and navigated to the directory with:

```cmd
cd C:\Users\kyhomelab\desktop
cd OGSysmon
rem ran the command to install:
sysmon -i
rem to see if it is running:
sc query Sysmon
```

CrowdSec
