Deploying Threat Detection home lab (Part 1)
In this blog we will see what infrastructure is needed to deploy a multi-VM threat detection lab.
Requirements:
- Host machine (100 GB free disk space / 16 GB RAM)
- VMware or VirtualBox hypervisor
The process can be divided into 4 parts:
- Setting up VMs
- Setting up Internal network
- Deploying SIEM server (Splunk Enterprise Security)
- Connecting client machines to SIEM server and forwarding data to indexers
Setting up VMs
Download Windows 11 from https://www.microsoft.com/en-us/software-download/windows11
Install the Windows 11 VM (Refer: https://www.youtube.com/watch?v=UB8CQC_lT5U)
Download Ubuntu Desktop from https://ubuntu.com/download/desktop
Install the Ubuntu VM
Download the REMnux virtual appliance from https://remnux.org/
Install the REMnux VM
To clarify, our purpose in downloading and installing these VMs is as follows:
- Windows 11 — Client machine / Malware lab (FlareVM)
- Ubuntu Desktop — SIEM Server (Splunk)
- REMnux — Malware Lab / INETSIM
Setting up Internal Network
Take care not to use the default (NAT/bridged) network configuration: it poses a threat to the physical machine if malware tries to escape the VM environment. The lab below uses a host-only network with no route to the Internet.
To begin with:
In VMware open Edit > Virtual Network Editor
Create a new host-only VMnet (VMnet2 is used below) and save the configuration. For isolation, leave "Connect a host virtual adapter to this network" unticked so the physical host is not a member of the lab network.
After this head over to the REMnux VM
Select Settings > Network Adapter > Host-only > VMnet2
Open a terminal in REMnux and configure a static IP address
sudo nano /etc/netplan/01-netcfg.yaml
Add this configuration (replace enp0s3 with the interface name that ip link shows on your VM; on VMware it is typically ens33)
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses: [10.0.0.3/24]
      gateway4: 10.0.0.1
No lab host answers as 10.0.0.1, so REMnux has no usable route out of the subnet, which is what we want.
Apply the changes
sudo netplan apply
Move on to the next host, Ubuntu
Select VM Settings > Network Adapter > Host-only > VMnet2
Follow the same procedure with IP address 10.0.0.4/24 and gateway4: 10.0.0.3, so that anything the Splunk VM sends off-subnet goes to REMnux (INetSim) rather than the Internet
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses: [10.0.0.4/24]
      gateway4: 10.0.0.3
Move on to the Windows host
Select VM Settings > Network Adapter > Host-only > VMnet2
Search Control Panel > Network and Internet > Network and Sharing Centre > Change adapter settings
Open the adapter's IPv4 properties and add IP address 10.0.0.2 with subnet mask 255.255.255.0 (matching the /24 used on the other VMs) > Save
Ping each machine from the others to check that they can communicate; also confirm that none of the VMs can reach an address outside 10.0.0.0/24
In a nutshell
REMnux — 10.0.0.3 — malware analysis and INetSim
Ubuntu — 10.0.0.4 — Splunk server
Windows 11 — 10.0.0.2 — client machine (malware lab)
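As an added example (not part of the original post), the following Python script encodes the addressing plan above and checks it with the standard ipaddress module: that all three VMs sit in one /24, that no address is reused, and where each host's gateway actually leads. The host names, the netplan_yaml helper and the check_plan function are my own; the interface name enp0s3 is taken from the post.

```python
"""Check the host-only lab addressing plan and render netplan stanzas (added example)."""
import ipaddress

# Constructed from the plan in the post: (hostname, address/prefix, gateway or None).
# The Windows client is configured through the Control Panel, so it gets no netplan file.
LAB_PLAN = [
    ("remnux", "10.0.0.3/24", "10.0.0.1"),
    ("ubuntu-splunk", "10.0.0.4/24", "10.0.0.3"),
    ("win11", "10.0.0.2/24", None),
]


def netplan_yaml(iface, address, gateway=None):
    """Render the netplan stanza used in the post (gateway4, as the post writes it)."""
    lines = [
        "network:",
        "  version: 2",
        "  renderer: networkd",
        "  ethernets:",
        f"    {iface}:",
        "      dhcp4: no",
        f"      addresses: [{address}]",
    ]
    if gateway:
        lines.append(f"      gateway4: {gateway}")
    return "\n".join(lines) + "\n"


def check_plan(plan):
    """Return (errors, notes): errors break the lab, notes say where off-subnet traffic goes."""
    errors, notes = [], []
    networks = {ipaddress.ip_interface(addr).network for _, addr, _ in plan}
    if len(networks) != 1:
        errors.append(f"hosts are not on one subnet: {sorted(str(n) for n in networks)}")
        return errors, notes
    net = networks.pop()

    owner = {}  # address -> hostname, to catch duplicates
    for name, addr, _ in plan:
        ip = ipaddress.ip_interface(addr).ip
        if ip in owner:
            errors.append(f"{name} reuses {ip}, already assigned to {owner[ip]}")
        owner[ip] = name

    for name, _, gw in plan:
        if gw is None:
            notes.append(f"{name}: no gateway, only {net} is reachable")
            continue
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in net:
            errors.append(f"{name}: gateway {gw} is outside {net} and can never be reached")
        elif gw_ip in owner:
            notes.append(f"{name}: off-subnet traffic is routed to {owner[gw_ip]} ({gw})")
        else:
            notes.append(f"{name}: gateway {gw} is not a lab host, off-subnet traffic never leaves the VM")
    return errors, notes


if __name__ == "__main__":
    errors, notes = check_plan(LAB_PLAN)
    for line in errors + notes:
        print(line)
    for name, addr, gw in LAB_PLAN:
        if name != "win11":
            print(f"--- /etc/netplan/01-netcfg.yaml for {name}\n{netplan_yaml('enp0s3', addr, gw)}")
```

Running it reports no errors for the plan above, notes that REMnux's gateway 10.0.0.1 is not a lab host (so nothing leaves the subnet from the analysis box) and that Ubuntu's off-subnet traffic is routed to REMnux, where INetSim can answer it instead of the Internet. The rendered stanzas are the two netplan files shown earlier.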
Deploying SIEM server (Splunk Enterprise Security)
Open the Ubuntu VM
- Visit https://www.splunk.com/en_us/download.html
- Create an account, or log in if you already have one
- Download the package. The isolated lab network has no Internet route, so do this before switching the VM to VMnet2 (or temporarily attach a NAT adapter):
wget -O splunk-9.3.2-d8bb32809498-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.3.2/linux/splunk-9.3.2-d8bb32809498-linux-2.6-amd64.deb"
- Move the downloaded package into the /opt/ directory
- Install the package, either by double-clicking it or with:
sudo dpkg -i splunk-9.3.2-d8bb32809498-linux-2.6-amd64.deb
- Start Splunk for the first time and follow the prompts (admin username, password):
sudo /opt/splunk/bin/splunk start --accept-license
- Your Splunk server will be running on 127.0.0.1:8000 (reachable from the other lab VMs at http://10.0.0.4:8000)
Now we need to install the Splunk Universal Forwarder, which collects data on the client machine and forwards it to the Splunk server.
- Download the Splunk Universal Forwarder for Windows on the Windows host from Splunk's download page
- Double-click the installer
- Follow the prompts (Custom Install > Local > Skip > Skip)
- You will be asked for the address of the deployment server: enter the Splunk server, 10.0.0.4 (the installer defaults to management port 8089)
- Next, you will be asked for the address of the receiving indexer: enter 10.0.0.4 with port 9997
- After this you will be asked to select the event logs you would like to send. Select
- System
- Security
- Application
Now let's check on the server whether the client has connected: in Splunk Web go to Settings > Forwarder management and the Windows host should be listed as a client.
Next, on the Splunk server, select Settings > Forwarding and receiving > Configure receiving and add a new receiving port, 9997, since the forwarder was told to send to port 9997. Until this port is open the forwarder cannot deliver anything.
At this point you will see System, Security and Application logs being ingested into index=main.
Let's go ahead and install Sysmon
- Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip
- Extract it and install it from an elevated prompt, e.g. Sysmon64.exe -accepteula -i (append a configuration XML as the last argument if you have one)
Once installed, open inputs.conf in the Universal Forwarder's local configuration directory, C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf (create the file if it does not exist yet).
inputs.conf is the configuration file that tells the Universal Forwarder what data to collect, where to read it from and which index to send it to.
Add this stanza to inputs.conf. Note that disabled must be 0, otherwise the forwarder ignores the input, and the wineventlog index has to exist on the Splunk server first (Settings > Indexes > New Index), because events sent to an index the indexer does not know are rejected.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = true
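As an added example (not from the original post and not Splunk's own tooling), here is a small Python linter for the stanza above. It catches the two mistakes that most often leave the Sysmon search empty: the input still being disabled, and the target index not existing on the indexer. The sample file is constructed from the stanza in this post; the set of known indexes is something you would fill in from Settings > Indexes on the server, and the function names are my own.

```python
"""Lint a Splunk Universal Forwarder inputs.conf before restarting the forwarder (added example)."""
import configparser
import io

SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"

# Constructed sample: the Sysmon stanza as a reader might first write it, with the input still disabled.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=true
"""


def parse_inputs_conf(text):
    """Splunk .conf files are INI-like; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def lint_stanza(stanzas, name, known_indexes):
    """Return the problems found in one input stanza; an empty list means it will forward."""
    problems = []
    if name not in stanzas:
        return [f"[{name}] is missing"]
    s = stanzas[name]
    if s.get("disabled", "0").strip().lower() in ("1", "true"):
        problems.append("disabled = 1: the forwarder ignores this input; set disabled = 0")
    index = s.get("index")
    if index is None:
        problems.append("no index set: events go to the indexer's default index (main)")
    elif index not in known_indexes:
        problems.append(f"index '{index}' does not exist on the indexer; create it under Settings > Indexes first")
    if s.get("renderXml", "false").strip().lower() != "true":
        problems.append("renderXml is not true: Sysmon fields extract from the XML form")
    return problems


def fix_disabled(text, name):
    """Return the file with 'disabled = 0' in the named stanza, leaving everything else untouched."""
    out, in_target = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_target = stripped[1:-1] == name
        elif in_target and stripped.split("=")[0].strip() == "disabled":
            line = "disabled = 0"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for p in lint_stanza(stanzas, SYSMON_STANZA, {"main", "wineventlog"}):
        print("problem:", p)
    print(fix_disabled(SAMPLE_INPUTS_CONF, SYSMON_STANZA))
```

Run it against the file before restarting the forwarder; once it reports nothing, a search such as index=wineventlog | stats count by sourcetype, EventCode on the server is the quickest way to confirm the channel is arriving and to see which Sysmon event IDs your configuration emits.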
After this, open Services and restart the SplunkForwarder service
Refresh the Splunk search page
You will see Sysmon logs being ingested into index=wineventlog
Part 2
In the upcoming blog we will see how to install Atomic Red Team in the Windows environment, execute our first atomic test, and see what shows up in our SIEM so we can build some detection rules!