SOC Automation Lab Project 2

Souleymane Diallo

Acknowledgment: The success of this project was significantly enhanced by the guidance and resources available on the MyDFIR YouTube channel. Their detailed tutorials and expert insights played a crucial role in shaping the development of this lab.

Lab Objective:

By the end of this lab, you will have successfully set up one Windows 10 virtual machine with Sysmon installed, and deployed two cloud-based virtual machines: Wazuh (SIEM solution) and TheHive (incident response platform).

Skills Learned:

• Installing and configuring VirtualBox.

• Setting up Windows 10 virtual machine and installing Sysmon.

• Creating and securing cloud-based VMs using DigitalOcean.

• Installing and configuring Wazuh and TheHive.

  
  

Tools Used:

• VirtualBox: Virtualization software for running virtual machines.

• Windows 10 ISO: Used to create a virtual machine.

• Sysmon: System monitoring tool for event logging.

• Ubuntu 22.04: Operating system for the Wazuh and TheHive servers.

• DigitalOcean: Cloud provider for hosting Wazuh and TheHive.

  
  

Step-by-Step Instructions

Part 1: Install VirtualBox and Create a Windows 10 Virtual Machine

• Download VirtualBox:

  • Visit the official VirtualBox website.

  • Download VirtualBox version 7.1 for your host machine's operating system (e.g., Windows, Mac, Linux).

    

• Verify Download Integrity:

  • Check the SHA256 hash to verify the integrity of the VirtualBox installer.

  • Open PowerShell, navigate to your download folder, and run the command:

    
    

    Get-FileHash VirtualBox-7.1.xxx.exe -Algorithm SHA256

    
    

  • Compare the output with the hash from VirtualBox's download page.

    

    

• Install VirtualBox:

  • Double-click the installer and follow the prompts.

    

  • If prompted, install any missing dependencies (e.g., Microsoft Visual C++ Redistributable). I have provided the link below.

    

    Latest supported Visual C++ Redistributable downloads

  • Complete the installation and launch VirtualBox.

    

• Download Windows 10 ISO:

  • Navigate to Microsoft’s website and download the Media Creation Tool.

    

  • Use the tool to create a Windows 10 ISO file.

    

• Create Windows 10 Virtual Machine:

  • Open VirtualBox, click "New", and create a new VM.

    

  • Set the name (e.g., "Windows10 Test") and select the Windows 10 ISO.

    

  • Assign at least 4GB RAM, 1 CPU, and a 50GB virtual hard disk. Finish setup and power on the virtual machine.

    

• Install Windows 10:

  • Follow the on-screen instructions to install Windows 10 in the VM.

  • Choose "I don’t have a product key" if you do not have one.

    

  • Select Windows 10 Pro and proceed with the installation.

    

Part 2: Install Sysmon on Windows 10

• Download Sysmon:

  • Visit the official Sysinternals website and download Sysmon.

    Sysmon - Sysinternals

  • Extract the downloaded files.

    

• Download Sysmon Configuration:

  • Visit the and download the Sysmon config.xml file.

    
    

    sysmon-modular/sysmonconfig.xml at master · olafhartong/sysmon-modular

    
    

  • On the page, locate and click on the SysmonConfig.xml file.

    

  • Click on the Raw button to view the file content in raw format. Save the file locally (e.g., as "sysmon-config.xml").

    

• Install Sysmon & Sysmon Config file Using PowerShell:

  • Open PowerShell as Administrator.

    

  • Navigate to the Sysmon directory

    

  • Install Sysmon with the configuration file:

    
    

    .\sysmon64.exe -i .\sysmonconfig.xml

  

• Verify Sysmon Installation:

  • Check if Sysmon is running by opening Services and searching for "Sysmon".

    

    

  • Alternatively, check logs in the Event Viewer under:

    
    

    Applications and Services Logs > Microsoft > Windows > Sysmon

    
    

    

    

Part 3: Set Up Wazuh and TheHive on DigitalOcean

1. Install Wazuh Server

• Create a Droplet (Virtual Machine) for Wazuh:

  • Click on “Create” at the top right corner and select ‘Droplets’.

    

  • Choose the following specifications:

    • Region: Your preferred region (e.g., New York, Toronto)

      

    • Image: Ubuntu 22.04 LTS (Basic)

      

    • Size: 8 GB RAM, 160 GB SSD, 5TB transfer

    • CPU: Premium Intel

    • Plan: $48/month

      

  • Select Password for the authentication method and create your root password.

    

  • Change Hostname to something identifiable, e.g., ‘Wazuh’.

    

  • Click ‘Create Droplet’.

    

• Set Up a Firewall for Wazuh:

  • On the left-hand corner, go to Networking → Firewalls → Create Firewall.

    

  • Name the firewall (e.g., ‘Firewall’). By default SSH is open to the public.

    

  • Under Inbound Rules, change from SSH to All TCP and specify your public IP address as the source. (You can easily find your IP address by searching "What is my IP address" in a web browser. The result will typically appear at the top of the search results, allowing you to copy and paste it directly.)

    

  • Repeat the same step for UDP.

    

  • Click ‘Create Firewall’.

    

  • The purpose of creating a firewall and limiting access to only our IP address is to establish a security rule that restricts access to our virtual machine exclusively to us. Without this measure, our VM would be exposed to the public internet, potentially compromising its security.

• Associate the Firewall with Wazuh Droplet:

  • Go to Droplets on the left-hand side.

    

  • Select your ‘Wazuh’ droplet.

    

  • Go to Networking,

    

  • Scroll down and click on ‘Edit’ on the ‘Firewalls’ settings.

    

  • Select the firewall you created earlier, then click on the ‘Droplets’ tab and ‘Add Droplets’, search for Wazuh, and add it.

    

    

    

• Access the Wazuh VM:

  • You can access your Wazuh machine via:

    • PuTTY (for SSH)

    • Type in your Wazuh VM public IP address, and click on ‘Open’

      

    if it is your first time accessing the Wazuh VM, you will be presented with this screen, click ‘Accept’

    

    • You will be login into your Wazuh VM as root. So type in ‘root’ and enter your password.

      

    If everything was entered correctly, you should be able to login and will be presented with the following screen

    

    • Or go to Droplets, select Wazuh, and use the Launch Droplet Console option.

      

• Update and Upgrade the Wazuh VM:

  • Once connected to the machine, run the following commands to update and upgrade:

    
    

    sudo apt-get update && sudo apt-get upgrade -y

  
  

  

  • Hit enter then in the next following screens

    

• Install Wazuh:

  • Install Wazuh by running the command below:

    
    

    curl -sO <https://packages.wazuh.com/4.7/wazuh-install.sh> && sudo bash ./wazuh-install.sh -a

    
    

    

  • Keep the admin username and password provided after installation. You'll need it to log into the Wazuh dashboard.

    

• Access Wazuh Dashboard:

  • Copy the public IP address of the Wazuh server.

    

  • Open a web browser and navigate to https://<your-wazuh-public-ip>. Click on ‘Advanced’

    

  • Click on ‘Proceed to<your-wazuh-public-ip>'

    

  • Log in using the credentials provided during installation.

    

2. Install TheHive

• Create a Droplet (Virtual Machine) for TheHive:

  

  • Repeat the process to create another VM:

  

  • Image: Ubuntu 22.04 LTS

  • RAM: 8 GB (16 GB recommended)

  • HDD: 50+ GB

  • CPU: Premium Intel

  • Authentication Method: Password

  

  

  

  • Name the VM ‘thehive’.

  

  • Click ‘Create Droplet’.

  

• Set Firewall for TheHive:

  • Edit the firewall settings as you did for Wazuh.

  

  • Add ‘TheHive’ droplet to the same firewall used for Wazuh.

  

  

• SSH into TheHive VM and install required dependencies:

  • Use SSH to connect to TheHive.

    

  • Update and upgrade ‘thehive’ by running the following command:

    
    

  sudo apt-get update && sudo apt-get upgrade -y

  
  

  

  • Run the following command to install required dependencies:

    
    

    sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release

  
  

  

  • Click Enter

    

• Install Java for TheHive:

  • Run the following commands to install Java:

    
    

    wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" |  sudo tee -a /etc/apt/sources.list.d/corretto.sources.list sudo apt update sudo apt install java-common java-11-amazon-corretto-jdk echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"

• Install Cassandra for TheHive:

  wget -qO - <https://downloads.apache.org/cassandra/KEYS> | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] <https://debian.cassandra.apache.org> 40x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list sudo apt update sudo apt install cassandra

• Install Elasticsearch for TheHive:

  
  

  wget -qO - <https://artifacts.elastic.co/GPG-KEY-elasticsearch> | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg sudo apt-get install apt-transport-https echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] <https://artifacts.elastic.co/packages/7.x/apt> stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list sudo apt update sudo apt install elasticsearch

• Install TheHive:

  
  

  wget -O- <https://archives.strangebee.com/keys/strangebee.gpg> | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] <https://deb.strangebee.com> thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list sudo apt-get update sudo apt-get install -y thehive

Conclusion

By following the above steps, you have successfully installed and configured Wazuh and TheHive on virtual machines, set up firewalls, and secured access via SSH. (See Part 3 to continue).