Part 1 - Setting Up the Environment
This lab is designed for SOC analysts. It reproduces a realistic attack-and-detection scenario using LimaCharlie (EDR), Sysmon, and the Sliver C2 framework (sliver-server).
Prerequisites
A computer with at least 8GB RAM
VMware Workstation Pro
Windows 10 VM
Ubuntu Server 22.04.1 ISO (Server version is required, not Desktop)
Step 1: Install Ubuntu Server VM
Download the Ubuntu Server 22.04.1 ISO.
Create a new VM in VMware with the following specs:
Installer image: Ubuntu ISO
Disk size: 20GB
CPU: 2 cores
RAM: 2GB
During installation:
Use default settings unless otherwise stated.
Enable OpenSSH server.
Set a static IP for the Linux VM. A static IP keeps the VM's address fixed, so the SSH sessions and the C2 callbacks pointed at this VM later in the lab don't break after a reboot.
Find the NAT network’s gateway IP in VMware:
Click Edit in VMware Workstation.
Open Virtual Network Editor.
Select the NAT network and click NAT Settings.
Copy the Subnet IP & Gateway IP.
Assign an IP within the subnet.
Example:
Address:
192.168.64.100/24
Gateway:
192.168.64.2
Set login credentials:
Your name:
user
Server name:
attack
Username:
user
Password:
password (lab-only credentials; keep this VM on the VMware NAT network and never expose it to an untrusted network)
Complete installation:
Reboot when prompted.
If it hangs on "removing the CDROM," press Enter.
Test network connectivity: ping -c 2 google.com
If replies come back, networking is working.
Step 2: Set Up Windows 10 Machine
Power on the Windows VM for the first time after installing.
It will log you in automatically as user.
Wait for the desktop to appear.
Disable Microsoft Defender Permanently
Disable Tamper Protection
Open Windows Security → Virus & threat protection → Manage settings
Turn OFF Tamper Protection first, then all other options (Real-time protection, Cloud-delivered protection, and so on). Tamper Protection must be off before the policy and registry changes below, or Defender will silently revert them.
Disable Defender via Group Policy
Open Command Prompt (Admin) and run:
gpedit.msc
Navigate to
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
Enable Turn off Microsoft Defender Antivirus. (gpedit.msc is only available on Windows 10 Pro/Enterprise; on Home, skip to the registry step, which sets the same policy value.)
Disable Defender via Registry
Open Command Prompt (Admin) and run:
REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Note: on current Windows 10 builds this value by itself is ignored (Microsoft discontinued it in the August 2020 Defender platform update), which is why the Safe Mode service step below is also required.
Disable Defender Services in Safe Mode
Defender's services and drivers are protected while it is running, so they can only be disabled from Safe Mode.
Open msconfig, go to the Boot tab, check Safe Boot, and restart.
Open Registry Editor (regedit) and set the Start value to 4 (Disabled) under each of these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter
Open msconfig, uncheck Safe Boot, and restart.
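As an added check (not part of the original guide), the PowerShell script below, run from an elevated prompt after the final reboot, confirms that each change above actually took: the six service Start values, the policy registry value, and the live engine state as reported by Get-MpComputerStatus. The service names and registry paths are exactly the ones used in the steps above; nothing else is assumed.

```powershell
# Added verification script (not from the original guide). Run in an
# elevated PowerShell after the final reboot to confirm Defender is off.
$services   = 'Sense', 'WdBoot', 'WinDefend', 'WdNisDrv', 'WdNisSvc', 'WdFilter'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

Write-Host "== Service start types (expect Start=4 / Disabled) =="
foreach ($svc in $services) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $label = if ($null -eq $start) { 'missing' } else { $startNames[[int]$start] }
    $flag  = if ($start -eq 4) { 'OK  ' } else { '!!  ' }
    Write-Host ("{0}{1,-10} Start={2} ({3})" -f $flag, $svc, $start, $label)
}

Write-Host "`n== Policy value set by the REG ADD / gpedit step =="
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($pol.DisableAntiSpyware -eq 1) { Write-Host 'OK  DisableAntiSpyware = 1' }
else                               { Write-Host '!!  DisableAntiSpyware is not set' }

Write-Host "`n== Live engine state =="
try {
    $s = Get-MpComputerStatus -ErrorAction Stop
    $s | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected |
        Format-List
    if ($s.AMServiceEnabled -or $s.RealTimeProtectionEnabled) {
        Write-Warning 'Defender still reports itself enabled; repeat the Safe Mode service step.'
    }
} catch {
    # With WinDefend disabled the Defender WMI provider is unavailable, so the
    # cmdlet failing is itself consistent with the engine being off.
    Write-Host "Get-MpComputerStatus failed ($($_.Exception.Message)); engine appears to be off."
}
```

If any service still shows a Start value other than 4, Tamper Protection was most likely re-enabled before the Safe Mode step; turn it off again and repeat that step.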
Prevent Standby Mode in the VM
Standby interrupts monitoring, drops the sensor's connection to LimaCharlie, and can cause activity to be missed, so disable every power timeout.
Open Command Prompt (Admin) and run:
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change monitor-timeout-ac 0
powercfg /change monitor-timeout-dc 0
powercfg /change hibernate-timeout-ac 0
powercfg /change hibernate-timeout-dc 0
Install Sysmon on Windows VM
Why install Sysmon? Sysmon records detailed system activity (process creation, network connections, file and registry changes) to the Windows event log, which is essential for security analysis. LimaCharlie collects its own EDR telemetry without it, but the Sysmon-to-LimaCharlie integration step later in this part depends on it.
Step 1: Open PowerShell as Administrator
Press Win + X, then click Windows PowerShell (Admin) to launch an elevated PowerShell session.
Step 2: Download Sysmon
Run the following command to download Sysmon from the official Microsoft Sysinternals site:
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip
Step 3: Extract Sysmon
After downloading, extract the Sysmon package using:
Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon
Step 4: Download Sysmon Configuration File (Optional)
For better event logging, use a pre-configured Sysmon ruleset from SwiftOnSecurity:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml
Step 5: Install Sysmon
Install with Custom Configuration (Recommended)
C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml
Install Without Configuration
C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i
Step 6: Verify Installation
Check if Sysmon Service is Running
Get-Service sysmon64
If Sysmon is running, you will see its status as Running.
Check Sysmon Event Logs
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10
If logs appear, Sysmon is successfully installed and working.
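Seeing ten events proves the log exists, not that the ruleset captures what you care about. The following added PowerShell check (not from the original guide) generates a process-creation event carrying a unique marker on its command line, finds it as Sysmon Event ID 1, and then summarises which event IDs the loaded configuration has produced so far. It assumes the default service name (Sysmon64) and driver name (SysmonDrv) that the install command above creates.

```powershell
# Added end-to-end Sysmon check (not from the original guide). Run elevated.
$log = 'Microsoft-Windows-Sysmon/Operational'

# 1. Service and driver state (default names from the install above).
Get-Service -Name Sysmon64 | Format-Table Name, Status -AutoSize
sc.exe query SysmonDrv | Select-String -Pattern 'STATE'

# 2. Generate a process-creation event whose command line we can search for.
$marker = 'sysmon-check-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$since  = (Get-Date).AddSeconds(-5)
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
              -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2

# 3. Find the matching Event ID 1 (ProcessCreate) and pull its fields.
$hit = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match [regex]::Escape($marker) } |
       Select-Object -First 1

if ($hit) {
    $xml  = [xml]$hit.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    "OK  ProcessCreate captured: Image={0} PID={1} ParentImage={2}" -f `
        $data.Image, $data.ProcessId, $data.ParentImage
} else {
    Write-Warning "No ProcessCreate event found for marker '$marker'. Check that the service is Running and that the loaded config does not exclude cmd.exe."
}

# 4. Which event IDs has the ruleset produced so far? A config-driven install
#    should show more than ID 1 (e.g. 3 network, 11 file create, 13 registry).
Get-WinEvent -FilterHashtable @{ LogName = $log } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object { [int]$_.Name } |
    Format-Table @{ n = 'EventId'; e = { $_.Name } }, Count -AutoSize
```

Keep the marker value from a run: once Sysmon logs are flowing into LimaCharlie (Step 4 of the LimaCharlie section), searching for it there confirms the full path from endpoint to platform.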
Install LimaCharlie EDR on Windows VM
LimaCharlie is a powerful SecOps Cloud Platform that provides cross-platform EDR, log shipping, and a threat detection engine. It offers a free tier for up to two systems, making it perfect for this guide.
Step 1: Create a LimaCharlie Account
Sign up for a free LimaCharlie account.
Answer the role-related questions (optional, helps improve their service).
After logging in, create an organization:
Name: Any unique name
Data Residency: Choose the nearest location
Demo Configuration Enabled: Disabled
Template: Extended Detection & Response Standard
Step 2: Add a Sensor

Click Add Sensor.
Select Windows.
Provide a description (e.g., Windows VM - Lab).
Click Create.
Select the Installation Key.
Choose the x86-64 (.exe) sensor (ignore LC’s instructions and follow these instead).
Step 3: Install LimaCharlie Agent on Windows VM
Open an Administrative PowerShell prompt in your Windows VM.
Run the following commands:
cd "$env:USERPROFILE\Downloads"
Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -OutFile "$env:USERPROFILE\Downloads\lc_sensor.exe"
Switch to Command Prompt:
cmd.exe
Copy and paste the installation command from LimaCharlie. It contains your installation key; treat that key as a secret, since anyone holding it can enrol sensors into your organization.
Press Enter to install the agent.
Note: If the EXE fails, try installing the x86-64 MSI version.
Check if the sensor appears in the LimaCharlie web UI.
Step 4: Integrate Sysmon Logs to LimaCharlie
In LimaCharlie, navigate to Artifact Collection.
Click Add Rule.
Configure the rule:
Name:
windows-sysmon-logs
Platforms: Windows
Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*
Retention Period: 10
Click Save Rule.
LimaCharlie will now collect Sysmon logs, providing detailed telemetry alongside its EDR data.
Step 5: Snapshot Your Windows VM
Before proceeding, create a snapshot of your Windows VM. This ensures you can revert to a clean state if needed.
You're now ready to move on to setting up the attack system on the Linux VM.
Setting Up the Attack System
We will run Sliver, an open-source command-and-control (C2) framework used in adversary emulation and penetration testing. We'll install it by connecting to the Ubuntu VM over SSH from your main computer.
What You Need
An Ubuntu VM with a fixed IP address.
An SSH client (Windows CMD, PowerShell, Linux Terminal, or PuTTY).
An Internet connection to download Sliver.
Connect to Ubuntu VM
Open a command prompt or terminal on your computer.
Type the following command, replacing [Linux_VM_IP] with your VM's actual IP:
ssh user@[Linux_VM_IP]
Press Enter and log in.
Get Admin Access
To avoid permission issues, switch to the root user:
sudo su
Install Sliver C2 Server
Run these commands one by one. The download is pinned to a specific release; before running a binary that will operate your C2, check the release page for the accompanying signature or checksum and verify the file against it.
# Download Sliver (pinned release)
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
# Make Sliver executable
chmod +x /usr/local/bin/sliver-server
# Install the MinGW cross-compiler that Sliver uses to build Windows implants
apt update && apt install -y mingw-w64
Create a Sliver Folder
To keep things organized, create a folder for Sliver:
mkdir -p /opt/sliver
What’s Next?
Sliver is now installed! In the next steps, we’ll deploy a C2 payload on a Windows VM and use Sysmon and LimaCharlie to monitor its activity.