
Part 1 - Setting Up the Environment

Designed for SOC analysts, this lab simulates real-world cybersecurity scenarios using LimaCharlie, Sysmon and a C2 framework (sliver-server).


Prerequisites

  • A computer with at least 8GB RAM

  • VMware Workstation Pro

  • Windows 10 VM

  • Ubuntu Server 22.04.1 ISO (Server version is required, not Desktop)

Step 1: Install Ubuntu Server VM

  1. Download the Ubuntu Server 22.04.1 ISO.

  2. Create a new VM in VMware with the following specs:

    • Installer image: Ubuntu ISO

    • Disk size: 20GB

    • CPU: 2 cores

    • RAM: 2GB

  3. During installation:

    • Use default settings unless otherwise stated.

    • Enable OpenSSH server.

  4. Set a static IP for the Linux VM: A static IP keeps the Linux VM’s address the same, so tools and connections don’t break after a reboot.

    • Find the NAT network’s gateway IP in VMware:

      • Click Edit in VMware Workstation.

      • Open Virtual Network Editor.

      • Select the NAT network and click NAT Settings.

      • Copy the Subnet IP & Gateway IP.

    • Assign an IP within the subnet.

    • Example:

      • Address: 192.168.64.100/24

      • Gateway: 192.168.64.2

  5. Set login credentials:

    • Your name: user

    • Server name: attack

    • Username: user

    • Password: password

  6. Complete installation:

    • Reboot when prompted.

    • If it hangs on "removing the CDROM," press Enter.

  7. Test network connectivity:

      ping -c 2 google.com
    • If responses return successfully, your setup is working.
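The static-IP assignment in step 4 can also be done after installation through netplan. The script below is an added example, not part of the original guide: it checks that the chosen address and gateway really share the subnet copied from the NAT settings (a mismatch is the usual reason SSH to the VM stops working after a reboot) and only then emits the netplan YAML. The interface name ens33, the file name /etc/netplan/00-installer-config.yaml and the use of the NAT gateway as DNS server are assumptions, not values from the page; the address 192.168.64.100/24 and gateway 192.168.64.2 are the page's example values.

```shell
#!/bin/sh
# Added example, not from the original page: build and sanity-check the netplan
# static-IP configuration for the Ubuntu attack VM (step 4 above).
# Assumptions: the VM's NIC is named ens33 (override with NIC=...), and the
# VMware NAT gateway also answers DNS, so it doubles as the nameserver.

# Dotted-quad IPv4 -> 32-bit integer; fails unless there are exactly four octets in 0..255.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Check that ADDR/PREFIX is a usable host address and that GATEWAY lies inside
# the same subnet; prints the reason and returns 1 otherwise.
validate_static_ip() {
    cidr=$1 gw=$2
    addr=${cidr%/*}; prefix=${cidr#*/}
    case $prefix in ''|*[!0-9]*) echo "bad CIDR: $cidr" >&2; return 1 ;; esac
    if [ "$prefix" -lt 1 ] || [ "$prefix" -gt 30 ]; then
        echo "bad prefix length in $cidr" >&2; return 1
    fi
    a=$(ip_to_int "$addr") || { echo "bad address: $addr" >&2; return 1; }
    g=$(ip_to_int "$gw")   || { echo "bad gateway: $gw" >&2; return 1; }
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( a & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    if [ $(( g & mask )) -ne "$net" ]; then
        echo "gateway $gw is not inside $cidr" >&2; return 1
    fi
    if [ "$a" -eq "$net" ] || [ "$a" -eq "$bcast" ]; then
        echo "$addr is the network or broadcast address of $cidr" >&2; return 1
    fi
    if [ "$a" -eq "$g" ]; then
        echo "$addr collides with the gateway" >&2; return 1
    fi
    return 0
}

# Emit the netplan YAML for a validated address/gateway pair.
netplan_config() {
    cat <<EOF
network:
  version: 2
  ethernets:
    ${NIC:-ens33}:
      dhcp4: false
      addresses: [$1]
      routes:
        - to: default
          via: $2
      nameservers:
        addresses: [$2]
EOF
}

ADDR=${ADDR:-192.168.64.100/24}
GW=${GW:-192.168.64.2}
if validate_static_ip "$ADDR" "$GW"; then
    # Redirect this output into /etc/netplan/00-installer-config.yaml (the
    # installer's default file name, an assumption) and run 'sudo netplan apply'.
    netplan_config "$ADDR" "$GW"
fi
```

Run it with `ADDR=... GW=...` set to the values copied from the Virtual Network Editor; it prints the YAML only when the pair passes the checks, so a typo such as a gateway from the wrong subnet is caught before the VM loses its network.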

Step 2: Set Up Windows 10 Machine

  1. Power on the Windows VM for the first time after installing.

  2. It will log you in automatically as user.

  3. Wait for the desktop to appear.

Disable Microsoft Defender Permanently

  1. Disable Tamper Protection

    • Open Windows Security → Virus & threat protection → Manage settings

  2. Disable Defender via Group Policy

    • Open Command Prompt (Admin) and run:

      gpedit.msc
    • Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

    • Enable Turn off Microsoft Defender Antivirus.

  3. Disable Defender via Registry

    • Open Command Prompt (Admin) and run:

      REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  4. Disable Defender Services in Safe Mode

    • Open Registry Editor (regedit) and set Start values to 4 for:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter
    • Open msconfig, uncheck Safe Boot, and restart.

  5. Prevent Standby Mode in the VM

    • Standby mode can interrupt monitoring, drop connections, and cause suspicious activity to be missed. Stay sharp.

      • Open Command Prompt (Admin) and run:

        powercfg /change standby-timeout-ac 0
        powercfg /change standby-timeout-dc 0
        powercfg /change monitor-timeout-ac 0
        powercfg /change monitor-timeout-dc 0
        powercfg /change hibernate-timeout-ac 0
        powercfg /change hibernate-timeout-dc 0

Install Sysmon on Windows VM

Why install Sysmon? Sysmon is a powerful tool for monitoring system activity, essential for security analysis. While not mandatory for this guide, it provides deep visibility into Windows events.

Step 1: Open PowerShell as Administrator

Press Win + X, then click Windows PowerShell (Admin) to launch an elevated PowerShell session.

Step 2: Download Sysmon

Run the following command to download Sysmon from the official Microsoft Sysinternals site:

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip

Step 3: Extract Sysmon

After downloading, extract the Sysmon package using:

Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon

Step 4: Download Sysmon Configuration File (Optional)

For better event logging, use a pre-configured Sysmon ruleset from SwiftOnSecurity:

Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml

Step 5: Install Sysmon

Install with Custom Configuration (Recommended)

C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml

Install Without Configuration

C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i

Step 6: Verify Installation

Check if Sysmon Service is Running

Get-Service sysmon64

If Sysmon is running, you will see its status as Running.

Check Sysmon Event Logs

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10

If logs appear, Sysmon is successfully installed and working!

Install LimaCharlie EDR on Windows VM

LimaCharlie is a powerful SecOps Cloud Platform that provides cross-platform EDR, log shipping, and a threat detection engine. It offers a free tier for up to two systems, making it perfect for this guide.

Step 1: Create a LimaCharlie Account

  1. Sign up for a free LimaCharlie account.

  2. Answer the role-related questions (optional, helps improve their service).

  3. After logging in, create an organization:

    • Name: Any unique name

    • Data Residency: Choose the nearest location

    • Demo Configuration Enabled: Disabled

    • Template: Extended Detection & Response Standard

Step 2: Add a Sensor

  1. Click Add Sensor.

  2. Select Windows.

  3. Provide a description (e.g., Windows VM - Lab).

  4. Click Create.

  5. Select the Installation Key.

Step 3: Install LimaCharlie Agent on Windows VM

  1. Open an Administrative PowerShell prompt in your Windows VM.

  2. Run the following commands:

    cd "$env:USERPROFILE\Downloads"
    Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -OutFile "$env:USERPROFILE\Downloads\lc_sensor.exe"
  3. Switch to Command Prompt:

    cmd.exe
  4. Copy and paste the installation command from LimaCharlie (contains your key).

  5. Press Enter to install the agent.

    Note: If the EXE fails, try installing the x86-64 MSI version.

Step 4: Integrate Sysmon Logs to LimaCharlie

  1. In LimaCharlie, navigate to Artifact Collection.

  2. Click Add Rule.

  3. Configure the rule:

    • Name: windows-sysmon-logs

    • Platforms: Windows

    • Path Pattern: wel://Microsoft-Windows-Sysmon/Operational:*

    • Retention Period: 10

  4. Click Save Rule.

LimaCharlie will now collect Sysmon logs, providing detailed telemetry alongside its EDR data.

Step 5: Snapshot Your Windows VM

Before proceeding, create a snapshot of your Windows VM. This ensures you can revert to a clean state if needed.

You're now ready to move on to setting up the Linux VM!

Setting Up the Attack System

We will run Sliver, an open-source command-and-control (C2) framework used for adversary emulation and penetration testing. We’ll do this by connecting to the Ubuntu VM over SSH from your main computer.

What You Need

  • An Ubuntu VM with a fixed IP address.

  • An SSH client (Windows CMD, PowerShell, Linux Terminal, or PuTTY).

  • An Internet connection to download Sliver.

Connect to Ubuntu VM

  1. Open a command prompt or terminal on your computer.

  2. Type the following command, replacing [Linux_VM_IP] with your VM’s actual IP:

    ssh user@[Linux_VM_IP]
  3. Press Enter and log in.

Get Admin Access

To avoid permission issues, switch to the root user:

sudo su

Install Sliver C2 Server

Run these commands one by one:

# Download Sliver
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server

# Make Sliver executable
chmod +x /usr/local/bin/sliver-server

# Install extra tools for Sliver (mingw-w64 is used to cross-compile Windows implants)
apt install -y mingw-w64
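A bare wget followed by chmod +x trusts whatever came back over the network. As an added example (not from the page or from the Sliver project), the script below wraps the same download into a function that compares the file's SHA-256 with an expected value and confirms the file is an ELF binary before installing it to /usr/local/bin/sliver-server. EXPECTED_SHA256 is a placeholder to fill in from the release's published checksums or from a digest computed on a trusted copy; the URL and destination path are the ones the page uses.

```shell
#!/bin/sh
# Added example, not part of the original page or of the Sliver project: install
# the Sliver server binary with integrity checks instead of a bare wget + chmod.
# EXPECTED_SHA256 is a placeholder; paste the real digest before running.
SLIVER_URL=https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux
SLIVER_DEST=/usr/local/bin/sliver-server
EXPECTED_SHA256="<sha256 of sliver-server_linux for v1.5.34>"

# Hex SHA-256 of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Succeeds only when the file's digest equals the expected one.
verify_sha256() { [ "$(sha256_of "$1")" = "$2" ]; }

# Succeeds only when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() { [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]; }

# Download to a temp file, verify it, then install it with mode 0755.
install_sliver() {
    url=$1 expected=$2 dest=$3
    tmp=$(mktemp) || return 1
    if ! wget -q "$url" -O "$tmp"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch: got $(sha256_of "$tmp")" >&2; rm -f "$tmp"; return 1
    fi
    if ! is_elf "$tmp"; then
        echo "downloaded file is not an ELF binary" >&2; rm -f "$tmp"; return 1
    fi
    install -m 0755 "$tmp" "$dest" && rm -f "$tmp" && echo "installed $dest"
}

# Usage (as root, after filling in EXPECTED_SHA256): sh install_sliver.sh install
if [ "${1:-}" = "install" ]; then
    install_sliver "$SLIVER_URL" "$EXPECTED_SHA256" "$SLIVER_DEST"
fi
```

The temp file is discarded on any failed check, so a truncated or tampered download never lands in /usr/local/bin; `install -m 0755` replaces the separate chmod step from the commands above.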

Create a Sliver Folder

To keep things organized, create a folder for Sliver:

mkdir -p /opt/sliver

What’s Next?

Sliver is now installed! In the next steps, we’ll deploy a C2 payload on a Windows VM and use Sysmon and LimaCharlie to monitor its activity.

Notes (these hints belong to the steps above):

  • Disable Microsoft Defender, step 1: turn OFF Tamper Protection and all other security options.

  • Disable Microsoft Defender, step 4: before editing the service Start values, open msconfig, go to the Boot tab, check Safe Boot, and restart; after the edits, uncheck Safe Boot and restart again.

  • LimaCharlie, Step 2: choose the x86-64 (.exe) sensor (ignore LC’s instructions and follow these instead).

  • LimaCharlie, Step 3: after installing, check that the sensor appears in the LimaCharlie web UI.