1. Preface

This document is a manual for building a malware lab environment. The lab was built for a research project comparing the detection capabilities of a NIDS and a HIDS. The aim of the research was to advise small and medium-sized enterprises whether network detection (NIDS) is sufficient to detect a malware infection in an enterprise network, or whether end-point detection (HIDS) is necessary. The results of the research can be found here.

The manual is divided into the following parts:

  • Installation & Configuration of:

    • VMware Workstation Pro

    • PFSense

    • Windows 10 VM (Victim Machine)

    • HIDS (Ubuntu Server 18 with Wazuh)

    • NIDS (Ubuntu Server 18 with Snort & Suricata)

  • Last configuration to combine these VM’s

The design of the malware lab:

Malware Lab Infrastructure
Figure 1. Malware Lab Infrastructure

During the research Wazuh was enriched with Sigma rules; the converted Wazuh rules can be found in the sigWah repository.


Author: Sander Wiebing

2. Installation & Configuration

2.1. VMware Workstation Pro

In this manual we will use VMware Workstation Pro as the virtualization software. The Pro version is not free but a trial of 30 days is available.

2.1.1. Installation

Download the latest version here, we are using version 15.5.2. Run the installer and complete the installation, no additional settings are required during the installation.

2.1.2. Virtual Networks

The Malware Lab uses 4 virtual networks. By default VMware has 3 virtual networks:

  1. VMnet0 - Bridged network

  2. VMnet1 - Host only network

  3. VMnet8 - NAT adapter

Open VMware Workstation Pro and go to Edit > Virtual Network Editor, the default networks should be visible.

Note
On Windows, click 'Change Settings' (requires administrator rights) to make VMnet0 and the other settings editable.

Follow the steps below to setup the virtual networks:

  1. Select VMnet1

    • Uncheck 'Use local DHCP service to distribute IP address to VMs'

  2. Press 'Add Network' > VMnet2 > OK

  3. Select VMnet2

    • Uncheck 'Connect a host virtual adapter to this network'

    • Uncheck 'Use local DHCP service to distribute IP address to VMs'

  4. Press 'Add Network' > VMnet3 > OK

  5. Select VMnet3

    • Uncheck 'Connect a host virtual adapter to this network'

    • Uncheck 'Use local DHCP service to distribute IP address to VMs'

VMnet1 keeps its host virtual adapter because the host uses it (as 172.16.1.2, see 2.2.2) to reach the pfSense web interface. VMnet2 and VMnet3 get neither a host adapter nor VMware's DHCP, so the victim network has no direct path to the host and all addressing on it is done by pfSense.

After the setup the Virtual Network Editor should look like this:

Virtual Network Editor
Figure 2. Virtual Network Editor

2.2. pfSense

pfSense will be used as the firewall of the malware lab. The latest ISO file can be downloaded here: select the AMD64 architecture and the 'CD Image (ISO) Installer'. This manual uses version 2.4.4-p3.

2.2.1. Installation pfSense

After the download has completed, decompress the .iso.gz file and follow the steps below:

  1. In VMware Workstation Pro click on File > New Virtual Machine

  2. Select Typical > Next

  3. Browse to the just downloaded pfSense ISO > Next

  4. Give the VM a name, enter 'pfSense' > Next

  5. Set the maximum disk size to 5 GB

  6. Select 'Store virtual disk size as a single file' > next

  7. Click 'Customize hardware'

    1. Set the amount of memory to 512 MB

    2. Click on 'Network Adapter'

      • Select 'Connect at power on'

      • Select 'Bridged: Connected to the physical network'

    3. Click 'Add…​'

      • Select 'Network Adapter' > Next

      • Select Custom > VMnet1 (Host-only)

      • Check 'Connect at power on'

      • Press finish

    4. Click 'Add…​'

      • Select 'Network Adapter' > Next

      • Select Custom > VMnet2

      • Check 'Connect at power on'

      • Press finish

    5. Select 'USB controller' > Click 'Remove'

    6. Select 'Sound Card' > Click 'Remove'
      The hardware configuration should look like this:

      Hardware Configuration pfSense
      Figure 3. Hardware Configuration pfSense
    7. Click 'Close'

  8. Click 'Finish'

2.2.2. Adapter Settings host machine

Some network adapter settings are required on the Windows host machine. Follow the steps below:

  1. Open Network and Sharing Center (Control Panel\Network and Internet\Network and Sharing Center)

  2. Click 'Change adapter Settings'

  3. Right click 'VMware Network Adapter VMnet1' > select Properties

  4. Uncheck all items except:

    • QoS Packet Scheduler

    • Internet Protocol Version 4 (TCP/IPv4)

  5. Select 'Internet Protocol Version 4 (TCP/IPv4)' and click 'Properties'

    1. Fill in the following properties:

      • IP address: 172.16.1.2

      • Subnet mask: 255.255.255.0

      • Default gateway: <empty>

    2. The properties should look like this:

      Windows Adapter Settings VMnet1
      Figure 4. Windows Adapter Settings VMnet1
    3. Click 'Advanced' > select the 'WINS' tab

      • Disable 'NetBIOS over TCP/IP':

        Windows Advanced Adapter Settings VMnet1
        Figure 5. Windows Advanced Adapter Settings VMnet1
  6. To finish, click 3 times 'OK'

2.2.3. Setup pfSense

The pfSense VM is now ready to be started and configured. Follow the steps below:

  1. In VMware Workstation Pro select the pfSense VM and press 'Start up this guest operating system'

  2. Read the Copyright and distribution notice and select Accept > press enter

  3. Select 'Install pfSense ' > press enter

  4. Select the right keymap > press enter

  5. Select 'Guided disk setup' > press enter

  6. After the install is completed, select 'No' for the manual configuration option > press enter

  7. Select reboot > press Enter

  8. After the reboot, power off the machine

  9. Select pfSense VM > right click > 'Settings'

  10. Select CD/DVD (IDE) > Click 'Remove'

  11. Select Network adapter > Press advanced

    1. Document the MAC address

    2. Repeat this step for Network adapter 2 and 3
      MAC addresses in our case:

      • Network Adapter (VMnet0): 00:0C:29:2E:BC:73

      • Network Adapter 2 (VMnet1): 00:0C:29:2E:BC:7D

      • Network Adapter 3 (VMnet2): 00:0C:29:2E:BC:87

Network Configuration PfSense
  1. Start the pfSense VM

  2. Select option 1, 'Assign Interfaces'

    1. Enter 'n' for the question 'Should VLANs be set up now?'

    2. Check using the documented MAC-address which adapter is which VMnet

    3. Assign the WAN interface to the Network Adapter (VMnet0), in our case em0

    4. Assign the LAN interface to the Network Adapter 2 (VMnet1), in our case em1

    5. Assign the Optional 1 interface to the Network Adapter 3 (VMnet2), in our case em2

    6. Enter 'y'

  3. Select option 2, 'Set interface(s) IP address'

    1. Enter 1 (WAN)

    2. The WAN adapter is bridged to the physical network, so let it obtain its address from that network's DHCP server:

      Configure IPv4 address WAN interface via DHCP? y
      Configure IPv6 address WAN interface via DHCP6? n
      Enter the new WAN IPv6 address: <empty>
      Do you want to revert to HTTP as the webConfigurator protocol? n

    3. Press enter

  4. Select again option 2, 'Set interface(s) IP address'

    1. Enter 2 (LAN)

    2. Fill out the following settings:

      LAN IP: 172.16.1.1
      LAN Subnet bit count: 24
      LAN upstream gateway address: <empty>
      LAN IPv6 address: <empty>
      Do you want to enable the DHCP server on LAN? y
      LAN DHCP start address: 172.16.1.10
      LAN DHCP end address: 172.16.1.254
      Do you want to revert to HTTP as the webConfigurator protocol? n

    3. Press enter

  5. Select for the last time option 2, 'Set interface(s) IP address'

    1. Enter 3 (OPT1)

    2. Fill out the following settings:

      LAN IP: 172.16.2.1
      LAN Subnet bit count: 24
      LAN upstream gateway address: <empty>
      LAN IPv6 address: <empty>
      Do you want to enable the DHCP server on LAN? y
      LAN DHCP start address: 172.16.2.10
      LAN DHCP end address: 172.16.2.254
      Do you want to revert to HTTP as the webConfigurator protocol? n

    3. Press enter

  6. The pfSense menu should now look something like this:

    pfSense Menu
    Figure 6. pfSense Menu

Note
Don't forget to take snapshots at several points during the installation process.

pfSense web configurator setup

Open on the host machine a web browser and navigate to https://172.16.1.1 (the LAN interface). Log in with the default credentials admin/pfsense and follow the steps below:

  1. In the 'pfSense Setup' click 2 times 'next'

  2. Fill out the following settings:

    1. Primary DNS Server 8.8.8.8

    2. Secondary DNS server 8.8.4.4

  3. Click 'next'

  4. Uncheck the following options (the lab's WAN is bridged onto a private network; with these options enabled pfSense would block traffic from that network on the WAN interface):

    1. Block private networks from entering via WAN

    2. Block non-Internet routed networks from entering via WAN

  5. Click 'next'

  6. Set a admin password

  7. Finish the setup

  8. On the top bar, go to Firewall > rules

  9. Select 'LAN' and click the 'add' button with the arrow facing up

    1. Fill out the follow settings:

      Action: Pass
      Disabled: <unchecked>
      Interface: LAN
      Address Family: IPv4
      Protocol: TCP
      Source: <uncheck invert match> - Single host or alias - 172.16.1.2
      Destination: <uncheck invert match> - Single host or alias - 172.16.1.1
      Destination port range: From HTTPS(443) - To HTTPS(443)
      Log: <uncheck>
      Description: pfsense strict anti-lockout

    2. Click 'save'

      Note
      This rule allows only the host machine (172.16.1.2) to reach the pfSense web interface over HTTPS. It replaces the default anti-lockout rule, which is disabled in step 16.
  10. Select 'OPT1' and click the 'add' button with the arrow facing up

    1. Fill out the follow settings:

      Action: Pass
      Disabled: <unchecked>
      Interface: OPT1
      Address Family: IPv4
      Protocol: Any
      Source: <uncheck invert match> - OPT1 net
      Destination: <uncheck invert match> - Any
      Log: <uncheck>
      Description: Default allow OPT1 to any rule

    2. Click 'save'

  11. Still in 'OPT1', click again the 'add' button with the arrow facing up

    1. Fill out the follow settings:

      Action: Pass
      Disabled: <unchecked>
      Interface: OPT1
      Address Family: IPv6
      Protocol: Any
      Source: <uncheck invert match> - OPT1 net
      Destination: <uncheck invert match> - Any
      Log: <uncheck>
      Description: Default allow OPT1 to any rule

    2. Click 'save'

  12. Click 'Apply Changes'

    Note
    These two rules give OPT1 (the victim network) internet access. Be aware that 'any' also covers the LAN (172.16.1.0/24): the victim must be able to reach the Wazuh manager at 172.16.1.3, but with these rules it can equally reach the NIDS, the pfSense web interface and the host adapter at 172.16.1.2. The RFC1918 alias created below is the natural building block if you want to restrict the victim's access to the lab networks to what the agent needs.
  13. Navigate to Firewall > Aliases

  14. Select 'IP' and click on 'Add'

    1. Fill out the follow settings in 'Properties':

      Name: RFC1918
      Description: An alias for all RFC 1918 networks
      Type: Network(s)

    2. Press 2 times on 'Add network' and set the network settings to:

      1. Address: 10.0.0.0/8 Description: 10.x.x.x RFC 1918 networks

      2. Address: 172.16.0.0/12 Description: 172.16.x.x RFC 1918 networks

      3. Address: 192.168.0.0/16 Description: 192.168.x.x RFC 1918 networks

    3. Click 'Save'

  15. Click 'Apply Changes'

  16. Navigate to System > Advanced

    1. Enable the option 'Disable webConfigurator anti-lockout rule'

Warning
Disable the default anti-lockout rule only after the strict rule from step 9 has been saved and applied; without it you lock yourself out of the webConfigurator.

2.3. Victim Machine (Windows 10)

The victim machine runs Windows 10. Ready-made virtual machines can be downloaded for free from this site, but they come with VMware Tools installed, and VMware Tools is easily detected by malware. We therefore install from a plain Windows 10 ISO. Such an ISO can be created with the Media Creation Tool, which can be downloaded here.

2.3.1. Installation Victim

After the Windows 10 ISO file is ready, follow the steps below:

  1. In VMware Workstation Pro click on File > New Virtual Machine

  2. Select Typical > Next

  3. Browse to the created Windows 10 ISO > Next

  4. Give the VM a name, enter 'Victim_Windows10' > Next

  5. Set the maximum disk size to 100 GB

  6. Select 'Store virtual disk size as a single file' > next

  7. Click 'Customize hardware'

    1. Set the amount of memory to 2048 MB

    2. Set number of processors to 2

    3. Set number of cores per processor to 2

    4. Click on 'Network Adapter'

      • Select 'Connect at power on'

      • Select Custom > VMnet2

      • Click 'Advanced…' and set the MAC address to E4:70:B8:23:CF:E0 (VMware's default OUI 00:0C:29 identifies the guest as a VM at a glance)

    5. Press Close

  8. Press Finish

  9. Log in to the pfSense web UI

    1. Navigate to Services > DHCP server and select 'OPT1'

    2. Add a Static mapping

      • MAC address of the victim machine: E4:70:B8:23:CF:E0

      • IP Address: 172.16.2.2

    3. Click 'save' > 'Apply changes'

  10. Start the Virtual Machine

  11. Go through the installation process

    1. Select 'I don’t have a product key'

    2. Select Windows 10 Home

    3. Select option 'Custom: Install Windows Only'

    4. Select the unallocated Space > next
      Windows will be installed

  12. When asked to sign in with a Microsoft account, follow these steps:

    1. Fill in username: test

    2. Password: test (or anything else)
      You will get an error that the account is locked; you can now continue with an offline account

  13. Resume the installation

    1. Enter the name: 'John Williams'

    2. Fill in a password and document it

    3. Fill in the security questions

  14. Disable all optional features and extra services such as 'Find my device'
    Windows will now load. Remember:

Warning
Do not install VMware Tools!

2.3.2. VmwareHardenedLoader

With the standard configuration the virtual environment is easily detected by malware. As an example, a simple PowerShell query of the Win32_ComputerSystem class (shown below) reveals the virtualization in the Manufacturer and Model fields.

PowerShell Win32_ComputerSystem
Figure 7. PowerShell Win32_ComputerSystem

VmwareHardenedLoader is an open-source tool on GitHub. It is a detection-mitigation loader that hides the VMware guest from the anti-VM checks of protectors such as VMProtect 3.2, Safengine and Themida.

We follow the steps provided here. The first part is editing the .vmx file; the second is installing the loader service inside the guest. Keep in mind that this hides the VMware artefacts the loader and the .vmx settings know about (SMBIOS strings, the VMware backdoor interface, the hypervisor CPUID bit, VMware device and vendor strings); it does not make the victim indistinguishable from a physical machine, which is also why the MAC address was changed and VMware Tools are not installed.

Edit .vmx file

Shut down the victim machine (do not suspend it). In Workstation, right-click 'Victim_Windows10' > 'Open VM Directory'. Open the .vmx file (Victim_Windows10.vmx) in a text editor and add the following settings at the bottom:

hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
scsi0:0.productID = "Tencent SSD"
scsi0:0.vendorID = "Tencent"
ethernet0.address = "E4:70:B8:23:CF:E0"

Save the file and start the victim machine. VMware expects the MAC address in colon notation; if you already set it in the VM settings in 2.3.1, the ethernet0.address line (together with ethernet0.addressType = "static") is already present in the file and must not be added a second time. If we run the PowerShell command again, the result looks like this:

PowerShell Win32_ComputerSystem with loader configuration
Figure 8. PowerShell Win32_ComputerSystem with loader configuration

2.3.3. Install VmwareHardenedLoader

Step 2 is installing the VmwareHardenedLoader service. Download the 'bin' folder here, copy it to the victim machine and run install.bat as administrator.

VMwareHardenedLoader install
Figure 9. VMwareHardenedLoader install

2.3.4. Additional software

We install some extra software for two reasons. First, the machine has to look like a normal machine in daily use; second, some malware depends on one of these packages (a runtime, an office suite) to run at all.

The following software has to be installed:

Table 1. Installed software

Name                                   | Version                | Link
Google Chrome                          | 80.0.3987.132          | https://www.google.com/chrome
Firefox                                | 74.0                   | https://www.mozilla.org/firefox/new/
x64 Java runtime                       | 8 Update 241           | https://www.java.com/download
.NET Core Runtime                      | 3.1.2                  | https://dotnet.microsoft.com/download/dotnet-core
Silverlight                            | 5                      | https://microsoft.com/silverlight
LibreOffice                            | 6.4.1                  | https://libreoffice.org/download/download
7-Zip                                  | 19.00                  | https://www.7-zip.org/download.html
Thunderbird                            | 68.6.0                 | https://www.thunderbird.net
Python 3                               | 3.8.2                  | https://www.python.org/downloads
Python 2                               | 2.7.17                 | https://www.python.org/downloads
Microsoft Visual C++ Redistributable   | 2015-2019 14.25.28508  | https://support.microsoft.com/help/2977003/the-latest-supported-visual-c-downloads
Nitro Reader                           | Pro 11                 | https://www.gonitro.com/pdf-reader
VLC media player                       | 3.0.8                  | https://videolan.org
Microsoft Office Home and Student 2016 |                        | https://officecdn.microsoft.com/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/HomeStudentRetail.img

To make the victim look like a machine in normal use we also create some folders and documents. What they contain does not matter; just fill it up. Some sample documents:

2.3.5. OpenSSH Server

To transfer the malicious files to the victim we will use the scp command. For this reason we install the OpenSSH server. Note that the capability needed is OpenSSH.Server, not OpenSSH.Client: the client alone does not provide the sshd service. Installing the server capability also adds the inbound firewall rule for port 22.

  1. Open Powershell as Administrator

  2. Run these commands:

    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
    Start-Service sshd
    Set-Service -Name sshd -StartupType 'Automatic'

2.3.6. Wazuh agent

We need to install the Wazuh agent to make monitoring for the HIDS possible.

  1. Start the Victim VM

  2. Open a browser, go to the wazuh packages

  3. Download the agent for windows (wazuh-agent-3.11.4-1.msi) and execute it

    1. Read and accept the term > press 'Install'

    2. Check 'Run agent configuration interface' and press 'Finish'

    3. Set the Manager IP to: 172.16.1.3

    4. Click save and exit
      We register the agent with the manager once the installation of the HIDS is completed

2.3.7. Disable Windows Defender

We need to disable Windows Defender to be able to run the malware. On recent Windows 10 builds Tamper Protection (Windows Security > Virus & threat protection settings) must be turned off first, otherwise the registry value below is ignored, and newer Defender platform releases ignore DisableAntiSpyware altogether. After the reboot, verify in Windows Security that real-time protection is really off.

  1. Start the Victim VM

  2. Press Windows Key + r

    1. Type in 'regedit' and click 'OK'

  3. Browse to the following path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  4. Right click on Windows defender folder

    1. Select New > DWORD (32-bit)

    2. Name it 'DisableAntiSpyware' and press Enter

  5. Double-click on the just created 'DisableAntiSpyware' item.

    1. Set the value data to: 1

      Registry Editor - Disable Defender
      Figure 10. Registry Editor - Disable Defender
    2. Restart the VM

2.4. NIDS

We will use Ubuntu Server as operating system for the NIDS and HIDS VM. The ISO can be downloaded here (18.04.4).

2.4.1. Installation Ubuntu Server 18

  1. In VMware Workstation Pro click on File > New Virtual Machine

  2. Select Typical > Next

  3. Browse to the downloaded Ubuntu Server ISO > Next

  4. Fill in the fields name, username (we use nids), password

  5. Give the VM a name, enter 'NIDS' > Next

  6. Set the maximum disk size to 50 GB

  7. Select 'Store virtual disk size as a single file' > next

  8. Click 'Customize hardware'

    1. Set the amount of memory to 2048 MB

    2. Set number of processors to 2

    3. Set number of cores per processor to 2

    4. Click on 'Network Adapter'

      • Select 'Connect at power on'

      • Select Custom > VMnet1 (Host-only)

    5. Click 'Add…​'

      • Select 'Network Adapter' > Next

      • Select Custom > VMnet2 (IPS1)

      • Uncheck 'Connect at power on'

      • Press finish

    6. Click 'Add…​'

      • Select 'Network Adapter' > Next

      • Select Custom > VMnet3 (IPS2)

      • Uncheck 'Connect at power on'

      • Press finish

    7. Select 'USB controller' > Click 'Remove'

    8. Select 'Sound Card' > Click 'Remove'

    9. Select 'Printer' > Click 'Remove'

    10. Press Close

  9. Press Finish

  10. Open the VM settings again

    1. Remove the CD/ DVD with the 'autoinst.iso' inserted

    2. Remove the Floppy drive with the 'autoinst.flp' inserted

  11. Start the Virtual Machine

  12. Go through the installation process

    1. At the software selection phase, make sure to install 'OpenSSH server'

  13. Shut down the VM after the installation is completed

    1. Remove the last CD/DVD drive

    2. Document the MAC-address of the network adapter

    3. Check the connect at power on for Network adapter 2 (VMnet2) and Network adapter 3 (VMnet3)

  14. Log in to the pfSense web UI

    1. Navigate to Services > DHCP server and select 'LAN'

    2. Add a Static mapping

      • MAC address of the NIDS machine (the one documented in step 13)

      • IP Address: 172.16.1.4

    3. Click 'save' > 'Apply changes'

  15. Start up the VM

    1. Log in

    2. Verify that the IP address is 172.16.1.4 (with ip addr, or with ifconfig if net-tools is installed)

    3. Update the vm with:

      sudo apt-get update; sudo apt-get upgrade;
    4. Make sure the server has the correct time and time zone with:

      sudo dpkg-reconfigure tzdata

2.4.2. Snort 2.9

The first NIDS software we install is Snort (http://www.snort.org/). We mainly follow this guide; the steps are documented below.

Installation
  1. Log into the NIDS VM

    Tip
    Log in from the host machine over SSH to the NIDS VM for easy copy and paste
  2. Execute these commands:

    1. Make a folder to store the downloaded files

      mkdir ~/snort_src
      cd ~/snort_src
    2. Install the Snort prerequisites (build-essential provides the gcc and make that the source builds below need)

      sudo apt install -y build-essential libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet
    3. Install daq

      cd ~/snort_src
      wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
      tar -xvzf daq-2.0.6.tar.gz
      cd daq-2.0.6
      ./configure && make && sudo make install
    4. Install Snort

      cd ~/snort_src
      wget https://www.snort.org/downloads/snort/snort-2.9.15.1.tar.gz
      tar -xvzf snort-2.9.15.1.tar.gz
      cd snort-2.9.15.1
      ./configure --enable-sourcefire && make && sudo make install
    5. Update the shared libraries

      sudo ldconfig
    6. Create a symbolic link to snort

      sudo ln -s /usr/local/bin/snort /usr/sbin/snort
    7. Create the folder structure and create the required files

      sudo mkdir -p /etc/snort/rules
      sudo mkdir /etc/snort/preproc_rules
      sudo mkdir /var/log/snort
      sudo mkdir /usr/local/lib/snort_dynamicrules
      
      sudo touch /etc/snort/rules/white_list.rules
      sudo touch /etc/snort/rules/black_list.rules
      sudo touch /etc/snort/rules/local.rules
    8. Copy the configuration files from the download folder

      sudo cp ~/snort_src/snort-2.9.15.1/etc/*.conf* /etc/snort
      sudo cp ~/snort_src/snort-2.9.15.1/etc/*.map /etc/snort
      sudo cp ~/snort_src/snort-2.9.15.1/etc/*.dtd /etc/snort
  3. Verify that Snort can run

    sudo snort -V
    Snort installed
    Figure 11. Snort installed
Download rules

For the malware lab we use the PRO rules from emergingthreats.net. If you don't have a PRO subscription, free rules are available here or from the Snort community.

  1. Download and set up the rules. Replace $oinkcode with your ET Pro oinkcode (or export it as a shell variable first) and treat it as a credential: it is part of the URL and ends up in your shell history. The tarball unpacks into /etc/snort/rules:

    cd ~/snort_src/
    wget https://rules.emergingthreatspro.com/$oinkcode/snort-2.9.15.1/etpro.rules.tar.gz
    sudo tar -xvf etpro.rules.tar.gz -C /etc/snort
Edit Snort configuration file

We will want to modify our Snort configuration file to enable some extra features and so that we don’t have to specify settings at the command line.

  1. Open the configuration file

    sudo nano /etc/snort/snort.conf
    1. Find these sections shown below in the configuration file and change the parameters to reflect the examples here.

      # Setup the network addresses you are protecting
      ipvar HOME_NET 172.16.2.0/24
      # Set up the external network addresses. Leave as "any" in most situations
      ipvar EXTERNAL_NET !$HOME_NET
      # Path to your rules files (this can be a relative path)
      var RULE_PATH /etc/snort/rules
      var SO_RULE_PATH /etc/snort/so_rules
      var PREPROC_RULE_PATH /etc/snort/preproc_rules
      # Set the absolute path appropriately
      var WHITE_LIST_PATH /etc/snort/rules
      var BLACK_LIST_PATH /etc/snort/rules
    2. Scroll down to section 6 (line 519) and set the output for unified2 to log under filename of snort.log:

      # unified2
      # Recommended for most installs
      output unified2: filename snort.log, limit 128
      output alert_fast: alert.fast
    3. Lastly, scroll down to the bottom of the file to find the list of included rules. Replace this list with the following (in our case). The ET rule files live in /etc/snort/rules, so every include is prefixed with $RULE_PATH, and local.rules is included only once.

      include $RULE_PATH/local.rules
      
      include $RULE_PATH/activex.rules
      include $RULE_PATH/attack_response.rules
      include $RULE_PATH/botcc.portgrouped.rules
      include $RULE_PATH/botcc.rules
      include $RULE_PATH/chat.rules
      include $RULE_PATH/ciarmy.rules
      include $RULE_PATH/compromised.rules
      include $RULE_PATH/current_events.rules
      include $RULE_PATH/deleted.rules
      include $RULE_PATH/dns.rules
      include $RULE_PATH/dos.rules
      include $RULE_PATH/drop.rules
      include $RULE_PATH/dshield.rules
      include $RULE_PATH/exploit.rules
      include $RULE_PATH/ftp.rules
      include $RULE_PATH/games.rules
      include $RULE_PATH/icmp_info.rules
      include $RULE_PATH/icmp.rules
      include $RULE_PATH/imap.rules
      include $RULE_PATH/inappropriate.rules
      include $RULE_PATH/info.rules
      include $RULE_PATH/malware.rules
      include $RULE_PATH/misc.rules
      include $RULE_PATH/mobile_malware.rules
      include $RULE_PATH/netbios.rules
      include $RULE_PATH/p2p.rules
      include $RULE_PATH/policy.rules
      include $RULE_PATH/pop3.rules
      include $RULE_PATH/rpc.rules
      include $RULE_PATH/scada.rules
      include $RULE_PATH/scada_special.rules
      include $RULE_PATH/scan.rules
      include $RULE_PATH/shellcode.rules
      include $RULE_PATH/smtp.rules
      include $RULE_PATH/snmp.rules
      include $RULE_PATH/sql.rules
      include $RULE_PATH/telnet.rules
      include $RULE_PATH/tftp.rules
      include $RULE_PATH/tor.rules
      include $RULE_PATH/trojan.rules
      include $RULE_PATH/user_agents.rules
      include $RULE_PATH/voip.rules
      include $RULE_PATH/web_client.rules
      include $RULE_PATH/web_server.rules
      include $RULE_PATH/web_specific_apps.rules
      include $RULE_PATH/worm.rules
  2. Test if Snort loads the configuration file correctly:

    sudo snort -T -c /etc/snort/snort.conf

    The result must be 'Snort successfully validated the configuration!'

    Snort with configuration
    Figure 12. Snort with configuration
Tip
Make a snapshot!
Configuring Network Cards

Snort sometimes has problems with network cards on which GRO and/or LRO is enabled: the kernel merges several received packets into one oversized segment before the sniffer sees it, so Snort sees frames that do not match what went over the wire. In this section we disable these features on the capture interface.

  1. First, check which MAC-address correspondent with which Ethernet Adapter, run:

    ifconfig -a
    NIDS ifconfig
    Figure 13. NIDS ifconfig

    In our case ens33 is the IPS1 (Vmnet2) and ens34 the IPS2 (VMnet3) network, we will now use IPS1 for the capture.

  2. For a NIDS we want to disable receive offloading (GRO and LRO) on the capture interface. To check whether it is enabled (install ethtool with sudo apt install ethtool if the command is missing):

    sudo ethtool -k ens33 | grep receive-offload
    NIDS Offload status
    Figure 14. NIDS Offload status
  3. As you can see GRO is enabled. We could disable it with ethtool directly, but that setting would not survive a reboot. The solution is a systemd unit that sets it at every boot.

    Create the systemd unit (locally written units belong in /etc/systemd/system)

    sudo nano /etc/systemd/system/ethtool.service

    Enter the following lines. The ordering directive belongs in the [Unit] section, not in [Service]; the '-' in front of ethtool keeps the unit from failing on an interface whose LRO is already fixed off:

    [Unit]
    Description=Ethtool configuration for the NIDS capture interface
    After=network.target
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=-/sbin/ethtool -K ens33 gro off
    ExecStart=-/sbin/ethtool -K ens33 lro off
    
    [Install]
    WantedBy=multi-user.target

    Once the file is created, enable and start the service:

    sudo systemctl daemon-reload
    sudo systemctl enable --now ethtool
  4. Check if both are disabled

    sudo ethtool -k ens33 | grep receive-offload
    NIDS Offload status off
    Figure 15. NIDS Offload status off

    Both are disabled now.
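The lookup by MAC address and the offload unit above are worth scripting: the interface names are only known once the VM has booted, and the unit has to cover every capture interface (IPS1 on VMnet2 and IPS2 on VMnet3), not just ens33. The script below is an added example written for this manual; it is not part of the original procedure and not a Snort or Suricata tool. It assumes the MAC addresses in its usage comment are replaced with the ones documented in VMware, and it takes an optional sysfs root argument purely so that the lookup can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example for this manual (not the original author's script): map the MAC
# addresses recorded in the VMware settings of the NIDS VM to the interface names
# Ubuntu gave them, and generate the systemd unit that turns GRO/LRO off on every
# capture interface at boot. Assumptions: the MACs in the usage comment are
# placeholders; the optional SYSROOT argument exists only for testing against a
# constructed /sys tree.
set -eu

# iface_by_mac MAC [SYSROOT]  ->  prints the interface that owns MAC, exit 1 if none
iface_by_mac() {
    # VMware shows 00:0C:29:..., Windows 00-0C-29-...; sysfs uses lower case with colons
    mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '-' ':')
    root=${2:-/sys}
    for f in "$root"/class/net/*/address; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$mac" ]; then
            basename "$(dirname "$f")"
            return 0
        fi
    done
    echo "no interface with MAC $mac" >&2
    return 1
}

# offload_unit IFACE...  ->  prints a systemd oneshot unit covering every IFACE
offload_unit() {
    printf '[Unit]\n'
    printf 'Description=Disable GRO/LRO on NIDS capture interfaces\n'
    printf 'After=network.target\n\n'
    printf '[Service]\n'
    printf 'Type=oneshot\n'
    printf 'RemainAfterExit=yes\n'
    for i in "$@"; do
        # leading "-": an interface whose LRO is already fixed off must not fail the unit
        printf 'ExecStart=-/sbin/ethtool -K %s gro off lro off\n' "$i"
    done
    printf '\n[Install]\nWantedBy=multi-user.target\n'
}

# offload_still_on IFACE  ->  0 if ethtool still reports a receive offload as "on"
offload_still_on() {
    ethtool -k "$1" | grep -q 'receive-offload: on'
}

# Usage on the NIDS VM (replace the placeholders with the documented MACs):
#   ips1=$(iface_by_mac "<MAC of network adapter 2>")
#   ips2=$(iface_by_mac "<MAC of network adapter 3>")
#   offload_unit "$ips1" "$ips2" | sudo tee /etc/systemd/system/nids-offload.service
#   sudo systemctl daemon-reload && sudo systemctl enable --now nids-offload
#   offload_still_on "$ips1" && echo "GRO/LRO still enabled on $ips1"
```

Unlike the single-interface ethtool.service above, the generated unit carries one ExecStart line per capture interface, and offload_still_on gives a yes/no check you can put in a snapshot checklist instead of reading the ethtool output by eye.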

Run a test

To test whether Snort processes the traffic generated by the victim machine as intended, we add a custom rule that alerts on incoming ICMP traffic.

  1. Open local.rules

    sudo nano /etc/snort/rules/local.rules

    Add the following line:

    alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
  2. Start snort with:

    sudo snort -A console -i ens33  -c /etc/snort/snort.conf
  3. Start the Victim machine

    1. Open PowerShell and run the command:

      ping www.google.com
  4. On the NIDS side you should see these alerts:

    Snort IMCP alert
    Figure 16. Snort IMCP alert

    It is working!

Tip
Make a snapshot!

2.4.3. Suricata 5.0

The second NIDS software we install is Suricata (https://suricata-ids.org/). We mainly follow this guide; the steps are documented below.

Installation
  1. Log into the NIDS VM

    Tip
    Log in from the host machine over SSH to the NIDS VM for easy copy and paste
  2. Execute these commands:

    1. Make a folder to store the downloaded files

      mkdir ~/suricata_src
      cd ~/suricata_src
    2. Install Suricata (5.0.2)

      sudo add-apt-repository ppa:oisf/suricata-stable
      sudo apt update
      sudo apt install suricata
  3. Verify that Suricata can run

    sudo suricata -V
    Suricata installed
    Figure 17. Suricata installed
Tip
Make a snapshot!
Download rules

For the malware lab we use the PRO rules from emergingthreats.net. If you don't have a PRO subscription, free rules are available here.

  1. Download and set up the rules. As with Snort, replace $oinkcode with your ET Pro oinkcode. Note that removing /etc/suricata/rules also removes any local.rules kept there, so copy your own rules elsewhere before repeating this update:

    cd ~/suricata_src/
    wget https://rules.emergingthreatspro.com/$oinkcode/suricata-5.0/etpro.rules.tar.gz
    sudo rm -r /etc/suricata/rules
    sudo tar -xvf etpro.rules.tar.gz -C /etc/suricata
Edit Suricata configuration file

We have to modify the configuration files to enable the rules and some other things.

  1. Open the configuration file

    cd /etc/suricata
    sudo nano suricata.yaml
    1. Find these sections shown below in the configuration file and change the parameters to reflect the examples here.

      HOME_NET: "[172.16.2.0/24]"
        - eve.log:
            [...]
            - stats:
                totals: no
                threads: no
                deltas: no
      default-rule-path: /etc/suricata/rules
      
      rule-files:
      - local.rules
      - activex.rules
      - adware_pup.rules
      - attack_response.rules
      - botcc.portgrouped.rules
      - botcc.rules
      - chat.rules
      - ciarmy.rules
      - coinminer.rules
      - compromised.rules
      - current_events.rules
      - deleted.rules
      - dns.rules
      - dos.rules
      - drop.rules
      - dshield.rules
      - exploit_kit.rules
      - exploit.rules
      - ftp.rules
      - games.rules
      - hunting.rules
      - icmp_info.rules
      - icmp.rules
      - imap.rules
      - inappropriate.rules
      - info.rules
      - ja3.rules
      - malware.rules
      - misc.rules
      - mobile_malware.rules
      - netbios.rules
      - p2p.rules
      - phishing.rules
      - policy.rules
      - pop3.rules
      - rpc.rules
      - scada.rules
      - scada_special.rules
      - scan.rules
      - shellcode.rules
      - smtp.rules
      - snmp.rules
      - sql.rules
      - telnet.rules
      - tftp.rules
      - tor.rules
      - user_agents.rules
      - voip.rules
      - web_client.rules
      - web_server.rules
      - web_specific_apps.rules
      - worm.rules
  2. Test if Suricata loads the configuration file correctly:

    sudo suricata -T -c /etc/suricata/suricata.yaml

    The output should look like this:

    Suricata configuration loaded
    Figure 18. Suricata configuration loaded
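Both 'Download rules' steps above fetch a tarball and unpack it straight into the live rules directory, and the Suricata step deletes local.rules together with the old rules. The script below is an added example written for this manual (not the original author's procedure and not an Emerging Threats, Snort or Suricata tool) that does the update the way a sensor should: verify the download against its .md5 file, stage the new rules, carry local.rules over, run the engine's own configuration test (snort -T / suricata -T) against the staged set, and only swap it in when that passes. It assumes the tarball contains a top-level rules/ directory (as the tar -C steps imply), that ET publishes a <tarball>.md5 file next to each tarball with the hex digest as its first word, and that the oinkcode is stored in /etc/et-oinkcode (mode 0600) rather than typed into the URL.

```shell
#!/bin/sh
# Added example for this manual (not the original author's script): update the
# ET Pro ruleset for Snort or Suricata without ever leaving the sensor with a
# broken or half-written rules directory.
# Assumptions (not from the manual): the tarball holds a top-level "rules/"
# directory, "<tarball>.md5" has the hex digest as its first word, and the
# oinkcode is kept in /etc/et-oinkcode.
set -eu

# verify_md5 TARBALL MD5FILE  ->  0 if the digest in MD5FILE matches TARBALL
verify_md5() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# stage_rules TARBALL STAGEDIR CURRENTDIR  ->  fresh STAGEDIR holding the new
# rules plus the existing local.rules (an empty one if none exists yet)
stage_rules() {
    rm -rf "$2"
    mkdir -p "$2"
    tar -xzf "$1" -C "$2" --strip-components=1
    if [ -f "$3/local.rules" ]; then
        cp "$3/local.rules" "$2/local.rules"
    else
        : > "$2/local.rules"
    fi
}

# validate_rules ENGINE STAGEDIR  ->  the engine's own config test against STAGEDIR
validate_rules() {
    case "$1" in
        snort)
            # throwaway copy of snort.conf pointing RULE_PATH at the staging dir;
            # run it from /etc/snort so the relative includes still resolve
            sed "s|^var RULE_PATH .*|var RULE_PATH $2|" /etc/snort/snort.conf \
                > "$2/.test.conf"
            (cd /etc/snort && snort -q -T -c "$2/.test.conf"); rc=$?
            rm -f "$2/.test.conf"
            return $rc ;;
        suricata)
            suricata -T -c /etc/suricata/suricata.yaml \
                --set "default-rule-path=$2" ;;
        *)  echo "unknown engine: $1" >&2; return 2 ;;
    esac
}

# swap_rules STAGEDIR TARGETDIR  ->  TARGETDIR becomes STAGEDIR, one backup kept
swap_rules() {
    rm -rf "$2.previous"
    if [ -d "$2" ]; then mv "$2" "$2.previous"; fi
    mv "$1" "$2"
}

# update_rules ENGINE URLDIR TARGETDIR  ->  download, verify, stage, test, swap
update_rules() {
    engine=$1; urldir=$2; target=$3
    oink=$(cat /etc/et-oinkcode)
    work=$(mktemp -d)
    url="https://rules.emergingthreatspro.com/$oink/$urldir/etpro.rules.tar.gz"
    wget -q -O "$work/etpro.rules.tar.gz" "$url"
    wget -q -O "$work/etpro.rules.tar.gz.md5" "$url.md5"
    if ! verify_md5 "$work/etpro.rules.tar.gz" "$work/etpro.rules.tar.gz.md5"; then
        echo "$engine: checksum mismatch, keeping current rules" >&2
        rm -rf "$work"; return 1
    fi
    stage_rules "$work/etpro.rules.tar.gz" "$target.staging" "$target"
    if ! validate_rules "$engine" "$target.staging"; then
        echo "$engine: config test failed, keeping current rules" >&2
        rm -rf "$target.staging" "$work"; return 1
    fi
    swap_rules "$target.staging" "$target"
    rm -rf "$work"
    echo "$engine: rules updated, previous set kept in $target.previous"
}

# Usage on the NIDS VM, as root:  ./et-update.sh snort   or   ./et-update.sh suricata
case "${1:-}" in
    snort)    update_rules snort    snort-2.9.15.1 /etc/snort/rules ;;
    suricata) update_rules suricata suricata-5.0   /etc/suricata/rules ;;
esac
```

Restart the engine after a successful swap. If a later update breaks, the previous set is still in rules.previous and can be moved back without a new download.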
Run a test

To test whether Suricata processes the traffic generated by the victim machine as intended, we add a custom rule that alerts on incoming ICMP traffic.

  1. Open local.rules

    sudo nano /etc/suricata/rules/local.rules

    Add the following line:

    alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
  2. Start Suricata with:

    sudo suricata -i ens33  -c /etc/suricata/suricata.yaml
  3. Open a second SSH session to the NIDS and run:

    sudo tail -f /var/log/suricata/fast.log
  4. Start the Victim machine

    1. Open PowerShell and run the command:

      ping www.google.com
  5. On the NIDS side you should see this alert:

    Suricata ICMP alert
    Figure 19. Suricata ICMP alert

    It is working!

Tip
Make a snapshot!
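As an added check (example code, not part of the original manual), the following Python parses Suricata's fast.log format and confirms that the custom ICMP test rule (sid 10000001) alerted on ICMP traffic towards the victim. The log lines are constructed for the example; the victim address 172.16.2.10 and the google.com address are assumptions, not values taken from the manual. On the NIDS you would feed it the contents of /var/log/suricata/fast.log instead of the sample.

```python
"""Parse Suricata fast.log records and confirm the lab's ICMP test rule fired.

Added example for this manual; the sample log lines below are constructed, and the
victim address 172.16.2.10 is an assumption (the manual does not state it).
"""
import re
from collections import Counter
from typing import Iterator, List, NamedTuple

# Constructed sample: two hits of the custom rule (sid 10000001) on echo replies coming
# back to the victim, one unrelated ET alert, and one line that is not a fast.log record.
SAMPLE_FAST_LOG = """\
03/15/2020-14:12:01.123456  [**] [1:10000001:1] ICMP test [**] [Classification: (null)] [Priority: 3] {ICMP} 142.250.179.132:0 -> 172.16.2.10:0
03/15/2020-14:12:02.124001  [**] [1:10000001:1] ICMP test [**] [Classification: (null)] [Priority: 3] {ICMP} 142.250.179.132:0 -> 172.16.2.10:0
03/15/2020-14:12:05.900000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 93.184.216.34:80 -> 172.16.2.10:49712
this line is not a fast.log record and must be skipped
"""

# One fast.log record: timestamp, [gid:sid:rev], message, classification, priority,
# protocol and the "src:port -> dst:port" pair Suricata prints for every protocol.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>.*?)\]\s+\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


class Alert(NamedTuple):
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str  # "ip:port" exactly as printed by Suricata
    dst: str


def parse_fast_log(text: str) -> Iterator[Alert]:
    """Yield one Alert per well-formed fast.log line; anything else is skipped."""
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield Alert(d["ts"], int(d["gid"]), int(d["sid"]), int(d["rev"]), d["msg"],
                    d["classification"], int(d["priority"]), d["proto"], d["src"], d["dst"])


def host_of(endpoint: str) -> str:
    """Strip the trailing ':port' Suricata appends to every address."""
    return endpoint.rsplit(":", 1)[0]


def alerts_for_sid(text: str, sid: int) -> List[Alert]:
    return [a for a in parse_fast_log(text) if a.sid == sid]


def icmp_test_fired(text: str, victim_ip: str, sid: int = 10000001) -> bool:
    """True when the ICMP test rule alerted on ICMP traffic towards the victim."""
    return any(a.proto == "ICMP" and host_of(a.dst) == victim_ip
               for a in alerts_for_sid(text, sid))


def sid_histogram(text: str) -> Counter:
    """How often each signature fired; useful to spot a noisy test rule before a run."""
    return Counter(a.sid for a in parse_fast_log(text))


if __name__ == "__main__":
    # Replace SAMPLE_FAST_LOG with open("/var/log/suricata/fast.log").read() on the NIDS.
    print("ICMP test fired:", icmp_test_fired(SAMPLE_FAST_LOG, "172.16.2.10"))
    print("alerts per sid:", dict(sid_histogram(SAMPLE_FAST_LOG)))
```

Remember to remove the test rule from local.rules (or comment it out) before a malware run; otherwise every ICMP reply into the lab network shows up as an alert and drowns the real signal.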

2.5. HIDS

We will use Ubuntu Server as the operating system for both the NIDS and the HIDS VM. The ISO can be downloaded here (18.04.4).

2.5.1. Installation Ubuntu Server 18

This installation is quite similar to the NIDS installation.

  1. In VMware Workstation Pro click on File > New Virtual Machine

  2. Select Typical > Next

  3. Browse to the downloaded Ubuntu Server ISO > Next

  4. Fill in the fields name, username (we use hids), password

  5. Give the VM a name, enter 'HIDS' > Next

  6. Set the maximum disk size to 80 GB

  7. Select 'Store virtual disk size as a single file' > next

  8. Click 'Customize hardware'

    1. Set the amount of memory to 4096 MB

    2. Set number of processors to 2

    3. Set number of cores per processor to 2

    4. Click on 'Network Adapter'

      • Select 'Connect at power on'

      • Select Custom > VMnet1 (Host-only)

    5. Select 'USB controller' > Click 'Remove'

    6. Select 'Sound Card' > Click 'Remove'

    7. Select 'Printer' > Click 'Remove'

    8. Press Close

  9. Press Finish

  10. Open the VM settings again

    1. Remove the CD/ DVD with the 'autoinst.iso' inserted

    2. Remove the Floppy drive with the 'autoinst.flp' inserted

  11. Start the Virtual Machine

  12. Go through the installation process

    1. At the software selection phase, make sure to install 'OpenSSH server'

  13. Shut down the VM after the installation is completed

    1. Remove the last CD/DVD drive

    2. Document the MAC-address of the network adapter

  14. Log in to the pfSense web UI

    1. Navigate to Services > DHCP server and select 'LAN'

    2. Add a Static mapping

      • MAC address of the HIDS machine, as documented in the previous step (00:0C:29:87:0A:4C)

      • IP Address: 172.16.1.3

    3. Click 'save' > 'Apply changes'

  15. Start up the VM

    1. Log in

    2. Verify that the IP address is 172.16.1.3 (with ip a; ifconfig is not installed by default on Ubuntu Server 18.04)

    3. Update the VM with:

      sudo apt-get update; sudo apt-get upgrade;

2.5.2. Docker.io

We will use Docker to run the Wazuh server and ELK stack. We have to install docker first.

  1. Log into the HIDS VM

  2. Install Docker. Download the convenience script, review it, and only then run it (rather than piping an unreviewed script straight into a shell):

    curl -fsSL https://get.docker.com -o get-docker.sh
    less get-docker.sh
    sh get-docker.sh
  3. Start and automate Docker

    sudo systemctl enable docker
    sudo systemctl start docker
  4. Check if docker is installed correctly

    docker --version
    Docker version 19.03.8, build afacb8b7f0
  5. Install docker-compose

    sudo curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-Linux-x86_64" -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose
  6. Check if docker-compose is installed correctly

    docker-compose --version
    docker-compose version 1.25.4, build 8d51620a

2.5.3. Wazuh Container

We will follow this guide to deploy the Wazuh container, steps are documented below.

  1. Increase max_map_count (Elasticsearch's bootstrap check fails below this value):

    sudo nano /etc/sysctl.conf

    At the bottom add this line:

    vm.max_map_count=262144

    Reload the file with sudo sysctl -p so the setting takes effect without a reboot.
  2. Get the docker-compose-yml

    curl -so docker-compose.yml https://raw.githubusercontent.com/wazuh/wazuh-docker/v3.11.4_7.6.1/docker-compose.yml
  3. Get the Wazuh repository

    git clone https://github.com/wazuh/wazuh-docker.git -b v3.11.4_7.6.1 --single-branch
  4. Start the stack

    sudo docker-compose up

    The installation will take some time. When it is done, go to https://172.16.1.3/ in the browser of your host machine. The default login is username 'foo' with password 'bar'; change it before the interface is reachable from anywhere other than the host. You should now have access to the Kibana interface.

  5. We want the docker container to start automatically at system start up. Follow the steps below.

    1. Stop the stack (Ctrl-c)

    2. Open docker-compose-app.service (New file)

      sudo nano /etc/systemd/system/docker-compose-app.service

      And add the following content:

      [Unit]
      Description=Docker Compose Application Service
      Requires=docker.service
      After=docker.service
      
      [Service]
      Type=oneshot
      RemainAfterExit=yes
      WorkingDirectory=/home/hids/
      ExecStart=/usr/local/bin/docker-compose up -d
      ExecStop=/usr/local/bin/docker-compose down
      TimeoutStartSec=0
      
      [Install]
      WantedBy=multi-user.target
    3. Enable and start the service

      sudo systemctl enable docker-compose-app
      sudo systemctl start docker-compose-app

3. Last configuration

3.1. pfSense Firewall rules

We will add some extra firewall rules to prevent the Victim from accessing other machines in the network (except for the Wazuh server).

3.1.1. WAN interface

We don’t need any extra rules for the WAN interface.

pfSense WAN rules
Figure 20. pfSense WAN rules

3.1.2. LAN interface

We want to block all traffic to local networks (the RFC1918 alias we created). However, the host machine (172.16.1.2) needs SSH access to the victim, and the Wazuh agent on the victim and the Wazuh manager on the HIDS communicate over ports 1514 and 1515 (agent events and agent enrollment), so those flows must stay open.

If we keep this in mind the configuration should look like this:

pfSense LAN rules
Figure 21. pfSense LAN rules

3.1.3. OPT1 interface

As with the LAN interface we want to block all traffic to local networks (the RFC1918 alias we created), except for the communication to the HIDS Wazuh server. The Victim machine is allowed to have access to the outside world.

The configuration should look like this:

pfSense OPT1 rules
Figure 22. pfSense OPT1 rules

3.2. Register Wazuh agent at Wazuh manager

The installation of both the Victim VM and the HIDS VM is completed; it is time to register the Wazuh agent at the Wazuh Manager.

  1. Start the HIDS and run the command:

    sudo docker-compose exec wazuh /bin/bash
    1. Add the agent with manage_agents:

      /var/ossec/bin/manage_agents -a any -n windows-10
    2. List the agents

      /var/ossec/bin/manage_agents -l
      Available agents:
         ID: 004, Name: windows-10, IP: any
    3. Use the ID from the previous command to extract the agents key using:

      /var/ossec/bin/manage_agents -e 004
      Agent key information for '004' is:
      MDA0IHdpbmRvd3MtMTAgYW55IDA3YzI3OTNjYjA3NDJiODAwYjE4ZWEwY2FlZTk1NGU2MGIwODNiOTFmMjcyMGFhMWVjZDg5ZGMwMGU5NDIxMWQ=
  2. Open a shell at the Victim machine

    1. Import the previous key with manage_agents

      'C:\Program Files (x86)\ossec-agent\manage_agents' -i MDA0IHdpbmRvd3MtMTAgYW55IDA3YzI3OTNjYjA3NDJiODAwYjE4ZWEwY2FlZTk1NGU2MGIwODNiOTFmMjcyMGFhMWVjZDg5ZGMwMGU5NDIxMWQ=
      Wazuh Agent key imported
      Figure 23. Wazuh Agent key imported
    2. Restart the Wazuh agent service on the Victim machine:

      Restart-Service -Name wazuh

      At the HIDS Kibana interface, the agent should be visible now:

      Wazuh Agent registered Kibana
      Figure 24. Wazuh Agent registered Kibana
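Before importing a key on the victim it is worth confirming that it really belongs to the agent you just created. The string printed by manage_agents -e is base64 of the four fields "ID NAME IP KEY". This added Python example (not code from the manual or from Wazuh) decodes the key shown above and reports mismatches; the 'any' finding is informational: a key registered with -a any is accepted from any source address, which is acceptable in this lab because the victim's address is fixed by pfSense, but it means the key must be treated as a credential.

```python
"""Decode and sanity-check a Wazuh agent key before importing it with manage_agents -i.

Added example for this manual (not Wazuh code). LAB_KEY is the key printed by
manage_agents -e in the section above; it is base64 of "ID NAME IP KEY".
"""
import base64
import binascii
import re
from typing import List, NamedTuple

# Key material as printed by the lab's manager: a 64-character lowercase hex string.
HEX_KEY_RE = re.compile(r"^[0-9a-f]{64}$")

# Value from the manual (agent 004, name windows-10, registered with -a any).
LAB_KEY = "MDA0IHdpbmRvd3MtMTAgYW55IDA3YzI3OTNjYjA3NDJiODAwYjE4ZWEwY2FlZTk1NGU2MGIwODNiOTFmMjcyMGFhMWVjZDg5ZGMwMGU5NDIxMWQ="


class AgentKey(NamedTuple):
    agent_id: str
    name: str
    ip: str
    secret: str


def decode_agent_key(b64: str) -> AgentKey:
    """Decode the base64 blob and validate its four space-separated fields."""
    try:
        raw = base64.b64decode(b64.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 'ID NAME IP KEY', got {len(parts)} field(s)")
    agent_id, name, ip, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    if not HEX_KEY_RE.match(secret):
        raise ValueError("key material is not a 64-character lowercase hex string")
    return AgentKey(agent_id, name, ip, secret)


def check_agent_key(b64: str, expected_id: str, expected_name: str) -> List[str]:
    """Findings to review before importing; an empty list means the key matches."""
    key = decode_agent_key(b64)
    findings = []
    if key.agent_id != expected_id:
        findings.append(f"agent id mismatch: key is for {key.agent_id}, expected {expected_id}")
    if key.name != expected_name:
        findings.append(f"agent name mismatch: key is for {key.name!r}, expected {expected_name!r}")
    if key.ip == "any":
        # Informational: the manager accepts this key from any source address, so the
        # key itself is the only thing tying a connection to this agent identity.
        findings.append("key is bound to IP 'any': any host holding it can connect as this agent")
    return findings


if __name__ == "__main__":
    print(decode_agent_key(LAB_KEY))
    for finding in check_agent_key(LAB_KEY, "004", "windows-10"):
        print("-", finding)
```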

3.3. Install Filebeat on NIDS

Wazuh uses an Elasticsearch database with Kibana to display the alerts. It is possible to send the NIDS alerts to the same Elasticsearch database to centralize the alerts.

  1. Open a shell at the NIDS

  2. Install Filebeat

    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.1-amd64.deb
    sudo dpkg -i filebeat-7.6.1-amd64.deb
    rm filebeat-7.6.1-amd64.deb
  3. Open the configuration file

    sudo nano /etc/filebeat/filebeat.yml

    Find the input section and fill in:

    - type: log
      enabled: true
      paths:
        - /var/log/snort/alert.fast
        - /var/log/suricata/fast.log

    Find the output section and fill in:

    output.elasticsearch:
      # Elasticsearch runs in the Wazuh Docker stack on the HIDS (172.16.1.3)
      hosts: ["172.16.1.3:9200"]
    
      #api_key: "id:api_key"
      username: "foo"
      password: "bar"
  4. Enable the Suricata module

    sudo filebeat modules enable suricata
    sudo filebeat setup -e
  5. Enable and start filebeat

    sudo systemctl enable filebeat
    sudo systemctl start filebeat

3.4. Wazuh

3.4.1. Configure Wazuh Group configuration

We will adjust the Wazuh monitoring configuration for the victim group. Every scan interval is set well below 5 minutes, so that each module runs at least once during a malware test, which lasts no longer than 10 minutes.

  1. Open the Kibana web interface and navigate to the Wazuh App > Management> Groups

  2. Press the + to create a new group

    1. Set the group name to 'Windows10-Machines'

  3. Click 'Edit configuration'

    Paste the following lines:

    <!-- Log analysis -->
      <localfile>
        <location>Application</location>
        <log_format>eventchannel</log_format>
      </localfile>
    
      <localfile>
        <location>Security</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
          EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
          EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
          EventID != 5152 and EventID != 5157]</query>
      </localfile>
    
      <localfile>
        <location>System</location>
        <log_format>eventchannel</log_format>
      </localfile>
    
      <localfile>
        <location>active-response\active-responses.log</location>
        <log_format>syslog</log_format>
      </localfile>
    
      <!-- Sysmon tool -->
      <localfile>
      <location>Microsoft-Windows-Sysmon/Operational</location>
      <log_format>eventchannel</log_format>
      </localfile>
    
      <!-- Policy monitoring -->
      <rootcheck>
        <disabled>no</disabled>
        <base_directory>C:</base_directory>
        <scanall>yes</scanall>
        <skip_nfs>no</skip_nfs>
        <frequency>60</frequency>
        <check_dev>yes</check_dev>
        <check_files>no</check_files>
        <check_if>yes</check_if>
        <check_pids>yes</check_pids>
        <check_ports>yes</check_ports>
        <check_sys>yes</check_sys>
        <check_trojans>no</check_trojans>
        <check_winaudit>no</check_winaudit>
        <check_winmalware>yes</check_winmalware>
        <check_winapps>yes</check_winapps>
        <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
        <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
      </rootcheck>
    
      <!-- Security Configuration Assessment -->
      <sca>
        <enabled>yes</enabled>
        <scan_on_start>yes</scan_on_start>
        <interval>4m</interval>
        <skip_nfs>yes</skip_nfs>
      </sca>
    
      <!-- File integrity monitoring -->
      <syscheck>
    
        <disabled>no</disabled>
    
        <!-- Frequency that syscheck is executed default every 12 hours -->
        <frequency>60</frequency>
    
        <!-- Default files to be monitored. -->
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\regedit.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\system.ini</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\win.ini</directories>
    
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\at.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\attrib.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\cacls.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\cmd.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\drivers\etc</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\eventcreate.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\ftp.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\lsass.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\net.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\net1.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\netsh.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\reg.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\regedt32.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\regsvr32.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\runas.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\sc.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\schtasks.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\sethc.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\subst.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\wbem\WMIC.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\SysNative\winrm.vbs</directories>
    
        <!-- 32-bit programs. -->
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\at.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\attrib.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\cacls.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\cmd.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\drivers\etc</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\eventcreate.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\ftp.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\net.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\net1.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\netsh.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\reg.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\regedit.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\regedt32.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\regsvr32.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\runas.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\sc.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\schtasks.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\sethc.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\subst.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\wbem\WMIC.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%WINDIR%\System32\winrm.vbs</directories>
        <directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
        <directories check_all="yes" realtime="yes" report_changes="yes" whodata="yes">C:\Users\John Williams\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</directories>
        <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
        <ignore>C:\Users\John Williams\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
        <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
    
        <!-- Windows registry entries to monitor. -->
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    
        <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
    
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    
        <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
    
        <!-- added manually -->
        <windows_registry arch="both">HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
        <windows_registry arch="both">HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    
        <!-- Windows registry entries to ignore. -->
        <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
        <registry_ignore type="sregex">\Enum$</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
        <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
    
        <!-- Frequency for ACL checking (seconds) -->
        <windows_audit_interval>240</windows_audit_interval>
      </syscheck>
    
      <!-- System inventory -->
      <wodle name="syscollector">
        <disabled>no</disabled>
        <interval>4m</interval>
        <scan_on_start>yes</scan_on_start>
        <hardware>yes</hardware>
        <os>yes</os>
        <network>yes</network>
        <packages>yes</packages>
        <ports all="yes">yes</ports>
        <processes>yes</processes>
      </wodle>
    
      <!-- Active response -->
      <active-response>
        <disabled>no</disabled>
        <ca_store>wpk_root.pem</ca_store>
        <ca_verification>yes</ca_verification>
      </active-response>

    Summary changes made from default configuration:

    • Sysmon tool:

      <!-- Sysmon tool -->
      <localfile>
      <location>Microsoft-Windows-Sysmon/Operational</location>
      <log_format>eventchannel</log_format>
      </localfile>
    • Rootcheck:

      1. Frequency: 60

    • Security Configuration Assessment (SCA):

      1. interval: 4m

    • Syscheck:

      1. Frequency: 60 seconds

      2. For all directories: realtime="yes" whodata="yes"

      3. For %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup: report_changes="yes"

      4. Added directory to monitor: C:\Users\John Williams\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

      5. Added 2 Windows registry entries to monitor:

        <!-- added manually -->
        <windows_registry arch="both">HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
        <windows_registry arch="both">HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    • System inventory (wodle name="syscollector")

      1. Interval: 4m

      2. Ports all: yes
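The group configuration above only helps if every scheduled scan actually runs at least once while a sample executes. The following added Python check (example code, not from the manual or from Wazuh) parses the scheduling elements of an agent configuration, converts Wazuh's interval syntax (plain seconds or a number with an s/m/h/d suffix) to seconds and reports anything at or above the 5-minute bound stated above. The embedded configuration is a trimmed copy of the group configuration, wrapped in the <agent_config> root that Wazuh uses for shared agent.conf files; the contrasting configuration with 12-hour values is constructed to show what the check catches.

```python
"""Verify that every scan interval in a Wazuh agent configuration stays under a bound.

Added example for this manual (not Wazuh code). LAB_GROUP_CONFIG is a trimmed copy of
the group configuration in the manual; DEFAULT_LIKE_CONFIG is a constructed contrast.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict

# Wazuh interval syntax: plain seconds, or a number with an s/m/h/d suffix (e.g. "4m").
INTERVAL_RE = re.compile(r"^\s*(\d+)\s*([smhd]?)\s*$")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Child elements that schedule a periodic scan in the modules used by the lab.
SCHEDULE_TAGS = {"frequency", "interval", "windows_audit_interval"}

LAB_GROUP_CONFIG = """<agent_config>
  <rootcheck>
    <disabled>no</disabled>
    <frequency>60</frequency>
  </rootcheck>
  <sca>
    <enabled>yes</enabled>
    <interval>4m</interval>
  </sca>
  <syscheck>
    <disabled>no</disabled>
    <frequency>60</frequency>
    <windows_audit_interval>240</windows_audit_interval>
  </syscheck>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>4m</interval>
  </wodle>
</agent_config>
"""

# Constructed contrast: the same modules with 12-hour scans (43200 seconds, the default the
# manual's syscheck comment mentions), which would never fire inside a 10-minute test.
DEFAULT_LIKE_CONFIG = (LAB_GROUP_CONFIG
                       .replace("<frequency>60</frequency>", "<frequency>43200</frequency>")
                       .replace("<interval>4m</interval>", "<interval>12h</interval>"))


def interval_seconds(value: str) -> int:
    """Convert a Wazuh interval string to seconds, rejecting anything unparseable."""
    m = INTERVAL_RE.match(value)
    if not m:
        raise ValueError(f"unparseable interval {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def collect_intervals(agent_conf_xml: str) -> Dict[str, int]:
    """Map '<module>/<tag>' to seconds for every scheduling element in the configuration."""
    root = ET.fromstring(agent_conf_xml)
    found: Dict[str, int] = {}
    for module in root:
        # <wodle name="syscollector"> is labelled by its name, plain modules by their tag.
        label = module.get("name") or module.tag
        for child in module:
            if child.tag in SCHEDULE_TAGS and child.text:
                found[f"{label}/{child.tag}"] = interval_seconds(child.text)
    return found


def intervals_over(agent_conf_xml: str, max_seconds: int = 300) -> Dict[str, int]:
    """Scheduling elements that are not strictly below the bound (5 minutes by default)."""
    return {k: v for k, v in collect_intervals(agent_conf_xml).items() if v >= max_seconds}


if __name__ == "__main__":
    print("lab config intervals:", collect_intervals(LAB_GROUP_CONFIG))
    print("lab config violations:", intervals_over(LAB_GROUP_CONFIG))
    print("12h config violations:", intervals_over(DEFAULT_LIKE_CONFIG))
```

Run it against the full group configuration (pasted between <agent_config> tags) whenever the intervals are changed; a scan that never runs during the test window silently turns a HIDS detection into a non-detection in the results.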

3.4.2. Sysmon Second Batch

In the first batch of the malware research (10 samples) Wazuh did not detect any malware, only some indicators. To enhance the detection capabilities we therefore install Sysmon together with a Wazuh ruleset that matches on Sysmon events. We will use the ruleset from Hestat.

  1. Start the victim machine

  2. Download the Sysmon tool and unzip it:
    https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

  3. Download the following configuration (the .xml file) and move it to the unzipped Sysmon folder
    https://github.com/SwiftOnSecurity/sysmon-config

  4. Open PowerShell as administrator and navigate to the unzipped folder

    1. Install Sysmon with the following command:

      .\Sysmon64.exe -accepteula -i sysmonconfig-export.xml
  5. Make sure the following lines are added to the Wazuh Group Configuration:

    <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    </localfile>
  6. Open the kibana web interface

    1. Navigate to Wazuh > Management > Ruleset

    2. Click 'Manage rules files' and open 'local_rules.xml'

    3. Add the following line at the bottom:

      <!-- https://raw.githubusercontent.com/Hestat/ossec-sysmon/master/local_rules.xml -->
    4. Paste content from https://raw.githubusercontent.com/Hestat/ossec-sysmon/master/local_rules.xml underneath

    5. Click Save and restart now

3.4.3. Sysmon Third Batch

Contrary to expectations, the results of batch 2 were (almost) no better than batch 1. We analysed the Sysmon events generated after execution together with the corresponding rules and found several critical bugs that explained why no alerts were generated. The first option was to correct these rules and test them again, but we decided that a more elaborate set of Sysmon rules was needed, so we wrote a script to generate OSSEC / Wazuh rules from Sigma rules (https://github.com/Neo23x0/sigma). The result is that all Windows Sigma rules have been converted to the OSSEC format; both the rules and the script are available here.

  1. Start the victim machine

  2. Download the sysmonconfig.xml from sigWah:

    1. Sysmon is already installed from the second batch, so update its configuration with -c instead of installing again with -i:

      .\Sysmon64.exe -c sysmonconfig.xml
  3. Make sure the following lines are added to the Wazuh Group Configuration:

    <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    </localfile>
  4. Open the kibana web interface

    1. Navigate to Wazuh > Management > Ruleset

    2. Click 'Manage rules files' and open 'local_rules.xml'

    3. Remove the old Sysmon rules and add the following line at the bottom:

      <!-- https://github.com/SanWieb/sigWah -->
    4. Paste content from https://github.com/SanWieb/sigWah/master/local_rules.xml underneath

    5. Click Save and restart now

3.5. Tor / VPN Tunneling

To avoid giving away your own IP address to the malware operators, you can route the lab's outbound traffic through Tor or a VPN on the pfSense VM. The steps to set up Tor are described here and the steps to configure a free VPN (ProtonVPN) here. Alternatively, a mobile phone or a Raspberry Pi can provide a 3G/4G uplink for the lab.

We use the last option because an unlimited data subscription is available.

4. Cuckoo Sandbox

Follow this guide to setup the Cuckoo Sandbox environment.