ATTACKING ACTIVE DIRECTORY | INSTALLING AND CONFIGURING SPLUNK AND SYSMON

Objective

Splunk is a well-known and popular SIEM tool. In this scenario, I will be installing it on the Splunk Ubuntu Server on 192.168.10.10.

In order for it to gather information from the other two computers on the network, I will install both the Splunk Universal Forwarder and Sysmon on the AD server and on the Windows client. In the end, we should have a working instance of Splunk that is pulling data from both computers.

Implementation

Download Splunk

Sign up and download Splunk.


Once logged in, go to ‘Products’ tab and choose ‘Free trials & Downloads’.


Go to the Linux tab and download the .deb file to the host machine.


Put Splunk on Ubuntu VM

Log in to the Ubuntu VM created earlier and install the VirtualBox guest additions ISO:

sudo apt-get install virtualbox-guest-additions-iso

Say yes to prompts.


Once it is finished, go to the ‘Devices’ tab on the VM and open ‘Shared Folder Settings…’. Select the folder that Splunk is in and check the three boxes.

Reboot the VM to apply the changes.

sudo reboot

Install the VirtualBox guest utilities:

sudo apt-get install virtualbox-guest-utils

Add user to the vboxsf group.

sudo adduser telepathy vboxsf

Make a directory called ‘share’.

mkdir share

Mount the share.

sudo mount -t vboxsf -o uid=1000,gid=1000 AD share/

Move into the share directory and install the Splunk package:

sudo dpkg -i splunk...amd64.deb

Move to the /opt/splunk directory and switch to the splunk user:

cd /opt/splunk
sudo -u splunk bash

Move into the bin directory and start Splunk:

cd bin
./splunk start

Scroll down, accept the license, and create the Splunk credentials.

Set Splunk to run on bootup as user ‘splunk’.

exit
cd bin
sudo ./splunk enable boot-start -user splunk

Splunk Universal Forwarder & Sysmon

On the target machine, open Splunk in the browser:

192.168.10.10:8000

Download the Splunk Universal Forwarder from the Splunk website.

Navigate to the downloaded file and double click. Check the box and go next.

Set the username to ‘admin’.

Enter the Splunk server’s IP and the default receiver port, 9997, then install.

Download Sysmon.

Extract it to the folder.

Download the raw config file.

Open a PowerShell terminal with ‘Run as administrator’.


Move into the Sysmon directory and run it with the config file.

cd C:\Users\Telepathy\Downloads\Sysmon

Run Notepad as administrator and create the forwarder’s inputs.conf:

[WinEventLog://Application]
index = endpoint
disabled = false

[WinEventLog://Security]
index = endpoint
disabled = false

[WinEventLog://System]
index = endpoint
disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational


Save it in:

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

Run Services as administrator and select SplunkForwarder.

Change ‘Log on as’ to ‘Local System account’ and restart the service.

Go to the Splunk portal on port 8000 and log in.

Go to settings then indexes.

Create a new index called ‘endpoint’: click on ‘New Index’, name it ‘endpoint’, then save.
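Two mistakes silently leave the ‘endpoint’ index empty: a stanza left disabled in the inputs.conf above, or an index name that was never created on the server. The following Python check is an added example, not part of the original post or of Splunk’s tooling; it parses the walkthrough’s inputs.conf and takes the set of server indexes as a hand-supplied argument rather than querying Splunk.

```python
"""Added check of a Universal Forwarder inputs.conf against the indexes
that exist on the Splunk server (illustrative, not Splunk's own tooling)."""
import configparser

# The inputs.conf from the walkthrough above, embedded as sample input.
INPUTS_CONF = """[WinEventLog://Application]
index = endpoint
disabled = false

[WinEventLog://Security]
index = endpoint
disabled = false

[WinEventLog://System]
index = endpoint
disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
"""

def parse_inputs(text):
    """Return {stanza: {key: value}}. Splunk .conf files are INI-style with
    '=' separators and case-sensitive keys, so renderXml keeps its case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_inputs(text, server_indexes):
    """Return a list of problems; an empty list means the file is sound."""
    problems = []
    for name, kv in parse_inputs(text).items():
        if kv.get("disabled", "false").lower() not in ("false", "0"):
            problems.append(f"{name}: input is disabled, nothing is forwarded")
        idx = kv.get("index")
        if idx is None:
            problems.append(f"{name}: no index set, events land in the default index")
        elif idx not in server_indexes:
            problems.append(f"{name}: index '{idx}' was never created on the server")
        if "Sysmon" in name and kv.get("renderXml", "false").lower() != "true":
            problems.append(f"{name}: set renderXml = true so Sysmon fields are parsed")
    return problems

if __name__ == "__main__":
    # Simulate the server before the 'endpoint' index exists: four findings.
    print(*check_inputs(INPUTS_CONF, {"main"}), sep="\n")
```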

Go to settings then forwarding and receiving.

Click on configure receiving. Then new receiving port.

Click on Apps, then Search & Reporting.

Events are coming through. Do the same on the Active Directory server, and Splunk and Sysmon will be installed and configured.

This post is licensed under CC BY 4.0 by the author.
