Building a Threat Hunting/Malware Home Lab

Justin Mangaoang
3 min read · May 2, 2024


Threat actors are growing progressively more sophisticated in their methods of distributing malware and compromising organizations or businesses. Therefore, it is important to have the ability to identify any potential threats present within one’s network. To help us understand these threats, we need to have a safe environment where we can securely analyze and examine them.

This lab will contain two virtual machines. One will serve as our Splunk SIEM while the other will act as our victim machine. I will be using a Windows 11 host machine with VMware Workstation already installed. I will also create a separate VMware network adapter that we will use so that both machines will be isolated from our home network.

Below is the network diagram for this lab:

This is the software we will be using:

1. VMware Workstation Pro 17 — https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html

2. Ubuntu Desktop 24.04 LTS — https://ubuntu.com/download/desktop

3. Windows 11 — https://www.microsoft.com/software-download/windows11

4. Splunk Enterprise — https://www.splunk.com/en_us/download.html

5. Splunk Universal Forwarder — https://www.splunk.com/en_us/download/universal-forwarder.html

6. Sysmon — https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

The lab will be broken down into the following sections:

  1. Installing Splunk on Ubuntu 24.04
  2. Setting up the Victim Machine
  3. Configuring Splunk
  4. Generating Telemetry using Atomic Red Team

This lab will not show how to set up the VMs from scratch. I will assume that anyone aiming to replicate this lab is already familiar with installing Ubuntu and Windows 11 from the beginning. If you still need help, you can refer to various resources by googling “how to set up <insert OS here> in VMware.”

I will let you decide how many resources to allocate to each of the VMs. If you want to retain more logs, increase the storage space for your Splunk machine. When it comes to allocating RAM to the VMs, more is always better.

Please take note that you need to create an account with Splunk before you can download their software.

In order for both machines to communicate, they must be connected to the same network. VMware defaults to NAT as the virtual network when creating a new VM. This is suitable when internet access is required for both VMs. However, this lab is meant to be isolated from our home network, so we will need to create a separate network specifically tailored for it.

In the main screen of VMware, select Edit > Virtual Network Editor > Change settings > select Yes on the UAC pop-up.

Click Add network > select the network that you added and uncheck both Connect a host virtual adapter to this network and Use local DHCP service to distribute IP address to VMs.

Click Apply and then Ok.
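Once the isolated network exists, each VM's adapter still has to be moved onto it, and a NIC left on NAT or bridged mode quietly undoes the isolation. The following check is an added example, not part of the original post: it parses a VM's .vmx configuration and flags any adapter that is not a "custom" adapter on the lab VMnet. The .vmx key names and the VMnet name (VMnet2) are assumptions about VMware Workstation's configuration format.

```python
"""Flag VMware NICs that could link a lab VM to the home network.

Added example, not from the original post. It parses a VM's .vmx file
(plain key = "value" lines) and reports any adapter that is not a
"custom" adapter on the isolated lab VMnet. The .vmx key names and the
VMnet name (VMnet2) are assumptions about VMware Workstation.
"""
import re

LAB_VNET = "VMnet2"  # assumed name of the network created in the Virtual Network Editor
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Parse .vmx text into a dict; keys lower-cased because VMware mixes case."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def nic_violations(settings: dict, lab_vnet: str = LAB_VNET) -> list:
    """One finding per enabled NIC that is not attached to the lab VMnet."""
    findings = []
    nics = sorted({k.split(".")[0] for k in settings if k.startswith("ethernet")})
    for nic in nics:
        if settings.get(f"{nic}.present", "TRUE").upper() != "TRUE":
            continue  # a disabled adapter cannot carry traffic
        # Assumption: a missing connectionType behaves like "bridged" (worst case).
        conn = settings.get(f"{nic}.connectiontype", "bridged").lower()
        vnet = settings.get(f"{nic}.vnet", "")
        if conn != "custom":
            findings.append(f"{nic}: connectionType={conn} reaches the host's networks")
        elif vnet.lower() != lab_vnet.lower():
            findings.append(f"{nic}: attached to {vnet or '<unset>'}, expected {lab_vnet}")
    return findings


# Constructed samples: the victim VM before and after moving its adapter to the lab VMnet.
SAMPLE_BEFORE = 'ethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n'
SAMPLE_AFTER = ('ethernet0.present = "TRUE"\nethernet0.connectionType = "custom"\n'
                'ethernet0.vnet = "VMnet2"\n')

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, nic_violations(parse_vmx(text)) or ["isolated"])
```

Run it against the real .vmx of both VMs before powering them on; an empty result for each means no adapter can reach the home network.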

Next: Installing Splunk on Ubuntu 24.04

