Configuring Splunk and Generating Telemetry using Atomic Red Team

Justin Mangaoang
4 min read · May 2, 2024


This is the final phase of the lab. We have built both our SIEM and victim machines. We just need to make some final configuration changes on Splunk and then we can generate some logs.

Access the Splunk Dashboard, navigate to Settings, and then select Add Data.

Select Forward.

Select the victim machine listed under Available host(s), then enter a name for the new server class.

Select Local Event Logs and tick Application, Security and System. Click Next in the upper right-hand corner of the screen.

From the Index dropdown select wineventlog, then click Review in the upper right.

Double-check your current settings and then click Submit.

Now we need to check that the logs are actually arriving. Select Apps in the upper left-hand corner of the Splunk home screen, then Search & Reporting. In the New Search bar, type index="wineventlog".

Run a second search, this time for index="sysmon".

We have confirmed that both Windows Event and Sysmon logs are being forwarded to our Splunk machine. We will now simulate an attack using Atomic Red Team.

First up go to https://attack.mitre.org/matrices/enterprise/ and view the Enterprise Matrix on your host machine. The website will show you all the techniques and sub-techniques that you can emulate.

For my test I will be using T1136.001 or Create Account: Local Account (https://attack.mitre.org/techniques/T1136/001/).

Navigate to the Atomic Red Team folder on the victim machine (the atomics live under C:\AtomicRedTeam\atomics, one subfolder per technique) and verify that a T1136.001 folder exists.

Looks like we are good to go. Open an elevated (Run as administrator) PowerShell window and import the module: Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force.

To view the details of the technique, type Invoke-AtomicTest T1136.001 -ShowDetailsBrief.

To verify if we have all the pre-requisites for the technique, type Invoke-AtomicTest T1136.001 -CheckPrereqs.

We can now run the test. Type Invoke-AtomicTest T1136.001.

The last test failed because the machine does not have an active internet connection. Nevertheless, the other three tests were successful.
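The steps above, put together as one script, as an added example that is not from the original post: it imports the module, reviews and runs the T1136.001 atomics, confirms on the victim machine itself that the Security log recorded the new accounts (event ID 4720, "A user account was created"), and then cleans up. It assumes the module path used in this lab (C:\AtomicRedTeam), an elevated PowerShell session, and an execution log location of my own choosing; the -GetPrereqs step is skipped because this victim machine has no internet access.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# window on the victim machine. Assumes Invoke-AtomicRedTeam is installed under
# C:\AtomicRedTeam, as in this lab.
$ErrorActionPreference = 'Stop'
$Technique = 'T1136.001'
$LogPath   = "C:\AtomicRedTeam\$Technique-execution.csv"   # assumed location for the execution log

Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

# 1. Read what the technique will do before running anything.
Invoke-AtomicTest $Technique -ShowDetailsBrief

# 2. Check prerequisites. (-GetPrereqs would fetch missing ones, but it needs
#    internet access, which this isolated victim machine does not have.)
Invoke-AtomicTest $Technique -CheckPrereqs

# 3. Note the start time, then run every atomic for the technique.
#    -ExecutionLogPath records which test ran when, which is what you line up
#    against the SIEM timeline afterwards.
$Start = Get-Date
Invoke-AtomicTest $Technique -ExecutionLogPath $LogPath

# 4. Local check before going to Splunk: Security event 4720 is logged whenever a
#    user account is created. If nothing shows up here, the forwarder has nothing
#    to ship and the problem is audit policy on the host, not Splunk.
$Created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Start } -ErrorAction SilentlyContinue
"Accounts created since $Start (Security event 4720): $(@($Created).Count)"
foreach ($Event in @($Created)) {
    # Property 0 of a 4720 event is TargetUserName, the SAM name of the new account.
    '  {0}  {1}' -f $Event.TimeCreated, $Event.Properties[0].Value
}

# 5. Remove the accounts the tests created so the lab returns to a known state.
Invoke-AtomicTest $Technique -Cleanup

# 6. Show what actually ran, from the execution log written in step 3.
Import-Csv $LogPath | Format-Table -AutoSize
```

Keep the start time and the execution log: once you switch to the Splunk search bar, the same events should be visible with a search such as index="wineventlog" EventCode=4720 scoped to that window, and any test whose local 4720 event exists but never reaches Splunk points at the forwarder rather than at the host.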

You can now go back to the Splunk dashboard and look at the telemetry generated by the test: in the wineventlog index, Security event ID 4720 (a user account was created) for each account the atomics added, and in the sysmon index, event ID 1 process-creation records for the commands that created them.

Our lab is now complete. So what's next? You can download a malware sample from the internet and detonate it on the victim machine. Just make sure that, once the sample is downloaded, you cut the victim machine's internet connectivity and put it back on the isolated virtual network adapter before you run anything. We do not want malware spreading to the home network.

Happy hunting!

Intro: Building a Threat Hunting/Malware Home Lab

Previous: Setting Up the Victim Machine

