SSEC350 Lab 10.1 -- Windows Logging - ConnorEast/Tech-Journal GitHub Wiki

Windows Logging Lab

For this lab we set up logging for our internal network through Wazuh. This requires at least 14 port-based firewall rules to be added to the network: 9 TCP and 5 UDP. Below are the expectations for the course.

  • Disable Traveler, NGINX, and Jump [Unless Jump hosts Wazuh]
    --- My Jump box hosts Wazuh and is therefore exempt from this.
  • Active Directory Domain Services must be installed on MGMT02
    ---
  • Access to the following ports must be allowed through the firewall
    --- For the port group, use the VyOS port-group commands. Said commands are linked.

Non-Ephemeral Port      Purpose
UDP 88                  Kerberos authentication (also used over TCP; the rule below allows both)
UDP 138                 NetBIOS datagram service
UDP 389                 LDAP (UDP 389 carries the CLDAP "ping" clients use to locate a DC)
TCP 135                 RPC endpoint mapper
TCP 636                 LDAP over TLS (LDAPS)
TCP 3269                Global Catalog over TLS
TCP 3268                Global Catalog (LDAP)
TCP 139                 NetBIOS session service
TCP/UDP 464             Kerberos password change (kpasswd)
TCP/UDP 445             SMB (SYSVOL, NETLOGON, Group Policy)
TCP/UDP 335             Not a standard AD/DC port; not included in the VyOS rule below, verify against the assignment
TCP/UDP 53              DNS
TCP/UDP 128             Not a standard AD/DC port; not included in the VyOS rule below, verify against the assignment

Ephemeral Port          Purpose
TCP/UDP 1025-5000       Legacy dynamic RPC range (Windows Server 2003 and earlier)
TCP/UDP 49152-65535     Dynamic RPC range (Windows Server 2008 and later; the only range MGMT02 needs)

Note that TCP 3389 (RDP) appears nowhere in this list even though RDP from WKS1 to MGMT02 is an expectation below; it has to be allowed by some rule.
  • Figure out how to install Wazuh Agents on WKs1 and MGMT02
    ---
  • Join WKS1 to the AD forest on MGMT02
    ---
  • Be able to RDP from WKS1 to MGMT02 using valid AD credentials
    ---


  • MGMT Box Installation
    --- Go to Server Manager.
    --- Select "Add Roles and Features".
    --- Select "MGMT02-East" as your server in server selection.
    --- Under Server Roles select "Active Directory Domain Services".
    --- Complete the install and promote the Server.
    --- For the "Deployment Configuration" section add the domain name east.local
    --- Set a DSRM password
    --- Commit all changes and allow server to restart
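The Server Manager steps above as a PowerShell script, with a post-reboot check that the DC actually serves the ports the firewall rules below forward. This is an added example, not code from the lab page; it assumes the NetBIOS name EAST for east.local (not stated on the page) and takes the DC address 172.16.200.11 from the VyOS rules on this page.

```powershell
# Added example (not from the lab page): AD DS install and forest promotion for MGMT02,
# plus a post-reboot health check. Assumed: NetBIOS name EAST; 172.16.200.11 is the DC
# address used in this page's VyOS rules.
#Requires -RunAsAdministrator

$DomainName  = 'east.local'
$NetbiosName = 'EAST'            # assumed short name for east.local
$DcAddress   = '172.16.200.11'   # from the LAN-to-MGMT firewall rules

function Install-EastForest {
    # Same thing "Add Roles and Features" does, without the wizard.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    # DSRM password: prompt for it, never hard-code it. It is the offline recovery
    # credential for the directory database and is independent of any domain account.
    $dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

    Import-Module ADDSDeployment
    # Dry run first: a weak DSRM password, a bad name or a DNS conflict fails here,
    # before anything on the server has been changed.
    $check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -SafeModeAdministratorPassword $dsrm -InstallDns
    if ($check.Status -eq 'Error') { throw "Forest pre-check failed: $($check.Message)" }

    # Promote. -Force suppresses the confirmation prompts; the server reboots when done.
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -SafeModeAdministratorPassword $dsrm -InstallDns -Force
}

function Test-EastDc {
    # Run after the reboot. A firewall rule cannot fix a service that is not listening,
    # so check the DC side before touching VyOS.
    Get-ADDomain | Select-Object DNSRoot, NetBIOSName, PDCEmulator
    Get-Service -Name NTDS, DNS, Netlogon, Kdc | Format-Table Name, Status -AutoSize

    # TCP ports from the lab's port table that a DC serves.
    $expected  = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269
    $listening = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
    foreach ($port in $expected) {
        if ($port -notin $listening) { Write-Warning "DC is not listening on TCP $port" }
    }

    # Clients find a KDC through this SRV record; if it does not resolve, domain joins
    # fail even with every port open.
    Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcAddress |
        Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port
}
```

Run Install-EastForest, let the server reboot, log on as the domain Administrator and run Test-EastDc; any warning it prints points at the DC, not the router.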



  • Management Firewall commands (VyOS)
    # Allow AD traffic from LAN to MGMT02 (main services)
    set firewall name LAN-to-MGMT rule 40 action 'accept'
    set firewall name LAN-to-MGMT rule 40 description 'Allow AD traffic to MGMT02'
    set firewall name LAN-to-MGMT rule 40 destination address '172.16.200.11'
    set firewall name LAN-to-MGMT rule 40 protocol 'tcp_udp'
    set firewall name LAN-to-MGMT rule 40 destination port '53,88,123,135,137-139,389,445,464,636,3268,3269'
    set firewall name LAN-to-MGMT rule 40 source address '172.16.150.0/24'

    # Allow dynamic RPC ports (Windows Server 2008 and later use 49152-65535)
    set firewall name LAN-to-MGMT rule 41 action 'accept'
    set firewall name LAN-to-MGMT rule 41 description 'Allow AD dynamic RPC ports'
    set firewall name LAN-to-MGMT rule 41 destination address '172.16.200.11'
    set firewall name LAN-to-MGMT rule 41 protocol 'tcp_udp'
    set firewall name LAN-to-MGMT rule 41 destination port '49152-65535'
    set firewall name LAN-to-MGMT rule 41 source address '172.16.150.0/24'

    --- Finish with commit and then save, otherwise the rules do not survive a reboot. Rule 40 covers the lab's port table plus 123 (NTP, which keeps Kerberos clock skew under its 5-minute limit) and 137-139 (NetBIOS). Neither rule allows TCP 3389, so the RDP expectation needs its own rule unless an existing one already permits it.



  • Domain Joining Windows Box
    --- Go to "System and security"
    --- Go to System and select "Change Settings"
    --- In System Properties select "Change"
    --- Change the type to Domain and enter the forest name
    --- Use Administrative level account to complete setup
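The domain-join steps above as a PowerShell script for WKS1, with the checks that show whether the join and the RDP expectation actually hold. This is an added example, not code from the lab page; it assumes the adapter alias Ethernet0 and the NetBIOS name EAST (neither is on the page) and takes the DC address 172.16.200.11 from the VyOS rules above.

```powershell
# Added example (not from the lab page): join WKS1 to east.local and verify the result.
# Assumed: adapter alias 'Ethernet0', NetBIOS name EAST, MGMT02 registered in east.local
# DNS; 172.16.200.11 is the DC address from this page's VyOS rules.
#Requires -RunAsAdministrator

$DomainName = 'east.local'
$DcAddress  = '172.16.200.11'
$Adapter    = 'Ethernet0'    # assumed; list yours with Get-NetAdapter

function Join-EastDomain {
    # A join is a DNS lookup first: the client locates a DC through SRV records, so it
    # must resolve through the DC, not through the router or a public resolver.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcAddress
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV'
    "DC locator record points at: $($srv.NameTarget -join ', ')"

    # The wizard's "change to Domain, enter the forest name, use an admin account" step.
    # The lab uses the domain Administrator; outside a lab use a delegated join account
    # that may only create computer objects.
    $cred = Get-Credential -UserName 'EAST\Administrator' -Message "Account permitted to join $DomainName"
    Add-Computer -DomainName $DomainName -Credential $cred -Force -Restart
}

function Test-EastJoin {
    # Run after the reboot, logged on with a domain account.
    (Get-CimInstance -ClassName Win32_ComputerSystem).Domain   # expect east.local
    Test-ComputerSecureChannel                                  # True = machine account trust is good
    nltest "/dsgetdc:$DomainName"                               # which DC answered

    # RDP from WKS1 to MGMT02: a TCP connect on 3389 proves the firewall path. The logon
    # itself still needs Remote Desktop enabled on MGMT02 (off by default on Server) and
    # an account in its Administrators or Remote Desktop Users group.
    Test-NetConnection -ComputerName "MGMT02.$DomainName" -Port 3389 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
}
```

Run Join-EastDomain, let WKS1 reboot, log on with a domain account and run Test-EastJoin; a False from Test-ComputerSecureChannel or TcpTestSucceeded tells you which of the two expectations (join, RDP) is the one still broken.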




  • WKS1 Wazuh Agent Setup
    --- Open Wazuh at "https://172.16.50.4"
    --- Select "Wazuh > Agents"
    --- On the page "Agents" select "Deploy new agent"
    --- On the page labeled "Deploy new agents", put in the needed information.
    --- At the bottom a powershell script should be outputted, run it in an admin powershell box.
    --- After installation, allow TCP 1514 and 1515 in the Windows firewall. The agent initiates these connections outbound to the manager (1514 for events, 1515 for enrollment), so the inbound rule is harmless but what actually has to be open is the path from WKS1 to 172.16.50.4 on those ports.
    --- Run "NET STOP WazuhSvc"
    --- Run "NET START WazuhSvc"




  • MGMT02 Wazuh Agent Setup
    --- On the VyOS router, add the following rule so MGMT02 can make outbound web requests (it is an MGMT-to-LAN rule with MGMT02 as the source, not an inbound rule to MGMT02; it is what lets MGMT02 reach the Wazuh dashboard at https://172.16.50.4):
    set firewall name MGMT-to-LAN rule 40 action 'accept'
    set firewall name MGMT-to-LAN rule 40 description 'Allow MGMT02 web requests'
    set firewall name MGMT-to-LAN rule 40 protocol 'tcp'
    set firewall name MGMT-to-LAN rule 40 destination port '80,443'
    set firewall name MGMT-to-LAN rule 40 source address '172.16.200.11'
    --- If MGMT02 reaches the Wazuh manager through this rule set, TCP 1514 and 1515 must be permitted as well: the agent connects outbound to the manager on those ports, and 80/443 alone only gets you the dashboard and the installer download.
    


    --- Download Chrome as your default browser [because it's nicer]
    --- Open Wazuh at "https://172.16.50.4"
    --- Select "Wazuh > Agents"
    --- On the page "Agents" select "Deploy new agent"
    --- On the page labeled "Deploy new agents", put in the needed information.
    --- At the bottom a powershell script should be outputted, run it in an admin powershell box.
    ---
    ---
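The Wazuh agent steps for WKS1 and MGMT02 above as an unattended PowerShell install, equivalent to the script the dashboard generates under "Deploy new agent", followed by checks that the agent actually enrolled and connected. This is an added example, not code from the lab page or from the Wazuh project; it uses the manager address 172.16.50.4 from the page, and the MSI URL and agent name are parameters you copy from the dashboard's generated command. The wazuh-agent.state file and the install path are assumptions based on the 4.x agent layout.

```powershell
# Added example (not from the lab page or the Wazuh project): unattended Wazuh agent
# install with enrollment checks. Assumed: 172.16.50.4 is both manager and registration
# server (from the page); the MSI URL comes from the dashboard's generated command;
# install path and wazuh-agent.state layout as in the 4.x agent.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$MsiUrl,        # the packages.wazuh.com link the dashboard printed
    [string]$Manager    = '172.16.50.4',
    [string]$AgentName  = $env:COMPUTERNAME,      # WKS1 or MGMT02
    [string]$AgentGroup = 'default'
)

$msi = Join-Path $env:TEMP 'wazuh-agent.msi'
Invoke-WebRequest -Uri $MsiUrl -OutFile $msi -UseBasicParsing

# /q = silent. WAZUH_MANAGER is where events go (TCP 1514); WAZUH_REGISTRATION_SERVER is
# the enrollment endpoint (TCP 1515). Both connections are outbound from this host.
# Add WAZUH_REGISTRATION_PASSWORD=... if the manager requires an enrollment password.
$msiArgs = @('/i', "`"$msi`"", '/q',
    "WAZUH_MANAGER=$Manager",
    "WAZUH_REGISTRATION_SERVER=$Manager",
    "WAZUH_AGENT_NAME=$AgentName",
    "WAZUH_AGENT_GROUP=$AgentGroup")
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "msiexec failed with exit code $($p.ExitCode)" }

# Prove the network path before blaming the agent. A failure here is a firewall rule on
# the way to $Manager (VyOS), not an inbound rule on this host.
foreach ($port in 1514, 1515) {
    $t = Test-NetConnection -ComputerName $Manager -Port $port -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { Write-Warning "TCP $port to $Manager is blocked" }
}

Restart-Service -Name WazuhSvc    # same effect as NET STOP / NET START wazuhsvc
Start-Sleep -Seconds 10

# Enrollment writes client.keys; the state file reports the live connection status.
$agentDir = "${env:ProgramFiles(x86)}\ossec-agent"   # default install path (assumed)
$keys = Get-Item -Path "$agentDir\client.keys" -ErrorAction SilentlyContinue
if ($keys -and $keys.Length -gt 0) {
    'client.keys populated: enrollment over TCP 1515 succeeded'
} else {
    Write-Warning 'client.keys empty or missing: enrollment did not complete'
}
$state = Select-String -Path "$agentDir\wazuh-agent.state" -Pattern '^status=' -ErrorAction SilentlyContinue
if ($state) { $state.Line } else { Write-Warning 'no state file yet; see ossec.log below' }
Get-Content -Path "$agentDir\ossec.log" -Tail 20
```

Run it once per host from an elevated PowerShell, passing the MSI URL the dashboard shows; the agent should then appear as active under Wazuh > Agents, and the two warnings are the usual reasons it does not.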


  • Deliverables

    Deliverable 1:

    Deliverable 2:

    Deliverable 3:

    Deliverable 4:

    Deliverable 5:

    Deliverable 6:

    Deliverable 7:
