Lab 10.1 Windows Logging - Cyber-JL/SEC-350-01 GitHub Wiki
AD Install on MGMT02
- Using PowerShell, run the following:
```powershell
# set up AD DS (Install-ADDSForest reboots the server; run the later commands after the reboot)
Add-WindowsFeature AD-Domain-Services
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Install-ADDSForest -DomainName jude.local -InstallDNS

# manage DNS
Add-DnsServerPrimaryZone -NetworkID "172.16.200.0/28" -ReplicationScope "Domain"

# add a Domain Admin
Add-ADGroupMember -Identity "Domain Admins" -Members jude

# create a new AD admin user
New-ADUser -Name "jude-adm" -AccountPassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members jude-adm
```
Firewall Rules on FW-MGMT
MGMT-to-LAN
```
set firewall name mgmt-to-lan rule 30 action accept
set firewall name mgmt-to-lan rule 30 description "Allow ADDs ports and services"
set firewall name mgmt-to-lan rule 30 destination address "172.16.150.100-172.16.150.250"
set firewall name mgmt-to-lan rule 30 destination port "53,88,135,389,445,686,1024-65535"
set firewall name mgmt-to-lan rule 30 protocol "tcp_udp"
```
LAN-to-MGMT
```
set firewall name lan-to-mgmt rule 50 action accept
set firewall name lan-to-mgmt rule 50 description "Allow ADDs ports and services"
set firewall name lan-to-mgmt rule 50 destination address "172.16.200.11"
set firewall name lan-to-mgmt rule 50 destination port "53,88,135,389,445,686,1024-65535"
set firewall name lan-to-mgmt rule 50 protocol "tcp_udp"
```
Join WSK01 to Domain
```powershell
Add-Computer -DomainName "jude.local" -Restart
```
Install Wazuh Agents on Windows:
- First add the temporary firewall rule below on FW-MGMT, then run the agent install in an administrative PowerShell on WSK01 and MGMT02:
FW-MGMT
```
# temporary firewall rule so MGMT02 can download the Wazuh agent
set firewall name MGMT-to-LAN rule 999 action accept
set firewall name MGMT-to-LAN rule 999 destination port 80,443
set firewall name MGMT-to-LAN rule 999 protocol tcp
set firewall name MGMT-to-LAN rule 999 source address 172.16.200.11
```
WSK01 and MGMT02
```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10.msi;
msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_REGISTRATION_SERVER='172.16.200.10' WAZUH_AGENT_GROUP='windows'
NET START WazuhSvc
```
- Once the Wazuh agent is installed on MGMT02, delete MGMT-to-LAN rule 999 from FW-MGMT.
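A post-lab check that the firewall rules, domain join and agent install above all took effect, written for this page as an added example (not part of the original wiki). It assumes the addresses used on this page (DC/DNS at 172.16.200.11, Wazuh manager at 172.16.200.10) and is run from an elevated PowerShell on WSK01.

```powershell
# Added verification script (not from the original wiki). Assumes the lab addresses below.
$Dc         = '172.16.200.11'   # MGMT02, domain controller / DNS
$WazuhMgr   = '172.16.200.10'   # Wazuh manager
$DomainName = 'jude.local'

# TCP ports from lan-to-mgmt rule 50 that a plain TCP connect can verify.
# Test-NetConnection cannot probe UDP, so DNS/Kerberos over UDP are not covered here.
$AddsTcpPorts = 53, 88, 135, 389, 445, 686

$results = foreach ($p in $AddsTcpPorts) {
    $t = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Dc; Port = $p; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# Agent-to-manager traffic (1514 events, 1515 enrollment) also has to cross FW-MGMT.
# Rule 50 only names the DC address, so a failure here points at the firewall, not the agent.
foreach ($p in 1514, 1515) {
    $t = Test-NetConnection -ComputerName $WazuhMgr -Port $p -WarningAction SilentlyContinue
    'Wazuh manager {0}:{1} reachable: {2}' -f $WazuhMgr, $p, $t.TcpTestSucceeded
}

# Confirm the workstation is a member of the lab domain and that the DC answers for it
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'Domain: {0} (PartOfDomain={1})' -f $cs.Domain, $cs.PartOfDomain
Resolve-DnsName -Name $DomainName -Server $Dc -Type A | Select-Object Name, IPAddress

# Confirm the agent service is running and which manager address it was installed with
Get-Service -Name WazuhSvc | Select-Object Name, Status, StartType
Select-String -Path "${env:ProgramFiles(x86)}\ossec-agent\ossec.conf" -Pattern '<address>'
```

If a port in the first table shows `Open = False`, re-check the matching VyOS rule before touching the Windows side; a `Resolve-DnsName` failure means the domain join will also fail, since `Add-Computer` depends on the DC's DNS.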