Lab 10.1 Windows Logging - FlameSpyro/Tech-Journal GitHub Wiki

Lab 10.1 - Windows Logging


Prerequisites

  • It is advised to make a temporary MGMT-to-LAN rule on the edge router to allow downloads on mgmt02
set firewall name MGMT-to-LAN rule 99 action accept
set firewall name MGMT-to-LAN rule 99 source address 172.16.200.11

Active Directory Installation

  • On the Server manager go to Manage then Add Roles and Features
  • Check off Active Directory Domain Services
  • Ensure DNS is being installed as well
  • Once installed, a popup for creating a domain will appear
  • Create a new forest named name.local
  • Create two users, an admin user in the admin group and a normal user

Firewall Configurations

  • This part took some time, as there are a LOT of ports that need to be added for the domain traffic to get across properly. Here's what I entered:
set firewall name LAN-to-MGMT rule 102 action accept
set firewall name LAN-to-MGMT rule 102 description "Connection to MGMT02"
set firewall name LAN-to-MGMT rule 102 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 102 destination port 53,88,135,389,445,636,3268,3269,1024-65535
set firewall name LAN-to-MGMT rule 102 protocol tcp_udp
  • Don't forget to do it in the other direction too!
set firewall name LAN-to-MGMT rule 103 action accept
set firewall name LAN-to-MGMT rule 103 description "Connection to MGMT02"
set firewall name LAN-to-MGMT rule 103 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 103 destination port 53,88,135,389,445,636,3268,3269,1024-65535
set firewall name LAN-to-MGMT rule 103 protocol tcp_udp

DNS

  • In the DNS service, create a new reverse lookup zone for the 172.16.200.0 network!
  • Once created, you can make a pointer record for MGMT02, which will automatically create an A record as well
  • Enter the DNS server on wks01 and add our domain name as well. We should be welcomed right in after a login prompt!

Wazuh Installation

  • Going back to Wazuh, create a new group for Windows users!
  • Go to the Add page
  • Copy the commands to both wks01 and MGMT02 (the temporary firewall rule is still on, so this will work)
  • Two new Wazuh agents should be added in the GUI
  • Note: you can now delete the temporary firewall rules from earlier

Testing

  • On wks01, simply log in using both an actual user and a fake user to trigger Wazuh warnings
  • Now, RDP into MGMT02 using both a real and a fake user to trigger responses in Wazuh too.
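As an added check that is not part of the original write-up, the following PowerShell, run in an elevated session on MGMT02, lists the successful and failed logon events the test logons should have produced, so a missing Wazuh alert can be separated from a missing Windows event. The lookback window and the machine-account filter are assumptions.

```powershell
# Added example (not from the lab write-up): list the logon events the
# real-user / fake-user tests should have written to the Security log on MGMT02.
# Assumption: run in an elevated PowerShell session on MGMT02.
param(
    [int]$Minutes = 30   # assumed lookback window
)

$since = (Get-Date).AddMinutes(-$Minutes)

# 4624 = successful logon, 4625 = failed logon; these are the events the
# Wazuh Windows agent forwards for the console and RDP tests in this lab.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $result = if ($e.Id -eq 4624) { 'success' } else { 'failure' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Result    = $result
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        # LogonType 10 = RemoteInteractive (RDP), 2 = console, 3 = network
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
        # For 4625, SubStatus explains the failure; 0xC0000064 = unknown user name,
        # which is what the fake-user test should show.
        SubStatus = $data['SubStatus']
    }
}

# Drop machine-account noise (names ending in $) and show the rest in time order.
$rows |
    Where-Object { $_.User -notmatch '\$$' } |
    Sort-Object Time |
    Format-Table Time, EventId, Result, User, LogonType, SourceIp, SubStatus -AutoSize
```

If the failed-logon rows are present here but no alert shows in Wazuh, the gap is on the agent or forwarding side rather than in Windows auditing.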

Challenges

  • The two biggest challenges were definitely finding the long list of ports needed, which I found here
  • The other was a weird error that wasn't allowing wks01 to connect to Wazuh.