SEC350 Lab 10.1 Windows Logging - Zacham17/my-tech-journal GitHub Wiki

Active Directory Domain Services on MGMT02

  • In this lab, I added ADDS to the MGMT02 system and connected
  • In order to install ADDS on MGMT02, I needed to allow it to connect to the internet for the install. I allowed internet access for MGMT02 by adding a temporary firewall rule on edge01.
  • The commands that I used to create the firewall rule are shown below:
set firewall name MGMT-to-LAN rule 999 action accept
set firewall name MGMT-to-LAN rule 999 source address 172.16.200.11
commit
  • To install ADDS on MGMT02, open Server Manager and click Manage > Add Roles and Features.
    • In the Server Roles section, select Active Directory Domain Services.
  • After the ADDS role installs, Server Manager shows a notification to promote MGMT02 to a domain controller. Make sure to do this (this is the first DC, so it creates a new forest). My domain name is "zachary.local".
    • Also leave the DNS server option selected, so the new domain controller hosts DNS for the domain; domain members will need to resolve the domain's SRV records through it.
  • In Tools > Active Directory Users and Computers, I added a basic domain user called zachary-user, and an administrative domain user, called zachary-adm
  • In Tools > DNS, I configured a reverse lookup zone using the 172.16.200.x network address. In the reverse lookup zone I generated the pointer record for the associated A record for MGMT02.
  • REMEMBER: delete the firewall rule that allows MGMT02 to reach the internet as soon as the ADDS install is finished, so the management host is not left with an open path out of the MGMT network. Use: delete firewall name MGMT-to-LAN rule 999, then commit and save.
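The same build-out as the Server Manager steps above, done from an elevated PowerShell session on MGMT02. This is an added example, not the commands from the original lab page; it assumes MGMT02 is 172.16.200.11, that the forest is zachary.local, that the NetBIOS name ZACHARY and the reverse zone name 200.16.172.in-addr.arpa are the defaults for that domain and subnet, and that the passwords are entered interactively rather than stored in the script. It runs in two parts because the promotion reboots the server.

```powershell
# Added example (not from the original lab page): ADDS install, DC promotion,
# lab accounts and the reverse lookup zone for MGMT02 via PowerShell.
# Assumptions: MGMT02 = 172.16.200.11, forest zachary.local, NetBIOS name ZACHARY.

# ---- Part 1: run first; the server reboots when promotion completes ----

# Install the ADDS role binaries and the RSAT tools (AD and DNS cmdlets).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote MGMT02 to the first DC of a new forest, installing DNS at the same time.
# The DSRM password is prompted for so it never sits in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
Install-ADDSForest `
    -DomainName 'zachary.local' `
    -DomainNetbiosName 'ZACHARY' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# ---- Part 2: run after the reboot, logged on as a domain administrator ----

# A day-to-day user and a separate admin account (least privilege: only the
# admin account is added to Domain Admins).
$userPassword = Read-Host -AsSecureString -Prompt 'Password for zachary-user'
New-ADUser -Name 'zachary-user' -SamAccountName 'zachary-user' `
    -UserPrincipalName 'zachary-user@zachary.local' `
    -AccountPassword $userPassword -Enabled $true

$admPassword = Read-Host -AsSecureString -Prompt 'Password for zachary-adm'
New-ADUser -Name 'zachary-adm' -SamAccountName 'zachary-adm' `
    -UserPrincipalName 'zachary-adm@zachary.local' `
    -AccountPassword $admPassword -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'zachary-adm'

# Reverse lookup zone for 172.16.200.0/24, replicated to the domain's DCs,
# plus the PTR for MGMT02 (the promotion already created its A record).
Add-DnsServerPrimaryZone -NetworkId '172.16.200.0/24' -ReplicationScope 'Domain'
Add-DnsServerResourceRecordPtr -ZoneName '200.16.172.in-addr.arpa' `
    -Name '11' -PtrDomainName 'mgmt02.zachary.local'

# Checks: the DC is advertising itself and the PTR resolves back to mgmt02.
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog
Resolve-DnsName -Name 172.16.200.11 -Type PTR
```

Resolve-DnsName with an IP address queries the PTR record automatically; if it returns mgmt02.zachary.local, the reverse zone is wired up the same way the GUI steps above produce.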

Allow ADDS Connections

  • For domain members to talk to MGMT02 for ADDS, the LAN-to-MGMT and MGMT-to-LAN firewalls on edge01 must allow traffic on a set of ports in both directions. The ports required are 53 (DNS), 88 (Kerberos), 135 (RPC endpoint mapper), 389 (LDAP), 445 (SMB), 636 (LDAPS), 3268 and 3269 (Global Catalog), and 1024-65535 (RPC dynamic ports), for both TCP and UDP. Two caveats: 1024-65535 is effectively every high port, and on Windows Server 2008 and later the RPC dynamic range is 49152-65535, so the rule can be tightened to that; and Kerberos password changes use port 464, which is not in this list and should be added if users will change their passwords from the LAN.
  • More information on the ports and their protocols used by ADDS can be found here
  • The commands that I used for firewall configuration are below:
set firewall name LAN-to-MGMT rule 50 action accept
set firewall name LAN-to-MGMT rule 50 description "ADDS Ports to MGMT02"
set firewall name LAN-to-MGMT rule 50 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 50 destination port 53,88,135,389,445,636,3268,3269,1024-65535
set firewall name LAN-to-MGMT rule 50 protocol tcp_udp

set firewall name MGMT-to-LAN rule 30 action accept
set firewall name MGMT-to-LAN rule 30 description "ADDS Ports to MGMT02"
set firewall name MGMT-to-LAN rule 30 destination address 172.16.150.0/24
set firewall name MGMT-to-LAN rule 30 destination port 53,88,135,389,445,636,3268,3269,1024-65535
set firewall name MGMT-to-LAN rule 30 protocol tcp_udp
commit
save

Joining wks01 to the zachary.local Domain

  • On wks01, I first changed the DNS server in the network configuration to 172.16.200.11 (which is mgmt02's IP address).
  • I then added wks01 to the domain using domain admin credentials.
  • I then rebooted wks01 and was able to log in as my domain user.
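The port list from the "Allow ADDS Connections" section and the domain-join steps above, combined into one script run on wks01. It is an added example, not the lab's own commands: it first confirms that the edge01 rules actually let wks01 reach the DC on each required TCP port (the check that would have caught the missing port described under Challenges), then points DNS at the DC and joins the domain. The interface alias 'Ethernet0' is an assumption, as is using 172.16.150.0/24 as the LAN; the DC address and domain name are from the page.

```powershell
# Added example (not from the original lab page): pre-flight port check, DNS
# change and domain join for wks01. Run in an elevated PowerShell session.
# Assumptions: DC is MGMT02 at 172.16.200.11, the LAN NIC is 'Ethernet0'.

$DC        = '172.16.200.11'
$Domain    = 'zachary.local'
$Interface = 'Ethernet0'

# TCP ports from the firewall rules (Test-NetConnection cannot probe UDP).
# 49152 stands in for the 1024-65535 / RPC dynamic range in the rule.
$RequiredTcpPorts = [ordered]@{
    '53'    = 'DNS'
    '88'    = 'Kerberos'
    '135'   = 'RPC endpoint mapper'
    '389'   = 'LDAP'
    '445'   = 'SMB'
    '636'   = 'LDAPS'
    '3268'  = 'Global Catalog'
    '3269'  = 'Global Catalog SSL'
    '49152' = 'RPC dynamic range (sample port)'
}

function Test-DcPorts {
    param([string]$Server, [System.Collections.IDictionary]$Ports)
    foreach ($entry in $Ports.GetEnumerator()) {
        $port = [int]$entry.Key
        $open = Test-NetConnection -ComputerName $Server -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $entry.Value; Open = $open }
    }
}

$portReport = Test-DcPorts -Server $DC -Ports $RequiredTcpPorts
$portReport | Format-Table -AutoSize

$closed = $portReport | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning "Blocked TCP ports to ${DC}: $($closed.Port -join ', '). Fix the edge01 rules before joining."
    return
}

# Point wks01's resolver at the DC; the join locates the DC through the
# _ldap._tcp.dc._msdcs SRV record, which only the DC's DNS can answer.
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DC
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV

# Join with domain admin credentials, then reboot so the domain logon works.
$cred = Get-Credential -Message "Domain admin for $Domain (for example ZACHARY\zachary-adm)"
Add-Computer -DomainName $Domain -Credential $cred -Restart
```

The sampled port 49152 only shows that the high range is open for one port; it does not prove every port in 1024-65535 is reachable, which is another reason to narrow that rule to the actual RPC dynamic range.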

Wazuh Agent Installation on Windows

  • I installed the wazuh agent service on both wks01 and mgmt02

wks01 Wazuh Agent

  • On wks01, I installed the wazuh-agent service by running the following command in PowerShell:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_REGISTRATION_SERVER='172.16.200.10' WAZUH_AGENT_GROUP='windows' 
  • I then started the wazuh agent on wks01, using the command NET START WazuhSvc
  • wks01 then appeared as an agent in the Wazuh Manager

mgmt02 Wazuh Agent

  • To install the wazuh-agent on mgmt02, I had to set the firewall rule on edge01 that allows mgmt02 to connect to the internet. On edge01, I entered:
set firewall name MGMT-to-LAN rule 999 action accept
set firewall name MGMT-to-LAN rule 999 source address 172.16.200.11
commit
  • On mgmt02, I installed the wazuh-agent service by running the following command in PowerShell:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_REGISTRATION_SERVER='172.16.200.10' WAZUH_AGENT_GROUP='windows' 
  • REMEMBER: delete the firewall rule that allows MGMT02 to reach the internet as soon as the Wazuh agent has been downloaded. Use: delete firewall name MGMT-to-LAN rule 999, then commit and save.

  • I then started the wazuh agent on mgmt02, using the command NET START WazuhSvc

  • mgmt02 then appeared as an agent in the Wazuh Manager
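A wrapped form of the one-line install used on wks01 and mgmt02 above. This is an added example, not the page's command or Wazuh's own installer: it adds the step the one-liner skips, checking the downloaded MSI's Authenticode signature before msiexec runs it, waits for the install to finish instead of returning immediately, and then confirms the agent is pointed at the manager and running. The manager address 172.16.200.10, the group 'windows' and the 4.3.10-1 version are from the page; the ossec.conf location and the manager port 1514 are the agent's defaults, and the expectation that the MSI carries a valid signature is an assumption to confirm on your own copy.

```powershell
# Added example (not the lab's one-liner): Wazuh agent install with a signature
# check on the MSI, a synchronous msiexec run, and post-install verification.
# Assumptions: 64-bit Windows (agent installs under Program Files (x86)),
# manager 172.16.200.10 listening on the default agent port 1514/tcp.

function Install-WazuhAgent {
    param(
        [string]$Version = '4.3.10-1',
        [string]$Manager = '172.16.200.10',
        [string]$Group   = 'windows'
    )
    $uri = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version.msi"
    $msi = Join-Path $env:TEMP "wazuh-agent-$Version.msi"

    Invoke-WebRequest -Uri $uri -OutFile $msi -UseBasicParsing

    # Supply-chain check: refuse an unsigned or tampered installer. Downloading
    # over HTTPS only proves who served the file, not that its contents are
    # the vendor's; the Authenticode signature covers the file itself.
    $sig = Get-AuthenticodeSignature -FilePath $msi
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install: signature status is $($sig.Status)"
    }
    Write-Host "MSI signed by: $($sig.SignerCertificate.Subject)"

    # -Wait so the checks after this only run once msiexec has finished.
    $msiArgs = @('/i', $msi, '/q',
                 "WAZUH_MANAGER=$Manager",
                 "WAZUH_REGISTRATION_SERVER=$Manager",
                 "WAZUH_AGENT_GROUP=$Group")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }

    Start-Service -Name WazuhSvc            # equivalent of NET START WazuhSvc
    Remove-Item -Path $msi -ErrorAction SilentlyContinue
}

function Test-WazuhAgent {
    param([string]$Manager = '172.16.200.10')
    # Default config path for the agent (assumption: default install location).
    $conf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
    [pscustomobject]@{
        ServiceStatus     = (Get-Service -Name WazuhSvc).Status
        ManagerConfigured = [bool](Select-String -Path $conf -Pattern "<address>$Manager</address>" -Quiet)
        ManagerReachable  = Test-NetConnection -ComputerName $Manager -Port 1514 `
                                -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}

Install-WazuhAgent
Test-WazuhAgent
```

If ManagerReachable is false on mgmt02, the MGMT-to-LAN rule is the first thing to look at; the agent cannot report in until 1514/tcp to the manager is allowed, and the temporary rule 999 should not be what is providing that path.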

Testing Windows Logging on Wazuh

I did some basic and common tasks to generate logs in Wazuh. They are described below:

  1. On wks01, I logged in as my basic domain user, zachary-user. This produced a security event that logged a "Windows workstation logon success". This log told me the user that logged on and the domain.
  2. On wks01, I attempted to log in as a non-existent user, "eviluser". This produced a log titled, "Logon failure - Unknown user or bad password". The event details showed the "eviluser" username.
  3. On wks01, I attempted to RDP onto mgmt02, using domain admin credentials. This produced a security event for mgmt02 titled, "Successful Remote Logon Detected - NTLM authentication, possible pass-the-hash attack". The event details show the user that logged on over RDP, and the source address of the remote desktop connection.
  4. On wks01, I attempted to RDP onto mgmt02, using a non-existent user, called "evilremoteuser". This produced a security event for mgmt02 titled, "Logon failure - Unknown user or bad password". The event details show the user that attempted to log on over RDP, and the source address of the remote desktop connection.
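The four tests above each come from one Windows Security event (4624 for a successful logon, 4625 for a failure) that Wazuh turns into the titles quoted. As an added example, not part of the original lab and not Wazuh's rule logic, the classifier below reproduces those findings from the event fields, first over constructed sample events so it runs offline, then with a helper that feeds it a host's real Security log. The field names (LogonType, AuthenticationPackageName, IpAddress, Status, SubStatus) are the real 4624/4625 EventData names; the IP 172.16.150.20 for wks01 and every sample value are constructed, not captured from the lab.

```powershell
# Added example (not from the lab page): classify Windows logon events into
# the kinds of findings Wazuh raised above. Sample events are constructed.

$SampleEvents = @(
    # 1. console logon on wks01 (LogonType 2) as the basic domain user
    [pscustomobject]@{ Id = 4624; Computer = 'wks01.zachary.local'; TargetUserName = 'zachary-user'
        TargetDomainName = 'ZACHARY'; LogonType = 2; AuthenticationPackageName = 'Kerberos'
        IpAddress = '-'; Status = $null; SubStatus = $null }
    # 2. console logon on wks01 with a user that does not exist
    [pscustomobject]@{ Id = 4625; Computer = 'wks01.zachary.local'; TargetUserName = 'eviluser'
        TargetDomainName = 'ZACHARY'; LogonType = 2; AuthenticationPackageName = 'NTLM'
        IpAddress = '-'; Status = '0xC000006D'; SubStatus = '0xC0000064' }
    # 3. RDP logon to mgmt02 (LogonType 10) that negotiated NTLM, from wks01
    [pscustomobject]@{ Id = 4624; Computer = 'mgmt02.zachary.local'; TargetUserName = 'zachary-adm'
        TargetDomainName = 'ZACHARY'; LogonType = 10; AuthenticationPackageName = 'NTLM'
        IpAddress = '172.16.150.20'; Status = $null; SubStatus = $null }
    # 4. failed RDP logon to mgmt02 with a non-existent user; with NLA the
    #    failure is recorded as a network logon (type 3), not type 10
    [pscustomobject]@{ Id = 4625; Computer = 'mgmt02.zachary.local'; TargetUserName = 'evilremoteuser'
        TargetDomainName = 'ZACHARY'; LogonType = 3; AuthenticationPackageName = 'NTLM'
        IpAddress = '172.16.150.20'; Status = '0xC000006D'; SubStatus = '0xC0000064' }
)

function Get-LogonFinding {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $who  = "$($Record.TargetDomainName)\$($Record.TargetUserName)"
        $from = if ($Record.IpAddress -and $Record.IpAddress -ne '-') { $Record.IpAddress } else { 'local console' }
        $finding = switch ($Record.Id) {
            4624 {
                if ($Record.LogonType -eq 10 -and $Record.AuthenticationPackageName -eq 'NTLM') {
                    # This is the condition behind the "possible pass-the-hash" title: an
                    # RDP session that authenticated with NTLM rather than Kerberos. A
                    # client that connects by IP address instead of host name produces
                    # the same event, so it is a lead to verify, not proof of an attack.
                    'Successful remote logon with NTLM - possible pass-the-hash, verify'
                } elseif ($Record.LogonType -eq 10) {
                    'Successful remote logon'
                } else {
                    'Workstation logon success'
                }
            }
            4625 {
                # SubStatus separates "no such user" from "wrong password", which the
                # Wazuh title above deliberately merges to avoid leaking which it was.
                switch ($Record.SubStatus) {
                    '0xC0000064' { 'Logon failure - user name does not exist' }
                    '0xC000006A' { 'Logon failure - bad password for existing user' }
                    default      { "Logon failure - status $($Record.Status)/$($Record.SubStatus)" }
                }
            }
            default { 'not a logon event' }
        }
        [pscustomobject]@{ Host = $Record.Computer; User = $who; From = $from
                           LogonType = $Record.LogonType; Finding = $finding }
    }
}

# Same classifier over a live host's Security log (run elevated on wks01 or mgmt02).
function Get-LogonEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Id = $_.Id; Computer = $_.MachineName
                TargetUserName = $d.TargetUserName; TargetDomainName = $d.TargetDomainName
                LogonType = [int]$d.LogonType; AuthenticationPackageName = $d.AuthenticationPackageName
                IpAddress = $d.IpAddress; Status = $d.Status; SubStatus = $d.SubStatus }
        }
}

$SampleEvents | Get-LogonFinding | Format-Table -AutoSize
# Live run:  Get-LogonEvents | Get-LogonFinding | Format-Table -AutoSize
```

The SubStatus split is worth keeping in mind when reading the Wazuh titles: "Unknown user or bad password" is the same rule for both cases, so the underlying 4625 event is where to look to tell a password-guessing attempt against a real account apart from noise against names that do not exist.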

Challenges

  • One challenge that I experienced in this lab was joining wks01 to the domain. I was unable to join wks01 to the domain, so I examined my firewall rules and noticed that I was missing a port to be allowed through the firewall. Once I did that, I was successfully able to join wks01 to the domain.