
Uncover the Secrets of a Home SOC Analyst Lab! [Step-by-Step Walkthrough]

In this video, I walk through the entire creation of the SOC Analyst home lab by Eric Capuano.

https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro


Every mouse click, screen and configuration step is shown, so you can follow this video to build the lab yourself.





📒 Show Notes 📒


⏰ Markers

1:22 Eric's blog post: So You Want to Be a SOC Analyst

1:25 Virtual Machine Setup

1:35 VMWare Install

2:12 Ubuntu (Attacker) Machine VM install

4:06 Windows (Victim) Machine VM install

4:27 VMWare error "requested power operation is already in progress" and PowerShell fix

4:47 Removing security defenses from Windows VM

5:16 Windows VM defense removal: Turning off Virus and Threat Protection

6:15 Windows VM defense removal: Group Policy Editor

8:01 Windows VM defense removal: Disabling power configurations

10:03 Windows VM defense removal: Safe Boot

11:29 Windows VM defense removal: Registry Editing

14:04 Installing Sysmon on Windows VM

14:55 Installing LimaCharlie Agent on Windows VM

15:10 LimaCharlie - Creating an organization

15:46 LimaCharlie - Installing agent on Windows VM

18:13 LimaCharlie - Configuring LimaCharlie to ingest Sysmon logs from Windows VM

19:45 Sliver - Setup Sliver C2 Framework on Ubuntu VM

20:41 Sliver - Get IP network details (this will be different values on your machine)

22:39 Sliver - Editing /etc/netplan/00-installer-config.yaml with network values

25:58 Sliver - SSH into Ubuntu box

26:13 Sliver - Downloading and installing Sliver

27:50 Sliver - Launching Sliver

29:20 Sliver - Pulling Sliver payload down onto Windows VM (victim)

31:46 Sliver - Accessing the Windows VM from Sliver (using a session)

33:33 LimaCharlie - Seeing the attack activity in LimaCharlie

35:40 Resources to learn more about Windows processes and binaries threat actors use

36:49 Checking VirusTotal via LimaCharlie to see if malware has been seen

38:43 Detection Engineering to detect this attack

40:08 Writing a custom detection rule in LimaCharlie

42:42 Seeing the detection in LimaCharlie work

43:10 Configuring a custom output webhook to add automation and notification to your detection (not in the blog post, but cool so I added it)


RESOURCES IN VIDEO

Eric's So You Want to Be a SOC Analyst blog post: https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro


Lima Charlie: https://limacharlie.io/


Sliver: you'll have to google it yourself; this video could be pulled down if I link to it, for "reasons".


Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon


SwiftOnSecurity Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config


EchoTrail: https://www.echotrail.io/


SANS Hunt Evil Poster: https://www.sans.org/posters/hunt-evil/

Living Off The Land Binaries, Scripts and Libraries: https://lolbas-project.github.io/#



Simply Cyber's mission is to help purpose-driven professionals make and take a cybersecurity career further, faster.




74 Comments


Jane Smith
5 days ago

This post about building a Home SOC Analyst lab explains how to set up virtual machines and security tools to practice real cyber attack monitoring in a safe environment. I remember struggling with cybersecurity tools in class, so I used IT assignment help while managing my workload, which helped me stay organized. It shows that hands-on practice and patience are key to learning technical security skills effectively. Nice post.


eagle sky
Apr 15

This guide shows just how much patience a SOC Analyst needs. You have to stay focused, just like when you're trying to beat a high score in Block Blast: one wrong move and the whole setup fails.
