Marvel Lab, Release 0.0.1

Jan 15, 2022

Lab Info

1 Installation:

2 Logging:

3 Troubleshooting:

4 Scripts:

5 Tools:

6 Acknowledgements:

7 To Do:

  7.1 Build Steps

  7.2 Troubleshooting Steps

  7.3 Script Explanations

  7.4 Tools

  7.5 Telemetry/Logging Information

CHAPTER 1

Installation:

See Build Steps (section 7.1).

CHAPTER 2

Logging:

This lab is meant to be used for research and detection development. The logging information for this lab is held within the Telemetry/Logging Information page (section 7.5). If there is any other telemetry you would like to see, let us know!

CHAPTER 3

Troubleshooting:

Before creating an issue on GitHub, please check out the Troubleshooting Steps page (section 7.2).

CHAPTER 4

Scripts:

Many scripts are used for this build; for explanations of these scripts please see Script Explanations (section 7.3).

CHAPTER 5

Tools:

Tools for red-teaming, blue-teaming, and debugging are installed. To see the full list, visit the Tools page (section 7.4). If there are any other tools you’d like to see, let us know!

CHAPTER 6

Acknowledgements:

• Olaf Hartong’s Sysmon Modular Config

CHAPTER 7

To Do:

7.1 Build Steps

7.1.1 Domain Controller:

1. Build stock Windows Server VM.

2. Go into the Server and download this repo into the C:\ directory. If you downloaded the .zip of the repo, move the child folder to the C:\ directory and rename it to Marvel-Lab.

3. Go into the Earth-DC folder.

4. Run these scripts in order:

• rename-dc.ps1

• deploying-marvel-forest.ps1

• import-marvel-users.ps1

• add-ou.ps1

• Import-GPOBackup.ps1

• Install Logging. Go to Logging below and follow steps.

7.1.2 Workstations (Windows):

1. Build Windows 10 VM.

2. Go into one of the Windows VMs and download this repo into the C:\ directory. If you downloaded the .zip of the repo, move the child folder to the C:\ directory and rename it to Marvel-Lab.

3. Go into one of the Workstation folders. This project supports two different Workstations.

4. Run these scripts in order:

• rename-workstation.ps1

• join-domain.ps1

• updating-groups.ps1

• Tools.ps1

• Install Logging. Go to Logging below and follow steps.

Note: If join-domain.ps1 fails, make sure that the host is pointing to Earth-DC’s IP for DNS.

7.1.3 Workstations (MacOS):

1. Build Mac VM.

2. Pull down the Marvel-Lab repo

3. Go into the Marvel-Lab/Workstations/MacOS/ directory

4. Run these scripts in order:

• build.sh

• tools.sh

• Install Logging. Go to Logging below and follow steps.

Note: If build.sh fails, make sure that the host is pointing to Earth-DC’s IP for DNS.

Adding Earth-DC’s IP: System Preferences -> Network -> Ethernet Adapter -> Advanced -> DNS -> Add the IP of Earth-DC under DNS Servers

Adding domain name to Search Domains: System Preferences -> Network -> Ethernet Adapter -> Advanced -> DNS -> Add marvel.local in the Search Domains

7.1.4 Logging:

Steps to get logging set up:

If you plan on using Splunk/Jupyter Notebooks/OSQuery/Kolide, install the required scripts on the Ubuntu box first, before setting up logging on endpoints.

7.1.5 On Ubuntu box:

1. On the Ubuntu machine download the Marvel-Lab repository.

2. Go into Marvel-Lab/Logging/splunk and run splunk_logging.sh.

3. Go to the hosts and, AFTER Kolide has been set up from the On Windows Workstation and DC instructions, run fleet-pack.sh.

Note: Only Ubuntu 18+ is supported for this script.

7.1.6 On Windows Workstation and DC:

In order to receive logs in Splunk, the splunk_logging.sh script must have succeeded on the Logger box (Ubuntu).

1. Download the Marvel-Lab repository into the C:\ directory. (If you downloaded the .zip of the repo, move the child folder to the C:\ directory and rename it to Marvel-Lab.)

2. Go to KolideIP:8443, set up Username/Password.

3. Set Organization Name to Marvel Lab. You don’t have to do the URL. When it shows you the fleet web address, press Submit, then Finish.

4. Go into Marvel-Lab\Set-Logging and run Set-Logging.ps1.

Note: The Sysmon configuration is up to date with version 11.0. FileDelete events will only be logged within the \Downloads folder of each user. Deleted files are saved within the C:\ArchivedFiles folder.

7.1.7 On MacOS Workstation:

1. Run logging.sh

2. During installation there will be some prompts that need to be filled in when accepting the Splunk License. Exact steps are below:

• Press Enter

• Press q

• Press y, then Enter

• Enter admin username/password of your choice (you might have to do this twice)

7.2 Troubleshooting Steps

1. If the docker containers are not starting correctly after reboot, run sudo docker ps on the splunk box. Make sure the containers were started.

2. If you do not see the GPOs being properly pushed to your workstation, go to the workstation, open powershell.exe and run: gpupdate /force.

7.3 Script Explanations

• rename-dc.ps1

– Powershell script that will rename the computer name of the Domain Controller to: Earth-DC.

• deploying-marvel-forest.ps1

– Powershell script that will create and deploy a forest with the domain name of: marvel.local

• import-marvel-users.ps1

– Powershell script that imports marvel characters from a csv into the AD infrastructure. This script will assign groups to domain users as well.

• add-ou.ps1

– Powershell script that will add the Workstation organizational unit to the AD infrastructure.

• Import-GPOBackup.ps1

– Powershell script that will import multiple Group Policy Objects (GPOs) into the group policy management. GPOs will be linked and enforced with this script as well.

• rename-workstation.ps1

– Powershell script that will rename the computer name of the Win10 workstation to either: Asgard-WrkStn or Wakanda-Wrkstn

• join-domain.ps1

– Powershell script that will join the workstation to the marvel.local domain.

• updating-groups.ps1

– Powershell script that will add users within the LocalAdmin group in AD to the Local Administrators and Remote Desktop Users groups on the host.

– This script will also set a wallpaper for the current user, NOT all users. If you want to update the wallpaper per user, run the following:

    # Create the per-user Policies\System key, then set the wallpaper policy values under it
    New-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ -Name System

    Set-ItemProperty -path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name Wallpaper -value "C:\Marvel-Lab\images\<image_name>.jpg"

    Set-ItemProperty -path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -name WallpaperStyle -value "4"

• Logging.ps1

– Powershell script will give 3 options for endpoint logging:

1) Just to install Sysmon.

2) To install Sysmon and send logs to a HELK build (we do not build this for you; it assumes you already have it built).

3) To install Sysmon and send logs to Splunk.

• Tools.ps1

– Powershell script that will install various different Red-Team tools and Wireshark.

• splunk_logging.sh

– Bash script that will build out Splunk, Portainer, and Jupyter Notebooks within a docker container.

• fleet-pack.sh

– Sets up osquery packs in fleet.

• build.sh

– Rename hostname of MacOS Workstation and binds host to the domain - marvel.local.

• tools.sh

– Install Homebrew/Wget on MacOS Workstation.

• logging.sh

– Installs OSQuery/Splunk Forwarder.

– Configures OSQuery and Splunk Forwarder.

7.4 Tools

7.4.1 Red:

• Powersploit

• Rubeus

• PowershellArsenal

• GhostPack Seatbelt

• Mimikatz

7.4.2 Blue:

• Wireshark

• Sysinternals

7.4.3 Debugging:

• Windows SDK

• IDA Pro

• API Monitor

• DNSpy

7.4.4 Misc:

• Git

• Google Chrome

• Chocolatey

7.5 Telemetry/Logging Information

7.5.1 Data Sensors Available:

• Windows Event Logs (Application, Security, System, Setup)

– Security events are being configured/audited via GPO.

• Sysmon

– Configuration is being pulled from Olaf Hartong’s sysmon-modular project

• Zeek

– Logs are stored within the Marvel-Lab directory you created under: Marvel-Lab/Logging/splunk/zeek/zeek-logs

• OSQuery (Mac and Windows)

– Configs are coming from: https://github.com/palantir/osquery-configuration

7.5.2 Analytic Platforms:

• Splunk

– We recommend getting the Developer License Splunk offers and applying it within this lab due to the robustness of logs being collected.

• Jupyter Notebooks

7.5.3 Current data sources being shipped to Splunk:

• Windows Event Logs (Application, Security, System, Setup) (Windows Workstations)

• Sysmon (Windows Workstations)

• Zeek

• OSQuery (Windows/MacOS Workstations)

7.5.4 Splunk Universal Forwarder:

The Forwarder currently has some exclusions set within the inputs.conf. These can be found below:

Event ID 4688:

    blacklist1=EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

Rule was borrowed from: https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

Event ID 4689:

    blacklist2=EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

Rule was borrowed from: https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

Event ID 5156:

    blacklist3=EventCode="5156" Message="(?ms)Application\sName:\s.*\\windows\\system32\\svchost.exe."
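Before writing detections on 4688/4689/5156 in this lab it helps to know exactly which events the three exclusions above swallow. The following is an added example, not code from the Marvel Lab project: it applies the same regexes to constructed sample event messages (abbreviated, not real telemetry) and reports which ones the forwarder would drop.

```python
import re

# The three Splunk UF blacklist rules from the Marvel Lab inputs.conf above, as
# (EventCode, Message regex). Splunk drops an event only when every field regex
# in the rule matches, and Message is matched unanchored (search semantics).
# The mid-pattern "(?i)(?:...)" of the 4688/4689 rules becomes the scoped group
# "(?i:...)" because Python's re only allows global flags at the pattern start;
# the meaning (only the path is case-insensitive) is unchanged.
SPLUNK_BIN = (
    r"[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\"
    r"(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|"
    r"powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe"
)
BLACKLIST = [
    ("4688", re.compile(r"New Process Name:\s*(?i:" + SPLUNK_BIN + r")")),
    ("4689", re.compile(r"Process Name:\s*(?i:" + SPLUNK_BIN + r")")),
    ("5156", re.compile(r"(?ms)Application\sName:\s.*\\windows\\system32\\svchost.exe.")),
]


def is_excluded(event_code, message):
    """True if the forwarder would drop this event before it ever reaches Splunk."""
    return any(code == event_code and rx.search(message) for code, rx in BLACKLIST)


def forwarded(events):
    """The (EventCode, Message) pairs that survive the blacklist."""
    return [e for e in events if not is_excluded(*e)]


# Constructed sample events (not real telemetry); message bodies are abbreviated.
SAMPLE_EVENTS = [
    ("4688", "New Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"),
    ("4688", "New Process Name:\tc:\\program files\\splunkuniversalforwarder\\bin\\splunk-winevtlog.exe"),
    # A child of splunkd: the rule keys on New Process Name only, so this is still forwarded.
    ("4688", "New Process Name:\tC:\\Windows\\System32\\cmd.exe\r\n"
             "Creator Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"),
    ("4689", "Process Name:\tC:\\Program Files\\Splunk\\bin\\btool.exe"),
    # Every connection from an svchost-hosted service (DNS client, BITS, Windows Update, ...)
    # is dropped, so 5156 gives no visibility into that traffic in this lab.
    ("5156", "Application Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\r\n"
             "Direction:\tOutbound"),
    ("5156", "Application Name:\t\\device\\harddiskvolume2\\program files\\google\\chrome\\chrome.exe\r\n"
             "Direction:\tOutbound"),
]

if __name__ == "__main__":
    for code, msg in SAMPLE_EVENTS:
        print(code, "dropped" if is_excluded(code, msg) else "forwarded", msg.splitlines()[0])
```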
