All *NEW CONTENT* for 2021.
This is the course I wish I had.
I've been scouring YouTube and Udemy for a complete course that can walk beginners through building a Cyber Range, from start to finish, which includes a Windows Active Directory environment, vulnerable web apps and a full-featured SIEM such as the ELK Stack. There is a terrible shortage of high quality teaching in this subject. So what did I do? I marshalled my years of expertise and training to build the best resource for building an ethical hacking cyber attack and defense lab. I hope to see more training like this on Udemy.
This course is a 100% hands-on workshop. There are no PowerPoint slides.
By the end of the course you will have the confident feeling and satisfaction of knowing EXACTLY how modern attacks take place on corporate networks.
We cover everything, nothing is left out. For example, here is a sample of the tools and technologies you will use and learn as you progress through the course:
Zeek (Formerly Bro, Industry standard Network Metadata solution)
Suricata (IDS and Network Security Monitoring)
Stenographer (Google's robust full packet capture solution)
Wireshark (Analyze packets and protocols)
Network Miner (Extract files from packet captures)
Wazuh (Powerful open-source EDR)
Beats (Log shipper for Windows Event logs and more)
OSQuery (Well-known awesome endpoint visibility tool)
Sysmon + Sysmon-Modular (Endpoint visibility on steroids)
Strelka (Automatically detects and analyzes malware and shoots to YARA for analysis)
pfsense (Open-source firewall)
Burp Suite
Nmap
And much much much more...
I am constantly adding to and improving this course, so it will not get outdated.
Once you enroll you will be grandfathered into a lifetime of updates.
This course also provides the perfect backdrop to any other ethical hacking courses you take on Udemy because you will have a safe, isolated, realistic environment to hack, detect and block adversary actions. You will be truly building the ultimate learning resource for ethical hacking. So what are you doing still reading this? Jump inside and let's start building your cyber range.
Technically you could build the Cyber Range using VirtualBox but I strongly recommend against this. Although VirtualBox is a fully capable open-source solution, the complexity and scale of our range is better suited for VMware Workstation. Therefore, in this lecture I will show you how to download VMware Workstation Pro!
And now we will install VMware Workstation Pro. As you will see, this is a fairly straightforward process!
Yes! Now things are about to get fun. First we need to install Security Onion 2 which will become the nexus for our Security Operations Center ("SOC"). This is arguably the most capable, free, open source platform for threat hunting, network security monitoring, and log management in existence right now.
The most complicated (and critical) part of installation is getting the VMWare network adapters properly configured so in this lecture I will carefully explain the adapter setup and help you understand the purpose behind everything we are doing!
Ok, so it's time to wrap this thing up. In this lecture I'll step you through each screen of the Security Onion 2 setup so you can quickly get your SIEM up and running. I'll also explain a few "gotchas" to watch out for during the setup process! Let's do this baby!
What's a network without a firewall? We can't have a realistic cyber range without one! If you're fortunate enough to have a Palo Alto license you could just import a Palo Alto OVA into your range and pat yourself on the back, but the next best thing to that is pfSense. Thousands of organizations trust pfSense to secure their networks as it is truly one of the best, production ready appliances for protecting an enterprise. Today, you are going to set it up!
We will install and configure pfSense. Don't worry it is NOT as complicated as you might think. I'm going to show you a simple, step-by-step approach to getting it ready for our Cyber Range. It will function like a real firewall as it will protect our internal hosts from external threats and will also mirror traffic to Security Onion 2 so we can monitor and analyze any suspicious activity.
Some security researchers and people who play CTFs such as HackTheBox and TryHackMe love ParrotSec. This is a great alternative to Kali Linux but Kali is still the pentest standard. That's why in this lecture I'm going to walk you through setting up our attacker VM: Kali Linux. I'll show you the easiest way to set it up. We'll update the distro, join our internal LAN and prime the box for attacking our targets.
Now that we have Kali set up, we're going to sign in to the pfSense GUI and configure it so that it mirrors all traffic to Security Onion 2 for analysis. This will be important later as we start analyzing events in Kibana and hunting for evil.
It's time to log in to the Security Onion 2 Console (SOC) to see the beautiful alerts dashboard! We're not going to see anything particularly exciting yet as we haven't launched any attacks so the purpose of this test is just to confirm we can access and authenticate into the appliance!
In this lecture we are going to download and install Metasploitable2. Yes, Metasploitable2 is an ancient VM but it's still an extremely good resource for learning how to hack. Then we will attack the target from our Kali endpoint and watch how the Security Onion 2 SIEM not only logs the nmap scan but also, through Suricata, logs the DHCP request against pfSense and alerts us that an attacker is on our network! It's going to be awesome! Let's dive right in.
Every Cyber Range must have Windows 10 targets. Given the ubiquity of Windows 10 it is a must for realism and detection engineering. So in this lecture we're going to get things started by downloading Windows 10! In later lectures we'll instrument the endpoint with Sysmon, OSQuery, Wazuh, Windows Defender and more. It's going to be awesome, awesome awesome! This is truly the course I wish I had when learning Information Security!
Yes! Alright, now we need to make sure we have the right logging set up so when we breach the victim we can see what we did in Security Onion and our SIEM. Let's start by enabling PowerShell module, script block and transcription logging!
Now let's turn on Windows Defender Firewall logging, because by default it is disabled. We will need to enable it, otherwise we won't see nmap scanning our Windows 10 target.
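The two lectures above are usually clicked through in the Group Policy editor; as an added example (not a script from the course), here is the same configuration done from an elevated PowerShell prompt on the Windows 10 victim, writing the policy registry keys Group Policy would write and turning on firewall logging for all three profiles. The transcript directory C:\PSTranscripts is an assumption; any path your log shipper can read will do.

```powershell
# Added example, not the course's own script. Run elevated on the Windows 10 victim.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the policy key if needed and (over)write one value under it.
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module logging: record pipeline execution details for every module ('*').
Set-PolicyValue "$Base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$Base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Script block logging: log the content of each script block as it runs
# (Event ID 4104 in Microsoft-Windows-PowerShell/Operational).
Set-PolicyValue "$Base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Transcription: write a per-session transcript of all input and output.
# C:\PSTranscripts is an assumed location; point it wherever Winlogbeat/Wazuh can read.
Set-PolicyValue "$Base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$Base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$Base\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# Windows Defender Firewall logging is off by default for every profile. Log both
# allowed and dropped packets so an nmap scan of this host shows up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogAllowed True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# Verify the effective settings before moving on to the log shippers.
Get-ItemProperty "$Base\ScriptBlockLogging", "$Base\ModuleLogging", "$Base\Transcription" |
    Format-List EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting, OutputDirectory
Get-NetFirewallProfile | Select-Object Name, LogAllowed, LogBlocked, LogFileName
```

Transcripts and the firewall log are plain files, so remember to add their paths to whichever shipper you configure later; the 4103/4104 PowerShell events are picked up from the event log without extra configuration.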
Sysmon will give us unparalleled visibility into the endpoint. By instrumenting our victim node with Sysmon we will receive enriched telemetry in Kibana that will augment our hunt for evil. For example, by enabling Sysmon (along with Sysmon-modular by Olaf Hartong) we will see process hashes, parent-child process relationships, command line invocations and more. It's going to be awesome! Oh, and I almost forgot to mention it's super easy to set up!
Wazuh (pronounced "Wah - Zoo") is a free, open source security monitoring and endpoint detection and response ("EDR") solution. It provides security analytics, host based intrusion detection, log data analysis, file integrity monitoring, vulnerability detection and more. Sounds awesome, right? Yup, we're setting it up on our Windows 10 victim! Yippie Kai Yay, let's go!
This is the final piece of the puzzle as we strive to have truly performant endpoint visibility. Beats will ship Windows Event Logs, Windows Defender Logs, Sysmon, PowerShell logs and more to our ELK stack and give us everything we need to practice hacking in our Cyber Range!
In this super quick lecture, I'm simply going to walk you through enabling Windows Defender Audit logs so we can begin shipping that telemetry to our Security Onion 2 Console! w00t!
OSquery lets us query almost any data on our endpoint as if it were a giant database of discrete tables. Fleet is the sexy GUI that makes the entire thing look awesome. We will set up both in this lecture. You'll see how awesome this tool is: it basically gives us endpoint visibility into everything from scheduled tasks (often used for attacker persistence), local ARP tables (used for attacker pivoting), basic system information (used for attacker enumeration) and more! Let's do this baby!
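To make the "giant database" idea concrete, here is an added example (not code from the course or the osquery project) that runs the three lookups mentioned above, scheduled tasks, the ARP cache and system information, through osqueryi from PowerShell and flags scheduled tasks that look like persistence. The install path in $OsqueryI is assumed to be the default Windows location; the Where-Object filter is a simple heuristic, not an osquery feature.

```powershell
# Added example, not the course's own code. Run elevated so scheduled_tasks is readable.
$OsqueryI = 'C:\Program Files\osquery\osqueryi.exe'   # assumption: default install path

function Invoke-Osquery {
    # Run one SQL statement through osqueryi and return the rows as objects.
    param([Parameter(Mandatory)][string]$Query)
    $raw = & $OsqueryI --json $Query          # --json emits one JSON array of rows
    if ($LASTEXITCODE -ne 0) { throw "osqueryi failed for: $Query" }
    return ($raw -join "`n") | ConvertFrom-Json
}

# 1. Scheduled tasks: a favourite persistence location. Flag hidden tasks and tasks
#    whose action lives in a user-writable path or launches a shell directly.
$tasks = Invoke-Osquery "SELECT name, path, action, enabled, hidden FROM scheduled_tasks;"
$suspect = $tasks | Where-Object {
    $_.hidden -eq '1' -or
    $_.action -match '(?i)\\Users\\|\\Temp\\|\\AppData\\|powershell|cmd\.exe'
}
"Scheduled tasks: $(@($tasks).Count) total, $(@($suspect).Count) worth a closer look"
$suspect | Format-Table name, action -AutoSize

# 2. ARP cache: which neighbours this host has recently exchanged traffic with.
Invoke-Osquery "SELECT address, mac, interface, permanent FROM arp_cache;" |
    Format-Table -AutoSize

# 3. Basic system information, the same facts an attacker enumerates first.
Invoke-Osquery "SELECT hostname, cpu_brand, physical_memory, hardware_vendor, hardware_model FROM system_info;" |
    Format-List
```

osquery returns every column as a string, which is why the filter compares hidden against '1' rather than a number; the same queries can be pasted into a Fleet live query once the agent is enrolled.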
Oh man this is really really going to be fun lol. So in this lecture you are going to emulate compromising a Windows 10 endpoint in your Cyber Range and then we're going to do some adversary simulations with basic host recon. We'll wrap things up by searching the events in Kibana! I'll show you A - to - Z how to pull this off. Let's go!
Awww yeah! Now we're going to leverage Red Canary's awesome Atomic Red Team tests (https://atomicredteam.io/) to confirm our Windows 10 endpoint is properly instrumented and generating telemetry as expected!
In this lecture we're going to detect our Mimikatz attack in Kibana. We're also going to use Fleet, the GUI for OSquery, to detect the malware process in memory. Let's go!
You can't have a cyber range without a Domain Controller ("DC"). The DC will become a key component for all Active Directory based attacks and defenses such as Kerberoasting and others. In this lecture you'll learn how to download and install Windows Server 2019 and then join it to the Cyber Range internal network.
Now it's time to promote that bad boy to a Domain Controller and then install OSQuery, Winlogbeat, Wazuh and Sysmon (with sysmon-modular) so we can start shipping logs to Kibana for analysis!
Now we need a domain user account. Let's create the CEO of our fictitious company and populate the required fields for his office number, email address and title. This is a quick one so let's go!
This lecture is really just for the fun of it (totally optional). I just wanted to show you a little tip for making your range feel more like a realistic corporate network. You'll see one of the top places I go to download faces, royalty free images, that we can use for our fictitious Active Directory user accounts.
In this lecture it gets REAL. I'm going to show you how to install the latest copy of Outlook so we can send maldocs (malicious documents) that contain macros (or whatever we want, for example a Cobalt Strike Beacon) to gain a foothold on the box and begin an attack. I'll walk you through how I configured my domain, the email setup and then I'll show you a test email to prove everything is working. It's easier than you think.
In this lecture you will learn what Kerberoasting is and then we will create a deliberately vulnerable IIS service account with an associated Service Principal Name (SPN) so we can launch a Kerberoasting attack in the next lecture! Oh yeah! Let's do this baby!
Now it's time to blast the box. We're going to kerberoast our fake user using Invoke-Kerberoast from PowerSploit and then extract the hash, get it over to our Kali cracking rig, crack the hash with Hashcat and investigate any observables left behind from the attack. Are you ready for this!!!??
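The lecture above ends by investigating the observables the attack leaves behind. As an added example (not code from the course), here is what that check looks like on the Domain Controller itself: a service ticket request for a user-owned SPN is logged as Security Event ID 4769, and a successful request for an RC4 ticket (TicketEncryptionType 0x17) against an account that is neither a machine account nor krbtgt is the classic Kerberoast indicator, since domain-joined Windows clients normally negotiate AES. The constructed sample tickets (including the name svc_iis) are made up to show what the filter keeps; the "Audit Kerberos Service Ticket Operations" subcategory must be enabled for 4769 events to exist at all.

```powershell
# Added example, not the course's own code. Run on the DC with rights to read the Security log.

function Test-KerberoastIndicator {
    # Returns $true for a ticket that matches the Kerberoast pattern.
    param([Parameter(Mandatory)]$Ticket)   # needs ServiceName, TicketEncryptionType, Status
    $svc = $Ticket.ServiceName
    return ($Ticket.TicketEncryptionType -eq '0x17') -and   # RC4-HMAC requested
           ($Ticket.Status -eq '0x0') -and                  # request succeeded
           ($svc -notlike '*$') -and                         # machine accounts end in $
           ($svc -ne 'krbtgt')                               # TGT renewals are not roasting
}

function ConvertFrom-Event4769 {
    # Flatten one 4769 EventLogRecord into a simple object using its XML payload.
    param([Parameter(Mandatory)]$Record)
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    $get = { param($n) ($data | Where-Object Name -eq $n).'#text' }
    [pscustomobject]@{
        Time                 = $Record.TimeCreated
        Requester            = & $get 'TargetUserName'
        ServiceName          = & $get 'ServiceName'
        TicketEncryptionType = & $get 'TicketEncryptionType'
        Status               = & $get 'Status'
        IpAddress            = & $get 'IpAddress'
    }
}

function Find-Kerberoast {
    # Pull recent 4769 events from the live Security log and keep only the suspicious ones.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4769 $_ } |
        Where-Object { Test-KerberoastIndicator $_ }
}

# Constructed sample tickets (not real log data) to show which rows survive the filter.
$samples = @(
    [pscustomobject]@{ ServiceName = 'WS01$';   TicketEncryptionType = '0x12'; Status = '0x0'  }  # machine, AES
    [pscustomobject]@{ ServiceName = 'krbtgt';  TicketEncryptionType = '0x17'; Status = '0x0'  }  # TGT, ignored
    [pscustomobject]@{ ServiceName = 'svc_iis'; TicketEncryptionType = '0x17'; Status = '0x0'  }  # flagged
    [pscustomobject]@{ ServiceName = 'svc_iis'; TicketEncryptionType = '0x17'; Status = '0x1b' }  # failed request
)
$samples | Where-Object { Test-KerberoastIndicator $_ } | Format-Table   # only the third row remains

# Live check, grouped by requesting user so one account pulling many RC4 tickets stands out.
Find-Kerberoast -Hours 24 | Group-Object Requester | Sort-Object Count -Descending |
    Select-Object Count, Name
```

In Kibana the same logic is a filter on event.code 4769, the encryption type field and the service name, which is worth building as a saved search so the next Kerberoast run lights up without digging.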