
Lab introduction

This lab is guided and inspired by the MyDFIR YouTube channel. It is part of the 30-Day SOC Challenge, aimed at building practical SOC-analyst skills.

In this lab exercise, I build a miniature SOC lab around the ELK Stack on the Google Cloud Platform (GCP). The purpose of the exercise is to practice both offensive and defensive work: run realistic attacks against the lab's endpoints, detect and investigate them, and then set up countermeasures against those attacks.

Important tools and services I’ll be using are:

  • ELK Stack
  • GCP - Google Compute Engine
  • Draw.io
  • Microsoft Windows Server 2022
  • Ubuntu Server 24.04 LTS
  • Microsoft Sysinternals - Sysmon
  • Mythic C2
  • osTicket

Things I’ll be doing:

  • Draw diagrams and plan out the process
  • Set up and configure Elasticsearch and Kibana
  • Set up log ingestion from endpoints
  • Attack, detect, and investigate SSH and RDP brute-force attacks
  • Run Command and Control (C2) against a compromised host over RDP using Mythic
  • Create alerts and dashboards in Kibana
  • Set up and integrate a ticketing system
  • Investigate alerts and defend against the attacks

Other tools and services are explained in each step as I go through the process. Let’s get started with the lab!



© 2020-2025 Ucchas Muhury