How to Easily Build a Malware Testing Lab with Elastic EDR and TCM's AD Lab

Learn how to easily create your own malware testing lab with a pre-configured Elastic EDR in Docker, integrated with TCM Security’s AD lab for malware evasion testing.

Table of Contents

  1. Introduction
  2. Initial Lab
    1. Pre-requisites
    2. Setting up the Domain Controller
      1. Creating the Domain Controller VM
      2. Make this machine the Domain Controller
    3. Setting up the User Machines
    4. Setting up Users, Groups, and Policies on the Domain Controller
    5. Join User Machines to Domain
  3. Adding Elastic EDR
    1. Installing Docker on Ubuntu
    2. Creating Elastic Container
    3. All Elastic EDR container options
  4. Conclusion
  5. References

Introduction

I wanted to test malware evasion techniques specifically against Elastic EDR, so I decided to build an Active Directory (AD) lab for this purpose.

In this blog post, I’ll guide you step-by-step on how to create your own malware testing environment.

We’ll containerize Elastic EDR using Docker, with a fully pre-configured setup that includes Elasticsearch, Kibana, Fleet, and the Detection Engine.

For the AD lab, we’ll use TCM Security’s Active Directory Lab as the foundation.

Initial Lab

This section focuses on creating 3 VMs: 1 Domain Controller and 2 User Machines.

This initial lab is based entirely on TCM’s Active Directory Lab from the Practical Ethical Hacking Course. I highly recommend checking out their course.

However, you can use any lab environment you prefer, such as GOAD.

Pre-requisites

Recommended Specs:

  • 60 GB Disk Space.
  • 16 GB RAM.

Download necessary ISOs:

Download virtualization software:

  • VirtualBox.
  • Hyper-V.
  • VMware Workstation Pro.
    • I will use this one.
    • You can download it here.
    • I recommend the version 17.5.1 since it has more features than 17.6.

Setting up the Domain Controller

Creating the Domain Controller VM

  1. After opening VMware, click on "Create a new Virtual Machine".
  2. Next, select the Typical configuration and click Next.
  3. Select Installer disc image file (iso), and select the SERVER_EVAL_x64FRE_en-us file you downloaded.
  4. Click Next.
  5. We won't be using Easy Install, so click Next.
  6. You can use the default disk options, and click Next.
  7. Uncheck "Power on this virtual machine after creation", and click Finish.
  8. Click on "Edit Virtual Machine Settings".
  9. Do the following:
    • Remove the Floppy disk.
    • Change the memory to 4 GB of RAM. You can lower this once the setup is finished.
    • Click OK to exit the Virtual Machine's settings.
  10. Power on the VM.
  11. Press Enter 1-2 times until the Windows Setup screen appears.
  12. Click Next > Install.
  13. Select "Windows Server 2022 Standard Evaluation (Desktop Experience)", and click Next.
  14. Accept the license terms, and click Next.
  15. As the type of installation, select Custom.
  16. Click New > Apply > OK > Next, and Windows Server should start installing.
  17. While this installs, you can start installing the User Machines.
  18. After the Server finishes installing, you will be asked to set the Administrator password.
    • For the password, I will use Pa$$w0rd!.
    • Click Next after you enter your password.
  19. Now, you should be able to log in with the password you just set.
    • Press CTRL+ALT+DEL to show the login screen.
    • With VMware, you can send it from the VM menu instead.
  20. If the screen is small, it's because you need to install VMware Tools.
    • On the VM, select VM > Install VMware Tools.
    • Alternatively, you can directly download the VMware Tools package here, extract the .tar with 7-Zip, and open the .iso.
    • Open setup64, click Next and Install.
    • This should install VMware Tools.
  21. Rename your PC (the rest of this guide uses HYDRA-DC):
    1. Search for "About your PC" in the Windows Search bar.
    2. Click on Rename this PC, choose a name, click Next, and click Restart now.

Make this machine the Domain Controller

  1. After logging in, in the Server Manager dashboard, go to Manage > Add Roles and Features.
  2. Click Next until the Server Roles section, check "Active Directory Domain Services" and click Add Features.
  3. Click Next until the Confirmation section, check "Restart the destination server automatically if required", select Yes > Install.
  4. When the installation finishes, select Promote this server to a domain controller.
  5. Select Add a new forest, choose a domain name (the rest of this guide uses MARVEL.local), and click Next.
  6. In the next window, set a DSRM password and click Next.
    • I used Pa$$w0rd! again.
  7. Click Next until the Prerequisites Check, and click Install.
  8. After installation, click Close and restart the Domain Controller VM.
  9. After rebooting, in the Server Manager dashboard, go to Manage > Add Roles and Features.
  10. Click Next until the Server Roles section, check "Active Directory Certificate Services" and click Add Features.
  11. Click Next until the Role Services section and check that the Certification Authority box is checked.
  12. Click Next until the Confirmation section, check "Restart the destination server automatically if required", select Yes > Install.
  13. When the installation finishes, select Configure Active Directory Certificate Services on the destination server.
  14. Click Next. In the Role Services section, check the Certification Authority box.
  15. Click Next until the Validity Period section, and set the validity to 99 years.
  16. Click Next until the Confirmation section, click Configure > Close, and reboot your server.

Your Domain Controller's initial setup is finished! You can now set up the user machines.

Setting up the User Machines

Creating the User VMs

This is almost identical to Creating the Domain Controller VM; the only differences are:

  1. Use the Windows 11 Enterprise Evaluation ISO.
  2. Use Windows 11 Enterprise as the version to install.
  3. I will name the first machine "THEPUNISHER", and the second machine "SPIDERMAN".
  4. VMware will ask you for the encryption type; select Only the files needed to support a TPM are encrypted.
    • I used 12345678 as the password.
  5. After the installation finishes, select Sign-in options > Domain join instead.
    • This allows us to create a local account.
  6. For the user name, I will use frankcastle for THEPUNISHER, and peterparker for SPIDERMAN.
  7. For the password, I will use Password1 for THEPUNISHER, and Password2 for SPIDERMAN.
  8. For the security questions, I will use bob for everything.
  9. Rename the PCs to their VM names, THEPUNISHER and SPIDERMAN respectively, and restart them.

Setting up Users, Groups, and Policies on the Domain Controller

  1. Start the DC (Domain Controller) VM, search for Active Directory Users and Computers, and open it.
  2. Right-click on MARVEL.local and select New > Organizational Unit.
  3. Name it "Groups" and click OK.
  4. Left-click on Users, click on the Type column to sort the entries by type, select all entries of type "Security Group" and drag them to the OU (Organizational Unit) named Groups that you just created.
  5. Right-click on the Administrator user and select Copy....
  6. Create the Tony Stark user:
    • Password: Password12345!
    • Check Password never expires.
  7. Create another user the same way you created Tony Stark:
    • Full Name: SQL Service
    • User Logon: SQLService
    • Password: MYpassword123#
    • Check Password never expires.
    • After creating the user, right-click on it, select Properties, set its description to "My password is MYpassword123#", and select Apply > OK.
  8. Right-click on Users, select New > User.
  9. Create 2 users with this method:
    • First User:
      • Full Name: Frank Castle
      • User Logon: fcastle
      • Password: Password1
      • Check Password never expires.
    • Second User:
      • Full Name: Peter Parker
      • User Logon: pparker
      • Password: Password2
      • Check Password never expires.
  10. In the DC's Server Manager, go to File and Storage Services > Shares > TASKS > New Share.
  11. In the New Share Wizard:
    1. Select SMB Share - Quick.
    2. Click Next 2 times.
    3. Set the share name to hackme.
    4. Click Next until Confirmation, and click Create > Close.
  12. Open cmd.exe on the DC, and run the following command:

    setspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\SQLService

  13. Check that the SQLService SPN is found:

    setspn -l SQLService

  14. Right-click the Ethernet/Wi-Fi icon and click on Open Network & Internet Settings.
  15. On Advanced network settings, select Network and Sharing Center.
  16. On active networks, click on the MARVEL.local connection.
    • In my case, it's Ethernet0.
  17. Next, go to Properties > Internet Protocol Version 4 (TCP/IPv4).
    • Open cmd.exe, run ipconfig, and copy the values from the command output into the IPv4 Properties. This gives the DC a fixed address, so the user machines can keep using it as their DNS server.
    • On the IPv4 Properties, click OK > OK > Close.
  18. Open any folder, go to the Network section, click the blue bar with Click to change..., and choose Turn on network discovery and file sharing.

Now, you just need to make the user machines join the Domain.

Join User Machines to Domain

The final step is to make the user machines join the MARVEL.local Domain.

Repeat the following steps for both User Machines:

  1. On the Windows search bar, search for Control Panel and open it.
  2. Go to Network and Internet > Network and Sharing Center.
  3. On active networks, click on the MARVEL.local connection.
    • In my case, it's Ethernet0.
  4. Next, go to Properties > Internet Protocol Version 4 (TCP/IPv4).
  5. For the DNS server address, use the IPv4 address of the DC:
    • You can get this by running ipconfig in cmd.exe on the DC.
  6. Click OK > OK > Close.
  7. In the Windows search bar, search for Access work or school and open it.
  8. In this new window, click on Connect.
  9. Select Join this device to a local Active Directory domain.
  10. Enter the name of your domain in the new window, click Next, and log in with the Administrator account.
  11. As the account type, select Administrator.
  12. Click Next > Restart Now.
  13. In the Windows search bar, search for Edit local users and groups and open it.
  14. In this new window, left-click Users, right-click Administrator and select Set Password > Proceed.
  15. Set the Administrator password to Password1!.
  16. Only on the SPIDERMAN machine, go to Groups, double-click the Administrators group, and click Add.
    • Enter fcastle and click OK > Apply > OK.
    • This allows you to log in to the SPIDERMAN machine with the fcastle user, enabling lateral movement practice.
  17. Open any folder, go to the Network section, click the blue bar with Click to change..., and choose Turn on network discovery and file sharing.
  18. Only on the SPIDERMAN machine, open any folder, go to the This PC section, click on the 3 dots, and select Map network drive.
  19. In this new window, write \\HYDRA-DC\hackme as the folder, check Connect using different credentials, and click Finish.
  20. Log in using the DC's Administrator account, and check Remember my credentials.
  21. Now, you should have access to the hackme share as Administrator.

Great job! You’ve successfully built the foundation of our lab.

Now, all that’s left is to add Elastic EDR, and your lab setup will be complete!

Adding Elastic EDR

This section will teach you how to add Elastic EDR to any machine using peasead’s elastic-container.

You will need Docker to run Elastic EDR. You can run Docker either in a virtual machine (VM) or directly on your host OS. I'll be using an Ubuntu VM in this guide.

Installing Docker on Ubuntu

1. Set up Docker’s apt repository.

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

2. Install Docker’s packages.

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

3. Verify that the installation is successful by running the hello-world image:

sudo docker run hello-world

4. Optional: grant the default user the right to run Docker without sudo.

# Members of the docker group can control the Docker daemon, which is root-equivalent
# on this host, so only do this on a dedicated lab VM. Log out and back in afterwards
# for the group change to take effect.
sudo groupadd docker
sudo usermod -aG docker $USER

Creating Elastic Container

1. Install the elastic-container prerequisites:

sudo apt-get install jq git curl

2. Clone the Git repository and navigate to the Elastic container directory:

git clone https://github.com/peasead/elastic-container.git
cd elastic-container

3. Edit the .env file and change the following settings:

ELASTIC_PASSWORD="changeme"
KIBANA_PASSWORD="changeme"
WindowsDR=1
LICENSE=trial # enable 30-day free trial with the platinum features (EDR)

4. Run elastic-container.sh.

chmod +x ./elastic-container.sh
sudo ./elastic-container.sh start

5. Open Kibana in your browser, click on the menu (the three horizontal lines), scroll down, and click on Fleet.

6. Select Add agent.

7. Scroll down to Install Elastic Agent on your host, select Windows and copy the PowerShell script.

8. Now, go to each machine from the AD Lab, and follow these steps:

  • Copy the URL from the PowerShell script and paste it into your browser to download the .zip file faster.
  • Once downloaded, extract the contents of the .zip file.
  • Run elastic-agent.exe using the arguments provided in the PowerShell script.
  • If you encounter a certificate trust error, add the --insecure flag to solve it. This disables TLS verification of the Fleet Server certificate, which is acceptable only inside an isolated lab.

9. Now, you should see your machines in the Fleet section of Elastic EDR.
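Before running elastic-container.sh start (step 4), it is worth confirming that the .env from step 3 no longer holds the changeme defaults and still enables the Windows rules and the trial license, since those credentials guard the Kibana and Elasticsearch endpoints of the lab. The script below is an added example written for this guide, not part of peasead's elastic-container; it assumes the simple KEY=VALUE layout and the four keys shown in step 3.

```shell
#!/usr/bin/env bash
# Pre-flight check for the elastic-container .env edited in step 3.
# Added example for this guide, not part of peasead/elastic-container.
# Assumes the file uses simple KEY=VALUE lines (optionally quoted, with an
# optional trailing "# comment"), as the four settings shown above do.

# Print the value of KEY in FILE, without surrounding quotes or a trailing comment.
env_get() {
  local file="$1" key="$2"
  sed -n "s/^${key}=\(.*\)$/\1/p" "$file" | head -n 1 \
    | sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' | tr -d '"'
}

# Set KEY to VALUE in FILE (appending the line if the key is absent).
env_set() {
  local file="$1" key="$2" value="$3"
  if grep -q "^${key}=" "$file"; then
    sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# Return 0 if FILE is safe to start the stack with, 1 otherwise; prints every finding.
check_env() {
  local file="$1" rc=0 key val
  for key in ELASTIC_PASSWORD KIBANA_PASSWORD; do
    val="$(env_get "$file" "$key")"
    case "$val" in
      ""|changeme|password|elastic)
        echo "FAIL: $key is empty or still a well-known default"; rc=1 ;;
      *)
        if [ "${#val}" -lt 12 ]; then
          echo "FAIL: $key is shorter than 12 characters"; rc=1
        fi ;;
    esac
  done
  # WindowsDR=1 loads the prebuilt Windows detection rules; without them the lab raises no alerts.
  if [ "$(env_get "$file" WindowsDR)" != "1" ]; then
    echo "FAIL: WindowsDR must be 1 to load the Windows detection rules"; rc=1
  fi
  # Elastic Defend (the EDR component) needs the Platinum features the trial license unlocks.
  if [ "$(env_get "$file" LICENSE)" != "trial" ]; then
    echo "WARN: LICENSE is not 'trial'; Elastic Defend requires Platinum or trial features"
  fi
  return "$rc"
}

# Usage: ./check_env.sh /path/to/elastic-container/.env
if [ "$#" -gt 0 ]; then
  check_env "$1"
fi
```

Run it as ./check_env.sh .env from the elastic-container directory; it exits non-zero while a finding remains, so it can gate the start command in a wrapper script.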

All Elastic EDR container options

# Start
./elastic-container.sh start
# Destroy containers
./elastic-container.sh destroy
# Stop
./elastic-container.sh stop
# Restart
./elastic-container.sh restart
# Status
./elastic-container.sh status
# Clear all logs
./elastic-container.sh clear

Conclusion

Congratulations! You now have your own fully functional malware lab with Elastic EDR.

I hope this guide was helpful and easy to follow. If you have any questions, feel free to leave a comment or reach out to me directly.

Happy hacking! :)

References

This post is licensed under CC BY 4.0 by the author.