Alket Shabani
    Walkthrough - SOC164 - Suspicious Mshta Behavior

    What is LetsDefend: For those who are not familiar, LetsDefend is a site mainly focused on blue team professionals, especially SOC members. EventID 114: From the alert we see that it is related to LOLBins. LOLBins, or living-off-the-land binaries, are binaries of a non-malicious nature, local to the operating system, that have been utilised and exploited by cyber criminals and crime groups to camouflage their malicious activity.

    December 29, 2022
    pfSense Setup

    In this post I will cover the pfSense configurations made: VLAN setup, firewall rules, VM setup. Since our homelab is built on top of ESXi, pfSense is also stood up there. I have allocated 1 vCPU and 1 GB of memory, which should be enough for this setup. I have run pfSense in a production environment and it is not resource intensive. Initial Configuration: Once pfSense is running we need to configure the WAN and LAN interface

    October 31, 2022
    Wazuh Setup

    October 30, 2022
    Architecture

    In the following sections I will explain what I have created in my HomeLab. Hardware: Dell OptiPlex 7010; Memory: 16 GB; 4 CPUs x Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz; 256 Gb of SSD storage; Hypervisor: ESXi-7. Goal HomeLab Architecture

    October 23, 2022
    Network

    ESXi Network: I do not have a router at this point, so everything will be done on my Dell PC and ESXi. The image below shows the port groups I have created for the HomeLab machines. Since, based on the architecture, we will have 3 VLANs, it is necessary to create 3 port groups in ESXi for them. We also need a trunk port group that will have all VLANs. Trunk and WAN will be assigned to the pfSense VM

    October 23, 2022
    Blue

    This sample post tests the following: Category and sub-category nesting in the sidebar. Hero image and other images are in the images folder inside this post directory. Different media rendering such as image, tweet, YouTube video, Vimeo video, etc. Image Sample

    October 9, 2022
    Red Team Threat Intel

    This sample post tests the following: Category and sub-category nesting in the sidebar. Hero image and other images are in the images folder inside this post directory. Different media rendering such as image, tweet, YouTube video, Vimeo video, etc. Image Sample

    October 9, 2022
    Introduction

    Greetings! This is an introduction post. This post tests the following: Hero image is in the same directory as the post. This post should be at the top of the sidebar. Post author should be the same as specified in the author.yaml file.

    June 8, 2020
    © 2023 Alket Shabani.