I really like your videos, keep it up. Currently got certifications and looking to get into cyber security. Learning a lot while I apply for roles.
In the nmap -A -Pn portion, my Kali machine is reading "unable to determine DNS servers.Reverse DNS is Disabled." Any fix for this?? @MyDFIR
Great video, thanks! Would def love more home lab videos.
Thanks for watching!
I didn't get the additional fields with the Sysmon add-on installed. Any help?
Very nice video. When searching index=endpoint in Splunk, it doesn't find anything. Any solution?
Make sure the index exists. There can be many reasons as to why nothing shows up. Check your time filter as well.
Really enjoyed building this. Do you have a template one could use to put this on a resume as a project? Or as a write up for a blog site?
Thanks! Glad you had fun with it. Unfortunately, I do not have a template.
Don't forget to enable RDP!
1. Open Settings: press Windows + I to open the Settings app.
2. Go to System > Remote Desktop: toggle on the Enable Remote Desktop option.
3. Confirm your selection if prompted.
Yup! Thanks❤️
BRB gotta go install splunk
Amazing series
Thank you ❤️
Hey @MyDFIR, I got lost at 3:06. After scanning, it says no ports were open. Do you know what I did wrong? Thank you for this video.
On your target machine, enable RDP and try again. You should see port 3389
Hello, how do I move Malware into the Isolated VMs, should I use USB Drives, Shared Folders? Thank you in advance for your help!
There are many ways; I usually download it from the internet or via a shared folder, and once it's on the machine, disconnect everything before executing.
Thank you so much, I've been using Kasm Workspaces with Docker but now I wanna try VMware Pro and see how it goes. God bless you brother, keep up the amazing work!
I just bumped into your video and I've been blown away. You just earned a follower. Thanks for the good job.
Awesome, thank you!
When running exploit in the multi handler it is taking forever. Is this normal?
I would double-check the spelling just to make sure. It shouldn't take that long.
Hey DFIR, when I click ‘find more apps’, I get the following message: “Error resolving: No such host is known” so I can’t download the Splunk Add-on for Sysmon. Any advice?
Yeah, you’ll need to be sure to have internet access for that host and download the app.
I did it, yay! Thank you for these useful lab videos.
Lab 1 and 2 are great. Did lab 3 also, but how do I remember all those new things I have done in lab 3 (injecting malware and all the lines written in the prompt)? Is it necessary to remember?
Awesome work! You can take notes for the lines in the prompt. You don't need to remember it exactly but it's good to be aware of it, and doing it more than once will help build muscle memory.
@LakshmiPriyaRachakonda I have some doubts regarding this! Do you think you could help out? And do you have prior knowledge about this?
When searching for more apps in Splunk I get: "Error resolving: No such host is known". What could be the issue?
This is due to no network connection
@@MyDFIR Any way to resolve this, as I'm still able to use my host network when on other webpages in my Windows VM??
Why does my Splunk say "You're just our source type, but we need some extra time to finish setting up your account"?
Are you using Protonmail? I know that happens quite often with that. If so, try a different provider/service.
@@MyDFIR Got it, how do we remove the malware from our machine, just take a snapshot?
I've literally followed everything to a T but when searching index=endpoint "IP address" I get no events shown in Splunk. I also get 0 events when searching index=endpoint Resume.pdf.exe.
Any help here please?
Try restarting your splunk service and make sure your index is created
Hi DFIR! I really hope you respond to this. I have followed each step in lab 1 and 2. I am currently stuck in lab 3. After you used ifconfig to get the IP of the Kali, then you used nmap to scan the same IP of the Kali and it showed you the port. Mine keeps telling me 1000 ports are in ignored state. Pls, what do I do?
You want to scan your target machine, not Kali. Also make sure that services such as SMB and RDP are enabled on your Windows target machine so you can see them from your nmap scan. It is also good to include the flag -Pn when using nmap to ignore host discovery.
@MyDFIR Thank you, I get it now. Why do the IPs differ from the ones you used in the previous videos? Did you randomly assign new IPs in this current lab 3 video?
I made video 2 as an “add-on” if that makes sense. It was more to show you how to change IPs and the different network settings
Can you make a video on what equipment is necessary to begin making the home lab?
Question! When I got into Windows, how do I get an internet connection? Sounds easy, but being on a VM it's hard to connect to use the internet, like you typing the IP and port nr 9999.
Depends on your network adapter, take a look at part 2 for a breakdown
Did everything twice, just getting "Hmmm… can't reach this page".
1. Change your network settings of Windows back to NAT.
2. Open it up and go to the network settings where you assigned the IP manually and change it back to automatic.
3. If you did it correctly you now have an internet connection.
4. Install and configure Sysmon and Splunk and then revert the IP and network settings.
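Scripted version of the four steps above, as an added example that is not code from the video or its author: steps 2 to 4 run inside the Windows VM as Administrator, while step 1 (switching the adapter between NAT and the internal network) is a VirtualBox host-side change shown only as a comment. The adapter alias `Ethernet`, the `192.168.20.0/24` lab addresses and the host used for the reachability check are assumptions; adjust them to your lab.

```powershell
# Added example (not from the video or the thread): run inside the Windows VM as Administrator.
# Step 1 is done on the host in VirtualBox, either in the GUI or with VBoxManage, e.g.
#   VBoxManage modifyvm "<vm name>" --nic1 nat                        # before installing tools
#   VBoxManage modifyvm "<vm name>" --nic1 intnet --intnet1 "lab"     # after the snapshot
# Adapter alias and lab addresses below are assumptions; check yours with Get-NetAdapter.
$Adapter = "Ethernet"

# Step 2: hand the adapter back to DHCP so the NAT network can assign an address.
function Set-LabAdapterDhcp {
    param([string]$InterfaceAlias = $Adapter)
    # Drop the static address and default route left over from the lab setup.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false -ErrorAction SilentlyContinue
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    ipconfig /renew | Out-Null
}

# Step 3: prove the VM can reach the internet before trying to download anything.
function Test-LabInternet {
    $r = Test-NetConnection -ComputerName "www.splunk.com" -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Address = $r.RemoteAddress; Reachable = $r.TcpTestSucceeded }
}

# Step 4 (after Sysmon and Splunk are installed): put the static lab address back.
function Set-LabAdapterStatic {
    param(
        [string]$InterfaceAlias = $Adapter,
        [string]$IPAddress = "192.168.20.10",   # constructed lab address
        [int]$PrefixLength = 24,
        [string]$Gateway = ""                   # constructed; leave empty on an isolated internal network
    )
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
    $args = @{ InterfaceAlias = $InterfaceAlias; IPAddress = $IPAddress; PrefixLength = $PrefixLength }
    if ($Gateway) { $args.DefaultGateway = $Gateway }
    New-NetIPAddress @args | Out-Null
    # DNS is meaningless on the isolated network; clear any NAT-assigned servers.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
}

# Usage:
#   Set-LabAdapterDhcp; Test-LabInternet     # then install Sysmon + Splunk and take a snapshot
#   Set-LabAdapterStatic                     # then move the adapter back to the internal network in VirtualBox
```

Take the VirtualBox snapshot between `Test-LabInternet` and `Set-LabAdapterStatic`, which matches the workflow the author describes later in the thread: the NAT-configured VM with its tools installed stays available as a known good state to revert to.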
When I do nmap from my Kali machine to my Windows machine it is unable to find any open ports. Does anyone else experience this? Both machines are connected on an internal network. Any advice?
Make sure you enable RDP on your host or open some ports like SMB file share.
@@MyDFIR WOW, I am so surprised you responded. I'm trying all sorts of port scans but my nmap in Kali tells me that "All ports are in ignored state". Do you know a solution to this?
@@nathanenterline8610 Try using -Pn and make sure you have some ports opened on your Windows machine. If that works, I'll leave it to you to research why :)
Can you make a video on certifications for SOC analysts?
For certifications, you want “HR friendly” certifications for example Security+. However specifically for a SOC, BTL1 / CCD is really nice and tailored for that environment. This will allow you to obtain TECHNICAL skills however you will still need to learn and work on your SOFT skills along with networking with others.
Your first two parts were great, I set up my VMs without any issues and everything was smooth. This third part threw me off though, because they have a network connected to them and mine are on an internal network with the IP from the second part. Even when switching the network settings to NAT, I don't have internet access, so I am unable to download Splunk or Sysmon. Please advise me on what I need to do.
Yeah, that was not intentional. I would recommend you install Splunk & Sysmon on your Windows machine by reverting the network settings (use NAT and be sure to set your Windows network settings to DHCP), and once both are installed, switch your network settings back to internal network.
Will do that. And just for clarity, everything in this third part was done on an internal network with no access to the internet, correct? And if so, should I change my IP back to what the IP was in the second part of this series for Windows and Kali? @@MyDFIR
Honestly it doesn’t matter if you have network or not for this specific demo, just make sure your VM hosts can communicate with each other and that they are on the same network.
However if you are handling real malware, then yes remove internet access.
Also I'm really late, but in vbox settings you can change the NAT IP to a different one so your attacker and defender machines can both use NAT without being on the same NAT IP.
Love it!!! It seems as if this could be labeled as a Project for job resume purposes. Great videos (1/2/3) to gain experience for those who are having problems getting into the IT Field. Keep up the great work!!!
Thank you!! Nothing puts a smile on my face more than when people like yourself find value in my content. Helps me to keep pushing.
How do you add Splunk and Sysmon to your Windows VM after already putting it in internal network mode? Do you have to change it back to NAT to use the internet? Also, really great videos. Thank you.
Great question - I typically start off with a fresh install with NAT and download the tools needed. Once I have everything ready to go, I’ll snapshot it and then perform whatever I wanted to do. That way if I know a tool needs updating, I could always revert to a known good state and update from there.
Hey, I did this same thing. But I found you can manually install Splunk add-ons. Just search for the Splunk Sysmon add-on and you will find the download page and instructions for manual install. I downloaded it on my host PC, then I copied it to the VM from there.
OK, did I miss it, but how did you get Splunk? Paid?
Nope, not paid, you can sign up for a free trial of Splunk Enterprise on their site.
Bro, please, I have tried downloading the Sysmon add-on but it refuses to download even after changing my password, what's going on?
@mydfir I have changed my password 4 times now, and when I click on install, it asks for a password, and if I input the recent password it keeps saying invalid ID and password. Please, what can I do? I have been on this video for 1 week now and it's really depressing.
Just to make sure, you’re using your splunk user and password correct? The same account used to download splunk
@@MyDFIR Yes I am, I used the same Splunk password and username but it's still doing the same thing.
When I try to connect to the python http server I get a “page took too long to respond” error
Make sure the hosts are on the same network
@@MyDFIR Aye, I got it. Thanks so much for this wonderful tutorial.
Great video, thanks for sharing this information, but I have a question! How come you have fast internet on your virtual machines? How to post the internet service on my virtual machines?
You can search up speedtest on google and see your speeds. It should be the same as what you are currently using
@@MyDFIR
So this is what happens when I run Kali Linux on my VirtualBox. When I go to YouTube or Google the internet is really slow!
This could be due to your VM specs, try increasing them if possible.
@@MyDFIR How can I increase the space of the VM?
Windows 10 works perfectly with NAT on VirtualBox.
I know it's been a while since this was posted, but when I scan for open ports with nmap, it shows they're all closed. It says my Home edition of Windows doesn't support Remote Desktop. Is there some other way to open up that port without upgrading my Windows version? Can't find anything online on what to do in this scenario aside from running a bridged connection instead of internal. Thank you in advance.
You can try and open up a network share. Although it's not RDP, the concept still applies.
@@MyDFIR Thank you! I'm new to this so I'll look this up and then continue to follow along
Perhaps I missed an instruction, but how is it possible for you to log into Splunk while on the internal network? Should I switch the settings back to NAT? As it stands, neither one of my VMs has internet access.
I downloaded Splunk and then put the adapter back to internal network. So yea, switch to NAT, download Splunk and switch back.
Hi MyDFIR! Is it possible that you could also make a video on how to make a report or dashboard using Splunk to show what we have found in the detection?
Anybody knows how I can fix this error: "Found no matches for the service mask 'n' and your specified protocols
QUITTING!"
Deactivated my firewall using a cmd command, it works.
Happy you got it to work!
My 3389 port is filtered what do I do now!?!
You can check Splunk to see what telemetry is being generated / enable RDP on your PC and rerun nmap.
@@MyDFIR My home PC or Windows virtual machine??
@@MyDFIR Also, how to check that? 😓😓
Btw nice Nezuko and Luffy figure there. I guess it's easy to bump into fellow anime enjoyer in IT lol
Thanks! Almost caught up on the latest season of demon slayer and then gotta catch up on one piece 😅
Question: are you doing this on an internal network, or NAT?
I am doing this via internal network
I can't get nmap to scan the Windows 10 VM for some reason. It says this: "All 1000 scanned ports on ( ip address ) are in ignored states
Not shown: 1000 filtered tcp ports (no-response)"
However, I can ping the Linux machine from the Windows machine, but I can't ping the Windows machine from Linux.
@@mattvee7242 Because the firewall in the Windows machine blocks the incoming ICMP traffic from the Linux machine. If you can ping the Linux machine from the Windows machine then you have configured it correctly!
Will save this video and the previous parts in library. If you happen to visit any city around Southeast Asia, I owe you a good lunch. Let me know how to directly contact you. Thanks for your great vids.
Haha Appreciate it! Happy I could provide some value.
I have a discord channel for those that sign up on my site, you can always reach me there 😁
Excellent videos 1-3. I'm fascinated with cybersecurity and at the early stages of creating a virtual environment, so apologies for the noob question. In your last video, you assigned your VM Windows machine a different IP address than what the ifconfig showed at 2:27 in this video. Kindly explain this. Thanks!!
Hey! That was not intentional, I happened to use another VM which had a different IP.
@@MyDFIR ok thank you sir
I really liked this video. Thank you very much.
👍
Glad you liked it!
dudeeee yesss!!!
I'm commenting this just before watching this video.
Question: if I follow along and do everything in this video, can I put it on my resume that I did this in my homelab? If yes, you gotta make more videos like this!!
Kind of, since these labs were made in a way that allows you to get started in home labs, I would be careful about how you would word it. In fact, this would be a great conversation starter instead. For example, some interviews I have been in asked me “do you have a homelab?” And this is where I would talk about it.
Hope that helps! Thanks for watching 😃
Dude, you are legit. How is it that you don't have more subscribers???
I appreciate that! Happy that the channel is slowly growing and reaching more people!!
I followed all the steps, but I don't have those additional fields after installing the Sysmon add-on app. Am I maybe missing something? ;(
Do you see sysmon logs in splunk? Also there are 2 add-ons, be sure to install the correct one
Thank you so much!!! It turns out I haven't installed the actual Sysmon log on my computer yet. @@MyDFIR
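Three checks for the "no events in index=endpoint" and "no extra fields from the Sysmon add-on" questions earlier in the thread, working up the pipeline from the Windows event log to the Splunk index. This is an added example, not code from the video's author or from Splunk. It assumes Splunk Enterprise installed on the same Windows VM with its management port on 8089, an index named `endpoint`, the default install path, and PowerShell 7 (for `-SkipCertificateCheck` and `-Authentication Basic` on `Invoke-RestMethod`).

```powershell
# Added example (not the author's or Splunk's code): run on the Windows VM where Sysmon and Splunk live.
# Management port, index name, install path and credentials are assumptions taken from the thread.

# 1. Is Sysmon actually installed, running, and writing to its operational log?
function Test-SysmonLocal {
    $svc = Get-Service -Name "Sysmon*" -ErrorAction SilentlyContinue | Select-Object -First 1
    $events = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceFound  = [bool]$svc
        ServiceStatus = if ($svc) { $svc.Status } else { "missing" }
        RecentEvents  = @($events).Count   # 0 means the add-on has nothing to parse, however it is configured
    }
}

# 2. Does any inputs.conf tell Splunk to collect that channel? The add-on ships the stanza disabled in
#    default/inputs.conf; it must be enabled in a local/inputs.conf for events to be forwarded.
function Test-SplunkSysmonInput {
    param([string]$SplunkHome = "C:\Program Files\Splunk")
    $stanza = "[WinEventLog://Microsoft-Windows-Sysmon/Operational]"
    Get-ChildItem -Path (Join-Path $SplunkHome "etc\apps") -Recurse -Filter inputs.conf -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern $stanza -SimpleMatch -Quiet } |
        Select-Object -ExpandProperty FullName
}

# 3. Does the index exist on the indexer and hold events? Uses the REST endpoint /services/data/indexes/<name>.
function Get-SplunkIndexCount {
    param(
        [string]$Index = "endpoint",
        [string]$BaseUrl = "https://localhost:8089",
        [pscredential]$Credential = (Get-Credential -Message "Splunk admin account")
    )
    # Splunk's self-signed management cert fails validation; -SkipCertificateCheck requires PowerShell 7+.
    $url = "$BaseUrl/services/data/indexes/$Index?output_mode=json"
    try {
        $resp = Invoke-RestMethod -Uri $url -Credential $Credential -Authentication Basic -SkipCertificateCheck
        $c = $resp.entry[0].content
        [pscustomobject]@{ Index = $Index; Exists = $true; TotalEventCount = $c.totalEventCount; Disabled = $c.disabled }
    } catch {
        if ($_.Exception.Response.StatusCode.value__ -eq 404) {
            # 404 here is the "index was never created" case the replies above point at
            [pscustomobject]@{ Index = $Index; Exists = $false; TotalEventCount = 0; Disabled = $null }
        } else { throw }
    }
}

# Usage: run top-down; the first check that fails tells you which stage of the pipeline is broken.
#   Test-SysmonLocal
#   Test-SplunkSysmonInput
#   Get-SplunkIndexCount -Index endpoint
```

If `Test-SysmonLocal` reports zero events, the Splunk add-on cannot add fields because nothing reaches it, which is exactly the case in the reply above; if the index check returns `Exists = $false`, create the index before expecting `index=endpoint` searches to return anything, and widen the time picker when the count is non-zero but the search still comes back empty.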
Excellent home lab series! You are a rockstar! I have a question: when I run nmap I don't find any open port, in this case what can I do?
Thanks! Make sure you enable RDP on your Windows VM and run nmap using -Pn.
Will do, Thank you!
You are the man ! such a great channel and such great helpful information ! Highly recommend
I appreciate that!
Thanks for this video Bobi
make more similar videos 🔥
Question - I’m following this with several VMs with an internal networked environment. On the step where you download the sysmon app do we connect to the internet for that part?
yeah, I usually have this installed in the beginning before locking down my connections
Thanks for the reply and for the guide, my man. Super helpful stuff @@MyDFIR
Basically, we have installed two machines so far, Kali & Windows. I get a little bit confused: did you install Splunk & Sysmon on the same Windows machine or on another Windows machine?
Hey, so in part 1 & 2 we connected the machines and they were on the same IP address, so in part 3 I realize that you are on a different IP now? A bit confused about that.
Apologies as that was not intentional. Part 2 was simply showing you HOW to assign an IP. The IP listed in there has nothing to do with the lab.
@@MyDFIR Alright, so both my VMs are on the same IP. When I change the IP for the Windows machine I'm disconnected from the internet and I can't ping it from the Kali machine. Your machines are on different IPs, but are they connected to the internet for this step?
@@KendricNewburn-y3x Hi, change the network settings of both the VMs and make sure they're connected to the same "internal network". Disable the firewall on your Windows VM. Assign IPs to both VMs and then you should be able to ping both machines from each other.
nmap returned 1000 filtered tcp ports with no-response for me
Try enabling RDP on your target host and allow pings as well since nmap uses pings to scan for hosts by default
@@MyDFIR Ty
Wow. Super informative. I enjoyed this series. You should keep them coming. You went to great lengths to provide insight on what and how. Subscribed😄
Thank you! If you enjoyed this, hopefully you’ll enjoy my upcoming lab video on Wazuh + SOAR
@@MyDFIR Ironically enough, I'm working on trying to get Wazuh up and running. There are no great resources aside from the documentation to walk you through how to set up the server :c
I look forward to your next lab video :D
I have Kali WSL??
Very interesting demonstration 👏👏👏👏👏
Thanks ❤️
Why don't I see the RDP port when I run nmap?
Nevermind I just found out I had RDP disabled on my windows vm. lol
Troubleshooting skill obtained +1 heheh great job!
Enjoyed a lot! More videos pls.
Thank you! You can check out my SOC Automation Project next!
I can't seem to get Kali to ping Windows or use the nmap -A command on it. Says zero hosts, but I know I followed your last video, unless there's an unsaid step there.
Any advice on this fix would be great.
Windows blocks ping by default, you can use nmap with the flag -Pn or add a rule on the Windows host firewall to allow pings.
@@MyDFIR I turned off the firewall actually and it worked. Should I turn it back on and try that? Thanks for replying btw.
Nvm, I fixed it, thank you.
@@BusyBodyB Pls, how did you fix this?
@@BusyBodyB HOW!!!!
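A scripted form of the advice repeated in several replies above (enable RDP so port 3389 shows up, allow pings or use `-Pn`, and open a file share instead on Windows Home), as an added example that is not code from the video or its author. It runs as Administrator on the Windows target VM only. The `192.168.20.0/24` lab subnet and the rule display name are constructed values; both firewall rules are scoped to that subnet, which keeps the firewall on instead of disabling it as a few commenters did.

```powershell
# Added example (not from the video or the thread): run as Administrator on the Windows *target* VM.
# $LabSubnet is constructed; set it to the internal network your Kali VM sits on.
$LabSubnet = "192.168.20.0/24"
$PingRule  = "Lab: ICMPv4 echo from lab subnet"

# Enable Remote Desktop (or, on Home editions that have no RDP listener, SMB file sharing on 445 instead).
function Enable-LabRdp {
    param([string]$RemoteAddress = $LabSubnet)
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($edition -match "Home") {
        Write-Warning "$edition has no Remote Desktop listener; enabling File and Printer Sharing (445) instead."
        Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True -RemoteAddress $RemoteAddress
        return
    }
    # Same switch as Settings > System > Remote Desktop > Enable Remote Desktop.
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 0
    # The built-in group rule allows 3389 from Any; restrict it to the lab subnet.
    Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True -RemoteAddress $RemoteAddress
    Start-Service TermService
}

# Allow ICMPv4 echo requests from the lab subnet so nmap's default host discovery sees the VM.
function Enable-LabPing {
    param([string]$RemoteAddress = $LabSubnet)
    if (-not (Get-NetFirewallRule -DisplayName $PingRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $PingRule -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
            -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
    }
}

# Verify from the Windows side before scanning from Kali: listener, rules, and that the firewall is still on.
function Test-LabExposure {
    $listen   = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rdpRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -eq "True" }
    $smbRules = Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -eq "True" }
    [pscustomobject]@{
        Rdp3389Listening = [bool]$listen
        RdpRulesEnabled  = @($rdpRules).Count
        SmbRulesEnabled  = @($smbRules).Count
        PingRulePresent  = [bool](Get-NetFirewallRule -DisplayName $PingRule -ErrorAction SilentlyContinue)
        ProfilesEnabled  = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq "True" }).Count
    }
}

# Usage:
#   Enable-LabRdp; Enable-LabPing; Test-LabExposure
```

After `Enable-LabRdp` and `Enable-LabPing`, `Test-LabExposure` should report 3389 listening (or the SMB group enabled on Home) with all three firewall profiles still on, and the `nmap -A -Pn` scan from Kali used in the video will then show the open port instead of "1000 filtered tcp ports (no-response)".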
Thank you so much.
You're welcome!
Thanks for this video
Most welcome - thanks for watching!
Awesome 😎
Thank you! Cheers!
keep it Up bruh💜
Glad you enjoyed it! Thanks for watching
Thank you sir
Thank you for watching!
Love it🙌🏿
Thanks for watching!
Good job, MyDFIR. I was following the lab but hit a bump in the road when I tried to download the malware. I was able to download it but it's showing 'Unconfirmed 33579.crdownload'; every time I select keep to save it, it only provides me with the delete from history option. Any suggestion?
This is due to your browser blocking the malware (as it should) - to download it, you will need to lower its security settings
Any idea how to do that? I was using Chrome.
@@MyDFIR
I really enjoyed your videos, the whole series. At least now I can set up a basic home lab and configure it, although most of the stuff in this part 3 seems a bit difficult for me. Can I get your email, or do you have a Discord channel where I can easily connect with you and ask questions, please?
I do, if you sign up on my site I provide you with a link to my discord 👍
great video, the best one i have ever came across 🦾🦾
Thank you! 😊