I just bumped into your video and I've been blown away. You just earned a follower. Thanks for the good job.
Awesome, thank you!
Love it!!! It seems as if this could be labeled as a Project for job resume purposes. Great videos (1/2/3) to gain experience for those who are having problems getting into the IT Field. Keep up the great work!!!
Thank you!! Nothing puts a smile on my face more than when people like yourself find value in my content. Helps me to keep pushing.
Dude, you are legit. How is it that you don't have more subscribers???
I appreciate that! Happy that the channel is slowly growing and reaching more people!!
On the nmap -A -Pn portion, my Kali machine is reading "unable to determine DNS servers.Reverse DNS is Disabled." Any fix for this?? @MyDFIR
idk if this fixes it, but I enabled RDP on the Windows machine. In the search bar go to Settings, then search "remote desktop settings". Enable Remote Desktop and click OK. Try another nmap scan. It could also take a while for it to pop up, but it worked for me. I hope this helps!
Hey @MyDFIR, I got lost at 3:06. After scanning, it says no ports were open. Do you know what I did wrong? Thank you for this video.
On your target machine, enable RDP and try again. You should see port 3389
Don't forget to enable RDP!
Open Settings: press Windows + I to open the Settings app.
Go to System > Remote Desktop: toggle on the Enable Remote Desktop option.
Confirm your selection if prompted.
Yup! Thanks❤️
Good stuff, dude!! Definitely going to implement this for my home lab!!
Awesome!! It’ll be a fun activity for sure
Hi MyDFIR! Is it possible that you could also make a video on how to make a report or dashboard using Splunk to show what we have found in the detection?
You are the man ! such a great channel and such great helpful information ! Highly recommend
I appreciate that!
Can you make a video on what equipment is necessary to begin making the home lab?
Your first two parts were great, I set up my VMs without any issues and everything was smooth. This third part threw me off though, because they have a network connected to them and mine are on an internal network with the IP from the second part. Even when switching the network settings to NAT, I don't have internet access, so I am unable to download Splunk or Sysmon. Please advise me on what I need to do.
Yeah, that was not intentional. I would recommend you install Splunk & Sysmon on your Windows machine by reverting the network settings (use NAT and be sure to set your Windows network settings to DHCP), and once both are installed, switch your network settings back to internal network.
Will do that. And just for clarity, everything in this third part was done on an internal network with no access to the internet, correct? And if so, should I change my IP back to what the IP was in the second part of this series for Windows and Kali? @MyDFIR
Honestly it doesn’t matter if you have network or not for this specific demo, just make sure your VM hosts can communicate with each other and that they are on the same network.
However if you are handling real malware, then yes remove internet access.
Also I'm really late, but in vbox settings you can change the NAT IP to a different one so your attacker and defender machines can both use NAT without being on the same NAT IP.
Hello, how do I move Malware into the Isolated VMs, should I use USB Drives, Shared Folders? Thank you in advance for your help!
There are many ways. I usually download it from the internet or via shared folder, and once it's on the machine, disconnect everything before executing.
Thank you so much, I've been using Kasm Workspaces with Docker but now I wanna try VMware Pro and see how it goes. God bless you brother, keep up the amazing work!
Is splunk installed on the windows vm?
I cannot download Splunk on my VM. It will not let me access the website. Why?
Great video, thanks! Would def love more home lab videos.
Thanks for watching!
How do you add splunk and sysmon to your windows VM after already putting it in internal network mode? Do you have to change it back to NAT to use the internet? Also, really great videos. Thank you
Great question - I typically start off with a fresh install with NAT and download the tools needed. Once I have everything ready to go, I’ll snapshot it and then perform whatever I wanted to do. That way if I know a tool needs updating, I could always revert to a known good state and update from there.
Hey, I did this same thing. But I found you can manually install Splunk add-ons. Just search for the Splunk Sysmon add-on and you will find the download page and instructions for manual install. I downloaded it on my host PC, then I copied it to the VM from there.
Very interesting demonstration 👏👏👏👏👏
Thanks ❤️
Excellent videos 1-3. I'm fascinated with cybersecurity and at the early stages of creating a virtual environment, so apologies for the noob question. In your last video, you assigned your Windows VM a different IP address than what the ifconfig showed at 2:27 in this video. Kindly explain this. Thanks!!
Hey! That was not intentional, I happened to use another VM which had a different IP.
@MyDFIR ok, thank you sir
I didn't get the additional fields with the sysmon add on installed. Any help?
I did it, yay! Thank you for these useful lab videos.
Labs 1 and 2 are great. I did lab 3 also, but how do I remember all those new things I have done in lab 3 (injecting malware and all the lines written in the prompt)? Is it necessary to remember?
Awesome work! You can take notes for the lines in the prompt. You don't need to remember it exactly, but it's good to be aware of it, and doing it more than once will help build muscle memory.
@LakshmiPriyaRachakonda I have some doubts regarding this! Do you think u could help out? And do u have prior knowledge about this?
I really like your videos, keep it up. Currently got certifications and looking to get into cyber security. Learning a lot while I apply for roles.
Really enjoyed building this. Do you have a template one could use to put this on a resume as a project? Or as a write up for a blog site?
Thanks! Glad you had fun with it. Unfortunately, I do not have a template.
Enjoyed a lot! More videos pls.
Thank you! You can check out my SOC Automation Project next!
Can you make a video on certifications for SOC analyst
For certifications, you want “HR friendly” certifications for example Security+. However specifically for a SOC, BTL1 / CCD is really nice and tailored for that environment. This will allow you to obtain TECHNICAL skills however you will still need to learn and work on your SOFT skills along with networking with others.
Wow. Super informative. I enjoyed this series. You should keep them coming. You went to great lengths to provide insight on what and how. Subscribed😄
Thank you! If you enjoyed this, hopefully you’ll enjoy my upcoming lab video on Wazuh + SOAR
@MyDFIR Ironically enough, I'm working on trying to get Wazuh up and running. There are no great resources aside from the documentation to walk you through how to set up the server :c
I look forward to your next lab video :D
Thanks for this video Bobi
Excellent home lab series! You are a rockstar! I have a question: when I run nmap I don't find any open port, in this case what can I do?
Thanks! Make sure you enable RDP on your windows VM machine and run nmap using -Pn
Will do, Thank you!
Perhaps I missed an instruction, but how is it possible for you to log into Splunk while on the internal network? Should I switch the settings back to NAT? As it stands, neither one of my VMs has internet access.
I downloaded Splunk and then put the adapter back to internal network. So yea, switch to NAT, download Splunk and switch back.
I really liked this video. Thank you very much.
👍
Glad you liked it!
Great video, thanks for sharing this information but I have a question! How come you have fast internet on your virtual machines, how to post the internet service on my virtual machines?
You can search up speedtest on google and see your speeds. It should be the same as what you are currently using
@MyDFIR So this is what happens when I run the Kali Linux on my virtual book. When I go to YouTube or Google the internet is really slow!
This could be due to your computer VM specs, try increasing it if possible.
@MyDFIR How can I increase the space of the VM?
Windows 10 works perfectly with NAT on VirtualBox.
Very nice video. When searching index=endpoint in Splunk, it doesn't find anything. Any solution?
Make sure the index exists. There can be many reasons as to why nothing shows up. Check your time filter as well.
Hi DFIR! I really hope you respond to this. I have followed each step in lab 1 and 2. I am currently stuck in lab 3. After you used ifconfig to get the IP of the Kali, then you used nmap to scan the same IP of the Kali and it showed you the port. Mine keeps telling me 1000 ports are in ignored state. Pls, what do I do?
You want to scan your target machine, not Kali. Also make sure that services such as SMB and RDP are enabled on your Windows target machine so you can see them from your nmap scan. It is also good to include the flag -Pn when using nmap to ignore host discovery.
@MyDFIR Thank you, I get it now. Why do the IPs differ from the ones you used in the previous videos? Did you randomly assign new IPs in this current lab 3 video?
I made video 2 as an “add-on” if that makes sense. It was more to show you how to change IPs and the different network settings
Question! When I got into Windows, how do I get internet connections? Sounds easy, but being on a VM it's hard to connect to use the internet, like you typing IP and port nr 9999.
Depends on your network adapter, take a look at part 2 for a breakdown
Did everything twice, just getting "Hmmm… can't reach this page".
1. Change your network settings of Windows back to NAT.
2. Open it up and go to the network settings where you assigned the IP manually and change it back to automatic.
3. If you did it correctly you now have an internet connection.
4. Install and configure Sysmon and Splunk and then revert the IP and network settings.
Amazing series
Thank you ❤️
Question - I’m following this with several VMs with an internal networked environment. On the step where you download the sysmon app do we connect to the internet for that part?
Yeah, I usually have this installed in the beginning before locking down my connections.
Thanks for the reply and for the guide my man. Super helpful stuff @MyDFIR
Basically, we have installed two machines so far, Kali & Windows. I get a little bit confused: did you install Splunk & Sysmon on the same Windows or on another Windows machine?
When searching for more apps in Splunk I get: "Error resolving, no such host is known." What could be the issue?
This is due to no network connection
@MyDFIR Any way to resolve this, as I'm able to use my host network still when on other webpages in my Windows VM??
Hey DFIR, when I click ‘find more apps’, I get the following message: “Error resolving: No such host is known” so I can’t download the Splunk Add-on for Sysmon. Any advice?
Yeah, you’ll need to be sure to have internet access for that host and download the app.
I know it's been a while since this was posted but when I scan for open ports with nmap, it shows they're all closed. It says my Home edition of Windows doesn't support Remote Desktop. Is there some other way to open up that port without upgrading my windows version? Can't find anything online on what to do in this scenario aside from running a bridged connection instead of internal. Thank you in advance
You can try and open up a network share. Although not RDP, the concept still applies.
@MyDFIR Thank you! I'm new to this, so I'll look this up and then continue to follow along.
Question... are you doing this on internal network, or NAT?
I am doing this via internal network
I can't get nmap to scan the Windows 10 VM for some reason. It says this: "All 1000 scanned ports on ( ip address ) are in ignored states
Not shown: 1000 filtered tcp ports (no-response)"
However I can ping the Linux machine from the Windows machine... however I can't ping the Windows machine from Linux.
@mattvee7242 Because the firewall on the Windows machine blocks the incoming ICMP traffic from the Linux machine. If you can ping the Linux machine from the Windows machine then you have configured it correctly!
dudeeee yesss!!!
I'm commenting this just before watching this video.
Question: if I follow along and do everything in this video, can I put it in my resume that I did this in my homelab? If yes, you gotta make more videos like this!!
Kind of, since these labs were made in a way that allows you to get started in home labs, I would be careful about how you would word it. In fact, this would be a great conversation starter instead. For example, some interviews I have been in asked me “do you have a homelab?” And this is where I would talk about it.
Hope that helps! Thanks for watching 😃
When running exploit in the multi handler it is taking forever. Is this normal?
I would double check the spellings just to make sure. It shouldn’t take that long
I followed all the steps, but I don't have those additional fields after installing sysmon add-on app. Am I maybe missing something? ;(
Do you see sysmon logs in splunk? Also there are 2 add-ons, be sure to install the correct one
Thank you so much!!! It turns out I hadn't installed the actual Sysmon log on my computer yet. @MyDFIR
Will save this video and the previous parts in library. If you happen to visit any city around Southeast Asia, I owe you a good lunch. Let me know how to directly contact you. Thanks for your great vids.
Haha Appreciate it! Happy I could provide some value.
I have a discord channel for those that sign up on my site, you can always reach me there 😁
When I do nmap from my Kali machine to my Windows machine it is unable to find any open ports. Does anyone else experience this? Both machines are connected on an internal network. Any advice?
Make sure you enable RDP on your host or open some ports like SMB file share.
@MyDFIR WOW, I am so surprised you responded. I'm trying all sorts of port scans, but my nmap in Kali tells me that "All ports are in ignored state". Do you know a solution to this?
@nathanenterline8610 Try using -Pn and make sure you have some ports open on your Windows machine. If that works, I'll leave it to you to research why :)
Thanks for this video
Most welcome - thanks for watching!
Hey, so in parts 1 & 2 we connected the machines and they were on the same IP address, so in part 3 I realize that you are on a different IP now? A bit confused about that.
Apologies as that was not intentional. Part 2 was simply showing you HOW to assign an IP. The IP listed in there has nothing to do with the lab.
@MyDFIR Alright, so both my VMs are on the same IP. When I change the IP for the Windows machine I'm disconnected from the internet and I can't ping it from the Kali machine. Your machines are on different IPs, but are they connected to the internet for this step?
@KendricNewburn-y3x Hi, change the network settings of both VMs and make sure they're connected to the same "internal network". Disable the firewall on your Windows VM. Assign IPs to both VMs and then you should be able to ping both machines from each other.
BRB gotta go install splunk
Thank you so much.
You're welcome!
Anybody know how I can fix this error? "Found no matches for the service mask 'n' and your specified protocols
QUITTING!"
Deactivated my firewall using a cmd command, it works.
Happy you got it to work!
Love it🙌🏿
Thanks for watching!
I can't seem to get Kali to ping Windows or use the nmap -A command on it. Says zero hosts, but I know I followed your last video, unless there's an unsaid step there.
Any advice on this fix would be great.
Windows blocks ping by default; you can use nmap with the flag -Pn or add a rule on the Windows host firewall to allow pings.
@MyDFIR I turned off the firewall actually and it worked. Should I turn it back on and try that? Thanks for replying btw
Nvm, I fixed it, thank u
@BusyBodyB pls how did you fix this?
@BusyBodyB HOW!!!!
When I try to connect to the python http server I get a “page took too long to respond” error
Make sure the hosts are on the same network
@MyDFIR Aye, I got it. Thanks so much for this wonderful tutorial.
Bro, please, I have tried downloading the Sysmon add-on but it refuses to download even after changing my password, what's going on?
@mydfir I have changed my password 4 times now, and when I click on install, it asks for a password, and if I input the recent password, it keeps saying invalid ID and password. Please, what can I do? I have been on this video for 1 week now and it's really depressing.
Just to make sure, you're using your Splunk user and password, correct? The same account used to download Splunk.
@MyDFIR Yes I am, I used the same Splunk password and username but it's still doing the same thing.
Ok, did I miss it, but how did you get Splunk? Paid?
Nope, not paid. You can sign up for a free trial of Splunk Enterprise on their site.
Why does my Splunk say "You're just our source type, but we need some extra time to finish setting up your account"?
Are you using protonmail as I know that happens quite often with that. If so, try a different provider/service.
@MyDFIR Got it. How do we remove the malware from our machine, just take a snapshot?
Awesome 😎
Thank you! Cheers!
Btw nice Nezuko and Luffy figure there. I guess it's easy to bump into fellow anime enjoyer in IT lol
Thanks! Almost caught up on the latest season of demon slayer and then gotta catch up on one piece 😅
keep it Up bruh💜
Glad you enjoyed it! Thanks for watching
I need help.
Why don't I see the RDP port when I run nmap?
Nevermind, I just found out I had RDP disabled on my Windows VM. lol
Troubleshooting skill obtained +1 heheh great job!
My 3389 port is filtered, what do I do now!?!
You can check Splunk to see what telemetry is being generated / enable RDP on your PC and rerun nmap.
@MyDFIR My home PC or Windows virtual machine??
@MyDFIR Also, how to check that😓😓
make more similar videos 🔥
I have Kali WSL??
Thank you sir
Thank you for watching!
nmap returned 1000 filtered tcp ports with no-response for me
Try enabling RDP on your target host and allow pings as well, since nmap uses pings to scan for hosts by default.
@MyDFIR Ty
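Several threads above boil down to the same two Windows settings (RDP off, ICMP echo blocked by the host firewall). The following PowerShell is an added example, not from the video or its author, of doing both from an elevated prompt on a throwaway lab VM and then verifying the result; it only opens ping to the lab subnet instead of switching the firewall off. The subnet 192.168.20.0/24 and the rule name are constructed values, adjust them to your internal network.

```powershell
# Added example (not from the video or its author): make a Windows lab VM visible to a
# scanner on the same VirtualBox internal network without disabling the firewall.
# Assumes an elevated PowerShell session and a throwaway lab VM.
$LabSubnet = '192.168.20.0/24'                       # assumption: your internal network range
$RuleName  = 'Lab: allow ICMPv4 echo from lab subnet' # constructed rule name

# 1. Enable Remote Desktop (same as Settings > System > Remote Desktop) and its firewall rules.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Allow inbound ICMPv4 echo requests (ping) from the lab subnet only, so nmap's
#    default host discovery gets a reply while everything else stays filtered.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $LabSubnet `
        -Action Allow -Profile Any | Out-Null
}

# 3. Verify: the RDP listener is up on 3389, the RDP rules are enabled, and the
#    ICMP rule is scoped to the lab subnet (not to Any).
Get-NetTCPConnection -LocalPort 3389 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Enabled
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 4. Check which firewall profile the lab adapter landed on; a Public profile is
#    fine for these rules, but it tells you which profile's defaults apply.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Cleanup after the lab: Remove-NetFirewallRule -DisplayName $RuleName
```

After this, the scan from Kali should list 3389 without needing -Pn. On a Windows Home edition (see the thread above about Home not supporting Remote Desktop) step 1 has no effect because the RDP host is not included; the alternative the author suggests, a file share, corresponds to `Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'`, which exposes SMB on 445 instead and is worth scoping to the lab subnet the same way.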
I've literally followed everything to a T but when searching index=endpoint "IP address" I get no events shown in Splunk. I also get 0 events when searching index=endpoint Resume.pdf.exe.
Any help here please?
Try restarting your Splunk service and make sure your index is created.
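The "index=endpoint returns nothing" and "no extra fields after installing the Sysmon add-on" threads are usually a break somewhere between Sysmon and the index. The PowerShell below is an added example, not from the video or its author, that checks each link on a Windows VM where Splunk Enterprise runs locally: Sysmon service, Sysmon event channel, a Splunk input pointed at the endpoint index, the index itself, and finally an event count. The Splunk install path, the admin credentials placeholder and the inputs.conf location are assumptions to adjust.

```powershell
# Added example (not from the video or its author): walk the Sysmon -> event log ->
# Splunk input -> index "endpoint" chain on a Windows VM with local Splunk Enterprise.
# Assumptions: elevated PowerShell, default Splunk path, a Splunk admin account.
$SplunkHome = 'C:\Program Files\Splunk'            # assumption: default install path
$SplunkBin  = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkAuth = 'admin:<your Splunk password>'       # placeholder, replace before running

# 1. Is Sysmon installed and running? No service means no events, whatever Splunk shows.
Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object Name, Status

# 2. Is the Sysmon channel actually receiving events? (An error here means the
#    channel does not exist, i.e. the Sysmon driver was never installed.)
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName

# 3. Is there a Splunk input reading that channel into the endpoint index?
#    If not, add one. renderXml=true gives the XML sourcetype that the Sysmon
#    add-on's field extractions are written for.
$InputsConf = Join-Path $SplunkHome 'etc\system\local\inputs.conf'
$Stanza = @'

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = 0
renderXml = true
'@
$HasInput = (Test-Path $InputsConf) -and
    (Select-String -Path $InputsConf -SimpleMatch 'Microsoft-Windows-Sysmon/Operational' -Quiet)
if (-not $HasInput) {
    Add-Content -Path $InputsConf -Value $Stanza
    Write-Host "Added Sysmon input stanza to $InputsConf, restarting Splunk"
    & $SplunkBin restart
}

# 4. Does the endpoint index exist? (Settings > Indexes in the web UI shows the same.)
& $SplunkBin list index -auth $SplunkAuth | Select-String -Pattern '^\s*endpoint\s*$'

# 5. Count events over the last 24h. If this is 0 but step 2 showed events, the
#    problem is the input or the index, not Sysmon; if step 2 was empty, it is Sysmon.
& $SplunkBin search 'index=endpoint earliest=-24h | stats count' -auth $SplunkAuth
```

Run the steps top to bottom and stop at the first one that is empty; that is the layer to fix. The web UI searches in the comments above default to a short time window, so the explicit earliest=-24h in step 5 also rules out the time filter the author mentions.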
Good job, MyDFIR. I was following the lab but hit a bump in the road when I tried to download the malware. I was able to download it, but it's showing 'Unconfirmed 33579.crdownload'; every time I select Keep to save it, it only provides me with the "delete from history" option. Any suggestion?
This is due to your browser blocking the malware (as it should) - to download it, you will need to lower its security settings
Any idea how to do that? I was using Chrome. @MyDFIR
I really enjoyed your videos, the whole series. At least now I can set up a basic home lab and configure it, although most of the stuff in this part 3 seems a bit difficult for me. Can I get your email, or do you have a Discord channel where I can easily connect with you and ask questions please?
I do, if you sign up on my site I provide you with a link to my discord 👍
Great video, the best one I have ever come across 🦾🦾
Thank you! 😊