
Homelab: Splunk+Active Directory

Aditya Hebballe, OSCP Certified Penetration Tester
Homelab - This article is part of a series.
Part 1: This Article

Introduction

In the world of cyber-security, having hands-on experience is invaluable. A home lab setup offers a powerful sandbox to simulate real-world network environments and security incidents. Active Directory (AD) and Splunk are two of the most widely used tools in the industry, forming the backbone of network management and security monitoring in countless organisations.

In this project we will ingest the logs generated from Active Directory in Splunk. We will also simulate an attack on the network and monitor the logs in the next part.

What we’ll be doing:

  • AD Administration – Creating users, setting permissions, adding machines to AD.
  • Splunk Fundamentals – Creating a local Splunk server, collecting and analysing logs, configuring Splunk.
  • Threat Detection and Response – Identifying anomalies, investigating incidents, and applying defensive tactics within a realistic, simulated environment.
Note! Before you start, ensure you have a capable machine with at least 16GB of RAM, 50GB of free disk space, and a moderately powerful CPU, since we’ll be running 3-4 virtual machines simultaneously. Alternatively, you can build the lab on a cloud platform such as Azure or Vultr.

Let’s get started!

Structure of the Lab

The lab will consist of:

  • Splunk Server: Ubuntu Server running Splunk Enterprise. Data will be received and stored here from ADDC01 and target-pc.
  • ADDC01: Running Windows Server 2022 and this will act as the Domain Controller.
  • Target-pc: Running Windows 10/11 with Splunk Universal Forwarder and connected to the Active Directory Domain.
  • Kali Linux: We will use this machine to attack Active Directory.

Network Configuration

The Splunk Server, ADDC01, and Kali Linux will each be assigned a static IP, while target-pc will get its address via DHCP. All machines will sit on a single NAT network; this can be done in VMware Workstation Pro as well as VirtualBox. I will be using VMware Workstation Pro to create the virtual machines.

Here’s how to open network settings in VirtualBox:

We’ll create a virtual NAT network adapter to connect all the machines on a single network.

Edit -> Virtual Network Editor:

Add network and configure as per the screenshot:

Click on NAT Settings and configure as following:
The Gateway IP should be 192.168.10.1. After you are done click save.

Now set the Network Adapter in VM settings:

Don’t forget to set the Network Adapter for all VMs

For creating the virtual machines download the ISOs from here:

Ubuntu Server

To create a new virtual machine, click File -> New Virtual Machine. Choose the Typical setup, select the downloaded ISO image, and specify a folder for the VM. If you run into issues, select “I will install the operating system later” during setup and attach the ISO image when you first run the VM. Repeat these steps for all the VMs.

After you run the VM you will be presented with the following setup screen:

Pick a username and password and make note of it
Select done and proceed with the installation.

Network Configuration

After the Ubuntu Server instance is installed we need to configure its network settings. First delete the existing files in the /etc/netplan directory:

sudo rm /etc/netplan/*

Now create and open the following file:

sudo nano /etc/netplan/00-installer-config.yaml

Now type in the following:

# netplan files are YAML: indent with spaces only, tabs are rejected by the parser
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      dhcp4: no
      addresses:
        - 192.168.10.10/24
      routes:
        - to: default
          via: 192.168.10.1
      nameservers:
        addresses: [8.8.8.8]

It should look something like this
Now press Ctrl+X to exit and y to save. If it does not work, validate the YAML with a YAML validator; the most common mistake is indenting with tabs instead of spaces.

Now to apply the configuration:

sudo netplan apply

Check if the IP address is 192.168.10.10:

ip a

We can see the IP has changed

Configuring Splunk

Go to http://splunk.com and sign up for a free account. Then go to Products-> Free Trials & Downloads

Get Splunk Enterprise:

Download the .deb package as Ubuntu is Debian-based.

To access this file from the Ubuntu Server VM we need to set up shared folders. Open the VM settings by right-clicking the VM tab or the entry in the sidebar:

Enable Shared Folders and pick the folder with the .deb file
Save it.

We can access the folder at /mnt/hgfs/{Shared-Folder-Name}. To view the folder:

ls /mnt/hgfs

We can see the file inside the folder.

To install the .deb package:

sudo dpkg -i /mnt/hgfs/HostDocs/splunk-*.deb

Go to the Splunk folder at /opt/splunk.

cd /opt/splunk

Using ls -la we can see the files are owned by the splunk user.

We’ll open bash as splunk user:

sudo -u splunk bash

Now go to /opt/splunk/bin and start Splunk for the first time, which runs the initial setup:

cd /opt/splunk/bin
./splunk start

Press space to page through the licence agreement and accept it.

Create an admin user and remember the credentials, as we will use them later to log in to the Splunk web portal.

Now exit the splunk user’s shell and enable Splunk on boot:

exit

Go to /opt/splunk/bin and enable splunk on boot:

cd /opt/splunk/bin
sudo ./splunk enable boot-start -user splunk

Windows 11

Set up the Windows 11 VM in VMware.

Don’t forget to set the Network Adapter (see the Network Configuration section above).

Renaming

Let’s first rename this machine. Right-click the This PC icon on the desktop.

Click on Rename this PC:

Let’s name it target-PC as per the diagram in the beginning
Click Next and reboot the machine.

Network Configuration

Open a command prompt and type ipconfig to check the IP address.

According to the diagram target-pc should get its IP via DHCP, so let’s configure that.

Open Settings and go to Network & Internet

Click on Advanced network settings.

Select your Network and Click on Edit

Double click on Internet Protocol Version 4 (TCP/IPv4)

Configure as shown:

Save and check again with ipconfig:

Now visit http://192.168.10.10:8000; you should see the Splunk Enterprise login page:

We can successfully access the Splunk Server.

Splunk Installation

Go to the Splunk downloads page on the Windows 11 VM and log in.

Click on Universal Forwarder.

Download the 64-bit version for Windows, then double-click and run the .msi file.

Select on-premises
Create a user

Skip Deployment server
Enter the IP of our Splunk Server and the default port 9997
Now install and finish.

Sysmon

Sysmon (System Monitor) is a Windows system service and device driver that is part of Microsoft’s Sysinternals suite. It logs detailed events about system activity, such as process creation, network connections, file changes, and registry modifications. We will use Splunk to collect the logs from Sysmon.

Let’s download and setup Sysmon.

Download Sysmon from the Sysinternals site; this gives you a file called Sysmon.zip.

Now download the config for Sysmon from Olaf’s config repository. It provides a modular and highly customizable Sysmon configuration file.

It’s designed to make Sysmon (System Monitor) setup more manageable and adaptable to specific environments, particularly for security monitoring and threat hunting. This will make our lives much easier.

Download sysmonconfig.xml from the repository:

Download it.

Extract Sysmon.zip by right-clicking, and click on extract all.

Go to the Sysmon folder and copy the file path:

Open PowerShell as administrator and change to the folder where Sysmon is located:

cd C:\Splunk\Sysmon

Now install Sysmon with the config file. Mine is in the parent folder, which in this case is C:\Splunk:

.\Sysmon64.exe -i ..\sysmonconfig.xml

Then click Agree

Splunk Configuration

Before we start, note that the default inputs.conf is in C:\Program Files\SplunkUniversalForwarder\etc\system\default; refer to it if you mess anything up, but don’t edit it, since files under default are overwritten on upgrade. That is why our own settings go in local.

Now create an inputs.conf file in C:\Program Files\SplunkUniversalForwarder\etc\system\local.

Run Notepad as administrator and paste this in notepad:

[WinEventLog://Application]
index = endpoint
disabled = false

[WinEventLog://Security]
index = endpoint
disabled = false

[WinEventLog://System]
index = endpoint
disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

We are using endpoint as the index, so our Splunk server needs an index called endpoint; we will create it shortly.

Now File-> Save As:

Go to C:\Program Files\SplunkUniversalForwarder\etc\system\local, set Save as type to All files and name the file inputs.conf.

Selecting All files matters; otherwise Notepad appends .txt to the file name and the forwarder ignores the file.

Any time you modify inputs.conf you need to restart the SplunkForwarder service.

To do that search services in start:

Run as administrator.

Type S to jump to the services starting with S and look for SplunkForwarder. Double-click it.

Now we need to change the Splunk Universal Forwarder service to log on as the Local System account so that it has sufficient privileges to read the event logs it collects.

Go to Log on tab and change it to Local System Account:

Click Apply and Click OK on the next dialog.

Now in the services list right-click on SplunkForwarder and Restart.

You might get this error; if you do, just click OK and start the service. It should be running now.

Now open a browser tab and open http://192.168.10.10:8000/

Log in with the credentials you created; I will use the splunkserv user.

Click on Settings->Add Data->Indexes.

Create a new index:

Just enter the name endpoint (matching the index in inputs.conf) and leave everything else as is.

Now go to Settings->Add Data->Forwarding and Receiving:

Click on Configure receiving, then New Receiving Port. Set it to 9997 and save.

Now head to Apps-> Search & Reporting:

Search for:

index="endpoint"

We have a lot of events. We can see our target-pc under host in the sidebar:

In Source we can see the stanzas we mentioned in inputs.conf file:

Windows Server

By now I hope you are familiar with the process of installing a VM so you can go ahead and install it.

Once again, don’t forget to set the Network Adapter (see the Network Configuration section above).

Renaming

Let’s rename the machine similar to how we did for the Windows 11 machine. Head to Settings-> About and click on rename.

Splunk & Network Configuration

Do the same steps that were done for the Windows 11 VM to set up the network and the Splunk Universal Forwarder (see the Windows 11 section above).

Here’s a quick summary:

  • Network Configuration
  • Install Splunk Universal Forwarder.
  • Install Sysmon with Olaf’s config
  • Create inputs.conf file
  • Restart the service after setting logon account.
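The endpoint steps above (Sysmon install, inputs.conf, service log-on account, restart) as one script. This is an added example, not from the original post; it assumes the paths used in the post (C:\Splunk for Sysmon.zip and sysmonconfig.xml, the default Universal Forwarder install directory) and that the forwarder was already installed with the server IP and port entered. The Sysmon64 service name, the `-accepteula` switch and the `sc.exe config ... obj= LocalSystem` call are standard Sysmon and Windows behaviour; everything else is an assumption about this lab.

```powershell
# Added example (not from the original post): automates the endpoint setup on a
# Windows VM. Assumes Sysmon.zip and sysmonconfig.xml are in C:\Splunk (path from
# the post) and the Universal Forwarder is installed at its default location.
#Requires -RunAsAdministrator

$SysmonZip  = 'C:\Splunk\Sysmon.zip'
$SysmonDir  = 'C:\Splunk\Sysmon'
$SysmonCfg  = 'C:\Splunk\sysmonconfig.xml'
$UfLocal    = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local'
$SplunkHost = '192.168.10.10'   # Splunk server IP from the post
$Index      = 'endpoint'

# 1. Install Sysmon with the config. -accepteula replaces the "click Agree" dialog.
#    If Sysmon is already installed, only reload the config (-c) instead of reinstalling.
if (-not (Test-Path $SysmonDir)) {
    Expand-Archive -Path $SysmonZip -DestinationPath $SysmonDir
}
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & "$SysmonDir\Sysmon64.exe" -c $SysmonCfg | Out-Null
} else {
    & "$SysmonDir\Sysmon64.exe" -accepteula -i $SysmonCfg | Out-Null
}

# 2. Write inputs.conf with the same stanzas as in the post. ASCII encoding avoids
#    a UTF-8 byte-order mark at the start of the file.
$inputs = @"
[WinEventLog://Application]
index = $Index
disabled = false

[WinEventLog://Security]
index = $Index
disabled = false

[WinEventLog://System]
index = $Index
disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = $Index
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
"@
New-Item -ItemType Directory -Path $UfLocal -Force | Out-Null
Set-Content -Path (Join-Path $UfLocal 'inputs.conf') -Value $inputs -Encoding ASCII

# 3. Run the forwarder service as Local System (the "Log on" tab step) and restart it
#    so the new inputs.conf is picked up.
sc.exe config SplunkForwarder obj= LocalSystem | Out-Null
Restart-Service -Name SplunkForwarder

# 4. Sanity checks before looking in Splunk: Sysmon is writing events, and the
#    forwarder holds an established TCP session to the indexer on port 9997.
$recentSysmon = @(Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                    -MaxEvents 5 -ErrorAction SilentlyContinue).Count
$conn = Get-NetTCPConnection -RemoteAddress $SplunkHost -RemotePort 9997 `
            -State Established -ErrorAction SilentlyContinue

[pscustomobject]@{
    SysmonServiceStatus = (Get-Service -Name Sysmon64).Status
    RecentSysmonEvents  = $recentSysmon
    ForwarderStatus     = (Get-Service -Name SplunkForwarder).Status
    ConnectedTo9997     = [bool]$conn
}
```

Run it once on target-pc and once on ADDC01. If ConnectedTo9997 is false a few seconds after the restart, the receiving port on the Splunk server has not been opened yet (the Configure receiving step), or the Windows firewall on the server side is blocking 9997; the forwarder retries on its own once the port is reachable.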

After you’ve set it up go to the Splunk console at http://192.168.10.10:8000/ and Apps-> Search & Reporting:

You’ll have ADDC01 in hosts if you have set up everything properly.

Active Directory

In this section we’ll go through the process of setting up Active Directory (AD) to effectively manage user access and resources. We’ll begin by creating Organizational Units (OUs) to organize our users and resources, followed by adding user accounts within those OUs. In the spirit of keeping it short, this will be a toy model compared to what a real organisation’s Active Directory would look like.

Open server manager:

Click next
Role Based
You will see all servers here. Just click Next without changing anything
Select Active Directory Domain Services, then click on add features.
Keep clicking next until install button is available and click on it.

This is what success looks like.

Now click on the flag icon:

Let’s make this server a Domain Controller.

A Domain Controller (DC) is a server that manages access to a networked environment using Active Directory (AD). It authenticates and authorizes users and computers within a Windows domain, enforcing security policies and providing directory services. The DC stores information about the domain, including user accounts, group policies, and resources, ensuring that users can access network services securely and efficiently. If a Domain Controller is compromised it’s game over, as the credentials of every domain account are stored on it.

Set a domain name, I will choose splunky.local :

Set a password you can remember and leave the rest as default.

Then click on next until install is available:

Now the server will restart automatically.

Adding Users in AD

Go to Tools-> Active Directory Users and Computers

We will create an Organizational Unit (OU). An OU in Active Directory (AD) is a container used to organize users, groups, computers, and other OUs within a domain. OUs help structure the directory hierarchy for easier management and delegation of administrative tasks. They allow group policies to be applied per OU and can mirror the organization’s functional or geographic structure, improving security and organizational efficiency. For example, we can have OUs for job roles like HR, IT, Marketing, Sales, Developers, etc.

For example Jack from HR should not have the ability to install software, disable firewall or change system settings.

Now right-click on the domain (in this case splunky.local) and click on Organizational Unit to create one:

Let’s name it IT:
Now select IT in the sidebar, right-click on it to create a new user:

Now create a user:

Set a password and note it

Let’s create one more Organizational Unit and create a user in it, the same way as in the previous steps:
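The same OUs and users created from PowerShell instead of the Active Directory Users and Computers GUI, as an added example that is not part of the original post. It runs on ADDC01, where the ActiveDirectory module is installed together with the AD DS role. The domain splunky.local is the one chosen above; the OU names, user names and the single initial password prompt are assumptions made for this lab.

```powershell
# Added example (not from the original post): build the lab OUs and users with the
# ActiveDirectory module. Run in an elevated PowerShell on the domain controller.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName      # e.g. DC=splunky,DC=local
$Upn      = $Domain.DNSRoot                # e.g. splunky.local

# Constructed sample data for the lab: one OU per job role, one user in each.
$Plan = @(
    @{ OU = 'IT'; Users = @(@{ Sam = 'jdoe';   Given = 'John'; Surname = 'Doe'  }) },
    @{ OU = 'HR'; Users = @(@{ Sam = 'jack.h'; Given = 'Jack'; Surname = 'Hill' }) }
)

# One initial password for all new lab users, typed once and never written to disk.
# ChangePasswordAtLogon forces each user to pick their own at first sign-in.
$InitialPassword = Read-Host -AsSecureString -Prompt 'Initial password for new lab users'

foreach ($entry in $Plan) {
    $ouDn = "OU=$($entry.OU),$DomainDn"

    # Idempotent: re-running the script does not fail on OUs that already exist.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$($entry.OU)'" -SearchBase $DomainDn)) {
        New-ADOrganizationalUnit -Name $entry.OU -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }

    foreach ($u in $entry.Users) {
        if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") { continue }
        New-ADUser -Name "$($u.Given) $($u.Surname)" `
                   -GivenName $u.Given `
                   -Surname $u.Surname `
                   -SamAccountName $u.Sam `
                   -UserPrincipalName "$($u.Sam)@$Upn" `
                   -Path $ouDn `
                   -AccountPassword $InitialPassword `
                   -ChangePasswordAtLogon $true `
                   -Enabled $true
    }
}

# Verify: list every user that now lives directly under the IT or HR OU.
Get-ADUser -Filter * -SearchBase $DomainDn |
    Where-Object { $_.DistinguishedName -match '^CN=[^,]+,OU=(IT|HR),' } |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

The users land in their OU rather than in the default Users container, which is what later lets you attach per-role group policies (the "Jack from HR should not be able to install software" case above) to the OU instead of to individual accounts.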

Add Target-pc to the Domain

Now open the target-pc VM. Search for View advanced system settings in Start and open it:

In Computer name tab, click on Change:

Set the domain to what you have created in the server:

Click OK and you will get an error; this is because DNS has not been configured yet.

We need to set the DNS server as the DC to resolve the domain.

To do this, open network settings:

Select the Adapter and click on Edit
Now set the DNS to DC IP address:
To check:

ipconfig /all

Now try setting the domain again. A prompt will appear asking for the credentials of a user with permission to join machines to the domain; we will use the Administrator account from the DC. In the real world we would create dedicated accounts that are allowed to join the domain, but to save time we will do it this way for now.
Now restart and log in as one of the users you created in the Active Directory section.

Try logging in with a user you created:

Now we can login!
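The domain-join steps above (set DNS to the DC, join, restart) as one script run in an elevated PowerShell on target-pc. This is an added example and not part of the original post. The domain name splunky.local comes from the post; the DC’s IP address is not stated in the text, so it is left as a placeholder you must fill in, and the adapter selection and the SRV lookup used as a pre-check are my assumptions.

```powershell
# Added example (not from the original post): join target-pc to the lab domain.
# Run in an elevated PowerShell on target-pc; the machine reboots at the end.
#Requires -RunAsAdministrator

$DcIp       = '192.168.10.X'    # PLACEHOLDER: the static IP you gave ADDC01 (not stated in the post)
$DomainFqdn = 'splunky.local'   # domain name chosen in the post

# 1. Point the DNS client at the DC. Without this the join fails because the domain
#    name cannot be resolved (the error seen in the post). The IP itself stays on DHCP.
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DcIp

# 2. Pre-check: a DC must be advertised in DNS via the _ldap._tcp.dc._msdcs SRV record,
#    which domain join and Kerberos rely on. Stop here if it does not resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop
$dcName = $srv | Where-Object Type -eq 'SRV' | Select-Object -First 1 -ExpandProperty NameTarget
"DC advertised by DNS for ${DomainFqdn}: $dcName"

# 3. Join with an account allowed to add computers to the domain. The post uses the
#    DC's Administrator; a dedicated join account with only that right is the better practice.
$cred = Get-Credential -Message "Account allowed to join $DomainFqdn" -UserName "$DomainFqdn\Administrator"
Add-Computer -DomainName $DomainFqdn -Credential $cred -Restart
```

After the reboot, sign in with one of the users created in the Active Directory section; the computer account for target-pc will also appear under Computers in Active Directory Users and Computers on ADDC01.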

Congratulations! You have successfully set up Splunk and Active Directory AND they work together!

Attacking with Kali Linux

The Kali VM will be preconfigured so you can directly open the VM. But…

DON’T FORGET TO SET THE NETWORK ADAPTER!!

Refer to the Network Configuration section above.

We will stop here and continue in Part 2 of this blog, where we will focus on attacking the target-pc. We’ll monitor the logs in Splunk to analyze how our attacks are recorded and what insights they provide. Stay Tuned for Part 2!
