
Vagrants

Chris Gates edited this page Mar 21, 2018 · 4 revisions


Metta makes use of vagrants to have hosts to interact with. The below is a quick-start to get something going. Ideally you'd make an instrumented VirtualBox image with your organization's various tooling (CarbonBlack, CrowdStrike, Cylance, OSQuery, etc.) and then convert it to a vagrant "box".

Windows vagrant with Sysmon

  1. We can use the following Windows VirtualBox/Vagrant image: https://app.vagrantup.com/StefanScherer/boxes/windows_10

  2. Init and bring up the vagrant:

     vagrant init StefanScherer/windows_10
     vagrant up
  3. If everything is working like it should, you should be able to issue some commands over WinRM (the vagrant box above has WinRM set up):

     $ vagrant winrm -c whoami
     vagrant-10\vagrant
     $ vagrant winrm -c "cmd.exe /c net localgroup administrators"
     Alias name     administrators
     Comment        Administrators have complete and unrestricted access to the computer/domain

     Members

     -------------------------------------------------------------------------------
     Administrator
     vagrant
     The command completed successfully.
  4. Open the host in VirtualBox so we can install Sysmon. I'm using SwiftOnSecurity's sysmon config as an example:

     https://github.com/SwiftOnSecurity/sysmon-config

       1. Download Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

       2. Open an admin command prompt and run:

          sysmon.exe -accepteula -i sysmonconfig-export.xml

[image: Sysmon Install]

  5. You can then check the Sysmon event log for the activity you generated, either in Event Viewer or from the command line.

  6. There are tons of resources on using Sysmon. Here is a decent one: https://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon/
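Steps 4 and 5 as one script, added here as an example that is not part of the Metta wiki: it installs Sysmon with the SwiftOnSecurity config inside the Windows guest, then confirms the service is running and that a ProcessCreate event (Sysmon event ID 1) for a harmless test command was recorded. The two download URLs and the C:\sysmon scratch folder are assumptions; run it from an elevated PowerShell prompt in the guest.

```powershell
# Added example (not from the Metta wiki). Assumptions: the guest has internet
# access, $WorkDir is an arbitrary scratch folder, and the two URLs below are the
# current locations of the Sysinternals zip and the raw SwiftOnSecurity config.
$ErrorActionPreference = 'Stop'
$WorkDir   = 'C:\sysmon'
$SysmonZip = 'https://download.sysinternals.com/files/Sysmon.zip'
$ConfigUrl = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Invoke-WebRequest -Uri $SysmonZip -OutFile "$WorkDir\Sysmon.zip"
Expand-Archive -Path "$WorkDir\Sysmon.zip" -DestinationPath $WorkDir -Force
Invoke-WebRequest -Uri $ConfigUrl -OutFile "$WorkDir\sysmonconfig-export.xml"

# Same install command as on this page (step 4.2); Sysmon.exe selects the 64-bit build itself.
& "$WorkDir\Sysmon.exe" -accepteula -i "$WorkDir\sysmonconfig-export.xml"

# Check 1: a Sysmon service (Sysmon or Sysmon64, depending on the build) must be running.
$svc = Get-Service -Name 'Sysmon*' | Where-Object { $_.Status -eq 'Running' }
if (-not $svc) { throw 'Sysmon service is not running' }

# Check 2: generate a harmless ProcessCreate event and read it back from the Sysmon log.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'whoami' -Wait -WindowStyle Hidden
Start-Sleep -Seconds 2
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
$hit = $procEvents | Where-Object { $_.Message -match 'Image:\s+.*\\cmd\.exe' } | Select-Object -First 1
if (-not $hit) { throw 'No Sysmon ProcessCreate (ID 1) event for cmd.exe was found' }

# Print the fields a detection engineer usually cares about, pulled from the event XML.
$fields = ([xml]$hit.ToXml()).Event.EventData.Data |
    Where-Object { $_.Name -in 'UtcTime', 'Image', 'CommandLine', 'ParentImage', 'User' }
$fields | ForEach-Object { '{0,-12} {1}' -f $_.Name, $_.'#text' }
```

Once the script is on the guest it can also be launched from the host with vagrant winrm -c, in the same way as the whoami check in step 3.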
