SOC Automation Project - Part 2
Building a SOC automation Home Lab: Part 2 - Windows 10 VM installation and configuration
A step-by-step guide for building your very own SOC Automation Home Lab using VMware and the DigitalOcean cloud provider
In this module, we will cover the installation and configuration of our Windows 10 virtual machine (VM). Additionally, we will install Sysmon on that VM host.
The Windows 10 VM will serve as the Wazuh Agent for our project. However, the number of agents and their OS is up to you, as long as they are supported by Wazuh.
Installing Windows 10 VM host
Download Windows
Go to the following link: Download Windows 10 Enterprise 64-bit edition.
The downloaded file will have the .iso extension.
Windows 10 VM Creation
Launch VMware and select Create a New Virtual Machine from the dashboard. Choose the following options:
- Configuration: Typical
- Installation method: I will install the operating system later
- Guest Operating System: Microsoft Windows
- Version: Windows 10 x64
- Name your VM and choose its location.
- Amount of storage space: 100 GB
- Click Finish to complete the creation.
Before starting the VM, we need to make some changes first.
Select Edit virtual machine settings. Under the CD/DVD (SATA) option, change the connection to the Windows .iso file we downloaded earlier.
I changed the memory allocated to 4 GB and 1 processor, but you can leave it as it is.
This VM has to have access to the internet, so leave the network adapter configured for NAT or Bridged mode.
Now, start the Windows machine and proceed with the installation.
Completing Windows installation
After starting the machine, press any key to begin the Windows installation. Select your preferred language, time and keyboard layout, then click Install Now.
Agree to the terms, choose Custom installation > Next, and the VM will reboot a few times.
After rebooting, select your region and keyboard layout. Next, choose the option Domain join instead from the bottom left corner.
Insert the name and password of your user account.
Choose and answer the security questions, disable all privacy settings, and finally select Not Now.
Next, we will install VMware tools in order to improve our VM performance.
Installing VMware Tools
VMware Tools enhances the VM’s performance and adds functionalities such as full-screen resolution (without stretching), copy-paste between guest and host, automatic shutdowns and reboots, and time synchronization. In order to install VMware Tools:
Go to VM > Install VMware Tools on the top left side of VMware. After a few seconds, open the DVD Drive (D:) VMware Tools and run setup64.exe.
Select Next > Next > Finish and restart to complete the installation.
Now that our Windows 10 VM installation is complete, our next step is to install Sysmon.
Installing Sysmon
Go to the following link to download Sysmon and, while it’s downloading, save the sysmonconfig.xml file from this GitHub repo.
Extract the Sysmon zip file and move the sysmonconfig.xml file into the same directory.
Next, open a PowerShell terminal with administrative privileges, change to the Sysmon directory and run the following commands to install Sysmon.
```powershell
# Change into the directory that holds sysmon64.exe and sysmonconfig.xml
cd "/path/to/sysmon"
# Install Sysmon as a service using the downloaded configuration.
# PowerShell does not run executables from the current directory
# without the explicit .\ prefix.
.\sysmon64.exe -i sysmonconfig.xml
```
Agree with the license terms and after a few seconds, the Sysmon service will be running.
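Before wiring the agent into Wazuh it is worth confirming that Sysmon is not just installed but actually producing events. The following check script is an added example, not part of the original post; it assumes the 64-bit binary was installed with its default service name (Sysmon64) and that it is run from the Sysmon directory in an elevated PowerShell session.

```powershell
# Added example (not from the original post): verify the Sysmon install
# before handing its events to the Wazuh agent. Assumes the default service
# name Sysmon64 and that the current directory contains sysmon64.exe and
# sysmonconfig.xml, as after the install command above.

# 1. The Sysmon64 service must exist and be running.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Error 'Sysmon64 service not found: the install did not complete.'
    return
}
Write-Output "Sysmon64 service status: $($svc.Status)"

# 2. The operational event channel must exist and already hold events.
#    Event ID 1 = process creation, 3 = network connection, 11 = file create.
$log = 'Microsoft-Windows-Sysmon/Operational'
$recent = Get-WinEvent -LogName $log -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning "No events in $log yet: start a program and re-run this check."
} else {
    $recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}

# 3. Confirm the configuration that is actually loaded. 'sysmon64.exe -c'
#    with no file argument prints the active configuration; compare what it
#    reports against the SHA-256 of the sysmonconfig.xml file on disk.
Write-Output "SHA-256 of sysmonconfig.xml on disk:"
(Get-FileHash -Path .\sysmonconfig.xml -Algorithm SHA256).Hash
Write-Output "Active Sysmon configuration:"
.\sysmon64.exe -c
```

If the service is running but the channel stays empty, the configuration is filtering everything out; re-check the rules in sysmonconfig.xml before continuing.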
Our Windows 10 VM host is now ready, with Sysmon running.
Next Steps
In the next module, we will deploy our Wazuh and TheHive servers in the cloud using DigitalOcean. We will also configure firewall rules to only allow traffic from our machine.