This is the sixth and final lab building post in the Building An Atomic Red Team Lab series. This is going to be our manage workstation – the one we’ll run our Atomic tests on. It’s a pretty straightfoward Windows 10 install, so let’s get started.
Operating System Installation
Start with a Windows 10 64-bit virtual machine.
The default settings will be fine. I increased the video memory since this will have a desktop and I want to be able to do full screen.
This is a simple windows installation. Click click click.
- Next
- Install now
- I accept the license terms
- Custom
- New
- Apply
- OK
- Next
- Wait…
- The computer will reboot
- Yes
- Yes
- Skip
- I don’t have internet
- Continue with limited setup
- <username>
- <password>
- <Configure security questions>
- I disabled all the toggle switches
- Accept
- Not now
- Wait again…
Install VMWare Tools
- On the ESXi Host, insert the VMWare Tools CD.
- Double Click on the CD drive in File Explorer
- Accept all the defaults
- Once the installation is complete, reboot the machine
Set a Static IP and Host Name
Since everything in this lab will have a static IP, we’ll set one with powershell.
- Open a powershell terminal as Administrator
- First we set a static IP
- Then configure the DNS servers
- Finally set a host name and reboot
New-NetIPAddress –IPAddress 10.20.0.100 -DefaultGateway 10.20.0.1 -PrefixLength 24 -InterfaceIndex (Get-NetAdapter).InterfaceIndex
Set-DNSClientServerAddress –InterfaceIndex (Get-NetAdapter).InterfaceIndex –ServerAddresses ("10.20.0.10")
Rename-Computer -NewName vdi-win-01 -Restart
Join the Domain
Once the machine reboots, we’re ready to join our domain.
- Open a powershell terminal as Administrator
- Join the domain and reboot with the following command
Add-Computer -DomainName art.lab -Restart
- When prompted for a credential enter
Administrator
and the password you set up. - The machine will reboot and apply the GPOs we set up, install Sysmon and Winlogbeat and start those services.
However, on the first reboot, only Winlogbeat was installed. We need to run the scheduled task to install sysmon.
All of our GPOs have successfully applied, if we log into our HELK instance we can see logs from both the Domain Controller and this Windows Workstation.
Snap Shot
You can shut down the machine and take a snap shot. Power it back up and we’ll move on to installing Atomic Red Team and Invoke-Atomic in the next post.
Leave a Reply