Disaster Recovery Plan

Lab Build Notes & Configuration Hacks

This document serves as the "Runbook" for rebuilding the lab environment. It contains specific configuration hacks, command-line fixes, and topology requirements to restore the lab to a working state after a reset.

Components covered:
  • SOC-Gateway: pfSense firewall
  • Win11-Victim: target endpoint
  • Ubuntu-Splunk: SIEM server
  • Sysmon: telemetry config

1. SOC-Gateway (pfSense)

The Air Gap
  • OS: FreeBSD (Other 64-bit)
  • vCPU: 1
  • RAM: 1 GB
  • Storage: 8 GB
  • Network 1: WAN (VM Network)
  • Network 2: LAN_Isolated
⚠️ The "Invisible Disk" Fix

Issue: The installer may fail to find a hard drive during setup.

Fix: In ESXi "Edit Settings", ensure SCSI Controller 0 is set to LSI Logic SAS. Do not use VMware Paravirtual.

Critical Configuration Steps

  • Interface Assignment: WAN = vmx0 (DHCP), LAN = vmx1 (Static).
  • IP Config (LAN): Set IP to 172.16.10.1 / 24. Enable DHCP Server (Range: .100 to .200).
  • Firewall Rule "Gotcha": By default, pfSense blocks RFC1918 (private) and bogon source addresses on the WAN interface. Since the lab WAN is your home LAN (10.0.x.x, itself an RFC1918 range), this kills internet. Action: Interfaces > WAN > uncheck "Block private networks" and "Block bogon networks". This is only acceptable because the "WAN" here is a trusted home LAN, not a real internet-facing link.

2. Win11-Victim (Endpoint)

Primary Target
  • OS: Windows 11 Ent.
  • vCPU: 2
  • RAM: 6 GB
  • Storage: 60 GB
  • Network: LAN_Isolated

Hack 1: The TPM Bypass

ESXi can only present a virtual TPM to a VM when VM encryption (a key provider) is configured, so on a plain lab host the Windows 11 installer's TPM and Secure Boot checks fail. When the installer refuses to proceed:

  1. Press Shift + F10 to open CMD.
  2. Type regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup.
  3. Create a key named LabConfig and, inside it, three DWORD (32-bit) values, each set to 1:
    • BypassTPMCheck
    • BypassSecureBootCheck
    • BypassRAMCheck

Hack 2: Enable Copy/Paste

Edit VM Settings > VM Options > Advanced > Edit Configuration and add the two parameters below. These re-enable the VMware Tools clipboard channel between the console and the guest, which is disabled by default as a guest-isolation control; keep that trade-off in mind when detonating samples on this VM.

isolation.tools.copy.disable = FALSE
isolation.tools.paste.disable = FALSE

Hack 3: Allow Ping (ICMP)

Run in PowerShell (Admin) to allow network troubleshooting. The rule is limited to inbound ICMPv4 Echo Request (type 8), which is all "ping" needs, rather than every ICMP type:

New-NetFirewallRule -DisplayName "Allow Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow

3. Ubuntu-Splunk (SIEM)

The Watchtower
  • OS: Ubuntu Server 22.04
  • vCPU: 2
  • RAM: 4 GB
  • Storage: 50 GB

Installation Commands

# 1. Download & Install
wget -O splunk.deb 'https://download.splunk.com/...'
sudo dpkg -i splunk.deb

# 2. Setup User & Start
sudo groupadd splunk
sudo useradd -d /opt/splunk -m -g splunk splunk
sudo chown -R splunk:splunk /opt/splunk
sudo -u splunk /opt/splunk/bin/splunk start --accept-license

⚠️ Disk Space & Timezone Fixes
  • Disk Threshold: Splunk pauses indexing if free space on the index partition drops below 5GB (the default). Fix by editing server.conf to set minFreeSpace = 2000 (value in MB) in the [diskUsage] stanza, then restart Splunk. This only lowers the safety margin; on a 50 GB disk, keep an eye on index retention as well.
  • Time Drift: Fix log timestamps by aligning server to local time:
    sudo timedatectl set-timezone America/Denver

4. Sysmon Deployment

Advanced Telemetry

Supplements the standard Windows Event Logs with granular data on Process Creation, Network Connections, and File Changes, written to its own event channel.

1. Installation

Download Sysmon.zip (Sysinternals) and the SwiftOnSecurity sysmonconfig.xml, unzip both into the same folder, and run from an Admin PowerShell in that folder:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

2. Splunk Integration (inputs.conf)

Configure the Universal Forwarder on the endpoint to read the Sysmon channel by adding this stanza to inputs.conf (typically etc\system\local\inputs.conf under the forwarder install directory):

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

Note: Ensure the file is saved as inputs.conf, not inputs.conf.txt (Notepad appends .txt by default); the forwarder silently ignores the latter. Restart the SplunkForwarder service after editing.

3. Verification

Open Event Viewer > Applications and Services > Microsoft > Windows > Sysmon > Operational. Look for Event ID 1 (Process Create).
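The same check, scripted, as an added example rather than something from the original runbook: it confirms the Sysmon64 service is running, pulls the most recent Event ID 1 from the Operational channel (parsing the same XML the forwarder ships when renderXml = true), and catches the inputs.conf.txt gotcha. It assumes the default Universal Forwarder install path and the default Sysmon64 service name; adjust both if your install differs.

```powershell
# Added example (not from the original runbook): automate the Sysmon / forwarder verification.
$Channel    = 'Microsoft-Windows-Sysmon/Operational'
$UfHome     = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default UF install path
$InputsConf = Join-Path $UfHome 'etc\system\local\inputs.conf'

# 1. Is the Sysmon service running? (Sysmon64.exe installs it as "Sysmon64" by default.)
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc)                       { Write-Warning 'Sysmon64 service not found - re-run the -i install step.' }
elseif ($svc.Status -ne 'Running')   { Write-Warning "Sysmon64 is $($svc.Status), expected Running." }
else                                 { Write-Host 'OK: Sysmon64 service running' }

# 2. Are Process Create (Event ID 1) events landing in the channel?
$since  = (Get-Date).AddMinutes(-15)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1; StartTime = $since } `
                         -MaxEvents 5 -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning 'No Event ID 1 in the last 15 minutes - start notepad.exe and re-check.'
} else {
    Write-Host "OK: $($events.Count) recent Process Create event(s). Most recent:"
    # With renderXml = true the forwarder ships the same XML that ToXml() returns,
    # so this is exactly what the Splunk side will have to parse.
    $xml  = [xml]$events[0].ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    foreach ($field in 'Image', 'CommandLine', 'ParentImage') {
        Write-Host ("  {0,-12} {1}" -f $field, $data[$field])
    }
}

# 3. The ".conf.txt" gotcha: a mis-named file is silently ignored by the forwarder.
if (Test-Path "${InputsConf}.txt")   { Write-Warning 'Found inputs.conf.txt - rename it to inputs.conf' }
if (-not (Test-Path $InputsConf)) {
    Write-Warning "inputs.conf not found at $InputsConf"
} elseif (-not (Select-String -Path $InputsConf -SimpleMatch "[WinEventLog://$Channel]" -Quiet)) {
    Write-Warning 'inputs.conf does not contain the Sysmon WinEventLog stanza.'
} else {
    Write-Host 'OK: Sysmon stanza present in inputs.conf'
}
```

Run it from an elevated PowerShell on Win11-Victim; a Warning line points at which of the three steps above needs redoing.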