- Download the Windows 10 ISO from the website below.
LINK : **https://info.microsoft.com/ww-landing-windows-10-enterprise.html?lcid=en-IN**
- Once downloaded, set it up, install and configure it in the virtual machine. Initially keep the network adapter setting as bridged network until Windows 10 boots up and all the initial configuration is completed.
- While setting up, select the option “Join Domain Instead” when prompted.
CREDENTIALS:-
USERNAME : sdhacker
PASSWORD : Password@123
- After booting, change the hostname of the machine to “win-victim-01” for better visibility while we analyze the attacks in the SIEM. Go to This PC → Right Click to select Properties → Click Rename this PC → Enter the needed name → Click Next → Click Restart Later.
- We also need to change the power plan option. Go to Edit Power Plan Settings → Select Never under both the Turn off the display and Put the computer to sleep options → Click Save changes. One more thing: click Show additional plans → Select Ultimate Performance.
- Now install VMware Tools for better accessibility. Once installed, restart the machine.
ENABLING WINDOWS POWERSHELL LOGGING
- After the restart, we need to enable PowerShell logging for detecting various malware techniques like in-memory malware, process injection, process hollowing, etc. It gives us the visibility to see what scripts are being executed from PowerShell, which is often abused by adversaries when they execute their malware.
- To enable it, go to gpedit.msc.
- Once the Local Group Policy Editor is opened, go to Computer Configuration → Administrative Templates → Windows Components → Select Windows PowerShell.
- Under this setting, first select Turn on PowerShell Transcription → Select Enabled → Also check the Include invocation headers option (this adds detailed information, such as the timestamp of when a PowerShell command was executed, to each transcript) → Click Next Setting → Now under Turn on PowerShell Script Block Logging → Select Enabled → Click Next Setting → Now under Turn on Module Logging → Select Enabled → Under Module Names → Click Show → Put an asterisk (*) under Value, which means all modules are included → Click OK and finally click Apply. Now you should see that all three of the above logging settings are enabled.
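The following script is an added check, not part of the original guide: after running gpupdate /force it reads the registry values that the three Group Policy settings above write (the documented policy keys under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell), reports whether each is enabled and where transcripts are written, and then pulls the newest script block (4104) and module (4103) events from the Microsoft-Windows-PowerShell/Operational log so you can confirm the events the SIEM will collect are actually being produced. The function name Get-PolicyValue is my own.

```powershell
# Added example (not from the original guide): verify the PowerShell logging
# policies configured in gpedit took effect on win-victim-01, then confirm
# 4103/4104 events are reaching the event log the SIEM agent will forward.
# Run in an elevated PowerShell after: gpupdate /force

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    # Helper (my own name): read one policy value, $null if the key/value is absent.
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Each GUI setting maps to one DWORD that gpedit writes under the policy root.
$checks = @(
    @{ Policy = 'Transcription';        SubKey = 'Transcription';      Name = 'EnableTranscripting' }
    @{ Policy = 'Invocation headers';   SubKey = 'Transcription';      Name = 'EnableInvocationHeader' }
    @{ Policy = 'Script block logging'; SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' }
    @{ Policy = 'Module logging';       SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' }
)

$results = @(foreach ($c in $checks) {
    $value = Get-PolicyValue -SubKey $c.SubKey -Name $c.Name
    [pscustomobject]@{
        Policy  = $c.Policy
        Enabled = ($value -eq 1)
        Value   = if ($null -eq $value) { '<not set>' } else { $value }
    }
})

# Module Names: the guide adds a single "*" entry, meaning every module is logged.
$moduleNamesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
$moduleNames = @()
if (Test-Path $moduleNamesKey) {
    $moduleNames = (Get-ItemProperty -Path $moduleNamesKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop provider metadata
        ForEach-Object { $_.Name }
}
$results += [pscustomobject]@{
    Policy  = 'Module names include *'
    Enabled = ($moduleNames -contains '*')
    Value   = ($moduleNames -join ', ')
}

$results | Format-Table -AutoSize

# Transcripts go to OutputDirectory if the policy sets one, otherwise to the
# user's Documents folder. This is the path the SIEM agent should monitor.
$transcriptDir = Get-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory'
if ([string]::IsNullOrEmpty($transcriptDir)) {
    $transcriptDir = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'PowerShell_transcript*'
}
"Transcript location: $transcriptDir"

# Run one harmless command in this (post-policy) session, then look for its events.
Get-Date | Out-Null
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104, 4103
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($recent) {
    $recent |
        Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    'No 4103/4104 events yet: run gpupdate /force, open a NEW PowerShell session and retry.'
}
```

Script block and module logging only apply to sessions started after the policy was applied, which is why the script tells you to open a new session when nothing shows up; a table with every Enabled column reading True and at least one 4104 row is the state you want before moving on to the SIEM agent.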
ENABLING WINDOWS DEFENDER FIREWALL LOGGING
- Next we need to enable Windows Defender Firewall logs. To do that, again go to gpedit.msc.
- Once the Local Group Policy Editor is opened, go to Computer Configuration → Windows Settings → Security Settings → Select Windows Defender Firewall with Advanced Security.
- Under this setting, click Windows Defender Firewall Properties to configure the Domain Profile, Private Profile and Public Profile settings.
- First, in all three profiles, set Firewall State → On (recommended), Inbound Connections → Block (default) and Outbound Connections → Allow (default). Finally we need to configure logging: below, select Customize under Logging → Uncheck the “Not configured” option and you will see the path where the log file is stored → Also uncheck “Not configured” under the Size limit option → Select Yes for both the Log dropped packets and Log successful connections options. Click Apply → Click OK.
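As an added example that is not part of the original guide, the script below applies the same per-profile state and logging settings with the built-in NetSecurity cmdlets (Set-NetFirewallProfile / Get-NetFirewallProfile), then parses the resulting pfirewall.log and summarizes dropped inbound connections by destination port, the same sanity check you would later rebuild as a SIEM query. The log path is Windows' built-in default, the function names are my own, and the log lines embedded at the bottom are constructed so the parser can be exercised offline.

```powershell
# Added example (not from the original guide): configure firewall logging on
# win-victim-01 the way the Group Policy steps do, verify it, and parse the
# pfirewall.log the SIEM agent will ingest. Run elevated.
# Assumptions: default Windows log path below; sample log lines are constructed.

$logPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

function Set-LabFirewallLogging {
    # Mirrors the GUI: On, inbound Block, outbound Allow, log dropped + successful.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -LogFileName $logPath `
        -LogMaxSizeKilobytes 32767 `
        -LogAllowed True `
        -LogBlocked True
}

function Test-LabFirewallLogging {
    # One row per profile, so a profile that was skipped in the GUI stands out.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction,
        DefaultOutboundAction, LogAllowed, LogBlocked, LogFileName
}

function ConvertFrom-PfirewallLog {
    # Parses the W3C-style log. Column names come from the '#Fields:' header,
    # so the parser copes with field-order differences between Windows builds.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $parts = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $parts.Count) { $parts[$i] } else { '-' }
        }
        [pscustomobject]$row
    }
}

function Get-DroppedInboundSummary {
    # Groups DROP/RECEIVE events by protocol and destination port: a quick view
    # of what is being blocked on the victim, and the query to rebuild in the SIEM.
    param([object[]]$Events)
    $Events |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Protocol, Port'; e = { $_.Name } }
}

# --- Constructed sample (layout matches pfirewall.log; addresses are made up) ---
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:02:11 DROP TCP 192.168.56.20 192.168.56.10 50112 445 52 S 1234567 0 64240 - - - RECEIVE
2024-01-15 10:02:11 DROP TCP 192.168.56.20 192.168.56.10 50113 3389 52 S 1234568 0 64240 - - - RECEIVE
2024-01-15 10:02:12 DROP TCP 192.168.56.20 192.168.56.10 50114 445 52 S 1234569 0 64240 - - - RECEIVE
2024-01-15 10:02:15 ALLOW UDP 192.168.56.10 192.168.56.1 51000 53 63 - - - - - - - SEND
'@ -split "`r?`n"

$events = ConvertFrom-PfirewallLog -Lines $sampleLog
Get-DroppedInboundSummary -Events $events | Format-Table -AutoSize
# Expected on the sample: "TCP, 445" with Count 2, then "TCP, 3389" with Count 1.

# On the live machine, apply, verify, then parse the real file:
# Set-LabFirewallLogging
# Test-LabFirewallLogging | Format-Table -AutoSize
# $real = ConvertFrom-PfirewallLog -Lines (Get-Content ([Environment]::ExpandEnvironmentVariables($logPath)))
# Get-DroppedInboundSummary -Events $real | Format-Table -AutoSize
```

Parsing by the #Fields header rather than by fixed column positions matters in practice: the log only contains the columns the header names, and a SIEM parser hard-wired to one layout silently mislabels ports and actions when the layout changes.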