joshnguyen08 / cybersecurity-homelab


Securing victim subnet to allow execution of malware for threat hunting #8

Open joshnguyen08 opened 3 days ago

joshnguyen08 commented 3 days ago

Secure 192.168.3.0/24 itself so that it is contained and does not leak to other subnets or the core pfSense network.


joshnguyen08 commented 3 days ago

Rule #1 – this allows DNS lookups; it should be OK.

Rule #2 – allows internal communication in the victim subnet.

Rule #3 – allows access to seconion and Wazuh to send logs.

- disabled and added two new rules: allow only TCP 1514 destination to seconion, allow only TCP 55000 destination to seconion – both rules allow Wazuh agents to function.

Rule #4 – Splunk forwarding rule.

- disabled and added two new rules: allow only TCP 9997 destination to Splunk, allow TCP 8089 – both rules allow Splunk to receive the necessary data from the forwarder.

Rule #5 / #6 – allows HTTP/HTTPS access.

Rule #7 – final rule to block all other traffic from the victim network subnet.

Added 4 firewall rules, disabled two of the above.

Updated firewall for victim interface:


joshnguyen08 commented 3 days ago

How to check:

Check the Wazuh server to see if the active connection is still maintained – checked and it is good.

Check the Splunk universal forwarder to see if logs are still being sent – checked via Kibana, and it still shows traffic from the victim subnet being sent over; real-time data logging is still being sent.
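The rule set above and the "how to check" steps can be exercised offline as a model. The following is an added example, not code from this repository: it encodes the victim-interface rules as an ordered, first-match list the way pfSense evaluates them, then probes it with constructed packets to confirm the Wazuh/Splunk paths still pass and to look for leak paths into another subnet. Every host address (seconion, Splunk, the victim gateway, the core LAN as 192.168.1.0/24) is an assumption, as are two details the screenshots would settle: rule #1 is modelled as UDP 53 to the victim interface's gateway only, and rules #5/#6 as HTTP/HTTPS to any destination. With that "any" destination, a victim host can still reach port 80/443 on the core LAN (a pfSense web GUI, for instance), which the `with_private_block` variant closes by putting an RFC 1918 block in front of the HTTP/HTTPS rules. One caveat on ports, independent of the model: Wazuh's defaults are 1514 for agent events, 1515 for agent enrollment, and 55000 for the manager API, so if enrollment is done over the network it needs 1515 as well.

```python
"""Model of the victim-subnet (192.168.3.0/24) pfSense rule set from the issue,
evaluated first-match-wins, with a containment probe for leaks into other subnets.
Host addresses and the DNS/HTTP rule destinations are assumptions, not from the issue."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network

VICTIM = ipaddress.ip_network("192.168.3.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumed lab addresses (hypothetical; the issue does not give them):
VICTIM_GW = "192.168.3.1"   # pfSense interface address, assumed to be the DNS resolver
SECONION = "192.168.2.10"   # Security Onion / Wazuh manager
SPLUNK = "192.168.2.20"     # Splunk indexer
CORE_LAN = ipaddress.ip_network("192.168.1.0/24")  # core pfSense LAN the issue wants protected


def host(ip: str) -> IPv4Net:
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "pass" or "block"
    proto: str                        # "tcp", "udp" or "any"
    src: IPv4Net
    dst: IPv4Net
    dports: frozenset = frozenset()   # empty set = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Rule set as described in the thread (rules 3 and 4 replaced by their per-port successors).
RULES = [
    Rule("1 DNS", "pass", "udp", VICTIM, host(VICTIM_GW), frozenset({53})),
    Rule("2 intra-subnet", "pass", "any", VICTIM, VICTIM),
    Rule("3a wazuh agent 1514", "pass", "tcp", VICTIM, host(SECONION), frozenset({1514})),
    Rule("3b wazuh 55000", "pass", "tcp", VICTIM, host(SECONION), frozenset({55000})),
    Rule("4a splunk 9997", "pass", "tcp", VICTIM, host(SPLUNK), frozenset({9997})),
    Rule("4b splunk 8089", "pass", "tcp", VICTIM, host(SPLUNK), frozenset({8089})),
    Rule("5 http", "pass", "tcp", VICTIM, ANY, frozenset({80})),
    Rule("6 https", "pass", "tcp", VICTIM, ANY, frozenset({443})),
    Rule("7 block all", "block", "any", VICTIM, ANY),
]


def evaluate(rules, pkt: Packet):
    """Return (action, rule name) of the first matching rule; pfSense denies by default."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        return r.action, r.name
    return "block", "default deny"


def passes(rules, pkt: Packet) -> bool:
    return evaluate(rules, pkt)[0] == "pass"


def leaks_to(rules, target: IPv4Net, ports=(22, 53, 80, 443, 445, 1514, 3389, 8080, 9997)):
    """Probe from a victim host to the first address of `target` on common ports;
    return the (proto, port) pairs the rule set lets through."""
    probe_dst = str(next(target.hosts()))
    victim = "192.168.3.50"           # constructed victim host
    leaked = []
    for proto in ("tcp", "udp"):
        for port in ports:
            if passes(rules, Packet(proto, victim, probe_dst, port)):
                leaked.append((proto, port))
    return leaked


def with_private_block(rules):
    """Insert blocks for RFC 1918 destinations ahead of the http/https rules so those only
    reach the internet. The earlier host-specific rules (1-4) and rule 2 still match first."""
    private = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    idx = next(i for i, r in enumerate(rules) if r.name.startswith("5 "))
    blocks = [Rule(f"block private {n}", "block", "any", VICTIM, n) for n in private]
    return rules[:idx] + blocks + rules[idx:]


if __name__ == "__main__":
    print("leaks into core LAN, as described:", leaks_to(RULES, CORE_LAN))
    print("leaks into core LAN, hardened:   ", leaks_to(with_private_block(RULES), CORE_LAN))
```

Note that rule #2 also matches the firewall's own address on the victim interface (192.168.3.1 is inside 192.168.3.0/24), so the pfSense web GUI and SSH on that interface need their own restriction; the model does not try to cover that.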

joshnguyen08 commented 3 days ago

Snapshot taken of both VMs.