• Installing & configuring Elasticsearch

• Installing & configuring Kibana

• Connecting Elasticsearch with Kibana

• Installing & configuring Fluentbit

• Installing & Configuring Winlogbeat

• Writing detection rules & simulating a suspicious activity

Requirements

• VMware / Virtual Box

• Windows 10/11 ISO – Ubuntu (20.0/22.0/24.0) ISO

• 16 GB RAM – 60 GB Disk Space

• 4 CPU Cores

PHASE 1 : Installing & configuring Elasticsearch

1. Updating Ubuntu packages

sudo apt update
sudo apt upgrade -y

2. Installing required packages & dependencies

sudo apt update && sudo apt upgrade -y
sudo apt install -y apt-transport-https gnupg wget curl

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | \
  sudo tee /etc/apt/sources.list.d/elastic-8.x.list

3. Installing Elastic

sudo apt install -y elasticsearch

4. Configuring elasticsearch.yml

sudo nano /etc/elasticsearch/elasticsearch.yml

Lines to be uncommented : Network.host & http.port

Lines to be added : discovery.type: single-node

network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node

5. Enabling & starting the Elasticsearch service

sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
sudo systemctl status elasticsearch

6. Elasticsearch-reset-password

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Then you can save your password in a txt file for later use

PHASE 2 : Installing & configuring Kibana

1. Installing Kibana

sudo apt install kibana -y

2. configuring Kibana

sudo nano /etc/kibana/kibana.yml

3. Only uncomment the server.port & server.host

server.port: 5601
server.host: "0.0.0.0"

4. Enabling & starting the kibana.service

sudo systemctl enable kibana
sudo systemctl start kibana
sudo systemctl status kibana

5. To check connectivity go to http://<your ip>:5601 , and your will then be asked for an enrollment token

PHASE 3 : Connecting elasticsearch with kibana

1. Generate Token

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollmenttoken -s kibana

2. After getting your token and inserting it into Kibana, a verification code will be created

3. Getting verification code

sudo cd /usr/share/kibana
sudo ./kibana-verification-code

PHASE 4 : Installing & Configuring Fluentbit & sending logs

sudo apt-get update
sudo apt-get install fluent-bit
sudo systemctl enable fluent-bit
sudo systemctl start fluent-bit

For a simple simulation of logs

Create a .log file for example firewall.log and add a few logs to that file and then save it.

2025-09-15 21:19:10 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.2.20'. Reason: Incorrect password.
2025-09-15 21:19:11 - AUTH: Failed login attempt for user 'root' from IP '172.16.2.20'. Reason: User does not exist.
2025-09-15 21:19:12 - AUTH: Failed login attempt for user 'backup_user' from IP '172.16.2.20'. Reason: Incorrect password.
2025-09-15 21:19:10 - AUTH: Failed login attempt for user 'backup_user' from IP '172.16.5.25'. Reason: Too many attempts.
2025-09-15 21:19:11 - AUTH: Failed login attempt for user 'sysadmin' from IP '172.16.43.36'. Reason: User does not exist.
2025-09-15 21:19:12 - AUTH: Failed login attempt for user 'service_account_2' from IP '172.16.209.170'. Reason: User does not exist.
2025-09-15 21:19:13 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.39.72'. Reason: User does not exist.
2025-09-15 21:19:14 - AUTH: Failed login attempt for user 'guest' from IP '172.16.210.88'. Reason: Incorrect password.
2025-09-15 21:19:15 - AUTH: Failed login attempt for user 'guest' from IP '172.16.77.96'. Reason: Incorrect password.
2025-09-15 21:19:16 - AUTH: Failed login attempt for user 'db_admin' from IP '172.16.24.146'. Reason: User does not exist.
2025-09-15 21:19:17 - AUTH: Failed login attempt for user 'web_user' from IP '172.16.136.135'. Reason: Account locked.
2025-09-15 21:19:18 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.24.89'. Reason: Too many attempts.
2025-09-15 21:19:19 - AUTH: Failed login attempt for user 'db_admin' from IP '172.16.181.30'. Reason: Too many attempts.

• Writing 3 different detection rules for detecting any executable download (IDS MODE)

Snort Installation :

Writing rules in Snort :

nano /etc/snort/rules/local.rules

and paste

alert tcp any any -> any 80 (msg:"Executable Download Detected (.exe)"; flow:to_client,established; content:".exe"; nocase; http_uri; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Executable MIME Download Detected"; flow:to_client,established; content:"application/x-msdownload"; http_header; nocase; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"Executable Binary Payload Detected (MZ header)"; flow:to_client,established; content:"MZ"; offset:0; depth:2; sid:1000003; rev:1;)

Testing :

Run Snort in a terminal:

sudo snort -c /etc/snort/snort.conf -r Downloads/1.pcap -A fast

Link of the pcap file Download

Sheet Cheat Link Download

• Create a Bash script to block all traffic to/from a domain Youtube by resolving its IPs , then save the info to a file.

Setup Environment

1. First of all I create a directory for the task and create the script file with the extension .sh

   

Write Script

#!/bin/bash

DOMAIN="youtube.com"
OUTPUT_FILE="blocked_domains.txt"


IPs=$(dig +short "$DOMAIN" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}')

if [ -z "$IPs" ]; then
    echo "Failed to resolve $DOMAIN"
    exit 1
fi

for IP in $IPs; do
    sudo iptables -A OUTPUT -d "$IP" -j REJECT
    sudo iptables -A INPUT -s "$IP" -j REJECT
    echo "$DOMAIN ($IP) has been blocked"
    echo "$(date): $DOMAIN ($IP) blocked" >> "$OUTPUT_FILE"
done

echo "Blocking complete. Details saved in $OUTPUT_FILE."

chmod 777 script.sh
sudo ./script.sh

1. First I specify the domain I want to block , in this case I will choose youtube.com

2. Then I assign an IP variable and use the regex to extract the IP

3. If the domain couldn't be resolved, the script exits with a message

4. Then I block the outgoing & the ingoing traffic from this domain using iptables

Test

cat blocked_domains.txt 
Sun Oct  5 07:41:17 PM EDT 2025: youtube.com (172.217.21.14) blocked

go to youtube.com

sudo apt install -y git gcc g++ make automake autoconf libtool libpcre3 libpcre3-dev \
libxml2 libxml2-dev libyajl-dev pkgconf zlib1g zlib1g-dev libcurl4-openssl-dev \
libgeoip-dev liblmdb-dev libfuzzy-dev liblua5.3-dev libpcre2-dev nginx wget curl

sa

git clone --depth 1 -b v3/master https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
sudo make install
cd ..

as

a

s

as

a

Change the Logical MAC Address Every 3 Minutes on Windows

MAC Spoofing With Python

import ctypes, sys, subprocess, random, time

INTERFACE = "Wi-Fi"

def is_admin():
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

def generate_mac():
    mac = [0x02, random.randint(0x00, 0x7f),
           random.randint(0x00, 0xff),
           random.randint(0x00, 0xff),
           random.randint(0x00, 0xff),
           random.randint(0x00, 0xff)]
    return "".join(f"{b:02X}" for b in mac)


def change_mac(interface, mac):
    print(f"[+] Changing {interface} MAC to {mac}")
    try:
        subprocess.run([
            "powershell", "-Command",
            f'Set-NetAdapterAdvancedProperty -Name "{interface}" -DisplayName "Network Address" -DisplayValue "{mac}"'
        ], check=True)

        subprocess.run([
            "powershell", "-Command",
            f'Restart-NetAdapter -Name "{interface}" -Confirm:$false'
        ], check=True)

    except subprocess.CalledProcessError as e:
        print("[-] Failed to change MAC:", e)

def main():
    while True:
        new_mac = generate_mac()
        change_mac(INTERFACE, new_mac)
        print("[*] Waiting 3 minutes before next change...\n")
        time.sleep(180)

if __name__ == "__main__":
    if not is_admin():
        print("[!] Restarting script as Administrator...")
        ctypes.windll.shell32.ShellExecuteW(
            None, "runas", sys.executable, " ".join(sys.argv), None, 1
        )
    else:
        main()

1. Choose Interface

2. make function to check Admin or not

3. Generate MAC

4. Change MAC by running PowerShell command

MAC Spoofing With Registry

# Run this script as Administrator

# Adapter name you want to change (Wi-Fi)
$AdapterName = "Wi-Fi"

# New MAC address (12 hex characters, no separators)
$NewMAC = "02AB4C90D3F1"

# Registry base path for all network adapters
$BasePath = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}"

# Find the registry key for the adapter
$Adapter = Get-NetAdapter -Name $AdapterName
if (-not $Adapter) {
    Write-Host "[-] Adapter $AdapterName not found."
    exit
}

$RegKey = Get-ChildItem $BasePath | Where-Object {
    (Get-ItemProperty $_.PSPath).NetCfgInstanceId -eq $Adapter.InterfaceGuid
}

if (-not $RegKey) {
    Write-Host "[-] Could not locate registry key for $AdapterName"
    exit
}

# Set or update the NetworkAddress value
Set-ItemProperty -Path $RegKey.PSPath -Name "NetworkAddress" -Value $NewMAC
Write-Host "[+] MAC Address for $AdapterName set to $NewMAC in registry."

# Restart adapter to apply changes
Write-Host "[*] Restarting adapter..."
Disable-NetAdapter -Name $AdapterName -Confirm:$false
Start-Sleep -Seconds 2
Enable-NetAdapter -Name $AdapterName -Confirm:$false

Write-Host "[+] Done! New MAC should be active."

.\Change-MAC.ps1