This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
- Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
- A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
- A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
- Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
- Powershell transcript logging is enabled. All logs are saved to
\\wef\pslogs - osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
- Sysmon is installed and configured using Olaf Hartong's open-sourced Sysmon configuration
- All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
- Zeek and Suricata are pre-configured to monitor and alert on network traffic
- Apache Guacamole is installed to easily access all hosts from your local browser
This is a fork of @CLong's original DetectionLab project that has been modified to run on Proxmox. As such, there are some not insignificant differences between this version of DetectionLab, and @CLong's. I'll detail a few of them below:
- You'll need to pre-configure VM templates. For my personal needs, I have the following:
- 1x Windows Server 2019 VM template which is used for the domain controller and wef VMs
- 1x Windows 10 VM template
- 1x Ubuntu 20.04 VM template
- Each VM template comes pre-installed with qemu-guest-agent... if you don't include it, terraform won't output the "public" IPs. Also, VM cloning will take forever because Proxmox will try for about 10 minutes to retrieve the IPs before timing out.
- Further, some of the code that @CLong included as a remote provisioner in his Terraform has been moved in to cloud-init configuration files. This was done because I wanted to learn more about cloud-init rather than a practical/impactful need.
There are a few places you'll need to modify a few values.
- Make a copy of variables.example and rename it to variables.tf
- Retrieve and enter the proper values for the variables in variables.tf - you'll need to create an API key on your Proxmox server... I recommend creating a dedicated terraform user on your Proxmox server, then creating the API key for it.
- I have set each VM resource to receive IPs for DHCP rather than statically assign them. For the "public IP" (eth0 on the Linux VM, or the first Ethernet adapter on the Windows VMs), this is fine. Where this may mess you up is on the secondary adapter that the DetectionLab VMs use to communicate amongst themselves... @CLong has hardcoded the IPs in the scripts that perform the actual configuration (i.e. what gets run by ansible/vagrant). You can either add the appropriate IPs for static issuance in your DHCP server (which is what I have done), or hard code the appropriate IPs on the secondary NIC for each VM resource.
- Finally, change the target node that's listed in each VM resource. I call my Proxmox node "pve-node1", but you may call yours something different...
Once you've taken care of that, run the terraform like normal: terraform plan -out=dl.tfplan terraform apply dl.tfplan
That'll provision the VMs.
Then you'll need to CD in to the Ansible directory, add the "public IPs" from the terraform output in to the inventory.yml file and run each ansible playbook (you can follow the normal DetectionLab process for the ansible step).
The primary documentation site is located at https://detectionlab.network
Please do all of your development in a feature branch on your own fork of DetectionLab. Contribution guidelines can be found here: CONTRIBUTING.md
- DetectionLab, Chris Long – Paul’s Security Weekly #593
- TaoSecurity - Trying DetectionLab
- Setting up Chris Long's DetectionLab
- Detection Lab: Visibility & Introspection for Defenders
A sizable percentage of this code was borrowed and adapted from Stefan Scherer's packer-windows and adfs2 Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
- Microsoft Advanced Threat Analytics
- Splunk
- osquery
- Fleet
- Windows Event Forwarding for Network Defense
- palantir/windows-event-forwarding
- osquery Across the Enterprise
- palantir/osquery-configuration
- Configure Event Log Forwarding in Windows Server 2012 R2
- Monitoring what matters — Windows Event Forwarding for everyone
- Use Windows Event Forwarding to help with intrusion detection
- The Windows Event Forwarding Survival Guide
- PowerShell ♥ the Blue Team
- Autoruns
- TA-microsoft-sysmon
- SwiftOnSecurity - Sysmon Config
- ThreatHunting
- sysmon-modular
- Atomic Red Team
- Hunting for Beacons
- Velociraptor
- BadBlood
- PurpleSharp
- EVTX-ATTACK-SAMPLES
I would like to extend thanks to the following sponsors for funding DetectionLab development. If you are interested in becoming a sponsor, please visit the sponsors page.
- braimee
- defensivedepth
- kafkaesqu3
- mdtro
- ealaney
- elreydetoda
- DevBits1702
- +1 private sponsor