/DetectionLab

Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices

Primary LanguageHTMLMIT LicenseMIT

DetectionLab

Detection Lab

DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.

CircleCI license Maintenance GitHub last commit Twitter

Donate to the project:

All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below!

GitHub Sponsor Donate Donate

Purpose

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Primary Lab Features:

  • Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Requirements

  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Packer 1.3.2 or newer
  • Vagrant 2.2.7 or newer
  • Virtualbox or VMWare Fusion/Workstation

Building Detection Lab

Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system.


Basic Vagrant Usage

Moved to the wiki: Basic Vagrant Usage


Lab Information

Moved to the wiki: Lab Information & Credentials


Known Issues and Workarounds

Moved to the wiki: Known Issues and Workarounds


Contributing

Please do all of your development in a feature branch on your own fork of DetectionLab. Contribution guidelines can be found here: CONTRIBUTING.md

In the Media

Credits/Resources

A sizable percentage of this code was borrowed and adapted from Stefan Scherer's packer-windows and adfs2 Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.

Acknowledgements