Detection Lab
DetectionLab Intro
DetectionLab is a repository containing a variety of Packer, Vagrant, Powershell, Ansible, and Terraform scripts that allow you to automate the process of bringing an Active Directory environment online complete with logging and security tooling using a variety of different platforms. DetectionLab was built with defenders in mind.
Read more about DetectionLab on Medium here.
As of 2023-01-01, DetectionLab is no longer being actively maintained (see "Sunsetting DetectionLab"). Credit goes to Chris Long. (Some of the quoted data inside this document is taken from the official DetectionLab.network website.)
DetectionLab can currently be deployed to the following platforms:
Virtualbox (Windows, MacOS, Linux)
VMware Workstation/Fusion (Windows, MacOS, Linux)
HyperV
ESXi
AWS
Azure
LibVirt (Not officially supported)
Proxmox (Not officially supported)
Primary Lab Features
Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
Sysmon is installed and configured using Olaf Hartong's open-sourced Sysmon configuration
All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
Zeek and Suricata are pre-configured to monitor and alert on network traffic
Apache Guacamole is installed to easily access all hosts from your local browser
Acknowledgements
Lab Information and Credentials
Domain Name: windomain.local
Administrator login: vagrant:vagrant
Fleet login: https://192.168.56.105:8412 - admin@detectionlab.network:Fl33tpassword!
Splunk login: https://192.168.56.105:8000 - admin:changeme
MS ATA login: https://192.168.56.103 - wef\vagrant:vagrant
[DEPRECATED] Guacamole login: http://192.168.56.105:8080/guacamole - vagrant:vagrant
Velociraptor login: https://192.168.56.105:9999 - admin:changeme
Lab Hosts
DC - Windows 2016 Domain Controller
WEF Server Configuration GPO
Powershell logging GPO
Enhanced Windows Auditing policy GPO
Sysmon
Velociraptor
osquery
Splunk Universal Forwarder (Forwards Sysmon & osquery)
Sysinternals Tools
Microsoft Advanced Threat Analytics Lightweight Gateway
WEF - Windows 2016 Server
Microsoft Advanced Threat Analytics
Windows Event Collector
Windows Event Subscription Creation
Powershell transcription logging share
Sysmon
Velociraptor
osquery
Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
Sysinternals tools
Win10 - Windows 10 Workstation
Simulates employee workstation
Sysmon
Velociraptor
osquery
Splunk Universal Forwarder (Forwards Sysmon & osquery)
Sysinternals Tools
Logger - Ubuntu 16.04
Splunk Enterprise
Fleet osquery Manager
Zeek
Suricata
Guacamole
Velociraptor server
Splunk Indexes
| Index Name | Description |
|---|---|
| evtx_attack_samples | Samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES |
| osquery | osquery/Fleet result logs |
| osquery-status | osquery/Fleet INFO/WARN/ERROR logs |
| powershell | Powershell transcription logs |
| suricata | Suricata IDS logs |
| sysmon | Logs from the Sysmon service |
| threathunting | Used for the ThreatHunting app |
| wineventlog | Windows Event Logs |
| zeek | Zeek network traffic logs |
Installed Tools on Windows
Sysmon
Velociraptor Agent
osquery
AutorunsToWinEventLog
Process Monitor
Process Explorer
PsExec
TCPView
Notepad++
Google Chrome
WinRar
Mimikatz
Wireshark
Powersploit
Atomic Red Team
BadBlood
Applied GPOs
Prerequisites
Virtualbox
Deploy DetectionLab to your local machine as individual Virtualbox VMs.
Windows, Linux, and MacOS are all supported
55GB+ of free disk space
16GB+ of RAM highly recommended
Vagrant 2.2.9+
Packer 1.6.0+ (only required if building your own boxes)
Virtualbox 6.0+ (older versions may work but are not tested)
VMware Fusion/Workstation
Deploy DetectionLab to your local machine as individual VMware VMs.
Windows, Linux, and MacOS are all supported
VMware Fusion or Workstation (It must be registered, trials will not work)
The Vagrant VMware Utility must be installed
55GB+ of free disk space
16GB+ of RAM highly recommended
Vagrant 2.2.9+
Packer 1.6.0+ (only required if building your own boxes)
VMware Fusion 11+ or Workstation 15+ (older versions may work but are not tested)
Basic Vagrant Usage
It's easiest to think of Vagrant as a command-line wrapper for interacting with Virtualbox and VMware.
Setting a default provider
If you happen to have both Virtualbox and VMware Workstation/Fusion installed, it may be helpful to set the VAGRANT_DEFAULT_PROVIDER environment variable to either vmware_desktop or virtualbox.
Basic Vagrant Usage
All commands must be run from the "DetectionLab/Vagrant" folder
Bring up all Detection Lab hosts using Virtualbox:
vagrant up --provider=virtualbox
Bring up all Detection Lab hosts using VMware:
vagrant up --provider=vmware_desktop
Bring up a specific host:
vagrant up <hostname>
Restart a specific host:
vagrant reload <hostname>
Restart a specific host and re-run the provision process:
vagrant reload <hostname> --provision
Destroy a specific host:
vagrant destroy <hostname>
Destroy the entire Detection Lab environment:
vagrant destroy
(Adding -f forces it without a prompt)
SSH into a host (only works with Logger):
vagrant ssh logger
Run a WinRM command on a host (only works with DC, WEF, and WIN10):
vagrant winrm --command hostname --shell powershell <hostname>
Check the status of each host:
vagrant status
Suspend the lab environment:
vagrant suspend
Resume the lab environment:
vagrant resume
Shutdown each host:
vagrant halt
Troubleshooting & Known Issues
Be sure to check the GitHub issues page for solved issues related to your problem: https://github.com/clong/DetectionLab/issues
Here are some strategies for resolving common problems:
Issue: You run into an error while provisioning a host
Solution: Each problem is different. Take a look at the error text and see if you can determine what the exact problem is based on the error message. Often, running
vagrant reload <hostname> --provision
is enough to get things back on track. That command will simply restart the VM and start provisioning over again. If that doesn't work, try destroying the host via vagrant destroy <hostname> and then re-creating it using vagrant up <hostname>. If you continue to run into the same error, search DetectionLab issues. Finally, if you can't find a solution to your problem, please open a new issue!
Issue: You get stuck and want to start fresh
Solution: Navigate to DetectionLab/Vagrant and run
vagrant destroy -f
to force destroy all VMs. Afterwards, delete the .vagrant hidden folder inside of DetectionLab/Vagrant to ensure the VMs and their metadata have been properly removed. Optionally, delete and re-clone the entire DetectionLab git repo after those steps have been completed.
Issue: I get an "ERR_TOO_MANY_REDIRECTS" when trying to connect to the Exchange server over HTTPS
Workarounds: This often happens when you try to connect to Exchange while the server is still initializing. Wait 5-10 minutes, then try again. If the issue persists, please file an issue on GitHub.
Issue: Splunk says "Your Splunk license has expired or you have exceeded your license too many times"
Workarounds:
Make some modifications to ingest less data
Sign up for a free Splunk dev license which gives you 10GB/day ingest: https://dev.splunk.com/enterprise/dev_license/ and apply that license
Simply re-provision the logger host (no need to re-provision the Windows hosts; they'll automatically reconnect):
vagrant destroy -f logger; vagrant up logger
Issue: Vagrant reports Message: HTTPClient::KeepAliveDisconnected: while provisioning.
Workaround: Run vagrant reload <hostname> --provision
Issue: Vagrant timed out while attempting to connect via WinRM after the Win10 host joins the domain.
Workaround: Documented in #21. Just run vagrant reload win10 --provision
Issue: Vagrant is unable to forward a port for you.
Workaround: Documented in #11. There are a few possibilities:
Try a vagrant reload <hostname> --provision. For whatever reason vagrant up doesn't fix conflicts but reload does.
Check if something is legitimately occupying the port via
sudo lsof -n -iTCP:<port_number>
Follow the instructions from this comment: https://github.com/hashicorp/vagrant/issues/8130#issuecomment-272963103
Issue: Your primary hard drive doesn't have enough space for DetectionLab.
Workaround: Documented in #48. You can change the default location for Vagrant by using the VAGRANT_HOME environment variable.
Issue: You're having problems running Virtualbox while Hyper-V or CredentialGuard are enabled
Workaround: This is not a supported configuration. See https://stackoverflow.com/questions/37955942/vagrant-up-vboxmanage-exe-error-vt-x-is-not-available-verr-vmx-no-vmx-code and https://github.com/clong/DetectionLab/issues/433
Issue: You see an error message like
VBoxManage: error: Unknown option: --clipboard
Workaround: This should be fixed in Virtualbox 6.1.4, but please see this issue for details on how to fix this.
DetectionLab Deployment
Install Virtualbox & VirtualBox Extension Pack (default Vagrant provider)
Install Vagrant for Windows
Create a dedicated folder for the lab and move into it
Clone the DetectionLab repo into the dedicated folder
Open PowerShell as Administrator and navigate to the DetectionLab\Vagrant folder
Run the .\prepare.ps1 script to verify the system prerequisites
Hosts can be brought up one at a time using this command (or proceed with the Parallel Provisioning):
Vagrant will bring up one host at a time, starting with logger and followed by dc, wef and win10. Three boxes will be downloaded from Vagrant cloud:
Each box will go through provisioning, which configures the host and installs software.
If all goes well, this process should take 1-2 hours depending on your computer and network speed. The boxes are very large, but only need to be downloaded once.
Parallel Provisioning Hosts
To speed up the provisioning process, we can bring up some hosts in parallel. To do this, I recommend opening 4 separate terminal windows in the DetectionLab/Vagrant directory. In terminal windows 1 and 2, you can run vagrant up logger and vagrant up dc at the same time. Before we can bring up wef and win10, we have to wait for the dc host to finish creating the domain. Once it has passed that step of the provisioning process, you can run vagrant up wef and vagrant up win10 in terminal windows 3 and 4 at the same time.
First bring up logger and dc inside two different PowerShell terminals
Wait for the dc to finish provisioning
Bring up wef and win10
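The three-step parallel procedure above, automated as an added example (not DetectionLab's own code). It assumes vagrant is on PATH, a provider is selected via VAGRANT_DEFAULT_PROVIDER, the script runs from DetectionLab\Vagrant in an elevated PowerShell, and (my assumption, not stated on the page) that dc has finished creating the domain once its NTDS service is running.

```powershell
# Added example, not part of DetectionLab. Run from DetectionLab\Vagrant in an elevated PowerShell,
# with vagrant on PATH and a provider chosen via VAGRANT_DEFAULT_PROVIDER.
if (-not (Test-Path '.\Vagrantfile')) { throw 'Run this script from the DetectionLab\Vagrant folder.' }

function Start-LabHost([string]$Name) {
    # One console window per host, like the four terminals described above.
    $p = Start-Process -FilePath 'vagrant' -ArgumentList @('up', $Name) -PassThru
    $null = $p.Handle   # cache the handle so ExitCode is populated later (PowerShell quirk)
    return $p
}

function Wait-DomainReady([System.Diagnostics.Process]$DcProcess, [int]$TimeoutMinutes = 120) {
    # Assumption (not from the page): the domain exists once the NTDS service is running on dc.
    # While dc reboots or is still provisioning, WinRM fails and the loop simply retries;
    # if dc's own vagrant up has already finished, that is good enough too.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if ($DcProcess.HasExited) { return ($DcProcess.ExitCode -eq 0) }
        $status = & vagrant winrm --shell powershell --command "(Get-Service NTDS -ErrorAction SilentlyContinue).Status" dc 2>&1 | Out-String
        if ($status -match 'Running') { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

# Terminals 1 and 2: logger and dc in parallel.
$logger = Start-LabHost 'logger'
$dc     = Start-LabHost 'dc'
if (-not (Wait-DomainReady -DcProcess $dc)) { throw 'dc did not finish creating windomain.local in time; check its window.' }

# Terminals 3 and 4: only now can wef and win10 join the domain.
$wef   = Start-LabHost 'wef'
$win10 = Start-LabHost 'win10'

$all = [ordered]@{ logger = $logger; dc = $dc; wef = $wef; win10 = $win10 }
foreach ($name in $all.Keys) { $all[$name].WaitForExit() }
foreach ($name in $all.Keys) {
    if ($all[$name].ExitCode -ne 0) {
        # Same recovery the troubleshooting section recommends.
        Write-Warning "$name failed (exit $($all[$name].ExitCode)). Try: vagrant reload $name --provision"
    }
}
vagrant status
```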
Once provisioning is finished, you can access the VMs through the GUI or SSH/RDP to them directly.
If you encounter an error or any issues, checkout the troubleshooting section.
You can also verify services are accessible by running
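An added reachability check for the endpoints listed under Lab Information and Credentials (example code; it is neither the command omitted above nor DetectionLab's own post_build_checks.ps1). It assumes the default host-only addresses from that section and, for MS ATA, that the web UI listens on 443.

```powershell
# Added example, not part of DetectionLab. Endpoints are the defaults from the credentials section.
$services = @(
    @{ Name = 'Splunk';       Address = '192.168.56.105'; Port = 8000; VM = 'logger' },
    @{ Name = 'Fleet';        Address = '192.168.56.105'; Port = 8412; VM = 'logger' },
    @{ Name = 'Velociraptor'; Address = '192.168.56.105'; Port = 9999; VM = 'logger' },
    @{ Name = 'Guacamole';    Address = '192.168.56.105'; Port = 8080; VM = 'logger' },   # deprecated per the page
    @{ Name = 'MS ATA';       Address = '192.168.56.103'; Port = 443;  VM = 'wef' }       # port 443 is an assumption
)

function Test-LabService($svc) {
    # TCP connect only: the lab's self-signed certificates would make a plain HTTPS probe fail,
    # which is exactly the "SSL connection could not be established" error noted above.
    $ok = Test-NetConnection -ComputerName $svc.Address -Port $svc.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $svc.Name; Endpoint = "$($svc.Address):$($svc.Port)"; Up = [bool]$ok; VM = $svc.VM }
}

$results = $services | ForEach-Object { Test-LabService $_ }
$results | Format-Table -AutoSize
foreach ($d in ($results | Where-Object { -not $_.Up })) {
    Write-Warning "$($d.Service) is not reachable at $($d.Endpoint); try: vagrant reload $($d.VM) --provision"
}
```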
Bring Down lab
Bring Up lab
Errors
WEF + WIN10 failed to join domain
I think this is because DC provisioning froze on Running Autohotkey installer.
Solution: win10 & wef both froze on Running Autohotkey installer too (like dc). Forced the VMs off from VirtualBox.
post_build_checks.ps1
Error: Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "The SSL connection could not be established, see inner exception."
Issue: I've checked all the services and they are up (the post_build_checks.ps1 script must be checked).
Destroy lab
Open PowerShell as Administrator and navigate to the DetectionLab\Vagrant folder
DetectionLab Usage
Check the Usage section of the official repo
DetectionLab Customization
Check the Customization section of the official repo