Detection Lab
DetectionLab is a repository containing a variety of Packer, Vagrant, Powershell, Ansible, and Terraform scripts that allow you to automate the process of bringing an Active Directory environment online, complete with logging and security tooling, using a variety of different platforms. DetectionLab was built with defenders in mind.
Read more about DetectionLab on Medium.
As of 2023-01-01, DetectionLab is no longer being actively maintained.
Credit goes to . (Some of the quoted data inside this document is taken from the official website.)
DetectionLab can currently be deployed to the following platforms:
- Virtualbox (Windows, MacOS, Linux)
- VMware Workstation/Fusion (Windows, MacOS, Linux)
- HyperV
- ESXi
- AWS
- Azure
- LibVirt (Not officially supported)
- Proxmox (Not officially supported)
Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC.
A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
Zeek and Suricata are pre-configured to monitor and alert on network traffic
Apache Guacamole is installed to easily access all hosts from your local browser
Domain Name: windomain.local
Administrator login: vagrant:vagrant
Fleet login: admin@detectionlab.network:Fl33tpassword!
Splunk login: admin:changeme
Guacamole login: vagrant:vagrant
Velociraptor login: admin:changeme
### Lab Hosts
DC - Windows 2016 Domain Controller
- WEF Server Configuration GPO
- Powershell logging GPO
- Enhanced Windows Auditing policy GPO
- Sysmon
- Velociraptor
- osquery
- Splunk Universal Forwarder (Forwards Sysmon & osquery)
- Sysinternals Tools
- Microsoft Advanced Threat Analytics Lightweight Gateway

WEF - Windows 2016 Server
- Microsoft Advanced Threat Analytics
- Windows Event Collector
- Windows Event Subscription Creation
- Powershell transcription logging share
- Sysmon
- Velociraptor
- osquery
- Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
- Sysinternals tools

Win10 - Windows 10 Workstation
- Simulates employee workstation
- Sysmon
- Velociraptor
- osquery
- Splunk Universal Forwarder (Forwards Sysmon & osquery)
- Sysinternals Tools

Logger - Ubuntu 16.04
- Splunk Enterprise
- Fleet osquery Manager
- Zeek
- Suricata
- Guacamole
- Velociraptor server
### Splunk Indexes
- evtx_attack_samples: Samples from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
- osquery: osquery/Fleet result logs
- osquery-status: osquery/Fleet INFO/WARN/ERROR logs
- powershell: Powershell transcription logs
- suricata: Suricata IDS logs
- sysmon: Logs from the Sysmon service
- threathunting: Used for the ThreatHunting app
- wineventlog: Windows Event Logs
- zeek: Zeek network traffic logs
### Installed Tools on Windows
- Sysmon
- Velociraptor Agent
- osquery
- AutorunsToWinEventLog
- Process Monitor
- Process Explorer
- PsExec
- TCPView
- Notepad++
- Google Chrome
- WinRar
- Mimikatz
- Wireshark
- Powersploit
- Atomic Red Team
- BadBlood
Applied GPOs
### Virtualbox
Deploy DetectionLab to your local machine as individual Virtualbox VMs. Windows, Linux, and MacOS are all supported.
Requirements:
- 55GB+ of free disk space
- 16GB+ of RAM highly recommended
- Vagrant 2.2.9+
- Packer 1.6.0+ (only required if building your own boxes)
- Virtualbox 6.0+ (older versions may work but are not tested)
### VMware Fusion/Workstation
Deploy DetectionLab to your local machine as individual VMware VMs. Windows, Linux, and MacOS are all supported.
Requirements:
- VMware Fusion or Workstation (It must be registered, trials will not work)
- 55GB+ of free disk space
- 16GB+ of RAM highly recommended
- Vagrant 2.2.9+
- Packer 1.6.0+ (only required if building your own boxes)
- VMware Fusion 11+ or Workstation 15+ (older versions may work but are not tested)
It's easiest to think of Vagrant as a command-line wrapper for interacting with Virtualbox and VMware.
### Setting a default provider
### Basic Vagrant Usage
All commands must be run from the "DetectionLab/Vagrant" folder.
Bring up all Detection Lab hosts using Virtualbox:
vagrant up --provider=virtualbox
Bring up all Detection Lab hosts using VMware:
vagrant up --provider=vmware_desktop
Bring up a specific host:
vagrant up <hostname>
Restart a specific host:
vagrant reload <hostname>
Restart a specific host and re-run the provision process:
vagrant reload <hostname> --provision
Destroy a specific host:
vagrant destroy <hostname>
Destroy the entire Detection Lab environment:
vagrant destroy
(Adding -f forces it without a prompt)
SSH into a host (only works with Logger):
vagrant ssh logger
Run a WinRM command on a host (only works with DC, WEF, and WIN10):
vagrant winrm --command hostname --shell powershell <hostname>
Check the status of each host:
vagrant status
Suspend the lab environment:
vagrant suspend
Resume the lab environment:
vagrant resume
Shutdown each host:
vagrant halt
Here are some strategies for resolving common problems:
Issue: You run into an error while provisioning a host
Issue: You get stuck and want to start fresh
Solution: Navigate to DetectionLab/Vagrant and run vagrant destroy -f to force destroy all VMs. Afterwards, delete the .vagrant hidden folder inside of DetectionLab/Vagrant to ensure the VMs and their metadata have been properly removed. Optionally, delete and re-clone the entire DetectionLab git repo after those steps have been completed.
Issue: I get an "ERR_TOO_MANY_REDIRECTS" when trying to connect to the Exchange server over HTTPS
Workarounds: This often happens when you try to connect to Exchange while the server is still initializing. Wait 5-10 minutes, then try again. If the issue persists, please file an issue on GitHub.
Issue: Splunk says "Your Splunk license has expired or you have exceeded your license too many times"
Workarounds:
- Make some modifications to ingest less data
- Simply re-provision the logger host (no need to re-provision the Windows hosts; they'll automatically reconnect): vagrant destroy -f logger; vagrant up logger
Issue: Vagrant reports Message: HTTPClient::KeepAliveDisconnected: while provisioning.
Workaround: Run vagrant reload <hostname> --provision
Issue: Vagrant is unable to forward a port for you.
Workaround: Try a vagrant reload <hostname> --provision. For whatever reason vagrant up doesn't fix conflicts but reload does. Check if something is legitimately occupying the port via sudo lsof -n -iTCP:<port_number>
Issue: Your primary hard drive doesn't have enough space for DetectionLab.
Issue: You're having problems running Virtualbox while Hyper-V or CredentialGuard are enabled
Issue: You see an error message like VBoxManage: error: Unknown option: --clipboard
Create a dedicated folder for the lab and move into it
Clone the DetectionLab repo into the dedicated folder
Open PowerShell as Administrator and navigate to the DetectionLab\Vagrant folder
Run the .\prepare.ps1 script to verify the system prerequisites
Vagrant will bring up one host at a time, starting with logger and followed by dc, wef and win10. Three boxes will be downloaded from Vagrant cloud:
Each box will go through provisioning, which configures the host and installs software.
If all goes well, this process should continue for 1-2 hours depending on your computer and network speed. The boxes are very large, but only need to be downloaded once.
To speed up the provisioning process, we can bring up some hosts in parallel. To do this, I recommend opening 4 separate terminal windows in the DetectionLab/Vagrant directory. In terminal windows 1 and 2, you can run vagrant up logger and vagrant up dc at the same time. Before we can bring up wef and win10, we have to wait for the dc host to finish creating the domain. Once it has passed that step of the provisioning process, you can run vagrant up wef and vagrant up win10 in terminal windows 3 and 4 at the same time.
First bring up logger and dc inside two different PowerShell terminals.
Wait for the dc host to finish provisioning.
Bring up wef and win10.
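The parallel bring-up described above, scripted as an added example (it is not part of DetectionLab): wave 1 starts logger and dc together, and wave 2 starts wef and win10 only after vagrant up dc has exited, which is later than the domain-creation step the text mentions and therefore the conservative choice. It assumes a POSIX shell, vagrant on PATH and the DetectionLab/Vagrant folder as the working directory; PROVIDER and VAGRANT_CMD are environment overrides introduced here.

```shell
#!/bin/sh
# Parallel DetectionLab bring-up (added example, not part of the project).
# Wave 1 starts logger and dc together; wave 2 starts wef and win10 only after
# 'vagrant up dc' has exited, since those two hosts join the domain dc creates.
# Run from the DetectionLab/Vagrant folder as:  sh parallel-up.sh up
set -eu

PROVIDER="${PROVIDER:-virtualbox}"   # or vmware_desktop
VAGRANT="${VAGRANT_CMD:-vagrant}"    # set VAGRANT_CMD=echo for a dry run

WAVE1="logger dc"
WAVE2="wef win10"

# Run 'vagrant up' for every host in $1 concurrently, one log file per host,
# then wait for all of them; returns non-zero if any bring-up failed.
bring_up_wave() {
    hosts="$1"; pids=""; rc=0
    for host in $hosts; do
        "$VAGRANT" up --provider="$PROVIDER" "$host" > "up-$host.log" 2>&1 &
        pids="$pids $!"
    done
    for pid in $pids; do
        wait "$pid" || rc=1
    done
    return $rc
}

# Print the state of host $1 ("running", "not created", ...) taken from
# 'vagrant status' output read on stdin; prints nothing for unknown hosts.
host_state() {
    awk -v h="$1" '$1 == h { $1 = ""; $NF = ""; sub(/^ +/, ""); sub(/ +$/, ""); print; exit }'
}

main() {
    echo "Wave 1: $WAVE1"
    bring_up_wave "$WAVE1"
    echo "Wave 2: $WAVE2"
    bring_up_wave "$WAVE2"
    # Final check of every host's state, the same thing 'vagrant status' shows.
    "$VAGRANT" status > status.txt
    for host in $WAVE1 $WAVE2; do
        printf '%s: %s\n' "$host" "$(host_state "$host" < status.txt)"
    done
}

# Only start VMs when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "up" ]; then
    main
fi
```

Each host's provisioning output lands in up-<hostname>.log, so a failed wave can be diagnosed with the same error text the troubleshooting section refers to.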
Once provisioning is finished, you can access the VMs through the GUI or SSH/RDP to them directly.
You can also verify services are accessible by running
WEF + WIN10 failed to join domain
I think this is because DC provisioning froze on Running Autohotkey installer.
Solution:
win10 & wef both froze on Running Autohotkey installer too (like dc).
Forced the VMs to turn off from VirtualBox.
post_build_checks.ps1 error:
Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "The SSL connection could not be established, see inner exception."
Open PowerShell as Administrator and navigate to the DetectionLab\Vagrant folder
subscriptions and custom channels are implemented
osquery comes installed on each host and is pre-configured to connect to a server via TLS. Fleet is preconfigured with the configuration from
Sysmon is installed and configured using
All autostart items are logged to Windows Event Logs via
MS ATA login: wef\vagrant:vagrant [DEPRECATED]
The must be installed.
If you happen to have both Virtualbox and VMware Workstation/Fusion installed, it may be helpful to set the environment variable to either vmware_desktop or virtualbox.
Be sure to check the GitHub issues page for solved issues related to your problem:
Solution (error while provisioning a host): Each problem is different. Take a look at the error text and see if you can determine what the exact problem is based on the error message. Often, running vagrant reload <hostname> --provision is enough to get things back on track. That command will simply restart the VM and start provisioning over again. If that doesn't work, try destroying the host via vagrant destroy <hostname> and then re-creating it using vagrant up <hostname>. If you continue to run into the same error, search the GitHub issues page. Finally, if you can't find a solution to your problem, please open a new issue!
Workaround (expired Splunk license): Sign up for a free Splunk dev license, which gives you 10GB/day ingest, and apply that license.
Issue: Vagrant timed out while attempting to connect via WinRM after the Win10 host joins the domain.
Workaround: Documented in . Just run vagrant reload win10 --provision
Workaround (Vagrant is unable to forward a port): Documented in . There are a few possibilities: besides the reload and lsof checks listed under that issue above, follow the instructions from this comment:
Workaround (primary hard drive doesn't have enough space): Documented in . You can change the default location for Vagrant by using the environment variable.
Workaround (Virtualbox with Hyper-V or CredentialGuard enabled): This is not a supported configuration. See and
Workaround (VBoxManage: error: Unknown option: --clipboard): This should be fixed in Virtualbox 6.1.4, but please see for details on how to fix this.
Install VirtualBox & the VirtualBox Extension Pack (default Vagrant provider)
Install for Windows
Hosts can be brought up one at a time using this command (or proceed with the ):
If you encounter an error or any issues, check out the .
I've checked all the services and they are up (the post_build_checks.ps1 script must be checked).