Detection Lab

DetectionLab Intro

DetectionLab is a repository containing a variety of Packer, Vagrant, PowerShell, Ansible, and Terraform scripts that automate the process of bringing an Active Directory environment online, complete with logging and security tooling, on a variety of different platforms. DetectionLab was built with defenders in mind.

Read more about DetectionLab on Medium here.

❗As of 2023-01-01, DetectionLab is no longer being actively maintained - Sunsetting DetectionLab

📌 Credit goes to Chris Long. (Some of the quoted data inside this document is taken from the official DetectionLab.network website.)

Primary Lab Features

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC

  • A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.

  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging

  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented

  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs

  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration

  • Sysmon is installed and configured using Olaf Hartong's open-sourced Sysmon configuration

  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog

  • Zeek and Suricata are pre-configured to monitor and alert on network traffic

  • Apache Guacamole is installed to easily access all hosts from your local browser

Lab Information and Credentials

Lab Hosts

  • DC - Windows 2016 Domain Controller

    • WEF Server Configuration GPO

    • Powershell logging GPO

    • Enhanced Windows Auditing policy GPO

    • Sysmon

    • Velociraptor

    • osquery

    • Splunk Universal Forwarder (Forwards Sysmon & osquery)

    • Sysinternals Tools

    • Microsoft Advanced Threat Analytics Lightweight Gateway

  • WEF - Windows 2016 Server

    • Microsoft Advanced Threat Analytics

    • Windows Event Collector

    • Windows Event Subscription Creation

    • Powershell transcription logging share

    • Sysmon

    • Velociraptor

    • osquery

    • Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)

    • Sysinternals tools

  • Win10 - Windows 10 Workstation

    • Simulates employee workstation

    • Sysmon

    • Velociraptor

    • osquery

    • Splunk Universal Forwarder (Forwards Sysmon & osquery)

    • Sysinternals Tools

  • Logger - Ubuntu 16.04

    • Splunk Enterprise

    • Fleet osquery Manager

    • Zeek

    • Suricata

    • Guacamole

    • Velociraptor server

Splunk Indexes

Index Name            Description
evtx_attack_samples
osquery               osquery/Fleet result logs
osquery-status        osquery/Fleet INFO/WARN/ERROR logs
powershell            PowerShell transcription logs
suricata              Suricata IDS logs
sysmon                Logs from the Sysmon service
threathunting         Used for the ThreatHunting app
wineventlog           Windows Event Logs
zeek                  Zeek network traffic logs

Installed Tools on Windows

  • Sysmon

  • Velociraptor Agent

  • osquery

  • AutorunsToWinEventLog

  • Process Monitor

  • Process Explorer

  • PsExec

  • TCPView

  • Notepad++

  • Google Chrome

  • WinRAR

  • Mimikatz

  • Wireshark

  • PowerSploit

  • Atomic Red Team

  • BadBlood

Prerequisites

Virtualbox

Deploy DetectionLab to your local machine as individual Virtualbox VMs.

  • Windows, Linux, and MacOS are all supported

  • 55GB+ of free disk space

  • 16GB+ of RAM highly recommended

  • Vagrant 2.2.9+

  • Packer 1.6.0+ (only required if building your own boxes)

  • Virtualbox 6.0+ (older versions may work but are not tested)

VMware Fusion/Workstation

Deploy DetectionLab to your local machine as individual VMware VMs.

  • Windows, Linux, and MacOS are all supported

  • VMware Fusion or Workstation (It must be registered, trials will not work)

  • The Vagrant VMware Utility must be installed

  • 55GB+ of free disk space

  • 16GB+ of RAM highly recommended

  • Vagrant 2.2.9+

  • Packer 1.6.0+ (only required if building your own boxes)

  • VMware Fusion 11+ or Workstation 15+ (older versions may work but are not tested)

Basic Vagrant Usage

It’s easiest to think of Vagrant as a command-line wrapper for interacting with Virtualbox and VMware.

Setting a default provider

If you happen to have both Virtualbox and VMware Workstation/Fusion installed, it may be helpful to set the VAGRANT_DEFAULT_PROVIDER environment variable to either vmware_desktop or virtualbox.

All commands must be run from the “DetectionLab/Vagrant” folder

  • Bring up all Detection Lab hosts using Virtualbox: vagrant up --provider=virtualbox

  • Bring up all Detection Lab hosts using VMware: vagrant up --provider=vmware_desktop

  • Bring up a specific host: vagrant up <hostname>

  • Restart a specific host: vagrant reload <hostname>

  • Restart a specific host and re-run the provision process: vagrant reload <hostname> --provision

  • Destroy a specific host: vagrant destroy <hostname>

  • Destroy the entire Detection Lab environment: vagrant destroy (Adding -f forces it without a prompt)

  • SSH into a host (only works with Logger): vagrant ssh logger

  • Run a WinRM command on a host (only works with DC, WEF, and WIN10): vagrant winrm --command hostname --shell powershell <hostname>

  • Check the status of each host: vagrant status

  • Suspend the lab environment: vagrant suspend

  • Resume the lab environment: vagrant resume

  • Shutdown each host: vagrant halt
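The status and winrm commands above are enough to build a quick health check for the Windows hosts. The script below is an added example, not DetectionLab's own post_build_checks.ps1: it parses vagrant status, and for every Windows host that is running it asks the guest over vagrant winrm whether the core telemetry services are up. The service names Sysmon64, osqueryd, SplunkForwarder and Velociraptor are assumptions about what the installers register on this lab build; confirm them with Get-Service on one host before relying on the report.

```powershell
# Added example (not DetectionLab code). Run from the DetectionLab\Vagrant folder.
# Assumed service names; verify with "vagrant winrm --command Get-Service --shell powershell dc".
$WindowsHosts = @('dc', 'wef', 'win10')
$Services     = @('Sysmon64', 'osqueryd', 'SplunkForwarder', 'Velociraptor')

function Get-LabHostState {
    # Parse "vagrant status" into a hashtable: hostname -> state (running, poweroff, not created, ...)
    $state = @{}
    foreach ($line in (& vagrant status 2>$null)) {
        # Status lines look like: "dc                        running (virtualbox)"
        if ($line -match '^(?<name>\S+)\s+(?<state>.+?)\s+\((?<provider>[^)]+)\)\s*$') {
            $state[$Matches.name] = $Matches.state
        }
    }
    return $state
}

function Test-LabServices {
    param([string[]]$Hosts = $WindowsHosts, [string[]]$Names = $Services)
    $hostState = Get-LabHostState
    $results = @()
    foreach ($h in $Hosts) {
        if ($hostState[$h] -ne 'running') {
            # Not running (or not created): report the host state instead of querying it.
            $results += [pscustomobject]@{ Host = $h; Service = '*'; Status = "host $($hostState[$h])" }
            continue
        }
        # Ask the guest for service states. -ErrorAction SilentlyContinue keeps one missing
        # service from aborting the remote command, so the others are still reported.
        $cmd = "Get-Service -Name $($Names -join ',') -ErrorAction SilentlyContinue | ForEach-Object { '{0}={1}' -f `$_.Name, `$_.Status }"
        $out = & vagrant winrm --command $cmd --shell powershell $h 2>$null
        $seen = @{}
        foreach ($line in $out) {
            if ($line -match '^(?<svc>[^=]+)=(?<st>\w+)$') { $seen[$Matches.svc] = $Matches.st }
        }
        foreach ($n in $Names) {
            $results += [pscustomobject]@{
                Host    = $h
                Service = $n
                Status  = if ($seen.ContainsKey($n)) { $seen[$n] } else { 'missing' }
            }
        }
    }
    return $results
}

$report = Test-LabServices
$report | Format-Table -AutoSize
# Anything other than "Running" (Stopped, missing, or a host that is not up) is a failed check.
$bad = $report | Where-Object { $_.Status -ne 'Running' }
if ($bad) { Write-Warning "$($bad.Count) check(s) failed; see the table above" }
```

A "missing" entry usually means the service name assumption is wrong for that host rather than that the tool is absent, so check Get-Service output on the guest before re-provisioning.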

Troubleshooting & Known Issues

Be sure to check the GitHub issues page for solved issues related to your problem: https://github.com/clong/DetectionLab/issues

Here are some strategies for resolving common problems:


Issue: You run into an error while provisioning a host

Solution: Each problem is different. Take a look at the error text and see if you can determine what the exact problem is based on the error message. Oftentimes, running vagrant reload <hostname> --provision is enough to get things back on track. That command simply restarts the VM and starts provisioning over again. If that doesn’t work, try destroying the host via vagrant destroy <hostname> and then re-creating it using vagrant up <hostname>. If you continue to run into the same error, search DetectionLab issues. Finally, if you can’t find a solution to your problem, please open a new issue!


Issue: You get stuck and want to start fresh

Solution: Navigate to DetectionLab/Vagrant and run vagrant destroy -f to force destroy all VMs. Afterwards, delete the .vagrant hidden folder inside of DetectionLab/Vagrant to ensure the VMs and their metadata have been properly removed. Optionally, delete and re-clone the entire DetectionLab git repo after those steps have been completed.


Issue: I get an “ERR_TOO_MANY_REDIRECTS” when trying to connect to the Exchange server over HTTPS

Workarounds: This often happens when you try to connect to Exchange while the server is still initializing. Wait 5-10 minutes, then try again. If the issue persists, please file an issue on GitHub.


Issue: Splunk says “Your Splunk license has expired or you have exceeded your license too many times”

Workarounds:

  1. Make some modifications to ingest less data

  2. Sign up for a free Splunk dev license which gives you 10GB/day ingest: https://dev.splunk.com/enterprise/dev_license/ and apply that license

  3. Simply re-provision the logger host (no need to re-provision the windows hosts - they’ll automatically reconnect):

    1. vagrant destroy -f logger; vagrant up logger


Issue: Vagrant reports: Message: HTTPClient::KeepAliveDisconnected: while provisioning. Workaround: Run $ vagrant reload <hostname> --provision


Issue: Vagrant timed out while attempting to connect via WinRM after the Win10 host joins the domain. Workaround: Documented in #21. Just run $ vagrant reload win10 --provision


Issue: Vagrant is unable to forward a port for you.

Workaround: Documented in #11. There are a few possibilities:

  1. Try a vagrant reload <hostname> --provision. For whatever reason vagrant up doesn’t fix conflicts but reload does.

  2. Check if something is legitimately occupying the port via sudo lsof -n -iTCP:<port_number> (on a Windows host: Get-NetTCPConnection -LocalPort <port_number>, then look up the OwningProcess PID)


Issue: Your primary hard drive doesn’t have enough space for DetectionLab.

Workaround: Documented in #48. You can change the default location for Vagrant by using the VAGRANT_HOME environment variable.


Issue: You’re having problems running Virtualbox while Hyper-V or CredentialGuard are enabled

Workaround: This is not a supported configuration. See https://stackoverflow.com/questions/37955942/vagrant-up-vboxmanage-exe-error-vt-x-is-not-available-verr-vmx-no-vmx-code and https://github.com/clong/DetectionLab/issues/433


Issue: You see an error message like VBoxManage: error: Unknown option: --clipboard

Workaround: This should be fixed in Virtualbox 6.1.4, but please see this issue for details on how to fix this.


DetectionLab Deployment

  • Install Virtualbox & VirtualBox Extension Pack (default Vagrant provider)

  • Install Vagrant for Windows

  • Create a dedicated folder for the lab and move into it

  • Clone the DetectionLab repo into the dedicated folder

git clone https://github.com/clong/DetectionLab.git
Cloning into 'DetectionLab'...
remote: Enumerating objects: 6531, done.
remote: Counting objects: 100% (406/406), done.
remote: Compressing objects: 100% (169/169), done.
remote: Total 6531 (delta 226), reused 334 (delta 195), pack-reused 6125
Receiving objects: 100% (6531/6531), 194.62 MiB | 4.08 MiB/s, done.
Resolving deltas: 100% (3882/3882), done.
Updating files: 100% (412/412), done.
  • Open PowerShell as Administrator and navigate to the DetectionLab\Vagrant folder

  • Run the .\prepare.ps1 script to verify the system prerequisites, then bring up the whole lab:

vagrant up --provider=virtualbox
  1. Vagrant will bring up one host at a time, starting with logger and followed by dc, wef and win10.

  2. Three boxes will be downloaded from Vagrant cloud:

  3. Each box will go through provisioning, which configures the host and installs software.

  4. If all goes well, this process should take 1-2 hours depending on your computer and network speed. The boxes are very large, but only need to be downloaded once.

Parallel Provisioning Hosts

To speed up the provisioning process, we can bring up some hosts in parallel. To do this, open 4 separate terminal windows in the DetectionLab/Vagrant directory.

In terminal windows 1 and 2, you can run vagrant up logger and vagrant up dc at the same time. Before we can bring up wef and win10, we have to wait for the dc host to finish creating the domain.

Once it has passed that step of the provisioning process, you can run vagrant up wef and vagrant up win10 in terminal windows 3 and 4 at the same time.

  • First bring up logger and dc inside two different PowerShell terminals

vagrant up logger --provider=virtualbox
vagrant up dc --provider=virtualbox
  • 🚩 Wait for the dc to finish provisioning

  • Bring up wef and win10

vagrant up wef --provider=virtualbox
vagrant up win10 --provider=virtualbox
  • Once provisioning is finished, you can access the VMs through the GUI or SSH/RDP to them directly.

  • If you encounter an error or any issues, checkout the troubleshooting section.

  • You can also verify services are accessible by running

 .\post_build_checks.ps1
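The four-terminal procedure above can be driven from a single PowerShell session. The script below is an added example, not part of DetectionLab: it starts logger and dc together, waits until dc's provisioner log contains the "DC Provisioning Complete!" message the page shows in the Errors notes (waiting for full completion rather than just domain creation is simpler and equally safe), then starts wef and win10 together and reports each host's exit code. It assumes it is run as Administrator from DetectionLab\Vagrant with the VirtualBox provider, and it writes per-host logs to a logs folder of its own choosing.

```powershell
# Added example (not DetectionLab code). Run as Administrator from DetectionLab\Vagrant.
$Provider = 'virtualbox'
$LogDir   = Join-Path (Get-Location) 'logs'   # assumed location for per-host logs
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Start-LabHost {
    # Launch "vagrant up <host>" in its own process (the equivalent of a separate terminal)
    # with output captured to logs\<host>.log, and return the process so the caller can wait on it.
    param([Parameter(Mandatory)][string]$Name)
    $log = Join-Path $LogDir "$Name.log"
    $err = Join-Path $LogDir "$Name.err"
    $proc = Start-Process -FilePath 'vagrant' -ArgumentList @('up', $Name, "--provider=$Provider") `
        -NoNewWindow -PassThru -RedirectStandardOutput $log -RedirectStandardError $err
    $null = $proc.Handle   # cache the handle so ExitCode is readable after the process exits
    return $proc
}

function Wait-ForLogLine {
    # Poll a host's log for a marker line; fail if the vagrant process exits before it appears.
    param(
        [Parameter(Mandatory)][System.Diagnostics.Process]$Process,
        [Parameter(Mandatory)][string]$Log,
        [Parameter(Mandatory)][string]$Pattern,
        [int]$PollSeconds = 30
    )
    while ($true) {
        if ((Test-Path $Log) -and (Select-String -Path $Log -Pattern $Pattern -Quiet)) { return $true }
        if ($Process.HasExited) {
            throw "vagrant exited (code $($Process.ExitCode)) before '$Pattern' appeared in $Log"
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Phase 1: logger and dc do not depend on each other, so start both at once.
$logger = Start-LabHost -Name 'logger'
$dc     = Start-LabHost -Name 'dc'

# Phase 2: wef and win10 join the domain during provisioning, so they must wait for the DC.
Wait-ForLogLine -Process $dc -Log (Join-Path $LogDir 'dc.log') -Pattern 'DC Provisioning Complete!' | Out-Null
$wef   = Start-LabHost -Name 'wef'
$win10 = Start-LabHost -Name 'win10'

# Wait for all four and report exit codes. A non-zero code is the cue to run
# "vagrant reload <host> --provision" as described in the troubleshooting section.
$all = @{ logger = $logger; dc = $dc; wef = $wef; win10 = $win10 }
$all.Values | Wait-Process
foreach ($name in $all.Keys) {
    $code = $all[$name].ExitCode
    "{0,-7} exit code {1} ({2})" -f $name, $code, $(if ($code -eq 0) { 'ok' } else { "check logs\$name.log" })
}
```

If dc fails before the marker appears, the script throws while logger is still provisioning; let logger finish (or halt it with vagrant halt logger), fix dc with vagrant reload dc --provision, and rerun only the phase 2 lines.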

Bring Down lab

vagrant halt
# Shutdown each host
==> win10: Attempting graceful shutdown of VM...
==> wef: Attempting graceful shutdown of VM...
==> dc: Attempting graceful shutdown of VM...
==> logger: Attempting graceful shutdown of VM...

Bring Up lab

vagrant up --provider=virtualbox

Errors

  • WEF + WIN10 failed to join the domain

  • I think this is because DC provisioning froze on Running Autohotkey installer.

  • Solution:

vagrant reload dc --provision
# Wait for the message:
	dc: DC Provisioning Complete!
vagrant halt wef
vagrant destroy wef
vagrant up wef --provider=virtualbox
vagrant halt win10
vagrant destroy win10
vagrant up win10 --provider=virtualbox
  • win10 & wef both froze on Running Autohotkey installer too (like dc).

    • Forced the VMs off from VirtualBox.

vagrant reload wef --provision
vagrant reload win10 --provision
  • post_build_checks.ps1 Error:

    • Error occured on webrequest: Exception calling "DownloadString" with "1" argument(s): "The SSL connection could not be established, see inner exception."

Issue: I've checked all the services and they are up (the post_build_checks.ps1 script must be checked).

Destroy lab

  • Open PowerShell as Administrator and navigate to the DetectionLab\Vagrant folder

vagrant destroy

# confirm with y the destruction of every VM
