# DetectionLab

## Overview

This project is based on the awesome DetectionLab project.

Only minor changes were made, to focus on network analysis: a router was added and the default gateway of the virtual machines was changed to point at it. This lets network analyzers inspect the Internet traffic of the virtual machines.

Be aware: this is an unsupported setup, as Vagrant assumes the first network card is always used for outbound connections and as the default gateway. Reprovisioning might fail; since the setup is largely automated, it is easier to destroy a virtual machine and recreate it.

Some more optional boxes are included in the Vagrantfile but are not started by default. You can bring up kali, malcolm, or securityonion if you need them.
## Setup on Windows

Run PowerShell as admin and execute the following commands:

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco install -y virtualbox vagrant git googlechrome
c:
cd \
mkdir data
cd data
& 'C:\Program Files\Git\bin\git.exe' clone https://git.trinitor.de/trinitor/DetectionLab.git
cd DetectionLab/Vagrant
C:\HashiCorp\Vagrant\bin\vagrant.exe plugin install vagrant-reload
```
## Usage

Start router, dc, wef, and win10. This is the default DetectionLab setup:

```powershell
C:\HashiCorp\Vagrant\bin\vagrant.exe up
```

You can also choose which virtual machines to create. For example, if you do not need the Windows environment you can bring up a small network:

```powershell
C:\HashiCorp\Vagrant\bin\vagrant.exe up router malcolm kali
```

### Destroy lab

```powershell
C:\HashiCorp\Vagrant\bin\vagrant.exe destroy
```
## Information

- Domain Name: windomain.local

| Hostname | IPs |
|---|---|
| router | 192.168.38.2, 192.168.39.2 |
| logger | 192.168.38.105 |
| dc | 192.168.38.102 |
| wef | 192.168.38.103 |
| win10 | 192.168.38.104 |
| kali | 192.168.38.30 |
| securityonion | 192.168.39.10, 192.168.38.10 |
| malcolm | 192.168.39.11, 192.168.38.11 |
## Credentials

| Name | URL | User | Password |
|---|---|---|---|
| Domain Admin | | vagrant | vagrant |
| Fleet | https://192.168.38.105:8412 | admin | admin123# |
| Splunk | https://192.168.38.105:8000 | admin | changeme |
| MS ATA | https://192.168.38.103 | wef\vagrant | vagrant |
| Guacamole | http://192.168.38.105:8080/guacamole | vagrant | vagrant |
| Velociraptor | https://192.168.38.105:9999 | admin | changeme |
| Malcolm Arkime | https://192.168.39.11 | vagrant | vagrant |
| Malcolm Kibana | https://192.168.39.11/kibana | vagrant | vagrant |
| CyberChef | https://192.168.39.10/cyberchef/cyberchef.htm | | |
| Squert | https://192.168.39.10/squert/ | vagrant | vagrant |
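A small lab smoke test, added here as an example and not part of the original project: it parses the credentials table above (a constructed copy is embedded) and TCP-connects to each listener, so you can confirm the boxes and their services actually came up after `vagrant up` before you start sending traffic through the router.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed copy of the credentials table above; only the URL column is parsed.
SERVICE_TABLE = """\
| Name | URL | User | Password |
|---|---|---|---|
| Domain Admin | | vagrant | vagrant |
| Fleet | https://192.168.38.105:8412 | admin | admin123# |
| Splunk | https://192.168.38.105:8000 | admin | changeme |
| MS ATA | https://192.168.38.103 | wef\\vagrant | vagrant |
| Guacamole | http://192.168.38.105:8080/guacamole | vagrant | vagrant |
| Velociraptor | https://192.168.38.105:9999 | admin | changeme |
| Malcolm Arkime | https://192.168.39.11 | vagrant | vagrant |
| Malcolm Kibana | https://192.168.39.11/kibana | vagrant | vagrant |
| CyberChef | https://192.168.39.10/cyberchef/cyberchef.htm | | |
| Squert | https://192.168.39.10/squert/ | vagrant | vagrant |
"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_services(table):
    """Return [(name, host, port)] for each row whose URL cell is an http(s) URL.
    Header, separator and rows without a URL (Domain Admin) are skipped."""
    services = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or not re.match(r"https?://", cells[1]):
            continue
        parts = urlsplit(cells[1])
        services.append((cells[0], parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]))
    return services

def check_services(services, timeout=2.0):
    """TCP-connect to every (name, host, port) and return {name: reachable}.
    Only the listener is tested (no TLS, no login): a quick smoke test after `vagrant up`."""
    results = {}
    for name, host, port in services:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[name] = True
        except OSError:  # refused, unreachable or timed out
            results[name] = False
    return results

if __name__ == "__main__":
    for name, up in check_services(parse_services(SERVICE_TABLE)).items():
        print(f"{'UP  ' if up else 'DOWN'} {name}")
```

Run it from the host after `vagrant up`; a DOWN line for a box you did not start (e.g. malcolm or securityonion) is expected.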
## Acknowledgements

- DetectionLab
- Microsoft Advanced Threat Analytics
- Splunk
- osquery
- Fleet
- Windows Event Forwarding for Network Defense
- palantir/windows-event-forwarding
- osquery Across the Enterprise
- palantir/osquery-configuration
- Configure Event Log Forwarding in Windows Server 2012 R2
- Monitoring what matters — Windows Event Forwarding for everyone
- Use Windows Event Forwarding to help with intrusion detection
- The Windows Event Forwarding Survival Guide
- PowerShell ♥ the Blue Team
- Autoruns
- TA-microsoft-sysmon
- SwiftOnSecurity - Sysmon Config
- ThreatHunting
- sysmon-modular
- Atomic Red Team
- Hunting for Beacons
- Velociraptor
- BadBlood
- PurpleSharp
- EVTX-ATTACK-SAMPLES
- Malcolm
- SecurityOnion
- Kali