Update README.md

Chris Long
2019-05-01 00:25:16 -07:00
committed by GitHub
parent bb2a17ba98
commit 8b8ff232b3


@@ -3,6 +3,8 @@ DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to
CircleCI: [![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=svg)](https://circleci.com/gh/clong/DetectionLab/tree/master) CircleCI: [![CircleCI](https://circleci.com/gh/clong/DetectionLab/tree/master.svg?style=svg)](https://circleci.com/gh/clong/DetectionLab/tree/master)
[![Twitter](https://img.shields.io/twitter/follow/DetectionLab.svg?style=social)](https://twitter.com/DetectionLab)
#### Donate to the project: #### Donate to the project:
All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below! All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below!
@@ -39,10 +41,6 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
* Vagrant 2.2.2 or newer * Vagrant 2.2.2 or newer
* Virtualbox or VMWare Fusion/Workstation * Virtualbox or VMWare Fusion/Workstation
**Known Bad Versions:**
* Packer 1.1.2 will fail to build VMWare-ISOs correctly due to [this issue](https://github.com/hashicorp/packer/issues/5622).
--- ---
## Quickstart ## Quickstart
@@ -50,31 +48,28 @@ DetectionLab now contains build scripts for \*NIX, MacOS, and Windows users!
There is a single build script that supports 3 different options: There is a single build script that supports 3 different options:
- `./build.sh <virtualbox|vmware_desktop>` - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth - `./build.sh <virtualbox|vmware_desktop>` - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth
- `./build.sh <virtualbox|vmware_desktop> --vagrant-only` - Downloads pre-built Packer boxes from https://detectionlab.network and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes. - `./build.sh <virtualbox|vmware_desktop> --vagrant-only` - Downloads pre-built Packer boxes from Vagrant Cloud and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes.
- `./build.sh <virtualbox|vmware_desktop> --packer-only` - This option only builds the Packer boxes and will not use Vagrant to start up the lab. - `./build.sh <virtualbox|vmware_desktop> --packer-only` - This option only builds the Packer boxes and will not use Vagrant to start up the lab.
Windows users will want to use the following script: Windows users will want to use the following script:
- `./build.ps1 -ProviderName <virtualbox|vmware_desktop>` - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth - `./build.ps1 -ProviderName <virtualbox|vmware_desktop>` - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth
- `./build.ps1 -ProviderName <virtualbox|vmware_desktop> -VagrantOnly` - Downloads pre-built Packer boxes from https://detectionlab.network and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes. - `./build.ps1 -ProviderName <virtualbox|vmware_desktop> -VagrantOnly` - Downloads pre-built Packer boxes from Vagrant Cloud and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes.
--- ---
## Building DetectionLab from Scratch ## Building DetectionLab from Scratch
1. Determine which Vagrant provider you want to use. 1. Determine which Vagrant provider you want to use. Current supported providers are:
* Note: Virtualbox is free, the [VMWare Desktop vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80.
#### Warning: As of May 1, 2019 the boxes will only be available from [Vagrant Cloud](https://app.vagrantup.com/detectionlab/) - Virtualbox
- VMware Workstation & Fusion
- Note: Virtualbox is free, the [VMWare Desktop Vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80 and is required to use Vagrant with VMware.
If you'd like to save time, you can skip the building of the Packer boxes and download the boxes directly from https://detectionlab.network and put them into the `Boxes` directory: There are currently three ways to build the lab:
* **Recommended**: Use the boxes hosted on [Vagrant Cloud](https://app.vagrantup.com/detectionlab). This method should take **~2 hours** total to download the boxes and provision the lab.
* Build the boxes yourself using Packer. This method will take ~4 hours to build the boxes and another ~90-120 minutes to provision them for a total of **5-6 hours**.
* [Provision the lab in AWS using Terraform](Terraform/README.md). The lab can be brought online in under **30 minutes**.
Provider | Box | URL | MD5 | Size If you choose to use the boxes hosted on Vagrant Cloud, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
------------|-----|-----|----|----
Virtualbox |Windows 2016 | https://www.detectionlab.network/windows_2016_virtualbox.box | 231b54077d4396cad01e4cd60651b1e0 | 7.9GB
Virtualbox | Windows 10 | https://www.detectionlab.network/windows_10_virtualbox.box | c03f10f21b8d79e6acca2b2965b23046 | 6.4GB
VMware | Windows 2016 | https://www.detectionlab.network/windows_2016_vmware.box | 2bbaf5a1177e0499dc3aacdb0246eb38 | 8.2GB
VMware | Windows 10 | https://www.detectionlab.network/windows_10_vmware.box | b334c3ba5be3b29840567ffe368db5fe | 5.9GB
If you choose to download the boxes, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.
2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 1 hour. As far as I know, you can only build one box at a time. 2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 1 hour. As far as I know, you can only build one box at a time.
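Review bot: the removed box table carried an MD5 and size for every pre-built box, and nothing in the new Vagrant Cloud path replaces that integrity check: the new text makes downloading the boxes the **Recommended** route and, in the same paragraph, concedes "If you don't trust pre-built boxes", but gives readers no way to verify what they fetched. Consider documenting which box version to pin and how to confirm the box checksum after download, so the recommended path is not strictly weaker than the one it replaces.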
@@ -89,17 +84,28 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json
`mv *.box ../Boxes` `mv *.box ../Boxes`
4. cd into the Vagrant directory: `cd ../Vagrant` 4. `cd` into the Vagrant directory: `cd ../Vagrant` and edit the `Vagrantfile`. Change the lines `cfg.vm.box = "detectionlab/win2016"` and `cfg.vm.box = "detectionlab/win10` to `cfg.cm.box = "../Boxes/windows_2016_<provider>.box"` and "`cfg.cm.box = "../Boxes/windows_10_<provider>.box"` respectively.
5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload` 5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload`
6. Ensure you are in the Vagrant folder and run `vagrant up`. This command will do the following: 6. **VMware Only:**
* [Buy a license](https://www.vagrantup.com/vmware/index.html#buy-now) for the VMware plugin
* Install it with `vagrant plugin install vagrant-vmware-desktop`.
* License it with `vagrant plugin license vagrant-vmware-desktop <path_to_.lic>`.
* Download and install the VMware Vagrant utility: https://www.vagrantup.com/vmware/downloads.html
7. Ensure you are in the base DetectionLab folder and run `./build.sh` (Mac & Linux) or `./build.ps1` (Windows). This script will do the following:
* Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance. * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance.
* Provision the DC host and configure it as a Domain Controller * Provision the DC host and configure it as a Domain Controller
* Provision the WEF host and configure it as a Windows Event Collector in the Servers OU * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
* Provision the Win10 host and configure it as a computer in the Workstations OU * Provision the Win10 host and configure it as a computer in the Workstations OU
7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) 8. Build logs will be present in the `Vagrant` folder as `vagrant_up_<host>.log`. If filing an issue, please paste the contents of that log into a Gist to help with debugging efforts.
8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
9. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
10. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
---
## Basic Vagrant Usage ## Basic Vagrant Usage
Vagrant commands must be run from the "Vagrant" folder. Vagrant commands must be run from the "Vagrant" folder.
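Review bot: step 4 contains a typo that breaks the edit it describes: it tells readers to change `cfg.vm.box = ...` to `cfg.cm.box = "../Boxes/windows_2016_<provider>.box"`, but the Vagrant setting is `cfg.vm.box`, and a Vagrantfile that assigns `cfg.cm.box` will not load. The same sentence has unbalanced quoting (`cfg.vm.box = "detectionlab/win10` is missing its closing quote and backtick, and the second replacement opens with a stray `"`). Suggested wording: change `cfg.vm.box = "detectionlab/win2016"` and `cfg.vm.box = "detectionlab/win10"` to `cfg.vm.box = "../Boxes/windows_2016_<provider>.box"` and `cfg.vm.box = "../Boxes/windows_10_<provider>.box"` respectively. Step 4 should also state that this Vagrantfile edit applies only when the boxes were built locally in steps 2 and 3; readers who took the Vagrant Cloud path and skipped those steps would otherwise point Vagrant at files that do not exist in `Boxes`.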
@@ -165,6 +171,7 @@ sysmon | Logs from the Sysmon service
wineventlog | Windows Event Logs wineventlog | Windows Event Logs
bro | Bro network traffic logs bro | Bro network traffic logs
suricata | Suricata IDS logs suricata | Suricata IDS logs
threathunting | Used for the ThreatHunting app
## Installed Tools on Windows ## Installed Tools on Windows
* Sysmon * Sysmon
@@ -180,6 +187,7 @@ suricata | Suricata IDS logs
* Mimikatz * Mimikatz
* Wireshark * Wireshark
* Powersploit * Powersploit
* Atomic Red Team
## Applied GPOs ## Applied GPOs
* [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm) * [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm)
@@ -191,12 +199,10 @@ suricata | Suricata IDS logs
* [Windows Event Forwarding Server](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Windows%20Event%20Forwarding%20Server.htm) * [Windows Event Forwarding Server](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Windows%20Event%20Forwarding%20Server.htm)
* [Workstations Enhanced Auditing Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Workstations%20Enhanced%20Auditing%20Policy.htm) * [Workstations Enhanced Auditing Policy](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Workstations%20Enhanced%20Auditing%20Policy.htm)
## Known Issues and Workarounds
Vagrant has been particularly flaky with VMWare and I encountered many issues while testing. However, most of the issues are easily resolved.
--- ---
## Known Issues and Workarounds
**Issue:** Vagrant reports: `Message: HTTPClient::KeepAliveDisconnected:` while provisioning. **Issue:** Vagrant reports: `Message: HTTPClient::KeepAliveDisconnected:` while provisioning.
**Workaround:** Run `$ vagrant reload <hostname> --provision` **Workaround:** Run `$ vagrant reload <hostname> --provision`
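Review bot: moving the **Known Issues and Workarounds** heading below the `---` separator fixes the section order, but the dropped sentence ("Vagrant has been particularly flaky with VMWare ...") was the only place that told VMware users to expect provisioning failures and that they are usually recoverable; the new **VMware Only** step above now sends those users to buy and license the plugin without that context. Consider keeping a one-line introduction under the heading so the workaround list that follows has a lead-in.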
@@ -265,3 +271,4 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
* [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config) * [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config)
* [ThreatHunting](https://github.com/olafhartong/ThreatHunting) * [ThreatHunting](https://github.com/olafhartong/ThreatHunting)
* [sysmon-modular](https://github.com/olafhartong/sysmon-modular) * [sysmon-modular](https://github.com/olafhartong/sysmon-modular)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)