DetectionLab/README.md
2021-08-06 17:45:27 +02:00

# DetectionLab
## Overview
This project is based on the excellent [DetectionLab](https://www.detectionlab.network) project.
Only minor changes were made, all aimed at network analysis: a router VM was added and the default gateway of the other virtual machines was changed to point at it.
This lets the network analyzers (Malcolm, Security Onion) inspect the Internet traffic of the lab virtual machines instead of having it leave through the VirtualBox NAT adapter unseen.
Be aware: this is an unsupported setup, because Vagrant assumes that the first network card (the NAT adapter) is always used for outbound connections and is the default gateway.
Reprovisioning might therefore fail. Since the build is largely automated, it is easier to destroy a failing virtual machine and recreate it than to repair it in place.
Some more optional boxes are included in the Vagrantfile but are not started by default. You can bring up kali, malcolm, or securityonion if you need them.
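The following check is an added example and not part of DetectionLab or this fork. Run it in an elevated PowerShell inside one of the Windows lab VMs (dc, wef or win10) after provisioning to confirm that Internet-bound traffic really leaves through the router and not through the NAT adapter that Vagrant provisions over. The router address 192.168.38.2 comes from the host table below; the NAT gateway address 10.0.2.2 is VirtualBox's default and is an assumption, as is the use of 1.1.1.1 as an arbitrary Internet destination for the trace.

```powershell
# Added verification snippet (not part of DetectionLab or this fork).
# Run inside a Windows lab VM as Administrator.
$RouterIp   = '192.168.38.2'   # router address on the 192.168.38.0/24 lab subnet (host table)
$NatGateway = '10.0.2.2'       # VirtualBox's default NAT gateway (assumption: default NAT settings)
$TraceTarget = '1.1.1.1'       # any reachable Internet address (assumption)

# 1. Every IPv4 default route (0.0.0.0/0) must point at the router. A leftover
#    default route via the NAT gateway means Vagrant's NAT adapter still wins.
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0'
$bad = $defaults | Where-Object { $_.NextHop -ne $RouterIp }
if ($bad) {
    Write-Warning ("Default route(s) not via router:`n" +
        ($bad | Format-Table ifIndex, NextHop, RouteMetric -AutoSize | Out-String))
    if ($bad.NextHop -contains $NatGateway) {
        Write-Warning "A default route via the VirtualBox NAT gateway $NatGateway is still present"
    }
} else {
    Write-Host "OK: all default routes use $RouterIp"
}

# 2. When several default routes exist, the lowest metric decides which one is used.
$active = $defaults | Sort-Object RouteMetric | Select-Object -First 1
Write-Host ("Active default route: interface {0} via {1} (metric {2})" -f
    $active.ifIndex, $active.NextHop, $active.RouteMetric)

# 3. The first hop of an outbound trace must be the router; anything else means
#    the network analyzers (Malcolm / Security Onion) will not see this traffic.
$trace = Test-NetConnection -ComputerName $TraceTarget -TraceRoute -WarningAction SilentlyContinue
$firstHop = $trace.TraceRoute | Select-Object -First 1
if ($firstHop -eq $RouterIp) {
    Write-Host "OK: first hop towards $TraceTarget is the router ($firstHop)"
} else {
    Write-Warning "First hop towards $TraceTarget is '$firstHop', expected $RouterIp"
}
```

If step 1 reports a route via the NAT gateway after a reprovision, that is the "unsupported setup" caveat above in action: Vagrant has re-enabled the NAT adapter's default route, and the quickest fix is to destroy and recreate the box rather than patch the routing table by hand.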
## Setup on Windows
Run PowerShell as Administrator and execute the following commands. Full paths to `git.exe` and `vagrant.exe` are used because the `PATH` of the current session is not refreshed after the Chocolatey installs:
```
# Install Chocolatey (official one-liner from community.chocolatey.org)
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
# Hypervisor, Vagrant, git and a browser for the web UIs
choco install -y virtualbox vagrant git googlechrome
# Working directory C:\data\DetectionLab
c:
cd \
mkdir data
cd data
& 'C:\Program Files\Git\bin\git.exe' clone https://git.trinitor.de/trinitor/DetectionLab.git
cd DetectionLab/Vagrant
# vagrant-reload is required by the Windows provisioning steps
C:\HashiCorp\Vagrant\bin\vagrant.exe plugin install vagrant-reload
```
## Usage
Running `vagrant up` without arguments starts router, dc, wef, and win10. This is the default DetectionLab setup plus the router:
```
C:\HashiCorp\Vagrant\bin\vagrant.exe up
```
You can also choose which virtual machines to create by naming them.
For example, if you do not need the Windows environment you can build a small network with only the router and the analysis boxes:
```
C:\HashiCorp\Vagrant\bin\vagrant.exe up router malcolm kali
```
Destroy the whole lab (all boxes):
```
C:\HashiCorp\Vagrant\bin\vagrant.exe destroy
```
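The helper below is an added example and not part of this fork. It brings up a chosen subset of boxes with the router first (the other VMs use it as their default gateway, so it should exist before they try to reach the Internet during provisioning) and then reports the state of every box by parsing `vagrant status --machine-readable`. The paths are the ones from the setup section above; the box list is the default set from this README and can be edited.

```powershell
# Added helper (not part of DetectionLab or this fork). Run on the Windows host.
$Vagrant = 'C:\HashiCorp\Vagrant\bin\vagrant.exe'
$Boxes   = @('router', 'dc', 'wef', 'win10')   # e.g. @('router', 'malcolm', 'kali') for a small network

Set-Location 'C:\data\DetectionLab\Vagrant'

# Bring the boxes up one at a time, router first, and stop at the first failure
# instead of letting later boxes provision without a gateway.
if ($Boxes[0] -ne 'router') { throw "Bring up 'router' first; it is the default gateway of the lab" }
foreach ($box in $Boxes) {
    & $Vagrant up $box
    if ($LASTEXITCODE -ne 0) { throw "vagrant up $box failed (exit code $LASTEXITCODE)" }
}

# Machine-readable lines look like: <timestamp>,<box>,state,<running|poweroff|not_created>
$states = & $Vagrant status --machine-readable |
    ForEach-Object { $_ -split ',', 4 } |
    Where-Object { $_.Count -eq 4 -and $_[2] -eq 'state' } |
    ForEach-Object { [pscustomobject]@{ Box = $_[1]; State = $_[3] } }

$states | Format-Table -AutoSize

$notRunning = $states | Where-Object { $_.Box -in $Boxes -and $_.State -ne 'running' }
if ($notRunning) {
    Write-Warning ("Not running: " + ($notRunning.Box -join ', '))
} else {
    Write-Host "All requested boxes are running"
}
```

Because the script only starts the boxes it is given, the optional kali, malcolm and securityonion boxes stay untouched unless you add them to `$Boxes`.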
## Information
* Domain name: windomain.local

| Hostname | IPs |
|--- |--- |
|router |192.168.38.2, 192.168.39.2 |
|logger |192.168.38.105 |
|dc |192.168.38.102 |
|wef |192.168.38.103 |
|win10 |192.168.38.104 |
|kali |192.168.38.30 |
|securityonion |192.168.39.10, 192.168.38.10 |
|malcolm |192.168.39.11, 192.168.38.11 |
## Services and credentials
| Name | URL | User | Password |
|--- |--- |--- |--- |
|Domain Admin | |vagrant |vagrant |
|Fleet |https://192.168.38.105:8412 |admin |admin123# |
|Splunk |https://192.168.38.105:8000 |admin |changeme |
|MS ATA |https://192.168.38.103 |wef\vagrant |vagrant |
|Guacamole |http://192.168.38.105:8080/guacamole |vagrant |vagrant |
|Velociraptor |https://192.168.38.105:9999 |admin |changeme |
|Malcolm Arkime |https://192.168.39.11 |vagrant |vagrant |
|Malcolm Kibana |https://192.168.39.11/kibana |vagrant |vagrant |
|CyberChef |https://192.168.39.10/cyberchef/cyberchef.htm | | |
|Squert |https://192.168.39.10/squert/ |vagrant |vagrant |
## Acknowledgements
* [DetectionLab](https://www.detectionlab.network)
* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
* [Splunk](https://www.splunk.com)
* [osquery](https://osquery.io)
* [Fleet](https://github.com/fleetdm/fleet)
* [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
* [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding)
* [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55)
* [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration)
* [Configure Event Log Forwarding in Windows Server 2012 R2](https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2)
* [Monitoring what matters: Windows Event Forwarding for everyone](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
* [Use Windows Event Forwarding to help with intrusion detection](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection)
* [The Windows Event Forwarding Survival Guide](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4)
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Autoruns](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082)
* [TA-microsoft-sysmon](https://github.com/splunk/TA-microsoft-sysmon)
* [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config)
* [ThreatHunting](https://github.com/olafhartong/ThreatHunting)
* [sysmon-modular](https://github.com/olafhartong/sysmon-modular)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
* [Hunting for Beacons](http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html)
* [Velociraptor](https://github.com/Velocidex/velociraptor)
* [BadBlood](https://github.com/davidprowe/BadBlood)
* [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)
* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
* [Malcolm](https://github.com/cisagov/Malcolm)
* [SecurityOnion](https://securityonionsolutions.com/)
* [Kali](https://kali.org/)