Locked Detection Lab: build a lab environment complete with security tooling and logging

[itsMe]

This is the hidden content, please

• Sign In
• or
• Sign Up

Detection Lab

Purpose

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Primary Lab Features:

    Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
    A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
    A custom Windows auditing configuration is set via GPO to include command-line process auditing and additional OS-level logging
    Palantir’s Windows Event Forwarding subscriptions and custom channels are implemented
    Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
    osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir’s osquery Configuration
    Sysmon is installed and configured using Olaf Hartong’s open-sourced Sysmon configuration
    All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
    Zeek and Suricata are pre-configured to monitor and alert on network traffic
    Apache Guacamole is installed to easily access all hosts from your local browser

Detection Lab consists of 4 total hosts:

    DC – Windows 2016 Domain Controller
        WEF Server Configuration GPO
        Powershell logging GPO
        Enhanced Windows Auditing policy GPO
        Sysmon
        osquery
        Splunk Universal Forwarder (Forwards Sysmon & osquery)
        Sysinternals Tools
    WEF – Windows 2016 Server
        Windows Event Collector
        Windows Event Subscription Creation
        Powershell transcription logging share
        Sysmon
        osquery
        Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
        Sysinternals tools
    Win10 – Windows 10 Workstation
        Simulates employee workstation
        Sysmon
        osquery
        Splunk Universal Forwarder (Forwards Sysmon & osquery)
        Sysinternals Tools
    Logger – Ubuntu 16.04
        Splunk Enterprise
        Fleet osquery Manager

This is the hidden content, please

• Sign In
• or
• Sign Up