Skip to content
Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices
Branch: master
Clone or download
Pull request Compare This branch is 5 commits ahead, 80 commits behind clong:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci Update CircleCI job to include approval workflow Dec 22, 2018
Packer Packer: Update guest additions for VMware and VirtualBox [ci skip] Oct 31, 2018
Terraform fixed 2 May 6, 2019
Vagrant bootstrap fix May 6, 2019
.gitignore Add backup files to .gitignore Mar 12, 2019 Adding Dec 23, 2018
LICENSE Adding MIT License Dec 11, 2017 Update Win10 boxes, hashes, update build Vagrant to 2.2.4 Mar 4, 2019
build.ps1 Update Win10 boxes, hashes, update build Vagrant to 2.2.4 Mar 4, 2019 Update Win10 boxes, hashes, update build Vagrant to 2.2.4 Mar 4, 2019

Detection Lab

DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.

CircleCI: CircleCI

Donate to the project:

All of the infrastructure, building, and testing of DetectionLab is currently funded by myself in my spare time. If you find this project useful, feel free to buy me a coffee using one of the buttons below!

Donate Donate Donate

Additionally, A GoFundMe has been generously started by @BlueTeamHB to support development of DetectionLab. Thank you so much to everyone who has made a donation!


This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Read more about Detection Lab on Medium here:

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Primary Lab Features:

  • Microsoft Advanced Threat Analytics ( is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • Mitre's Caldera server is built on the logger host and the Caldera agent gets pre-installed on all Windows hosts
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled


  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Packer 1.3.2 or newer
  • Vagrant 2.2.2 or newer
  • Virtualbox or VMWare Fusion/Workstation

Known Bad Versions:

  • Packer 1.1.2 will fail to build VMWare-ISOs correctly due to this issue.


DetectionLab now contains build scripts for *NIX, MacOS, and Windows users!

There is a single build script that supports 3 different options:

  • ./ <virtualbox|vmware_desktop> - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth
  • ./ <virtualbox|vmware_desktop> --vagrant-only - Downloads pre-built Packer boxes from and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes.
  • ./ <virtualbox|vmware_desktop> --packer-only - This option only builds the Packer boxes and will not use Vagrant to start up the lab.

Windows users will want to use the following script:

  • ./build.ps1 -ProviderName <virtualbox|vmware_desktop> - Builds the entire lab from scratch. Takes 3-5 hours depending on hardware resources and bandwidth
  • ./build.ps1 -ProviderName <virtualbox|vmware_desktop> -VagrantOnly - Downloads pre-built Packer boxes from and builds the lab from those boxes. This option is recommended if you have more bandwidth than time or are having trouble building boxes.

Building DetectionLab from Scratch

  1. Determine which Vagrant provider you want to use.

NOTE: If you'd like to save time, you can skip the building of the Packer boxes and download the boxes directly from and put them into the Boxes directory:

Provider Box URL MD5 Size
Virtualbox Windows 2016 231b54077d4396cad01e4cd60651b1e0 7.9GB
Virtualbox Windows 10 c03f10f21b8d79e6acca2b2965b23046 6.4GB
VMware Windows 2016 2bbaf5a1177e0499dc3aacdb0246eb38 8.2GB
VMware Windows 10 b334c3ba5be3b29840567ffe368db5fe 5.9GB

If you choose to download the boxes, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.

  1. cd to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 1 hour. As far as I know, you can only build one box at a time.
$ cd detectionlab/Packer
$ packer build --only=[vmware|virtualbox]-iso windows_10.json
$ packer build --only=[vmware|virtualbox]-iso windows_2016.json
  1. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder:

    mv *.box ../Boxes

  2. cd into the Vagrant directory: cd ../Vagrant

  3. Install the Vagrant-Reload plugin: vagrant plugin install vagrant-reload

  4. Ensure you are in the Vagrant folrder and run vagrant up. This command will do the following:

  • Provision the logger host. This host will run the Fleet osquery manager and a fully featured pre-configured Splunk instance.
  • Provision the DC host and configure it as a Domain Controller
  • Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
  • Provision the Win10 host and configure it as a computer in the Workstations OU
  1. Navigate to in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
  2. Navigate to in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from palantir/osquery-configuration.
  3. Navigate to in a browser to access the Caldera server on logger. Default credentials are admin:caldera.

Basic Vagrant Usage

Vagrant commands must be run from the "Vagrant" folder.

  • Bring up all Detection Lab hosts: vagrant up (optional --provider=[virtualbox|vmware_desktop])
  • Bring up a specific host: vagrant up <hostname>
  • Restart a specific host: vagrant reload <hostname>
  • Restart a specific host and re-run the provision process: vagrant reload <hostname> --provision
  • Destroy a specific host vagrant destroy <hostname>
  • Destroy the entire Detection Lab environment: vagrant destroy (Adding -f forces it without a prompt)
  • SSH into a host (only works with Logger): vagrant ssh logger
  • Check the status of each host: vagrant status
  • Suspend the lab environment: vagrant suspend
  • Resume the lab environment: vagrant resume

Lab Information

Lab Hosts

  • DC - Windows 2016 Domain Controller
    • WEF Server Configuration GPO
    • Powershell logging GPO
    • Enhanced Windows Auditing policy GPO
    • Sysmon
    • osquery
    • Splunk Universal Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
    • Microsft Advanced Threat Analytics Lightweight Gateway
  • WEF - Windows 2016 Server
    • Microsoft Advanced Threat Analytics
    • Windows Event Collector
    • Windows Event Subscription Creation
    • Powershell transcription logging share
    • Sysmon
    • osquery
    • Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
    • Sysinternals tools
  • Win10 - Windows 10 Workstation
    • Simulates employee workstation
    • Sysmon
    • osquery
    • Splunk Universal Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
  • Logger - Ubuntu 16.04
    • Splunk Enterprise
    • Fleet osquery Manager
    • Mitre's Caldera Server
    • Bro
    • Suricata

Splunk Indexes

Index Name Description
osquery osquery/Fleet result logs
osquery-status osquery/fleet INFO/WARN/ERROR logs
powershell Powershell transcription logs
sysmon Logs from the Sysmon service
wineventlog Windows Event Logs
bro Bro network traffic logs
suricata Suricata IDS logs

Installed Tools on Windows

  • Sysmon
  • osquery
  • AutorunsToWinEventLog
  • Caldera Agent
  • Process Monitor
  • Process Explorer
  • PsExec
  • TCPView
  • Notepad++
  • Google Chrome
  • WinRar
  • Mimikatz
  • Wireshark

Applied GPOs

Known Issues and Workarounds

Vagrant has been particularly flaky with VMWare and I encountered many issues while testing. However, most of the issues are easily resolved.

Issue: Vagrant reports: Message: HTTPClient::KeepAliveDisconnected: while provisioning.
Workaround: Run $ vagrant reload <hostname> --provision

Issue: Vagrant timed out while attempting to connect via WinRM after Win10 host joins the domain.
Workaround Documented in #21. Just run $ vagrant reload win10 --provision

Issue: Vagrant is unable to forward a port for you
Workaround: Documented in #11. There are a few possibilities:

  1. Try a vagrant reload <hostname> --provision. For whatever reason vagrant up doesn't fix conflicts but reload does.
  2. Check if something is legitimately occupying the port via sudo lsof -n -iTCP:<port_number>
  3. Follow the instructions from this comment:

Issue: Fleet server becomes unreachable after VM is suspended and resumed

Workaround: Documented in #22. The following commands should make it reachable without deleting data:

$ docker stop $(docker ps -aq)
$ service docker restart
$ cd /home/vagrant/kolide-quickstart
$ docker-compose start -d

Issue: Your primary hard drive doesn't have enough space for DetectionLab

Workaround: Documented in #48. You can change the default location for Vagrant by using the VAGRANT_HOME environment variable.


Please do all of your development in a feature branch on your own fork of DetectionLab. Contribution guidelines can be found here:

In the Media


A sizable percentage of this code was borrowed and adapted from Stefan Scherer's packer-windows and adfs2 Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.


You can’t perform that action at this time.