-
VMware Workstation was upgraded to version 17.5 to ensure compatibility and access to the latest features.
-
The logger virtual machine was upgraded from Ubuntu 20.04 to Ubuntu 24.04.
-
All logger servers were updated to the latest available software versions.
-
The Domain Controller (DC) virtual machine was upgraded from Windows Server 2016 to Windows Server 2022.
-
The Windows Event Forwarding (WEF) virtual machine was upgraded from Windows Server 2016 to Windows Server 2022.
-
The Workstation virtual machine was migrated from Windows 10 to Windows 11.
-
The subnet configuration was changed from 192.168.56.X to 192.168.57.X.
-
Tested Only with VMWare Workstation 17.6
https://developer.hashicorp.com/vagrant/downloads
vagrant plugin install vagrant-vmware-desktop
https://developer.hashicorp.com/vagrant/install/vmware
net.exe start vagrant-vmware-utility
git clone https://github.com/hasamba/DetectionLabRevamped.git
cd DetectionLabRevamped/Vagrant
.\prepare.ps1
vagrant up --provider=vmware_desktop
#or one by one
vagrant up logger
vagrant up dc
vagrant up wef
vagrant up win11
.\post_build_checks.ps1
- disable network adapters for the hypervisor you do NOT use, for example is installing with vmware than disable virtualbox network cards (if exists)
- Install as non privileged user
- Vagrant encountered an unexpected communications error with the Vagrant VMware Utility driver
- check that vagrant-vmware-utility service is started
- Vagrant service failed to start
-
- Check event log
- reinstall driver
net stop winnat&net start winnatC:\HashiCorp\VagrantVMwareUtility\bin\vagrant-vmware-utility.exe certificate generate
-
- A VM machine fail to install
- try vagrant reload MACHINE_NAME —provision or vagrant destroy MACHINE_NAME -f;vagrant up MACHINE_NAME
- if all fail and you want a fresh install
- delete the hidden folder .vagrant under vagrant and start again
- if vagrant keeps on failing with provisioning
- enter the machine via winrm (enter-pssession -ComputerName MACHINE-DHCP-IP -Credential (Get-Credential) -Authentication Basic) and run all scripts as in vagrantfile
DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.
This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
- Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
- A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
- A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
- Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
- Powershell transcript logging is enabled. All logs are saved to
\\wef\pslogs - osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
- Sysmon is installed and configured using Olaf Hartong's open-sourced Sysmon configuration
- All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
- Zeek and Suricata are pre-configured to monitor and alert on network traffic
- Apache Guacamole is installed to easily access all hosts from your local browser
When preparing to build DetectionLab locally, be sure to use the prepare.[sh|ps1] scripts inside of the Vagrant folder
to ensure your system passes the prerequisite checks for building DetectionLab.
- Prerequisites
- MacOS - Virtualbox or VMware Fusion
- Windows - Virtualbox or VMware Workstation
- Linux - Virtualbox or VMware Workstation
- AWS via Terraform
- Azure via Terraform & Ansible
- ESXi via Terraform & Ansible
- HyperV
- LibVirt
- Proxmox
The primary documentation site is located at https://detectionlab.network
Please do all of your development in a feature branch on your own fork of DetectionLab. Contribution guidelines can be found here: CONTRIBUTING.md
- DetectionLab, Chris Long – Paul’s Security Weekly #593
- TaoSecurity - Trying DetectionLab
- Setting up Chris Long's DetectionLab
- Detection Lab: Visibility & Introspection for Defenders
A sizable percentage of this code was borrowed and adapted from Stefan Scherer's packer-windows and adfs2 Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
- Microsoft Advanced Threat Analytics
- Splunk
- osquery
- Fleet
- Windows Event Forwarding for Network Defense
- palantir/windows-event-forwarding
- osquery Across the Enterprise
- palantir/osquery-configuration
- Configure Event Log Forwarding in Windows Server 2012 R2
- Monitoring what matters — Windows Event Forwarding for everyone
- Use Windows Event Forwarding to help with intrusion detection
- The Windows Event Forwarding Survival Guide
- PowerShell ♥ the Blue Team
- Autoruns
- TA-microsoft-sysmon
- SwiftOnSecurity - Sysmon Config
- ThreatHunting
- sysmon-modular
- Atomic Red Team
- Hunting for Beacons
- Velociraptor
- BadBlood
- PurpleSharp
- EVTX-ATTACK-SAMPLES
I would like to extend thanks to everyone who sponsored DetectionLab over the past few years. DetectionLab is no longer actively being maintained or developed.