introduction
Some time ago, I came across the DetectionLab project and thought it was neat. It lets you conduct attacks, work on detection rules, and test those rules. DetectionLab uses Splunk for storing logs, which I'm not used to, and it also requires more system resources than my machine has.
I then came across DetectionLabELK, which is similar to DetectionLab but uses the ELK stack, which I am familiar with. I still had the same issue with system requirements, though, and I didn't need some of the components of the project. The DetectionLabELK people (CyberDefenders) provide a cloud version of it, which is very cheap if you want to use it for testing things, but I still wanted to have something on my own machine.
I did build an AD lab manually; however, after not taking snapshots and then breaking the lab, I decided that I should just use Vagrant.
For my lab needs, I just need to look at logs, not network traffic. I also only need one DC, one workstation, and a Kali VM. I'm very familiar with Humio, so I decided to use a Humio cloud (free) account to store and search my logs. Kali is good for doing certain attacks, but I also wanted Atomic Red Team so I could use it for generating log data and testing queries. The AD lab I made was also inspired by the Applied Purple Teaming course and TheCyberMentor ethical hacking course.
design
Domain: testlab.local
Computers: dc1 - 192.168.200.11 - Windows Server 2019 (desktop experience)
workstation1 - 192.168.200.12 - Windows 10
kali - 192.168.200.13 - Kali Linux (no IP is assigned initially; you have to set eth1 to this address yourself after the first vagrant up)
Users:
local user: vagrant / vagrant works on all machines
domain users:
jsmith / Password123
jdoe / 123Password
SQLService / Servicepass123
All domain users are members of the Domain Admins, Administrators, and Enterprise Admins groups. This is deliberately insecure: the lab exists to generate attack telemetry, not to model a hardened domain.
jsmith is a local admin on workstation1.
setup
system requirements:
Any modern 4-core/8-thread CPU should be fine. I'm using an i7-6700HQ.
Around 16GB of RAM should work fine as well.
virtualbox download and installation:
Download and install VirtualBox from here: https://www.virtualbox.org/wiki/Downloads
Install the Oracle VM VirtualBox Extension Pack as well.
vagrant download and installation:
Download and install Vagrant from here: https://www.vagrantup.com/downloads
Once Vagrant is installed, open a command line and run "vagrant plugin install vagrant-reload" to install the reload plugin. It adds a provisioner that reboots the VM mid-provisioning, which is needed after the domain controller promotion. More info here: https://github.com/aidanns/vagrant-reload
downloading the github project:
Code/scripts are here: https://github.com/BoredHackerBlog/LogDetectionLab
Download the zip and unzip it, or run git clone https://github.com/BoredHackerBlog/LogDetectionLab
setting up humio:
Get a Humio account and log in at cloud.humio.com.
Create a new ingest token for this project. You can leave the parser as None. Copy the token.
Edit the winlogbeat.yml file and change the password to your token. Treat the token like a password: anyone holding it can write into your repository, so don't commit the edited winlogbeat.yml anywhere public.
usage
Vagrant command line guide: https://www.vagrantup.com/docs/cli
Open a command prompt and cd into the LogDetectionLab folder.
Type vagrant up to bring up all three virtual machines.
Your initial run will download the VM boxes and set everything up. This may take 30 minutes to an hour.
Once all the machines are up and running and the vagrant command exits, you will need to log into the Kali Linux VM and change the eth1 IP to 192.168.200.13.
You will have to disable Defender on workstation1 and install Invoke-AtomicRedTeam manually (check the GitHub page for known bugs).
To use Invoke-AtomicRedTeam, open PowerShell and run: Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
You can also bring up a single machine with vagrant up MACHINENAME, such as vagrant up dc1.
To tear down the lab, run vagrant destroy -f. This will shut down the VMs and remove them.
Vagrant also supports taking snapshots, which is worth doing before you start running attacks so you can roll back instead of rebuilding. You can read more about that here: https://www.vagrantup.com/docs/cli/snapshot
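Once the module is imported, the loop for this lab is: run an atomic, then confirm the telemetry actually landed before you go looking for it in Humio. The script below is an added example and is not part of the LogDetectionLab project. It assumes Invoke-AtomicRedTeam lives under the C:\AtomicRedTeam path given above, that Sysmon is installed, and that you run it from an elevated PowerShell on workstation1; the technique ID T1059.001 and test number 1 are just placeholders for whatever atomic you want to exercise.

```powershell
# Added example, not project code: run one Atomic Red Team test and confirm Sysmon
# recorded the resulting process creations (Sysmon event ID 1).
# Assumptions: Invoke-AtomicRedTeam under C:\AtomicRedTeam, Sysmon installed, elevated shell.
param(
    [string]$Technique   = 'T1059.001',   # assumed: any technique present in C:\AtomicRedTeam\atomics
    [int[]] $TestNumbers = @(1)
)

Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# Defender quarantines many atomics before they produce any telemetry; check it first.
$mp = Get-MpComputerStatus
if ($mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender real-time protection is still on; the test may be blocked before it logs anything."
}

# Show what the test does before executing it, then satisfy its prerequisites.
Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -ShowDetailsBrief
Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -GetPrereqs

$start = Get-Date
Invoke-AtomicTest $Technique -TestNumbers $TestNumbers

# Pull every process-creation event since $start and flatten the EventData fields
# you will later search on in Humio (Image, CommandLine, ParentImage, User).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $start
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Image       = $d['Image']
        CommandLine = $d['CommandLine']
        ParentImage = $d['ParentImage']
        User        = $d['User']
    }
}

if (-not $rows) {
    Write-Warning "No Sysmon process-creation events since $start. Check that Sysmon is running: Get-Service Sysmon*"
} else {
    $rows | Format-Table -AutoSize -Wrap
}

# Always clean up so the box is back to baseline for the next test.
Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -Cleanup
```

If the table is empty but the atomic clearly ran, the problem is on the collection side (Sysmon not installed or its config not loaded), not in Humio or winlogbeat.yml, which saves a round of debugging the shipper.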
modifying the project
Vagrantfile - this can be changed to modify VM CPU and memory resources, how port forwarding works, hostnames, IP addresses, and which scripts run.
install-dc.ps1 - domain controller promotion script
join-domain.ps1 - joins the computer to the domain and adds jsmith as a local admin
create-users.ps1 - creates users on the DC
create-smbshare.ps1 - creates an SMB share on the DC
change_ui.ps1 - changes some Windows settings so the UI is adjusted for best performance
change_sec_config.bat - disables updates, the firewall, Defender, and UAC, and enables RDP
install-atomicredteam.ps1 - installs Invoke-AtomicRedTeam
enable_logging.bat - enables a bunch of logging, installs Sysmon with olafhartong's config, and downloads Winlogbeat
winlogbeat.yml - Winlogbeat config file. You'll have to edit this to change where the logs go. Also, as you start seeing event IDs that are not useful, you can edit this file to drop them, or modify enable_logging.bat to avoid enabling those events in the first place.
setup_winlogbeat.bat - sets up Winlogbeat
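The post does not list exactly what enable_logging.bat turns on, so the following is an added example of my own, not the project's script: it enables the Windows-native logging a lab like this usually needs (process creation auditing with the command line, PowerShell script block and module logging, logon auditing) and then reads the settings back, along with whether Sysmon is present. Sysmon and Winlogbeat installation are left to the project scripts. Which policies to enable is my assumption about what is useful, and it needs an elevated PowerShell.

```powershell
# Added example, not the project's enable_logging.bat: turn on Windows-native logging
# for a detection lab and verify it. Run from an elevated PowerShell.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-LabLogging {
    # Security 4688 (process creation), with the full command line included in the event.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                 'ProcessCreationIncludeCmdLine_Enabled' 1

    # PowerShell 4104 (script block) and 4103 (module) logging; '*' logs every module.
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    Set-RegDword "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    Set-RegDword "$ps\ModuleLogging"      'EnableModuleLogging'      1
    if (-not (Test-Path "$ps\ModuleLogging\ModuleNames")) { New-Item "$ps\ModuleLogging\ModuleNames" -Force | Out-Null }
    New-ItemProperty "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Logon auditing: 4624/4625/4672 are what you pivot on for the lab's domain users.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Special Logon" /success:enable | Out-Null
}

function Get-LabLoggingStatus {
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $ps    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # auditpol /r emits CSV (sometimes with a leading blank line), so drop empties before parsing.
    $pc = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
    [pscustomobject]@{
        ProcessCreationAudit = $pc.'Inclusion Setting'
        CmdLineInAudit       = (Get-ItemProperty $audit -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
        ScriptBlockLogging   = (Get-ItemProperty "$ps\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        ModuleLogging        = (Get-ItemProperty "$ps\ModuleLogging" -Name EnableModuleLogging -ErrorAction SilentlyContinue).EnableModuleLogging
        SysmonService        = (Get-Service Sysmon* -ErrorAction SilentlyContinue | Select-Object -First 1 -ExpandProperty Status)
        SysmonLogPresent     = [bool](Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue)
    }
}

Enable-LabLogging
Get-LabLoggingStatus | Format-List
```

Once these are on, the event IDs worth keeping in winlogbeat.yml are Security 4688, 4624, 4625 and 4672, PowerShell 4103 and 4104, and Sysmon 1 and friends; anything else that shows up as noise is a candidate for dropping on the shipper side, as the winlogbeat.yml entry above describes.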
challenges
I kept getting WinRM-related errors after I promoted the domain controller and then tried to reboot. I added
config.winrm.transport = :plaintext
config.winrm.basic_auth_only = true
to the Vagrantfile, and
executed "reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /d 0 /t REG_DWORD /f /reg:64" before promoting, and that seemed to fix the issue.
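Those two Vagrantfile options only work if the guest side cooperates: transport = :plaintext with basic_auth_only = true means Vagrant talks to WinRM over HTTP on 5985 with Basic authentication, so the guest's WinRM service must allow unencrypted traffic and Basic auth. The script below is an added example (not the project's code) for checking those settings from inside the Windows guest, plus the EnableLUA value that the reg add above sets to 0, and it includes a PowerShell equivalent of that reg add. It assumes an elevated PowerShell on the guest.

```powershell
# Added example, not project code: check the WinRM settings that Vagrant's
# transport = :plaintext / basic_auth_only = true rely on, and the UAC (EnableLUA)
# value the post sets before DC promotion. Run elevated inside the Windows guest.

function Get-VagrantWinRmReadiness {
    $svc     = Get-Service WinRM -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')

    $allowUnenc = $false; $basic = $false; $listeners = @()
    if ($running) {
        # WSMan: drive values come back as the strings 'true'/'false'.
        $allowUnenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
        $basic      = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'
        $listeners  = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { $_.Keys -join ' ' }
    }

    $lua = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
              -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    [pscustomobject]@{
        WinRMRunning     = $running
        AllowUnencrypted = $allowUnenc
        BasicAuth        = $basic
        Listeners        = $listeners
        EnableLUA        = $lua   # 0 = UAC off, which is what the reg add above produces
        ReadyForVagrant  = [bool]($running -and $allowUnenc -and $basic -and ($listeners -match 'Transport=HTTP\b'))
    }
}

# The same change the post makes with reg add, in PowerShell. Takes effect after a reboot.
function Disable-UacForProvisioning {
    Set-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -Value 0 -Type DWord
}

Get-VagrantWinRmReadiness | Format-List
```

If ReadyForVagrant comes back false on a base box, fixing the guest (Enable-PSRemoting and the two WSMan values) is more reliable than fiddling with the Vagrantfile, because the Vagrant options only describe what the client is willing to do.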
At the time of posting this blog post, I'm having an issue with workstation1 not installing Atomic Red Team correctly. AV doesn't get turned off for some reason.
I can't change the IP address on Kali through Vagrant.
me typing vagrant destory -f for 10 minutes trying to figure out why it didn't work was also challenging.