DetectionLab
Automate the creation of a lab environment complete with security tooling and logging best practices
Top Related Projects
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Quick Overview
DetectionLab is a project that automates the creation of a Windows-based security lab environment for testing and improving detection capabilities. It uses Vagrant, Packer, and Terraform to deploy a fully-functional lab with pre-configured security tools and logging, making it ideal for blue team training and research.
Pros
- Fully automated setup of a complete security lab environment
- Includes popular security tools like Splunk, Velociraptor, and Suricata
- Supports multiple providers (VirtualBox, VMware, AWS, Azure)
- Excellent for learning and testing detection techniques
Cons
- Requires significant system resources to run locally
- Setup process can be time-consuming, especially for first-time users
- Limited to Windows-based environments
- May require troubleshooting for specific hardware/software configurations
Getting Started
To get started with DetectionLab:
- Install prerequisites (Vagrant, VirtualBox/VMware, and Git)
- Clone the repository:
git clone https://github.com/clong/DetectionLab.git
- Navigate to the desired provider directory:
cd DetectionLab/Vagrant
- Start the lab environment:
vagrant up
Note: The setup process can take several hours depending on your system and internet connection. Refer to the project's documentation for detailed instructions and troubleshooting tips.
Competitor Comparisons
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
Pros of ThreatHunter-Playbook
- Focuses on threat hunting techniques and playbooks, providing a comprehensive resource for security analysts
- Includes a wide range of data sources and detection opportunities across various platforms
- Regularly updated with community contributions and new threat hunting methodologies
Cons of ThreatHunter-Playbook
- Primarily a knowledge base, lacking the hands-on lab environment provided by DetectionLab
- May require more effort to implement and test the techniques in a real-world scenario
- Less emphasis on automated setup and configuration of security tools
Code Comparison
DetectionLab (Vagrant configuration):
config.vm.define "logger" do |cfg|
cfg.vm.box = "detectionlab/logger"
cfg.vm.hostname = "logger"
cfg.vm.provision "shell", path: "scripts/configure-ou.ps1"
end
ThreatHunter-Playbook (YAML detection rule):
detection:
selection:
EventID: 4688
NewProcessName|endswith: '\powershell.exe'
CommandLine|contains: '-enc'
condition: selection
While DetectionLab focuses on providing a ready-to-use lab environment, ThreatHunter-Playbook offers a collection of detection rules and techniques. The code snippets reflect these different approaches, with DetectionLab emphasizing infrastructure setup and ThreatHunter-Playbook showcasing detection logic.
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Pros of MISP
- Focused on threat intelligence sharing and collaboration
- Extensive API and integration capabilities
- Large, active community and ecosystem
Cons of MISP
- Steeper learning curve for setup and configuration
- Requires more resources to run effectively
- Less emphasis on end-to-end detection lab functionality
Code Comparison
MISP (Python):
@misp_json
def add_attribute(self, event, attribute_type, value, **kwargs):
attribute = MISPAttribute()
attribute.from_dict(type=attribute_type, value=value, **kwargs)
event.add_attribute(attribute)
return attribute
DetectionLab (PowerShell):
function Install-Sysmon {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Sysmon..."
$sysmonDir = "C:\ProgramData\Sysmon"
if (!(Test-Path $sysmonDir)) { New-Item -ItemType Directory -Path $sysmonDir | Out-Null }
$sysmonPath = Join-Path $sysmonDir "Sysmon.exe"
$sysmonConfigPath = Join-Path $sysmonDir "sysmonConfig.xml"
# ... (additional installation steps)
}
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
Pros of TheHive
- Focused on incident response and case management
- Integrates with various security tools and threat intelligence platforms
- Supports collaborative investigations with real-time updates
Cons of TheHive
- Steeper learning curve for setup and configuration
- Requires additional components (Cortex, MISP) for full functionality
- Less comprehensive for general security lab environments
Code Comparison
TheHive (Scala):
def create(caseTemplate: CaseTemplate): Future[CaseTemplate] = {
val caseTemplateWithId = caseTemplate.copy(id = UUID.randomUUID().toString)
collection.insert(caseTemplateWithId).map(_ => caseTemplateWithId)
}
DetectionLab (PowerShell):
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing Sysmon..."
$sysmonPath = "C:\ProgramData\Sysmon"
if(!(Test-Path $sysmonPath)) {
New-Item -ItemType Directory -Path $sysmonPath
}
While TheHive focuses on incident response workflows, DetectionLab provides a more comprehensive security lab environment for testing and learning. TheHive excels in collaborative investigations, but DetectionLab offers a broader range of security tools and logging capabilities out of the box. The code snippets highlight TheHive's focus on case management (in Scala) versus DetectionLab's emphasis on system configuration and monitoring setup (in PowerShell).
Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
Pros of securityonion
- More comprehensive suite of security tools and capabilities
- Larger community and more extensive documentation
- Regular updates and long-term support
Cons of securityonion
- Steeper learning curve due to complexity
- Higher system requirements for full functionality
- Less flexibility in customization compared to DetectionLab
Code comparison
DetectionLab (Vagrant configuration):
config.vm.define "logger" do |cfg|
cfg.vm.box = "bento/ubuntu-18.04"
cfg.vm.hostname = "logger"
cfg.vm.network "private_network", ip: "192.168.38.105"
cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = true
vb.name = "logger"
vb.customize ["modifyvm", :id, "--memory", 4096]
vb.customize ["modifyvm", :id, "--cpus", 2]
end
end
securityonion (Docker Compose configuration):
version: '3'
services:
so-elasticsearch:
image: securityonionsolutions/so-elasticsearch:HH2.3.0
container_name: so-elasticsearch
restart: always
environment:
- cluster.name=securityonion
- node.name=elasticsearch
Both projects use configuration management tools, but DetectionLab focuses on Vagrant for VM provisioning, while securityonion utilizes Docker Compose for containerization.
A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Pros of attack_range
- Focuses specifically on Splunk integration and testing Splunk detections
- Provides more flexibility in deployment options (local, cloud, container)
- Includes built-in attack simulation capabilities
Cons of attack_range
- More complex setup and configuration process
- Limited to Splunk-centric environments and use cases
- Smaller community and less frequent updates
Code Comparison
DetectionLab:
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')
choco install -y virtualbox vagrant
vagrant up
attack_range:
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python attack_range.py --mode terraform --target aws --action build
Both projects aim to provide security professionals with environments for testing and improving detection capabilities. DetectionLab offers a more general-purpose lab environment with support for multiple security tools, while attack_range is tailored specifically for Splunk users and focuses on attack simulation and detection testing.
DetectionLab is easier to set up and has a larger community, making it more suitable for beginners or those looking for a broader range of tools. attack_range, on the other hand, offers more advanced features for Splunk users and provides greater flexibility in deployment options, but requires more technical expertise to configure and use effectively.
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Pros of LogonTracer
- Focused specifically on visualizing and analyzing Windows logon events
- Provides a web-based interface for easy access and interaction
- Utilizes graph database (Neo4j) for efficient data storage and querying
Cons of LogonTracer
- Limited scope compared to DetectionLab's comprehensive environment
- Requires manual log collection and parsing, unlike DetectionLab's automated setup
- Less active development and community support
Code Comparison
LogonTracer (Python):
def parse_evtx(evtx_file, output_file):
parser = PyEvtxParser(evtx_file)
with open(output_file, 'w') as of:
for record in parser.records():
of.write(json.dumps(record.get('data')) + '\n')
DetectionLab (PowerShell):
$splunkPassword = ConvertTo-SecureString -String $splunkPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('admin', $splunkPassword)
Start-Process http://localhost:8000 -Credential $credential
Both repositories serve different purposes in the cybersecurity domain. LogonTracer is a specialized tool for analyzing Windows logon events, while DetectionLab provides a comprehensive environment for threat detection and analysis. The code snippets highlight their different focuses: LogonTracer deals with event log parsing, while DetectionLab manages various security tools and configurations.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Detection Lab
As of 2023-01-01, DetectionLab is no longer being actively maintained
DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.
Purpose
This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Read more about Detection Lab on Medium here: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
Primary Lab Features:
- Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
- A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
- A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
- Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
- Powershell transcript logging is enabled. All logs are saved to
\\wef\pslogs
- osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
- Sysmon is installed and configured using Olaf Hartong's open-sourced Sysmon configuration
- All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
- Zeek and Suricata are pre-configured to monitor and alert on network traffic
- Apache Guacamole is installed to easily access all hosts from your local browser
Building Detection Lab
When preparing to build DetectionLab locally, be sure to use the prepare.[sh|ps1]
scripts inside of the Vagrant folder
to ensure your system passes the prerequisite checks for building DetectionLab.
- Prerequisites
- MacOS - Virtualbox or VMware Fusion
- Windows - Virtualbox or VMware Workstation
- Linux - Virtualbox or VMware Workstation
- AWS via Terraform
- Azure via Terraform & Ansible
- ESXi via Terraform & Ansible
- HyperV
- LibVirt
- Proxmox
DetectionLab Documentation
The primary documentation site is located at https://detectionlab.network
Contributing
Please do all of your development in a feature branch on your own fork of DetectionLab. Contribution guidelines can be found here: CONTRIBUTING.md
In the Media
- DetectionLab, Chris Long â Paulâs Security Weekly #593
- TaoSecurity - Trying DetectionLab
- Setting up Chris Long's DetectionLab
- Detection Lab: Visibility & Introspection for Defenders
Credits/Resources
A sizable percentage of this code was borrowed and adapted from Stefan Scherer's packer-windows and adfs2 Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
Acknowledgements
- Microsoft Advanced Threat Analytics
- Splunk
- osquery
- Fleet
- Windows Event Forwarding for Network Defense
- palantir/windows-event-forwarding
- osquery Across the Enterprise
- palantir/osquery-configuration
- Configure Event Log Forwarding in Windows Server 2012 R2
- Monitoring what mattersâââWindows Event Forwarding for everyone
- Use Windows Event Forwarding to help with intrusion detection
- The Windows Event Forwarding Survival Guide
- PowerShell ⥠the Blue Team
- Autoruns
- TA-microsoft-sysmon
- SwiftOnSecurity - Sysmon Config
- ThreatHunting
- sysmon-modular
- Atomic Red Team
- Hunting for Beacons
- Velociraptor
- BadBlood
- PurpleSharp
- EVTX-ATTACK-SAMPLES
DetectionLab Sponsors
Last updated: 01/01/2023
I would like to extend thanks to everyone who sponsored DetectionLab over the past few years. DetectionLab is no longer actively being maintained or developed.
Top Related Projects
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot