Setting Up DetectionLab

An essential part of threat analysis is keeping up with the evolution of attacks and building detections around them. Attackers have the advantage of not playing by the rules. While defenders have the advantage of…? of knowing the playing field, I guess. But how do we simulate this playing field without disturbing production operations? There are a hundred ways to do it, but we will focus on the easiest and most time-efficient way to get this done. In this write-up I will be walking through the steps to set up Chris Long’s amazing tool, DetectionLab. Credit to him and everyone involved.

What is DetectionLab?
DetectionLab is an out of the box lab environment to test out your defense controls and eliminate blind spots. 

Elaborate Please?
It leverages Vagrant, VirtualBox, Packer and a host computer to carry out its functions. The out-of-the-box lab has virtual machines simulating a domain controller, an event forwarder, a logger and a Windows 10 endpoint, components that are present in almost every infrastructure. Using this lab you can simulate attacks and observe what you’re missing.

Who is it for?
While it is made with cyber defenders in mind, red teams can leverage this tool too, by learning what defenders see and modifying their attacks accordingly.

What other Functionalities does it have?
Too many to list on here. The GitHub is well documented. Take a look.

Hardware Requirements:
Listed below are my hardware specs; the project recommends this as your minimum hardware too.
OS: Windows 10
Processor: i7-8750H (12 cores)
RAM: DDR4-2666 16GB
Storage: M.2 PCIe SSD 512GB (We need 55GB+ of free disk space)

Alright,

Step 1: Open PowerShell as an administrator.

Command: Start >> Type PowerShell >> (Right Click) >> Run as Administrator.

Step 2: In PowerShell, you must ensure that Get-ExecutionPolicy does not return Restricted. Read more on what Execution Policy is, but later.

Command: Set-ExecutionPolicy AllSigned

Step 2a: Now check if you did it right. It should say 'RemoteSigned'.

Command: Get-ExecutionPolicy

Step 3: Install Chocolatey.
Chocolatey is a package manager, and a pretty good one. What is a package manager? System administrators who manage thousands of laptops do not log in to each laptop and install common software. They deploy it to all systems together. Chocolatey enables them to do this.

Command: Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

Wait for a few minutes and you should be done.

Step 4: Install Git using Chocolatey.
Notice the parameter '/GitAndUnixToolsOnPath'. It is what puts git (and its bundled Unix tools) on your PATH so you can call it from any shell. What is PATH and why is it important? Read it, but later.

Command: choco install git --params "/GitAndUnixToolsOnPath"

It will ask you a few questions, answer 'Y' and you should be done.

Step 5: Downloading Vagrant.
Vagrant is a box for boxes, but as code. It helps you spin up a whole environment using just… code. The four virtual machines we mentioned at the start of this write-up will all be spun up by this awesome tool alone. We used to do it one by one in the olden days of 2012.

Command: choco install vagrant

Step 6: Clone DetectionLab.

Commands:
mkdir git            # make a directory called git
cd git               # enter the directory git
mkdir detectionlab   # make a directory called detectionlab inside git
cd detectionlab      # enter the directory detectionlab
git clone https://github.com/clong/DetectionLab.git   # clone the code

Remember we spoke about paths earlier. You might encounter an error that says 'git' is not recognized as an internal or external command. This is because of the path issue. Double-check that the path is right using the steps in this article. Basically, we have two ways to resolve this: either refresh your path variables using the command 'refreshenv', OR just exit PowerShell and restart it as admin. Finally, run the git clone command again.

Step 7: Install Virtual Box

Command: choco install virtualbox

Done. Now for the final step, which will take you anywhere from an hour and a half to a day depending on your internet speed.

Step 8: Installing Detection Lab:
We are installing the out-of-the-box version that was pre-built for us. If you’re an advanced user, you have the freedom to build your own boxes; the documentation walks you through that. Moving on, in the detectionlab directory we created earlier, we will have a build file. We execute the command below to build the lab.

Command: .\build.ps1 -ProviderName virtualbox -VagrantOnly

That’s it. It takes a while, so be patient. To see the progress, go to the /vagrant/ folder and check the .log file.
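Before kicking off that long build, it is worth confirming Steps 2 to 7 actually took. The pre-flight script below is an added example (my own, not part of the DetectionLab project); it assumes VirtualBox is in its default Program Files location and that you run it from the cloned DetectionLab directory.

```powershell
# Added example, not part of the DetectionLab project: pre-flight checks for the
# host before running build.ps1, covering Steps 2-7 and the 55 GB disk requirement.
# Assumption: VirtualBox is in its default install folder under Program Files.
$MinFreeGB = 55
$problems  = @()

# Step 2: the execution policy must not be Restricted or build.ps1 will not run.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    $problems += 'Execution policy is Restricted (see Step 2)'
}

# Steps 3-5: each CLI must be resolvable from PATH. If it was installed in this
# session, PATH is stale: run refreshenv or reopen PowerShell as administrator.
$tools = @{ choco = 'Chocolatey (Step 3)'; git = 'Git (Step 4)'; vagrant = 'Vagrant (Step 5)' }
foreach ($cmd in $tools.Keys) {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        $problems += "$($tools[$cmd]) not found on PATH: '$cmd'"
    }
}

# Step 7: Vagrant locates VirtualBox itself, so just confirm the install exists.
$vboxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
if (-not (Test-Path $vboxManage)) {
    $problems += "VirtualBox (Step 7) not found at $vboxManage"
}

# Hardware section: the boxes need 55 GB+ free on the drive holding the repo.
$drive  = (Get-Location).Drive.Name
$freeGB = [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    $problems += "Only $freeGB GB free on ${drive}: (need $MinFreeGB GB+)"
}

# Step 8: build.ps1 lives in the cloned DetectionLab directory.
if (-not (Test-Path .\build.ps1)) {
    $problems += 'build.ps1 not found; cd into the cloned DetectionLab directory first'
}

if ($problems.Count -eq 0) {
    Write-Host 'All checks passed; starting the build.' -ForegroundColor Green
    .\build.ps1 -ProviderName virtualbox -VagrantOnly
} else {
    Write-Host 'Fix the following before building:' -ForegroundColor Yellow
    $problems | ForEach-Object { Write-Host " - $_" }
}
```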

Post Installation Steps:

After you’re done, navigate to the vagrant directory and check if all the hosts are up.

Command:
cd .\DetectionLab\
cd .\Vagrant\
vagrant status

You should see the following output:

Current machine states:

logger                    running (virtualbox)
dc                        running (virtualbox)
wef                       running (virtualbox)
win10                     running (virtualbox)

As the output shows, all four virtual machines are up and running.

Additionally, open your browser and navigate to https://192.168.38.105:8412

Credentials:

UserName: admin

Password: admin123#


And you should see all three of your hosts up. 

Troubleshooting:

I ran into some issues while the win10 box was getting installed, and again when I switched my PC off and came back the next day. Re-provisioning the box that is throwing errors is the best way forward. Navigate to the Vagrant directory and enter the commands below.

Command to restart a specific host:

vagrant reload <hostname>

OR, if the problem persists, restart the host and re-run the provisioning process:

vagrant reload <hostname> --provision
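To tie the post-installation check and this troubleshooting step together, here is an added PowerShell script (my own, not from the DetectionLab project) that parses the machine-readable output of vagrant status and re-provisions whichever of the four hosts is not running. Run it from the Vagrant directory; the handling of boxes that were never created uses vagrant up, which is standard Vagrant but not covered above.

```powershell
# Added example, not DetectionLab's own code: find any lab host that is not
# running and re-provision it, as the Troubleshooting section does by hand.
# Run from DetectionLab\Vagrant. Vagrant's --machine-readable output is
# comma-separated rows of the form: timestamp,target,type,data
$expected = @('logger', 'dc', 'wef', 'win10')

$states = @{}
vagrant status --machine-readable | ForEach-Object {
    $fields = $_ -split ','
    # Only "state" rows carry the per-machine state (running, poweroff, not_created, ...)
    if ($fields.Count -ge 4 -and $fields[2] -eq 'state') {
        $states[$fields[1]] = $fields[3]
    }
}

# Compare what Vagrant reports against the four hosts the lab is supposed to have.
$broken = @()
foreach ($name in $expected) {
    $state = if ($states.ContainsKey($name)) { $states[$name] } else { 'missing' }
    Write-Host ("{0,-8} {1}" -f $name, $state)
    if ($state -ne 'running') { $broken += $name }
}

if ($broken.Count -eq 0) {
    Write-Host 'All four hosts are running.' -ForegroundColor Green
} else {
    foreach ($name in $broken) {
        if ($states[$name] -eq 'not_created') {
            # A box that never finished building cannot be reloaded; it needs vagrant up.
            Write-Host "$name was never created; run: vagrant up $name" -ForegroundColor Yellow
            continue
        }
        Write-Host "Restarting and re-provisioning $name ..." -ForegroundColor Yellow
        vagrant reload $name --provision
    }
}
```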

Links:

Additional Resources: https://github.com/clong/DetectionLab

Basic Vagrant Usage: https://github.com/clong/DetectionLab/wiki/Vagrant-Usage

Lab Information and credentials: https://github.com/clong/DetectionLab/wiki/Lab-Information-&-Credentials

Known Issues and Workarounds: https://github.com/clong/DetectionLab/wiki/Known-Issues-and-Workarounds


Finally, how do we use this?

Red Canary’s project Atomic Red Team is a great start, and it is already built into the lab. Pick an attack and simulate it. Look at the attack vectors and test which rules fired in your system. Write rules based on your findings.

In my next write-up I will be demonstrating a few attack techniques which can be detected using the plethora of functionalities in the lab.
