Setting Up DetectionLab
An essential part of threat analysis is keeping up with the evolution of attacks and building detections around them. Attackers have the advantage of not playing by the rules; defenders have the advantage of knowing the playing field. But how do we simulate that playing field without disturbing production? There are a hundred ways to do it. Here we focus on the easiest and most time-efficient one. In this write-up I walk through the steps to set up Chris Long's excellent DetectionLab. Credit to him and everyone involved.
What is DetectionLab?
DetectionLab is an out-of-the-box lab environment for testing your defensive controls and finding blind spots.
It leverages Vagrant, VirtualBox and Packer on a host computer. The default lab consists of four virtual machines: a domain controller, a Windows Event Forwarding (WEF) server, a logger, and a Windows 10 endpoint, the building blocks found in almost every Windows infrastructure. Using this lab you can simulate attacks and observe what your detections miss.
Who is it for?
While it is made with cyber defenders in mind, red teams can use it to learn what defenders see and adapt their attacks accordingly.
What other Functionalities does it have?
Too many to list on here. The GitHub is well documented. Take a look.
Listed below are my hardware specs; treat them as the minimum you should have.
OS: Windows 10
Processor: i7-8750H (12 cores)
RAM: DDR4-2666 16GB
Storage: M.2 PCIe SSD 512GB (We need 55GB+ of free disk space)
Step 1: Open PowerShell as an administrator.
Command: Start >> Type PowerShell >> (Right Click) >> Run as Administrator.
Step 2: Make sure the PowerShell execution policy is not Restricted, otherwise neither the Chocolatey installer nor DetectionLab's build.ps1 will run. (Read up on what execution policy is, but later.)
Command: Set-ExecutionPolicy RemoteSigned
Step 2a: Check that it worked by running 'Get-ExecutionPolicy'. It should say 'RemoteSigned'. RemoteSigned lets locally created scripts such as the cloned build.ps1 run unsigned while still requiring a signature on scripts downloaded from the internet; AllSigned would block the unsigned build script.
Step 3: Install Chocolatey.
Chocolatey is a package manager, and a pretty good one. What is a package manager? System administrators who manage thousands of laptops do not log in to each one and install common software by hand; they deploy it to all systems at once. Chocolatey enables them to do this on Windows.
Command: Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
Wait a few minutes and Chocolatey is installed.
Step 4: Install Git.
Command: choco install git --params '/GitAndUnixToolsOnPath'
It will ask you a few questions; answer 'Y' and you should be done. The /GitAndUnixToolsOnPath parameter puts git and the bundled Unix tools on your PATH, which the rest of this guide depends on.
Step 5: Install Vagrant.
Vagrant is a box for boxes, but as code. It helps you spin up a whole environment using just... code. The four virtual machines mentioned at the start of this write-up are all spun up by this one tool. Back in the olden days of 2012 we would have built them one by one.
Command: choco install vagrant
Step 6: Clone DetectionLab.
mkdir git                                              # make a directory called git
cd git                                                 # enter the directory git
mkdir detectionlab                                     # make a directory called detectionlab inside it
cd detectionlab                                        # enter the directory detectionlab
git clone https://github.com/clong/DetectionLab.git    # clone the code into .\DetectionLab
Remember the PATH parameter from the Git install. You might encounter an error that says 'git' is not recognized as an internal or external command. This is a PATH issue: the PowerShell session you opened before installing Git still has the old PATH. There are two ways to resolve it. Either refresh the environment variables in the current session with the command 'refreshenv' (provided by Chocolatey) OR exit PowerShell and start it again as administrator. Then run the git clone command again.
Step 7: Install VirtualBox.
Command: choco install virtualbox
Done. Now, for the final step that will take you about an hour and a half to a day depending on your internet speed.
Step 8: Build DetectionLab.
We are installing the out-of-the-box version that was pre-built for us. If you're an advanced user, you have the freedom to build your own boxes; the documentation walks you through that. Moving on: change into the DetectionLab directory that git clone just created (git\detectionlab\DetectionLab). It contains the build script. Execute the command below to build the lab.
Command: .\build.ps1 -ProviderName virtualbox -VagrantOnly
That's it. It takes a while, so be patient. To see progress, look in the Vagrant folder of the cloned repository for the .log files the build script writes.
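Steps 1 to 8 above, collected into a single script. This is an added example and not part of the DetectionLab project; it assumes a Windows host, an elevated PowerShell session, and the install root $HOME\git\detectionlab used in this guide (change $Root if you prefer another location). It adds the preflight checks a practitioner wants before an hour-long build: free disk space, RAM, execution policy, and whether an installer asked for a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of DetectionLab: Steps 1-8 of the guide as one script.
# Assumptions: Windows host, elevated PowerShell, install root $HOME\git\detectionlab.
$ErrorActionPreference = 'Stop'
$Root = Join-Path $HOME 'git\detectionlab'

# Preflight: the guide calls for 55 GB+ free disk and 16 GB RAM. Fail early
# instead of discovering this an hour into 'vagrant up'.
$driveName = (Split-Path -Qualifier $Root).TrimEnd(':')
$freeGB = [math]::Round((Get-PSDrive -Name $driveName).Free / 1GB)
$ramGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
if ($freeGB -lt 55) { throw "Only $freeGB GB free on ${driveName}:, DetectionLab needs 55 GB+" }
if ($ramGB  -lt 16) { Write-Warning "$ramGB GB RAM is below the 16 GB used in this guide" }

# Step 2: anything but Restricted. RemoteSigned lets the unsigned build.ps1 run.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# Step 3: Chocolatey (skipped if already installed).
if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072  # TLS 1.2
    Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}
# refreshenv comes from Chocolatey's profile module; it reloads PATH so git and
# vagrant are usable in this session without restarting PowerShell.
$chocoHome = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { "$env:ProgramData\chocolatey" }
Import-Module (Join-Path $chocoHome 'helpers\chocolateyProfile.psm1')
refreshenv

# Steps 4, 5 and 7: Git (with Unix tools on PATH), Vagrant, VirtualBox.
# Chocolatey reports "installed, reboot required" with exit code 1641 or 3010.
$script:RebootNeeded = $false
function Install-ChocoPackage {
    param([string]$Name, [string[]]$ExtraArgs = @())
    & choco install $Name -y @ExtraArgs
    if ($LASTEXITCODE -in 1641, 3010) { $script:RebootNeeded = $true }
    elseif ($LASTEXITCODE -ne 0) { throw "choco install $Name failed with exit code $LASTEXITCODE" }
}
Install-ChocoPackage -Name git -ExtraArgs @('--params', "'/GitAndUnixToolsOnPath'")
Install-ChocoPackage -Name vagrant
Install-ChocoPackage -Name virtualbox
refreshenv
if ($script:RebootNeeded) {
    throw 'An installer requested a reboot. Reboot, then re-run this script; every step above is skip-safe.'
}

# Step 6: clone, or reuse an existing clone.
New-Item -ItemType Directory -Force -Path $Root | Out-Null
Set-Location $Root
if (-not (Test-Path (Join-Path $Root 'DetectionLab\.git'))) {
    & git clone https://github.com/clong/DetectionLab.git
}
Set-Location (Join-Path $Root 'DetectionLab')

# Step 8: build the pre-built boxes with Vagrant only. Logs land in .\Vagrant\*.log.
& .\build.ps1 -ProviderName virtualbox -VagrantOnly
```

Save it as a .ps1 file and run it from an elevated PowerShell. Because every step checks its own preconditions, it is safe to run again after a reboot or a failed download; only the missing pieces are redone.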
Post Installation Steps:
After the build finishes, navigate to the Vagrant directory and run 'vagrant status' to check that all the hosts are up.
You should see the following output:
Current machine states:
logger running (virtualbox)
dc running (virtualbox)
wef running (virtualbox)
win10 running (virtualbox)
As you can see above, all four virtual machines are up and running.
I ran into some issues while the win10 box was getting installed, and when I switched my PC off and came back the next day. Re-provisioning the box that is throwing errors is the best way forward. Navigate to the Vagrant directory and enter the commands below.
Command to restart a specific host:
vagrant reload <hostname>
OR, if the problem persists, restart the host and re-run the provisioning process:
vagrant reload <hostname> --provision
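The post-installation check and the reload/re-provision step above, as one script. This is an added example, not part of DetectionLab: it parses the 'vagrant status' output into a host-to-state map, then picks the right vagrant command per state (a box that was never created needs 'vagrant up', a powered-off one only needs 'vagrant reload', anything else gets 'vagrant reload --provision'). The status text in the block is a constructed sample so the logic can be exercised without a lab; the comment shows the live call.

```powershell
# Added example, not part of DetectionLab: verify every lab host is running and
# bring back any that is not. Run from the cloned repo's Vagrant folder.
# $DryRun only reports; set it to $false to actually invoke vagrant.
$DryRun   = $true
$expected = 'logger', 'dc', 'wef', 'win10'

function Get-LabHostState {
    # Parse 'vagrant status' lines such as "dc    running (virtualbox)" into a
    # hashtable of host name -> state ("running", "poweroff", "not created", ...).
    param([string[]]$StatusOutput)
    $states = @{}
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*(\S+)\s+(.+?)\s+\((\w+)\)\s*$') {
            $states[$Matches[1]] = $Matches[2]
        }
    }
    return $states
}

function Get-RepairCommand {
    # Map a host state to the vagrant arguments that fix it; $null means healthy.
    param([string]$Name, [string]$State)
    switch ($State) {
        'running'     { return $null }
        'not created' { return @('up', $Name) }
        'poweroff'    { return @('reload', $Name) }
        default       { return @('reload', $Name, '--provision') }
    }
}

# Constructed sample output for a dry run. For the live lab use:
#   $lines = & vagrant status 2>&1 | ForEach-Object { "$_" }
$lines = @'
Current machine states:

logger                    running (virtualbox)
dc                        running (virtualbox)
wef                       poweroff (virtualbox)
win10                     aborted (virtualbox)
'@ -split "`r?`n"

$states = Get-LabHostState -StatusOutput $lines
foreach ($name in $expected) {
    if (-not $states.ContainsKey($name)) {
        Write-Warning "${name}: missing from vagrant status output"
        continue
    }
    $argv = Get-RepairCommand -Name $name -State $states[$name]
    if (-not $argv) { Write-Host "${name}: running"; continue }
    Write-Warning "${name}: '$($states[$name])' -> vagrant $($argv -join ' ')"
    if (-not $DryRun) { & vagrant @argv }
}
```

With the sample input the script reports logger and dc as running, proposes 'vagrant reload wef' for the powered-off WEF box, and 'vagrant reload win10 --provision' for the aborted endpoint; a host absent from the list entirely is flagged rather than silently skipped.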
Additional Resources: https://github.com/clong/DetectionLab
Basic Vagrant Usage: https://github.com/clong/DetectionLab/wiki/Vagrant-Usage
Lab Information and credentials: https://github.com/clong/DetectionLab/wiki/Lab-Information-&-Credentials
Known Issues and Workarounds: https://github.com/clong/DetectionLab/wiki/Known-Issues-and-Workarounds
Finally, how do we use this?
Red Canary's project Atomic Red Team is a great start, and it is already installed in the lab. Pick a technique and simulate it. Then check which of your rules fired, and, more importantly, which did not, and write or tune rules based on what you find.
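The run-a-technique-then-see-what-fired loop just described, driven from the win10 endpoint. This is an added example and not code from DetectionLab or Atomic Red Team. It assumes the Invoke-AtomicRedTeam module is importable on that host and that Sysmon is writing to Microsoft-Windows-Sysmon/Operational (both are set up by DetectionLab); the technique ID, test number and atomics folder are placeholders to replace with the test you pick after looking at it with -ShowDetailsBrief.

```powershell
# Added example, not part of DetectionLab or Atomic Red Team: execute one atomic
# test and list the Sysmon telemetry it generated, so you know what a detection
# rule could key on before you write one. Placeholders are marked.
param(
    [string]$Technique   = 'T1003.001',                 # placeholder technique ID
    [int]$TestNumber     = 1,                           # placeholder test number
    [string]$AtomicsPath = 'C:\AtomicRedTeam\atomics'   # assumed atomics folder on win10
)
$ErrorActionPreference = 'Stop'
Import-Module Invoke-AtomicRedTeam   # assumption: module is installed on the endpoint

$common = @{
    AtomicTechnique     = $Technique
    TestNumbers         = $TestNumber
    PathToAtomicsFolder = $AtomicsPath
}

# 1. Know what you are about to execute, and confirm its prerequisites exist.
Invoke-AtomicTest @common -ShowDetailsBrief
Invoke-AtomicTest @common -CheckPrereqs

# 2. Timestamp, run the test, then collect every Sysmon event written since then.
$start = Get-Date
Invoke-AtomicTest @common
Start-Sleep -Seconds 5   # give Sysmon a moment to flush

$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $start
} -ErrorAction SilentlyContinue)

# 3. Summarise by Sysmon event ID (1 process create, 3 network connect,
#    10 process access, 11 file create, 13 registry value set, ...). If the IDs
#    you expected are absent, that is the blind spot to close before writing a rule.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'SysmonEventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Process-access events (ID 10) carry the fields a credential-dumping rule keys on:
# which image opened which target process, and with what access mask.
$events | Where-Object Id -eq 10 | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Source = $data['SourceImage']
        Target = $data['TargetImage']
        Access = $data['GrantedAccess']
    }
} | Format-Table -AutoSize

# 4. Undo whatever the test left behind.
Invoke-AtomicTest @common -Cleanup
```

Run it on the win10 box, then look for the same events on the logger: if the endpoint produced the telemetry but the logger never received it, the gap is in forwarding, not in the rule.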
In my next write-up I will demonstrate a few attack techniques that can be detected using the lab's many capabilities.