Setting up a home lab

I bought myself a server to expand my development, as the war between gaming and personal development was finally over and, you guessed it, games won. Instead of simply copying my virtual machines over, I decided to build my lab again from the ground up using new tools and endpoints.

This blog will be split into multiple parts listed below:

  • Part 1 – The Setup – Network topology and endpoint installs
  • Part 2 – The Connection – Connecting all the endpoints and pipes to get logs flowing
  • Part 3 – The Exploit – Run a few malicious activities to test visibility

With the intros out of the way, let's kick this weekend project off.

Part 1 – The Setup – Network topology and endpoint installs

For the setup, I am going to largely copy DetectionLab's design, https://detectionlab.network. Whilst I may end up using their easy deployment processes, I wanted to set this up myself from scratch so that I know every aspect of the deployment, not only for my own awareness of the resourcing and network interoperability of servers, logs, tools and workflows, but also so that I may be able to assist any clients who request similar deployments.

So the design is very straightforward:

  • Ubuntu 22.04 LTS – Used to capture and index everything.
    • Services
      • Splunk
      • Malcolm – https://malcolm.fyi/
      • Velociraptor – https://github.com/Velocidex/velociraptor
      • Fleet – https://fleetdm.com/
  • Windows Server 2022 – The DC
    • Services / Tools
      • DC
      • ATA Lightweight Gateway
      • Sysmon
      • Osquery
      • Velociraptor agent
  • Windows Server 2022 – Windows Event Forwarder
    • Services / Tools
      • Windows Event Collector
      • Splunk Forwarder
      • Microsoft ATA (the ATA Center, paired with the Lightweight Gateway on the DC)
      • Sysmon
      • Osquery
      • Velociraptor agent
      • PowerShell Log Collector
  • Windows 10 – The main victim
    • Services / Tools
      • Simulates a user desktop
      • Sysmon
      • Osquery
      • Velociraptor agent
  • Kali Linux – The actor
    • Services / Tools
      • Whatever is needed
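
As an added example that is not part of the original post (nor one of DetectionLab's own scripts), the following PowerShell installs Sysmon on one of the Windows endpoints listed above and then checks that the Sysmon event channel is actually receiving events, which is the first thing to verify before wiring anything into the Windows Event Collector or Splunk. The paths C:\Lab\Sysmon64.exe and C:\Lab\sysmonconfig.xml are assumptions, as is that both files were downloaded to the endpoint beforehand.

```powershell
# Added example (not from the original post): install Sysmon on a lab Windows
# endpoint and verify the Microsoft-Windows-Sysmon/Operational channel is live.
# Assumptions: Sysmon64.exe and a Sysmon config XML have already been copied to
# C:\Lab (both paths are assumptions). Run from an elevated PowerShell prompt.

$SysmonExe    = 'C:\Lab\Sysmon64.exe'
$SysmonConfig = 'C:\Lab\sysmonconfig.xml'

foreach ($p in @($SysmonExe, $SysmonConfig)) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

# Sysmon registers a service named after the binary, so Sysmon64.exe -> Sysmon64.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # -i installs the driver and service with the given config;
    # -accepteula is required for an unattended install.
    & $SysmonExe -accepteula -i $SysmonConfig
} else {
    # Already installed: push the (possibly updated) config instead of reinstalling.
    & $SysmonExe -c $SysmonConfig
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# The service must be running, otherwise nothing downstream will see events.
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status)" }

# The event channel should exist and be enabled once the service is up.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
"Sysmon channel enabled: $($log.IsEnabled); records so far: $($log.RecordCount)"

# Event ID 1 (process create) should land within seconds of any activity.
# Spawn a harmless process, then pull the newest few events and read the Image
# field out of the event XML by name (safer than relying on a property index,
# which differs between Sysmon versions).
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c whoami' -Wait -WindowStyle Hidden
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 3 |
    Select-Object TimeCreated, Id, @{
        Name       = 'Image'
        Expression = {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'Image' } |
                Select-Object -ExpandProperty '#text'
        }
    }
```

If the last command prints no rows, the usual causes are that the config filters out the process you started or that the service was installed but not yet started; rerun the same script on the DC, the WEF server and the Windows 10 victim, since all three carry Sysmon in the design above.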

Part 2 – The Connection – Connecting all the endpoints and pipes to get logs flowing


Part 3 – The Exploit – Run a few malicious activities to test visibility