{"id":142,"date":"2025-09-16T09:00:00","date_gmt":"2025-09-16T09:00:00","guid":{"rendered":"https:\/\/justruss.tech\/?p=142"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"setting-up-a-home-lab","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/09\/16\/setting-up-a-home-lab\/","title":{"rendered":"Building a Home Lab for Threat Hunting and DFIR Practice"},"content":{"rendered":"<p>The decision was to rebuild an old lab rather than migrate it, with the goal of building something that could support realistic threat hunting and DFIR practice rather than just isolated tool testing. This covers the hardware, network topology, and core software stack.<\/p>\n<h3>Hardware<\/h3>\n<p>The lab runs on a repurposed Dell PowerEdge R730 with dual Xeon E5-2640v4 processors, 128GB RAM, and four 1TB SAS drives in RAID10. RAM is the binding constraint. A realistic lab needs a Windows 10 target, a Windows Server DC, a Kali attack VM, a SIEM, and a Zeek sensor all running at once. Anything under 32GB means constant swapping.<\/p>\n<h3>Virtualisation<\/h3>\n<p>VMware ESXi 7 on bare metal. ESXi was chosen over VMware Workstation because its snapshot management scales far better. Rolling back a compromised VM to a clean state in under ten seconds, without rebooting the host, makes the iteration loop for attack and analysis much faster in practice.<\/p>\n<h3>Network topology<\/h3>\n<pre>Internet\n    |\n[Home Router 192.168.1.0\/24]\n    |\n[Managed switch, VLAN aware]\n    |\n    +-- VLAN 10: Management (172.16.10.0\/24)\n    |     Velociraptor, Elastic SIEM, Zeek sensor\n    |\n    +-- VLAN 20: Attack (172.16.20.0\/24)\n    |     Kali Linux\n    |\n    +-- VLAN 30: Targets (172.16.30.0\/24)\n          Windows 10 with Sysmon and Elastic Agent\n          Windows Server 2019 Domain Controller\n          Ubuntu 22.04 web server<\/pre>\n<p>Attack VLAN can reach targets. Management VLAN can reach both. 
Targets have no direct internet access and all outbound traffic from the attack VLAN routes through the Zeek sensor so every tool download and C2 callback gets logged.<\/p>\n<h3>Sysmon configuration<\/h3>\n<pre>Invoke-WebRequest -Uri \"https:\/\/raw.githubusercontent.com\/SwiftOnSecurity\/sysmon-config\/master\/sysmonconfig-export.xml\" -OutFile sysmon.xml\n.\\Sysmon64.exe -accepteula -i sysmon.xml<\/pre>\n<p>Extra rules added on top of the base config: all access to lsass.exe regardless of source, and all DNS queries without the Microsoft hostname exclusions that are in the default template. In a lab you want to see your own tooling resolve things.<\/p>\n<h3>SIEM stack<\/h3>\n<p>Elasticsearch, Kibana, and Elastic Agent running in Docker on the management VLAN. The docker-compose setup takes about twenty minutes and Elastic Agent fleet enrollment is straightforward once the server certificate is sorted. Windows agents ship Security events, Sysmon events, and PowerShell operational logs. Zeek JSON logs ship via Filebeat with the Zeek module enabled. Having all data sources in one place where you can write KQL queries across everything simultaneously is what makes the lab useful for practice rather than just having individual tools installed in isolation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A walkthrough of setting up a home lab capable of supporting realistic DFIR and threat hunting practice. 
Covers hardware selection, network topology with VLANs, Sysmon configuration, and getting a full SIEM stack running on a budget.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-142","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=142"}],"version-history":[{"count":8,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/142\/revisions"}],"predecessor-version":[{"id":339,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/142\/revisions\/339"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}