This covers the build-out of a functional threat hunting and DFIR lab running on a single repurposed server. The focus is on realistic log volume, proper network segmentation, and having the right tools available for each phase of an
\ninvestigation.<\/p>\n
The lab runs on a Dell PowerEdge R730 (2x Xeon E5-2640v4, 128GB RAM, 4x 1TB SAS in RAID10). A minimum viable setup for this work is 32GB RAM \u2014 enough to run 4-5 VMs simultaneously without constant swapping. The storage minimum is approximately
\n500GB to hold OS images, snapshots, and log data without constant cleanup.<\/p>\n
Internet\n |\n[Home Router - 192.168.1.0\/24]\n |\n[Lab Switch - VLAN aware]\n |\n +-- VLAN 10 (172.16.10.0\/24) -- Management\n | - Velociraptor server\n | - SIEM (Elastic)\n | - Zeek sensor\n |\n +-- VLAN 20 (172.16.20.0\/24) -- Attack\n | - Kali Linux\n |\n +-- VLAN 30 (172.16.30.0\/24) -- Targets\n - Windows 10 (patched)\n - Windows 10 (vulnerable - no EDR)\n - Windows Server 2019 (DC)\n - Ubuntu 22.04 (web target)<\/pre>\nVLAN 20 (Attack) can reach VLAN 30 (Targets). VLAN 10 (Management) can reach both. Internet access from VLAN 20 routes through a Zeek tap so all attack tool downloads and C2 callbacks are logged. Targets have no direct internet access.<\/p>\n
SIEM stack \u2014 Docker Compose<\/h3>\n
version: \"3\"\nservices:\n elasticsearch:\n image: docker.elastic.co\/elasticsearch\/elasticsearch:8.11.0\n environment:\n - discovery.type=single-node\n - ES_JAVA_OPTS=-Xms4g -Xmx4g\n - xpack.security.enabled=true\n - ELASTIC_PASSWORD=changeme\n volumes:\n - esdata:\/usr\/share\/elasticsearch\/data\n ports:\n - \"9200:9200\"\n\n kibana:\n image: docker.elastic.co\/kibana\/kibana:8.11.0\n environment:\n - ELASTICSEARCH_URL=http:\/\/elasticsearch:9200\n - ELASTICSEARCH_USERNAME=kibana_system\n - ELASTICSEARCH_PASSWORD=changeme\n ports:\n - \"5601:5601\"\n depends_on:\n - elasticsearch\n\n fleet-server:\n image: docker.elastic.co\/beats\/elastic-agent:8.11.0\n environment:\n - FLEET_SERVER_ENABLE=true\n - FLEET_SERVER_ELASTICSEARCH_HOST=http:\/\/elasticsearch:9200\n - FLEET_SERVER_SERVICE_TOKEN=<generate_via_kibana>\n ports:\n - \"8220:8220\"\n\nvolumes:\n esdata:<\/pre>\nStart with
docker compose up -d<\/code>. Kibana is available at port 5601. First login: create the kibana_system password via the elasticsearch container:<\/p>\ndocker exec -it elastic_elasticsearch_1 \\\n bin\/elasticsearch-reset-password -u kibana_system<\/pre>\nSysmon configuration<\/h3>\n
The SwiftOnSecurity config is a solid starting point but needs additions for a lab:<\/p>\n
# Download base config\nInvoke-WebRequest -Uri https:\/\/raw.githubusercontent.com\/SwiftOnSecurity\/sysmon-config\/master\/sysmonconfig-export.xml -OutFile sysmon.xml\n\n# Install Sysmon with config\n.\\Sysmon64.exe -accepteula -i sysmon.xml\n\n# Verify\nGet-WinEvent -LogName \"Microsoft-Windows-Sysmon\/Operational\" -MaxEvents 5 | Select TimeCreated, Id, Message<\/pre>\nAdditional rules to add for the lab (add inside the appropriate EventFiltering sections):<\/p>\n
<!-- Log all LSASS access regardless of source -->\n<ProcessAccess onmatch=\"include\">\n <TargetImage condition=\"is\">C:\\Windows\\System32\\lsass.exe<\/TargetImage>\n<\/ProcessAccess>\n\n<!-- Log all DNS queries -->\n<DnsQuery onmatch=\"exclude\">\n <QueryName condition=\"end with\">.microsoft.com<\/QueryName>\n <QueryName condition=\"end with\">.windows.com<\/QueryName>\n<\/DnsQuery><\/pre>\nElastic Agent deployment to Windows targets<\/h3>\n
# In Kibana: Fleet > Agent Policies > Create policy \"Lab Windows\"\n# Add integrations: Windows (event logs), Sysmon\n\n# On Windows target - download the agent from Fleet UI\n# Then install:\n.\\elastic-agent.exe install --url=https:\/\/172.16.10.10:8220 `\n --enrollment-token=<token_from_fleet_ui> `\n --insecure # lab only - use proper certs in production<\/pre>\nAfter enrollment, events appear in Kibana under Discover within about 30 seconds. The Sysmon integration auto-parses all field mappings \u2014 process names, hashes, network connections \u2014 without manual index template configuration.<\/p>\n
Zeek on the network tap<\/h3>\n
# Interface ens4 is the span\/tap port receiving all lab traffic\nzeekctl deploy\nzeekctl status\n\n# Verify logs are writing\ntail -f \/opt\/zeek\/logs\/current\/conn.log | python3 -m json.tool<\/pre>\n","protected":false},"excerpt":{"rendered":"After running a basic VM setup for a year, how I stood up
\nElastic SIEM without spending money on hardware I did not need.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"class_list":["post-193","post","type-post","status-publish","format-standard","hentry","category-home-lab"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=193"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/193\/revisions"}],"predecessor-version":[{"id":235,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/193\/revisions\/235"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}