Detection Lab: Visibility & Introspection for Defenders

Detection Lab: Visibility & Introspection for Defenders
Me when I discovered @Centurion's Detection Lab. Chris Long, Detection & Incident Response Analyst at Palantir, released Detection Lab this past Monday. From his own Medium post, "Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices." Detection Lab consists of four hosts: DC: A Windows 2016 domain controller WEF: A Windows 2016 server that manages Windows Event Collection Win10: A Windows 10 host simulating a non-server endpoint Logger: An Ubuntu 16.04 host that runs Splunk and a Fleet server From the Detection Lab GitHub, "this lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts." The feature list should close the deal for you: Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured. A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging Palantir's Windows Event Forwarding subscriptions and custom channels are implemented Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog SMBv1 Auditing is enabled Chris really wanted defenders to "have a quick and easy way to bring up a lab environment, complete with tooling and pre-configured logging." Detection Lab represents many of his weekends worth of work, over many months, and for that, we salute him. Well done, Chris! Russ McRee \| @holisticinfosec	Russ McRee 181 Posts ISC Handler
Subscribe	Dec 15th 2017 1 year ago
Thank you	Netmanzim 37 Posts
Quote	Dec 15th 2017 1 year ago
Great post thank you to all	Netmanzim 37 Posts
Quote	Dec 15th 2017 1 year ago

Me when I discovered @Centurion's Detection Lab.

So Much Win

Chris Long, Detection & Incident Response Analyst at Palantir, released Detection Lab this past Monday. From his own Medium post, "Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices."
Detection Lab consists of four hosts:

DC: A Windows 2016 domain controller
WEF: A Windows 2016 server that manages Windows Event Collection
Win10: A Windows 10 host simulating a non-server endpoint
Logger: An Ubuntu 16.04 host that runs Splunk and a Fleet server

From the Detection Lab GitHub, "this lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts."

The feature list should close the deal for you:

Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
SMBv1 Auditing is enabled

Chris really wanted defenders to "have a quick and easy way to bring up a lab environment, complete with tooling and pre-configured logging." Detection Lab represents many of his weekends worth of work, over many months, and for that, we salute him. Well done, Chris!

Russ McRee | @holisticinfosec

Russ McRee

181 Posts
ISC Handler

Thank you

Netmanzim

37 Posts

Great post thank you to all

Netmanzim

37 Posts