Gaz Threat Hunter and Malware Analyst

Detection Lab: The long way (Pt. 1)

I recently came across Chris Long’s Detection Lab. Detection Lab automates the creation of an Active Directory environment, complete with logging and additional tools. Once deployed it acts as a play area for defenders to practise and test, all whilst capturing the sort of logs you’d expect from any self-respecting business. I can’t tell you how many times I’ve wanted to set up a similar environment but not known where to begin.

However, after trying to deploy the environment, it became obvious that whilst a lot of time had been put into the automation and additional features, not a huge amount was spent on documentation, a shortcoming that some of the project contributors have openly admitted and vowed to rectify. After eventually admitting defeat, I realised that the better solution would be to configure the environment manually. Since the documentation details the endpoints and installed tools, that takes away the main struggle I was facing.

[Diagram: overview of a deployed Detection Lab environment]

This diagram gives an overview of what a deployed Detection Lab environment should look like. Since I’m creating this manually, I’ll likely omit some of the tools and feed the logs into IBM QRadar Community Edition. To save some time I’ve already created the required virtual machines in ESXi. So, we’ll start by promoting one of the Windows 2019 servers to a domain controller.

Installing Roles & Features

We’ll start small by modifying the Local Security Policy to enable “Interactive logon: Do not require CTRL + ALT + DEL”. This just makes logging into the server a little easier when RDP’ing.

Firstly, head to Tools > Local Security Policy from the Server Manager window.

Local Security Policy

Then open and enable “Interactive logon: Do not require CTRL + ALT + DEL”, located under Local Policies > Security Options.

No CTRL + ALT + DEL

Now that’s sorted, we need to install the services and software required for a DC. We can do this by selecting “Add roles and features” from the quick start section of the Server Manager dashboard.

Dashboard Quick Start

We’re then presented with two installation types:

Role-based or feature-based installation: This option allows you to select which services/roles you want to install.

Remote Desktop Services installation: This option will select, install, and configure the needed components for the selected scenario.

We'll choose "Role-based or feature-based installation" and keep the default settings on the Server Selection page.

To promote the server to a domain controller we need to ensure that "Active Directory Domain Services" are installed, at the very least.

Roles/Services

Select the check box next to the service and click Add Features on the pop-up. On the next page, the basic features required for this role should be selected by default. Click Next twice.

Confirmation page

Finally, ensure the automatic restart option is enabled and click install.

Configuration

Now that the roles and features are installed, we need to promote the server to a domain controller. First, open the notifications window and select "Promote this server to a domain controller".

Promote to domain controller

Next, select "Add a new forest" and specify a domain. This is commonly a .local address.

Add a new forest

Then we need to set a DSRM (Directory Services Restore Mode) password. DSRM is a boot mode that allows repair or recovery of Active Directory; it lets an administrator log on with this password when Active Directory itself has failed.

Specify DSRM password

We can ignore the warning on the DNS Options page since we're configuring a DNS server as part of this process. Leave this page as it is and move to the next step.

After a few seconds, the NetBIOS name should automatically populate.

Set NetBIOS name

The paths can be left as default.

Set paths

Finally, review the options and, once the prerequisite checks are complete, click install.

Prerequisite checks
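The same build, scripted. This is an added example and not part of the original post or of Detection Lab; the domain name, NetBIOS name and paths are assumed placeholder values (the post only says the domain is "commonly a .local address"), and it assumes an elevated PowerShell session on the freshly built Windows Server 2019 VM.

```powershell
# Added example, not from the original post: the wizard steps above as PowerShell.
# Assumed lab values; change them for your own environment.
$DomainName  = 'detectionlab.local'   # placeholder forest root domain
$NetbiosName = 'DETECTIONLAB'         # the wizard derives this automatically; set explicitly here

# 1. Local Security Policy > "Interactive logon: Do not require CTRL + ALT + DEL".
#    The GUI setting is backed by the DisableCAD registry value. Lab convenience only:
#    the secure attention sequence exists to defeat logon-screen spoofing.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                 -Name 'DisableCAD' -Value 1 -Type DWord

# 2. Add roles and features: AD DS plus the management tools the wizard selects by default.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw "AD DS role installation failed: $($feature.ExitCode)" }

# 3. DSRM password, read interactively so it never ends up in the script or shell history.
$dsrmPassword = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

# 4. Prerequisite checks (the wizard's final page) before anything is changed.
$check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
             -SafeModeAdministratorPassword $dsrmPassword -InstallDns
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -ne 'Success') { throw 'Prerequisite checks failed; fix the issues above and re-run.' }

# 5. Promote: "Add a new forest", DNS installed as part of the process (so the DNS
#    delegation warning is expected), NetBIOS name set, and the default paths kept.
Install-ADDSForest -DomainName $DomainName `
                   -DomainNetbiosName $NetbiosName `
                   -SafeModeAdministratorPassword $dsrmPassword `
                   -InstallDns `
                   -DatabasePath 'C:\Windows\NTDS' `
                   -LogPath 'C:\Windows\NTDS' `
                   -SysvolPath 'C:\Windows\SYSVOL' `
                   -Force   # skip the confirmation prompt; the server reboots when promotion completes
```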

Now we have the domain controller configured. We'll look to add the other two VMs to the domain and configure the event collector in the next part.