JoshuaRemington/Active-Directory-Security-Operations-Center-Malware-Analysis-Homelab
GitHub: JoshuaRemington/Active-Directory-Security-Operations-Center-Malware-Analysis-Homelab
Stars: 0 | Forks: 0
# Active Directory Security Operations Center & Malware Analysis Homelab
A fully functional enterprise-style Active Directory environment featuring red team attack simulation, blue team monitoring with Security Onion, and an isolated malware analysis laboratory using REMnux and FLARE-VM.

## Overview
This homelab simulates a realistic enterprise security environment with Active Directory infrastructure, segmented networks, attack simulation capabilities, centralized security monitoring, and a dedicated malware analysis environment.
The lab allows me to practice:
- Threat Hunting
- Detection Engineering
- Incident Response
- Active Directory Security
- Red Team Operations
- Malware Analysis
- Reverse Engineering Fundamentals
All systems are isolated within a virtualized environment to safely conduct offensive security exercises and malware research.
### Key Objectives
- Build and harden a multi-machine Active Directory environment
- Deploy enterprise security monitoring with Security Onion
- Simulate realistic adversary attacks against Active Directory
- Practice detection, analysis, and response workflows
- Develop malware analysis and reverse engineering skills
- Investigate malicious behavior in a controlled environment
- Create Indicators of Compromise (IOCs) from malware samples
## Architecture
### Network Design
#### pfSense Firewall/Router
- WAN: DHCP from ISP
- LAN (User / Management Network): `192.168.20.0/24`
- OPT1 (Attack Network): `192.168.30.0/24`
- OPT2 (Malware Analysis Network): `192.168.40.0/24`
### LAN - User / Management Network (`192.168.20.0/24`)
#### Enterprise Infrastructure
| System | IP Address | Purpose |
|----------|----------|----------|
| Windows Server 2025 | 192.168.20.10 | Domain Controller |
| Security Onion (Management) | 192.168.20.20 | SIEM / Monitoring |
| Windows 10 Workstation | DHCP | Domain Client |
| Windows 11 Workstation | DHCP | Domain Client |
| Metasploitable 2 | DHCP | Vulnerable Target |
### OPT1 - Attack Network (`192.168.30.0/24`)
#### Offensive Security
| System | Purpose |
|----------|----------|
| Kali Linux | Penetration Testing Platform |
### OPT2 - Malware Analysis Network (`192.168.40.0/24`)
#### Malware Analysis Lab
| System | IP Address | Purpose |
|----------|----------|----------|
| REMnux | 192.168.40.10 | Linux Malware Analysis Workstation |
| FLARE-VM | 192.168.40.20 | Windows Malware Analysis Workstation |
### Domain
`josh_homelab.local`
## Technologies Used
| Category | Tools |
|----------|----------|
| **Hypervisor** | VMware |
| **Firewall** | pfSense |
| **Directory Services** | Windows Server 2025 (Active Directory) |
| **Endpoints** | Windows 10, Windows 11 |
| **SIEM / Monitoring** | Security Onion 2 (Elasticsearch, Logstash, Kibana, Suricata, Zeek, Wazuh) |
| **Attack Platform** | Kali Linux |
| **Vulnerable Systems** | Metasploitable 2 |
| **Malware Analysis (Linux)** | REMnux |
| **Malware Analysis (Windows)** | FLARE-VM |
| **Reverse Engineering** | Ghidra, x64dbg, PEStudio |
| **Network Analysis** | Wireshark, Zeek, Suricata |
## Features & Capabilities
### Active Directory Environment
- Domain Controller with Organizational Unit structure
- Group Policy management
- Centralized authentication and authorization
- Domain-joined Windows 10 and Windows 11 systems
- Windows auditing and event logging
### Security Monitoring
- Full Security Onion deployment monitoring enterprise systems
- Windows Event Log forwarding
- Network traffic analysis using Zeek and Suricata
- Centralized log management and visualization
- Alert generation and investigation workflows
- Threat hunting using Kibana dashboards
### Attack Simulation Capabilities
- Privilege escalation testing
- Credential harvesting simulations
- Lateral movement techniques
- Active Directory attack emulation
- Vulnerability exploitation against Metasploitable 2
### Malware Analysis Environment
#### REMnux
Used for:
- Static malware analysis
- Network traffic inspection
- IOC extraction
- Malware triage
- YARA rule testing
- Memory and artifact analysis
#### FLARE-VM
Used for:
- Dynamic malware analysis
- Reverse engineering
- Process monitoring
- Registry monitoring
- Behavioral analysis
- Windows malware debugging
#### Analysis Tooling
Examples include:
- Ghidra
- x64dbg
- PEStudio
- Procmon
- Process Explorer
- Wireshark
- FakeNet-NG
- INetSim
- YARA
- Volatility
## Security Controls
### Network Segmentation
The environment is divided into separate security zones:
#### Enterprise Network
Contains production-style systems including:
- Domain Controller
- User Workstations
- Security Onion
#### Attack Network
Contains offensive security tooling used for attack simulation.
#### Malware Analysis Network
Contains malware research systems:
- REMnux
- FLARE-VM
pfSense firewall rules restrict traffic between the three zones so that only the paths the lab needs are allowed; in particular, hosts on the malware analysis network cannot reach the enterprise or attack networks, which prevents a detonated sample from propagating outside its subnet.
### Controlled Analysis Environment
Malware samples are analyzed only within the isolated malware subnet to minimize risk and preserve containment.
## Attack & Defense Scenarios
### Active Directory Attacks
- Kerberoasting with Rubeus
- Pass-the-Hash
- Over-Pass-the-Hash
- PsExec lateral movement
- Mimikatz credential dumping
- Privilege escalation techniques
### Detection Engineering
- Sigma rule creation
- Custom Security Onion detections
- Windows event correlation
- IOC-based alerting
- Threat hunting investigations
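Detecting the Kerberoasting scenario listed above, as an added example that is not code from this repository: the block applies the logic a typical Sigma Kerberoasting rule encodes (Event ID 4769, RC4 ticket encryption `0x17`, service name neither `krbtgt` nor a machine account) to constructed event records shaped like the Windows Security fields Security Onion ingests, and then adds a per-account volume check, because a Rubeus `kerberoast` run requests a ticket for every SPN in one burst. The field names, account names, SPNs and the 192.168.30.50 source address are assumptions.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example, not code from the homelab repository. SAMPLE_EVENTS is
constructed telemetry shaped like the fields Security Onion ingests from
Windows Security logs; usernames, SPNs and the 192.168.30.50 (Kali)
source address are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RC4_HMAC = "0x17"   # TicketEncryptionType requested by Rubeus/Impacket by default
AES256 = "0x12"


def _ev(ts, user, spn, etype, ip, status="0x0"):
    """Build one constructed 4769 record (field names follow the Windows event)."""
    return {"@timestamp": ts, "event_id": 4769, "Status": status,
            "TargetUserName": f"{user}@JOSH_HOMELAB.LOCAL", "ServiceName": spn,
            "TicketEncryptionType": etype, "IpAddress": f"::ffff:{ip}"}


KALI, WS = "192.168.30.50", "192.168.20.101"   # assumed lab addresses
SAMPLE_EVENTS = [
    _ev("2025-01-10T14:02:01Z", "jdoe", "svc_sql", RC4_HMAC, KALI),     # burst of RC4 TGS
    _ev("2025-01-10T14:02:02Z", "jdoe", "svc_web", RC4_HMAC, KALI),     # requests for user
    _ev("2025-01-10T14:02:03Z", "jdoe", "svc_backup", RC4_HMAC, KALI),  # SPNs from Kali
    _ev("2025-01-10T14:02:04Z", "jdoe", "krbtgt", RC4_HMAC, KALI),      # TGT traffic: excluded
    _ev("2025-01-10T14:03:10Z", "WS01$", "DC01$", AES256, WS),          # machine accounts: excluded
    _ev("2025-01-10T14:10:00Z", "asmith", "svc_sql", AES256, "192.168.20.102"),  # normal AES use
    _ev("2025-01-10T14:30:00Z", "jdoe", "svc_old", RC4_HMAC, KALI),     # lone RC4 request, no burst
    _ev("2025-01-10T14:31:00Z", "jdoe", "svc_nope", RC4_HMAC, KALI, status="0x7"),  # failed: ignored
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_name(upn):
    """'jdoe@REALM' -> 'jdoe' (lower-cased)."""
    return upn.split("@", 1)[0].lower()


def is_rc4_user_spn_request(ev):
    """Single-event condition: successful 4769, RC4 etype, user (not machine) SPN."""
    if ev.get("event_id") != 4769 or ev.get("Status") != "0x0":
        return False
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False
    return not account_name(ev.get("TargetUserName", "")).endswith("$")


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return one alert per suspicious RC4 request, plus one 'bulk_spn_requests'
    alert per account that hit >= threshold distinct SPNs inside a sliding window."""
    alerts, per_user = [], defaultdict(list)
    for ev in events:
        if not is_rc4_user_spn_request(ev):
            continue
        user = account_name(ev["TargetUserName"])
        alerts.append({"rule": "rc4_tgs_request", "user": user,
                       "service": ev["ServiceName"], "timestamp": ev["@timestamp"],
                       "source_ip": ev["IpAddress"].removeprefix("::ffff:")})
        per_user[user].append((parse_ts(ev["@timestamp"]), ev["ServiceName"]))
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:   # slide window start forward
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts.append({"rule": "bulk_spn_requests", "user": user,
                               "services": sorted(services), "count": len(services),
                               "window_start": reqs[start][0].isoformat()})
                break   # one bulk alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

The single-event condition is noisy in domains that still have RC4-only applications, so an allowlist of known SPNs usually accompanies it; the burst check also matters because Rubeus can request AES tickets (`/aes`), which the etype filter alone would miss.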
### Malware Analysis
- Static analysis of Windows executables
- Dynamic execution analysis in FLARE-VM
- Process and registry monitoring
- Network traffic capture and analysis
- IOC extraction and documentation
- Behavioral malware profiling
## Malware Analysis Workflow
1. Obtain malware sample in a controlled manner
2. Transfer sample into the isolated malware analysis network
3. Perform static analysis using REMnux
4. Execute sample within FLARE-VM
5. Monitor:
- Process creation
- File system activity
- Registry modifications
- Network connections
6. Capture traffic using Wireshark
7. Generate Indicators of Compromise (IOCs)
8. Create detection rules for Security Onion
9. Validate detections against generated telemetry
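Steps 3 and 7 of the workflow above (static triage on REMnux, then IOC generation) carried out in code, as an added example that is not part of this repository: the block fingerprints a sample, pulls ASCII and UTF-16LE strings, sorts the network, file-system and registry indicators out of them, defangs them for a report, and emits a starter YARA rule for step 8. `SAMPLE_BYTES` is a constructed, inert stand-in for a PE file; the hostname, IP address, path and registry key planted in it are made up.

```python
"""Static triage of a suspected Windows executable: hashes, strings,
IOC extraction, defanging and a starter YARA rule.

Added example for the malware analysis workflow, not code from the
homelab repository. SAMPLE_BYTES is a constructed, inert stand-in for a
PE file (MZ header, PE signature, filler and planted strings); every
indicator in it is made up for illustration.
"""
import hashlib
import re
import struct
from urllib.parse import urlparse

SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew at 0x3C -> 0x40
    + b"PE\x00\x00" + b"\x00" * 60
    + b"\x00kernel32.dll\x00CreateRemoteThread\x00"
    + b"http://update-cdn.example.net/a/payload.bin\x00"
    + b"C:\\Users\\Public\\svchost32.exe\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"10.13.37.5:4444\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"   # wide string
    + b"\xde\xad\xbe\xef" * 16
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")
REG_RE = re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|[Ss]oftware)\\[^\s\"']+")


def is_pe(data):
    """MZ stub plus 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_hashes(data):
    return {"md5": hashlib.md5(data, usedforsecurity=False).hexdigest(),
            "sha1": hashlib.sha1(data, usedforsecurity=False).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data, min_len=6):
    """Return [(text, 'ascii'|'wide')], like `strings` and `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.group().decode("ascii"), "ascii") for m in ascii_re.finditer(data)]
    found += [(m.group().decode("utf-16-le"), "wide") for m in wide_re.finditer(data)]
    return found


def extract_iocs(strings):
    iocs = {"urls": set(), "domains": set(), "ips": set(), "paths": set(), "registry": set()}
    for text, _kind in strings:
        for url in URL_RE.findall(text):
            iocs["urls"].add(url)
            host = urlparse(url).hostname
            if host and not IP_RE.fullmatch(host):
                iocs["domains"].add(host)
        iocs["ips"].update(IP_RE.findall(text))
        iocs["paths"].update(PATH_RE.findall(text))
        iocs["registry"].update(REG_RE.findall(text))
    return {k: sorted(v) for k, v in iocs.items()}


def defang(ioc):
    """Make a URL/host/IP safe to paste into a report."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def yara_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name, data):
    """Starter rule: PE magic plus any two of the extracted indicators."""
    strings = extract_strings(data)
    iocs = extract_iocs(strings)
    lines = [f"rule {name}", "{", "    meta:",
             '        description = "Auto-generated from static triage; review before deploying"',
             f'        sha256 = "{file_hashes(data)["sha256"]}"',
             "    strings:"]
    for i, s in enumerate(iocs["urls"] + iocs["paths"] + iocs["registry"]):
        lines.append(f'        $a{i} = "{yara_escape(s)}" ascii')
    for i, s in enumerate(t for t, kind in strings if kind == "wide"):
        lines.append(f'        $w{i} = "{yara_escape(s)}" wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and 2 of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(file_hashes(SAMPLE_BYTES))
    for kind, values in extract_iocs(extract_strings(SAMPLE_BYTES)).items():
        print(kind, [defang(v) for v in values])
    print(build_yara_rule("homelab_sample", SAMPLE_BYTES))
```

On REMnux the generated rule is checked against the sample with `yara -s rule.yar sample.bin` before the same indicators are turned into Security Onion detections; strings selected this way are a triage aid, and any that are generic (a library name, a common path) should be removed before the rule is trusted.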
## Screenshots
### Active Directory
### Security Onion
### Firewall Configuration
### Malware Analysis
## Lessons Learned
- Importance of network segmentation and containment
- Active Directory administration and hardening
- Enterprise monitoring and log management
- Detection engineering methodologies
- Windows telemetry collection and tuning
- Malware analysis workflow development
- IOC extraction and validation
- Integration of offensive and defensive security practices
## Skills Demonstrated
### Blue Team
- Threat Hunting
- SIEM Administration
- Log Analysis
- Detection Engineering
- Incident Response
### System Administration
- Active Directory
- Group Policy
- DNS
- DHCP
- Windows Server Administration
### Offensive Security
- Enumeration
- Vulnerability Assessment
- Exploitation
- Lateral Movement
- Credential Access Techniques
### Malware Analysis
- Static Analysis
- Dynamic Analysis
- Reverse Engineering Fundamentals
- Network Traffic Analysis
- IOC Development
- YARA Rule Creation
## Connect With Me
- **LinkedIn:** www.linkedin.com/in/josh-remington-798b08285
- **Email:** joshua.remington12@gmail.com
**This homelab demonstrates hands-on experience with enterprise Active Directory administration, security monitoring, detection engineering, incident response, offensive security testing, and malware analysis within a segmented enterprise-style environment.**