clong/DetectionLab
GitHub: clong/DetectionLab
面向防御者的自动化安全实验环境构建工具,可快速搭建预装安全工具与日志最佳实践的 Windows 域环境。
Stars: 4950 | Forks: 1014
# Detection Lab
## 自 2023-01-01 起,DetectionLab 不再被积极维护
DetectionLab 于每周六通过预定的 CircleCI 工作流进行测试,以确保构建能够成功通过。
[](https://github.com/clong/DetectionLab/blob/master/license.md)
[](https://github.com/clong/DetectionLab/commit/master)
[](https://twitter.com/DetectionLab)
## 目的
该实验室专为防御者设计。其主要目的是允许用户快速构建一个预装安全工具并采用系统日志配置最佳实践的 Windows 域环境。它可以轻松修改以满足大多数需求,或扩展以包含更多主机。
在此处 Medium 上阅读更多关于 Detection Lab 的信息:https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
注意:此实验室未经过任何安全强化,且使用默认的 vagrant 凭据运行。请不要将其连接或桥接到您关注的任何网络。该实验室被故意设计为不安全的;其主要目的是提供对每个主机的可见性和内部检查。
## 主要实验室功能:
* Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) 安装在 WEF 机器上,轻量级 ATA 网关安装在 DC 上
* Splunk forwarder 已预装,所有索引均已预先创建。Technology add-ons 也已预配置。
* 通过 GPO 设置了自定义 Windows 审计配置,包括命令行进程审计和额外的 OS 级别日志记录
* 实现了 [Palantir 的 Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding) 订阅和自定义通道
* 启用了 Powershell transcript 日志记录。所有日志都保存到 `\\wef\pslogs`
* osquery 安装在每个主机上,并预配置为通过 TLS 连接到 [Fleet](https://fleetdm.com/) 服务器。Fleet 使用 [Palantir 的 osquery Configuration](https://github.com/palantir/osquery-configuration) 中的配置进行了预配置
* Sysmon 已安装,并使用 [Olaf Hartong 的开源 Sysmon 配置](https://github.com/olafhartong/sysmon-modular) 进行了配置
* 所有自启动项都通过 [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) 记录到 Windows Event Logs 中
* Zeek 和 Suricata 经过预配置,可监控网络流量并发出警报
* Apache Guacamole 已安装,可让您轻松地从本地浏览器访问所有主机
## 构建 Detection Lab
准备在本地构建 DetectionLab 时,请务必使用 Vagrant 文件夹中的 `prepare.[sh|ps1]` 脚本,以确保您的系统通过了构建 DetectionLab 的先决条件检查。
* [前置条件](https://www.detectionlab.network/introduction/prerequisites/)
* [MacOS - Virtualbox 或 VMware Fusion](https://www.detectionlab.network/deployment/macosvm/)
* [Windows - Virtualbox 或 VMware Workstation](https://www.detectionlab.network/deployment/windowsvm/)
* [Linux - Virtualbox 或 VMware Workstation](https://www.detectionlab.network/deployment/linuxvm/)
* [通过 Terraform 部署 AWS](https://www.detectionlab.network/deployment/aws/)
* [通过 Terraform 和 Ansible 部署 Azure](https://www.detectionlab.network/deployment/azure/)
* [通过 Terraform 和 Ansible 部署 ESXi](https://www.detectionlab.network/deployment/esxi/)
* [HyperV](https://www.detectionlab.network/deployment/hyperv/)
* [LibVirt](https://www.detectionlab.network/deployment/libvirt/)
* [Proxmox](https://www.detectionlab.network/deployment/proxmox/)
## DetectionLab 文档
主要文档站点位于 https://detectionlab.network
* [Vagrant 基础用法](https://www.detectionlab.network/introduction/basicvagrant/)
* [实验室信息与凭据](https://www.detectionlab.network/introduction/infoandcreds/)
* [故障排除与已知问题](https://www.detectionlab.network/deployment/troubleshooting/)
## 媒体报道
* [DetectionLab, Chris Long – Paul’s Security Weekly #593](https://securityweekly.com/2019/02/08/detectionlab-chris-long-pauls-security-weekly-593/)
* [TaoSecurity - 尝试 DetectionLab](https://taosecurity.blogspot.com/2019/01/trying-detectionlab.html)
* [搭建 Chris Long 的 DetectionLab](https://www.psattack.com/articles/20171218/setting-up-chris-longs-detectionlab/)
* [Detection Lab: 面向防御者的可见性与内省](https://isc.sans.edu/forums/diary/Detection+Lab+Visibility+Introspection+for+Defenders/23135/)
## 鸣谢/资源
很大一部分代码借鉴并改编自 [Stefan Scherer](https://twitter.com/stefscherer) 的 [packer-windows](https://github.com/StefanScherer/packer-windows) 和 [adfs2](https://github.com/StefanScherer/adfs2) Github 仓库。非常感谢他构建的基础,使我能够设计这个实验室环境。
# 致谢
* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
* [Splunk](https://www.splunk.com)
* [osquery](https://osquery.io)
* [Fleet](https://github.com/fleetdm/fleet)
* [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
* [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding)
* [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55)
* [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration)
* [Configure Event Log Forwarding in Windows Server 2012 R2](https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2)
* [Monitoring what matters — Windows Event Forwarding for everyone](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
* [Use Windows Event Forwarding to help with intrusion detection](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection)
* [The Windows Event Forwarding Survival Guide](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4)
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Autoruns](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082)
* [TA-microsoft-sysmon](https://github.com/splunk/TA-microsoft-sysmon)
* [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config)
* [ThreatHunting](https://github.com/olafhartong/ThreatHunting)
* [sysmon-modular](https://github.com/olafhartong/sysmon-modular)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
* [Hunting for Beacons](http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html)
* [Velociraptor](https://github.com/Velocidex/velociraptor)
* [BadBlood](https://github.com/davidprowe/BadBlood)
* [PurpleSharp](https://github.com/mvelazc0/PurpleSharp)
* [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
# DetectionLab 赞助商
#### 最后更新:01/01/2023
我要感谢过去几年中赞助过 DetectionLab 的所有人。DetectionLab 已不再被积极维护或开发。
标签:AI合规, AMSI绕过, ATA, Cutter, GPO, Metaprompt, TGT, Vagrant, Windows域, 后端开发, 威胁检测, 安全可视化, 实验环境, 攻防演练, 最佳实践, 系统提示词, 系统日志, 网络安全, 自动化搭建, 蜜罐, 证书利用, 配置修复, 防御实验室, 隐私保护, 靶场环境