DetectionLab – Lab environment with complete security tooling

DetectionLab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations.

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Primary feature you will have with DetectionLab:

  • Microsoft Advanced Threat Analytics ( is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir’s Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir’s osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • Mitre’s Caldera server is built on the logger host and the Caldera agent gets pre-installed on all Windows hosts
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled
DetectionLab - Lab environment with complete security tooling

DetectionLab – Lab environment with complete security tooling

New features with release version 4.0 is:

  • Suricata and Bro are now present on the logger host! (Thanks @jbeley !)
  • Hosts clear event logs before Splunk forwarder installation to avoid overwhelming the Splunk license
  • Standardized the names for the VMs inside VBox and VMware
  • Re-fixed the DHCP issue on logger
  • Updated CI Infra to the latest versions of Packer and Vagrant
  • New refreshed boxes are available on

You can read more and download the latest version over here:

Notify of
Inline Feedbacks
View all comments