Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices.

Detection Lab consists of four hosts:

DC: A Windows 2016 domain controller

WEF: A Windows 2016 server that manages Windows Event Collection

Win10: A Windows 10 host simulating a non-server endpoint

Logger: An Ubuntu 16.04 host that runs Splunk and a Fleet server
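To make the four-host topology concrete, here is an added example of a minimal multi-machine Vagrantfile for that layout. It is illustration written for this page, not DetectionLab's own Vagrantfile: the box names, the 192.168.38.0/24 addresses, the memory and CPU sizes and the provisioner script paths are all assumptions. The boot order it encodes reflects the dependencies the host list implies (Logger up before the Windows hosts start shipping logs, the DC up before WEF and Win10 join the domain).

```ruby
# Added example: a minimal multi-machine Vagrantfile sketching the four-host
# Detection Lab topology. Box names, addresses, sizes and script paths are
# assumptions for illustration, not the project's real configuration.

# Host inventory (constructed): name => settings
LAB_HOSTS = {
  "logger" => { box: "bento/ubuntu-16.04",   ip: "192.168.38.105", os: :linux,   memory: 4096, cpus: 2 },
  "dc"     => { box: "detectionlab/win2016", ip: "192.168.38.102", os: :windows, memory: 3072, cpus: 2 },
  "wef"    => { box: "detectionlab/win2016", ip: "192.168.38.103", os: :windows, memory: 2048, cpus: 2 },
  "win10"  => { box: "detectionlab/win10",   ip: "192.168.38.104", os: :windows, memory: 2048, cpus: 2 },
}.freeze

# Boot order matters: Logger first so Splunk and Fleet are listening when the
# Windows hosts come up, then the DC so the domain exists before WEF and Win10
# try to join it.
def boot_order
  %w[logger dc wef win10]
end

# Provisioning script each host runs, chosen by guest OS (assumed paths).
def provision_script(host)
  LAB_HOSTS.fetch(host)[:os] == :windows ? "scripts/provision.ps1" : "scripts/bootstrap.sh"
end

# Windows guests are managed over WinRM rather than SSH.
def communicator(host)
  LAB_HOSTS.fetch(host)[:os] == :windows ? "winrm" : "ssh"
end

# Build the Vagrant configuration only when Vagrant itself loads this file,
# so it also loads as plain Ruby (e.g. to inspect the inventory).
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    boot_order.each do |name|
      host = LAB_HOSTS.fetch(name)
      config.vm.define name do |cfg|
        cfg.vm.box = host[:box]
        cfg.vm.hostname = name
        cfg.vm.communicator = communicator(name)
        # Host-only network shared by all four machines (assumed subnet)
        cfg.vm.network :private_network, ip: host[:ip]
        cfg.vm.provision "shell", path: provision_script(name),
                                  privileged: host[:os] != :windows
        cfg.vm.provider "virtualbox" do |vb|
          vb.memory = host[:memory]
          vb.cpus = host[:cpus]
          vb.gui = true
        end
      end
    end
  end
end
```

With a file like this, `vagrant up logger dc wef win10` brings the hosts up in dependency order; running `vagrant up` with no arguments relies on Vagrant honouring the definition order, which this file sets by iterating `boot_order`.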

I started Detection Lab as a personal challenge to myself. I initially came across Stefan Scherer’s adfs2 repo which provided all of the building blocks I needed to set up Active Directory using Vagrant, and his packer-windows took the guesswork out of building Windows-based boxes.

I decided defenders needed a quick and easy way to bring up a lab environment, complete with tooling and pre-configured logging. This project represents many weekends' worth of work over many months.