Keen on starting a career in cybersecurity? Build a blue team lab

Updated on: 25 August 2022

Adam Kohnke
Contributor

Building and excelling with a homegrown blue team lab to build defensive skillsets is a great and maybe less traveled path to cultivate a highly successful cybersecurity career.

Obtaining a career in cybersecurity is all the rage right now, with professionals across many industries transitioning to this fulfilling and fast-paced field. Existing IT professionals serving in non-cybersecurity roles such as Helpdesk or Network administration are trying to get in on the action too. People are posting their TryHackMe standings on LinkedIn or the passing results of their ethical hacking certifications in the hopes of landing a lucrative hacking job with whoever will hire them.

While penetration testing and red teaming occupations serve as the goalpost for many technologies or other professionals heading into 2023, less traveled paths exist to cultivate a highly successful cybersecurity career. Cybernews posted an article back in June 2022 demonstrating how to obtain desirable cybersecurity skills employers seek by building and working in a personal red team lab.

This article is going to turn things upside down by walking through how to develop a complementary set of in-demand cybersecurity skills by building and excelling with a homegrown blue team lab to build defensive skillsets. If following along with the DetectionLab examples previewed throughout this article, ensure the below minimum requirements are satisfied for the Host machine where DetectionLab will be installed before proceeding:

Modern operating system (e.g., Windows 10, MacOS Monterey, etc.)
6 core or greater CPU, with minimum 3.0 Ghz per core
16 GB of RAM
Minimum of 100-200GB of available hard drive space. This requirement will depend on how much traffic you intend to generate via simulated attacks.

Defensive labs: types and variations

There are many variations of defensive labs that can be built, covering a range of tools and defensive cybersecurity practices, including firewall traffic management, intrusion detection systems (IDS), and forensic analysis capabilities. This article is going to cover the installation and use of a basic DetectionLab setup, which is a complete collection of four virtual machine files and related configuration instructions stored as VagrantFiles. DetectionLab is primarily intended to mimic Kali Linux for ethical hackers but is aligned towards ‘blue team’ or defensive cybersecurity professionals, with all necessary tooling, logging, and auditing capabilities ready to go. This article will preview the combined use of Chocolatey, Vagrant, Git, Oracle Virtualbox, and the DetectionLab GitHub files to install the DetectionLab environment, all required dependencies, and tooling needed to generate logging artifacts that are simulated by adversary software like PurpleSharp and Mimikatz.

Getting started

Chocolatey lets us quickly and easily install all needed programs and dependencies to get our defensive lab up and running in record time. It can be installed using PowerShell version 2 or greater with a simple one-liner command. From our Windows 10 machine and using an administrator PowerShell prompt, simply copy and paste the below command to properly position PowerShell’ execution policy, then kick off the Chocolatey installation process:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

The results of the Chocolatey installation command demonstrating a successful installation. Review all Warning messages to ensure first time use is successful.

Oracle VirtualBox will serve as the Hypervisor layer for any virtual machines added to our defensive security lab environment. Using the Chocolatey package manager from within PowerShell, we can easily install VirtualBox using the ‘choco install virtualbox’ command. The command will provide a prompt asking if Virtualbox should be installed, so proceed with providing only a ‘Y’ for Yes.

downloading virtualbox — Chocolatey is able to download and successfully install the latest version of VirtualBox, placing it in the default installation directory on the Windows 10 host

This version of the defensive lab demonstration will also briefly leverage Vagrant to provide a simple and centralized virtual machine management capability via VagrantFiles or VagrantBoxes. Vagrant provides us an automation capability to mass create or configure similar virtual machine types across disparate hypervisor products like VirtualBox or VMWare.

If there is a need to quickly create many of the same virtual machines or apply configurations across similar device types, Vagrant removes the need for configuration changes to be applied to each machine individually and through manual processes. When defensive labs host a dozen or more similar machines, vagrant can drastically speed up the device creation and configuration process. To install Vagrant, simply replay the last command in PowerShell by pressing the up arrow on the keyboard and swap ‘virtualbox’ for ‘vagrant, the press ‘Enter.’

After successfully installing Vagrant, review any warning messages or purple text informing you to restart your host device to begin using the Vagrant software.

Before installing the DetectionLab, Security Operation Center (SOC) in a box, one final requirement must be satisfied by installing Git using Chocolatey. In the Admin PowerShell prompt, enter the following command:

choco install git.install --params "/GitAndUnixToolsOnPath /WindowsTerminal /NoAutoCrlf"

then restart the Windows 10 machine to make Git available for use. Git will allow DetectionLab files to be cloned into a directory created in the next step, from which Vagrant can be used to launch the resource and establish the blue team lab environment. For the remaining lab setup, ensure the PowerShell Execution policy is set to bypass once more using by issuing:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

A directory will need be needed to house DetectionLab, which can be achieved using the following series of ‘make directory’ and ‘change directory’ commands:

“mkdir git” to create a top-level git directory for current and future installations for the defensive lab.
“cd git” to change into the newly created ‘git’ directory
“mkdir detectionlab” to create a directory which will house the DetectionLab, SOC in a box resource.
“cd detectionlab” to change into the ‘detectionlab’ directory and clone DetectionLab onto the Windows 10 machine
“git clone https://github.com/clong/DetectionLab.git” installs DetectionLab and its preparation software.
Restart the Windows 10 machine a final time and repeat the process to set the PowerShell Execution Policy into Bypass mode once more.
Change directories back to the Detection Lab directory “cd git\detectionlab”
Change directories into the third and fourth level DetectionLab and Vagrant directories “cd DetectionLab\Vagrant”

Pre-launch

Detection Lab is now primed for setup and initialization using Vagrant. Prepare the environment and satisfy all dependencies by running the prepare.ps1 script using “./prepare.ps1” and hit ‘Enter.’ The prepared script will ensure a Hypervisor product is available, that Windows CredentialGuard is not configured in a manner that will disrupt the use of a hypervisor, ensure sufficient space is available for DetectionLab, and many other pre-launch checks.

Execution of the DetectionLab preparation script will ensure no blockers or critical issues exist which may prevent the resource from running, such as available disk space issues, or pre-existing Vagrant instances

Once the preparation script completes, the “vagrant up” command can be executed to finally establish the DetectionLab environment by creating the four core virtual machines and allowing access to them using SSH or RDP. Apache Guacamole is also installed by default to provide access to virtual machines via a web browser. Creation of the DetectionLab environment will be the most time-consuming, taking approximately 1-2 hours after issuing the “vagrant up” command as the Logger, DC, WEF, and Win10 virtual machines are created individually, in serial order, as they are listed. Setup time can be shortened by leveraging parallelization, issuing the “vagrant up ” command sequentially; just ensure adequate resources are available before performing parallel installations as insufficient system resources can lead to delays in completing the process3! The lab VMs can be shut down normally, and the “vagrant up” command can be used as needed to bring the environment back up to an operational state within 15-20 minutes. Once Detection Lab setup is completed, you will have an Active Directory environment resembling the basic configuration as depicted below:

Each host will have the following services installed and running per the DetectionLab specifications. Ensure this table and especially the credentials are referenced when initial access to the environment is attempted or as examples are followed throughout the rest of this article.

Virtual Machine	Components	Services
Logger	Splunk Enterprise Suricata Threat Detection Zeek Network Security Monitoring Fleet for Osquery Apache Guacamole Velociraptor Intrusion Detection Service	Splunk https://:8000username: adminpwd: changeme Fleet https://:[email protected]: Fl33tpassword! Guacamole https://:8080/guacamoleusername: vagrantpwd: vagrant Velociraptor https://:9999username: adminpassword: changeme SSH - vagrant ssh logging
DC	Domain Controller Microsoft Advanced Threat Analytics (ATA) Gateway Sysmon Osquery Velociraptor endpoint agent	Remote Desktop Host details: dc.windomain.localusername: vagrant / pwd: vagrant
WEF	Windows Event Collector Splunk Universal Forwarder Powershell Log Collector Microsoft Advanced Threat Analytics (ATA) Sysmon Osquery Velociraptor endpoint agent	Remote Desktop Host details: dc.windomain.localusername: vagrant / pwd: vagrant Microsoft ATA https://username: wef\vagrant / pwd: vagrant
Win10	Sysmon Osquery Velociraptor endpoint agent

Performing simulated attacks

We will approach the remainder of the article by performing simulated attacks using Mimikatz and PurpleSharp to simulate attacker events, then use security tools like SPLUNK and custom alerting to improve security intelligence and response capabilities. To avoid wasting time manually creating objects necessary for attack and log analysis, the article will demonstrate how to quickly populate the DetectionLab environment with approximately three thousand AD objects using BadBlood. Attacks in this article will be focused primarily against the Win10 and DC machines as these are common targets in real world scenarios. DetectionLab is also fully extensible, meaning what is possible is only limited by available time, resources and imagination. Please experiment and branch out further with DetectionLab after finishing this article by adding other machines, detection capabilities, and performing other attack techniques! Let’s now seed our lab with interesting attack targets using BadBlood to generate defensive telemetry from.

In this example, the DC machine will be accessed using the vagrant username and password from the table above. Add the vagrant user account to the Enterprise Admins and Schema Admin groups within Active Directory Users and Computers, then open a PowerShell Admin command prompt. Change Directories to “\Tools\BadBlood\BadBlood-master” then issue the “.\Invoke-BadBlood.ps1” script to call the tool.

Bad Blood successfully adding thousands of test user accounts, hundreds of groups for user accounts, and dozens of computers to attack.

Now that we have meaningful targets to abuse and generate future logs against, the effort will shift to simulating adversary activity on the Win10 host against some of the objects in the domain. The first tool used to generate attacker-simulated data will be PurpleSharp4, created by Mauricio Velazco. Adversarial behavior generated by PurpleSharp is mapped to MITRE ATT&CK and can execute malicious activity locally or against remote targets. Starting on the Win10 host, verify PurpleSharp is already installed by changing directories to “C:\Tools\PurpleSharp,” then issuing the “.\Purplesharp.exe” command to load the tool for use.

PurpleSharp syntax is simple to learn, remember, and effectively utilize, leveraging the association to MITRE ATT&CK. In the first example, we will issue the “.\PurpleSharp /t T1053.005” command, which will create a pre-configured, daily scheduled task called ‘BadScheduledTask’ on the Win10 target. Malicious actors will typically leverage scheduled tasks after the initial compromise of a host to maintain persistence or launch malware. After creating the scheduled task, switch to the logger virtual machine to search for scheduled task creation events.

Persistence Tactic T1053.005 was successfully executed to leverage scheduled tasks for nefarious purposes

Reading the detection section of MITRE ATT&CK tactic T1053.005, multiple detection methods such as specific file modifications or scheduled task creation will help locate the PurpleSharp activity. Reviewing the diagram above, windows event logs from the Win10 device are imported first to the Windows Event Forwarder (WEF) virtual machine, then to the logger virtual machine for SPLUNK ingestion. Assuming an accurate tool configuration and forwarding logic, the creation of the ‘BadScheduledTask’ should be present in SPLUNK for review matching the timestamp recorded in the PurpleSharp PowerShell session. Switching over to logger, access SPLUNK using the credentials in the table above, and search for the scheduled task event by issuing the following search without the enclosing quotations “ index=* sourcetype="wineventlog" "eventcode=4698.” Expanding the highlighted event below, the name of “BadScheduledTask” is observed, and we have an event we can generate future alerts or other defensive responses against.

The above SPLUNK search generated 10 events meeting the query criteria. An event of interest matching the windows10 virtual machine with the proper event code is located and associated.

SPLUNK events can be ‘built’ or fine-tuned using specific information from various logs like the computer name -generating alerts of interest, source applications, IP addresses, and several other data points. Once a SPLUNK event is built, it can be saved as a SPLUNK alert that takes a specific action; like sending an email to the security team, once the built event occurs.

turning General SPLUNK logs into targeted events — It is a useful practice to transform General SPLUNK logs into targeted events that have specific actions taken against them when they occur.

Detecting exceptionally intrusive behavior

The article will now pivot to detecting some intensely intrusive behavior, like the dumping of user password hashes from memory using Mimkatz. Compromised Domain Controllers are a prime target for attackers as they contain hashed representations of all user credentials within a domain, granting them potential full control over an environment. Mimikatz facilitates post-exploitation efforts via credential dumping, pass the hash and pass the ticket attacks when abusing the Kerberos protocol.

After navigating to “C:\Tools\mimikatz.exe\x64” and invoking the tool using “.\mimkatz.exe”, the “sekurLsa::LogonPasswords” command will dump username information, including NTLM hashes for the currently logged in user which can be cracked offline with tools like John the Ripper or Hashcat. After issuing the command and successfully dumping the vagrant user account details, let’s see if we can locate the use of Mimikatz in SPLUNK once again.

Switching back to the SPLUNK console, the following search can be used to properly identify Mimikatz usage, helping locate and build future detection rules when Mimikatz is used “index=sysmon EventCode=10 GrantedAccess=0x1010”. After running the search, the following results will be returned confirming the successful use of Mimikatz to dump user credential hashes from the DC domain controller.

confirming the successful use of Mimikatz

At this stage, defensive cybersecurity skills can be refined further by building similar detection rules for the examples covered in this article using the Velociraptor Intrusion Detection Service (IDS), which can be accessed on the logger virtual machine. If interested in developing advanced detection skills, consider the use of the Atomic Red Team PowerShell script and see if telemetry data from that tool can be developed and refined. Atomic Red Team should produce fewer telemetry and searchable artifacts than other tools previewed in this article. Being able to detect the use of simulated behavior from Atomic Red team reflects a certain degree of blue team tenacity and advanced knowledge.

In summary, this article has showcased how to quickly build, deploy and effectively use a free, defensive cybersecurity lab environment which includes many enterprise security solutions and skillsets desired by cybersecurity teams, including hiring managers. DetectionLab is meant to provide an extensible, open source, and effective skill-building playground for cybersecurity enthusiasts or seasoned professionals. DetectionLab contains many useful red team tools and accompanying blue team tools that simulate commonly observed attacker signatures, allowing appropriate responsive measures to be configured.

Investing time not only in virtual environment setup but also in industry standard security tools is the ideal way to demonstrate passion and commitment towards a rewarding career in cybersecurity. Get started with DetectionLab today and show interested hiring managers the commitment towards building valuable skills and further stand out from the rest of the pack!

Cybernews doesn’t endorse nor encourage illegal or unethical activity using any of the concepts previewed throughout this article. Please stay ethical!