reswob10/HomeLabResources
HomeLabResources

List of resources for building a home lab

Shout out to Omar Santos (@santosomar), who has thousands of resources here

Another great collection of tools and such

Blogs and Videos that walk through setting up labs

Pay-what-you-want book, Building Virtual Machine SECOND EDITION! by Tony Robinson: learn everything there is to know about building and maintaining your own home or workplace virtual lab environment on the most popular hypervisors today. https://leanpub.com/avatar2

Great run-through of building a lab, influenced by Tony's book above. Lots of links, suggestions and lessons learned. https://www.netsecfocus.com/home/lab/2020/09/21/Tjnulls_guide_to_building_a_Home_Lab.html

How to Build a Home Lab Black Hills Information Security webcast

Blog from Black Hills instructions and information for building a lab environment

How to Build a Cloud Hacking Lab by @dafthack

SANS webcast: Building an Enterprise Grade Home Lab

SANS webcast: Extending Your Home Lab to include Cloud

SANS webcast: Building Your Own Super Duper Home Lab

SANS webcast: Building an Azure Pentest Lab for Red Teams

HAK5 video: Building a Home Lab Virtual Server Quick and Dirty - Hak5 1819

Videos by Tyrone E. Wilson

Building an Effective Cybersecurity Learning Environment

Hands-On Learning: How and Why You Should Build a Home Lab

Great instructions for building an ELK and Wazuh home lab:
https://github.com/watsoninfosec/ELK-SIEM

Justin Henderson, the author of SANS SEC555, SEC530 and other courses, is doing a series on building a home lab

A guide on building a DIY SIEM at home by James Smith @DFIRmadness https://dfirmadness.com/building-a-siem-at-home/

Here is the beginning of a series of blogs for building a Blue Team home lab

Another set of blogs for building a home lab. This one is from Red Siege and is more offense-focused:

From @secopsgeek, a how-to: ElasticXDR 8.2.0 Gitbook Build Overview

Automated lab creation tools

GOAD is a pentest Active Directory lab project. The purpose of this lab is to give pentesters a vulnerable Active Directory environment, ready to use, to practice the usual attack techniques.

Alternative to GOAD by @MJHallenbeck

AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on Hyper-V and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2019, some Linux distributions and various products like AD, Exchange, PKI, IIS, etc.

Splunk Attack range

Purple Cloud: an Infrastructure as Code (IaC) deployment of a small Active Directory pentest lab in the cloud. The deployment simulates a semi-realistic corporate enterprise Active Directory with a DC and endpoints. Purple team goals include blue team detection capabilities and R&D for new detection engineering approaches.

Cyb3rWard0g has Microsoft-Sentinel2Go, which contains scripts on GitHub for multiple configurations to build an entire lab in Azure

MS Defender Evaluation Lab, which includes Red Canary's Atomic Red Team.

Microsoft Simuland: a complete lab environment with lessons

Automated build of Azure attack and detect lab by Roxana Kovaci (@RoxanaKovaci)

Websploit by @santosomar

How-tos and home lab building references

The UK National Cyber Security Centre has a great project for small/home offices to help them get started with logging. This can be used for home labs as well. Not a full SIEM solution, but a start.

Offensive Security has a great blog with lots of details and links with a video here

Monitoring your Proxmox environment with Security Onion by @[email protected] (on Mastodon)

Building an ELK SIEM in two videos, part 1 and part 2

Building an ELK SIEM in blog format

Cyber range options to deploy in Azure: https://levelup.gitconnected.com/building-azure-cyber-ranges-for-learning-and-fun-9df1debb2eae?gi=e662f36c25fb

Series of videos for building a home lab by @DayCyberwox:

Watch this talk with SANS Certified Instructor and course author Justin Henderson, as he shares the steps in building out a detection-oriented blue team lab.

AWS Pen-Testing Laboratory: a pentesting lab with a Kali Linux instance accessible via SSH and WireGuard VPN, and with vulnerable instances in a private subnet

Here is a video from Black Hat Trainings in 2020

Video https://youtu.be/yDWug2zhjyA

From @HBRH_314, a Malware Analysis Fundamentals video on creating an analysis environment for safe inspection of malware using REMnux and FLARE VM.

Video from @watsoninfosec on his home lab build

A (very short) introduction from @supertylerc to kne, a project from Google that lets you run virtual network topologies in Kubernetes.

This repo from Black Hills contains guidance on setting up event logging.

Building a SOC lab at home

Building an infosec home lab from scratch

Blog series for building a home lab. First post here

Tools and configurations to build your home lab

Creating a vulnerable Active Directory to test attack tools and detections: https://github.com/WazeHell/vulnerable-AD
Here is the video explaining its use, from @steelcon 2022 by @myexploit2600 and @ZephrFish (mature language): https://youtu.be/8VvLJfAFGcA

Filtering DNS and HTTPS Traffic on pfSense https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html

BadBlood, by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure and thousands of objects:
https://github.com/davidprowe/BadBlood

PowerShell script to create an AD Domain Controller and Workstation
https://browninfosecguy.com/Active-Directory-Lab-Setup-Tool

From WazeHell, create a vulnerable Active Directory that allows you to test most Active Directory attacks in a local lab

From @ajpc500, a quick and dirty PowerShell script to install Sysmon (SwiftOnSecurity config), SilkService and Winlogbeat, and forward the logs on to HELK. Might be useful for those looking to quickly configure endpoint logs in a lab environment

Laurel turns Linux auditd logs into JSON format for easier ingestion into a SIEM

Attacker Simulation / Emulation

Atomic Red Team

Stratus Red Team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner. Uses AWS and Sumo Logic

Caldera from MITRE

MITRE has information about how to emulate different adversaries:

General information about their program: https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/
Specific methodologies by attack group: https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Florian Roth's (@cyb3rops) company released a ransomware emulator

Black Hills has tools to generate suspicious activity

Swimlane released Atomic-Operator

Free/demo software:

Cribl is an awesome data router/parser/mover/enhancer

Rapid7 InsightIDR Free Trial (SIEM)

Other resources for free/cheap software referenced in the SANS webcasts: https://github.com/aboutsecurity/blueteam_homelabs

Direct link to download the free Microsoft Hyper-V Server

Splunk Free: 500 MB/day, 50 GB/day during the trial. Or apply for a developer license, or use a limited Splunk Cloud free license

ELK open source is free.

Sumo Logic Free account for 1 GB/day

Panther is a modern SIEM built for security operations at scale. Code is here

Tidal is a threat intel platform

Generating data for your lab

Cyb3rWard0g and Cyb3rPandaH have a great site with malicious data sets

Sample MS Windows logs in evtx format from Nextron Systems

A GitHub repository by @ubeeri to generate fake user activity

A quick and dirty HTTP/S "organic" traffic generator

Swimlane has open sourced a tool to generate a lot of different types of data

ntTraceControl is a set of PowerShell commands to forge/generate Windows logs

Here are some other ways to generate data to be collected by your SIEM

https://pypi.org/project/log-generator/

https://logs.to/

https://nxlog.co/documentation/nxlog-user-guide/generating-test-data.html

https://github.com/tdunning/log-synth

Create network traffic to stress test network devices: https://www.candelatech.com/downloads.php

Scripts to configure Windows logging at different levels

Here are some good MS logs to baseline your environment

Other resources

Installing Let's Encrypt on your pfSense firewall

Podcast/Videos on various topics for building stuff for your lab:

Justin Henderson from SANS SEC555 has a couple free labs

User: student Password: sec555

And of course there is at least one homelab reddit

Here is a whole thread on labs, including networking, not just security

Some great resources from Jeff McJunkin: kickasslab and video

A guide to log formats from Graylog

Attacking AD cheat sheet

Blog series by Josh Wright on working with event logs in PowerShell

Other Platforms for learning

Blue Team Labs has free and paid plans

As does Cyberdefenders
