DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Also Read – Custom Header : Automatic Add New Header To Entire BurpSuite HTTP Requests

Primary Lab Features

  • Microsoft Advanced Threat Analytics ( is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir’s Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir’s osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled


  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Packer 1.3.2 or newer
  • Vagrant 2.2.2 or newer
  • Virtualbox or VMWare Fusion/Workstation


Building DetectionLab from Scratch

  1. Determine which Vagrant provider you want to use. Current supported providers are:
  • Virtualbox
  • VMware Workstation & Fusion

There are currently three ways to build the lab:

  • Recommended: Use the boxes hosted on Vagrant Cloud. This method should take ~2 hours total to download the boxes and provision the lab.
  • Build the boxes yourself using Packer. This method will take ~4 hours to build the boxes and another ~90-120 minutes to provision them for a total of 5-6 hours.
  • Provision the lab in AWS using Terraform. The lab can be brought online in under 30 minutes.

If you choose to use the boxes hosted on Vagrant Cloud, you may skip steps 2 and 3. If you don’t trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine.

  1. cd to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 1 hour. As far as I know, you can only build one box at a time.

$ cd detectionlab/Packer
$ packer build –only=[vmware|virtualbox]-iso windows_10.json
$ packer build –only=[vmware|virtualbox]-iso windows_2016.json

  1. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder: mv *.box ../Boxes
  2. cd into the Vagrant directory: cd ../Vagrant and edit the Vagrantfile. Change the lines = "detectionlab/win2016" and = "detectionlab/win10 to = "../Boxes/windows_2016_<provider>.box" and = "../Boxes/windows_10_<provider>.box" respectively.
  3. Install the Vagrant-Reload plugin: vagrant plugin install vagrant-reload
  4. VMware Only:
  1. Ensure you are in the base DetectionLab folder and run ./ (Mac & Linux) or ./build.ps1 (Windows). This script will do the following:
  • Provision the logger host. This host will run the Fleet osquery manager and a fully featured pre-configured Splunk instance.
  • Provision the DC host and configure it as a Domain Controller
  • Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
  • Provision the Win10 host and configure it as a computer in the Workstations OU
  1. Build logs will be present in the Vagrant folder as vagrant_up_<host>.log. If filing an issue, please paste the contents of that log into a Gist to help with debugging efforts.
  2. Navigate to in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
  3. Navigate to in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from palantir/osquery-configuration.