Setting Up a Detection Lab
During an engagement you sometimes need to test a payload or an attack vector before deploying it. Watching how an operating system logs different events, or how security solutions detect certain payloads, is valuable information for a red teamer/penetration tester.
One example: we had gained credentials to MSSQL, and the MSSQL user had rights to enable xp_cmdshell. Of course, running commands through xp_cmdshell would always be detected in a mature environment, but what about other indirect execution such as relaying? Instead of testing in a production environment and possibly blowing your cover, you can test it in a detection lab.
So the plan is as follows:
- Using Ludus to set up GOAD (Game of Active Directory (GOAD) | Ludus)
- GOAD (https://github.com/Orange-Cyberdefense/GOAD) is a great way to test different attack vectors against AD.
- Using Ludus to set up ELK and Fleet. (Elastic Security | Ludus)
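To make the xp_cmdshell point above concrete, here is an added example (not code from the post, Ludus, GOAD or Elastic) of the kind of detection logic you would expect a lab's SIEM to apply, run over a handful of constructed events. The event dictionaries, their field names (`statement`, `parent_image`, `image`, `command_line`) and the file paths are assumptions that roughly mirror SQL Server audit and Sysmon process-creation records; they are not real telemetry. The two detections are: the `sp_configure` call that enables xp_cmdshell, and a shell spawned as a child of `sqlservr.exe`.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not from the page): a few SQL Server audit
# statements and Sysmon-style process-creation records, in the shape a
# normalised ELK/Fleet index might hold them. Field names are assumptions.
SAMPLE_EVENTS = [
    {"source": "mssql_audit",
     "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"},
    {"source": "mssql_audit",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"source": "mssql_audit",
     "statement": "EXEC master..xp_cmdshell 'whoami'"},
    {"source": "sysmon", "event_id": 1,
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"source": "mssql_audit",
     "statement": "SELECT name FROM sys.databases"},
    {"source": "sysmon", "event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
]


@dataclass
class Alert:
    rule: str
    detail: str


# sp_configure 'xp_cmdshell', 1 (with or without quotes/extra whitespace)
XP_CMDSHELL_ENABLE = re.compile(r"sp_configure\s*'?xp_cmdshell'?\s*,\s*1", re.I)
# any other reference to xp_cmdshell in a statement
XP_CMDSHELL_USE = re.compile(r"\bxp_cmdshell\b", re.I)

# Shells that should not normally be children of the SQL Server service.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the final path component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_sql_statement(stmt: str):
    """Return an Alert for xp_cmdshell enablement or use, else None."""
    if XP_CMDSHELL_ENABLE.search(stmt):
        return Alert("mssql_xp_cmdshell_enabled", stmt)
    if XP_CMDSHELL_USE.search(stmt):
        return Alert("mssql_xp_cmdshell_exec", stmt)
    return None


def check_process_creation(evt: dict):
    """Return an Alert when sqlservr.exe spawns a shell, else None."""
    if evt.get("event_id") != 1:
        return None
    parent = basename(evt.get("parent_image", ""))
    child = basename(evt.get("image", ""))
    if parent == "sqlservr.exe" and child in SHELL_IMAGES:
        return Alert("sqlservr_spawned_shell", evt.get("command_line", ""))
    return None


def run_detections(events) -> list:
    """Apply both rules to a list of events and collect the alerts."""
    alerts = []
    for evt in events:
        if evt.get("source") == "mssql_audit":
            hit = check_sql_statement(evt.get("statement", ""))
        elif evt.get("source") == "sysmon":
            hit = check_process_creation(evt)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Running it fires three alerts on the sample set (the enable statement, the xp_cmdshell execution, and the cmd.exe child of sqlservr.exe) and stays quiet on the benign `SELECT` and the Explorer-launched shell. The process-lineage rule is the one worth noting: it does not care how the command reached the SQL Server process, which is exactly why a lab like the one planned here is useful for checking whether an indirect execution path still ends up looking like this.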