Awesome Open Source
Awesome Open Source

Detection Lab

As of 2023-01-01, DetectionLab is no longer being actively maintained


DetectionLab is tested weekly on Saturdays via a scheduled CircleCI workflow to ensure that builds are passing.

Lint Code Base license Maintenance GitHub last commit Twitter


This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Read more about Detection Lab on Medium here:

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Primary Lab Features:

  • Microsoft Advanced Threat Analytics ( is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using Olaf Hartong's open-sourced Sysmon configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • Zeek and Suricata are pre-configured to monitor and alert on network traffic
  • Apache Guacamole is installed to easily access all hosts from your local browser

Building Detection Lab

When preparing to build DetectionLab locally, be sure to use the prepare.[sh|ps1] scripts inside of the Vagrant folder to ensure your system passes the prerequisite checks for building DetectionLab.

DetectionLab Documentation

The primary documentation site is located at


Please do all of your development in a feature branch on your own fork of DetectionLab. Contribution guidelines can be found here:

In the Media


A sizable percentage of this code was borrowed and adapted from Stefan Scherer's packer-windows and adfs2 Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.


DetectionLab Sponsors

Last updated: 01/01/2023

I would like to extend thanks to everyone who sponsored DetectionLab over the past few years. DetectionLab is no longer actively being maintained or developed.

Related Awesome Lists
Top Programming Languages

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Html (276,512
Ansible (21,623
Powershell (20,430
Logging (16,077
Vagrant (14,702
Terraform (12,558
Packer (2,948
Forwarding (1,503
Vagrantfile (1,414
Information Security (1,411
Dfir (382
Osquery (194
Sysmon (188
Dfir Automation (14
Lab Environment (5