Kernel of Truth

Cybersecurity Home Lab – Intermediate

🧱 Intermediate Cybersecurity Lab Setup Guide

If you’ve mastered basic VM configurations and want to start thinking like an enterprise SOC, this intermediate lab introduces blue team and red team tooling, multi-host networks, threat emulation, and logging pipelines.

🔐 “This is where you stop playing and start defending like a pro.”


🧭 Goals of This Lab

  • 🧪 Detect real attacker behaviour using MITRE ATT&CK
  • 📦 Ingest and correlate logs across multiple hosts
  • 🤖 Use open-source SOAR automation (e.g. Shuffle, TheHive + Cortex)
  • 💥 Run adversary emulation with Atomic Red Team or Caldera
  • ☁️ Add simulated cloud logging (Azure/AWS)

🧰 Lab Components Overview

Role                   Tool
Attack Box             Kali Linux or Commando VM
Victim Workstation     Windows 10/11 w/ Sysmon, osquery
Linux Server           Ubuntu server for hosting logs/attack targets
SIEM                   Splunk (free), Elastic Stack, or Wazuh
SOAR                   Shuffle (Docker) or TheHive + Cortex
Threat Emulation       Atomic Red Team, Caldera
Cloud Logs (Optional)  Azure + Sentinel, or AWS GuardDuty logs via API

🖥 Suggested Virtual Machine Layout

[Host System or Proxmox ESXi]
├── Kali VM (Attacker, Metasploit, Atomic Red Team)
├── Win10 VM (Endpoint, Sysmon, Office Tools, Defender)
├── Ubuntu VM (ELK or Splunk + Wazuh)
├── Shuffle/TheHive (SOAR automation)
└── Optional: Cloud Log Forwarding VM (Azure/AWS logs to SIEM)

🔗 Lab Networking

  • Use internal NAT/host-only adapters for isolation
  • Enable port mirroring (if physical switch supports it) for passive capture
  • Optional: simulate DMZ or segmented networks using VLANs in Proxmox or pfSense

🧪 Threat Emulation Setup

Tool                  Purpose
Atomic Red Team       Run ATT&CK-based test cases on Windows
Caldera (MITRE)       AI-driven red team emulation with built-in agents
Invoke-Atomic         PowerShell tool to automate ATT&CK tests
Metasploit Framework  Simulate reverse shells, privilege escalation, exploits

🔥 Use detection tags like T1059, T1027, T1047 to track coverage


🔍 Blue Team Setup

SIEM Options:

  • 🟠 Splunk Free Edition (500MB/day)
  • 🔵 Elastic Stack (Beats + Kibana)
  • Wazuh – Integrated with Elastic, focused on host monitoring

Endpoint Logging:


⚙️ SOAR Integration

SOAR Tool              Use Case
Shuffle (Docker)       Free and powerful; use webhooks and API nodes
TheHive + Cortex       Great for case management, enrichment, automation
Phantom (Splunk SOAR)  If licensed, use with Splunk for advanced playbooks

Sample Playbooks:

  • IOC Enrichment via VirusTotal or AbuseIPDB
  • Auto-case creation when Atomic Red Team fires detection
  • Email notification on suspicious login behaviour

☁️ Simulated Cloud Logging

Option 1: Azure Cloud Lab (Free Tier)

  • Enable Defender for Cloud logs
  • Ingest Azure AD login logs into local SIEM via API or Logstash
  • Simulate login anomalies and risky sign-ins

Option 2: AWS Free Tier

  • Create CloudTrail & GuardDuty logs
  • Export to S3 → pull to local Splunk/Wazuh
  • Detect account misuse and brute force attempts

🔍 Detection Engineering Use Cases to Try

Use Case                                        MITRE Technique
Encoded PowerShell                              T1059.001
Suspicious Parent Process (e.g. winword → cmd)  T1204.002
Living Off The Land Binaries (LOLBins)          T1218
Credential Dumping (mimikatz)                   T1003
RDP Logon from External IP                      T1021.001
DNS Tunneling                                   T1071.004
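
As an added example (not from the original guide), the first two use cases above written as detection logic over constructed Sysmon Event ID 1 style records. It generalises the "winword → cmd" rule to other Office parents and script hosts, and the encoded-PowerShell rule also decodes the UTF-16LE payload so an analyst can see what was run. The field names, sample paths and host name are assumptions.

```python
import base64
import re
from pathlib import PureWindowsPath

# Rule 1 (T1204.002): an Office application spawning a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Rule 2 (T1059.001): PowerShell accepts abbreviated switches, so match -e/-ec/-en/-enc/
# -encodedcommand followed by a base64-looking token (-ExecutionPolicy does not match).
ENCODED_RE = re.compile(r"(?<!\S)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def _name(path):
    return PureWindowsPath(path).name.lower()

def decode_powershell(b64):
    """-EncodedCommand payloads are base64 of UTF-16LE; return the script text for triage."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def detect(events):
    """Run both rules over Sysmon Event ID 1 style records; one hit per (event, technique)."""
    hits = []
    for ev in events:
        image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        if image in {"powershell.exe", "pwsh.exe"} and (m := ENCODED_RE.search(cmd)):
            hits.append({"technique": "T1059.001", "host": ev["Computer"],
                         "decoded": decode_powershell(m.group(1))})
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            hits.append({"technique": "T1204.002", "host": ev["Computer"],
                         "chain": f"{parent} -> {image}"})
    return hits

# Constructed sample records (not real telemetry); the encoded command is built here so
# the decoder can be checked against the original text.
ENCODED = base64.b64encode("Write-Host 'hello from the lab'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WIN10-LAB", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c echo test"},
    {"Computer": "WIN10-LAB", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"Computer": "WIN10-LAB", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\lab\inventory.ps1"},  # benign
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Both rules are deliberately narrow; in a real SIEM you would also key on the Sysmon ParentCommandLine and user fields and tune the Office parent list to what your lab actually runs.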

🧠 Bonus Tips

  • 🧪 Use MITRE ATT&CK Navigator to track your detection coverage
  • 📦 Automate threat intel ingestion into your SIEM (MISP/STIX feeds)
  • 📊 Build dashboards to visualise attack chains, IOC hits, and host risk scores
  • 🧰 Use Cron, Watchdog or FleetDM to keep tools running smoothly
  • 📜 Document your detections like a product: title, TTP, logic, test plan, logs required

✅ Summary

This intermediate lab bridges the gap between student and practitioner. You’ll go beyond detection to simulate realistic threats, automate your response, and lay the groundwork for enterprise-grade defensive security.

🧩 “Build like a hacker. Think like a hunter. Automate like an engineer.”