Windows Response LAB

1. Introduction

You may have learned many things about Linux and open-source tools, but most enterprise networks are based on Microsoft Windows and Active Directory.

The Windows Response Lab is based on a fully deployed Active Directory with several computers and servers joined into the domain. Before using the Windows Response Lab, you must deploy it in Azure. Thus, please start and deploy the infrastructure using the Deployment Manager.

The setup is very similar to the WinAttack LAB.

2. Architecture

The picture below highlights the Windows Response Lab, sometimes called Windows Attack Lab. Two hosts, a Windows 10 RDP computer and a Forensic Investigation machine, are accessible from the internet. You must always jump to one of these hosts to connect to other computers in the lab. It is recommended to use the Windows 10 RDP host at first.

  • RDP connection to Client1.winattacklab.local

  • RDP connection to Forensicclient

3. Exercises
