A production-grade security operations environment built on a 3-node Proxmox cluster. Covers the full detection and response lifecycle — infrastructure, SIEM, network security monitoring, hybrid identity, endpoint forensics, threat intelligence, attack simulation, and automated incident response.
| Component | Details |
|---|---|
| Proxmox Cluster | pve-t7810 (Dell T7810, 64GB) · pve-7070 (OptiPlex 7070, 32GB) · pve-3050 (OptiPlex 3050, 16GB) |
| Domain | lab.local · Windows Server 2022 · LAB-DC01 at 192.168.20.21 |
| Hybrid Identity | Entra Connect · Password Hash Sync · MFA · Entra ID tenant |
| Network | Ubiquiti EdgeRouter X SFP · Cisco SG300 · 4-VLAN design |
| Endpoints | LAB-DC01 · FRG-W10-01 (192.168.20.110) · FRG-W10-02 (192.168.20.111) · FRG-FS01 |
| VLAN | Subnet | Purpose |
|---|---|---|
| VLAN 10 | 192.168.10.0/24 | Management — Proxmox nodes, network devices |
| VLAN 20 | 192.168.20.0/24 | Enterprise Lab — domain, servers, SOC tools |
| VLAN 30 | 192.168.30.0/24 | Attack — Kali Linux, offensive tooling |
| VLAN 40 | 192.168.40.0/24 | IoT — isolated wireless devices |
SPAN port: gi1, gi3, gi4, gi9 → gi36 (Security Onion)
| Tool | IP | Status | Details |
|---|---|---|---|
| Wazuh | 192.168.20.60 | ✅ Live | 4 agents · Sysmon · Windows Audit Policy GPO · 5-panel SOC dashboard |
| Splunk | 192.168.20.61 | ✅ Live | Wazuh forwarding via UDP 5514 · JSON field extraction · 5-panel SOC dashboard |
| Security Onion | 192.168.20.70 | ✅ Live | Zeek + Suricata · 25-30k events/hr · SPAN active · Sigma alerts firing |
| Tool | IP | Status | Details |
|---|---|---|---|
| Velociraptor | 192.168.20.63 | ✅ Live | 3 agents: DC01, W10-01, W10-02 · VQL hunts · Windows.Sys.Users validated |
| MISP | 192.168.20.64 | ✅ Live | 5 feeds · MISP → Wazuh integration · IOC correlation active |
| BloodHound CE | 192.168.20.65 | ✅ Live | SharpHound run · DCSync rights mapped · IR-2026-001 documented |
| Tool | IP | Status | Details |
|---|---|---|---|
| Gitea | 192.168.20.66 | ✅ Live | Self-hosted Git · 3 repos: ansible, configs, IR |
| Ansible | 192.168.20.66 | ✅ Live | 6 Linux servers managed · passwordless sudo · patch + static IP playbooks |
| Attack-Kali | 192.168.20.67 | ✅ Live | Dual-NIC · VLAN 20 + VLAN 30 · nmap scans executed |
| Phase | Description | Status |
|---|---|---|
| Phase 1 | Wazuh · Sysmon · DC01 audit policies | ✅ Complete |
| Phase 2 | Security Onion · SPAN · bond0 fix | ✅ Complete |
| Phase 3 | Splunk · Wazuh forwarding · dashboards | ✅ Complete |
| Phase 4 | Entra Connect · hybrid identity | ✅ Complete |
| Phase 5 | Velociraptor · MISP · BloodHound | ✅ Complete |
| Phase 6 | Ansible · Gitea · IR Reports | ✅ Complete |
| Endpoint | OS | Telemetry |
|---|---|---|
| LAB-DC01 | Windows Server 2022 | Sysmon · AD audit · PowerShell logging · WFP audit |
| FRG-W10-01 | Windows 10 Pro 22H2 | Sysmon (SwiftOnSecurity) · process creation · auth events |
| FRG-W10-02 | Windows 10 Pro 22H2 | Sysmon (SwiftOnSecurity) · process creation · auth events |
| frg-splunk | Ubuntu 22.04 | System logs · auth · service events |
| Detection | MITRE ID | Tool | Notes |
|---|---|---|---|
| PowerShell execution | T1059.001 | Wazuh | Real detection during lab operations |
| Ingress Tool Transfer | T1105 | Wazuh | Real detection during lab operations |
| SOC Login Failure | — | Security Onion | First Sigma alert — high severity |
Severity: High | Status: Closed
BloodHound CE identified the Entra Connect sync account (MSOL_01C8813E06CF) with DCSync rights over LAB.LOCAL. If compromised, full credential dump via DCSync is possible — including krbtgt enabling Golden Ticket attacks.
MITRE: T1003.006 — OS Credential Dumping: DCSync
Full report: ir-reports/IR-2026-001.md
- Kali Linux deployed on VLAN 30 with second NIC on VLAN 20 (192.168.20.67)
- Nmap scan executed — 17 hosts discovered on VLAN 20
- First full attack simulation logged and detected
fortreign-soc-lab/
├── README.md
├── architecture/
│ └── soc-architecture.md
├── identity/
│ └── hybrid-identity.md
├── siem/
│ ├── wazuh-deployment.md
│ ├── splunk-deployment.md
│ └── security-onion-deployment.md
├── soc-tools/
│ ├── velociraptor-deployment.md
│ ├── misp-deployment.md
│ └── bloodhound-deployment.md
├── detections/
│ ├── custom-rules.md
│ └── velociraptor-hunts.md
├── ir-reports/
│ ├── IR-TEMPLATE.md
│ └── IR-2026-001.md
├── playbooks/
│ ├── suspicious-logon.md
│ ├── brute-force.md
│ └── dcsync-detection.md
├── ansible/
│ ├── README.md
│ ├── hosts
│ ├── update-linux.yml
│ └── static-ips.yml
└── queries/
├── splunk-spl.md
└── bloodhound-cypher.md
Infrastructure
Proxmox Windows Server 2022 Active Directory DNS DHCP Group Policy VLAN segmentation SPAN port Cisco SG300 Ubiquiti EdgeOS
Security Operations
Wazuh Splunk Security Onion Zeek Suricata Sigma Velociraptor MISP BloodHound Sysmon PCAP analysis Threat hunting Detection engineering Incident response
Identity
Active Directory Entra Connect Hybrid identity Password Hash Sync MFA DCSync analysis
Automation
Ansible Gitea Bash PowerShell Python FastAPI
Offensive
Kali Linux nmap Attack simulation MITRE ATT&CK mapping
