GitHub - CRobin0780/fortreign-soc-lab-old: Production-grade SOC homelab — Wazuh, Splunk, Velociraptor, MISP, BloodHound, Entra Connect hybrid identity. 6-phase build with IR reports and Ansible automation. · GitHub
Skip to content

CRobin0780/fortreign-soc-lab-old

Folders and files

Repository files navigation

Fort Reign — SOC Lab

A production-grade security operations environment built on a 3-node Proxmox cluster. Covers the full detection and response lifecycle — infrastructure, SIEM, network security monitoring, hybrid identity, endpoint forensics, threat intelligence, attack simulation, and automated incident response.


Environment

Component Details
Proxmox Cluster pve-t7810 (Dell T7810, 64GB) · pve-7070 (OptiPlex 7070, 32GB) · pve-3050 (OptiPlex 3050, 16GB)
Domain lab.local · Windows Server 2022 · LAB-DC01 at 192.168.20.21
Hybrid Identity Entra Connect · Password Hash Sync · MFA · Entra ID tenant
Network Ubiquiti EdgeRouter X SFP · Cisco SG300 · 4-VLAN design
Endpoints LAB-DC01 · FRG-W10-01 (192.168.20.110) · FRG-W10-02 (192.168.20.111) · FRG-FS01

VLAN Architecture

VLAN Subnet Purpose
VLAN 10 192.168.10.0/24 Management — Proxmox nodes, network devices
VLAN 20 192.168.20.0/24 Enterprise Lab — domain, servers, SOC tools
VLAN 30 192.168.30.0/24 Attack — Kali Linux, offensive tooling
VLAN 40 192.168.40.0/24 IoT — isolated wireless devices

SPAN port: gi1, gi3, gi4, gi9 → gi36 (Security Onion)


Security Stack

SIEM & Monitoring

Tool IP Status Details
Wazuh 192.168.20.60 ✅ Live 4 agents · Sysmon · Windows Audit Policy GPO · 5-panel SOC dashboard
Splunk 192.168.20.61 ✅ Live Wazuh forwarding via UDP 5514 · JSON field extraction · 5-panel SOC dashboard
Security Onion 192.168.20.70 ✅ Live Zeek + Suricata · 25-30k events/hr · SPAN active · Sigma alerts firing

SOC Tools

Tool IP Status Details
Velociraptor 192.168.20.63 ✅ Live 3 agents: DC01, W10-01, W10-02 · VQL hunts · Windows.Sys.Users validated
MISP 192.168.20.64 ✅ Live 5 feeds · MISP → Wazuh integration · IOC correlation active
BloodHound CE 192.168.20.65 ✅ Live SharpHound run · DCSync rights mapped · IR-2026-001 documented

Infrastructure

Tool IP Status Details
Gitea 192.168.20.66 ✅ Live Self-hosted Git · 3 repos: ansible, configs, IR
Ansible 192.168.20.66 ✅ Live 6 Linux servers managed · passwordless sudo · patch + static IP playbooks
Attack-Kali 192.168.20.67 ✅ Live Dual-NIC · VLAN 20 + VLAN 30 · nmap scans executed

Build Phases

Phase Description Status
Phase 1 Wazuh · Sysmon · DC01 audit policies ✅ Complete
Phase 2 Security Onion · SPAN · bond0 fix ✅ Complete
Phase 3 Splunk · Wazuh forwarding · dashboards ✅ Complete
Phase 4 Entra Connect · hybrid identity ✅ Complete
Phase 5 Velociraptor · MISP · BloodHound ✅ Complete
Phase 6 Ansible · Gitea · IR Reports ✅ Complete

Detection Coverage

Endpoint Telemetry (Wazuh Agents)

Endpoint OS Telemetry
LAB-DC01 Windows Server 2022 Sysmon · AD audit · PowerShell logging · WFP audit
FRG-W10-01 Windows 10 Pro 22H2 Sysmon (SwiftOnSecurity) · process creation · auth events
FRG-W10-02 Windows 10 Pro 22H2 Sysmon (SwiftOnSecurity) · process creation · auth events
frg-splunk Ubuntu 22.04 System logs · auth · service events

Real Detections Logged

Detection MITRE ID Tool Notes
PowerShell execution T1059.001 Wazuh Real detection during lab operations
Ingress Tool Transfer T1105 Wazuh Real detection during lab operations
SOC Login Failure Security Onion First Sigma alert — high severity

False Positives Documented

Rule Tool Cause Resolution
Rule 92213 Wazuh cleanmgr.exe flagged as T1105 Tuned — whitelisted legitimate system binary

Key Findings

IR-2026-001 — DCSync Rights Exposure via Entra Connect

Severity: High | Status: Closed

BloodHound CE identified the Entra Connect sync account (MSOL_01C8813E06CF) with DCSync rights over LAB.LOCAL. If compromised, full credential dump via DCSync is possible — including krbtgt enabling Golden Ticket attacks.

MITRE: T1003.006 — OS Credential Dumping: DCSync

Full report: ir-reports/IR-2026-001.md


Attack Simulation

  • Kali Linux deployed on VLAN 30 with second NIC on VLAN 20 (192.168.20.67)
  • Nmap scan executed — 17 hosts discovered on VLAN 20
  • First full attack simulation logged and detected

Repository Structure

fortreign-soc-lab/
├── README.md
├── architecture/
│   └── soc-architecture.md
├── identity/
│   └── hybrid-identity.md
├── siem/
│   ├── wazuh-deployment.md
│   ├── splunk-deployment.md
│   └── security-onion-deployment.md
├── soc-tools/
│   ├── velociraptor-deployment.md
│   ├── misp-deployment.md
│   └── bloodhound-deployment.md
├── detections/
│   ├── custom-rules.md
│   └── velociraptor-hunts.md
├── ir-reports/
│   ├── IR-TEMPLATE.md
│   └── IR-2026-001.md
├── playbooks/
│   ├── suspicious-logon.md
│   ├── brute-force.md
│   └── dcsync-detection.md
├── ansible/
│   ├── README.md
│   ├── hosts
│   ├── update-linux.yml
│   └── static-ips.yml
└── queries/
    ├── splunk-spl.md
    └── bloodhound-cypher.md

Skills Demonstrated

Infrastructure Proxmox Windows Server 2022 Active Directory DNS DHCP Group Policy VLAN segmentation SPAN port Cisco SG300 Ubiquiti EdgeOS

Security Operations Wazuh Splunk Security Onion Zeek Suricata Sigma Velociraptor MISP BloodHound Sysmon PCAP analysis Threat hunting Detection engineering Incident response

Identity Active Directory Entra Connect Hybrid identity Password Hash Sync MFA DCSync analysis

Automation Ansible Gitea Bash PowerShell Python FastAPI

Offensive Kali Linux nmap Attack simulation MITRE ATT&CK mapping

About

Production-grade SOC homelab — Wazuh, Splunk, Velociraptor, MISP, BloodHound, Entra Connect hybrid identity. 6-phase build with IR reports and Ansible automation.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

Contributors