Constructing Defense
- Buy now
- Learn more
Welcome to Constructing Defense!

Welcome & Introduction
Changelog
Lab Overview

Lab Overview
General Lab Build Approach
Lab Construction

ISO Downloads - Windows Server 2019
ISO Downloads - Windows 11
ISO Downloads - Ubuntu
ISO Downloads - PCAP
Lab Construction - AWS Version

Terraform Setup
Domain Controller
Windows 11 A & V
Certer
Linux A & Linux V
[Splunk] - Lab Construction & Provisioning - Ludus Version

[Splunk] - Ludus Overview
[Splunk] - Ludus Deploy
[Splunk] - Ludus Post Deploy Setup
Lab Construction & Provisioning - Ludus Version

Ludus Overview
Ludus Setup
Ludus Post Deploy Setup
Lab Provisioning

Domain Controller
Windows 11 A & V
Certer
Linux A & Linux V
PCAP
PCAP - New Malcolm Version
Cloud Accounts - Azure
Cloud Accounts - Amazon Web Services (AWS)
Kubernetes Setup
Sysmon Setup
Telemetry Setup & Miscellaneous Lab Configuration

Section Intro
Windows Auditing and GPO Setup
Disabling Defender
Certificate Enrollment
Linux Auditd + Laurel
Sumo Logic SIEM Account
[Sumo Logic] - Windows Event Collection
[Sumo Logic] - Linux Event Collection
[Legacy] - Kubernetes Monitoring
[Sumo Logic] - Kubernetes Monitoring
[Sumo Logic] - Cloud Collection - AWS
[Sumo Logic] - Cloud Collection - Azure
[Splunk] - Splunk Setup
[Splunk] - Forwarder Setup (Windows)
[Splunk] - Forwarder Setup (Linux)
[Splunk] - Kubernetes Monitoring
[Splunk] - Cloud Collection - AWS
[Splunk] - Cloud Collection - Azure/Entra
Lab Executions

Section Intro
Getting to Know Ourselves
Our First Shell
First Shell - Detection 1
First Shell - Detection 2
Our Second Shell - Exploring the Network Layer
Second Shell - Bonus Round
Credential Access on Windows Hosts - LSASS
Credential Access on Windows Hosts - File Shares
Credential Access on Windows Hosts - Kerberoasting
Credential Access on Windows Hosts - DCSync
Lateral Movement in Windows Environments - WMIExec
Lateral Movement in Windows Environments - PSExec
Discovery/Recon Detection on Windows Hosts
Profiling Rundll32 Executions on Windows Hosts
LOLBAS / LOLBINs
Active Directory Certificate Services
Authentication Anomalies on Windows Hosts - The Classic Brute Force
Authentication Anomalies on Windows Hosts - The Kerberos Approach
Credential Access on Linux Hosts - The Shadow File
Credential Access on Linux Hosts - Through a C2 Framework
Lateral Movement on Linux Hosts - Interactive Bash Prompts
Web Shell Detections on Linux Hosts
Kubernetes Threat Detection - Dipping our Toes
Kubernetes Threat Detection - The Host Layer
Kubernetes Threat Detection - The Host Layer - Enumeration
Kubernetes Threat Detection - Tunneling & Exposed Services
Kubernetes Goat 🐐
Kubernetes Threat Detection - Poisoned Pod
Azure - Password Sprays
Azure - MFA Madness
Azure - Wrangling Applications
[Legacy] - Azure - Bad to the Bone
[Updated] - Azure - Bad to the Bone
Azure - AzureHound
Azure/Entra Session Hijacking via Browser Cookie Theft 🍪
Azure Session Hijack via HAR File
AWS - Account Set Up and CLI Access
AWS - CloudTrail - IAM User Creation
AWS - CloudTrail - IAM User Enumeration
AWS - CloudTrail - Pacu - IAM Brute Force
AWS - CloudTrail - Pacu - S3 Bucket Exfil
Adding a bit of Purple
Endpoint Analysis with Hayabusa and Langchain
Kerberos Attacks & Defenses - Pass the Ticket
Kerberos Attacks & Defenses - Golden Ticket
Web Sockets & .NET Assemblies
DPAPI at the Host and Network Layer
Purple Teaming Memory Forensics with MemProcFS
Lab Executions - Splunk

[Splunk] - Getting to Know Ourselves
[Splunk] - Our First Shell
[Splunk] First Shell - Detection 1
[Splunk] - First Shell - Detection 2
[Splunk] - Our Second Shell - Exploring the Network Layer
[Splunk] - Second Shell - Bonus Round
[Splunk] - Credential Access on Windows Hosts - LSASS
[Splunk] - Credential Access on Windows Hosts - File Shares
[Splunk] - Credential Access on Windows Hosts - Kerberoasting
[Splunk] - Credential Access on Windows Hosts - DCSync
[Splunk] - Lateral Movement in Windows Environments - WMIExec
[Splunk] - Lateral Movement in Windows Environments - PSExec
[Splunk] - Discovery/Recon Detection on Windows Hosts
[Splunk] - Profiling Rundll32 Executions on Windows Hosts
[Splunk] - LOLBAS / LOLBINs
[Splunk] - Active Directory Certificate Services
[Splunk] - Authentication Anomalies on Windows Hosts - The Classic Brute Force
[Splunk] - Authentication Anomalies on Windows Hosts - The Kerberos Approach
[Splunk] - Credential Access on Linux Hosts - The Shadow File
[Splunk] - Credential Access on Linux Hosts - Through a C2 Framework
[Splunk] - Lateral Movement on Linux Hosts - Interactive Bash Prompts
[Splunk] - Web Shell Detections on Linux Hosts
[Splunk] - Kubernetes Threat Detection - Dipping our Toes
[Splunk] - Kubernetes Threat Detection - The Host Layer
[Splunk] - Kubernetes Threat Detection - The Host Layer - Enumeration
[Splunk] - Kubernetes Threat Detection - Tunneling & Exposed Services
[Splunk] - Kubernetes Goat 🐐
[Splunk] - Kubernetes Threat Detection - Poisoned Pod
[Splunk] - Azure - Password Sprays
[Splunk] - Azure - MFA Madness
[Splunk] - Azure - Wrangling Applications
[Legacy] - Azure - Bad to the Bone
[Updated] - Azure - Bad to the Bone
[Splunk] - Azure - AzureHound
[Splunk] - Azure/Entra Session Hijacking via Browser Cookie Theft 🍪
[Splunk] - Azure Session Hijack via HAR File
[Splunk] - AWS - Account Set Up and CLI Access
[Splunk] - AWS - CloudTrail - IAM User Creation
[Splunk] - AWS - CloudTrail - IAM User Enumeration
[Splunk] - AWS - CloudTrail - Pacu - IAM Brute Force
[Splunk] - AWS - CloudTrail - Pacu - S3 Bucket Exfil
[Splunk] - Adding a bit of Purple
[Splunk] - Endpoint Analysis with Hayabusa and Langchain
[Splunk] - Kerberos Attacks & Defenses - Pass the Ticket
[Splunk] - Kerberos Attacks & Defenses - Golden Ticket
[Splunk] - Web Sockets & .NET Assemblies
[Splunk] - Purple Teaming Memory Forensics with MemProcFS
Saying Goodbye 👋

Outro

Ludus Overview

Hardware Requirements

The Ludus host that was used for creation the Ludus version of the Constructing Defense lab had the following specs:

64GB RAM
16 CPU Cores
400GB Disk

You may be able to provision the lab on a host with 32GB of RAM and less CPU cores. The PCAP appliance Malcolm requires the most resources, so if you have a less provisioned host, you can choose not to run the Malcolm appliance and simply follow along with the videos and screenshots of the course.

General

The Ludus deployment option of the Constructing Defense lab automates the majority of the steps found within the "Lab Construction", "Lab Provisioning" and "Telemetry Setup & Miscellaneous Lab Configuration" sections of the course.

The Ludus deploy and associated Ansible roles provided for the course perform the following:

Stand up six virtual machines and a router
Stand up a condef.local domain
Set up of all relevant Group Policy objects
- These include GPOs for certificate enrollment so ADCS attack paths work
- These also include logging configurations
Domain join of all Windows virtual machines
Configuration and deploy of Sysmon
- We are using a customized version of Sysmon modular for the course
Configuration and deploy of Linux Auditd and Laurel
- We are using Florian Roth's Auditd configuration with a few customizations to turn the noise down a bit for Docker
Installation of Sumo Logic collectors on all relevant hosts
Set up of Minikube / Kubernetes cluster

After the lab is deployed, there are a few additional steps required, these are outlined in the "Ludus Post Deploy Setup" section and include the following items:

Cloud account creation and collection configuration
Kubernetes telemetry collection
Malcolm setup

As a reminder, all sections of the course are totally optional to complete and you can choose to watch the videos or read the notes. For example, if you don't feel comfortable signing up for paid cloud services or do not have enough compute resources to add a Malcolm host to your lab.