Lab Architecture
Status: Scaffold — content in progress
The ITDR lab is a set of isolated, reproducible environments for practicing identity attacks and validating detection rules.
Lab Design Principles
- Isolation: each lab runs in its own network segment — no internet access from victim machines
- Reproducibility: all builds are scripted (Vagrant/Ansible or Docker Compose)
- Snapshot-based: baseline snapshots before each attack scenario for easy reset
- Detection-ready: logging infrastructure deployed from the start
- Modular: labs can run standalone or together for hybrid scenarios
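As an added example (not part of the original page), the POSIX shell helper below scripts two of the principles above, isolation and snapshot-based reset, with VBoxManage against the VirtualBox VMs named in the component diagram. The VM names SIEM01 and KALI01 (the page only calls them "SIEM/Wazuh" and "Attacker"), the snapshot name `baseline` and the internal-network name `itdr-lab` are assumptions.

```shell
#!/bin/sh
# ITDR lab lifecycle helper (added example; not code from the original page).
# Assumes the four VMs from the diagram exist in VirtualBox under the names
# below and that VBoxManage is on PATH. SIEM01 and KALI01 are assumed names.
# Set VBOXMANAGE=echo to dry-run: the commands are printed instead of executed.
set -eu

LAB_VMS="DC01 WS01 SIEM01 KALI01"
BASELINE="baseline"     # snapshot taken before every attack scenario (assumed name)
INTNET="itdr-lab"       # VirtualBox internal network name (assumed)
: "${VBOXMANAGE:=VBoxManage}"

# Isolation: attach adapter 2 of every VM to one internal network. Traffic on a
# VirtualBox intnet never reaches the host or the internet, so the
# 192.168.56.0/24 lab segment has no outbound path on that adapter. Adapter 1
# (Vagrant's NAT adapter) is left alone here; add "--nic1 none" for the victim
# VMs once provisioning is finished if the NAT path must go too, at the cost of
# Vagrant's WinRM/SSH management. modifyvm requires the VM to be powered off.
lab_isolate() {
    for vm in $LAB_VMS; do
        $VBOXMANAGE modifyvm "$vm" --nic2 intnet --intnet2 "$INTNET"
    done
}

# Snapshot-based: record a clean baseline of every VM. An existing snapshot with
# the same name is deleted first, because VirtualBox allows duplicate names and
# a later "restore baseline" would then be ambiguous.
lab_baseline() {
    for vm in $LAB_VMS; do
        $VBOXMANAGE snapshot "$vm" delete "$BASELINE" 2>/dev/null || true
        $VBOXMANAGE snapshot "$vm" take "$BASELINE" --description "clean state before scenario"
    done
}

# Easy reset: power off, roll back to the baseline, boot headless.
# poweroff fails on a VM that is already off, so that step may fail.
lab_reset() {
    for vm in $LAB_VMS; do
        $VBOXMANAGE controlvm "$vm" poweroff 2>/dev/null || true
        $VBOXMANAGE snapshot "$vm" restore "$BASELINE"
        $VBOXMANAGE startvm "$vm" --type headless
    done
}

case "${1:-}" in
    isolate)  lab_isolate ;;
    baseline) lab_baseline ;;
    reset)    lab_reset ;;
    *)        echo "usage: $0 {isolate|baseline|reset}" >&2 ;;
esac
```

Run `lab isolate` and `lab baseline` once after the Vagrant/Ansible build has finished, then `lab reset` between scenarios; the SIEM VM is reset along with the victims so that each run's telemetry starts from a known log state.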
Core Lab Components
```
┌────────────────────────────────────────────────────┐
│ Lab Network (192.168.56.0/24)                      │
│                                                    │
│   ┌──────────────┐        ┌──────────────┐         │
│   │ DC01         │        │ WS01         │         │
│   │ Win Server   │        │ Win 10/11    │         │
│   │ AD DS / CA   │        │ Workstation  │         │
│   └──────────────┘        └──────────────┘         │
│                                                    │
│   ┌──────────────┐        ┌──────────────┐         │
│   │ SIEM/Wazuh   │        │ Attacker     │         │
│   │ Log collector│        │ Kali Linux   │         │
│   └──────────────┘        └──────────────┘         │
└────────────────────────────────────────────────────┘
```
Lab Environments
| Lab | Protocols | Key Attacks |
|---|---|---|
| AD Lab | Kerberos, NTLM, LDAP, ADCS | Kerberoasting, DCSync, Golden Ticket, ESC1 |
| Entra ID Lab | OAuth2, OIDC, SAML, CA, PIM | Device code phishing, Golden SAML |
| Linux Lab | PAM, SSSD, Kerberos, sudo | ccache theft, keytab abuse, sudo esc |
| Okta Lab | SAML, SCIM, MFA | MFA fatigue, Okta admin abuse |
Tooling Stack
| Category | Tool |
|---|---|
| Attack | Impacket, Rubeus, BloodHound, Certipy, ROADtools |
| Detection | Wazuh (SIEM), Windows Event Forwarding, Sysmon |
| Lab build | Vagrant + VirtualBox, Ansible |
| Analysis | BloodHound CE, Plumhound |
Cross-Links
| Topic | Link |
|---|---|
| AD Lab Setup | lab-ad-setup |
| Simulation Framework | simulation-framework |