Adversary Emulation Labs Based on MITRE ADCS: the LAVAEL Project

Vladyslav Diadenko
Oct 12, 2024

This project is inspired by MITRE ADCS and MITRE’s TTP-based hunting documentation.

Source: TTP-based hunt methodology “V” diagram

This is my first attempt at using virtualization and automation tools to build a lab for adversary emulation. While I refer to it as emulation, in this specific lab, it will be more of a simulation. In future projects, I plan to use this lab to emulate specific APT groups whose tactics and techniques are documented and publicly available.

LAVAEL stands for Libvirt Ansible Vagrant Adversary Emulation Lab. This project was built with complete automation in mind, meaning the entire lab environment can be installed automatically using these tools for a fast, hands-off setup. However, I chose to first write detailed articles explaining each step before introducing the fully automated process.

The MITRE methodology will be discussed and applied at the end of the lab. You can find more information from official sources linked above. In this lab, I will share my approach to implementing adversary emulation methodologies and TTP-based hunting. Please note that this is my interpretation and not an exhaustive resource. My knowledge is not final, and I am continuously learning and refining my approaches.

The topics are still in development and will be released progressively:
