In this module
Building Your Purple-Team Lab
PT0 showed you the gap between detection claims and evidence. PT1 builds the lab that closes it.
By the end of this module you'll have a working purple-team lab — four target environments, three SIEMs, attack tooling installed and validated, tracking configured. You'll fire your first technique (T1059.001 PowerShell execution) and confirm telemetry lands in Sentinel, Defender XDR Advanced Hunting, and your secondary SIEM. That smoke test is the proof the lab works. Everything from Module 2 onward uses this lab.
Why a local lab
You cannot safely fire ATT&CK techniques against your employer's environment. The commands in this course are real attacker techniques — procdump.exe -ma lsass.exe, Mimikatz credential extraction, DCSync, AiTM phishing proxies. Running them outside a lab you own is illegal in most jurisdictions. Running them against production systems is a career-ending mistake even where it's legal.
A local lab solves this. You own the hardware. You own the VMs. You own the M365 dev tenant and the Azure subscription. Every attack runs inside your lab. Every piece of telemetry stays in your own SIEM. Nobody's production systems are touched. You can break things, rebuild them, and break them again — that's the point.
The lab also teaches infrastructure skills that transfer directly. By the end of this module you'll have configured Sysmon, auditd, telemetry forwarding, Sentinel ingestion, and SIEM query environments from scratch. Those skills aren't the course curriculum, but they're the foundation every blue-team practitioner needs.
What you'll build
Lab Architecture
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Target Environments (VMs on your workstation):
┌─────────────────────────┐ ┌─────────────────────────────┐
│ Windows 10/11 Endpoint  │ │ Windows Server 2022 (DC)    │
│ Sysmon + SwiftOnSecurity│ │ AD DS, domain-joined        │
│ AMA → Sentinel          │ │ AMA → Sentinel              │
└─────────────────────────┘ └─────────────────────────────┘
┌─────────────────────────┐ ┌─────────────────────────────┐
│ Ubuntu Server (Linux)   │ │ M365 Developer Tenant       │
│ auditd + Neo23x0 rules  │ │ E5 licences, Entra ID       │
│ rsyslog → Sentinel      │ │ Defender XDR connected      │
└─────────────────────────┘ └─────────────────────────────┘
SIEMs (where detection rules run):
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ Microsoft        │ │ Defender XDR     │ │ Splunk Free      │
│ Sentinel (KQL)   │ │ Advanced Hunting │ │ OR Elastic       │
│ £15-25/mo        │ │ (free w/ tenant) │ │ (free)           │
└──────────────────┘ └──────────────────┘ └──────────────────┘
Attack Tooling:
Atomic Red Team · Caldera · manual commands per technique
Tracking:
VECTR (results per technique) · ATT&CK Navigator (coverage heatmap)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
You don't need to run all of this simultaneously. Each technique sub uses one or two environments at a time. Bring up the VM you need, fire the attack, check the SIEMs, shut it down.
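The PT1.12 smoke test asks one question of the Sysmon → AMA → Sentinel pipeline drawn above: did the T1059.001 process-creation event actually land with the fields a rule keys on? As an added example (not course material, and not a rule from the course's Sigma repository), the script below runs a Sigma-style T1059.001 selection over constructed Sysmon Event ID 1 records in Windows Event XML form, the shape Sysmon writes locally before forwarding. The sample records, the choice of Image and CommandLine as the match fields, and the pass/fail summary are this example's own assumptions; an empty event list is treated as a failed smoke test, because "no events" is exactly the silent failure Module 0 warned about.

```python
"""Local check for the PT1.12 smoke test: does a T1059.001 (PowerShell
execution) process-creation event appear in Sysmon telemetry with the
fields a detection rule keys on?  Added example, not course material."""
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML (the shape Sysmon writes locally).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records, not captured from a real host.  Image paths are
# the standard Windows locations; the command lines are benign.
SAMPLE_EVENTS = [
    # 1) Sysmon Event ID 1: Windows PowerShell launched from Explorer -> should match
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -Command Get-Date</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    # 2) Event ID 1 for Notepad -> a process creation, but not PowerShell
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe C:\Users\lab\notes.txt</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    # 3) Event ID 3 (network connection) from powershell.exe -> wrong event type for this rule
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="DestinationIp">10.0.0.5</Data>
  </EventData>
</Event>""",
    # 4) Event ID 1: PowerShell 7 (pwsh.exe) -> should match as well
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\PowerShell\7\pwsh.exe</Data>
    <Data Name="CommandLine">pwsh.exe -NoProfile -Command Get-Process</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>""",
]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Windows Event XML record into {'EventID': int, <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {"EventID": event_id, **fields}


def is_powershell_execution(event: dict) -> bool:
    """Sigma-style selection for T1059.001 over Sysmon process creation:
    EventID 1 and Image ending in powershell.exe or pwsh.exe (case-insensitive)."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    return image.endswith(("\\powershell.exe", "\\pwsh.exe"))


def smoke_test(events_xml, rule=is_powershell_execution) -> dict:
    """Run the rule over raw event records and summarise what landed.
    An empty input yields passed=False: no telemetry is a failed test."""
    parsed = [parse_sysmon_event(x) for x in events_xml]
    hits = [e for e in parsed if rule(e)]
    return {
        "total_events": len(parsed),
        "process_creates": sum(1 for e in parsed if e["EventID"] == 1),
        "hits": [e["CommandLine"] for e in hits],
        "passed": bool(hits),
    }


if __name__ == "__main__":
    result = smoke_test(SAMPLE_EVENTS)
    print(f"{result['total_events']} events, {result['process_creates']} process creates, "
          f"{len(result['hits'])} T1059.001 hits -> {'PASS' if result['passed'] else 'FAIL'}")
    for cmd in result["hits"]:
        print("  matched:", cmd)
```

The same selection has to be rewritten per SIEM because each pipeline renames these fields on ingest, which is why every technique sub in the course tabs the rule in Sigma, Sentinel KQL, Advanced Hunting KQL and SPL/Elastic. Keep the rule narrow (event type plus image name) for the smoke test; its job is to prove the pipe carries the event, not to catch evasions.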
Module structure
Each sub builds one piece of the lab with step-by-step commands, expected output, and verification checks. If something breaks, each sub includes troubleshooting for the most common failures.
Subs in this module
- PT1.1 Why a local lab — and why not your work environment
- PT1.2 Hypervisor and VM setup
- PT1.3 Windows endpoint build with Sysmon
- PT1.4 Active Directory domain controller build
- PT1.5 Joining the endpoint to the domain
- PT1.6 Linux VM build with auditd
- PT1.7 M365 developer tenant configuration
- PT1.8 Azure subscription, Sentinel deployment, Log Analytics workspace
- PT1.9 Defender XDR Advanced Hunting setup
- PT1.10 Secondary SIEM — Splunk Free path
- PT1.11 Secondary SIEM — Elastic path
- PT1.12 Smoke test — fire T1059.001, confirm all three SIEMs
- PT1.13 Module Summary
- PT1.14 Check My Knowledge
PT1.10 and PT1.11 are parallel paths — you do one, not both. Pick the SIEM that matches your environment or the one you want to learn.
What you'll need before starting
You should have completed Module 0 (Course Introduction). You need a workstation with a hypervisor installed (VirtualBox, Hyper-V, or VMware). You need an internet connection for downloading ISOs and configuring cloud services.
The lab build itself doesn't require any prior configuration. Each sub starts from scratch and ends with a verified component.
Cost
Everything is free except Sentinel. The Azure subscription is pay-as-you-go — realistic lab cost during the course is £15–25/month. Azure offers $200 of free credit on new accounts which covers the first month. See PT1.8 for the detailed cost breakdown.
Start here
Next, go to PT1.1 — Why a local lab. It covers the legal, practical, and learning reasons for building your own lab rather than using your employer's environment.
You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course