PT1.2 Hypervisor and VM Setup
You've used virtual machines before — maybe for testing, maybe for an isolated browsing environment, maybe for another course. This sub doesn't teach virtualisation from scratch. It gets you to the point where you have a hypervisor running and the ISOs downloaded, ready for the Windows and Linux builds in the subs that follow.
Pick your hypervisor
Three options. All free. The course works identically on all three.
VirtualBox — cross-platform (Windows, macOS, Linux). Free, open-source. The most portable option. Download from virtualbox.org. Install with defaults. If you're on Windows, enable the VirtualBox Host-Only Network adapter during install — you'll need it for inter-VM communication.
Hyper-V — Windows Pro/Enterprise only. Built into Windows, no separate download. Enable it via PowerShell:
# Enable Hyper-V (requires Windows Pro or Enterprise, reboot required)
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

After reboot, open Hyper-V Manager from the Start menu. If the command fails with "feature not found," your Windows edition doesn't include Hyper-V — use VirtualBox instead.
VMware Workstation Player — Windows and Linux. Free for personal use. Download from vmware.com. Install with defaults.
If you already have a hypervisor installed, use it. Don't switch for the course.
Verification: open your hypervisor and confirm you can see the VM management interface. If you can create a new VM (don't actually create one yet), the hypervisor is working.
Download the OS images
Three ISOs. Download all three before starting the VM builds — the downloads are large and you don't want to wait mid-build.
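The size checks that follow only catch a truncated download. As an added example, not part of the course materials, this POSIX shell script compares each ISO's SHA-256 with the value the vendor publishes (Ubuntu ships a SHA256SUMS file beside the image; for the Microsoft ISOs use the hash shown with the download, where one is given). The file names and hashes in MANIFEST are placeholders.

```shell
#!/bin/sh
# Added example, not from the course. A size check only catches a truncated
# download; comparing SHA-256 against the vendor's published value also
# catches a corrupted or tampered image. File names and hashes in MANIFEST
# are placeholders: use the ISO you downloaded and the hash published for it.

# iso_sha256 PATH: print the hex digest via sha256sum (Linux) or shasum (macOS).
iso_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso PATH EXPECTED_HEX: 0 on match, 1 on mismatch, 2 if the file is
# missing. Vendors publish hashes in either case, so compare in lower case.
verify_iso() {
    iso="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$iso" ] || { echo "MISSING  $iso"; return 2; }
    actual=$(iso_sha256 "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $iso"; return 0
    fi
    echo "MISMATCH $iso"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# One "path sha256" pair per line (placeholders; paths must not contain spaces).
MANIFEST="
$HOME/Downloads/Win11_23H2_EnterpriseEval_x64.iso  REPLACE_WITH_VENDOR_SHA256
$HOME/Downloads/windows-server-2022-eval.iso       REPLACE_WITH_VENDOR_SHA256
$HOME/Downloads/ubuntu-24.04-live-server-amd64.iso REPLACE_WITH_VENDOR_SHA256
"

# verify_manifest: check every entry; return 1 if any image fails or is missing.
verify_manifest() {
    rc=0
    while read -r path expected; do
        [ -n "$path" ] || continue          # skip blank lines
        verify_iso "$path" "$expected" || rc=1
    done <<EOF
$MANIFEST
EOF
    return $rc
}
if [ "${VERIFY_ISOS:-0}" = 1 ]; then verify_manifest; fi   # opt-in run
```

Run it as `VERIFY_ISOS=1 sh verify-isos.sh` after filling in MANIFEST; a non-zero exit means at least one image should be re-downloaded.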
Windows 10/11 Evaluation — the endpoint target VM.
Download from Microsoft Evaluation Center. Select "Windows 11 Enterprise Evaluation" and download the ISO. The evaluation is free for 90 days — renewable by re-arming, or by using a Visual Studio Dev subscription licence if you have one.
Verify the download completed:
# Check the ISO file size (should be ~5-6 GB)
Get-Item "C:\Users\$env:USERNAME\Downloads\Win11*.iso" |
Select-Object Name, @{N='SizeGB';E={[math]::Round($_.Length/1GB,2)}}

Name                               SizeGB
────                               ──────
Win11_23H2_EnterpriseEval_x64.iso    5.18

Windows Server 2022 Evaluation — the domain controller VM.
Download from Microsoft Evaluation Center. Select "ISO" format. Free for 180 days.
# Verify
Get-Item "C:\Users\$env:USERNAME\Downloads\*Server*2022*.iso" |
Select-Object Name, @{N='SizeGB';E={[math]::Round($_.Length/1GB,2)}}

Ubuntu Server 24.04 LTS — the Linux target and C2 host.
Download from ubuntu.com/download/server. Select the latest LTS release. ~2 GB.
# Verify (Linux/macOS)
ls -lh ~/Downloads/ubuntu-*-server-amd64.iso
# Or on Windows PowerShell
Get-Item "C:\Users\$env:USERNAME\Downloads\ubuntu-*-server*.iso" |
Select-Object Name, @{N='SizeMB';E={[math]::Round($_.Length/1MB,0)}}

VM sizing recommendations
These are recommendations, not requirements. The course works at any spec that can boot the VMs — performance varies with how much RAM and CPU you allocate.
VM Sizing — Recommended Allocation
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VM                  RAM     CPU   Disk     Notes
──────────────────  ──────  ────  ───────  ────────────────────────
Windows Endpoint    4 GB    2     40 GB    Primary target. Sysmon,
                                           attack tools installed.
Windows Server DC   2 GB    2     30 GB    AD DS only. Lightweight.
Ubuntu Server       2 GB    1     20 GB    auditd, Caldera, C2.
──────────────────  ──────  ────  ───────  ────────────────────────
Total when all 3    8 GB    5     90 GB    You rarely need all 3 at
running together                           once. Typical: 1–2 VMs
                                           at a time.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

If your workstation has 8 GB RAM total, run one VM at a time and allocate 4 GB to it. If you have 16 GB, you can run two comfortably. If you have 32 GB, run all three and keep your host responsive.
Disk format: use dynamically allocated (VirtualBox) or thin provisioning (VMware/Hyper-V). The VM disk file grows as the guest writes data, so a 40 GB allocation doesn't consume 40 GB immediately.
Network configuration
The VMs need to communicate with each other (for domain join, lateral movement, C2) and with the internet (for Azure/Sentinel connectivity, tool downloads). Configure two network adapters per VM:
Network Adapters per VM
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Adapter 1: NAT or Bridged → internet access
Adapter 2: Internal/Host-Only → inter-VM traffic
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

VirtualBox:

# Create a host-only network (run once)
VBoxManage hostonlyif create
# Note the interface name (e.g., "vboxnet0")
# For each VM, configure Adapter 2:
# Settings → Network → Adapter 2 → Enable → Host-only Adapter → vboxnet0

Hyper-V:

# Create an internal switch (run once)
New-VMSwitch -Name "PurpleTeamLab" -SwitchType Internal

VMware: use a "Custom" network adapter set to a VMnet in host-only mode. VMware creates VMnet1 (host-only) by default during installation.
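The VirtualBox adapter steps above, scripted with VBoxManage as an added example (not course material): it attaches NAT as adapter 1 and the host-only interface as adapter 2 to a named VM, then reads the configuration back to confirm it. It assumes the VMs already exist and are powered off, that the host-only interface is vboxnet0 (override with LAB_IF), and the VM names it loops over are placeholders.

```shell
#!/bin/sh
# Added example, not from the course: the VirtualBox "Adapter 2" step above
# done with VBoxManage so every lab VM gets the same two adapters, plus a
# read-back check. Assumes the VMs already exist (built in PT1.3/PT1.6) and
# are powered off. LAB_IF is the host-only interface reported by
# "VBoxManage hostonlyif create": vboxnet0 on Linux/macOS; on a Windows host
# it is normally "VirtualBox Host-Only Ethernet Adapter" (assumed name).
LAB_IF="${LAB_IF:-vboxnet0}"

# attach_lab_adapters VM [IFNAME]: adapter 1 NAT (internet access),
# adapter 2 host-only (inter-VM traffic). No IP addresses are set here;
# that happens when each VM is built.
attach_lab_adapters() {
    vm="$1"; ifname="${2:-$LAB_IF}"
    VBoxManage modifyvm "$vm" --nic1 nat --nic2 hostonly --hostonlyadapter2 "$ifname"
}

# check_lab_adapters VM [IFNAME]: read the VM config back with
# "showvminfo --machinereadable" (key="value" lines) and confirm both
# adapters are wired as intended. Returns 0 if so, 1 otherwise.
check_lab_adapters() {
    vm="$1"; ifname="${2:-$LAB_IF}"
    info=$(VBoxManage showvminfo "$vm" --machinereadable) || return 1
    for want in 'nic1="nat"' 'nic2="hostonly"' "hostonlyadapter2=\"$ifname\""; do
        if ! printf '%s\n' "$info" | grep -qxF -- "$want"; then
            echo "$vm: expected $want in showvminfo output"
            return 1
        fi
    done
    echo "$vm: adapters OK"
}

# Lab VM names are placeholders; set LAB_APPLY=1 to run against VirtualBox.
if [ "${LAB_APPLY:-0}" = 1 ]; then
    for vm in "Win11-Endpoint" "WinServer2022-DC" "Ubuntu-Server"; do
        attach_lab_adapters "$vm" && check_lab_adapters "$vm"
    done
fi
```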
Don't assign IP addresses yet — that happens in PT1.3 (Windows) and PT1.6 (Linux) when the VMs are built.
Verification checklist
Before moving to PT1.3, confirm:
☐ Hypervisor installed and opens without errors
☐ Windows 10/11 Evaluation ISO downloaded (~5-6 GB)
☐ Windows Server 2022 Evaluation ISO downloaded (~5 GB)
☐ Ubuntu Server ISO downloaded (~2 GB)
☐ Internal/host-only network adapter created in hypervisor
☐ Enough free disk space for 3 VMs (~90 GB recommended)

If all six pass, you're ready. PT1.3 builds the Windows endpoint — the primary target VM for most of the course.
You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course