Elastic Profile
Full lab with Elastic Stack SIEM, dual AD domains, ADCS, IIS + MSSQL, GitLab CE, and Breach & Attack Simulation.
Infrastructure
All VMs run on VLAN 50 (10.2.50.0/24).
| IP | Hostname | OS | Role |
|---|---|---|---|
| 10.2.50.1 | elastic | Debian 12 | SIEM — Elastic Stack + Fleet |
| 10.2.50.2 | ops | Ubuntu 24.04 | Operations — Guacamole + Infection Monkey |
| 10.2.50.11 | DC01-2022 | Windows Server 2022 | Primary DC — thruntops.domain |
| 10.2.50.12 | DC01-SEC | Windows Server 2022 | Primary DC — secondary.thruntops.domain |
| 10.2.50.13 | ADCS | Windows Server 2022 | Certificate Authority — thruntops.domain |
| 10.2.50.14 | WEB | Windows Server 2022 | IIS + ASP.NET + MSSQL 2019 |
| 10.2.50.15 | gitlab | Ubuntu 24.04 | GitLab CE — source control + CI/CD |
| 10.2.50.21 | WIN11-22H2-1 | Windows 11 22H2 | Workstation — thruntops.domain |
| 10.2.50.22 | WIN11-22H2-2 | Windows 11 22H2 | Workstation — secondary.thruntops.domain |
| 10.2.50.254 | router | Debian 11 | Router / DNS |
Kali is not deployed by default. Run `bash scripts/add-kali.sh` to add it at 10.2.50.250.
Network Diagram
```mermaid
graph TB
    subgraph VLAN50["VLAN 50 — 10.2.50.0/24"]
        subgraph primary["thruntops.domain"]
            DC1["🖥 DC01-2022\n10.2.50.11\nPrimary DC"]
            ADCS["🖥 ADCS\n10.2.50.13\nCertificate Authority"]
            WEB["🖥 WEB\n10.2.50.14\nIIS + ASP.NET + MSSQL"]
            W1["🖥 WIN11-22H2-1\n10.2.50.21\nWorkstation"]
        end
        subgraph secondary["secondary.thruntops.domain"]
            DC2["🖥 DC01-SEC\n10.2.50.12\nPrimary DC"]
            W2["🖥 WIN11-22H2-2\n10.2.50.22\nWorkstation"]
        end
        ELASTIC["🐧 elastic\n10.2.50.1\nElastic SIEM"]
        OPS["🐧 ops\n10.2.50.2\nGuacamole + Monkey"]
        GITLAB["🐧 gitlab\n10.2.50.15\nGitLab CE"]
        ROUTER["🔀 router\n10.2.50.254\nRouter / DNS"]
    end
    DC1 <-->|"domain trust"| DC2
    ADCS -->|"member"| DC1
    WEB -->|"member"| DC1
    W1 -->|"member"| DC1
    W2 -->|"member"| DC2
    GITLAB -->|"CI/CD deploy"| WEB
    ELASTIC -.->|"Fleet agent"| DC1
    ELASTIC -.->|"Fleet agent"| DC2
    ELASTIC -.->|"Fleet agent"| ADCS
    ELASTIC -.->|"Fleet agent"| WEB
    ELASTIC -.->|"Fleet agent"| W1
    ELASTIC -.->|"Fleet agent"| W2
    ELASTIC -.->|"Fleet agent"| OPS
    ELASTIC -.->|"Fleet agent"| GITLAB
    OPS -->|"RDP/SSH"| VLAN50
    OPS -->|"BAS simulation"| VLAN50
    ROUTER -->|"DNS / GW"| VLAN50
```
Credentials
| Service | URL | User | Password |
|---|---|---|---|
| Elastic / Kibana | https://10.2.50.1:5601 | elastic | set in elastic.yml → ludus_elastic_password |
| Guacamole | http://10.2.50.2:8080/guacamole/ | guacadmin | guacadmin |
| Infection Monkey | https://10.2.50.2:5000 | — | set on first visit |
| GitLab | http://10.2.50.15 | root | set on first visit |
Guacamole pre-loaded connections
| Connection | Protocol | Host | Bound user | Password |
|---|---|---|---|---|
| DC01-2022 | RDP | 10.2.50.11 | thruntops\domainuser | NV#8SL9# |
| DC01-SEC | RDP | 10.2.50.12 | secondary\domainuser | p0aAQ¿9) |
| ADCS | RDP | 10.2.50.13 | thruntops\primary_user04 | ggA15$y! |
| WEB | RDP | 10.2.50.14 | webadmin | O5G=S(5q |
| WIN11-22H2-1 | RDP | 10.2.50.21 | basicuser | H)2?H8vC |
| WIN11-22H2-2 | RDP | 10.2.50.22 | basicuser | H)2?H8vC |
| gitlab | SSH | 10.2.50.15 | primary_user05 | X¿s\|m7C8 |
| SIEM | SSH | 10.2.50.1 | localuser | — (key auth) |
| ops | SSH | 10.2.50.2 | localuser | — (key auth) |
Deployment
```bash
ludus range config set -f ranges/elastic.yml
ludus range deploy
```
Monitor:
```bash
ludus range logs -f
```
Verify Fleet agent enrollment after deploy:
```bash
bash tests/fleet_status.sh
```
All Windows VMs (DC01-2022, DC01-SEC, ADCS, WEB, WIN11-22H2-1, WIN11-22H2-2), the GitLab VM, and the ops VM should appear with status online.
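The enrollment check described above, as an added example that is not the range's own `tests/fleet_status.sh`: it compares the hosts listed in this README against what Kibana's Fleet API (`GET /api/fleet/agents`, which returns an `items` array whose entries carry `status` and `local_metadata.host.hostname`) reports, and separates hosts that never enrolled from hosts that enrolled but are not `online`. The `fetch_agents` helper, its `api_key` and `ca_file` parameters, and the sample response are assumptions constructed for this example; the assumed CA bundle is used so certificate verification stays on against the lab's self-signed Kibana certificate.

```python
"""Compare Fleet agent enrollment against the lab's expected inventory.

Added example, not the range's own code. Assumes the Kibana Fleet API
endpoint GET /api/fleet/agents, authenticated with an API key.
"""
import json
import ssl
import urllib.request

# Hosts that should appear as enrolled, per the range README.
EXPECTED_HOSTS = {
    "DC01-2022", "DC01-SEC", "ADCS", "WEB",
    "WIN11-22H2-1", "WIN11-22H2-2", "gitlab", "ops",
}

# Constructed sample of a Fleet API response (assumed shape):
# WIN11-22H2-2 has not enrolled at all, gitlab enrolled but went offline.
SAMPLE_RESPONSE = {
    "items": [
        {"status": "online", "local_metadata": {"host": {"hostname": "DC01-2022"}}},
        {"status": "online", "local_metadata": {"host": {"hostname": "DC01-SEC"}}},
        {"status": "online", "local_metadata": {"host": {"hostname": "ADCS"}}},
        {"status": "online", "local_metadata": {"host": {"hostname": "WEB"}}},
        {"status": "online", "local_metadata": {"host": {"hostname": "WIN11-22H2-1"}}},
        {"status": "offline", "local_metadata": {"host": {"hostname": "gitlab"}}},
        {"status": "online", "local_metadata": {"host": {"hostname": "ops"}}},
    ],
    "total": 7,
}


def agent_states(response):
    """Map each enrolled hostname (lower-cased, since Windows and Linux
    report different casing) to the status Fleet assigns it."""
    states = {}
    for item in response.get("items", []):
        host = item.get("local_metadata", {}).get("host", {}).get("hostname", "")
        if host:
            states[host.lower()] = item.get("status", "unknown")
    return states


def check_enrollment(response, expected=EXPECTED_HOSTS):
    """Return (missing, not_online): expected hosts with no agent record,
    and expected hosts whose agent exists but is not reported 'online'."""
    states = agent_states(response)
    missing = sorted(h for h in expected if h.lower() not in states)
    not_online = sorted(
        h for h in expected
        if h.lower() in states and states[h.lower()] != "online"
    )
    return missing, not_online


def fetch_agents(kibana_url, api_key, ca_file=None):
    """Query the Fleet agents endpoint (assumed helper, network access required).

    kibana_url: e.g. https://10.2.50.1:5601
    api_key:    a Kibana API key with Fleet read privileges
    ca_file:    CA bundle that signed the lab's Kibana certificate, so TLS
                verification is kept on rather than disabled.
    """
    req = urllib.request.Request(
        f"{kibana_url}/api/fleet/agents?perPage=100",
        headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"},
    )
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    missing, not_online = check_enrollment(SAMPLE_RESPONSE)
    print("never enrolled:", missing)       # ['WIN11-22H2-2']
    print("enrolled, not online:", not_online)  # ['gitlab']
```

Against a live range, replace `SAMPLE_RESPONSE` with `fetch_agents("https://10.2.50.1:5601", api_key, ca_file=...)`; an empty `missing` and `not_online` corresponds to the "all online" state the deployment step expects.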
Development Pipeline
GitLab CE (10.2.50.15) is the source control and CI/CD hub for the web application running on WEB (10.2.50.14). Code pushed to GitLab triggers a pipeline that deploys to C:\inetpub\wwwroot on the IIS server.