6 VLANs | 8+ VMs | 4 SIEM Tools | Proxmox Hypervisor

Purpose

A production-grade security research lab built on Proxmox VE for continuous skills development, tool testing, detection rule validation, and realistic attack simulation. Every component mirrors enterprise production patterns — ensuring skills transfer directly to real environments without adjustments.

The lab supports the full attack-defend cycle: adversary simulation on isolated attack VLAN → detection in SIEM → hunting in dedicated hunt environment → detection rule creation → deployment validation. Everything feeds back into production improvements at PostEx.

Hardware Specifications

Primary Server:
  Platform:  Bare metal server (self-hosted)
  CPU:       Intel / AMD, 32 hardware threads (allocated to VMs as vCPUs)
  RAM:       64GB DDR4 ECC
  Storage:   2TB NVMe SSD (VM disks)
             4TB HDD RAID1 (log storage)
  Network:   4x 1GbE NIC (VLAN trunking)
  IPMI:      Remote out-of-band management

Network Hardware:
  Switch:    Managed L2/L3 with 802.1Q VLAN support
  Router:    MikroTik RouterOS (VLAN routing + firewall)
  WiFi:      Segmented guest/lab/management SSIDs

Network Architecture (VLAN Design)

VLAN 10
💥 Corporate Network
  • Windows 10/11 Workstations
  • Windows Server 2022 (AD DC)
  • File Server
  • Exchange/Mail Server
VLAN 20
🔎 Attack VLAN
  • Kali Linux (primary attacker)
  • Parrot OS (secondary)
  • C2 Framework VMs
  • Reaches corp targets; ACL blocks it from monitoring and management VLANs
VLAN 30
🔌 Security Monitoring
  • Security Onion (NSM)
  • Wazuh Manager
  • ELK Stack / Kibana
  • n8n Automation
VLAN 40
📈 Splunk
  • Splunk Enterprise
  • Splunk Forwarder VMs
  • Threat Intel Platform
VLAN 50
🖥 Linux Server Lab
  • Ubuntu 22.04 LTS servers
  • CentOS/RHEL servers
  • Web application targets
VLAN 99
🔒 Management
  • Proxmox VE web UI
  • Jump server (SSH bastion)
  • IPMI/iDRAC access

VM Inventory

VM Name      OS                    VLAN  Purpose                             CPU/RAM
dc01         Windows Server 2022   10    Active Directory Domain Controller  2vCPU / 4GB
win10-01     Windows 10 22H2       10    Victim workstation                  2vCPU / 4GB
kali-main    Kali Linux 2024       20    Primary attack platform             4vCPU / 8GB
seconion     Security Onion 2.4    30    NSM — Suricata + Zeek               4vCPU / 8GB
wazuh-mgr    Ubuntu 22.04          30    Wazuh Manager + Elastic             4vCPU / 12GB
splunk-ent   Ubuntu 22.04          40    Splunk Enterprise (standalone)      4vCPU / 12GB
ubuntu-01    Ubuntu 22.04 LTS      50    Linux target / web app host         2vCPU / 4GB
n8n-auto     Ubuntu 22.04          30    n8n SOC automation                  2vCPU / 4GB

Network Topology Diagram

Internet
    |
MikroTik Router (VLAN routing + NAT + Firewall)
    |
    ├── VLAN 10 (Corporate) ──── dc01, win10-01 (targets)
    |        │
    |     Wazuh Agent, Splunk UF, Elastic Agent installed
    |
    ├── VLAN 20 (Attack) ────── kali-main, parrot-os
    |        │
    |     ACL: can reach VLAN 10; blocked from VLAN 30,40,99
    |
    ├── VLAN 30 (Security Monitoring)
    |        ├── seconion (SPAN port from switch)
    |        ├── wazuh-mgr
    |        └── n8n-auto
    |
    ├── VLAN 40 (Splunk)
    |        └── splunk-ent (receives from forwarders on all VLANs)
    |
    ├── VLAN 50 (Linux Lab)
    |        └── ubuntu-01, ubuntu-02
    |
    └── VLAN 99 (Management - Restricted)
             └── Proxmox web UI, SSH jump server

Key Lab Scenarios

Scenario 1: Kerberoasting Detection

  1. Kali Linux runs GetUserSPNs.py against DC (T1558.003)
  2. DC logs Event ID 4769 (Kerberos service ticket requested) with TicketEncryptionType 0x17 (RC4-HMAC), the etype GetUserSPNs.py asks for so the ticket is cheap to crack offline
  3. Wazuh agent on DC ships log to Wazuh Manager → alert fires
  4. Splunk SPL hunt query confirms pattern across multiple accounts
  5. New detection rule written and pushed via Ansible to production
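The hunt in steps 2 to 4, as an added example that is not part of the lab's own rule set: it runs over a constructed batch of 4769 records (field names follow the Windows event schema; the LAB.LOCAL realm, account names and thresholds are assumed) and flags any account that obtained RC4 service tickets for several distinct non-machine SPNs inside one short window.

```python
"""Kerberoasting hunt over a batch of Event ID 4769 records (scenario 1).

Added example, not the lab's own detection content. The events are
constructed to resemble the JSON a Wazuh agent forwards from the DC's
Security log: field names follow the Windows 4769 schema, while the realm,
host and account names are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC (etype 23)
MIN_DISTINCT_SPNS = 3           # distinct service accounts within WINDOW
WINDOW = timedelta(minutes=5)


def ev(ts, user, spn, etype, status="0x0", ip="::ffff:10.0.20.10"):
    return {"ts": ts, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}


# Constructed sample: a burst of RC4 tickets for four user SPNs from jdoe
# (the GetUserSPNs.py pattern), surrounded by normal noise.
SAMPLE_4769 = [
    ev("2024-05-01T10:00:01", "jdoe@LAB.LOCAL", "svc_sql", "0x17"),
    ev("2024-05-01T10:00:01", "jdoe@LAB.LOCAL", "svc_http", "0x17"),
    ev("2024-05-01T10:00:02", "jdoe@LAB.LOCAL", "svc_backup", "0x17"),
    ev("2024-05-01T10:00:02", "jdoe@LAB.LOCAL", "svc_mssql", "0x17"),
    ev("2024-05-01T10:00:02", "jdoe@LAB.LOCAL", "svc_web", "0x17", status="0x1b"),   # failed TGS-REQ, ignored
    ev("2024-05-01T10:00:05", "WIN10-01$@LAB.LOCAL", "DC01$", "0x12", ip="::ffff:10.0.10.50"),  # machine ticket
    ev("2024-05-01T10:03:00", "alice@LAB.LOCAL", "svc_sql", "0x12", ip="::ffff:10.0.10.51"),    # AES, normal use
    ev("2024-05-01T10:04:00", "bob@LAB.LOCAL", "svc_sql", "0x17", ip="::ffff:10.0.10.52"),      # one legacy RC4 ticket
    ev("2024-05-01T11:30:00", "bob@LAB.LOCAL", "svc_http", "0x17", ip="::ffff:10.0.10.52"),     # outside the window
]


def is_machine_or_krbtgt(service_name):
    """Computer accounts and krbtgt are requested constantly and are not roastable targets."""
    return service_name.endswith("$") or service_name.lower() == "krbtgt"


def find_kerberoasting(events, min_spns=MIN_DISTINCT_SPNS, window=WINDOW):
    """Return {requester: [spn, ...]} for accounts that obtained RC4 service
    tickets for >= min_spns distinct non-machine SPNs inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("Status") != "0x0":                       # only tickets actually issued
            continue
        if e["TicketEncryptionType"].lower() != RC4_HMAC:  # AES tickets are the normal case
            continue
        if is_machine_or_krbtgt(e["ServiceName"]):
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), e["ServiceName"]))

    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):              # sliding window anchored on each request
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits


# Roughly the same hunt in Splunk SPL over the Windows TA field names:
#   index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17 Failure_Code=0x0
#   NOT Service_Name="*$" NOT Service_Name=krbtgt
#   | bin _time span=5m | stats dc(Service_Name) AS spns values(Service_Name) BY _time, Account_Name
#   | where spns >= 3

if __name__ == "__main__":
    for user, spns in find_kerberoasting(SAMPLE_4769).items():
        print(f"Kerberoasting candidate: {user} requested RC4 tickets for {spns}")
```

Tune MIN_DISTINCT_SPNS and WINDOW against the lab's baseline first: a service account that legitimately holds an RC4-only SPN will show up as single hits, which is why the rule keys on several distinct SPNs from one requester rather than on any 0x17 ticket.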

Scenario 2: Lateral Movement via RDP

  1. Attacker compromises win10-01, uses valid credentials to RDP to another host
  2. Security Onion (SPAN port) records a new TCP/3389 connection in Zeek conn.log from a workstation that never originates RDP
  3. Elastic Defend rule on the source host fires on mstsc.exe starting followed by Event ID 4648 (logon with explicit credentials)
  4. EQL sequence rule joins that with Event ID 4624 LogonType 10 (RemoteInteractive) on the destination host to confirm the lateral movement
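The cross-host join from steps 3 and 4, as an added example that is not the lab's own rule: it pairs a constructed 4648 from mstsc.exe on the source host with a 4624 LogonType 10 on the named target arriving from that source's IP within 60 seconds, and reports pairs whose source is not an approved RDP origin. Host names, IP addresses and the bastion allow-list are assumed.

```python
"""RDP lateral-movement correlation across hosts (scenario 2).

Added example, not the lab's own rule. It joins two constructed Windows
events the way an EQL sequence rule would: Event ID 4648 (explicit-credential
logon) from mstsc.exe on the source host, followed within 60 s by Event ID
4624 LogonType 10 (RemoteInteractive) on the named target, arriving from the
source host's IP. Host names, IPs and the allow-list are assumed.
"""
from datetime import datetime, timedelta

MAX_GAP = timedelta(seconds=60)
HOST_IPS = {"win10-01": "10.0.10.50", "jump01": "10.0.99.10"}   # assumed asset inventory
RDP_ALLOWED_SOURCES = {"jump01"}                                 # only the bastion may RDP in


def e4648(ts, host, subject, target_user, target_server):
    return {"ts": ts, "host": host, "EventID": 4648, "SubjectUserName": subject,
            "TargetUserName": target_user, "TargetServerName": target_server,
            "ProcessName": r"C:\Windows\System32\mstsc.exe"}


def e4624(ts, host, user, ip, logon_type="10"):
    return {"ts": ts, "host": host, "EventID": 4624, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed events: one admin RDP hop from the bastion (expected) and one
# from the compromised workstation using stolen credentials (not expected).
SAMPLE_EVENTS = [
    e4648("2024-05-01T10:00:00", "jump01", "ops.admin", "ops.admin", "dc01.lab.local"),
    e4624("2024-05-01T10:00:02", "dc01", "ops.admin", "10.0.99.10"),
    e4648("2024-05-01T10:05:00", "win10-01", "jdoe", "administrator", "fs01.lab.local"),
    e4624("2024-05-01T10:05:03", "fs01", "administrator", "10.0.10.50"),
    e4624("2024-05-01T10:05:04", "fs01", "administrator", "10.0.10.50", logon_type="3"),  # SMB, not RDP
    e4648("2024-05-01T10:20:00", "win10-01", "jdoe", "backup", "bk01.lab.local"),
    e4624("2024-05-01T10:25:00", "bk01", "backup", "10.0.10.50"),   # 5 min later: outside the window
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate_rdp_lateral(events, max_gap=MAX_GAP, allowed=RDP_ALLOWED_SOURCES):
    """Return [(src_host, dst_host, user)] for mstsc 4648 -> 4624/type-10 pairs
    whose source host is not an approved RDP origin."""
    starts = [e for e in events if e["EventID"] == 4648
              and e["ProcessName"].lower().endswith("\\mstsc.exe")]
    logons = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == "10"]
    hits = []
    for s in starts:
        dst = s["TargetServerName"].split(".")[0].lower()   # 4648 carries the FQDN, 4624 the host name
        src_ip = HOST_IPS.get(s["host"])
        for l in logons:
            if (l["host"].lower() == dst and l["IpAddress"] == src_ip
                    and l["TargetUserName"] == s["TargetUserName"]
                    and timedelta(0) <= _ts(l) - _ts(s) <= max_gap):
                if s["host"] not in allowed:
                    hits.append((s["host"], dst, l["TargetUserName"]))
                break                                        # one logon per 4648 is enough
    return hits


# Roughly the same join as an Elastic EQL sequence rule (ECS/winlog field names):
#   sequence with maxspan=60s
#     [any where event.code == "4648" and winlog.event_data.ProcessName : "*\\mstsc.exe"]
#     [any where event.code == "4624" and winlog.event_data.LogonType == "10"]

if __name__ == "__main__":
    for src, dst, user in correlate_rdp_lateral(SAMPLE_EVENTS):
        print(f"RDP lateral movement: {src} -> {dst} as {user}")
```

The source-IP lookup is the weak point of this join: 4624 reports the caller's IP, 4648 reports the caller's host name, so the asset inventory that maps one to the other has to be current or the pair never matches.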

Scenario 3: C2 Beaconing via DNS

  1. Simulated C2 agent makes regular DNS queries to a controlled domain
  2. Zeek DNS log captures high-frequency queries with high-entropy subdomains
  3. Splunk SPL query flags statistical anomaly in DNS query patterns
  4. Suricata rule on Security Onion alerts on the oversized, high-label-count queries (a JA3 match would only apply if the channel were TLS-wrapped, e.g. DNS over HTTPS)
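The Zeek-side hunt from steps 2 and 3, as an added example that is not the lab's own query: it parses a constructed dns.log (Zeek's TSV layout, trimmed to the fields the hunt reads) and scores each client/domain pair on query volume, subdomain churn, label entropy and inter-query regularity. The client IPs, the beacon domain c2-lab.test and the thresholds are assumed.

```python
"""DNS beaconing hunt over Zeek dns.log (scenario 3).

Added example, not the lab's own rule. The log below is constructed in
Zeek's TSV layout but trimmed to the fields the hunt reads; the client IPs,
the beacon domain (c2-lab.test) and the thresholds are assumed.
"""
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

MIN_QUERIES = 20          # at least this many queries to one domain from one client
MIN_ENTROPY = 3.0         # mean Shannon entropy (bits/char) of the leftmost label
MIN_DISTINCT_RATIO = 0.9  # share of queries whose full name was never seen before


def build_sample_dns_log():
    """Constructed dns.log: 30 beacon queries every 60 s with random-looking
    labels, interleaved with ordinary lookups from the same and another host."""
    base = 1714557600.0
    rows = ["#separator \\x09", "#path\tdns",
            "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name"]
    for i in range(30):
        label = hashlib.sha256(f"beacon{i}".encode()).hexdigest()[:24]
        rows.append(f"{base + 60 * i:.6f}\t10.0.10.50\t10.0.10.2\t{label}.c2-lab.test\tTXT")
    for i in range(25):   # benign: same host, three names, irregular timing
        name = ["www.example.com", "cdn.example.com", "mail.example.com"][i % 3]
        rows.append(f"{base + (7 * i * i) % 1800:.6f}\t10.0.10.50\t10.0.10.2\t{name}\tA")
    rows.append(f"{base + 5:.6f}\t10.0.10.51\t10.0.10.2\tupdates.example.com\tA")
    return "\n".join(rows)


def shannon_entropy(s):
    """Bits per character; 0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(query):
    parts = query.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])        # naive eTLD+1; use a public-suffix list in production


def parse_dns_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def find_dns_beacons(text, min_queries=MIN_QUERIES, min_entropy=MIN_ENTROPY,
                     min_distinct=MIN_DISTINCT_RATIO):
    """Return {(client, domain): stats} for pairs exceeding every threshold."""
    groups = defaultdict(list)
    for rec in parse_dns_log(text):
        q = rec["query"].rstrip(".").lower()
        groups[(rec["id.orig_h"], registered_domain(q))].append((float(rec["ts"]), q))
    hits = {}
    for key, entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        labels = [q.split(".")[0] for _, q in entries]
        ts = [t for t, _ in entries]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = mean(gaps) if gaps else 0.0
        stats = {
            "queries": len(entries),
            "distinct_ratio": len({q for _, q in entries}) / len(entries),
            "mean_entropy": mean(shannon_entropy(l) for l in labels),
            # coefficient of variation of the inter-query interval: 0.0 is perfectly periodic
            "interval_cv": pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 0.0,
        }
        if stats["mean_entropy"] >= min_entropy and stats["distinct_ratio"] >= min_distinct:
            hits[key] = stats
    return hits


# Roughly the same aggregation in Splunk SPL over Zeek dns events:
#   sourcetype=zeek:dns | rex field=query "(?<domain>[^.]+\.[^.]+)$"
#   | stats count dc(query) AS distinct BY id.orig_h, domain | where count >= 20 AND distinct/count >= 0.9

if __name__ == "__main__":
    for (client, domain), st in find_dns_beacons(build_sample_dns_log()).items():
        print(f"DNS beacon candidate: {client} -> {domain} {st}")
```

The entropy and churn thresholds do the real work; the interval CV is reported rather than thresholded because any agent with jitter configured defeats a pure periodicity check, and CDN hostnames are the usual false positive for the churn test.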

Monitoring Stack on VLAN 10 Targets

# On every Windows VM in VLAN 10 (elevated PowerShell prompt):

# 1. Splunk Universal Forwarder: silent MSI install via msiexec. The deployment server
#    pushes the inputs/outputs apps; RECEIVING_INDEXER points data at splunk-ent:9997 on first start.
Start-Process msiexec.exe -Wait -ArgumentList '/i splunkforwarder-9.x-x64-release.msi DEPLOYMENT_SERVER=splunk-ent:8089 RECEIVING_INDEXER=splunk-ent:9997 AGREETOLICENSE=Yes /quiet'

# 2. Wazuh Agent: enrol against wazuh-mgr using this host's name as the agent name.
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.x.msi -OutFile wazuh-agent.msi
Start-Process msiexec.exe -Wait -ArgumentList "/i wazuh-agent.msi WAZUH_MANAGER=wazuh-mgr WAZUH_AGENT_NAME=$env:COMPUTERNAME /q"
Start-Service -Name WazuhSvc   # the installer registers the service but does not start it

# 3. Elastic Agent (Fleet-managed): TOKEN_HERE is the enrollment token from Kibana > Fleet;
#    add --certificate-authorities=<path to lab CA> if the Fleet Server uses a lab-issued certificate.
.\elastic-agent.exe install --url=https://fleet-server:8220 --enrollment-token=TOKEN_HERE