Anyone have experience building a Windows AD lab environment in Docker?




The closest thing I've found to what I'm attempting is this stream. From the description:

It is common for people to use spare hardware switches, routers, firewalls, and servers. For years, I used VMware workstation on desktops with multiple SSDs and lots of RAM so I could simulate a dozen VMs.

But is there an easier way? Can we simulate hundreds of systems on a desktop? With Docker, I think we can. - cyberlibrarian

However, this video was only a rough guide; as far as I can tell, the code wasn't published, and only the early networking setup is covered.


Our org doesn't provide the kind of lab we need so we've been trying to set up an AD testing environment on a hobbyist budget. And that's a low-end (enlisted / E4 pay) "hobbyist budget" not an "I make 6 figures" hobbyist budget.

This post is going to be a bit longer than it needs to be, mostly because I want to cite many of the resources, challenges, and solutions I've found for doing this along the way.

Big picture: We want to work out an in-depth ELK workflow and develop some threat hunting automation. A small ELK stack is hosted for a very reasonable price ($0.0263/hr for a small stack w/ 45GB storage as of today). And a CoCalc instance (collaborative cloud-hosted JupyterLab) costs another $6 per month. So between those two low-cost resources we've figured out a pretty neat Python -> Vega -> Kibana workflow to apply some data science and visualization to our threat-hunting workflow (after some trouble).

Now we just need to figure out low-cost simulated AD infrastructure to ingress some threat emulation logs.

Cloud Lab == $$$

We looked into pre-configured, plug-and-play options. One project (leveraging Ansible) is called PurpleCloud. Probably because running even a handful of Windows VMs on a PC can get pretty slow, pretty fast, their project spins this network up on Azure. However, the estimated monthly cost of the cloud resources is not attractive: over $300 per month. While it's true that we would not need to run the lab every day, resulting in lower cost, I think we would want to run new tests fairly often, especially if multiple analysts are using it (and I already know the burn of forgetting an EC2 instance on for a week or two).

So... Docker?

So I've been really interested in leveraging Docker's Windows containers. Because containers re-use the same kernel, you can spin up many, many more docker containers than you could VMs. Docker also has good automation and customization capabilities for designing and deploying the assets. Technically, everything we need for a full sim is offered, including Windows 10 Enterprise (although you do seem to need to be running at least Windows 10 or 11 Pro to host these containers).

However, I've been tinkering with this for a few days now without success so far. I'm running into bugs and also am simply uncertain whether this is even viable. For example, I don't know if the Windows images offered for Docker will support the commands run by the PowerShell testing suite we have in mind for simulating threats, Invoke-AtomicRedTeam. Theoretically, everything should work fine. I'm also curious if someone else has already done this and published setup scripts or anything to help.

It would be interesting to see any examples of others trying this. Or maybe someone has tried setting up a small 5-6 VM lab on a personal PC and had some success (I have a high-end rig, I might be able to try that). But all in all, this is a rather niche thing to do, especially in our personally-funded scenario.

Looking for any tips / advice / services to look at.
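As an added illustration of the Python -> Vega -> Kibana side of the workflow the post describes (this is example code, not the poster's own scripts or anything from the cyberlibrarian stream or PurpleCloud): a small helper that (1) aggregates constructed Winlogbeat-style event records the way an Elasticsearch terms aggregation would, so the expected buckets can be checked offline before anything is shipped, and (2) emits a Kibana Vega-Lite spec whose `data.url` block runs the same aggregation server-side. The ECS field names (`event.code`, `host.name`, `process.command_line`), the `winlogbeat-*` index pattern, the `by_field` aggregation name and the sample events are all assumptions made for the example.

```python
"""Added example: local stand-in for an ES terms aggregation plus a Kibana
Vega spec that asks Elasticsearch for the same buckets. Not from the post."""
import json
from collections import Counter

# Constructed sample of ECS-style Windows events, roughly what Winlogbeat
# would ship after an Invoke-AtomicRedTeam run. Hostnames, event codes and
# command lines are illustrative only.
SAMPLE_EVENTS = [
    {"host": {"name": "ws01"}, "event": {"code": "4688"},
     "process": {"command_line": "powershell.exe -enc SQBFAFgA"}},
    {"host": {"name": "ws01"}, "event": {"code": "4688"},
     "process": {"command_line": "whoami.exe"}},
    {"host": {"name": "ws02"}, "event": {"code": "4624"},
     "process": {"command_line": ""}},
    {"host": {"name": "dc01"}, "event": {"code": "4688"},
     "process": {"command_line": 'net.exe group "Domain Admins" /domain'}},
    {"host": {"name": "dc01"}, "event": {"code": "4769"},
     "process": {"command_line": ""}},
]


def get_path(doc, dotted):
    """Walk a dotted ECS field name such as 'host.name' through nested dicts.
    Returns None when any segment is missing, mirroring an absent ES field."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def terms_agg(events, field, size=10):
    """Offline stand-in for an Elasticsearch terms aggregation: returns
    [{'key': value, 'doc_count': n}, ...] ordered by doc_count descending,
    ties in first-seen order, capped at `size` buckets like ES does."""
    values = (get_path(e, field) for e in events)
    counts = Counter(v for v in values if v is not None)
    return [{"key": k, "doc_count": n} for k, n in counts.most_common(size)]


def kibana_vega_spec(field, index="winlogbeat-*", time_field="@timestamp", size=10):
    """Build a Vega-Lite spec for Kibana's Vega visualization. Kibana treats
    a data.url object carrying 'index' and 'body' as an Elasticsearch request
    and substitutes the dashboard time picker for the %timefilter% marker;
    'format.property' points Vega at the bucket array in the ES response."""
    return {
        "$schema": "https://vega.github.io/schema/vega-lite/v5.json",
        "title": f"Event count by {field}",
        "data": {
            "url": {
                "index": index,
                "body": {
                    "size": 0,
                    "query": {"bool": {"filter": [
                        {"range": {time_field: {"%timefilter%": True}}}
                    ]}},
                    "aggs": {"by_field": {"terms": {"field": field, "size": size}}},
                },
            },
            "format": {"property": "aggregations.by_field.buckets"},
        },
        "mark": "bar",
        "encoding": {
            "x": {"field": "key", "type": "nominal", "title": field},
            "y": {"field": "doc_count", "type": "quantitative", "title": "events"},
        },
    }


def spec_as_json(field):
    """Serialized spec, ready to paste into the Kibana Vega editor."""
    return json.dumps(kibana_vega_spec(field), indent=2)


if __name__ == "__main__":
    # Check the buckets locally, then print the spec that would produce
    # the same chart from live data in Kibana.
    print(terms_agg(SAMPLE_EVENTS, "event.code"))
    print(spec_as_json("event.code"))
```

The point of keeping a local `terms_agg` beside the spec is that the aggregation you expect to see in Kibana can be asserted against a hand-built sample before the lab is even running, which is cheap to do in a CoCalc notebook and catches field-name mistakes early.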
