rjonhaas/hunt_lab — reverse-engineered prompt


Build me a local cyber threat hunting lab that I can spin up on my own machine with VMware and Vagrant. I want one Linux VM running the security tools in Docker, including Elastic, Kibana, Fleet, MITRE Caldera, LocalStack, Velociraptor, and log shipping. I also want Windows VMs for a small Active Directory domain, with a domain controller, a server with a finance share, and a Windows 11 victim machine.

Please make the setup as automatic as possible with scripts for Windows PowerShell and Linux or macOS. After running setup, the lab should enroll the Windows machines into Elastic, install Sysmon, connect Caldera agents, seed fake users and data, and create a simulated S3 target.

Include two ready-to-run attack scenarios, one based on ransomware-style activity with endpoint and S3 exfiltration signals, and one based on identity attacks like Kerberoasting, DCSync, Golden Ticket, and Pass-the-Ticket. Add clear instructions, credentials output, troubleshooting notes, and an optional Tracecat SOAR overlay that can receive Kibana webhooks and run response playbooks.