petergamasecit-code/active-directory-kerberos-hardening

GitHub: petergamasecit-code/active-directory-kerberos-hardening

Stars: 0 | Forks: 0

# active-directory-kerberos-hardening

**Project Scope:** Active Directory, Kerberos Exploitation & Identity Hardening

This lab covers the configuration of centralized authentication services, the execution of identity-based attack primitives, and the engineering of detection rules that isolate credential abuse.

# Active Directory & Kerberos Hardening Lab

## Lab Infrastructure Breakdown

* **Identity Provider:** Windows Server 2022 (Domain Controller) / Linux FreeIPA Server
* **Defensive Gateway:** Wazuh Agent ingesting Event Channel / audited authentication logs
* **Attacker Machine:** Kali Linux running the Impacket framework and Hashcat

## Phase 1: Enabling Deep Authentication Auditing

A default Domain Controller does not give you a dependable record of the indicators that separate a Kerberoasting run from normal ticket traffic: which account requested service tickets for which service accounts, from which client address, and with which encryption type. All of those fields are carried in Security event 4769 (a Kerberos service ticket was requested), so the first step is to make sure every Domain Controller audits that subcategory for failures as well as successes, and that the setting is enforced from Group Policy rather than left to local defaults.

### 1. Configure the Audit Policy

To catch Kerberoasting, the Domain Controller must explicitly log service ticket operations:

1. Open `GPMC.msc` (Group Policy Management Console).
2. Edit the **Default Domain Controllers Policy**.
3. Navigate to: `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> `Advanced Audit Policy Configuration` -> `Audit Policies` -> `Account Logon`.
4. Set **Audit Kerberos Service Ticket Operations** to track both **Success** and **Failure**.

Success events are the ones that matter for Kerberoasting, because the attacker's requests are perfectly valid; the failure events record requests the KDC rejected, such as tickets for SPNs that do not exist.

### 2. Route Windows Event Logs to the Wazuh Manager

Update `ossec.conf` on the Domain Controller's Wazuh Agent so that it reads the Security channel and forwards the service ticket events:

```xml
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=4769]</query>
</localfile>
```

The `<query>` is an XPath filter on the channel, so this entry forwards only 4769. If the agent's default `<localfile>` for `Security` is still in the file, extend that entry's `<query>` instead of adding a second entry for the same channel (a filter that selects only 4769 would otherwise drop every other Security event the default entry was forwarding), and restart the agent service afterwards.

---

### Where should we take Phase 2 of this project?

* **Option A:** Write out the **Offensive Exploitation commands**, detailing how to pull tickets using Impacket (`GetUserSPNs.py`) and crack them using `hashcat`.
* **Option B:** Build the **Defensive SIEM rules**, writing custom Wazuh XML alerts that flag whenever a user requests an anomalous number of Kerberos service tickets using legacy encryption types.
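Verifying Phase 1, step 1: the GPO edit only helps if it actually lands on the Domain Controller, and the quickest way to prove that is to read the effective audit policy back and then look at one real 4769. The script below is an added example and is not part of this repository; it assumes an elevated PowerShell session on the DC, an English-language install (auditpol's subcategory names are localized), and the function names `Test-KerberosTicketAuditing` and `Get-LatestServiceTicketEvent` are mine, not the lab's.

```powershell
# Added example (not part of the lab's own files): confirm that the audit policy from
# Phase 1 step 1 reached this Domain Controller, then show one 4769 with the fields
# the later detection will depend on. Run in an elevated PowerShell on the DC.

function Test-KerberosTicketAuditing {
    [CmdletBinding()]
    param(
        # Subcategory name exactly as auditpol reports it on an English install
        [string]$Subcategory = 'Kerberos Service Ticket Operations',
        [string]$Expected    = 'Success and Failure'
    )

    # Refresh Group Policy first so we test the enforced setting, not a stale one.
    gpupdate /target:computer /force | Out-Null

    # /r switches auditpol to CSV output, which is simpler to check than the table.
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq $Subcategory }

    if (-not $row) {
        throw "auditpol returned no row for '$Subcategory'"
    }

    $ok = $row.'Inclusion Setting' -eq $Expected
    if (-not $ok) {
        Write-Warning ("'{0}' is '{1}', expected '{2}'. Check GPO precedence and the " +
            "'Audit: Force audit policy subcategory settings' option." -f
            $Subcategory, $row.'Inclusion Setting', $Expected)
    }
    return $ok
}

function Get-LatestServiceTicketEvent {
    # Returns the newest 4769 as a flat object; throws if the log has none yet.
    $e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } `
        -MaxEvents 1 -ErrorAction Stop
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $d['TargetUserName']         # requesting principal, e.g. alice@LAB.LOCAL
        Service = $d['ServiceName']            # account that owns the requested SPN
        Etype   = $d['TicketEncryptionType']   # 0x12 AES256, 0x11 AES128, 0x17 RC4
        Client  = $d['IpAddress']
        Status  = $d['Status']                 # 0x0 means the ticket was issued
    }
}

if (Test-KerberosTicketAuditing) {
    Get-LatestServiceTicketEvent | Format-List
}
```

If the check fails even though the GPO is set, the usual cause is a conflicting legacy `Audit account logon events` setting winning over the advanced subcategory; the policy named in the warning resolves that precedence in favour of the subcategories.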
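Before any of the 4769 stream that Phase 1 step 2 forwards to Wazuh is turned into a rule, it helps to run the intended logic directly against the Domain Controller's Security log and see what fires. Kerberoasting looks like one account requesting service tickets for many distinct service accounts inside a short window, typically asking for RC4 (etype 0x17) because those tickets crack fastest. The script below is an added example, not code from this repository: it assumes an elevated session on the DC, the function name `Find-KerberoastCandidates` is mine, and the one-hour window and five-SPN threshold are starting assumptions to tune per environment.

```powershell
# Added example (not the lab's own code): the Kerberoasting detection logic a SIEM rule
# would encode, run against the local Security log on the Domain Controller.

function Find-KerberoastCandidates {
    [CmdletBinding()]
    param(
        [int]$WindowMinutes   = 60,
        [int]$MinDistinctSpns = 5,     # assumed threshold; tune against your baseline
        # 0x17 RC4-HMAC, 0x3 DES-CBC-MD5, 0x1 DES-CBC-CRC: the legacy etypes a roaster asks for
        [string[]]$LegacyEtypes = @('0x17', '0x3', '0x1')
    )

    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
        -ErrorAction SilentlyContinue

    # Flatten each event's EventData into one object per ticket request.
    $requests = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d['TargetUserName']        # requesting user, e.g. alice@LAB.LOCAL
            Service = $d['ServiceName']           # account that owns the SPN
            Etype   = $d['TicketEncryptionType']
            Client  = $d['IpAddress']
            Status  = $d['Status']
        }
    }

    $requests |
        Where-Object {
            $_.Status -eq '0x0' -and                  # ticket was actually issued
            $LegacyEtypes -contains $_.Etype -and     # weak etype requested
            $_.Service -ne 'krbtgt' -and              # TGT traffic is not a roast
            $_.Service -notlike '*$'                  # machine accounts: random 120-char passwords, not crackable
        } |
        Group-Object Account |
        ForEach-Object {
            $spns = @($_.Group.Service | Sort-Object -Unique)
            if ($spns.Count -ge $MinDistinctSpns) {
                $times = @($_.Group.Time | Sort-Object)
                [pscustomobject]@{
                    Account          = $_.Name
                    DistinctServices = $spns.Count
                    Clients          = (@($_.Group.Client | Sort-Object -Unique) -join ', ')
                    FirstSeen        = $times[0]
                    LastSeen         = $times[-1]
                    Services         = ($spns -join ', ')
                }
            }
        }
}

Find-KerberoastCandidates -WindowMinutes 60 -MinDistinctSpns 5 | Format-Table -AutoSize
```

Two caveats when turning this into an alert. First, an account that legitimately talks to many RC4-only services will trip the threshold, so the fix is to migrate those service accounts to AES rather than to raise the number. Second, a service account that already supports only AES still produces a 4769, just with etype 0x12; such tickets are slower to crack but not immune, so the distinct-SPN count per account is worth watching regardless of etype, with the legacy etype as the high-confidence signal.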