# Active Directory Pentesting & Detection Lab
A **hands-on Active Directory security lab** designed to simulate real-world **enterprise attack paths** and study both **offensive techniques and defensive detection mechanisms**.
The project demonstrates how an attacker can move through an **Active Directory environment**, starting from **initial foothold** and progressing to **credential dumping and Kerberos ticket abuse**.
Each stage is documented with:
- attack methodology
- tools used
- command execution
- attack flow
- detection opportunities
- mitigation strategies
The objective is to understand the **full Active Directory attack lifecycle** and how security teams can detect and prevent these techniques.
---
# Lab Architecture
![Lab architecture diagram](https://miro.medium.com/v2/resize%3Afit%3A1200/1%2A8MuBbvWdV7jkGYWSYLrPpQ.png)
![Azure dominance attack paths](https://cloudbrothers.info/azure-attack-paths/images/AzureDominancePathsColor.png)
![SIEM architecture for the cyber kill chain model](https://www.researchgate.net/publication/336623025/figure/fig2/AS%3A815150235922433%401571358369417/Flowchart-showing-SIEM-architecture-for-cyber-kill-chain-model.ppm)
The lab simulates a **real enterprise environment** with an attacker machine interacting with an internal Active Directory domain.
### Infrastructure Components
| Component | Role |
| --- | --- |
| **Kali Linux** | Attacker machine used for penetration testing |
| **Windows Server 2019 (DC01)** | Domain Controller hosting Active Directory |
| **Windows 10 Workstation** | Domain-joined client machine |
| **Azure Sentinel** | SIEM used for detection and monitoring |
| **Log Analytics Workspace** | Centralized log collection |
| **Sysmon + Windows Event Logs** | Telemetry generation |
The setup allows simulation of:
- domain enumeration
- privilege escalation
- credential theft
- Kerberos attacks
- lateral movement
- detection engineering
---
# Active Directory Attack Path
![Active Directory attack chain](https://www.mdpi.com/electronics/electronics-11-02629/article_deploy/html/images/electronics-11-02629-g002-550.jpg)
![Credential dumping attack flow](https://cymulate.com/uploaded-files/2025/05/Credential-Dumping-Attack-Flow.png)
![Privilege escalation attack chain](https://assets.beyondtrust.com/assets/images/upm-attack-chain.png?auto=format&fit=clip&lossless=1&q=85&w=518)
The lab follows a **structured Active Directory attack chain**.
| Module | Attack Phase | Description |
| --- | --- | --- |
| M1 | Initial Exploitation | Network poisoning and credential capture |
| M2 | AD Enumeration | Mapping domain users, computers and privileges |
| M3 | DACL Abuse | Exploiting misconfigured permissions |
| M4 | Kerberos Abuse | Roasting attacks and authentication abuse |
| M5 | Credential Dumping | Extracting credentials from system databases |
| M6 | Kerberos Ticket Attacks | Forging and abusing Kerberos tickets |
Modules **M7–M10** extend into privilege escalation, persistence and ADCS exploitation.
---
# Lab Setup
## 1. Infrastructure
Create the following machines:
| Machine | OS | Purpose |
| --- | --- | --- |
| Attacker | Kali Linux | Offensive operations |
| Domain Controller | Windows Server 2019 | Active Directory domain |
| Client Machine | Windows 10 | Domain user workstation |
Network configuration:
```
Internal Network
|
Kali Linux (Attacker)
|
Windows Domain Controller
|
Domain Workstation
```
---
## 2. Domain Setup
Install **Active Directory Domain Services** on the server.
Example domain:
```
lab.local
```
Create domain users and groups for testing. Example users used in this lab:
```
naruto_uzumaki
sasuke_uchiha
sakura_haruno
kakashi_hatake
hinata_hyuga
shikamaru_nara
ino_yamanaka
```
Example enumeration output:
![Domain user enumeration output](https://miro.medium.com/v2/resize%3Afit%3A1400/1%2Afb9wK50FZNOLNzc80sZlFg.png)
![Domain user enumeration output](https://miro.medium.com/v2/resize%3Afit%3A2720/1%2AR9LegDg0xEGHBemgSwq96Q.png)
![Domain user enumeration output](https://api-broadcomcms-software.wolkenservicedesk.com/es/attachments/get_attachment_content?uniqueFileId=1465072060768)
---
# Monitoring & Detection Setup
Logs from the domain environment are forwarded to **Azure Sentinel** for analysis.
Collected telemetry:
- Windows Security Logs
- Active Directory Audit Logs
- Sysmon Events
- Authentication logs
Detection examples implemented:
- LSASS memory dump detection
- abnormal Kerberos ticket requests
- Kerberoasting activity
- suspicious replication (DCSync)
Example detection workflow:
```
Domain Logs
↓
Log Analytics Workspace
↓
Microsoft Threat Intelligence
↓
Detection Rules
↓
Security Alerts
```
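The LSASS memory dump detection listed above, written out as an added example (not the project's own Sentinel rule, which would be KQL) over constructed Sysmon Event 10 records. It assumes records are dicts with the Sysmon field names and that the allowlist of legitimate LSASS readers is built from the lab's own baseline.

```python
PROCESS_VM_READ = 0x0010  # the access right a memory dump needs; Sysmon logs GrantedAccess as a hex string

# Constructed allowlist of full image paths that open lsass.exe during normal operation.
# Build it from a baseline of the lab's own Event 10 telemetry rather than guessing.
EXPECTED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def lsass_access_alerts(events, allowlist=EXPECTED_LSASS_READERS):
    """Flag Sysmon Event 10 records where an unexpected process opened lsass.exe with VM_READ."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not granted & PROCESS_VM_READ:
            continue  # query-only handles (e.g. Task Manager listing processes) cannot read memory
        # full-path comparison: a copy named csrss.exe in another folder is still flagged
        if ev["SourceImage"].lower() in allowlist:
            continue
        alerts.append({"host": ev["Computer"], "source": ev["SourceImage"], "granted": hex(granted)})
    return alerts

SAMPLE_SYSMON = [  # constructed Sysmon records
    {"EventID": 1, "Computer": "DC01.lab.local", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "Computer": "DC01.lab.local", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "DC01.lab.local", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "Computer": "DC01.lab.local", "SourceImage": r"C:\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]
```

Only the unexpected source image with a VM_READ handle is reported; the allowlisted system process and the query-only handle are dropped.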
---
# Tools Used
| Tool | Purpose |
| --- | --- |
| Responder | LLMNR / NBT-NS poisoning |
| BloodHound | AD privilege graph analysis |
| PowerView | PowerShell AD enumeration |
| RPCClient | SMB enumeration |
| Impacket | Credential dumping and Kerberos abuse |
| NetExec | SMB and LDAP enumeration |
| ADRecon | Domain reconnaissance automation |
---
# AD Enumeration (BloodHound)
![Attack path example in BloodHound](https://www.researchgate.net/publication/374027730/figure/fig4/AS%3A11431281219225460%401705979207840/Attack-paths-example-with-BloodHound.png)
![BloodHound privilege graph](https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt1ca2179301629d11/60c14f85d475801b9d54ffae/22.JPG)
![BloodHound privilege graph](https://cdn.sanity.io/images/r09655ln/production/94abf94357531122b918db6b9e130529dc86933e-1527x847.webp)
BloodHound is used to visualize **privilege relationships** inside the domain.
It allows identification of:
- privilege escalation paths
- vulnerable ACL permissions
- group membership abuse
- lateral movement opportunities
---
# Delegation Enumeration
Example enumeration using **Impacket**:
```
impacket-findDelegation lab.local/user:password -dc-ip <DC_IP>
```
Example output:
![Delegation enumeration output](https://blog.sentry.security/content/images/2025/05/unnamed--1-.png)
![Kerberos delegation overview](https://www.crowe.com/-/media/crowe/llp/sc10-media/insights/publications/cybersecurity-watch/content-2000x1125/cduw2301-001s-delegation-graphics-exhibit-2.jpg?h=3650&hash=2A53557B4E6478D92971462D98631B24&iar=0&rev=43173906a35b40a28ad5c796ff4812d9&w=5195)
![Delegation enumeration output](https://cdn.sanity.io/images/r09655ln/production/6a437fca35b707143d76aceb1258e61b7d2aeee5-327x442.png)
This helps identify:
- **Unconstrained Delegation**
- **Constrained Delegation**
- **Resource-Based Constrained Delegation**
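How the three delegation types are told apart from account attributes, as an added example (not the project's code and not Impacket's implementation). It assumes accounts are given as dicts of the real AD attribute names; the `userAccountControl` flag values are the documented ones and the sample records are constructed.

```python
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

def classify_delegation(acct):
    """Return the delegation findings for one account, empty if nothing is configured."""
    uac = acct.get("userAccountControl", 0)
    findings = []
    # Domain controllers are always trusted for delegation; only flag other principals.
    if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append("Unconstrained Delegation")
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = "Constrained Delegation"
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind += " (protocol transition)"  # S4U2self allowed: riskier than plain constrained
        findings.append(f"{kind} -> {', '.join(targets)}")
    # RBCD is configured on the target object, so this is an inbound trust for the account
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("Resource-Based Constrained Delegation (inbound)")
    return findings

def audit_delegation(accounts):
    """Map sAMAccountName -> findings for every account that has any delegation configured."""
    report = {}
    for acct in accounts:
        findings = classify_delegation(acct)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report

SAMPLE_ACCOUNTS = [  # constructed records
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.lab.local"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.lab.local:1433"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security-descriptor bytes>"},
    {"sAMAccountName": "naruto_uzumaki", "userAccountControl": 0x200},
]
```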
---
# Implemented Attack Modules
## M1 — Initial AD Exploitation
Technique:
**LLMNR / NBT-NS Poisoning**
Example command:
```
responder -I eth0 -dv
```
Goal:
Capture **NTLM authentication hashes** when DNS resolution fails and hosts fall back to LLMNR / NBT-NS.
Detection:
- monitor LLMNR traffic
- disable legacy name resolution protocols
---
## M2 — AD Post Enumeration
Tools used:
- BloodHound
- RPCClient
- PowerView
- NetExec
- ADRecon
Goal:
Discover:
- users
- computers
- domain trusts
- privilege escalation paths
---
## M3 — DACL Abuse
Exploiting **Active Directory permission misconfigurations**.
Common vulnerable permissions:
| Permission | Impact |
| --- | --- |
| GenericAll | Full control over object |
| GenericWrite | Modify attributes |
| WriteDACL | Modify access control |
| WriteOwner | Take ownership |
Attackers can escalate privileges by abusing these permissions.
---
## M4 — Abusing Kerberos
Weaknesses in Kerberos configuration allow an attacker to obtain ticket material that is equivalent to password hashes for cracking purposes.
Techniques covered:
- AS-REP Roasting
- Kerberoasting
- Timeroasting
- Kerberos brute force
- Delegation abuse
These attacks allow **offline password cracking**.
---
## M5 — Credential Dumping
After gaining privileges, attackers extract credentials from:
| Source | Data |
| --- | --- |
| SAM | Local account hashes |
| LSASS | Memory credentials |
| NTDS.dit | Domain password database |
| Registry Hives | System keys |
| Domain Cache | Cached credentials |
Major techniques:
- NTDS.dit extraction
- SAM dumping
- DCSync attack
- LAPS credential retrieval
- gMSA credential extraction
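The DCSync detection from the monitoring section, as an added example (not the project's own rule) over constructed event 4662 records: a principal other than a domain controller exercising the directory replication extended rights. The three GUIDs are the documented replication rights; the allowlisted sync account is an assumption.

```python
import re

# Extended-right GUIDs that DCSync needs; they appear in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100               # AccessMask bit set when an extended right is exercised
ALLOWED_REPLICATORS = {"MSOL_sync"}  # constructed allowlist, e.g. a directory sync service account
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def dcsync_alerts(events, allowlist=ALLOWED_REPLICATORS):
    """Return alerts for 4662 events where a non-DC principal used replication rights."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4662 or not ev["AccessMask"] & CONTROL_ACCESS:
            continue
        guids = GUID_RE.findall(ev["Properties"].lower())
        rights = sorted({REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS})
        if not rights:
            continue
        user = ev["SubjectUserName"]
        # domain controllers replicate using their machine accounts; that is expected
        if user.endswith("$") or user in allowlist:
            continue
        alerts.append({"user": user, "dc": ev["Computer"], "rights": rights})
    return alerts

SAMPLE_EVENTS = [  # constructed 4662 records; Properties mimics the multi-line event field
    {"EventID": 4662, "Computer": "DC01.lab.local", "SubjectUserName": "DC02$", "AccessMask": 0x100,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.lab.local", "SubjectUserName": "MSOL_sync", "AccessMask": 0x100,
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.lab.local", "SubjectUserName": "sasuke_uchiha", "AccessMask": 0x100,
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "Computer": "DC01.lab.local", "SubjectUserName": "sakura_haruno", "AccessMask": 0x20,
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # ordinary attribute read, no replication right
]
```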
---
## M6 — Kerberos Ticket Attacks
Kerberos tickets can be forged to maintain domain access.
Techniques covered:
| Attack | Description |
| --- | --- |
| Golden Ticket | Forged TGT using KRBTGT hash |
| Silver Ticket | Forged service ticket |
| Diamond Ticket | Modified ticket from valid TGT |
| Sapphire Ticket | Advanced forged ticket |
| Pass-the-Ticket | Reusing stolen Kerberos ticket |
These attacks allow **persistent unauthorized access** to the domain.
---
# Project Structure
```
AD-Pentest-Lab
│
├── Documentation
│
├── M1-Initial-AD-Exploitation
│
├── M2-AD-Post-Enumeration
│
├── M3-DACL-Abuse
│
├── M4-Abusing-Kerberos
│
├── M5-Credential-Dumping
│
├── M6-Kerberos-Ticket-Attacks
│
└── README.md
```
---
# Learning Outcomes
This project demonstrates practical understanding of:
- Active Directory internals
- AD attack paths
- Kerberos authentication
- credential theft techniques
- privilege escalation in enterprise environments
- detection engineering using SIEM
---
# Disclaimer
This project is for **educational and defensive cybersecurity research only**.
All attacks were performed in a **controlled lab environment**.
Do not attempt these techniques against systems without authorization.