A hands-on Active Directory authentication detection lab built from a SOC Tier-1 analyst perspective.
This repository focuses on defensive security operations:
- Understanding identity-based attacks in Active Directory
- Detecting them through Windows Security and Kerberos logs
- Performing Tier-1 triage (Noise / Exposure / Incident)
- Correlating events into an investigation timeline
- Documenting incidents in a SOC-ready format before escalation
The goal is not exploitation, but learning how attacks appear in logs and how a Tier-1 analyst should respond.
- Domain Controller: Windows Server (AD DS, DNS, Kerberos / KDC)
- Client: Windows 10 (domain-joined)
- Attacker: Kali Linux (isolated lab only)
- Domain: lab.loc

[Kali Linux] ---> [Windows Server DC: lab.loc] <--- [Windows 10 Client]
 (attacker)        (AD DS / DNS / KDC)              (domain-joined)
Repository Structure
AD-Attack-Detection-Lab/
├── lab-setup/
│   └── environment.md
├── attack-scenarios/
│   ├── password-spraying.md
│   ├── pass-the-hash.md
│   ├── pass-the-ticket.md
│   └── golden-silver-ticket.md
├── detection/
│   └── event-correlation.md
└── incident-response/
    ├── tier1-workflow.md
    └── incident-template.md
Each folder reflects a SOC Tier-1 responsibility:
- attack-scenarios/ – What malicious authentication activity looks like in practice.
- detection/ – How Windows and Kerberos logs are correlated into a clear investigation timeline.
- incident-response/ – How triage decisions, documentation, and escalation are performed in a real SOC.
- Password Spraying
- Pass-the-Hash (detection-focused)
- Pass-the-Ticket (detection-focused)
- Golden / Silver Ticket (detection-focused)
Each scenario follows a consistent Tier-1 investigation structure:
Attacker Goal → Observable Behavior → Key Logs → Tier-1 Triage → Actions → Escalation Notes
- 4624 – Successful logon
- 4625 – Failed logon
- 4768 – Kerberos TGT request (AS)
- 4769 – Kerberos TGS request
- 4771 – Kerberos pre-authentication failure
- 4672 – Special privileges assigned
- 4673 – Sensitive privilege use
- 7045 – New service installed
- Choose a scenario under attack-scenarios/
- Use detection/event-correlation.md to correlate logs into a timeline
- Apply the Tier-1 workflow in incident-response/tier1-workflow.md
- Document the case using incident-response/incident-template.md
- Escalate with clear evidence and structured notes
4625 Failed Logon | user: alice | src_ip: 192.168.56.20
4625 Failed Logon | user: bob | src_ip: 192.168.56.20
4624 Successful | user: bob | logon_type: 3 | auth: NTLM | src_ip: 192.168.56.20
- Repeated failures across multiple users from one source = Exposure
- Successful authentication following that pattern = Incident
Detection focuses on patterns, not isolated events:
- Multiple 4625 events followed by 4624
- 4624 (NTLM, Logon Type 3) followed by 4672 or 7045
- Abnormal 4769 Kerberos service ticket behavior
See: event-correlation.md
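The spray-then-success rule above, and the follow-on 4672 / 7045 check, as an added Python example that is not part of this repository's own files. The events are constructed in the same shape as the example lines earlier in this README, and the distinct-user threshold is an assumed lab tuning value.

```python
# Constructed sample events modelled on the README's example lines
# (hypothetical lab values, not real log data). "seq" gives event order;
# on real data use the event timestamp instead.
SAMPLE_EVENTS = [
    {"seq": 1, "id": 4625, "user": "alice", "src_ip": "192.168.56.20"},
    {"seq": 2, "id": 4625, "user": "bob", "src_ip": "192.168.56.20"},
    {"seq": 3, "id": 4624, "user": "bob", "src_ip": "192.168.56.20",
     "logon_type": 3, "auth": "NTLM"},
    {"seq": 4, "id": 4672, "user": "bob", "src_ip": "192.168.56.20"},
    {"seq": 5, "id": 4625, "user": "dave", "src_ip": "192.168.56.31"},
    {"seq": 6, "id": 4624, "user": "dave", "src_ip": "192.168.56.31",
     "logon_type": 2, "auth": "Kerberos"},
]

# Assumed lab tuning: failures against this many distinct users from one
# source are treated as a spray rather than one user mistyping a password.
SPRAY_USER_THRESHOLD = 2


def triage_source(events, src_ip, threshold=SPRAY_USER_THRESHOLD):
    """Classify one source IP as Noise / Exposure / Incident per the README rule.

    Returns (classification, evidence) where evidence lists the events that
    drove each step, ready to paste into the incident template.
    """
    evs = sorted((e for e in events if e["src_ip"] == src_ip), key=lambda e: e["seq"])
    failed_users, evidence, verdict = set(), [], "Noise"
    for e in evs:
        if e["id"] == 4625:
            failed_users.add(e["user"])
            if verdict == "Noise" and len(failed_users) >= threshold:
                verdict = "Exposure"  # repeated failures across users, one source
                evidence.append(f"4625 from {src_ip} against {len(failed_users)} users")
        elif e["id"] == 4624 and verdict == "Exposure":
            verdict = "Incident"  # successful logon after the spray pattern
            evidence.append(f"4624 {e.get('auth')} type {e.get('logon_type')} for {e['user']}")
        elif e["id"] in (4672, 7045) and verdict == "Incident":
            # Privilege assignment or new service after the compromise: escalate
            evidence.append(f"{e['id']} for {e['user']} after successful logon")
    return verdict, evidence


def triage_all(events):
    """Run the rule for every source IP seen: {src_ip: (classification, evidence)}."""
    return {ip: triage_source(events, ip) for ip in sorted({e["src_ip"] for e in events})}


if __name__ == "__main__":
    for ip, (verdict, ev) in triage_all(SAMPLE_EVENTS).items():
        print(ip, verdict, ev)
```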
The lab follows a realistic SOC Tier-1 process:
- Alert validation
- Triage (Noise / Exposure / Incident)
- Evidence collection and enrichment
- Scope and impact assessment
- Escalation with structured documentation
See: tier1-workflow.md
A reusable SOC Tier-1 incident report template, including:
- Classification rationale
- Evidence summary
- Timeline
- Impact assessment
- Escalation recommendation
See: incident-template.md
This project demonstrates:
- Understanding of Active Directory authentication flows (TGT / TGS)
- Detection of identity-based attacks using Windows Security logs
- SOC Tier-1 triage and decision-making
- Clear, escalation-ready incident documentation
All activities were performed in an isolated lab environment for defensive security learning purposes only.