Attack Techniques and Detection
Introduction
Since Active Directory is widely used in organizations around the world to manage permissions and network access, it has become a valuable target for cyber attackers. Over time, attack techniques against AD have become more advanced and sophisticated.
In this project, I will showcase multiple attack techniques related to Active Directory and identify methods to detect them.
Creating the Homelab
Lab Topology

Lab description:
The lab will consist of an Active Directory environment that includes a domain controller and two workstations. Each host in the AD environment will have Sysmon installed to support monitoring and threat detection. The logs collected from Sysmon will be sent to a SIEM system for analysis (in this lab, I will use Wazuh, a free and open-source SIEM). Additionally, an attack machine will be set up on the same network but will not be joined to the AD domain. This machine will be used to execute various AD attack techniques.
Lab Setup
To set up the lab, I followed two excellent videos from The Cyber Mentor and John Hammond:
After completing the setup of all hosts, I will install Sysmon on each machine in the Active Directory environment. This can be done by following the instructions in this document.
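As an added example (not from the original page or the referenced videos and document), the following PowerShell script performs the per-host step described above: it installs Sysmon with a configuration file, verifies that the service is running and writing events, and tells the Wazuh agent to collect the Sysmon event channel so the logs reach the SIEM. The paths to Sysmon64.exe and the configuration file, and the default Wazuh agent install location, are assumptions; the script expects an elevated PowerShell session.

```powershell
# Added example: install Sysmon, confirm it is logging, and forward its channel via the Wazuh agent.
# Assumed locations (adjust to your lab): Sysmon binary and config in C:\Tools,
# Wazuh agent installed in its default directory.
$SysmonExe = 'C:\Tools\Sysmon64.exe'                            # assumed
$SysmonCfg = 'C:\Tools\sysmonconfig.xml'                        # assumed (any Sysmon XML config)
$OssecConf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'    # default Wazuh agent config path
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# 1. Install the Sysmon driver and service, or just reload the config if it is already present.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $SysmonCfg   # already installed: update configuration only
} else {
    & $SysmonExe -accepteula -i $SysmonCfg   # fresh install with the chosen configuration
}

# 2. Verify the service is running and that events are actually being written.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') {
    throw "Sysmon64 service is not running (status: $($svc.Status))"
}
$recent = Get-WinEvent -LogName $SysmonLog -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning "No Sysmon events found yet; launch a process and re-run the check."
} else {
    $recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}

# 3. Add the Sysmon channel to the Wazuh agent's <localfile> list if it is not there yet,
#    then restart the agent so the change takes effect.
$localfile = @"
  <localfile>
    <location>$SysmonLog</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
$conf = Get-Content -Path $OssecConf -Raw
if ($conf -notmatch [regex]::Escape($SysmonLog)) {
    # Insert the block before the final closing tag of the agent configuration.
    $conf = $conf -replace '</ossec_config>\s*$', "$localfile`n</ossec_config>"
    Set-Content -Path $OssecConf -Value $conf -Encoding UTF8
    Restart-Service -Name wazuh
    Write-Host "Wazuh agent now collects $SysmonLog"
} else {
    Write-Host "Wazuh agent already configured for $SysmonLog"
}
```

Run the script once on the domain controller and on each workstation; afterwards, Sysmon events (for example Event ID 1 for process creation) should appear in the Wazuh dashboard for that agent, which is the data the later detection sections rely on.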