Active-Directory-Detection-Lab

Objective

The Detection Lab project establishes a controlled environment for simulating and detecting cyber attacks. The main goal was to generate telemetry that mimics real-world attack scenarios and to analyze the resulting logs in Splunk. This hands-on experience helped me develop a working understanding of SIEM tools such as Splunk.

Skills Learned

  • Advanced understanding of SIEM concepts and their practical application.
  • Proficiency in analyzing and interpreting Windows event, Sysmon, and network logs.
  • Ability to generate and recognize attack signatures and patterns.
  • Enhanced knowledge of network protocols and security vulnerabilities.
  • Development of critical thinking and problem-solving skills in cybersecurity.

Tools Used

  • Splunk (SIEM) for log ingestion and analysis.
  • Oracle VM VirtualBox for hosting the virtual machines.
  • Telemetry generation tools to create realistic network traffic and attack scenarios.
  • Windows 10, Windows Server, Kali Linux, and Ubuntu operating systems used to build a realistic environment.
  • Crowbar (telemetry: brute-force attack).
  • Atomic Red Team (telemetry: MITRE ATT&CK test execution).

Steps

Diagram

(image: lab network diagram)

Step 1: Download the following VMs

  • Windows 10 (victim)
  • Kali Linux (attacker)
  • Windows Server (domain controller)
  • Ubuntu (Splunk server)

Step 2: Install and Configure Sysmon and Splunk

- Install Splunk Enterprise on the Ubuntu VM and create an admin user.

- Install Sysmon on the Windows 10 victim (downloaded via PowerShell).

- Import a pre-built Sysmon configuration rather than relying on the default settings.

- Install and configure the Splunk Universal Forwarder (UF) on the target machine, editing its inputs.conf so that the Windows event logs and the Sysmon operational log are collected.

- Create a new index in Splunk and enable Splunk to receive data from forwarders.

- Repeat these steps on the Windows Server.
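The endpoint side of this step, scripted in PowerShell as an added example (not the repository's own script). It assumes values the page does not state: the Splunk server at 192.168.10.10 receiving on port 9997, an index named endpoint, and a Sysmon config XML already saved to C:\Tools\sysmonconfig.xml (for instance a community config downloaded beforehand). Run it as Administrator on the Windows 10 victim and again on the Windows Server.

```powershell
# Added example: Step 2 endpoint setup (Sysmon + Universal Forwarder).
# Assumed values (not from the original page): Splunk server address, index
# name, and the location of the Sysmon config file.
$SplunkServer = '192.168.10.10:9997'     # assumption: Ubuntu Splunk server
$IndexName    = 'endpoint'               # assumption: index created in Splunk
$SysmonDir    = 'C:\Tools'               # assumption: working directory
$SysmonConfig = Join-Path $SysmonDir 'sysmonconfig.xml'   # assumption: pre-built config

# 1. Sysmon: download the Sysinternals package, unzip, install with the config
#    (-i) and accept the EULA non-interactively.
New-Item -ItemType Directory -Path $SysmonDir -Force | Out-Null
Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' `
    -OutFile (Join-Path $SysmonDir 'Sysmon.zip')
Expand-Archive -Path (Join-Path $SysmonDir 'Sysmon.zip') -DestinationPath $SysmonDir -Force
& (Join-Path $SysmonDir 'Sysmon64.exe') -accepteula -i $SysmonConfig
# To apply a changed config later without reinstalling: Sysmon64.exe -c <config.xml>

# 2. Universal Forwarder inputs: the three classic Windows logs plus the Sysmon
#    operational channel, all into the lab index. Sysmon is rendered as XML so
#    the Splunk Sysmon add-on can parse the fields.
$UfHome = 'C:\Program Files\SplunkUniversalForwarder'
$Inputs = @"
[WinEventLog://Application]
index = $IndexName
disabled = false

[WinEventLog://Security]
index = $IndexName
disabled = false

[WinEventLog://System]
index = $IndexName
disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = $IndexName
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
"@
$LocalDir = Join-Path $UfHome 'etc\system\local'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
Set-Content -Path (Join-Path $LocalDir 'inputs.conf') -Value $Inputs -Encoding ASCII

# 3. Point the forwarder at the indexer and restart so inputs.conf is read.
#    add forward-server prompts for the forwarder admin credentials chosen
#    during the UF install (or append: -auth admin:<password>).
$SplunkExe = Join-Path $UfHome 'bin\splunk.exe'
& $SplunkExe add forward-server $SplunkServer
& $SplunkExe restart

# 4. Check: Sysmon service running and the forwarder reporting its indexer.
Get-Service -Name Sysmon64 | Select-Object Status, Name
& $SplunkExe list forward-server
```

On the Ubuntu Splunk server the matching settings are the ones the page's screenshots show: create the index with the same name under Settings > Indexes, and enable a receiving port (9997 here) under Settings > Forwarding and receiving. A quick ingestion check in the search bar is `index=endpoint | stats count by host, source`; both hosts should appear with the Security and Sysmon sources within a minute of the forwarder restart.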

Step 3: Configure Windows Server and Active Directory

- Install Active Directory Domain Services (AD DS) on the Windows Server.

- Promote the server to a domain controller.

- Create a new organizational unit and populate it with users.

- Join the target (Windows 10) PC to the domain.
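The same domain build from PowerShell instead of Server Manager, as an added example (not the repository's own script). The domain name lab.local (NetBIOS LAB), the domain controller address 192.168.10.7, the OU name IT, the victim's adapter name Ethernet, and the user tsmith as the OU member are assumptions; the page only shows that an OU with users was created and that the later brute force targets Tsmith.

```powershell
# Added example: Step 3 domain build. Assumed values (not from the original
# page): domain lab.local / LAB, DC at 192.168.10.7, OU "IT", user tsmith,
# victim adapter "Ethernet".

# --- On the Windows Server (run as local Administrator) ---------------------

# 1. Install AD DS plus the management tools that provide the AD cmdlets.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promote to the first domain controller of a new forest. Prompts for the
#    Directory Services Restore Mode password, then reboots the server.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'lab.local' -DomainNetbiosName 'LAB' `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force

# --- After the reboot, still on the domain controller -----------------------

# 3. OU and user. Accidental-deletion protection is switched off only so the
#    lab can be torn down cleanly; keep it on outside a lab.
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name 'IT' -Path 'DC=lab,DC=local' -ProtectedFromAccidentalDeletion $false
$UserPassword = Read-Host -AsSecureString -Prompt 'Password for tsmith'
New-ADUser -Name 'tsmith' -SamAccountName 'tsmith' -UserPrincipalName 'tsmith@lab.local' `
    -Path 'OU=IT,DC=lab,DC=local' -AccountPassword $UserPassword -Enabled $true

# 4. Check: the account exists in the OU and is enabled.
Get-ADUser -Identity 'tsmith' | Select-Object SamAccountName, DistinguishedName, Enabled

# --- On the Windows 10 victim (run as local Administrator) ------------------

# 5. The victim must resolve the domain through the DC's DNS before it can
#    join; pointing it at the DC is the most common reason a join fails.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.7'
Resolve-DnsName -Name 'lab.local' -Type A

# 6. Join the domain and reboot. Prompts for LAB\Administrator credentials.
Add-Computer -DomainName 'lab.local' -Credential (Get-Credential 'LAB\Administrator') -Restart
```

Because step 2 already installed Sysmon and the forwarder on both Windows hosts, the promotion and the domain join themselves produce telemetry: the first directory-service events on the server and the computer-account join on the Security log are a useful sanity check that the pipeline is live before any attack is run.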

Step 4: Perform a brute-force attack and view the telemetry in Splunk

- Save the top 20 passwords from rockyou.txt to password.txt and append the target user's correct password so the attack eventually succeeds.

  • rockyou.txt is a leaked-password wordlist that ships with Kali Linux (compressed, under /usr/share/wordlists/) and contains over 14 million passwords.

- Run the brute force against the user Tsmith with Crowbar.

- View the resulting telemetry in Splunk: a burst of failed logons from the attacker followed by a successful one.

Step 5: Perform MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) with Atomic Red Team and view the telemetry in Splunk

- Run the atomic test with ART; the test used here creates a new user.

- View the telemetry in Splunk: the new local user appears in the logs.
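Detection logic for both telemetry sets the lab generates, the Crowbar brute force and the ART user creation, as an added example that is not part of the original repository. The events are constructed to look like Windows Security 4625/4624/4720 and Sysmon event 1 records so the script runs offline; in the lab the same fields come from Get-WinEvent on the endpoint or from the Splunk index. The attacker address 192.168.10.250, the workstation 192.168.10.20, RDP as Crowbar's target (LogonType 10), the New-LocalUser command line as what the ART test runs, and the Splunk field names in the comments (index endpoint, Splunk Add-on for Windows) are all assumptions.

```powershell
# Added example: detections over constructed sample events (not real captures).
$Base = [datetime]'2024-01-01T10:00:00'
$SampleEvents = @()

# Constructed: 15 failed RDP logons (LogonType 10) from the attacker VM against
# tsmith, two seconds apart, as Crowbar works through the password list.
foreach ($i in 1..15) {
    $SampleEvents += [pscustomobject]@{
        Time = $Base.AddSeconds(2 * $i); Id = 4625; Source = 'Security'
        TargetUser = 'tsmith'; SrcIp = '192.168.10.250'; LogonType = 10
    }
}
# Constructed: the correct password hits and the same source logs on.
$SampleEvents += [pscustomobject]@{
    Time = $Base.AddSeconds(32); Id = 4624; Source = 'Security'
    TargetUser = 'tsmith'; SrcIp = '192.168.10.250'; LogonType = 10
}
# Constructed: one mistyped password from a workstation. Normal noise; no alert.
$SampleEvents += [pscustomobject]@{
    Time = $Base.AddMinutes(2); Id = 4625; Source = 'Security'
    TargetUser = 'jdoe'; SrcIp = '192.168.10.20'; LogonType = 3
}
# Constructed: Sysmon process creation for PowerShell adding a local user (the
# command line is an assumption about the ART test), then the Security log
# confirming the new account three seconds later.
$SampleEvents += [pscustomobject]@{
    Time = $Base.AddMinutes(10); Id = 1; Source = 'Sysmon'; User = 'LAB\tsmith'
    Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    CommandLine = 'powershell.exe -Command "New-LocalUser -Name art-test -Password $pw"'
}
$SampleEvents += [pscustomobject]@{
    Time = $Base.AddMinutes(10).AddSeconds(3); Id = 4720; Source = 'Security'
    TargetUser = 'art-test'; SubjectUser = 'tsmith'
}

# Brute force: N or more failed logons from one source inside a time window.
# A later 4624 from the same source means a password was guessed (severity up).
# Splunk equivalent (assumed fields): index=endpoint EventCode=4625
#   | stats count dc(user) AS users min(_time) AS first max(_time) AS last by src_ip
#   | where count >= 10
function Find-LogonBruteForce {
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    $results = @()
    foreach ($g in ($Events | Where-Object { $_.Id -eq 4625 } | Group-Object SrcIp)) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        # Sliding window: any run of $Threshold consecutive failures inside the window?
        $burst = $false
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) { $burst = $true; break }
        }
        if (-not $burst) { continue }
        $success = $Events | Where-Object {
            $_.Id -eq 4624 -and $_.SrcIp -eq $g.Name -and $_.Time -ge $times[0]
        } | Select-Object -First 1
        $severity = if ($success) { 'high' } else { 'medium' }
        $results += [pscustomobject]@{
            SrcIp = $g.Name; Failures = $g.Count
            TargetUsers = ($g.Group.TargetUser | Sort-Object -Unique) -join ','
            Succeeded = [bool]$success; Severity = $severity
        }
    }
    return $results
}

# T1059.001 user creation: a Sysmon process-creation event for PowerShell with
# an account-adding command line, followed shortly by a Security 4720.
# Splunk equivalent (assumed fields): index=endpoint
#   (EventCode=1 Image="*\\powershell.exe" CommandLine="*New-LocalUser*") OR EventCode=4720
function Find-AccountCreatedByPowerShell {
    param([object[]]$Events, [int]$WindowSeconds = 60)
    $results = @()
    $psAdds = $Events | Where-Object {
        $_.Id -eq 1 -and $_.Source -eq 'Sysmon' -and
        $_.Image -match '(?i)\\(powershell|pwsh)\.exe$' -and
        $_.CommandLine -match '(?i)New-LocalUser|New-ADUser|net1?(\.exe)?\s+user\s+.*\s/add'
    }
    foreach ($created in ($Events | Where-Object { $_.Id -eq 4720 })) {
        $cause = $psAdds | Where-Object {
            $_.Time -le $created.Time -and ($created.Time - $_.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        if ($cause) {
            $results += [pscustomobject]@{
                NewAccount = $created.TargetUser; CreatedBy = $created.SubjectUser
                ParentImage = $cause.Image; CommandLine = $cause.CommandLine
            }
        }
    }
    return $results
}

Find-LogonBruteForce -Events $SampleEvents | Format-Table -AutoSize
Find-AccountCreatedByPowerShell -Events $SampleEvents | Format-List
```

Running it flags 192.168.10.250 with 15 failures against tsmith and Succeeded set to True (so severity high), stays silent on the single failure from the workstation, and reports art-test as created by tsmith from the PowerShell command line. The window-based count rather than a flat threshold is what keeps a slow drip of failures over a day from tripping the alert while still catching a tool like Crowbar, and joining 4720 to the Sysmon process event is what turns "a user was created" into "PowerShell created a user", which is the T1059.001 signal the lab is after.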
