Enterprise Active Directory deployment, hardening, and attack detection — building a vulnerable AD environment, implementing security controls, and developing detection rules for common AD attack techniques.
Build an Active Directory lab environment from scratch, deliberately introduce common misconfigurations, then systematically harden the environment while developing detection capabilities for AD-specific attacks. This project demonstrates both offensive awareness and defensive implementation skills critical for enterprise security roles.
┌─────────────────────────────────────────────────────────┐
│ YOURLAB.LOCAL │
│ (AD Forest) │
├─────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ DC-01 │ │ WS-01 │ │ SRV-01 │ │
│ │ Domain │ │ Windows 10 │ │ File Server │ │
│ │ Controller │ │ Workstation │ │ Member Srv │ │
│ │ Server 2019 │ │ │ │ Server 2019 │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ WS-02 │ │ Sentinel │ │
│ │ Windows 10 │ │ SIEM │ │
│ │ Workstation │ │ (Azure) │ │
│ └──────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────┘
| Component | Technology | Purpose |
|---|---|---|
| Domain Controller | Windows Server 2019 | AD DS, DNS, Group Policy |
| Workstations | Windows 10 Pro | Domain-joined endpoints |
| SIEM | Microsoft Sentinel | Log collection and detection |
| Monitoring | Sysmon + Windows Event Forwarding | Enhanced endpoint telemetry |
| Scripting | PowerShell | Hardening automation and testing |
- Deployed Windows Server 2019 as Domain Controller (DC-01)
- Configured AD DS forest:
YOURLAB.LOCAL - Created organizational unit (OU) structure mirroring enterprise layout
- Provisioned user accounts with varying privilege levels
- Joined Windows 10 workstations and member server to domain
Introduced common AD security weaknesses to simulate a real-world environment:
| # | Misconfiguration | Risk | MITRE ATT&CK |
|---|---|---|---|
| 1 | Kerberoastable service accounts (SPNs with weak passwords) | Credential theft | T1558.003 |
| 2 | Unconstrained delegation on member server | Privilege escalation | T1558.001 |
| 3 | AdminCount=1 users with reversible encryption | Credential exposure | T1003 |
| 4 | GPP passwords in SYSVOL | Plaintext credentials | T1552.006 |
| 5 | No LAPS (Local Admin Password Solution) | Lateral movement | T1078.003 |
| 6 | Weak password policy (minimum 6 chars, no complexity) | Password attacks | T1110 |
| 7 | Guest account enabled and in local admin group | Unauthorized access | T1078.001 |
| 8 | LLMNR and NBT-NS enabled | Man-in-the-middle | T1557.001 |
Developed custom analytics rules for Microsoft Sentinel to detect common AD attacks:
| Detection | Attack Technique | MITRE ID | File |
|---|---|---|---|
| Kerberoasting Detection | Service ticket requests for SPNs | T1558.003 | kql-ad-detections.kql |
| Password Spray Detection | Multiple failed logons across accounts | T1110.003 | kql-ad-detections.kql |
| DCSync Detection | Directory replication requests from non-DC | T1003.006 | kql-ad-detections.kql |
| Golden Ticket Detection | TGT with abnormal lifetime | T1558.001 | kql-ad-detections.kql |
| Admin Group Modification | Unexpected changes to privileged groups | T1098 | kql-ad-detections.kql |
| # | Control | Implementation | Status |
|---|---|---|---|
| 1 | LAPS Deployment | Deployed LAPS via GPO to all workstations, randomized local admin passwords | Complete |
| 2 | Tiered Admin Model | Separated admin accounts into Tier 0/1/2, restricted logon rights via GPO | Complete |
| 3 | Kerberos Hardening | Rotated SPN passwords to 25+ chars, enabled AES-only Kerberos | Complete |
| 4 | Credential Guard | Enabled Credential Guard via GPO on all Windows 10 workstations | Complete |
| 5 | LSASS Protection | Enabled RunAsPPL on all endpoints | Complete |
| 6 | LDAP Signing | Enforced LDAP signing and channel binding on DC | Complete |
| 7 | SMB Signing | Required SMB signing on all domain members | Complete |
| 8 | Disable LLMNR/NBT-NS | Disabled via GPO to prevent poisoning attacks | Complete |
| 9 | Password Policy | Enforced 14+ char minimum, complexity, 90-day rotation | Complete |
| 10 | GPP Cleanup | Removed all GPP passwords from SYSVOL, deployed LAPS as replacement | Complete |
| 11 | Protected Users Group | Added all Tier 0 admin accounts to Protected Users | Complete |
| 12 | Audit Policy | Configured advanced audit policy for logon, account management, DS access | Complete |
| Metric | Before Hardening | After Hardening | Improvement |
|---|---|---|---|
| Kerberoastable accounts | 5 | 0 | 100% |
| Accounts with weak passwords | 12 | 0 | 100% |
| Systems without LAPS | 4 | 0 | 100% |
| Cleartext credentials in GPP | 3 | 0 | 100% |
| Systems with LLMNR enabled | 4 | 0 | 100% |
| Admin accounts in Protected Users | 0 | 6 | N/A |
| Endpoints with Credential Guard | 0 | 3 | N/A |
- Active Directory deployment and administration
- AD attack technique knowledge (Kerberoasting, DCSync, Golden Ticket, Pass-the-Hash)
- MITRE ATT&CK mapping for detection engineering
- KQL detection rule authoring
- Group Policy hardening and security baselines
- Enterprise identity security architecture
- Tiered administration model implementation