Purpose: Compact lab showing AD DS on Windows Server, Splunk on Ubuntu, Windows 10 target, Kali attacker — includes diagrams and screenshot placeholders so you can drop in actual captures.
A one-paragraph summary of the project goals and outcomes.
Project goal: Build an isolated lab to simulate a brute-force attack (Hydra from Kali) against a Windows 10 machine joined to an Active Directory, capture authentication and host logs in Splunk, and validate detection using Splunk dashboards and correlation rules.
Outcome (short): Splunk successfully ingested Windows authentication events; brute-force attempts were visible as spikes of failed logins followed by a successful authentication. Dashboards and saved searches helped quickly identify the compromise.

Caption: Network layout showing attacker, target, domain controller, and Splunk server.
- Windows Server (AD DS) — Domain Controller, user & group management, logs authentication events.
- Ubuntu (Splunk) — Splunk Enterprise installed; indexes Windows events forwarded from hosts.
- Windows 10 — Domain-joined target with services and test accounts.
- Kali Linux — Attacker: ran Hydra for password brute-force.
- Windows Server: Install AD DS & promote to DC
- Configure Windows 10 to join domain
  - Screenshot:
  - Screenshot:
- Install Splunk on Ubuntu
- Forward Windows event logs to Splunk
- Prepare Kali & run Hydra
Mermaid-style timeline (or simple list):
1. 10:02 — Kali begins brute-force (Hydra) vs target service
2. 10:03 — Windows logs repeated failed authentication events
3. 10:07 — One credential succeeds; attacker obtains access
4. 10:09 — Domain Controller records suspicious authentication
5. 10:12 — Splunk ingests events and dashboard shows spike
Example search (high-level):
index=endpoint EventCode=4625 | stats count by src_ip,dest_ip,dest_port
Caption: Dashboard panels: Failed logins over time, top source IPs, accounts with most failures, successful logins following failures.
- Splunk indexes contained clear signals: repeated failure events then success for the compromised account.
- Correlation across the Windows 10 host and the domain controller provided the timeline of compromise.
- Brute-force generated an obvious pattern that is easy to detect with simple rules.
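As an added example (not part of the original lab write-up), the correlation rule the findings describe, repeated 4625 failures from one source followed by a 4624 success for the same account, implemented in Python over a handful of constructed events rather than in SPL. The event dictionaries, their field names (time, EventCode, src_ip, account) and the threshold and window values are this example's own assumptions, not Splunk field names or captures from the lab; the two aggregation helpers mirror the "stats count by" searches above.

```python
"""Offline re-implementation of the lab's 'failures then success' detection.

Added example, not the lab's own code. Event records are constructed sample
data; field names below are assumptions of this script, not Splunk's.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real captures). EventCode 4625 = failed logon,
# 4624 = successful logon. Times loosely follow the lab timeline (10:02-10:07).
SAMPLE_EVENTS = [
    {"time": "10:02:05", "EventCode": 4625, "src_ip": "10.0.0.50", "account": "administrator"},
    {"time": "10:02:07", "EventCode": 4625, "src_ip": "10.0.0.50", "account": "administrator"},
    {"time": "10:02:09", "EventCode": 4625, "src_ip": "10.0.0.50", "account": "administrator"},
    {"time": "10:02:11", "EventCode": 4625, "src_ip": "10.0.0.50", "account": "administrator"},
    {"time": "10:02:13", "EventCode": 4625, "src_ip": "10.0.0.50", "account": "administrator"},
    {"time": "10:02:15", "EventCode": 4625, "src_ip": "10.0.0.50", "account": "administrator"},
    # Benign noise: a user mistypes a password once, then logs in normally.
    {"time": "10:03:40", "EventCode": 4625, "src_ip": "10.0.0.21", "account": "jsmith"},
    {"time": "10:03:52", "EventCode": 4624, "src_ip": "10.0.0.21", "account": "jsmith"},
    # The guessed credential finally works.
    {"time": "10:07:01", "EventCode": 4624, "src_ip": "10.0.0.50", "account": "administrator"},
]


def _ts(event):
    """Parse the HH:MM:SS string of a constructed event into a datetime."""
    return datetime.strptime(event["time"], "%H:%M:%S")


def failures_by_source(events):
    """Equivalent of 'EventCode=4625 | stats count by src_ip'."""
    return Counter(e["src_ip"] for e in events if e["EventCode"] == 4625)


def failures_by_account(events):
    """Equivalent of 'EventCode=4625 | stats count by Account_Name'."""
    return Counter(e["account"] for e in events if e["EventCode"] == 4625)


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (src_ip, account) pairs where at least `threshold` 4625 events
    occur within `window` before a 4624 for the same pair.

    Returns a list of finding dicts in chronological order of the success.
    """
    recent_failures = defaultdict(list)  # (src_ip, account) -> failure timestamps
    findings = []
    for e in sorted(events, key=_ts):
        key = (e["src_ip"], e["account"])
        t = _ts(e)
        if e["EventCode"] == 4625:
            recent_failures[key].append(t)
        elif e["EventCode"] == 4624:
            # Only failures inside the look-back window count toward the burst.
            fails = [f for f in recent_failures[key] if t - f <= window]
            if len(fails) >= threshold:
                findings.append({
                    "src_ip": key[0],
                    "account": key[1],
                    "failures": len(fails),
                    "first_failure": fails[0].strftime("%H:%M:%S"),
                    "success": e["time"],
                })
            # A success closes the current burst for this source/account pair.
            recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    print("Failed logons by source:", dict(failures_by_source(SAMPLE_EVENTS)))
    print("Failed logons by account:", dict(failures_by_account(SAMPLE_EVENTS)))
    for finding in failed_then_success(SAMPLE_EVENTS):
        print("ALERT brute-force then success:", finding)
```

Running the file reports one finding, the administrator account from 10.0.0.50; the jsmith case (one mistyped password, then success) stays below the threshold, which is exactly the benign noise a rule like this has to tolerate. In Splunk the same idea is normally expressed with streamstats or transaction over the account and source address, and 4740 lockout events become an additional signal where lockout is enforced.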
- Hydra command used + terminal output.
- Windows Event Viewer logs showing failed/successful logon Event IDs (4625, 4624, 4740 if lockouts used).
- Splunk index/ingestion confirmation and sample indexed events.
- Splunk dashboard PNG and saved search definitions.
Placeholders: Insert each at the locations above.
- Enforce strong password policy and MFA.
- Implement account lockout & alerting on repeated failures.
- Restrict RDP/remote services and use VPN.
- Keep centralized logging and test detection periodically.
- Hydra example (illustrative):
hydra -l administrator -P passwords.txt rdp://<target-ip>
- Splunk search (illustrative high-level):
index=windows EventCode=4625 | stats count by src_ip, Account_Name
Note: These are illustrative snippets meant for documenting the lab. Do not run attacks on systems you don’t own or have explicit permission to test.
End of document