Active Directory Project (Home Lab)
This project was inspired by and follows the walkthrough in the MyDFIR YouTube video: https://www.youtube.com/watch?v=5OessbOgyEo
Objectives
- Learn Active Directory: Understand the fundamentals of Active Directory setup, administration, and how it functions within a domain environment.
- Build a hands-on testing environment: Create a simulated environment to practice and experiment with Active Directory and related security concepts.
- Gain IT experience: Build technical skills that are valuable for both blue team (defenders) and red team (attackers) scenarios.
Description
Components:
- Windows Server 2022:
  - Acts as the domain controller, hosting Active Directory Domain Services (AD DS) and DNS for the lab domain.
- Windows 10/11:
  - A domain-joined workstation that serves as the target machine: it is attacked from Kali and monitored through Sysmon and Splunk.
- Splunk:
  - A SIEM (Security Information and Event Management) platform that receives, indexes, and searches the Windows event logs forwarded from the domain controller and the workstation.
- Sysmon:
  - A Sysinternals system service installed on both Windows machines that logs process creation, network connections, file and registry changes, and similar activity in far more detail than the default Windows logs.
- Kali Linux:
  - A penetration testing distribution used to launch attacks against the lab from outside the domain.
- Atomic Red Team:
  - A library of small, scripted tests mapped to MITRE ATT&CK techniques, run on the target machine to generate realistic attacker telemetry.
How They're Used
- Setup: VirtualBox hosts a virtual machine for each component, so the entire lab runs on a single computer and stays isolated from the rest of the network.
- Active Directory: Windows Server 2022 is promoted to a domain controller and manages the users, computers, and groups of the simulated domain. The Windows 10/11 machine is joined to this domain.
- Logging: Sysmon is installed on both Windows machines to provide detailed event logs. The Splunk Universal Forwarder on each machine ships the Security and Sysmon event logs to the Splunk server, which is configured to receive and index them.
- Attack Simulation: Kali Linux is used to launch attacks against the domain environment (e.g., a password brute-force attack against a domain account). Atomic Red Team is used on the target machine for more advanced, ATT&CK-mapped attack scenarios.
- Defense and Analysis: Splunk collects the logs generated by the attack activity. You learn to search and analyze that data in Splunk for security monitoring and incident response.
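The setup steps above (domain controller promotion, a test account, the domain join, Sysmon and the Splunk forwarder) as one added PowerShell example. This is not code from the MyDFIR video or from this project; the domain name `lab.local`, the DC address `192.168.10.7`, the `LabUsers` OU, the `jsmith` account and its password, the Splunk index name `endpoint`, and the `C:\Tools` path for Sysmon and its config are all placeholders chosen for the example. The forwarder is assumed to be installed at its default path with the indexer address already entered during installation.

```powershell
# Added example (not part of the original project). Section 1 runs on the
# Windows Server 2022 VM as a local Administrator; sections 2 and 3 run on the
# Windows 10/11 VM. All names and addresses below are assumptions for the lab.

# --- 1. Domain controller (run on Windows Server 2022) ---------------------
$DomainName  = 'lab.local'                       # assumed lab domain
$NetbiosName = 'LAB'
$SafeModePwd = Read-Host -AsSecureString 'DSRM (safe mode) password'

# Install the AD DS role and promote this server to the first DC of a new forest.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $SafeModePwd -InstallDns -Force
# The server reboots here. Log back on as LAB\Administrator, then continue.

# Create an OU and a low-privilege user that the attack phase can target.
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name 'LabUsers' -Path 'DC=lab,DC=local'
# Deliberately weak lab password so a wordlist attack from Kali can succeed.
$UserPwd = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
New-ADUser -Name 'Jane Smith' -SamAccountName 'jsmith' `
    -UserPrincipalName 'jsmith@lab.local' -Path 'OU=LabUsers,DC=lab,DC=local' `
    -AccountPassword $UserPwd -Enabled $true

# Make sure failed logons and Kerberos failures are actually audited,
# otherwise the brute force leaves nothing in the Security log for Splunk.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

# --- 2. Domain join (run on Windows 10/11) ---------------------------------
# The workstation must resolve the domain through the DC's DNS before joining.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.7'  # assumed DC IP
$Cred = Get-Credential 'LAB\Administrator'
Add-Computer -DomainName 'lab.local' -Credential $Cred -Restart

# --- 3. Telemetry (run on each Windows machine after the reboot) -----------
# Sysmon with a config file; sysmonconfig.xml is assumed to be a community
# config (e.g. SwiftOnSecurity's) already downloaded to C:\Tools.
Set-Location 'C:\Tools'
.\Sysmon64.exe -accepteula -i sysmonconfig.xml

# Tell the Splunk Universal Forwarder which event logs to ship. The 'endpoint'
# index is assumed to already exist on the Splunk server.
$Inputs = @'
[WinEventLog://Security]
disabled = 0
index = endpoint

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = endpoint
renderXml = true
'@
$Local = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local'
New-Item -ItemType Directory -Path $Local -Force | Out-Null
Set-Content -Path (Join-Path $Local 'inputs.conf') -Value $Inputs
& 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe' restart
```

Two checks worth doing before moving on to the attack phase: `Get-ADUser jsmith` on the DC and `Get-ADComputer -Filter *` confirm the user and the joined workstation exist, and a search for `index=endpoint` in Splunk should already show Sysmon event ID 1 (process creation) records from both machines. If nothing arrives, the usual causes are the forwarder not knowing the indexer (outputs.conf) or port 9997 not being open on the Splunk server.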
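The Defense and Analysis step, as an added example that is not part of the original project: the same "many failed logons from one source" logic you would write as a Splunk search, implemented in PowerShell directly against the Security log of the attacked machine so the result can be compared with what Splunk shows. The threshold of 10 failures in 5 minutes is an assumed lab value, not a tuned detection rule.

```powershell
# Added example (not from the original project). Run on the Windows 10/11
# target (or the DC) after a brute-force run from Kali, e.g. against RDP.
# Security event ID 4625 = "An account failed to log on"; its EventData
# carries the target account, the logon type and the source IP address.

function Find-BruteForce {
    param(
        [int]$Threshold     = 10,   # failures from one source before we report it (assumed)
        [int]$WindowMinutes = 5     # look-back window in minutes (assumed)
    )

    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    # Flatten each event's XML EventData into a simple object.
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $d['IpAddress']         # '-' when the failure was local
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']         # 10 = RemoteInteractive (RDP), 3 = Network
        }
    }

    # Group by source address and report any source over the threshold,
    # which is the same shape as a 'stats count by source, user' search in Splunk.
    $rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            SourceIp   = $_.Name
            Failures   = $_.Count
            Users      = ($_.Group.User | Sort-Object -Unique) -join ','
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            FirstSeen  = $times[0]
            LastSeen   = $times[-1]
        }
    }
}

Find-BruteForce | Format-Table -AutoSize
```

The `Users` column is the useful signal: one source hammering many accounts is password spraying, one source hammering one account is a classic brute force. Two caveats for the lab: if Kali attacks Kerberos directly (a tool that sends AS-REQs to the DC) the failures appear on the domain controller as event ID 4771 (pre-authentication failed) rather than 4625, so the filter above must be widened; and if the audit policy was never enabled, `Get-WinEvent` simply returns nothing, which looks identical to "no attack" and is why the auditpol step belongs in the setup.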