Track 06 — Active Directory & Windows Security¶
The enterprise runs on Active Directory, and so do most intrusions. Learn the Windows and AD security model by attacking it and then closing the paths as code.
What you'll be able to do¶
- Enumerate an AD environment and read its attack paths.
- Execute and explain the core Kerberos and credential attacks.
- Find a path to Domain Admin and walk it.
- Detect those attacks and harden the domain as code.
Modules¶
| # | Module | What you'll learn | OSS tools |
|---|---|---|---|
| 01 | AD & Windows Security Model | Domains, trusts, tokens, and auth | — |
| 02 | Enumeration | Mapping users, groups, and paths | BloodHound, SharpHound |
| 03 | Kerberos Attacks | Kerberoasting and AS-REP roasting | impacket, Rubeus |
| 04 | Credential Theft & Replay | Pass-the-hash / pass-the-ticket | impacket, mimikatz |
| 05 | ACL & Delegation Abuse | Object permissions and delegation paths | BloodHound, PowerView |
| 06 | Lateral Movement | Moving host to host inside the domain | impacket, crackmapexec |
| 07 | Persistence in AD | Golden/silver tickets and other footholds | impacket |
| 08 | Path to Domain Admin | Chaining findings to full control | BloodHound |
| 09 | Detecting AD Attacks | Event logs, honeytokens, and signals | sigma, wazuh |
| 10 | Hardening AD as Code | Tiering, baselines, and measuring posture | PingCastle |
| 11 | Defending Identity | Protecting Kerberos, GPO, and delegation | — |
Phases & projects¶
The eleven modules run in three phases; each ends in a project that integrates its modules (a phase is the substantial, standalone unit — a single module is a few hours). Build and attack your own lab domain (GOAD or a local eval VM) only.
- Phase 1 · Map & break in (01–05) — Project: from a single low-privilege user, enumerate the domain with BloodHound, then execute and document the core credential attacks — Kerberoast/AS-REP, pass-the-hash/ticket, and one ACL or delegation abuse — each tied to its ATT&CK technique.
- Phase 2 · Own the domain (06–08) — Project: chain those findings into a single, replayable path from foothold to Domain Admin — lateral movement, a persistence foothold (golden/silver ticket), and the BloodHound path that explains why it works.
- Phase 3 · Detect & defend (09–11) — Project: the track capstone — close the path you walked: write detections for each step, harden AD as code, and report the before/after PingCastle posture score alongside the attack path and the detections.
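The Phase 2 deliverable is a path that "explains why it works": a chain of BloodHound edges from the foothold to Domain Admins, plus proof that the path is gone once the abused edge is closed. The following is an added example, not BloodHound's own code or anything from the track scaffold: it walks a small constructed graph using the same edge kinds BloodHound collects (MemberOf, GenericAll, AdminTo, HasSession, CanRDP), prints what each hop costs the attacker together with its ATT&CK technique, and then shows the path disappearing when the ACL hop is removed. The domain LAB.LOCAL, every principal and every edge are invented for the illustration.

```python
"""Read and close an attack path in a BloodHound-style graph.

Added example, not BloodHound's code. The edge kinds (MemberOf, GenericAll,
AdminTo, HasSession, CanRDP) are the ones BloodHound collects; the domain
LAB.LOCAL, every principal name and every edge are constructed for this
illustration.
"""
from collections import deque

# Constructed edge list: (source, edge kind, target).
EDGES = [
    ("ALICE@LAB.LOCAL", "MemberOf", "HELPDESK@LAB.LOCAL"),
    ("HELPDESK@LAB.LOCAL", "GenericAll", "SVC_BACKUP@LAB.LOCAL"),  # ACL abuse
    ("SVC_BACKUP@LAB.LOCAL", "AdminTo", "SRV01.LAB.LOCAL"),        # local admin
    ("SRV01.LAB.LOCAL", "HasSession", "BOB@LAB.LOCAL"),            # creds in LSASS
    ("BOB@LAB.LOCAL", "MemberOf", "DOMAIN ADMINS@LAB.LOCAL"),
    ("ALICE@LAB.LOCAL", "CanRDP", "WS07.LAB.LOCAL"),               # dead end
]

# How each edge kind is turned into the next hop, with its ATT&CK technique.
TECHNIQUE = {
    "MemberOf": ("inherit the group's rights", "T1078.002"),
    "GenericAll": ("reset the password, or add an SPN and Kerberoast it", "T1098"),
    "AdminTo": ("execute as local admin, e.g. impacket psexec/wmiexec", "T1021.002"),
    "HasSession": ("dump the logged-on user's credentials from LSASS", "T1003.001"),
    "CanRDP": ("interactive logon", "T1021.001"),
}


def adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the hops [(src, kind, dst), ...] or None."""
    adj = adjacency(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in parent:
        return None
    hops, node = [], goal
    while parent[node] is not None:
        prev, kind = parent[node]
        hops.append((prev, kind, node))
        node = prev
    return hops[::-1]


def explain(hops):
    """One line per hop: what the attacker does and the ATT&CK ID."""
    return [f"{s} -[{k}]-> {d}: {TECHNIQUE[k][0]} ({TECHNIQUE[k][1]})"
            for s, k, d in hops]


def without(edges, *removed):
    """The graph after hardening: the listed edges no longer exist."""
    return [e for e in edges if e not in removed]


if __name__ == "__main__":
    start, goal = "ALICE@LAB.LOCAL", "DOMAIN ADMINS@LAB.LOCAL"
    for line in explain(shortest_path(EDGES, start, goal)):
        print(line)
    # Closing the ACL hop (HELPDESK's GenericAll on SVC_BACKUP) breaks the path.
    hardened = without(EDGES, ("HELPDESK@LAB.LOCAL", "GenericAll", "SVC_BACKUP@LAB.LOCAL"))
    print("path after hardening:", shortest_path(hardened, start, goal))
```

The `without` call is the capstone's "close it" step in miniature: you remove exactly the edge you abused and re-run the search. In a real lab the equivalent is fixing the DACL and re-collecting with SharpHound, then confirming BloodHound no longer finds a route; a shortest path is only one route, so check that no alternative path remains rather than stopping at the first hit.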
Prerequisites¶
Complete Track 00 — Foundations first; Track 01 — Offensive is helpful.
Build your own lab domain (e.g. GOAD — Game of Active Directory, or a local Windows eval VM). Only attack environments you own.
Capstone¶
Find an attack path from a low-privilege user to Domain Admin in a lab domain, walk it, then close it: harden as code and write detections for each step you used. Deliverable: the attack path, the before/after posture score, and the detections.
The starter scaffold and acceptance checks live in
plaintext-labs/active-directory/capstone/.
Capstone rubric¶
You must walk the path, then close it and prove it's closed. Proficient is the bar to ship.
| Dimension | Developing | Proficient | Exemplary |
|---|---|---|---|
| Attack path | One technique run in isolation | Low-priv → Domain Admin path walked, each hop (Kerberos/ACL/cred theft/lateral) validated in the lab | BloodHound path confirmed by hand, alternative paths noted, each step mapped to ATT&CK |
| Hardening as code | Manual GPO clicks, not reproducible | Each abused step closed via reviewed config-as-code (GPO/PowerShell/Ansible) | Tiering/least-privilege applied; changes are idempotent and re-runnable |
| Posture measurement | No before/after, claims only | PingCastle (or equivalent) score before and after, with the delta | Score delta tied to specific paths closed; residual risk acknowledged |
| Detections | No detection for the steps used | A detection per attack step used, tested to fire on the lab activity | Honeytoken or behaviour-based detection beyond signatures; FP-tested |
| Write-up | Screenshots without narrative | Clear before/after story a blue and red reader can follow | Reproducible: lab build, attack, fix, and detection all documented end to end |
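The Detections row asks for one rule per attack step, tested to fire on the lab activity, and rewards a honeytoken or behaviour-based rule over a plain signature. The following is an added example, not the page's, Sigma's or Wazuh's code: it runs both kinds of rule for the Kerberoasting step over Windows Security event ID 4769 records (A Kerberos service ticket was requested). The events, the LAB.LOCAL names, the decoy account `svc_honey` and the threshold and window are all constructed for the illustration; a real pipeline would read the same fields from the Security log via your SIEM.

```python
"""Two detections for Kerberoasting over Windows Security event ID 4769.

Added example, not the page's or any SIEM's code. Each event is a dict with
the 4769 fields that matter: TargetUserName (the account requesting the
ticket), ServiceName (the account that owns the SPN), TicketEncryptionType
(0x17 = RC4-HMAC, 0x12 = AES256) and IpAddress. The events, the LAB.LOCAL
names, the decoy account svc_honey and the thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
# Hypothetical honeytoken: an account given an SPN that no real service uses,
# so any ticket request for it is enumeration or roasting, never legitimate.
HONEYTOKEN_SPN_ACCOUNTS = {"svc_honey"}


def ev(time, user, service, etype, ip, event_id=4769):
    return {"time": time, "EventID": event_id, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample log: alice roasts six SPNs in 30 s, bob uses AES normally,
# dave's RC4 request is for a machine account, carol touches the honeytoken.
EVENTS = [
    ev("2024-05-01T09:00:01", "alice@LAB.LOCAL", "svc_sql",    "0x17", "10.0.0.5"),
    ev("2024-05-01T09:00:03", "alice@LAB.LOCAL", "svc_web",    "0x17", "10.0.0.5"),
    ev("2024-05-01T09:00:07", "alice@LAB.LOCAL", "svc_backup", "0x17", "10.0.0.5"),
    ev("2024-05-01T09:00:12", "alice@LAB.LOCAL", "svc_exch",   "0x17", "10.0.0.5"),
    ev("2024-05-01T09:00:20", "alice@LAB.LOCAL", "svc_sccm",   "0x17", "10.0.0.5"),
    ev("2024-05-01T09:00:31", "alice@LAB.LOCAL", "svc_ftp",    "0x17", "10.0.0.5"),
    ev("2024-05-01T09:00:40", "alice@LAB.LOCAL", "krbtgt",     "0x12", "10.0.0.5", event_id=4768),
    ev("2024-05-01T09:05:00", "bob@LAB.LOCAL",   "svc_sql",    "0x12", "10.0.0.9"),
    ev("2024-05-01T09:41:10", "bob@LAB.LOCAL",   "svc_web",    "0x12", "10.0.0.9"),
    ev("2024-05-01T09:50:00", "dave@LAB.LOCAL",  "SRV01$",     "0x17", "10.0.0.12"),
    ev("2024-05-01T10:15:00", "carol@LAB.LOCAL", "svc_honey",  "0x12", "10.0.0.77"),
]


def kerberoast_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Behavioural rule: an account that requests at least `threshold` distinct
    RC4 service tickets for user (non-machine) SPNs inside `window`.
    Returns {requester: set of service accounts requested}."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Machine accounts have long random passwords, so their tickets are not
        # crackable and only add noise; krbtgt is the TGT service, not an SPN target.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        lo = 0
        for hi in range(len(reqs)):  # sliding window over time-sorted requests
            while reqs[hi][0] - reqs[lo][0] > window:
                lo += 1
            spns = {s for _, s in reqs[lo:hi + 1]}
            if len(spns) >= threshold:
                hits[user] = spns
    return hits


def honeytoken_hits(events):
    """Signature-free rule: any service-ticket request for a decoy SPN account."""
    return [(e["TargetUserName"], e["IpAddress"])
            for e in events
            if e["EventID"] == 4769 and e["ServiceName"].lower() in HONEYTOKEN_SPN_ACCOUNTS]


if __name__ == "__main__":
    print("kerberoasting:", kerberoast_bursts(EVENTS))
    print("honeytoken:", honeytoken_hits(EVENTS))
```

The RC4 filter is the classic Kerberoasting signal because roasting tools request RC4 tickets to get a cheaper hash to crack, but it misses an attacker who roasts accounts whose tickets come back AES; the honeytoken rule has no such blind spot, which is why the rubric ranks it above a signature. Test both against the lab run as the rubric asks, and test the burst rule against a day of normal traffic for false positives before tuning `threshold` and `window`.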
AI & automation¶
AI summarises BloodHound paths and drafts detection logic, but the domain is unforgiving of hallucination — every path is validated in the lab, and generated hardening is reviewed before it touches Group Policy. AI accelerates the analysis; you own the change.
Standards & further reading¶
- MITRE ATT&CK (Enterprise) — Credential Access, Lateral Movement, Persistence
- Microsoft AD security and tiering guidance
- The BloodHound and Impacket documentation