Lab Setup

Users

Sales
├── jdoe         -> Summer2025!
├── alice.smith  -> password123!
└── rjohnson     -> MarketingRocks!

Marketing
├── emilyw       -> SecurePass#7
├── davidb       -> 12345678D!
└── sarahg       -> CreativeMind@24

IT
├── admin_it     -> P@ssw0rdS3cur3!
├── tech_support -> DevOps!42
└── network_ops  -> Spring2025!

HR
├── hr_manager   -> HR_Confidential!
├── alewis       -> P@ssw0rd123!
└── danderson    -> PayRoll$ystem!

Engineering
└── dclark       -> C30_S3cur3P@ssw0rd!

Attack Scenario

  1. The attacker obtained the NTLM hash of the user alice.smith on COM02 and successfully cracked it.

  2. Using these credentials, the attacker logged into COM02. During enumeration, they identified a Kerberoastable user, alewis, and extracted their credentials.

  3. The attacker then authenticated to COM01 using alewis's credentials. Further enumeration revealed another user account. A password spraying attack was performed, successfully compromising the credentials of sarahg.

  4. The sarahg account had the SeTakeOwnershipPrivilege, which the attacker leveraged to take ownership of a file containing the credentials of another user on COM01, tech_support.

  5. The attacker then used tech_support's credentials to authenticate to COM04, where they discovered a user with GenericAll permissions. They deployed Inveigh.ps1 to capture the NTLM hash of this user, danderson.

  6. After cracking danderson's hash, the attacker authenticated as this user and added themselves to the Domain Admins group. They subsequently performed a DCSync attack.

  7. As a result, the attacker obtained the NTLM hash of the domain Administrator, authenticated to the Domain Controller, and implemented several persistence mechanisms, including Golden Ticket creation, adding a malicious shortcut, and modifying registry keys.

  8. Finally, the attacker dumped the NTDS.dit file, collected several sensitive files, archived them, and exfiltrated the data to their own machine via an SMB share.

Winlogbeat must be installed on both the Windows Server and the Windows Machines to transmit logs to the ELK stack.

Refer to this guide for detailed instructions on installing and configuring it: https://faresbltagy.gitbook.io/footprintinglabs/build-elk-lab/set-up-winlogbeat-and-filebeat-for-log-collection.
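As an added example (not part of this lab page), here is a small Python rule set that runs over constructed Winlogbeat-style Security event records to flag the steps of the scenario above once the logs reach ELK: the RC4 service-ticket request behind the Kerberoast, the failed-logon burst of the password spray, the Domain Admins addition, and the replication rights requested by DCSync. The flattened field names, the host name DC01, the source IP and the spray threshold are assumptions for this lab; the event IDs and the DS-Replication GUIDs are the standard Windows values.

```python
# Constructed sample events in a simplified, flattened Winlogbeat-like shape
# (not real lab output); only the fields the rules below need are included.
SAMPLE_EVENTS = [
    {"event_id": 4769, "host": "COM02", "user": "alice.smith", "service": "alewis", "etype": "0x17"},
    {"event_id": 4625, "host": "COM01", "user": "emilyw", "src_ip": "10.0.0.5"},
    {"event_id": 4625, "host": "COM01", "user": "davidb", "src_ip": "10.0.0.5"},
    {"event_id": 4625, "host": "COM01", "user": "sarahg", "src_ip": "10.0.0.5"},
    {"event_id": 4728, "host": "DC01", "user": "danderson", "group": "Domain Admins", "member": "danderson"},
    {"event_id": 4662, "host": "DC01", "user": "danderson",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

# Control-access-right GUIDs used by DCSync: DS-Replication-Get-Changes and -Get-Changes-All.
DCSYNC_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
SPRAY_THRESHOLD = 3  # distinct accounts failing from one source IP (assumed value, tune for the lab)


def detect(events):
    """Return a list of (rule, detail) findings for the scenario steps visible in the events."""
    findings = []
    spray = {}  # src_ip -> set of accounts with a failed logon (4625)
    for e in events:
        eid = e["event_id"]
        if eid == 4769 and e.get("etype") == "0x17":  # RC4 TGS request: Kerberoast indicator
            findings.append(("kerberoast", f"{e['user']} requested RC4 TGS for {e['service']} on {e['host']}"))
        elif eid == 4625:
            spray.setdefault(e["src_ip"], set()).add(e["user"])
        elif eid == 4728 and e.get("group") == "Domain Admins":  # 4728: member added to a global group
            findings.append(("domain_admins_add", f"{e['user']} added {e['member']} to Domain Admins"))
        elif eid == 4662 and any(g in e.get("properties", "") for g in DCSYNC_GUIDS):
            findings.append(("dcsync", f"{e['user']} requested replication rights on {e['host']}"))
    for ip, accounts in spray.items():
        if len(accounts) >= SPRAY_THRESHOLD:  # many accounts, one source: spray rather than a typo
            findings.append(("password_spray", f"{ip} had failed logons for {len(accounts)} accounts"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The 4662 rule should additionally be scoped to accounts that are not domain controllers in a real deployment, since DCs legitimately request these rights from each other.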
