Lab Setup

Users
Sales
├── jdoe -> Summer2025!
├── alice.smith -> password123!
└── rjohnson -> MarketingRocks!
Marketing
├── emilyw -> SecurePass#7
├── davidb -> 12345678D!
└── sarahg -> CreativeMind@24
IT
├── admin_it -> P@ssw0rdS3cur3!
├── tech_support -> DevOps!42
└── network_ops -> Spring2025!
HR
├── hr_manager -> HR_Confidential!
├── alewis -> P@ssw0rd123!
└── danderson -> PayRoll$ystem!
Engineering
└── dclark -> C30_S3cur3P@ssw0rd!
Attack Scenario
The attacker obtained the NTLM hash of the user alice.smith on COM02 and successfully cracked it. Using these credentials, the attacker logged into COM02. During enumeration, they identified a Kerberoastable user, alewis, and extracted their credentials.

The attacker then authenticated to COM01 using alewis's credentials. Further enumeration revealed another user account. A password spraying attack was performed, successfully compromising the credentials of sarahg. The sarahg account had the SeTakeOwnershipPrivilege, which the attacker leveraged to take ownership of a file on COM01 containing the credentials of another user, tech_support.

The attacker then used tech_support's credentials to authenticate to COM04, where they discovered a user with GenericAll permissions. They deployed Inveigh.ps1 to capture the NTLM hash of this user, danderson.

After cracking danderson's hash, the attacker authenticated as this user and added themselves to the Domain Admins group. They subsequently performed a DCSync attack. As a result, the attacker obtained the NTLM hash of the domain Administrator, authenticated to the Domain Controller, and implemented several persistence mechanisms, including Golden Ticket creation, adding a malicious shortcut, and modifying registry keys.

Finally, the attacker dumped the NTDS.dit file, collected several sensitive files, archived them, and exfiltrated the data to their own machine via an SMB share.
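The scenario above is the activity the lab's log pipeline is meant to surface. The following added example (not part of this lab page) shows the detection logic an analyst would run over the Security events Winlogbeat ships, for four of the stages: the password spray against COM01, the Kerberoast of alewis, the addition of danderson to Domain Admins, and the DCSync. The events are constructed samples with field names mirroring the Windows Security log; the host name DC01, the IP addresses and the domain LAB.LOCAL are assumptions, while the user and host names otherwise come from the scenario.

```python
# Added example (not part of the lab page): detection checks for several
# stages of the attack chain, run over constructed Windows Security events.
# Host "DC01", the IP addresses and the domain "LAB.LOCAL" are assumptions.
from collections import defaultdict

# Well-known extended-rights GUIDs that DCSync relies on
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events in chronological order.
SAMPLE_EVENTS = [
    # Password spray from one source against several accounts on COM01
    {"event_id": 4625, "host": "COM01", "TargetUserName": "emilyw", "IpAddress": "10.0.0.12"},
    {"event_id": 4625, "host": "COM01", "TargetUserName": "davidb", "IpAddress": "10.0.0.12"},
    {"event_id": 4625, "host": "COM01", "TargetUserName": "rjohnson", "IpAddress": "10.0.0.12"},
    {"event_id": 4624, "host": "COM01", "TargetUserName": "sarahg", "IpAddress": "10.0.0.12"},
    # A single mistyped password from another workstation must not alert
    {"event_id": 4625, "host": "COM02", "TargetUserName": "jdoe", "IpAddress": "10.0.0.30"},
    # Kerberoast: TGS request for a user service account with RC4 (0x17)
    {"event_id": 4769, "host": "DC01", "TargetUserName": "alice.smith@LAB.LOCAL",
     "ServiceName": "alewis", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.12"},
    # Normal AES TGS request for a computer account: benign
    {"event_id": 4769, "host": "DC01", "TargetUserName": "jdoe@LAB.LOCAL",
     "ServiceName": "COM04$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.30"},
    # danderson adds themselves to Domain Admins
    {"event_id": 4728, "host": "DC01", "SubjectUserName": "danderson",
     "MemberName": "CN=danderson,CN=Users,DC=LAB,DC=LOCAL", "TargetUserName": "Domain Admins"},
    # DCSync: directory replication rights exercised by a user account
    {"event_id": 4662, "host": "DC01", "SubjectUserName": "danderson",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def detect_password_spray(events, min_users=3):
    """Return source IPs whose 4625 failures hit at least min_users distinct accounts."""
    users_by_source = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625:
            users_by_source[e["IpAddress"]].add(e["TargetUserName"])
    return sorted(ip for ip, users in users_by_source.items() if len(users) >= min_users)


def detect_kerberoast(events):
    """Return (requester, service) pairs for RC4 TGS requests to non-computer accounts."""
    hits = []
    for e in events:
        if e["event_id"] != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts and the KDC account are expected requests
        hits.append((e["TargetUserName"], svc))
    return hits


def detect_privileged_group_add(events):
    """Return (actor, group) for additions to high-value groups (4728 global, 4756 universal)."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["event_id"] in (4728, 4756) and e["TargetUserName"] in PRIVILEGED_GROUPS]


def detect_dcsync(events):
    """Return user accounts that exercised replication rights (4662 with replication GUIDs)."""
    hits = []
    for e in events:
        if e["event_id"] != 4662 or e["SubjectUserName"].endswith("$"):
            continue  # domain controllers replicate legitimately; only flag user principals
        props = e.get("Properties", "").lower()
        if any(guid in props for guid in REPLICATION_GUIDS):
            hits.append(e["SubjectUserName"])
    return hits


def run_all(events=SAMPLE_EVENTS):
    """Run every check and return the findings keyed by technique."""
    return {
        "password_spray_sources": detect_password_spray(events),
        "kerberoast": detect_kerberoast(events),
        "privileged_group_add": detect_privileged_group_add(events),
        "dcsync": detect_dcsync(events),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

Each check keys on the same Security event IDs an ELK rule would use, so the thresholds and allow-lists (the distinct-user count for spraying, the computer-account and krbtgt exclusions for 4769, the `$` filter on 4662 subjects) are the knobs to tune against the lab's baseline traffic before relying on them.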
Winlogbeat must be installed on both the Windows Server and the Windows machines so that their event logs are shipped to the ELK stack.
Refer to this guide for detailed instructions on installing and configuring it: https://faresbltagy.gitbook.io/footprintinglabs/build-elk-lab/set-up-winlogbeat-and-filebeat-for-log-collection.