Active Directory Project

Overview of ADDS

In this project, I set up 4 virtual machines: an attacking machine (Kali), a victim machine (Windows 10), a Splunk server, and an ADDS (Active Directory Domain Services) machine. With this setup I can attack the Windows 10 machine, generate events that Splunk logs, and learn to recognize a brute-force attack from those logs.

Set-up of Splunk Universal Forwarder with Sysmon

This section shows the set-up of the Splunk Universal Forwarder (UF) on both the Active Directory machine and my Windows 10 machine (the WindowsAD VM). I installed Splunk UF and assigned the correct IP addresses to each machine so they could communicate with the Splunk server. Then I installed Sysmon (Sysinternals) with a configuration file so that it monitors system activity and logs it to the Windows event log. I also had to add a custom .conf file to Splunk's system local directory; it tells the Splunk UF what to send to the Splunk server: the Application, Security, and System channels under WinEventLog, all into the 'endpoint' index. Now when I search "index=endpoint" on my Splunk server I can see my two hosts: ADDC01 (the ADDS machine) and Target-PC (the Windows 10 machine).
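For reference, this is the shape such a forwarder input file takes. It is an added example, not the project's own file: a Splunk UF reads it from $SPLUNK_HOME/etc/system/local/inputs.conf, and the three WinEventLog stanzas match the channels named above. The Sysmon stanza is an assumption on my part, since the write-up mentions Sysmon but does not list its channel.

```ini
# Added example inputs.conf for the Splunk Universal Forwarder.
# Each stanza is one Windows event log channel; "index = endpoint" sends
# everything to the index searched with "index=endpoint" on the server.

[WinEventLog://Application]
index = endpoint
disabled = false

[WinEventLog://Security]
index = endpoint
disabled = false

[WinEventLog://System]
index = endpoint
disabled = false

# Assumed: Sysmon writes to its own channel, so it needs a stanza of its own
# or its process/network events never leave the host.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
```

Two checks worth doing after dropping this file in place: the 'endpoint' index has to exist on the Splunk server before any of these events will land (otherwise they are silently dropped), and the forwarder still needs its forward-server set to the Splunk server's receiving port, or the stanzas collect events that never leave the host.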

ADDS

On the Active Directory machine I installed ADDS and promoted the server to a domain controller. I created a new forest with 'mydfir.local' as the root domain name so that users could log in to the domain from the Windows 10 machine. I then joined the Windows 10 machine to the domain by changing its domain name under the computer's advanced system settings.

Signing in

I created two groups in Active Directory, an IT department and an HR department, and added one user to each: 'Jenny Smith' with the username 'jsmith' and 'Terry Smith' with the username 'tsmith'. The second screenshot shows that I configured the domain correctly, since "MYDFIR" appears as the domain. I was able to log in successfully as 'jsmith' with the assigned password.

Attacking

After everything was set up, I used my Kali machine to launch an attack against the Windows 10 machine. I used Crowbar to brute-force the system using the elements I already knew: the username and port 3389 for RDP. I created a short 'password.txt' file whose last entry was jsmith's password, and the attack succeeded.

Logs

Back on my Splunk server, I can search the endpoint index over the last 15 minutes and see event code 4625 ("Failed Logon Attempts") occurring 20 times. The timestamps of these events point to a brute-force attack, since the attempts are closely spaced in time. When I investigated further and clicked on the successful logon, I could see that the source workstation was my Kali machine, with the IP address I had assigned it.
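The pattern described here, a burst of 4625 events followed by a 4624 from the same source, is easy to turn into a detection rule. The following is an added example and not part of the original project: a small Python detector run over constructed sample events shaped like the fields Splunk extracts from WinEventLog:Security. The IP addresses, timestamps and the Kali workstation name are made up; the threshold and window are assumptions a real rule would tune.

```python
"""Detect an RDP brute-force pattern in Windows Security events.

Added example for this write-up; not code from the original project.
The events below are constructed sample data shaped like the fields Splunk
extracts from WinEventLog:Security (EventCode 4625 = failed logon,
4624 = successful logon, Logon_Type 10 = RemoteInteractive, i.e. RDP).
IP addresses, timestamps and workstation names are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # failures per (source IP, account) that raise an alert (assumed)
WINDOW = timedelta(minutes=5)  # sliding window the failures must fall inside (assumed)


def _event(ts, code, user, src_ip, workstation, logon_type=10):
    """Build one event record using the field names Splunk gives WinEventLog data."""
    return {
        "_time": ts,
        "EventCode": code,
        "Account_Name": user,
        "Source_Network_Address": src_ip,
        "Workstation_Name": workstation,
        "Logon_Type": logon_type,
    }


def build_sample_events():
    """Constructed sample: 20 rapid failures for jsmith from one source, then a
    success from that same source, plus one benign mistyped password by tsmith."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    attacker = "192.168.10.250"  # placeholder for the Kali host's address
    events = [
        _event(base + timedelta(seconds=i), 4625, "jsmith", attacker, "kali")
        for i in range(20)
    ]
    events.append(_event(base + timedelta(seconds=21), 4624, "jsmith", attacker, "kali"))
    # Benign noise: a single typo from the user's own workstation, then a normal logon.
    events.append(_event(base + timedelta(minutes=2), 4625, "tsmith", "192.168.10.101", "TARGET-PC"))
    events.append(_event(base + timedelta(minutes=2, seconds=10), 4624, "tsmith", "192.168.10.101", "TARGET-PC"))
    return events


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per (source IP, account) whose 4625 count inside the
    sliding window reaches `threshold`.  A 4624 from the same source and
    account within the window marks the alert as a likely successful
    brute force, which is exactly the case observed in this lab."""
    recent_fails = defaultdict(deque)  # key -> 4625 timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["Source_Network_Address"], ev["Account_Name"])
        fails = recent_fails[key]
        if ev["EventCode"] == 4625:
            fails.append(ev["_time"])
            while fails and ev["_time"] - fails[0] > window:  # expire old failures
                fails.popleft()
            if key in alerts:
                alerts[key]["failures"] += 1
                alerts[key]["last_failure"] = ev["_time"]
            elif len(fails) >= threshold:
                alerts[key] = {
                    "src_ip": key[0],
                    "user": key[1],
                    "workstation": ev["Workstation_Name"],
                    "failures": len(fails),
                    "first_failure": fails[0],
                    "last_failure": ev["_time"],
                    "success_at": None,
                    "severity": "high",
                }
        elif ev["EventCode"] == 4624 and key in alerts:
            alert = alerts[key]
            if alert["success_at"] is None and ev["_time"] - alert["last_failure"] <= window:
                alert["success_at"] = ev["_time"]
                alert["severity"] = "critical"  # the password was eventually guessed
    return sorted(alerts.values(), key=lambda a: a["first_failure"])


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_events()):
        tail = (f"success at {alert['success_at']:%H:%M:%S}"
                if alert["success_at"] else "no success seen")
        print(f"[{alert['severity']}] {alert['failures']} failed logons for {alert['user']} "
              f"from {alert['src_ip']} ({alert['workstation']}); {tail}")
```

Keying on source address plus account is what separates the attack from ordinary noise: tsmith's single typo never reaches the threshold, while the 20 failures from the Kali address do, and the 4624 that follows upgrades that alert rather than creating a second one. The same grouping is what a Splunk search over index=endpoint would do with a stats count by Account_Name and Source_Network_Address.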

Conclusion

This lab taught me many things. There were many elements to set up, but it gave me an understanding of how servers are configured, how organizations set up their domains, and how they allow many different users to sign in. It also gave me hands-on experience with Splunk and with searching through logs.

I will keep this setup handy, practice attacks from the Kali machine, and then see whether I can identify each attack I created on the Splunk server. Of course, in the real world there will be far more complicated and sophisticated attacks that are harder to detect. Still, this will teach me to think like both an attacker and a defender!