Built an intentionally vulnerable Active Directory environment to practice the complete attack chain, from initial reconnaissance to Domain Admin compromise, and to implement the corresponding detections.
Overview
Active Directory is the identity backbone of the vast majority of enterprise environments and the most targeted attack surface in internal network compromises. This lab replicates a realistic SME AD setup with deliberately misconfigured accounts, then runs the attacker and defender roles in sequence using the same infrastructure.
Infrastructure
- Proxmox hypervisor with two isolated network bridges (physical LAN + dedicated AD network 10.10.20.0/24)
- pfSense as the perimeter router/firewall with Suricata IDS
- Windows Server 2022 Domain Controller (DC01, domain lab.local)
- Windows 10 Pro client joined to the domain
- Parrot OS (physical laptop) as the attack machine
Intentional misconfigurations
| Account | Vulnerability | Attack |
|---|---|---|
| svc-sql | SPN set on a user account | Kerberoasting |
| svc-backup | Pre-authentication disabled | AS-REP Roasting |
| bob.dupont | Domain Admin, weak password | Lateral movement target |
| alice.martin | Standard user, entry point | Initial foothold |
Planned attack chain
Planned defensive phase
- Windows Event logging (Event IDs 4768, 4769, 4771 for Kerberos anomalies)
- Sysmon deployment for process and network telemetry
- Suricata rules for lateral movement patterns
- Potential SIEM integration
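As an added example (not code from the original lab), a minimal detector for the two roasting attacks in the table above, run over constructed 4768/4769 records. It assumes a collector has flattened the event XML into key=value lines; the second SPN (svc-web) and the IP addresses are constructed sample values.

```python
from collections import defaultdict

RC4_HMAC = "0x17"    # TicketEncryptionType for RC4-HMAC, the enctype that marks a roastable ticket
PREAUTH_NONE = "0"   # PreAuthType 0 in a 4768 event: no pre-authentication was required
ROAST_THRESHOLD = 2  # distinct user-backed SPNs requested with RC4 from one source before alerting

# Constructed sample records (assumption: a collector flattened the event XML into key=value lines).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice.martin@LAB.LOCAL ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.10.20.50",
    "EventID=4769 TargetUserName=alice.martin@LAB.LOCAL ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.10.20.50",
    "EventID=4769 TargetUserName=alice.martin@LAB.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.10.20.50",
    "EventID=4768 TargetUserName=svc-backup ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.20.50",
    "EventID=4768 TargetUserName=bob.dupont ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.20.10",
]

def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split())

def detect_roasting(lines):
    """Return a list of (rule, source_ip, subject, detail) findings for the given records."""
    findings = []
    rc4_spns = defaultdict(set)  # source IP -> user-backed service names requested with RC4
    for e in map(parse_event, lines):
        if e["EventID"] == "4769":
            # Service ticket request: RC4 for a user-backed SPN (no trailing '$', so not a
            # machine account) is the Kerberoasting signature; aggregate per source.
            if e["TicketEncryptionType"] == RC4_HMAC and not e["ServiceName"].endswith("$"):
                rc4_spns[e["IpAddress"]].add(e["ServiceName"])
        elif e["EventID"] == "4768":
            # TGT request with no pre-auth and an RC4-encrypted reply: AS-REP roasting of that account.
            if e.get("PreAuthType") == PREAUTH_NONE and e["TicketEncryptionType"] == RC4_HMAC:
                findings.append(("asrep_roast", e["IpAddress"], e["TargetUserName"], e["ServiceName"]))
    for ip, spns in rc4_spns.items():
        if len(spns) >= ROAST_THRESHOLD:
            findings.append(("kerberoast", ip, ",".join(sorted(spns)), f"{len(spns)} RC4 SPNs"))
    return findings

if __name__ == "__main__":
    for finding in detect_roasting(SAMPLE_EVENTS):
        print(finding)
```

The threshold and the machine-account filter are a starting point; in a real estate they need tuning against the accounts that legitimately still negotiate RC4.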
Why this matters
AD attacks account for the majority of ransomware intrusion paths. Kerberoasting, Pass-the-Hash, and DCSync are standard OSCP-level techniques and standard blue team detection requirements. Running both sides of the same lab builds the dual understanding that separates a security engineer from a tool operator.