medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update tech_docs/lab/ad_lab.md

Browse Source
This commit is contained in:
medusa
2025-06-30 06:15:57 +00:00
parent a9dbde12c1
commit caa37e13cb
1 changed files with 166 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
tech_docs/lab/ad_lab.md
View File

@@ -1,3 +1,169 @@
Great — aligning your AD lab to **real-world security frameworks** like **MITRE ATT\&CK**, **NIST 800-53**, and **CIS Controls** transforms it from a sandbox into a **credible training and validation environment**.
Lets develop a **solid, extensible lab guide** structured around **defensive hardening, offensive simulation, and detection/response**, explicitly mapped to real-world frameworks.
---
# 🧭 Active Directory Cybersecurity Lab: Framework-Aligned Guide
---
## ⚙️ 1. **Lab Design Philosophy**
**Purpose:**
To build a modular AD lab that supports:
* Simulating attacker TTPs from the **MITRE ATT\&CK Matrix**
* Testing controls mapped to **NIST 800-53** and **CIS Controls**
* Practicing defensive detection and incident response
**Target Users:**
* Red and Blue Teamers
* Security Engineers
* SOC Analysts
* Students preparing for certs (e.g., OSCP, GCED, AZ-500)
---
## 🗺️ 2. **Framework Alignment Overview**
| Framework | Role in Lab | How It Maps |
| ----------------- | -------------------------------------- | ----------------------------------------------- |
| **MITRE ATT\&CK** | Simulate real-world adversary behavior | TTPs via BloodHound, Mimikatz, Rubeus, Impacket |
| **NIST 800-53** | Compliance/hardening baseline | AC-2, AC-6, AU-6, CM-6, IA-5 mapped to GPOs |
| **CIS Controls** | Defensive controls and audit checks | Controls 4, 5, 6, 7, 8, 16 via logging, alerts |
---
## 🖥️ 3. **Lab Topology (Mermaid Diagram)**
```mermaid
graph TD;
A[Win Server 2019 - DC01] -->|AD DS| B[Domain: cyberlab.local];
B --> C[Win 10 Client - WKS01];
B --> D[Sysmon/Log Forwarding];
B --> E[SIEM - Ubuntu ELK or Splunk];
F[Kali Linux - Attacker] --> C;
F --> B;
B --> G[OU: Workstations];
B --> H[OU: Service Accounts];
B --> I[OU: Admins];
```
---
## 🛠️ 4. **Lab Machines**
| Hostname | OS | Role | Tooling |
| -------- | -------------- | ------------------ | ----------------------------------- |
| `DC01` | Windows Server | Domain Controller | AD DS, GPO, AD CS, DNS, Sysmon |
| `WKS01` | Windows 10 | Domain-joined host | User simulation, endpoint logs |
| `KALI01` | Kali Linux | Red Team | BloodHound, Mimikatz, CrackMapExec |
| `LOG01` | Ubuntu | SIEM | ELK or Splunk, Winlogbeat, Filebeat |
---
## 🧪 5. **Core Use Cases by Framework**
### ✅ MITRE ATT\&CK Mapping (Enterprise, Windows)
| Tactic | Technique | Tool | System |
| ----------------- | ------------------------------ | ------------ | ------ |
| Discovery | T1069.002 - AD Group Discovery | BloodHound | Kali |
| Credential Access | T1003.001 - LSASS Dumping | Mimikatz | Kali |
| Lateral Movement | T1021.002 - SMB/WinRM | Impacket | Kali |
| Priv. Escalation | T1055 - Process Injection | Rubeus | Kali |
| Persistence | T1053 - Scheduled Task | cmd/Taskschd | WKS01 |
### ✅ NIST 800-53 Example Mappings
| Control ID | Control Name | Lab Mapping |
| ---------- | ------------------------- | ------------------------------------- |
| AC-2 | Account Management | Create users/groups with lifecycles |
| AU-6 | Audit Review and Analysis | SIEM logs Sysmon + Event Logs |
| IA-5 | Authenticator Management | Enforce GPO password policies |
| CM-6 | Configuration Settings | Harden via GPOs (disable SMBv1, etc.) |
| AC-6 | Least Privilege | RBAC via Security Groups |
### ✅ CIS Controls (v8)
| CIS Control | Description | Implementation Example |
| ----------- | ------------------------ | ------------------------------------------- |
| 4 | Secure Configuration | CIS Benchmarks applied to Windows Server |
| 5 | Account Management | Lifecycle: user creation, disablement tests |
| 7 | Email and Web Protection | Simulate phishing or malicious doc delivery |
| 8 | Malware Defenses | Windows Defender + malicious binaries |
| 16 | Application Monitoring | SIEM alerting + process creation via Sysmon |
---
## 🧰 6. **Scenario Playbook Examples**
### 🔴 Attack Scenario 1: Kerberoasting
* Target: Service account with SPN
* Tools: `Rubeus`, `Impacket`, `Hashcat`
* Logs to expect: 4769 events in SIEM
### 🔵 Detection Scenario: Unusual Admin Logon
* Trigger: Admin logs in outside normal hours from a user PC
* Tooling: LogonTracer, SIEM alert rule
### ⚙️ Configuration Scenario: GPO Hardening
* Apply baselines via `LGPO.exe` or `Security Compliance Toolkit`
* Disable LM hashes, SMBv1, enable Defender ASR rules
---
## 📦 7. **Optional Enhancements**
| Feature | Purpose |
| --------------------------- | ----------------------------------- |
| ADCS (Certificate Services) | Golden ticket, relay attacks |
| GPO Backdoor Simulation | Persistence and detection scenarios |
| Azure AD Connect | Hybrid attack simulation |
| DCSync/Golden Ticket Labs | Advanced credential theft tactics |
---
## 📁 8. **Suggested Repo Structure (GitHub-Ready)**
```bash
ad-cyberlab/
├── docs/
│ ├── framework_mappings.md
│ ├── attack_scenarios.md
│ └── setup_guide.md
├── diagrams/
│ └── topology.mmd
├── configs/
│ ├── gpos/
│ └── sysmon-config.xml
├── scripts/
│ └── user-gen.ps1
├── detections/
│ └── elastic-rules.yml
└── README.md
```
---
## ✅ Next Steps
Would you like me to generate:
1. The **initial GitHub-ready lab repo structure and README**?
2. A few **MITRE-mapped attack walkthroughs** (step-by-step)?
3. The **GPO hardening starter pack** mapped to CIS/NIST?
Let me know what you want help building out first — I can generate clean code, scripts, detection rules, and markdown docs to get you production-ready.
---
# Active Directory Setup Framework for Cybersecurity Testing
## Overview