diff --git a/tech_docs/lab/ad_lab.md b/tech_docs/lab/ad_lab.md index 0dc0ad9..9842556 100644 --- a/tech_docs/lab/ad_lab.md +++ b/tech_docs/lab/ad_lab.md 
@@ -1,3 +1,169 @@ +Great β€” aligning your AD lab to **real-world security frameworks** like **MITRE ATT\&CK**, **NIST 800-53**, and **CIS Controls** transforms it from a sandbox into a **credible training and validation environment**. + +Let’s develop a **solid, extensible lab guide** structured around **defensive hardening, offensive simulation, and detection/response**, explicitly mapped to real-world frameworks. + +--- + +# 🧭 Active Directory Cybersecurity Lab: Framework-Aligned Guide + +--- + +## βš™οΈ 1. **Lab Design Philosophy** + +**Purpose:** +To build a modular AD lab that supports: + +* Simulating attacker TTPs from the **MITRE ATT\&CK Matrix** +* Testing controls mapped to **NIST 800-53** and **CIS Controls** +* Practicing defensive detection and incident response + +**Target Users:** + +* Red and Blue Teamers +* Security Engineers +* SOC Analysts +* Students preparing for certs (e.g., OSCP, GCED, AZ-500) + +--- + +## πŸ—ΊοΈ 2. **Framework Alignment Overview** + +| Framework | Role in Lab | How It Maps | +| ----------------- | -------------------------------------- | ----------------------------------------------- | +| **MITRE ATT\&CK** | Simulate real-world adversary behavior | TTPs via BloodHound, Mimikatz, Rubeus, Impacket | +| **NIST 800-53** | Compliance/hardening baseline | AC-2, AC-6, AU-6, CM-6, IA-5 mapped to GPOs | +| **CIS Controls** | Defensive controls and audit checks | Controls 4, 5, 6, 7, 8, 16 via logging, alerts | + +--- + +## πŸ–₯️ 3. **Lab Topology (Mermaid Diagram)** + +```mermaid +graph TD; + A[Win Server 2019 - DC01] -->|AD DS| B[Domain: cyberlab.local]; + B --> C[Win 10 Client - WKS01]; + B --> D[Sysmon/Log Forwarding]; + B --> E[SIEM - Ubuntu ELK or Splunk]; + F[Kali Linux - Attacker] --> C; + F --> B; + B --> G[OU: Workstations]; + B --> H[OU: Service Accounts]; + B --> I[OU: Admins]; +``` + +--- + +## πŸ› οΈ 4. 
**Lab Machines** + +| Hostname | OS | Role | Tooling | +| -------- | -------------- | ------------------ | ----------------------------------- | +| `DC01` | Windows Server | Domain Controller | AD DS, GPO, AD CS, DNS, Sysmon | +| `WKS01` | Windows 10 | Domain-joined host | User simulation, endpoint logs | +| `KALI01` | Kali Linux | Red Team | BloodHound, Mimikatz, CrackMapExec | +| `LOG01` | Ubuntu | SIEM | ELK or Splunk, Winlogbeat, Filebeat | + +--- + +## πŸ§ͺ 5. **Core Use Cases by Framework** + +### βœ… MITRE ATT\&CK Mapping (Enterprise, Windows) + +| Tactic | Technique | Tool | System | +| ----------------- | ------------------------------ | ------------ | ------ | +| Discovery | T1069.002 - AD Group Discovery | BloodHound | Kali | +| Credential Access | T1003.001 - LSASS Dumping | Mimikatz | Kali | +| Lateral Movement | T1021.002 - SMB/WinRM | Impacket | Kali | +| Priv. Escalation | T1055 - Process Injection | Rubeus | Kali | +| Persistence | T1053 - Scheduled Task | cmd/Taskschd | WKS01 | + +### βœ… NIST 800-53 Example Mappings + +| Control ID | Control Name | Lab Mapping | +| ---------- | ------------------------- | ------------------------------------- | +| AC-2 | Account Management | Create users/groups with lifecycles | +| AU-6 | Audit Review and Analysis | SIEM logs Sysmon + Event Logs | +| IA-5 | Authenticator Management | Enforce GPO password policies | +| CM-6 | Configuration Settings | Harden via GPOs (disable SMBv1, etc.) 
| +| AC-6 | Least Privilege | RBAC via Security Groups | + +### βœ… CIS Controls (v8) + +| CIS Control | Description | Implementation Example | +| ----------- | ------------------------ | ------------------------------------------- | +| 4 | Secure Configuration | CIS Benchmarks applied to Windows Server | +| 5 | Account Management | Lifecycle: user creation, disablement tests | +| 7 | Email and Web Protection | Simulate phishing or malicious doc delivery | +| 8 | Malware Defenses | Windows Defender + malicious binaries | +| 16 | Application Monitoring | SIEM alerting + process creation via Sysmon | + +--- + +## 🧰 6. **Scenario Playbook Examples** + +### πŸ”΄ Attack Scenario 1: Kerberoasting + +* Target: Service account with SPN +* Tools: `Rubeus`, `Impacket`, `Hashcat` +* Logs to expect: 4769 events in SIEM + +### πŸ”΅ Detection Scenario: Unusual Admin Logon + +* Trigger: Admin logs in outside normal hours from a user PC +* Tooling: LogonTracer, SIEM alert rule + +### βš™οΈ Configuration Scenario: GPO Hardening + +* Apply baselines via `LGPO.exe` or `Security Compliance Toolkit` +* Disable LM hashes, SMBv1, enable Defender ASR rules + +--- + +## πŸ“¦ 7. **Optional Enhancements** + +| Feature | Purpose | +| --------------------------- | ----------------------------------- | +| ADCS (Certificate Services) | Golden ticket, relay attacks | +| GPO Backdoor Simulation | Persistence and detection scenarios | +| Azure AD Connect | Hybrid attack simulation | +| DCSync/Golden Ticket Labs | Advanced credential theft tactics | + +--- + +## πŸ“ 8. 
**Suggested Repo Structure (GitHub-Ready)** + +```bash +ad-cyberlab/ +β”œβ”€β”€ docs/ +β”‚ β”œβ”€β”€ framework_mappings.md +β”‚ β”œβ”€β”€ attack_scenarios.md +β”‚ └── setup_guide.md +β”œβ”€β”€ diagrams/ +β”‚ └── topology.mmd +β”œβ”€β”€ configs/ +β”‚ β”œβ”€β”€ gpos/ +β”‚ └── sysmon-config.xml +β”œβ”€β”€ scripts/ +β”‚ └── user-gen.ps1 +β”œβ”€β”€ detections/ +β”‚ └── elastic-rules.yml +└── README.md +``` + +--- + +## βœ… Next Steps + +Would you like me to generate: + +1. The **initial GitHub-ready lab repo structure and README**? +2. A few **MITRE-mapped attack walkthroughs** (step-by-step)? +3. The **GPO hardening starter pack** mapped to CIS/NIST? + +Let me know what you want help building out first β€” I can generate clean code, scripts, detection rules, and markdown docs to get you production-ready. + + +--- + # Active Directory Setup Framework for Cybersecurity Testing ## Overview
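Review bot: the tail of the new `ad_lab.md` content in this hunk is a pasted assistant transcript, not documentation; `Would you like me to generate:`, the three numbered offers, and `Let me know what you want help building out first β€” I can generate clean code, scripts, detection rules, and markdown docs to get you production-ready.` should be removed (or turned into a plain TODO list), and the opening `Great β€” aligning your AD lab to **real-world security frameworks**...` paragraph belongs in the same cleanup. The added text also carries mojibake (`β€”`, `βš™οΈ`, `β”œβ”€β”€`) where dashes, emoji and box-drawing characters were intended, so the file was saved with the wrong encoding; re-save as UTF-8 and re-check the tree diagram renders. Two rows of the ATT&CK table map techniques incorrectly, which matters because the detection scenarios are keyed to them: `| Priv. Escalation | T1055 - Process Injection | Rubeus | Kali |` attributes process injection to a Kerberos ticket tool (Rubeus belongs with the Kerberoasting scenario under T1558), and `T1021.002 - SMB/WinRM` bundles two sub-techniques (T1021.002 is SMB/Windows Admin Shares; WinRM is T1021.006). Similarly `| ADCS (Certificate Services) | Golden ticket, relay attacks |` lists a KRBTGT-based Kerberos technique under AD CS; `certificate abuse, relay attacks` would describe that enhancement accurately.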