Homelab: Attacking Splunk+Active Directory Part-2

Aditya Hebballe
OSCP Certified Penetration Tester
Homelab - This article is part of a series.

Introduction

In this part, we will attack the Windows 11 machine (target-pc) from our Kali machine and also use Atomic Red Team on the target-pc to simulate various attacks. We’ll then analyze the logs generated in Splunk to see how these attacks appear in the data.

Let’s get started!

Kali Linux

Make sure your Kali Linux setup is configured with the Network Adapter created in Part 1 of this blog. Once that’s done, we’ll configure the network to enable access to the other machines.

Network Configuration

I’m using GNOME in my Kali VM, but note that XFCE is installed by default, so your network configuration screens may look slightly different. Just open the network settings and replicate the settings shown here.

Open Network Settings and configure the network adapter you are using:

Set the IPv4 method to Manual, set the DNS server to 8.8.8.8 and the IP address to 192.168.10.250.

Check if it has applied:

ip a

If the IP has not changed, try disabling and re-enabling the adapter in the settings.

Now install crowbar:

sudo apt install crowbar

We’ll create a passwords.txt file for brute-forcing the target-pc, using the first 20 passwords from rockyou.txt, a popular wordlist.

Follow these commands:

mkdir ADProject
cd ADProject
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
head -n 20 /usr/share/wordlists/rockyou.txt > passwords.txt

We will also append the actual password to the end of the list so that the brute force actually succeeds:

echo "Password123@" >> passwords.txt

Target-pc (Windows 11)

We need to go to the target-pc VM and enable RDP. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely connect to and control another computer over a network.

Search for View Advanced system settings in start and open it:

Use the administrator account credentials from the DC when prompted for it.

Enable RDP access.

We will now configure the users allowed to access this machine through RDP.

Click on Select Users.
Click on Add.
Enter the username you created in Part 1 of this blog and click Check Names to fill it in automatically.
Click OK and apply the settings.

RDP Bruteforce

Now, back on our Kali VM, we will use crowbar to brute-force RDP on target-pc. We will target the hspecter account and use 192.168.10.100/32 for the IP in CIDR notation; the /32 ensures we target only this machine.

crowbar -b rdp -u hspecter -C passwords.txt -s 192.168.10.100/32

Let it run and after a while we can see that we have successfully cracked the password:

We will open Splunk Enterprise at http://192.168.10.10:8000/ and go to Apps -> Search & Reporting.

Now we will search the following:

index="endpoint" hspecter #replace with username

Now we can select the field called EventCode:

We have 20 events with the Event ID 4635. We can see what it means here:
In Windows, an Event ID is a unique identifier for each type of event recorded in the Event Viewer, which logs system, security, and application activities. Each Event ID represents a specific action or occurrence, such as a user login (Event ID 4624), a failed login attempt (Event ID 4625), or a system error.

Click on 4625 under EventCode to show only events with Event ID 4625; the query updates accordingly:

The timing here indicates brute-force activity: notice how all these events occurred at the same time.

If you expand any one of these, you can see more information about the login attempt; the IP address from which the login was attempted is recorded.

Now change the EventCode to 4624 in the query:

These are successful logins.
Similarly, we can observe other types of attacks in the logs. As it is not possible to cover every type of attack in this blog, it will be your task to try out common Active Directory attacks like Kerberoasting, Silver Ticket attacks, ASREPRoasting, etc. Keeping an eye on the logs while you attack can help you get better at staying stealthy.
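The pattern we just spotted by eye in Splunk (a burst of 4625 failures for one account from one source IP, followed by a 4624 success) can be expressed as detection logic. This is an added example, not code from the original post; it runs over constructed sample lines shaped like Splunk's Windows Security fields (EventCode, Account_Name, Source_Network_Address), and the threshold and window values are assumptions you would tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Splunk's Windows Security events: 20 failed
# logons (4625) for hspecter from one source within 20 seconds, then one success (4624).
SAMPLE_LINES = [
    f"2024-01-01T12:00:{i:02d} EventCode=4625 Account_Name=hspecter Source_Network_Address=192.168.10.250"
    for i in range(20)
] + [
    "2024-01-01T12:00:21 EventCode=4624 Account_Name=hspecter Source_Network_Address=192.168.10.250",
    "2024-01-01T09:30:00 EventCode=4625 Account_Name=hspecter Source_Network_Address=192.168.10.100",
    "2024-01-01T12:05:00 EventCode=4624 Account_Name=Administrator Source_Network_Address=192.168.10.10",
]

FIELD_RE = re.compile(r"^(\S+) EventCode=(\d+) Account_Name=(\S+) Source_Network_Address=(\S+)$")

def parse_line(line):
    """Turn one sample line into (timestamp, event_code, account, source_ip)."""
    m = FIELD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ts, code, user, ip = m.groups()
    return datetime.fromisoformat(ts), int(code), user.lower(), ip

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert on each (account, source IP) with >= threshold 4625 events inside
    `window`; record whether a 4624 success followed within the same window."""
    by_key = defaultdict(list)
    for ts, code, user, ip in sorted(parse_line(l) for l in lines):
        by_key[(user, ip)].append((ts, code))
    alerts = []
    for (user, ip), seq in by_key.items():
        failures = [ts for ts, code in seq if code == 4625]
        start = 0
        for end in range(len(failures)):           # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last = failures[end]
                succeeded = any(code == 4624 and last <= ts <= last + window for ts, code in seq)
                alerts.append({"account": user, "source_ip": ip,
                               "failures": len(failures), "followed_by_success": succeeded})
                break                               # one alert per pair
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LINES):
        print(alert)
```

The lone 09:30 failure from a different source never reaches the threshold, so only the 192.168.10.250 burst is reported, flagged as followed by a successful logon.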

Atomic Red Team

Atomic Red Team is an open-source library of simple, scripted security tests designed to simulate real-world attack techniques. It provides prebuilt “atomic” tests for techniques documented in the MITRE ATT&CK framework, covering various stages of the attack lifecycle like persistence, privilege escalation, and lateral movement. We will install Atomic Red Team in our Windows 11 VM (target-pc).

Installation

In our target-pc, open PowerShell as admin. Use the Administrator credentials from the DC when prompted. Execute the following command:

Set-ExecutionPolicy Bypass -Scope CurrentUser

Setting the Execution Policy to Bypass allows scripts to run without any restrictions or warnings. It disables the script-blocking security measures for the specified scope, which is the current user in this case.

Now open Windows Security:

Click on Virus & Threat protection
Click on Manage Settings
Add an exclusion

Pick the C Drive as the folder to exclude

Now, in the PowerShell window running as Administrator, run this command:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/refs/heads/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Then enter Y to accept. This will install Atomic Red Team.

Attacking With Atomic Red Team

ART is installed in C:\AtomicRedTeam. Navigate to C:\AtomicRedTeam\atomics and you will see folders with seemingly random numbers.

In fact these are not random numbers but MITRE IDs, unique identifiers assigned to specific tactics, techniques, and sub-techniques in the MITRE ATT&CK framework. Each of these folders maps to one technique in the MITRE ATT&CK framework.

Go to https://attack.mitre.org/ and look for Create Account; hover over it to see its ID:

For creating a local user, the ID we need is T1136.001, and we can see we have a folder with that ID.

Now back in Powershell we will execute:

Invoke-AtomicTest T1136.001

We can see that a local user was created:

Now in Splunk Enterprise, we can detect this activity:

index="endpoint" NewLocalUser

We can see the events where new local users were created.

We will try Command and Scripting Interpreter now:

Check the MITRE ID:

Let’s execute it:

Invoke-AtomicTest T1059.001

You will see a bunch of PowerShell windows opening and closing; ART is executing the attack.

In Splunk, we can see that Sharphound was run:

If you investigate the logs you can find more about the commands that were run.

Conclusion

Integrating Splunk with Active Directory not only enhances our ability to monitor and analyze security events but also provides invaluable insights into our attack methodologies. By scrutinizing how our actions manifest in Splunk logs, we can identify patterns, potential weaknesses, and the signatures of our attacks. This understanding is crucial for refining our techniques and improving our stealth capabilities.
