
Day 15: Be it ever so heinous, there's no place like Domain Controller.


Basics of Active Directory

Active Directory is a service created by Microsoft for centralized management. Active Directory organizes and controls users, devices, and resources in a secure, hierarchical network environment.

    Core components of Active Directory

  • Domain
  • Organizational Units (OUs)
  • Domain Controller (DC)
  • Forest
  • Tree

    What does Active Directory manage?

    Active Directory manages many kinds of objects and services, including:

    Category: Resources/Services Managed

  • Devices: Computers, printers, mobile devices, IoT devices
  • Users: User accounts, passwords, groups, permissions, profiles
  • Security: Authentication, access control, GPOs, PKI, SSO, auditing
  • Groups: Security groups, distribution groups, nested groups
  • Policies: Software deployment, security, desktop, and network configurations
  • Services: DNS, DHCP, PKI, RAS, file/print services, time sync
  • Applications: Exchange, SharePoint, Teams, CRM tools, cloud services
  • Network Resources: Shared folders, network shares, databases, virtualization
  • Structure: Domains, trees, forests, OUs
  • Identity Management: MFA, SSO, RBAC, hybrid identity
  • Auditing: Event logs, security monitoring, SIEM integration
  • Cloud/Hybrid: Azure AD, Office 365, hybrid identity

    Common Active Directory attacks

  1. Golden ticket attack
  2. Pass-The-Hash
  3. Kerberoasting
  4. Pass-the-Ticket
  5. Malicious GPOs
  6. Skeleton Key Attack

Event Viewer in Windows

The Event Viewer is a built-in Windows tool used to monitor and manage system events, application logs, and security activities. It helps diagnose issues, track changes, and understand system behavior.


Task 1 - Use the "Security" tab within Event Viewer to answer questions 1 and 2.


No Answer Needed

Task 2 - On what day was Glitch_Malware last logged in?

  • A logon is a security event, so it is recorded in the Security log. Start Event Viewer and go to Windows Logs, then Security.
  • [screenshot: Event Viewer, Security log]
  • Click Find in the right-hand Actions pane and enter "Glitch_Malware" to step through every event that mentions that user.
  • [screenshot: Event Viewer Find dialog]
  • Click Find Next until you reach the successful logon event and note its date.
  • [screenshot: successful logon event for Glitch_Malware]

Answer 👉 07/11/2024

Task 3 - What event ID shows the login of the Glitch_Malware user?

  • Continuing with Find Next, I reached the event that records the successful logon; its Event ID is 4624, the ID Windows uses for a successful account logon.
  • [screenshot: Event ID 4624 for Glitch_Malware]

Answer 👉 4624
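The Find dialog works for one user on one box, but the same question ("when did this account last log on, from where, and how?") is easier to answer and to repeat from PowerShell. The script below is an added example, not part of the original writeup: it pulls every Event ID 4624 from the Security log, reads the event fields by name from the event XML (the message text is positional and awkward to parse), and keeps only the account you ask about. The account name, the event cap and the logon-type table are parameters and constants I supply here; it assumes an elevated session on the host being reviewed.

```powershell
# Added example (not from the original writeup): list successful logons (Event ID 4624)
# for one account from the Security log, showing when, from where and how they happened.
# Assumes an elevated PowerShell session on the host under review.
param(
    [string]$TargetUser = 'Glitch_Malware',   # account from the writeup; change as needed
    [int]$MaxEvents = 10000                   # cap on how many 4624 events to read
)

# Logon type codes as documented for Event ID 4624.
$logonTypes = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

function Get-UserLogons {
    param([string]$User, [int]$Max)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Max |
        ForEach-Object {
            # EventData fields are positional in the message; read them by name from the XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                LogonType   = $logonTypes[$data['LogonType']]
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
                LogonId     = $data['TargetLogonId']
            }
        } |
        Where-Object { $_.User -eq $User }   # -eq is case-insensitive, which suits account names
}

$logons = @(Get-UserLogons -User $TargetUser -Max $MaxEvents | Sort-Object Time -Descending)
"Found $($logons.Count) successful logons for $TargetUser (most recent first)"
$logons | Select-Object -First 10 | Format-Table -AutoSize
```

Run it as `.\Get-UserLogons.ps1 -TargetUser Glitch_Malware`; the first row answers Task 2 and every row carries the 4624 ID from Task 3. The LogonType and SourceIP columns are what you would look at next in a real investigation: an interactive or RemoteInteractive logon from an unexpected address tells a very different story from a network logon from the file server.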

Task 4 - Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users?

  • PSReadLine keeps each user's console history in a text file at C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt (the AppData\Roaming part is what %APPDATA% expands to), so I read that file for the Administrator account.
  • [screenshot: PowerShell history file]

Answer 👉 Get-ADUser -Filter * -Properties MemberOf | Select-Object Name

Task 5 - Look in the PowerShell log file located in Application and Services Logs -> Windows PowerShell. What was Glitch_Malware's set password?

  • The commands PowerShell ran are also recorded in the Windows PowerShell event log. In Event Viewer, open "Application and Services Logs", then "Windows PowerShell", and use Find with the search term "Password".
  • Clicking Find Next a few times brought me to the event that logged the command where the password was set.
  • [screenshot: Windows PowerShell log entry]

Answer 👉 SuperSecretP@ssw0rd!
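Tasks 4 and 5 are two views of the same question: what did an operator type into PowerShell on this host? The script below is an added example, not part of the original writeup, that triages both sources at once: it reads every user's PSReadLine history file (Task 4) and searches the classic "Windows PowerShell" event log (Task 5) for a short list of Active Directory enumeration and credential-handling commands, then masks anything that looks like a password value before the hits are written out, so the finding can go into a ticket without copying the secret along with it. The keyword list, the redaction patterns and the function names are mine and are a starting point, not a complete indicator set; it assumes an elevated session on the host under review.

```powershell
# Added example (not from the original writeup): find AD enumeration and credential-handling
# commands in PSReadLine history files and in the classic "Windows PowerShell" event log.
# Assumes an elevated session on the host under review. Keyword list is a constructed starting point.
$keywords = @(
    'Get-ADUser', 'Get-ADGroup', 'Get-ADComputer', 'Get-GPO',    # AD enumeration
    'Set-ADAccountPassword', 'New-ADUser', 'Add-ADGroupMember',  # account changes
    'Password', 'ConvertTo-SecureString'                          # credential handling
)
$pattern = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-HistoryHits {
    # PSReadLine writes each user's console history under %APPDATA%, i.e. AppData\Roaming.
    $files = Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' `
                           -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $user = $f.FullName.Split('\')[2]   # C:\Users\<user>\... -> <user>
        Select-String -Path $f.FullName -Pattern $pattern | ForEach-Object {
            [pscustomobject]@{ Source = "history:$user"; Where = "line $($_.LineNumber)"; Command = $_.Line.Trim() }
        }
    }
}

function Get-PowerShellLogHits {
    # The classic log records pipeline/command details in the event message text.
    Get-WinEvent -LogName 'Windows PowerShell' -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            # Keep only the first message line that matched, which is normally the command itself.
            [string]$first = ($_.Message -split "`r?`n") | Where-Object { $_ -match $pattern } | Select-Object -First 1
            [pscustomobject]@{ Source = "eventlog:$($_.Id)"; Where = $_.TimeCreated; Command = $first.Trim() }
        }
}

# Mask values that look like passwords before they land in a report or ticket.
function Protect-Secret {
    param([string]$Text)
    $Text -replace '(?i)(ConvertTo-SecureString\s+)("[^"]*"|''[^'']*''|\S+)', '$1[REDACTED]' `
          -replace '(?i)(-\w*password\s+|password\s*[:=]\s*)(\S+)', '$1[REDACTED]'
}

$hits = @(Get-HistoryHits) + @(Get-PowerShellLogHits)
$hits | ForEach-Object { $_.Command = Protect-Secret $_.Command; $_ } | Format-Table -AutoSize
```

The history files are per user and are only as complete as the sessions that wrote them (a session that was killed, or one started with a different host, leaves nothing there), which is why the event log is searched as well: on a host where PowerShell module or script-block logging is enabled, the event log is the record that survives an attacker clearing their own history file.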

Task 6 - Review the Group Policy Objects present on the machine. What is the name of the installed GPO?

  • To list all Group Policy Objects (GPOs) on the machine, open PowerShell and run Get-GPO -All (from the GroupPolicy module).
  • [screenshot: Get-GPO -All output]

Answer 👉 Malicious GPO - Glitch_Malware Persistence
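`Get-GPO -All` lists the objects, but a name like the one above is a gift; a quieter malicious GPO looks like any other, so the things worth seeing side by side are who owns it, when it was last changed, and where it is linked. The script below is an added example, not part of the original writeup: it inventories every GPO, pulls the link targets out of the XML report (which `Get-GPO` itself does not expose), sorts by modification time, and flags entries that were changed recently or are not owned by Domain Admins. It assumes the GroupPolicy module from RSAT and an account that can read GPOs; the seven-day window and the owner check are a heuristic I chose here, not a rule from the room.

```powershell
# Added example (not from the original writeup): inventory all GPOs with owner, timestamps,
# status and link targets, newest changes first, and flag the ones that deserve a second look.
# Assumes the GroupPolicy (RSAT) module and read access to GPOs. The flagging rule is a heuristic.
param([int]$RecentDays = 7)

Import-Module GroupPolicy -ErrorAction Stop

function Get-GpoInventory {
    Get-GPO -All | ForEach-Object {
        # The XML report carries the link information that Get-GPO does not expose.
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        $linkText = if ($links.Count -gt 0) { $links -join '; ' } else { '(unlinked)' }

        [pscustomobject]@{
            Name     = $_.DisplayName
            Owner    = $_.Owner
            Created  = $_.CreationTime
            Modified = $_.ModificationTime
            Status   = $_.GpoStatus
            LinkedTo = $linkText
        }
    } | Sort-Object Modified -Descending
}

function Get-SuspectGpos {
    param([object[]]$Inventory, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Flag: changed recently, or owned by something other than Domain Admins
    # (a GPO created by a delegated or compromised account shows that account as owner).
    $Inventory | Where-Object { $_.Modified -gt $cutoff -or $_.Owner -notmatch 'Domain Admins$' }
}

$inventory = Get-GpoInventory
"All GPOs, most recently modified first:"
$inventory | Format-Table -AutoSize

"GPOs modified in the last $RecentDays days or not owned by Domain Admins:"
Get-SuspectGpos -Inventory $inventory -Days $RecentDays | Select-Object Name, Owner, Modified, LinkedTo | Format-Table -AutoSize
```

The LinkedTo column is the one to read first: a GPO linked at the domain root or to the Domain Controllers OU applies everywhere that matters, and an unlinked GPO may have been staged for later. Baseline the inventory once and diff it on a schedule, and a new or modified GPO surfaces without anyone having to open the Group Policy Management Console.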

Task 7 - If you enjoyed this task, feel free to check out the Active Directory Hardening room.


No Answer Needed