Lab Infrastructure 01

The entire environment was built from scratch to simulate real enterprise segmentation. Every router, server and firewall rule was configured by hand.

Domain Controller
enterpriselab.local, Windows Server 2022
Custom OUs, GPOs, service accounts

Firewall / Router
pfSense
NAT, VLAN segmentation
Corporate network simulation

Endpoints (x2)
Windows 10
Domain-joined
Windows Defender enabled

Attacker
Kali Linux
Isolated subnet
Custom tooling
Attack Phases 02

01 Initial Foothold — Assumed Breach (Recon)
We start from a low-privileged domain user account. Real-world scenario: an account obtained through phishing or a credential leak.

02 Stealth AD Enumeration (OPSEC)
We map trust boundaries, SPNs and privileged groups through the native ADSI/.NET API, without triggering large LDAP anomalies.

03 Targeted Kerberoasting (Credential)
Kerberoasting against specific service accounts. The TGS hashes were cracked offline with Hashcat. AES-256 is chosen, not RC4.

04 ACL Abuse — GenericAll / WriteDACL (PrivEsc)
A misconfigured ACL was found. Through the GenericAll right we added ourselves to the Tier-1 admin group.

05 Lateral Movement — LotL (Lateral)
Pivot to the DC over WinRM and WMI. No malicious binary was dropped: Living off the Land methodology.

06 DCSync → Forest Dominance (Persist)
DC authentication was coerced and the krbtgt hash was obtained via DCSync. Golden/Diamond ticket persistence was established.
OPSEC Techniques 03

Unlike standard tooling, this lab is oriented toward EDR evasion and a minimal footprint.

Core philosophy: noisy binaries (stock Mimikatz, PsExec) were not used. Native Windows API, ADSI and in-memory execution took priority.
Kerberoasting — OPSEC version
PowerShell — Native .NET [OPSEC]
# Not Rubeus: a native .NET TGS request
PS> Add-Type -AssemblyName System.IdentityModel
PS> $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken `
        -ArgumentList "MSSQLSvc/dc01.enterpriselab.local:1433"
PS> $ticket.GetRequest() | Format-Hex

# AES-256 rather than RC4: less suspicious in Event ID 4769
PS> Rubeus.exe kerberoast /rc4opsec /nowrap
Lateral Movement — WMI (fileless)
PowerShell — WMI [LotL]
# No binary is dropped: in-memory execution via WMI
PS> $wmi = [wmiclass]"\\dc01\root\cimv2:Win32_Process"
PS> $wmi.Create("powershell -enc [BASE64_PAYLOAD]")

# WinRM looks like legitimate admin traffic
PS> Enter-PSSession -ComputerName dc01 -Credential $cred
WMI and WinRM are Windows admin tools. SOCs filter them out as legitimate traffic. That is why LotL is the quietest path.
Blue Team — Detection Notes 04

Which Windows Event IDs are triggered at each attack phase, and how each can be detected.

| Event ID | Description | Attack vector |
|---|---|---|
| 4769 | Kerberos Service Ticket Request | Kerberoasting: RC4 encryption type is suspicious |
| 4624/4625 | Account Logon (success/fail) | Logon Type 3 during lateral movement |
| 4688 | Process Creation | Malicious PowerShell/WMI spawning |
| 4662 | Object operation on AD | DCSync: Replicating Directory Changes |
| 5136 | Directory Service Object Modified | ACL abuse: WriteDACL/GenericAll |

! DCSync detection: Event 4662 with the Replicating Directory Changes All right from a machine that is not a Domain Controller should raise an immediate alert.
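The three rules from the table that are easiest to express as log logic (RC4 Kerberoasting in 4769, DCSync in 4662, network logons onto the DC in 4624) as an added example, not part of the original lab writeup. The event records are constructed samples in a flat SIEM-export shape; the field names follow the Windows Security event XML, the DC hostname and addresses are lab assumptions, and the per-user ticket threshold is a tuning choice.

```python
"""Detection rules for the Event ID table above (added example).

Events are constructed dicts shaped like a flattened Security-log export;
adapt the field names to your own collector's schema.
"""
from collections import defaultdict

# Control-access-right GUIDs exercised by directory replication (DCSync).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)

RC4_HMAC = "0x17"                 # TicketEncryptionType value for RC4 in 4769
DOMAIN_CONTROLLERS = {"dc01"}     # assumption: the lab's only DC
DC_ADDRESSES = {"10.0.10.5"}      # assumption: its address
ROAST_THRESHOLD = 3               # distinct RC4 service tickets per user before alerting


def is_dc_account(name):
    """'DC01$' -> True; user principals and non-DC machine accounts -> False."""
    return name.endswith("$") and name[:-1].lower() in DOMAIN_CONTROLLERS


def dcsync_alerts(events):
    """4662 carrying a replication GUID from a subject that is not a DC account."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        if not any(g in props for g in REPLICATION_GUIDS):
            continue
        subject = e.get("SubjectUserName", "")
        if is_dc_account(subject):
            continue  # DC-to-DC replication is expected
        alerts.append(("dcsync_non_dc", "critical", subject))
    return alerts


def kerberoast_alerts(events, threshold=ROAST_THRESHOLD):
    """4769: successful RC4 tickets for real service accounts, counted per requester."""
    rc4_spns = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("Status", "0x0") != "0x0":
            continue
        svc = e.get("ServiceName", "")
        # machine accounts and krbtgt are not Kerberoast targets
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            rc4_spns[e["TargetUserName"]].add(svc)
    return [("kerberoast_rc4", "high", user, sorted(spns))
            for user, spns in rc4_spns.items() if len(spns) >= threshold]


def lateral_to_dc_alerts(events):
    """4624 Logon Type 3 onto a DC by a user account from a non-DC address."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e.get("LogonType") != "3":
            continue
        if e.get("Computer", "").split(".")[0].lower() not in DOMAIN_CONTROLLERS:
            continue
        user, src = e.get("TargetUserName", ""), e.get("IpAddress", "-")
        # machine-account and loopback logons are routine AD noise
        if user.endswith("$") or src in DC_ADDRESSES or src in ("-", "::1", "127.0.0.1"):
            continue
        alerts.append(("network_logon_to_dc", "medium", user, src))
    return alerts


def run_all(events):
    return dcsync_alerts(events) + kerberoast_alerts(events) + lateral_to_dc_alerts(events)


# Constructed sample events: one Kerberoast burst, one DCSync, one DC logon, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "j.doe@ENTERPRISELAB.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "j.doe@ENTERPRISELAB.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "j.doe@ENTERPRISELAB.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "WS01$@ENTERPRISELAB.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},                      # benign AES ticket
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},              # benign replication
    {"EventID": 4662, "SubjectUserName": "j.doe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},              # DCSync by a user
    {"EventID": 4624, "LogonType": "3", "Computer": "dc01.enterpriselab.local",
     "TargetUserName": "j.doe", "IpAddress": "10.0.20.15"},                 # user logon to DC
    {"EventID": 4624, "LogonType": "3", "Computer": "dc01.enterpriselab.local",
     "TargetUserName": "WS01$", "IpAddress": "10.0.20.15"},                 # machine noise
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The DCSync rule keys on the subject account rather than a source host because 4662 is logged on the DC itself and carries no client address; accounts such as an Azure AD Connect service account would need an explicit allow-list in the same place as the DC machine accounts.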
Tools Used 06
BloodHound / SharpHound
AD attack path mapping. Targeted collection, not a full domain dump.
Rubeus
Kerberos attacks — Kerberoasting, AS-REP, Pass-the-Ticket.
PowerView
In-memory, heavily modified. ACL enumeration and exploitation.
Impacket
DCSync (secretsdump), WMIexec, SMBexec.
Native Windows
ADSI, WMI, DCOM, WinRM: the basis of LotL.
Hashcat
Offline hash cracking of Kerberoast TGS hashes.