Skip to content

Gitlovess/Active-Directory-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🏢 Active Directory Attack & Detection Lab

A cloud-hosted Active Directory environment simulating real-world RDP brute force attacks, detected by Splunk SIEM, and automated through a Shuffle SOAR playbook that notifies the SOC analyst via Slack and requests a user disable decision via email.

Lab 6 of the SOC Home Lab Series — builds on Lab 1 (NSM) | Lab 2 (pfSense IPS) | Lab 3 (Windows Hardening) | Lab 4 (Linux Hardening) | Lab 5 (SOC Automation)


🎯 What This Proves

Active Directory is present in 90% of enterprise networks. This lab proves I can:

  • Build and manage a real AD domain environment
  • Detect unauthorized RDP logons using Splunk
  • Automate analyst response decisions through a SOAR playbook
  • Correlate Event ID 4624/4625 to identify credential-based attacks

🏗️ Architecture

AD Project Architecture

How the pipeline flows:

Attacker Machine
      ↓ [Successful unauthorized RDP authentication]
Test Machine (TEST-MACHINE.venky.local)
      ↓ [Windows Security logs — Event ID 4624]
Domain Controller (venky-ADDC01.venky.local)
      ↓ [Telemetry forwarded via Splunk Universal Forwarder]
Splunk SIEM (Ubuntu Server)
      ↓ [Alert: Unauthorized-Successful-Login-RDP triggered]
Shuffle SOAR
      ↓ [Send alert to Slack #alerts channel]
      ↓ [Email SOC analyst — "Would you like to disable the user?"]
SOC Analyst
      ↓ [YES → Disable domain account]
      ↓ [NO → Do nothing]

🔧 Infrastructure

Vultr Instances Running

VM OS IP Role
VENKY-ADDC01 Windows Server 2025 139.84.154.69 Domain Controller
TEST-MACHINE Windows Server 2025 139.84.152.244 Target Endpoint
VENKY-SPLUNK Ubuntu 24.04 LTS 139.84.147.40 Splunk SIEM

All hosted on Vultr Cloud — Bangalore, India (APAC)


📋 Lab Setup

1. Active Directory Domain Configuration

Active Directory Domain

Setting Value
Domain Name venky.local
Domain Controller venky-ADDC01.venky.local
Domain Mode Windows 2025 Domain
NetBIOS Name VENKY

2. Users Created in Active Directory

Users in AD

Domain user John Doe (JDoe@venky.local) created as a standard domain user — simulating a real enterprise employee account targeted in the attack.

3. Test Machine Joined to Domain

Machine Joined to Domain

  • Computer Name: TEST-MACHINE
  • Full Name: TEST-MACHINE.venky.local
  • Domain: venky.local
  • RDP: Enabled — allowing remote login simulation

📊 Splunk SIEM Setup

4. Splunk Dashboard

Splunk Dashboard

Splunk Enterprise deployed on Ubuntu 24.04. Splunk Universal Forwarder installed on both Windows machines to ship Windows Security event logs in real time.

5. Logs Flowing into Splunk

Splunk Events from Both Hosts

index="ad-project" | stats count by host
Host Events %
venky-ADDC01 5,971 71.47%
TEST-MACHINE 2,384 28.53%

8,355 total events ingested — confirming both DC and endpoint telemetry flowing correctly.


⚔️ Attack Simulation & Detection

6. Unauthorized RDP Login Detected

An external attacker successfully authenticated to TEST-MACHINE via RDP from a public IP address .

Event ID 4624 — Successful Logon

Key fields from Splunk:

Field Value
EventCode 4624 (Successful Logon)
Logon_Type 7 (Unlock/Remote Interactive)
ComputerName TEST-MACHINE.venky.local
Source_Network_Address 139.84.154.69
User Administrator
Keywords Audit Success

Splunk Detection Query

index="ad-project" EventCode=4624 
(Logon_Type=7 OR Logon_Type=10)
Source_Network_Address=*
Source_Network_Address!=127.*
Source_Network_Address!=10.*
Source_Network_Address!=192.168.*
| table _time, ComputerName, user, Source_Network_Address, Logon_Type

7. Splunk Alert Triggered

Splunk Triggered Alerts

Alert "Unauthorized-Successful-Login-RDP" fired twice confirming the detection is working:

  • 2026-07-06 20:59:00 IST
  • 2026-07-06 20:58:00 IST

🤖 SOAR Automation — Shuffle Playbook

8. Shuffle Workflow

Shuffle Workflow

Playbook: Successful Unauthorized Login Response

Splunk Alert (Webhook)
      ↓
Alert Notification → Slack #alerts channel
      ↓
User Action → Email SOC Analyst
      "Would you like to disable the user?"
      ↓
[YES] → Disable Domain Account
[NO]  → Do Nothing

9. Slack Alert Received

Slack Alert in #alerts Channel

Shuffle automatically posted to #alerts channel in the AD-Project Slack workspace:

Alert: Unauthorized-Successful-Login-RDP
Time: 1783403329.308
User: Administrator
Source IP: 170.64.213.125

10. SOC Analyst Email — User Disable Decision

Email — User Input Required

Shuffle sent an automated email to the SOC analyst asking:

"Would you like to disable the user?"

  • If TRUE → Click link to disable domain account
  • If FALSE → Click link to do nothing

This simulates a real interactive SOAR playbook where the analyst has final decision authority before automated action is taken.


✅ Full Pipeline Validation

Stage Tool Result
AD domain built Windows Server 2025 ✅ venky.local domain live
Users created Active Directory ✅ John Doe domain user
Machine joined domain TEST-MACHINE ✅ TEST-MACHINE.venky.local
Logs flowing to Splunk Universal Forwarder ✅ 8,355 events ingested
RDP attack detected Splunk — Event ID 4624 ✅ Alert fired
Slack notification Shuffle → Slack ✅ Message in #alerts
Analyst decision email Shuffle User Action ✅ YES/NO disable user

📁 Repository Structure

ad-splunk-lab/
├── README.md
├── splunk-queries/
│   └── detection-queries.spl     # All Splunk SPL queries used
├── docs/
│   └── setup-notes.md            # Infrastructure setup notes
└── screenshots/
    ├── 01-architecture.png
    ├── 02-vultr-instances.png
    ├── 03-ad-domain.png
    ├── 04-users-in-ad.png
    ├── 05-domain-joined.png
    ├── 06-splunk-dashboard.png
    ├── 07-splunk-events.png
    ├── 08-event-4624.png
    ├── 09-splunk-alert-triggered.png
    ├── 10-shuffle-workflow.png
    ├── 11-slack-alert.png
    └── 12-email-user-action.png

🎯 Skills Demonstrated

  • Active Directory domain deployment on cloud (Vultr)
  • Windows Server 2025 domain controller configuration
  • Domain user and OU management
  • Domain join of Windows endpoints
  • Splunk Enterprise deployment on Ubuntu
  • Splunk Universal Forwarder configuration
  • Windows Security event log ingestion
  • SPL query writing for RDP attack detection
  • Event ID correlation (4624, 4625 — logon events)
  • Splunk scheduled alert configuration
  • Shuffle SOAR playbook design
  • Slack integration for real-time SOC notifications
  • Interactive analyst decision workflow (User Action node)
  • Cloud infrastructure management (Vultr)

📌 Key Event IDs Reference

Event ID Description Relevance
4624 Successful account logon Detects unauthorized RDP access
4625 Failed account logon Detects brute force attempts
4720 User account created Detects persistence via new accounts
4732 User added to security group Detects privilege escalation
4768 Kerberos ticket requested Detects Kerberoasting

📌 References


🔗 SOC Home Lab Series

Lab Project Status
Lab 1 NSM Stack — TShark + Zeek + Suricata IDS ✅ Complete
Lab 2 pfSense Firewall + Suricata IPS ✅ Complete
Lab 3 Windows 10 Endpoint Hardening ✅ Complete
Lab 4 Linux Server Hardening ✅ Complete
Lab 5 SOC Automation — Wazuh + Shuffle + TheHive ✅ Complete
Lab 6 Active Directory + Splunk (this repo) ✅ Complete

About

Active Directory attack detection with Splunk SIEM — RDP brute force detection, Event ID 4624 correlation, and SOAR automation via Shuffle and Slack

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors