Creating Active Directory Labs for Blue and Red Teams
In this article, Sven Bernhard will describe how Blue and Red Teams can create Active Directory Labs for
training and testing purposes. He explains how to set up the Active Directory environment as well as how
to introduce common misconfigurations / vulnerabilities on purpose. Furthermore, a monitoring server
setup using Microsoft ATA is described.
Prerequisites
Think about how you would like to set up your lab environment:
1. Cloud
2. Hardware
Cloud
https://sec-consult.com/blog/detail/creating-active-directory-labs-for-blue-and-red-teams/ 1/58
5/13/2021 Creating Active Directory Labs for Blue and Red Teams
Setup of the lab environment on one of the different cloud hosting providers like AWS, Azure or Google
Cloud.
Advantages:
Unlimited resources
Easily accessible from anywhere
You pay only if the lab is running
Disadvantages:
Can be very expensive (7 Machines with 2 CPU, 4GB RAM and 80 Gigs of storage will cost around 300-
400 USD per month – if they are running 24/7)
Hardware
The easiest way to build a lab is on your personal computer with virtualization software like
VirtualBox, VMware Workstation or Hyper-V, but a lot of resources are needed to have all machines up
and running. Therefore, I recommend building a dedicated lab server.
Used server hardware is cheap nowadays. The following is an example configuration:
128GB (8×16 GB) DDR3 PC3-12800R (1600 Mhz) ECC RAM 1x 250,00
1 TB SSD 1x 100,00
750-Watt Power Supply (e.g. Corsair XC Series 750 Watt 80 Plus Bronze) 1x 90,00
TOTAL 1570,00
To check how many rearms are left just enter the following command:
PS > slmgr -dlv
Lab Setup
To install the Windows operating systems, Microsoft Windows Server Evaluation versions can be used.
The versions are valid for 180 days; the trial period can be extended up to six times for an additional 180
days.
https://www.microsoft.com/de-de/evalcenter/evaluate-windows-server
To extend the period the following command must be issued once the trial period comes to an end:
To check how many days are left in the trial period just issue the following command:
Another option is to get an MSDN/Visual Studio subscription, in which most Microsoft products are
included. The subscription costs $1,199 for the first year and $799 per year for the renewal.
https://visualstudio.microsoft.com/vs/pricing/
Installing The Domain Environment
Create VMs and install the number of servers (with Windows Server 2016 / 2019) you would like to have in your
lab. I recommend 2-3 Domain Controllers and 2-3 Servers first; the lab can be extended over time. After
installing a few Windows Server 2016 / 2019 VMs, it is time to create forests, promote the domain
controllers and add some servers or workstations.
The first step is to promote a parent domain controller in the forest root:
Click on Change:
After the reboot, open Server Manager and click on Add roles and features:
“Select a server from the server pool” will automatically set up your server, you just need to click
on Next:
Choose Active Directory Domain Services and click on Add Features in the popup window:
Wait for the installation to finish, click on the yellow exclamation mark at the top right of the Server
Manager and choose Promote this server to a domain controller:
Choose the deployment configuration – Add a new forest and enter your root domain name:
Set a static IP address for your server in Control Panel\Network and Internet\Network Connections:
Child Domain
The root domain controller is up and running, so it is time to promote a child domain controller and build a
trust relationship between the parent and the child domain. For this purpose, we will follow almost the same
steps as for the parent domain. The only difference is that we will not create a new forest but add a
new domain to an existing forest (Deployment Configuration of the parent dc). A user who is in the
enterprise admin group of the parent domain must be used to enroll the domain.
Repeat the previous steps (how to promote a domain controller) until choosing the deployment
configuration.
As Deployment Configuration, choose Add a new domain to an existing forest and enter your details:
Set a DSRM password and confirm the installation by clicking on Next until you can choose Install:
After the reboot you can log in to the child domain controller:
Enrolling Computers
Now, some workstations / servers need to be installed and added to the network.
Also give the computers a static IP address and point the DNS to the domain’s DNS server / DC:
After the restart, join the domain under Workgroup (below Computer name in the Server Manager):
Enter the password of a user of the enterprise admins group of the domain:
Vulnerable Services
To introduce a vulnerable service, you can either search for software which already contains a
vulnerable service, or you can just modify an existing service. For example, change the permissions of a
service so that a user / group can manage it. Vulnerable services must be configured directly on the machine
where the service is running using the local administrator of the computer.
To change the permissions of a service one of the following methods can be used:
SC.exe:
The standard built-in Windows method to manage system service permissions is the Service
Controller utility (sc.exe). You can get the current permissions of the service like this:
The first letter after the opening bracket means: allow (A) or deny (D).
The next symbols grant different rights on the service:
The last 2 characters are the object (user, group or SID) that is granted the permissions.
Alias Meaning
AU Authenticated Users
AO Account Operators
AN Anonymous Login
BA Built-in Administrators
BG Built-in Guests
BO Backup Operators
BU Built-in Users
CG Creator Group
CO Creator Owner
DA Domain Administrators
DC Domain Computers
DD Domain Controllers
DG Domain Guests
DU Domain Users
EA Enterprise Administrators
WD Everyone
LA Local Administrator
LG Local Guest
SY Local System
PO Printer Operators
PS Personal Self
PU Power Users
RE Replicator
RC Restricted Code
SA Schema Administrators
SO Server Operators
For example, the spooler service permissions can be changed so that any user can restart the service,
using the following command:
PS > sc.exe sdset spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
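To check a lab machine for this kind of service permission change, the following added example (not part of the original article) parses a service security descriptor as printed by sc.exe sdshow and reports allow entries that give start, stop or reconfiguration rights to anyone outside an expected set. The right-code names, the list of expected trustees, the function names and both sample descriptors are assumptions constructed for illustration.

```powershell
# Added example, not from the original article.
# SDDL right codes as they apply to Windows services.
$ServiceRights = @{
    CC = 'QueryConfig';    DC = 'ChangeConfig';  LC = 'QueryStatus'
    SW = 'EnumDependents'; RP = 'Start';         WP = 'Stop'
    DT = 'PauseContinue';  LO = 'Interrogate';   CR = 'UserDefinedControl'
    SD = 'Delete';         RC = 'ReadControl';   WD = 'WriteDac'
    WO = 'WriteOwner';     GA = 'GenericAll';    GW = 'GenericWrite'
}
# Rights that allow restarting, reconfiguring or taking over a service.
$RiskyRights = 'DC', 'RP', 'WP', 'SD', 'WD', 'WO', 'GA', 'GW'
# Assumption: only these trustees are expected to hold risky rights in the lab.
$ExpectedTrustees = 'SY', 'BA', 'DA', 'EA', 'LA'

function Get-ServiceDaclEntry {
    param([Parameter(Mandatory)][string]$Sddl)

    # The DACL is the run of "(...)" ACEs after "D:"; the SACL ("S:") is ignored.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((?:\([^)]*\))+)')
    if (-not $dacl.Success) { throw "No DACL found in '$Sddl'" }

    foreach ($ace in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        $field = $ace.Groups[1].Value -split ';'
        if ($field.Count -ne 6) { continue }

        # Rights are concatenated two-letter codes; a hex mask is kept for manual review.
        $isMask = $field[2] -match '^0x'
        $codes  = if ($isMask) { @() } else {
            @([regex]::Matches($field[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        }
        [pscustomobject]@{
            Allow   = ($field[0] -eq 'A')
            Trustee = $field[5]
            Risky   = @($codes | Where-Object { $RiskyRights -contains $_ })
            Mask    = if ($isMask) { $field[2] } else { $null }
            Raw     = $ace.Value
        }
    }
}

function Find-RiskyServiceAce {
    param([Parameter(Mandatory)][string]$ServiceName,
          [Parameter(Mandatory)][string]$Sddl)

    foreach ($entry in (Get-ServiceDaclEntry -Sddl $Sddl)) {
        # Deny ACEs and expected administrative trustees are not findings.
        if (-not $entry.Allow -or $ExpectedTrustees -contains $entry.Trustee) { continue }
        if ($entry.Risky.Count -eq 0 -and -not $entry.Mask) { continue }

        $names  = $entry.Risky | ForEach-Object { $ServiceRights[$_] }
        $grants = if ($entry.Mask) { "mask $($entry.Mask)" } else { $names -join ', ' }
        [pscustomobject]@{
            Service = $ServiceName
            Trustee = $entry.Trustee
            Grants  = $grants
            Ace     = $entry.Raw
        }
    }
}

# Constructed sample descriptors. On a lab host use: (sc.exe sdshow <service>) -join ''
$samples = [ordered]@{
    # Constructed: Authenticated Users (AU) may start and stop the service.
    Spooler = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWP;;;AU)'
    # Constructed: one domain user (placeholder SID) may reconfigure the service.
    # The audit ACE in the SACL names Everyone (WD) but grants nothing.
    LabSvc  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCDCLCSWRPWPLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
}

$findings = foreach ($name in $samples.Keys) {
    Find-RiskyServiceAce -ServiceName $name -Sddl $samples[$name]
}
$findings | Format-Table Service, Trustee, Grants -AutoSize
```

Interactive Users (IU) and Service logon users (SU) hold only query rights in both samples, so they are not reported; the two constructed entries are.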
Add the Security Templates snap-in (CTRL+M to add or remove snap-ins). Add Security Configuration
and Analysis and Security Templates:
It is possible to specify your own path by right-clicking on Security Templates in the console tree and
selecting New Template Search Path…. If no path is selected, the default
path %username%\documents\security\templates is used.
A Security Database is required. Right-click Security Configuration and Analysis from the console tree
and select Open Database… Enter a name for the database and click Open:
An Import Template window appears. Browse to the previously created template and select it:
Right-click Security Configuration and Analysis from the console tree and select Analyze Computer …
Click the Edit Security… button, click on Add and type in the group or user you want to grant permissions
to:
With the account selected grant the needed permissions and click OK.
Click OK on the Service Properties to bring you back to the console. The service will now appear with
an X next to it as well as an Investigate message in the Permission column:
This is because the new permissions conflict with what is configured on the local machine. To
apply the new permissions, right click on Security Configuration and Analysis from the console tree and
select Configure Computer…
Now the service can be abused by the configured user / group.
PowerShellAccessControl Module:
It is also possible to use PowerShell to misconfigure a service on a computer. A PowerShell module
called PowerShellAccessControl can be found in the TechNet gallery. This module can be used for
managing permissions for different Windows objects.
Now SEC\user01 will be able to start and stop the spooler service.
If a service is created whose executable path contains spaces and isn’t enclosed within quotes, the
service is exposed to a vulnerability known as Unquoted Service Path, which enables adversaries to
elevate privileges.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Name of Service]
Next open the services folder in the tree structure and modify the service as follows:
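To find services left in this state, the following added example (not part of the original article) checks ImagePath values for an unquoted executable path that contains spaces and prints the quoted form that fixes it. The function name and all sample paths are constructed for illustration, and the check assumes the executable ends in .exe.

```powershell
# Added example, not from the original article.
function Test-ServiceImagePath {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$ImagePath)

    # REG_EXPAND_SZ values such as %ProgramFiles%\... only show their spaces once expanded.
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    $unquoted  = $false
    $suggested = $null
    # A leading quote means the path is already quoted. Otherwise split the value
    # into "<executable> <arguments>" at the first ".exe".
    if (-not $path.StartsWith('"') -and $path -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        $exe  = $Matches['exe']
        $rest = $Matches['args']      # $null when the service has no arguments
        # Spaces in the arguments are harmless; only the executable path matters.
        if ($exe.Contains(' ')) {
            $unquoted  = $true
            $suggested = '"{0}"{1}' -f $exe, $rest
        }
    }

    [pscustomobject]@{
        Service   = $Name
        ImagePath = $ImagePath
        Unquoted  = $unquoted
        Suggested = $suggested
    }
}

# Constructed sample values (service name = ImagePath).
$samples = [ordered]@{
    LabAgent = 'C:\Program Files\Lab Agent\agent.exe -service'    # unquoted, with spaces
    Spooler  = 'C:\Windows\System32\spoolsv.exe'                  # no spaces
    Vendor   = '"C:\Program Files\Vendor App\svc.exe" /run'       # already quoted
    Updater  = 'C:\Tools\updater.exe --path "C:\Lab Data"'        # spaces only in arguments
}

$results = foreach ($name in $samples.Keys) {
    Test-ServiceImagePath -Name $name -ImagePath $samples[$name]
}
$results | Where-Object Unquoted | Format-List Service, ImagePath, Suggested

# On a lab host the same check can run over the registry key named above:
# Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
#     $p = (Get-ItemProperty -Path $_.PSPath).ImagePath
#     if ($p) { Test-ServiceImagePath -Name $_.PSChildName -ImagePath $p }
# } | Where-Object Unquoted
```

Only LabAgent is reported for the constructed samples; writing the suggested value back to ImagePath removes the finding.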
Service abuse usually leads to local privilege escalation. Once an adversary has taken over a user/group
which can interact with a service, it will for example be possible to stop the service, exchange its binary
with a malicious one and restart the service. More information on local privilege escalation can be found
in the SEC Consult article “Windows Privilege Escalation – an Approach for Penetration Testers”.
Active Sessions
To create an active session, you can either just log in to the server manually (and take a snapshot while
the machine is running).
https://docs.microsoft.com/en-us/sysinternals/downloads/autologon
It is a portable executable where you just enter the credentials and the domain name and click
on Enable. From now on, the selected user will automatically logon to the machine once the machine
starts.
The password is encrypted; it is not possible to browse through the registry to find it.
Credential-Manager
Different credentials can be saved in the Windows Credential Manager: credentials of local or domain
users as well as credentials for other programs like Internet Explorer.
To save website credentials for Internet Explorer, just browse to a web application, log in and click on
save credentials. The credentials will now be saved in the credential manager and can be obtained by
adversaries.
This will save the user credentials in the local credential manager:
Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To
enable authentication, Kerberos requires that SPNs are associated with at least one service logon
account.
Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos
ticket-granting service (TGS) service tickets for any SPN from a domain controller. The hash of the
service account associated with the SPN is used as the private key and is thus vulnerable to offline brute
force attacks. Cracked hashes may enable adversaries to perform persistence, privilege escalation, and
lateral movement via access to valid accounts.
Create a New User by expanding the domain tree and right click on the User tab:
After the user was created and the password was set, right click on the user and open Properties, click
on Account and set the option “Do not require Kerberos preauthentication”:
GPO Misconfiguration
A Group Policy Object is an Active Directory container used for group policy settings, which can be
used as a resource to control users and computers. GPOs can be used to allow or disallow certain
actions for a group of users or computers, such as disabling local admin access.
In our example we will create a GPO which grants local administrator permissions on a specific server.
We will then delegate the permissions to another user. If an adversary takes over this user, it will be
possible to change the GPO and create their own local administrators on the machines which are linked to
that GPO.
Link the GPO to the desired OU, click on Create a GPO in this domain, and Link it here:
Create a Group and link it to the GPO. Go to Active Directory Users and Computers, right click on the
desired OU and click on New and choose Group:
Press Edit… and the Group Policy Management Editor will pop up. In the editor choose Computer
Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups, right click and
add the previously created group to the GPO. Select This group is a member of administrators:
Click on OK:
Now all users in the LocalAdmin group have local admin permission on the linked machines. Add a user
of the domain with edit rights on the GPO: click on the created GPO, go to Delegation and Add… a
user.
SEC\user01 now has permissions to Edit settings, delete, modify security on the GPO, and will be able
to abuse the permissions in several ways to compromise machines/users which are affected by the
GPO. For example, adversaries can push malicious startup scripts or install a backdoor.
ACLs and ACEs define the permissions on specific objects like users, computers or groups (e.g. change
account names, reset passwords, etc.) in Active Directory.
ACL/ACE Function
WriteDACL Object can be modified – will allow adversaries to gain full access on the object
Open Active Directory Users and Computers on the domain controller and right click on our group and
click on Properties, then we choose Member Of and add the Builtin Administrators:
Go to the tab Managed By and click on Change to choose a domain user who will have permission to
manage this group:
Apply the settings. Adversaries who have compromised SEC\user02 would now be able to add and modify
all objects for the LocalAdmins group.
Unconstrained Delegation
Delegation is used when a server or service account needs to impersonate a user. For example, a front-end
webserver impersonates users when accessing a backend database. If unconstrained delegation is
configured on a server, it allows the server to impersonate connecting users. Computer and user objects
can get unconstrained delegation assigned. Normally it will be assigned to computers running services.
Go to Active Directory Users and Computers on the domain controller and right click on the computer
where the service is running, choose Delegation and tick the following:
Click on OK and verify if everything worked. To verify click on View and tick Advanced Features:
Open Properties of the computer again and click on Attribute Editor. The
attribute UserAccountControl should contain the following entry:
The TGT of every user who is connecting to this server will be saved in memory and can be extracted by
an adversary.
Constrained Delegation
Constrained Delegation limits which services a machine that is trusted for delegation can access on
behalf of an authenticated user. If there is a compromised user or computer account where constrained
delegation is enabled, it’s possible to impersonate any domain user and authenticate to the service
where the account is trusted for delegation.
Open Active Directory Users and Computers on the domain controller and click on the Properties of the
computer. Choose Trust this computer for delegation to specific services only – Use Kerberos
only and click on Add to choose the service:
In this case constrained delegation limits the server to authenticate on behalf of a user to the
SPN CIFS/SRV01.SEC.LAB.LOCAL.
If an adversary compromises the server, he will be able to receive the TGS from the machine. If a server
is trusted for CIFS delegation on a machine, it will allow him to read the files on the target system by
extracting the cached TGS ticket.
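The Kerberos-related settings introduced above (a user account with an SPN, "Do not require Kerberos preauthentication", unconstrained delegation and constrained delegation) all leave a trace in a few account attributes. The following added example, which is not part of the original article, decodes those attributes to list which accounts carry each setting; the function names and every account record are constructed for illustration, and only the SPN CIFS/SRV01.SEC.LAB.LOCAL is taken from the text.

```powershell
# Added example, not from the original article.
# userAccountControl bits relevant to the Kerberos settings changed in this lab.
$Uac = @{
    ACCOUNTDISABLE                 = 0x2
    SERVER_TRUST_ACCOUNT           = 0x2000      # domain controller
    TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
    DONT_REQ_PREAUTH               = 0x400000    # "Do not require Kerberos preauthentication"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation, any protocol
}

function Test-UacFlag {
    param([int]$Value, [string]$Flag)
    return (($Value -band $Uac[$Flag]) -ne 0)
}

function Get-KerberosExposure {
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $uacValue = [int]$Account.userAccountControl
        # Disabled accounts (for example krbtgt) cannot be used to log on and are skipped.
        if (Test-UacFlag $uacValue 'ACCOUNTDISABLE') { return }

        # Missing or empty multi-valued attributes become empty arrays.
        $spns     = @($Account.servicePrincipalName | Where-Object { $_ })
        $targets  = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $findings = @()

        if (Test-UacFlag $uacValue 'DONT_REQ_PREAUTH') {
            $findings += 'Kerberos pre-authentication not required'
        }
        # Computer accounts always carry SPNs; only user accounts are of interest here.
        if ($Account.ObjectClass -eq 'user' -and $spns.Count -gt 0) {
            $findings += "User account with SPN: $($spns -join ', ')"
        }
        # Domain controllers are trusted for delegation by default and are not reported.
        if ((Test-UacFlag $uacValue 'TRUSTED_FOR_DELEGATION') -and
            -not (Test-UacFlag $uacValue 'SERVER_TRUST_ACCOUNT')) {
            $findings += 'Unconstrained delegation'
        }
        if ($targets.Count -gt 0) {
            $anyProtocol = Test-UacFlag $uacValue 'TRUSTED_TO_AUTH_FOR_DELEGATION'
            $mode = if ($anyProtocol) { 'any protocol' } else { 'Kerberos only' }
            $findings += "Constrained delegation ($mode) to: $($targets -join ', ')"
        }

        foreach ($finding in $findings) {
            [pscustomobject]@{ Account = $Account.SamAccountName; Finding = $finding }
        }
    }
}

# Constructed account records; all names and values are placeholders for illustration.
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; ObjectClass = 'user'; userAccountControl = 512
                       servicePrincipalName = @('MSSQLSvc/SRV02.SEC.LAB.LOCAL:1433') }
    [pscustomobject]@{ SamAccountName = 'user03'; ObjectClass = 'user'; userAccountControl = 4194816 }
    [pscustomobject]@{ SamAccountName = 'WEB01$'; ObjectClass = 'computer'; userAccountControl = 528384
                       servicePrincipalName = @('HOST/WEB01.SEC.LAB.LOCAL') }
    [pscustomobject]@{ SamAccountName = 'SRV02$'; ObjectClass = 'computer'; userAccountControl = 4096
                       'msDS-AllowedToDelegateTo' = @('CIFS/SRV01.SEC.LAB.LOCAL') }
    [pscustomobject]@{ SamAccountName = 'DC01$'; ObjectClass = 'computer'; userAccountControl = 532480 }
    [pscustomobject]@{ SamAccountName = 'krbtgt'; ObjectClass = 'user'; userAccountControl = 514
                       servicePrincipalName = @('kadmin/changepw') }
)

$accounts | Get-KerberosExposure | Format-Table -AutoSize -Wrap

# With the ActiveDirectory module, live objects can be piped in the same way:
# Get-ADUser -Filter * -Properties userAccountControl, servicePrincipalName,
#     msDS-AllowedToDelegateTo | Get-KerberosExposure
```

For the constructed records this reports svc_sql, user03, WEB01$ and SRV02$ with one finding each, while the domain controller and the disabled krbtgt account are left out.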
Advanced Threat Analytics (ATA) is a platform that helps protect enterprises from multiple types of
cyber-attacks and insider threats. ATA uses a network parsing engine to capture and parse network
traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication,
authorization, and information gathering. It monitors the network using port mirroring from Domain
Controllers and other important computers.
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
Before we start the installation, make sure that the computer where you install ATA is connected to the
internet. Use a dedicated monitoring machine to set it up, and make sure to give the machine enough
resources (6GB+ of RAM).
In this example we will set up ATA on a second domain controller. The installation process is
straightforward. First, we attach the downloaded ISO to our monitoring server and open it in the Explorer:
Choose Database and install path and install a self-signed certificate:
Click on Launch:
Internet Explorer will open; accept the certificate warning (only do this for your lab setup, don’t accept
certificate warnings for production machines!):
Figure 75 – Create ATA user
Enter the credentials of the ATA user to the ATA instance and click on Test
connection. If the connection succeeded, click on Save:
Click on Download Gateway Setup and Install the first Gateway to install the ATA Gateway:
Gateway Setup download
As soon as the installation process is done click on Finish:
The Gateway will be synced:
Please note that this process will take some time:
Conclusion
Congratulations, you have built your first Active Directory Lab. With such a basic setup you will be able to
perform different types of attacks and check if an alert is triggered and what it looks like. Of course,
you can extend the lab to your needs and add different servers and workstations, as well as replace
ATA with your favorite solution.
SEC Consult is one of the leading consultancies in the field of cyber and application security. The company
specializes in information security management, security audits, penetration testing, ISO 27001 certification
support, cyber defense and secure software certification. SEC Consult is part of Atos.