Active Directory Project

Active Directory (AD) is a directory service developed by Microsoft that is used for managing computers, users, groups, and devices within a network, primarily in a Windows domain environment. It plays a critical role in centralizing the administration of IT infrastructure by providing authentication, authorization, and directory services.

Key Components of Active Directory:

  1. Domain: A logical grouping of network objects (such as users, computers, and devices) that share one directory database and one set of security policies. Every object in the domain is managed through the domain's domain controllers (DCs).
  2. Domain Controller (DC): A server that hosts the AD services and holds a writable copy of the directory database. It authenticates users and computers in the domain, authorizes access to resources, enforces security policy, and replicates directory changes to the other DCs. Because it holds the credential material for every account in the domain, it is the highest-value system in the environment and the one whose logs matter most.
  3. Active Directory Domain Services (AD DS): The core AD role. It stores the directory data and handles authentication (Kerberos, with NTLM as the fallback) between clients, users, and the domain.
  4. Objects: In AD, everything is an object. The main kinds are users (individual user accounts), computers (machines joined to the domain), groups (collections of users, computers, or other groups, used to grant permissions in bulk), and organizational units (containers that arrange users, computers, and groups hierarchically within a domain so that Group Policy and delegated administration can be applied to them).
  5. Forest: The top-level container in AD. A forest can hold several domains that share one schema, one configuration partition, and one global catalog. The forest, not the domain, is the security boundary: domains inside a forest trust each other automatically.
  6. Trusts: Relationships between domains (or forests) that let users in one domain authenticate to and access resources in another. Trusts can be one-way or two-way, and transitive or non-transitive.


This article is about an Active Directory project I am currently working on. Since the overview above (and an earlier article of mine) already covers what Active Directory is, this article focuses on the components of the network and the devices I used in the project. The diagram above shows the project layout along with the components that were used.

What are Network Devices?

Network devices are hardware devices that let computers and networks communicate with one another. They connect computers and other equipment in a LAN (Local Area Network) or across a WAN (Wide Area Network), and each type serves a different purpose.

Routers: operate at the network layer (layer 3) of the OSI model. A router connects different networks, which may or may not run the same link-layer technology, and forwards packets from source to destination based on their destination IP addresses.

Switch: operates at the data link layer (layer 2). A switch connects multiple devices (such as the AD server, the Splunk server, and the client machines) on the same network and forwards frames between them based on MAC addresses; it does not route between networks. In this project the switch is used to build a realistic network segment in which AD, the clients, the Splunk server, and the attacker's machine interact. The traffic crossing it is what the logs collected by Splunk describe, and a port mirror (SPAN) on the switch is the usual way to capture that traffic if packet-level visibility is wanted as well.


Splunk Server: collects logs from multiple sources (the Active Directory domain controller, the network devices, and the endpoints on which the Atomic Red Team tests run), indexes them, and makes them searchable. In this project Splunk will receive the Windows event logs from the AD server and the clients (typically via the Splunk Universal Forwarder installed on each of them), flag attacks or suspicious activity originating from the Kali Linux machine, and provide real-time dashboards for analysis. Alerts can be configured to fire on specific attack patterns.

Atomic Red Team (ART): is an open-source library of small, scripted tests, each mapped to a technique in the MITRE ATT&CK framework, that emulate real adversary behaviour. ART will be run inside the Active Directory environment to generate the security events and logs that Splunk captures and analyzes. This shows how each technique looks in the telemetry and whether the detection and defence controls actually work.

Kali Linux: is a Linux distribution built for penetration testing and security auditing, shipping with a wide range of tools for ethical hacking and for testing the security of networks and systems. In this project Kali Linux will be the attacker's machine, used to run attacks such as password attacks, lateral movement, and Kerberoasting against the Active Directory environment. The events these attacks generate on the domain controller and the clients are forwarded to Splunk for analysis.
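The detection side of the setup described in the two paragraphs above, as an added example that is not code from the original article: a small Python detector run over constructed Windows Security event records, flagging the two attacks most likely to come from the Kali machine, Kerberoasting (event 4769, RC4 service tickets for many SPN accounts) and password spraying (event 4625, many accounts failing from one source). The event records are constructed for this example, the field names assume the XML-rendered Windows Security log as the Splunk Add-on for Microsoft Windows extracts it, and the thresholds are assumptions for a small lab. The equivalent Splunk searches are given in the docstrings for reference.

```python
"""Detection logic for two attacks the lab generates (added example, not the article's code).

The records below are constructed, not real logs. They mimic the fields Splunk
extracts from XML-rendered Windows Security events: 4769 (Kerberos service ticket
requested) and 4625 (logon failed). The thresholds are assumptions for a small lab.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos etype 0x17 = RC4-HMAC. Kerberoasting tools request RC4 tickets because the
# resulting hashes crack far faster than AES ones (0x11/0x12).
RC4_HMAC = "0x17"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


SAMPLE_EVENTS = [
    # alice gets an AES ticket for a file server: normal, must not alert
    {"EventCode": 4769, "_time": "2024-05-01 09:00:01", "TargetUserName": "alice@LAB.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    # whoever holds bob's credentials on the Kali box pulls RC4 tickets for several
    # SPN accounts within two seconds: Kerberoasting
    {"EventCode": 4769, "_time": "2024-05-01 09:05:00", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventCode": 4769, "_time": "2024-05-01 09:05:01", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventCode": 4769, "_time": "2024-05-01 09:05:02", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    # standard exclusions: krbtgt and machine accounts ($) are not Kerberoast targets
    {"EventCode": 4769, "_time": "2024-05-01 09:05:02", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    # one user mistyping their own password: must not alert
    {"EventCode": 4625, "_time": "2024-05-01 09:12:00", "TargetUserName": "frank",
     "IpAddress": "10.0.0.31", "LogonType": "2", "SubStatus": "0xC000006A"},
]
# Password spray from the same Kali host: one wrong guess against five accounts
SAMPLE_EVENTS += [
    {"EventCode": 4625, "_time": f"2024-05-01 09:10:0{i}", "TargetUserName": user,
     "IpAddress": "10.0.0.99", "LogonType": "3", "SubStatus": "0xC000006A"}
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])
]


def _max_distinct_in_window(events, key_field, value_field, window):
    """For each key, the largest number of distinct values seen inside any sliding window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key_field]].append((_ts(e["_time"]), e[value_field]))
    result = {}
    for key, items in by_key.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({v for _, v in items[start:end + 1]}))
        result[key] = best
    return result


def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Accounts that requested RC4 service tickets for >= min_services distinct SPN
    accounts within the window. Splunk equivalent (XML field names assumed):
      index=wineventlog EventCode=4769 TicketEncryptionType=0x17
        ServiceName!=krbtgt ServiceName!=*$
      | bin _time span=5m | stats dc(ServiceName) AS spns BY _time, TargetUserName
      | where spns>=3
    """
    candidates = [e for e in events
                  if e["EventCode"] == 4769
                  and e["TicketEncryptionType"] == RC4_HMAC
                  and e["ServiceName"] != "krbtgt"
                  and not e["ServiceName"].endswith("$")]
    counts = _max_distinct_in_window(candidates, "TargetUserName", "ServiceName", window)
    return sorted(k for k, n in counts.items() if n >= min_services)


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Source IPs with failed logons for >= min_accounts distinct accounts in the window.
    Splunk equivalent:
      index=wineventlog EventCode=4625 | bin _time span=5m
      | stats dc(TargetUserName) AS accounts BY _time, IpAddress | where accounts>=5
    """
    candidates = [e for e in events if e["EventCode"] == 4625]
    counts = _max_distinct_in_window(candidates, "IpAddress", "TargetUserName", window)
    return sorted(k for k, n in counts.items() if n >= min_accounts)


if __name__ == "__main__":
    print("Kerberoasting suspects:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Password spray sources:", detect_password_spray(SAMPLE_EVENTS))
```

On the sample data the first detector returns bob's account and the second returns 10.0.0.99, while alice's AES ticket and frank's single typo stay quiet. Note one difference from the Splunk searches in the docstrings: `bin _time span=5m` uses fixed buckets, so a burst straddling a bucket boundary can be split below the threshold, whereas the Python code uses a true sliding window. In Splunk the same effect is obtained with `streamstats` over a time window, at higher cost.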

Goal of the project:

  • Simulate a Realistic Network Environment: By setting up Active Directory, I will be creating a network that mimics a typical corporate environment, which is often a high-value target for attackers. This is important for simulating realistic attack scenarios.
  • Simulate Adversary Behavior: Using Atomic Red Team allows you to run specific adversary tactics in a controlled environment, helping you simulate the activities of malicious actors and understand how these attacks impact your network.
  • Penetration Testing: Kali Linux will perform various attacks on your Active Directory environment, similar to what real-world attackers might do. You’ll test the security of your AD setup and find vulnerabilities.
  • Log Collection and Monitoring: The Splunk server will collect logs from all components (AD, the network devices, and the endpoints targeted by the Kali Linux attacks), so that attack patterns can be analyzed and visualized. This setup will help you detect security breaches, trace attacker movements, and monitor system health in real time.
  • Improve Security Posture: By simulating attacks and analyzing the logs in Splunk, you'll learn how to defend an Active Directory environment. This setup helps you improve security monitoring, incident detection, and incident response capabilities.


This kind of project allows you to build a cybersecurity portfolio by showcasing your ability to:

  • Set up complex environments (Active Directory, Splunk).
  • Simulate attacks (Atomic Red Team, Kali Linux).
  • Monitor and defend (Splunk alerts and dashboards).


Friday Barry Nkpurunee

CyberSecurity || Pen Tester Student

4 months

Very helpful


More articles by Ephraim Norbert:

  • Bypass cookies using cookie manipulation
  • What is Log Analysis: Importance and use Cases.
  • OSI Model: A Framework for Data Transmission
  • Malware Reverse Engineering
  • Exploring Web Directory and File Brute Forcing with WFUZZ
  • Cyber Kill Chain
  • Penetration Testing Tools
  • Linux: A Key Element for Hacking and IT Security
  • Cybersecurity 101: A beginner’s guide to online safety.
  • Security Researchers has found an exploit to bypass detection for PaperCut Vulnerability.