DC01 is my opportunity to learn the Windows Server environment along with Active Directory.
I created the domain structure and ensured DNS authority, and I gave the users, groups, and service accounts excessive permissions.
These identity and access management vulnerabilities provide multiple paths for privilege escalation and persistence, as well as opportunities to learn how to defend against these attacks.
⚔️ Attack Simulations
Kerberoasting Service Accounts
AS-REP Roasting (No Pre-Auth)
SMB Relay / NTLM Coercion
DCSync (DRS Replication)
🛡️ Detection & Remediation
Advanced AD Auditing Policy
Deploying Honey Tokens
Enforcing SMB Signing
Protected Users Group Config
Critical Findings
🎟️ Service Principal Names
Service accounts with weak passwords registered with SPNs (e.g. mssql_svc) allow any domain user to request a TGS ticket and crack it offline.
📝 SMB Signing Disabled
Signing is not enforced on the DC, allowing for NTLM relay attacks against the server itself.
Impact: Relay to DA
🔓 Weak Password Policy
Minimum password length of 7 with a lockout threshold of 0.
Impact: Brute force target
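A defender-side audit for the three findings above, as an added example (not a script from the DC01 lab). It assumes it runs on the DC with the ActiveDirectory module installed; the remediation values (14-character minimum, lockout threshold of 5) are assumed targets, not figures from this page.

```powershell
param([switch]$Remediate)   # audit only unless -Remediate is passed
Import-Module ActiveDirectory

# 1. Kerberoastable accounts: user objects carrying an SPN (krbtgt excluded).
#    Old PasswordLastSet values on these accounts are the real risk.
$spnUsers = Get-ADUser -LDAPFilter "(servicePrincipalName=*)" `
    -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }
$spnUsers |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# AS-REP roastable accounts: userAccountControl bit 0x400000 (DONT_REQ_PREAUTH)
# via the LDAP bitwise-AND matching rule.
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" |
    Select-Object SamAccountName | Format-Table -AutoSize

# 2. SMB signing on this host: only RequireSecuritySignature=$true blocks relay;
#    EnableSecuritySignature alone merely negotiates it.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    Write-Warning "SMB signing is not required on $env:COMPUTERNAME (relay target)"
    if ($Remediate) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# 3. Default domain password policy (length and lockout threshold).
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MinPasswordLength -lt 14 -or $pol.LockoutThreshold -eq 0) {
    Write-Warning ("Weak policy: MinPasswordLength={0} LockoutThreshold={1}" -f
        $pol.MinPasswordLength, $pol.LockoutThreshold)
    if ($Remediate) {
        # Assumed hardening values; adjust to your own baseline.
        Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
            -MinPasswordLength 14 -LockoutThreshold 5
    }
}
```

Run it without `-Remediate` first to confirm the findings match the lab, then with `-Remediate` on the DC to enforce signing and tighten the policy.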