
Detecting Windows Attacks with Splunk
A comprehensive guide on detecting Windows Active Directory attacks, lateral movements, Pass-the-Hash, Kerberoasting, Golden/Silver Tickets, Responder attacks, and other threats using Splunk and Zeek logs.


Puppy is an easy Windows machine on HTB. Initial access is obtained by abusing weak credentials in an exposed service. User enumeration reveals credentials for a low-privileged account. Privilege escalation is performed via a misconfigured service and local file access to obtain Administrator privileges.

Voleur is a medium-level Active Directory Hackthebox machine based on an assumed-breach scenario (meaning we start with valid credentials). It focuses on Kerberos authentication, realm fixation, hash cracking, BloodHound enumeration, Kerberoasting, RunasCs.exe for switching users, extracting DPAPI Vault credentials, recovering deleted AD objects, lateral movement through users, SSH into WSL, and finally using secretsdump to extract secrets from the backups to obtain administrator access.

Artificial is an easy Linux machine on HTB. Foothold comes from uploading a malicious TensorFlow model for RCE. Dumped credentials give user access, and root is obtained via a backup misconfiguration.

Walkthrough of the HTB TombWatcher machine, covering initial access with domain creds, BloodHound ACL abuse, targeted Kerberoasting, and privilege escalation via ADCS ESC15 to Domain Admin.

Walkthrough of the HTB Certificate machine, covering PHP webshell upload, MySQL enumeration, AD credential cracking, and privilege escalation via ESC3 in ADCS.

Fluffy is an easy Windows machine on HTB. Initial access is achieved with valid credentials. Active Directory enumeration and abuse of service account permissions allow privilege escalation to Administrator via ADCS abuse.

Planning is an easy machine, covering discovery of a vulnerable service, leveraging RCE, and then using container and system misconfigurations for privilege escalation.

Administrator is a medium Windows AD box where SMB enumeration and misconfigured user privileges lead to password resets, credential cracking, and finally a DCSync attack to gain full domain admin access.