Skip to content

CyberTechSali/Active-Directory-Hardening-and-Security

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 

Repository files navigation

🛡️ Active Directory Security Audit

Domain : cybertechsali.com  |  Period : Nov – Dec 2025  |  Author : OUCHAHED SALMA


Context

This project is a complete security audit of the cybertechsali.com Active Directory environment. The objective was to identify critical vulnerabilities, demonstrate their real-world impact through controlled exploitation, and propose a validated hardening roadmap.


Tools Used

Tool Version Purpose
PingCastle 3.2.1 Risk analysis and global scoring
Purple Knight Community Detection of exposure indicators (IOEs)
BloodHound 8.3.1 Attack path mapping and Tier 0 asset identification
Mimikatz 2.2.0 Credential extraction (DCSync, Pass-the-Hash, Pass-the-Ticket)

Key Findings

Metric Result
PingCastle Score 55/100 (High Risk)
Exposure Indicators (Purple Knight) 17 IOEs
Tier 0 Assets Identified 25 objects (including 5 admin accounts)
Demonstrated Compromise Time Less than 5 minutes

📸 Visual Evidence (Screenshots)

Finding Screenshot
PingCastle Score 55/100 PingCastle
17 IOEs Detected (Purple Knight) Purple Knight
BloodHound Attack Paths (Tier Zero) BloodHound
DCSync Extraction (Mimikatz) Mimikatz DCSync
Successful Pass-the-Hash (Admin Shell) Pass-the-Hash
Kerberos Ticket Validation (klist) Klist Validation
Event 4768 – TGT Request (Audit) Event 4768 TGT
Event 4769 – TGS Request (Audit) Event 4769 TGS

Top 3 Exploited Vulnerabilities

  1. Print Spooler enabled on the DC → DCSync attack (all domain hashes extracted).
  2. Admin accounts delegable → Kerberos ticket theft (Pass-the-Ticket).
  3. NTLMv1/LM still active → Pass-the-Hash (admin shell in 30 seconds).

Remediation Roadmap

Phase Actions Status
Urgent (Week 1-2) Disable Spooler, rotate admin passwords, enable "sensitive & non-delegable" flag ✅ Completed
Structural (Week 3-8) Deploy LAPS, enable Credential Guard, add admins to Protected Users group ⏳ In progress
Governance (Month 2-6) Deploy SIEM, monitor Events 4768/4769, implement Tier 0/1/2 model 📅 Planned

✅ Hardening Validation – Before / After

Before (Vulnerable) After (Hardened)
sekurlsa::pth /user:karim-adm /ntlm:fa7665bef... /run:cmd
Admin shell obtained
sekurlsa::pth /user:karim-adm /ntlm:fa7665bef... /run:cmd
Authentication failed – NTLM refused

Post-Hardening Verification

1. Kerberos Ticket Encryption (klist) The klist command confirms that all tickets are now issued with strong AES-256-CTS-HMAC-SHA1-96 encryption.

Klist Validation

2. Security Auditing & Traceability (Event Viewer) To ensure detection capabilities are operational, the following critical security events are now successfully generated and logged on the Domain Controller:

  • Event ID 4768 : Kerberos authentication ticket (TGT) was requested.

    • Purpose: Detects initial authentication and TGT issuance.

    Event 4768 TGT

  • Event ID 4769 : A Kerberos service ticket (TGS) was requested.

    • Purpose: Detects service access requests, crucial for identifying lateral movement (Pass-the-Ticket).

    Event 4769 TGS


Repository Structure

Audit-AD-cybertechsali/
├── README.md
├── Rapport_Audit_AD_Final.pdf
├── Preuves/                          # 📸 Screenshot folder
│   ├── 01_PingCastle_Score55.png
│   ├── 02_PurpleKnight_IOEs.png
│   ├── 03_BloodHound_TierZero.png
│   ├── 04_Mimikatz_DCSync.png
│   ├── 05_PassTheHash_Shell.png
│   ├── 06_Remediation_Klist_Validation.png
│   ├── 07_Event4768_TGT.png          # 🆕 TGT Audit Log
│   └── 08_Event4769_TGS.png          # 🆕 TGS Audit Log
└── Scripts/
    ├── Disable_Spooler.ps1
    └── Apply_NTLM_Hardening.ps1

Disclaimer

⚠️ This project contains confidential information (internal domain names, NTLM hashes, network topology).
The repository is private and must not be shared publicly.
Intended for lab use or advanced cybersecurity training purposes only.


Author

OUCHAHEd SALMA
Cybersecurity Engineer – AD & Pentesting Specialist
LinkedIn | GitHub


Last updated: July 2026

About

Comprehensive Active Directory security audit framework: assessment (PingCastle/Purple Knight) → reconnaissance (BloodHound) → exploitation (Mimikatz) → hardening. Risk score 55/100 reduced through evidence-based remediation. Includes attack paths, exploitation proofs, and GPO hardening guides.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors