In an Active Directory environment, every internet-facing service that authenticates against the domain is a potential entry point. This room teaches how to detect initial access attacks against three of the most common ones: web applications, Exchange, and gateways.
Each scenario uses a different application log source, but they share a common principle:
- The attack is visible in the application logs first
- Correlating those entries with other log sources (e.g., Windows Security logs) then reveals the full scope
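The principle above, as an added example that is not part of the room: a few constructed IIS log lines are parsed, a simple web-shell heuristic flags the suspicious requests in the application log, and those hits are then correlated with constructed Windows Security 4688 (process creation) events spawned by the IIS worker process into a single timeline. The log data, the upload-directory heuristic and the w3wp.exe parent check are all assumptions chosen for illustration, not detections taken from the room.

```python
"""Correlate application-log hits with Windows Security events into one timeline.

Added example, not the room's own code. IIS_LOG and SECURITY_EVENTS are
constructed sample data; the web-shell heuristic (successful POST to an .aspx
file under an upload directory) and the follow-on check (EventID 4688 whose
parent is w3wp.exe within a short window) are assumptions for illustration.
"""
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Constructed IIS W3C lines, reduced to: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
2024-03-01 10:14:02 203.0.113.5 GET /index.aspx 200
2024-03-01 10:15:40 203.0.113.5 POST /upload.aspx 200
2024-03-01 10:16:05 203.0.113.5 POST /uploads/cmd.aspx 200
2024-03-01 10:16:09 203.0.113.5 POST /uploads/cmd.aspx 200
2024-03-01 10:20:00 198.51.100.9 GET /index.aspx 200
"""

# Constructed Windows Security events (4688 = process creation, 4624 = logon)
SECURITY_EVENTS = [
    {"time": "2024-03-01 10:16:06", "EventID": 4688,
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"time": "2024-03-01 10:16:07", "EventID": 4688,           # benign: not spawned by IIS
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"time": "2024-03-01 10:16:10", "EventID": 4688,
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
    {"time": "2024-03-01 10:16:30", "EventID": 4624, "LogonType": 3},  # ignored here
]


def parse_iis(text):
    """Parse the reduced IIS lines into dicts with a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, c_ip, method, uri, status = line.split()
        entries.append({"time": datetime.strptime(f"{date} {time}", TS),
                        "c_ip": c_ip, "method": method, "uri": uri, "status": int(status)})
    return entries


def find_webshell_hits(entries, upload_dir="/uploads/"):
    """Heuristic (assumption): successful POSTs to an .aspx file under the upload directory."""
    return [e for e in entries
            if e["method"] == "POST" and e["status"] == 200
            and e["uri"].lower().startswith(upload_dir)
            and e["uri"].lower().endswith(".aspx")]


def correlate(hits, events, window_seconds=60):
    """Attach to each w3wp.exe-spawned 4688 the latest web-shell request preceding it within the window."""
    pairs = []
    for ev in events:
        if ev["EventID"] != 4688 or not ev["ParentProcessName"].lower().endswith("\\w3wp.exe"):
            continue
        t = datetime.strptime(ev["time"], TS)
        candidates = [h for h in hits if 0 <= (t - h["time"]).total_seconds() <= window_seconds]
        if candidates:
            pairs.append((max(candidates, key=lambda h: h["time"]), ev))
    return pairs


def build_timeline(hits, pairs):
    """Merge application-log hits and correlated Security events, ordered by time."""
    rows = [(h["time"], "IIS", f'{h["c_ip"]} {h["method"]} {h["uri"]} {h["status"]}') for h in hits]
    for h, ev in pairs:
        rows.append((datetime.strptime(ev["time"], TS), "Security 4688",
                     f'{ev["NewProcessName"]} ({ev["CommandLine"]}) spawned by w3wp.exe, '
                     f'{(datetime.strptime(ev["time"], TS) - h["time"]).total_seconds():.0f}s after {h["uri"]}'))
    return sorted(rows)


if __name__ == "__main__":
    hits = find_webshell_hits(parse_iis(IIS_LOG))
    for when, source, what in build_timeline(hits, correlate(hits, SECURITY_EVENTS)):
        print(f"{when:%H:%M:%S}  {source:<14} {what}")
```

The same shape applies to the other two scenarios in the room: the application log (here IIS) supplies the first indicator and the source IP, and the Security log confirms what happened on the host. Widen `window_seconds` or the parent-process check to taste, but keep the ordering constraint (event after request), otherwise unrelated IIS traffic will attach to every process start.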
Learning Objectives
- Analyze logs to detect web application attacks and web shell activity
- Correlate Exchange authentication events with Windows Security logs
- Investigate credential attacks using event logs
- Investigate post-authentication activity to determine the impact of a breach
- Build investigation timelines by correlating application logs with Windows Security logs
Prerequisites
- Active Directory: How users, groups, and authentication work (Active Directory Basics room)
- Windows Event Logs: Reading and filtering Security events (Windows Event Logs room)
- Splunk: Writing queries to search and filter log data (Splunk: Exploring Splunk room)
- Monitoring: Knowing the main Windows Security Event IDs and what normal activity looks like in Active Directory, so that abnormal activity stands out (Monitoring Active Directory room)
Machine Access
Start the machine by clicking the Start Machine button below. Give the instance about 4-5 minutes to launch, then access it using the link below. Feel free to continue reading the next tasks while it boots:
Info: This instance is used throughout Tasks 2-7. A separate instance with different data is provided for the Task 8 challenge.
Set up your virtual environment
I have successfully started my Splunk instance.