We learned basic concepts on implementing group policies and the least privilege model in the previous room. In this room, we will focus on Active Directory vulnerabilities, methods for recovering the compromised Active Directory domain controller, and preventive measures to avoid hacking attempts. We will also discuss the Active Directory red architecture to implement operating system hardening and benchmarks defined for the server environment.
Learning Objectives
The topics that we will cover in this room include:
- Immediate actions after infection
- Identifying attack patterns and how to locate an infection vector
- Basic recovery process
- Common misconfigurations by domain administrators
- Post-recovery steps
Prerequisites
We recommend going through the Windows Hardening room to develop a solid understanding of Windows protection architecture.
Connecting to the Machine
We will use Windows Server 2019, serving as a compromised domain controller throughout the room. We assume that the attackers somehow got access to the domain controller on Apr 10, 2023, and are now creating additional accounts, modifying group policies, and disrupting essential services of our network. The credentials to access the machine are mentioned below:
- IP: MACHINE_IP
- Username: THM\Administrator
- Password: recover@123
You can access the VM by clicking Start Machine. The machine will start in a split-screen view. If the VM is not visible, use the blue Show Split View button at the top-right of the page. Alternatively, you can access the VM through Remote Desktop using the above credentials.
Let's begin.
Answer the questions below
I can connect to the machine.
What is the flag value after connecting to the machine?
