Windows Server Active Directory: Offensive and Defensive Security Strategies



Bibliographic Details
Main Author: KHAN, ADIL (author)
Published: 2025
Subjects:
Online Access: https://bspace.buid.ac.ae/handle/1234/3249
Description
Abstract: Active Directory (AD) is a critical component in enterprise IT, yet misconfigurations have led to severe real-world breaches through lateral movement, credential theft, and privilege escalation, highlighting the urgent need for improved AD security strategies. This research explores offensive and defensive security approaches within Windows Server AD environments by simulating real-world cyberattacks and evaluating detection capabilities using modern monitoring tools. Unlike prior studies that often isolate theoretical attack techniques or passive defenses, this investigation adopts a practical, lab-based methodology in which offensive tools such as Mimikatz, BloodHound, PowerSploit, and Impacket are executed against deliberately misconfigured AD setups. The proposed defensive approach combines endpoint telemetry from Sysmon with centralized correlation and alerting through the Wazuh SIEM, complemented by Microsoft Defender Antivirus for baseline comparison. All telemetry is mapped to the MITRE ATT&CK framework for structured analysis. Each attack scenario is assessed for detection effectiveness and latency, revealing that while most attacks are identified within one to four seconds, stealthier techniques such as DCSync evade automated detection and are only observable through manual log inspection. The findings highlight the prevalence of AD misconfigurations, including excessive user privileges, weak service account protections, and inadequate Kerberos hardening, which enable credential theft and lateral movement. The study also emphasizes the importance of tuning detection rules, maintaining comprehensive log visibility, and integrating host-based and SIEM-level analytics to improve organizational preparedness. By addressing key gaps in existing literature, such as the lack of empirical simulations, limited benchmarking of detection latency, and insufficient MITRE ATT&CK alignment, this research offers an integrated framework and evidence-based guidance to strengthen enterprise resilience and inform AD security best practices.