Enterprise Security Lab: Active Directory Attack & Detection
This project simulates a small enterprise Windows domain to demonstrate hands-on skills in identity management, authentication monitoring, and security event correlation. A Windows Server domain controller and a Windows 11 domain-joined client were deployed to generate, collect, and analyze real Active Directory security events.
The lab focuses on detecting account creation, privilege escalation, and authentication activity using only native Windows Security event logging (for example Event ID 4720 for account creation, 4728/4732/4756 for additions to security-enabled groups, and 4624/4672 for logons and privileged logons). Events from the domain controller and the client were correlated into a single forensic timeline and mapped to MITRE ATT&CK techniques to show which adversary behaviour each event evidences.
Key Outcomes
Built and secured an Active Directory domain environment
Generated real authentication and group-management security events
Collected and preserved evidence from domain controller and client
Correlated logs into a forensic timeline
Mapped activity to MITRE ATT&CK (T1136.002 – Create Account: Domain Account; the account was created on the domain controller, so it is a domain account rather than a local one)
Documented findings in a repeatable, enterprise-style workflow
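The timeline-building step described above, as an added PowerShell example. This is not the lab's own script: it parses the standard Windows Security event XML for the event IDs the lab relies on, builds a sorted timeline, and tags each entry with an ATT&CK technique. The technique mapping for the group-membership and logon events, the hostnames (DC01.lab.local, WS01.lab.local), the account names and the four sample events are assumptions constructed for this example so that it runs offline; on the domain controller the commented-out Get-WinEvent call feeds it live events instead.

```powershell
# Added example, not the project's own code. Parses Security-log event XML
# into a forensic timeline and tags each entry with an ATT&CK technique.

# Event IDs the lab collects, with the technique each one evidences.
# The mapping for 4728/4732/4756, 4624 and 4672 is an assumption for this
# example; the page itself only maps account creation (T1136.002).
$EventMap = @{
    4720 = @{ Label = 'User account created';                    Technique = 'T1136.002 Create Account: Domain Account' }
    4728 = @{ Label = 'Member added to global security group';   Technique = 'T1098 Account Manipulation' }
    4732 = @{ Label = 'Member added to local security group';    Technique = 'T1098 Account Manipulation' }
    4756 = @{ Label = 'Member added to universal security group'; Technique = 'T1098 Account Manipulation' }
    4624 = @{ Label = 'Successful logon';                        Technique = 'T1078.002 Valid Accounts: Domain Accounts' }
    4672 = @{ Label = 'Special privileges assigned to new logon'; Technique = 'T1078.002 Valid Accounts: Domain Accounts' }
}

# Convert one event's XML (as returned by EventLogRecord.ToXml()) into a flat
# object. Named EventData fields are read by name rather than by position, so
# the parser does not break when Microsoft appends fields to an event schema.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Id          = [int]$doc.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
        TimeCreated = [datetime]$doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $doc.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
        Data        = $data
    }
}

# Build the timeline: keep only mapped IDs, order by time, and render who did
# what to whom, so DC and client events read as one sequence.
function New-AdTimeline {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $EventMap.ContainsKey($_.Id) } | Sort-Object TimeCreated | ForEach-Object {
        $ev = $_; $d = $ev.Data
        $target = switch ($ev.Id) {
            4720 { '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName'] }
            { $_ -in 4728, 4732, 4756 } { '{0} -> group {1}' -f $d['MemberName'], $d['TargetUserName'] }
            4624 { '{0}\{1} (logon type {2}, from {3})' -f $d['TargetDomainName'], $d['TargetUserName'], $d['LogonType'], $d['IpAddress'] }
            4672 { '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName'] }
        }
        [pscustomobject]@{
            Time      = $ev.TimeCreated.ToUniversalTime().ToString('u')
            Host      = $ev.Computer
            EventId   = $ev.Id
            Action    = $EventMap[$ev.Id].Label
            Subject   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Target    = $target
            Technique = $EventMap[$ev.Id].Technique
        }
    }
}

# Constructed sample events (assumed names): jsmith creates svc-backup on the
# DC, adds it to Domain Admins, then svc-backup logs on to the client with
# admin privileges. Real events carry many more Data fields; only those the
# timeline reads are included here.
$xmlns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$SampleEvents = @(
    "<Event xmlns='$xmlns'><System><EventID>4720</EventID><TimeCreated SystemTime='2024-03-01T14:02:10.000Z'/><Computer>DC01.lab.local</Computer></System><EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>LAB</Data><Data Name='SubjectUserName'>jsmith</Data><Data Name='SubjectDomainName'>LAB</Data></EventData></Event>",
    "<Event xmlns='$xmlns'><System><EventID>4728</EventID><TimeCreated SystemTime='2024-03-01T14:02:41.000Z'/><Computer>DC01.lab.local</Computer></System><EventData><Data Name='MemberName'>CN=svc-backup,CN=Users,DC=lab,DC=local</Data><Data Name='TargetUserName'>Domain Admins</Data><Data Name='SubjectUserName'>jsmith</Data><Data Name='SubjectDomainName'>LAB</Data></EventData></Event>",
    "<Event xmlns='$xmlns'><System><EventID>4624</EventID><TimeCreated SystemTime='2024-03-01T14:05:03.000Z'/><Computer>WS01.lab.local</Computer></System><EventData><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>LAB</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>10.0.0.25</Data></EventData></Event>",
    "<Event xmlns='$xmlns'><System><EventID>4672</EventID><TimeCreated SystemTime='2024-03-01T14:05:03.000Z'/><Computer>WS01.lab.local</Computer></System><EventData><Data Name='SubjectUserName'>svc-backup</Data><Data Name='SubjectDomainName'>LAB</Data></EventData></Event>"
)

$timeline = New-AdTimeline ($SampleEvents | ForEach-Object { ConvertFrom-SecurityEventXml $_ })
$timeline | Format-Table -AutoSize

# Live collection on the domain controller (elevated session required):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756, 4624, 4672 } |
#         ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }
# New-AdTimeline $live | Export-Csv .\ad-timeline.csv -NoTypeInformation
```

Reading EventData fields by their Name attribute is the important design choice: the positional Properties array on EventLogRecord shifts between Windows versions (4624 in particular has gained fields), so a timeline built from indices silently attributes the wrong user or address after an OS upgrade. The same parser accepts XML exported from the client, which is what lets DC and workstation evidence sort into one timeline.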
Skills Demonstrated
Active Directory administration
Windows Security Event Logging
Incident detection and log analysis
Forensic evidence handling
MITRE ATT&CK mapping
PowerShell for security operations
Enterprise documentation and reporting