In this project I set up an Active Directory home lab with Splunk, Kali Linux, and Atomic Red Team. I wanted to understand how a domain environment actually works, how to get Windows events into a SIEM, and what real attacks look like from the defender's side. Reading about Mimikatz is one thing. Watching Splunk light up when you run a credential dumping simulation against a domain controller you configured yourself is something else.
- Windows Server 2022 - Active Directory Domain Controller (192.168.10.7)
- Windows 10 - Domain-joined target endpoint (192.168.10.100)
- Ubuntu Server - Splunk SIEM (192.168.10.10)
- Kali Linux - Attack machine (192.168.10.250)
All VMs need to be on the same network. In VirtualBox go to Tools, then Network, select the NAT Networks tab and click Create. I named mine "AD Project" with IPv4 prefix 192.168.10.0/24. Leave DHCP enabled and apply. Then, for each VM, set its network adapter to "NAT Network" and pick "AD Project"; a VM left on the default NAT adapter gets a 10.0.2.x address and can't reach the others.
Once the Splunk VM is running, check its IP with ip a. If it doesn't show 192.168.10.10, set it statically. Note the interface name ip a reports; enp0s3 is the usual VirtualBox default, but use whatever yours shows:
```bash
sudo nano /etc/netplan/00-installer-config.yaml
```

Update it to look like this (indentation matters):

```yaml
network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: no
      addresses: [192.168.10.10/24]
      # 192.168.10.1 is the gateway VirtualBox assigns to a 192.168.10.0/24 NAT Network.
      # gateway4 still works but is deprecated in newer netplan; the modern equivalent is
      # routes: [{to: default, via: 192.168.10.1}]
      gateway4: 192.168.10.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
```

Then run sudo netplan apply and check ip a again.
Brute Force - RDP via Crowbar (from Kali)
Crowbar's supported protocols are openvpn, rdp, sshkey and vnc, so this step is RDP only; SMB brute forcing needs a different tool. RockYou ships gzipped on Kali (rockyou.txt.gz in the same directory), so decompress it first. A full RockYou run against RDP takes a very long time; for the demo, a short wordlist that contains the real password gets Splunk lighting up just as well.

```bash
crowbar -b rdp -s 192.168.10.100/32 -u administrator -C /usr/share/wordlists/rockyou.txt
```

Splunk query to catch it:

```spl
index=endpoint EventCode=4625
| stats count by src_ip, user, host
| where count > 10
| sort -count
```

What you'll see: a spike of Event ID 4625 (failed logon) from the same source IP in a short window. The count covers whatever time range the search runs over, so run it over the last 15 minutes for a burst and a longer range for a slow attack. With Network Level Authentication on (the Windows default), RDP failures are logged with Logon Type 3 rather than 10, so don't filter on Logon Type 10 expecting to catch them.
Credential Dumping - Mimikatz via Atomic Red Team
On the Windows 10 target, from an elevated PowerShell session with Invoke-AtomicRedTeam loaded:

```powershell
Invoke-AtomicTest T1003.001
```

Run it with -GetPrereqs first so the test binaries are fetched, and with -Cleanup afterwards. Expect Defender to quarantine Mimikatz unless real-time protection is turned off on the target.

Splunk query:

```spl
index=endpoint source="*Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*mimikatz*" OR CommandLine="*sekurlsa*" OR CommandLine="*lsadump*")
| table _time, host, user, CommandLine, ParentImage
```

What you'll see: Sysmon Event ID 1 (process creation) with the Mimikatz arguments in CommandLine, usually with powershell.exe as the ParentImage. The source filter matters because Event ID 1 also exists in other Windows channels in the same index. Caveat: this only catches the T1003.001 variants that put Mimikatz keywords on the command line. The ProcDump and comsvcs.dll MiniDump variants in the same technique never mention mimikatz; for those you need a different signal, such as Sysmon Event ID 10 (ProcessAccess) with a TargetImage ending in lsass.exe, which only shows up if your Sysmon config logs process access to lsass.
Persistence - New Admin Account Created

```spl
index=endpoint (EventCode=4720 OR EventCode=4732)
| table _time, host, EventCode, SubjectUserName, TargetUserName, TargetSid, MemberSid
```

What you'll see: Event ID 4720 (account created; TargetUserName is the new account and TargetSid its SID) followed by 4732 (member added to a security-enabled local group). In the 4732 event TargetUserName is the group, here Administrators, and the added account is identified only by MemberSid (MemberName is usually "-"), so correlate the two events on TargetSid = MemberSid rather than on a name. Adding an account to Domain Admins logs 4728 (global group) instead of 4732, so include it if you're watching the DC.
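The 4720 to 4732 correlation described above, as an added example that is not part of the original write-up. It joins the two events on SID rather than account name, requires them to be on the same host within a short window, and only fires for BUILTIN\Administrators (well-known SID S-1-5-32-544). The events are constructed dicts using the field names Splunk's Windows TA extracts from XML-rendered Security events (SubjectUserName, TargetUserName, TargetSid, MemberSid); in the lab you'd pull them from Splunk instead.

```python
"""Correlate 4720 (user created) with 4732 (member added to a local group).

Added example, not from the lab write-up. Finds accounts that were created
and then added to BUILTIN\\Administrators on the same host within a window.
"""
from datetime import datetime, timedelta

# Well-known SID of BUILTIN\Administrators. A 4732 event reports the group in
# TargetUserName/TargetSid and the added member only as MemberSid.
ADMINS_SID = "S-1-5-32-544"

# Constructed sample events (not real lab data); _time is ISO-8601 UTC.
EVENTS = [
    {"_time": "2024-03-01T10:00:05", "EventCode": 4720, "host": "WIN10",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-111-222-333-1105"},
    {"_time": "2024-03-01T10:00:09", "EventCode": 4732, "host": "WIN10",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberName": "-",
     "MemberSid": "S-1-5-21-111-222-333-1105"},
    # A helpdesk-created account added to Remote Desktop Users, not
    # Administrators: must not fire.
    {"_time": "2024-03-01T08:30:00", "EventCode": 4720, "host": "WIN10",
     "SubjectUserName": "helpdesk", "TargetUserName": "intern01",
     "TargetSid": "S-1-5-21-111-222-333-1106"},
    {"_time": "2024-03-01T08:31:00", "EventCode": 4732, "host": "WIN10",
     "SubjectUserName": "helpdesk", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555", "MemberName": "-",
     "MemberSid": "S-1-5-21-111-222-333-1106"},
    # An existing account (RID 500) added to Administrators with no 4720
    # before it: not a create-then-elevate pair, needs its own rule.
    {"_time": "2024-03-01T11:00:00", "EventCode": 4732, "host": "DC01",
     "SubjectUserName": "admin", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberName": "-",
     "MemberSid": "S-1-5-21-111-222-333-500"},
]


def _ts(event):
    return datetime.fromisoformat(event["_time"])


def find_created_then_elevated(events, window=timedelta(minutes=30)):
    """Return (new_account, actor, seconds_between) for each account that was
    created (4720) and then added to Administrators (4732) on the same host
    within `window`.

    Correlation is on SID, not name: 4732 usually carries MemberName "-",
    and a bare name is ambiguous if an account was deleted and recreated.
    """
    created = {}  # (host, sid) -> 4720 event
    for e in sorted(events, key=_ts):
        if e["EventCode"] == 4720:
            created[(e["host"], e["TargetSid"])] = e
    hits = []
    for e in sorted(events, key=_ts):
        if e["EventCode"] != 4732 or e["TargetSid"] != ADMINS_SID:
            continue
        c = created.get((e["host"], e["MemberSid"]))
        if c is None:
            continue
        delta = _ts(e) - _ts(c)
        if timedelta(0) <= delta <= window:
            hits.append((c["TargetUserName"], e["SubjectUserName"],
                         int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for name, actor, secs in find_created_then_elevated(EVENTS):
        print(f"{name} created and made local admin by {actor} {secs}s later")
```

Only the svc_backup pair fires: the intern01 account went into a different group, and the RID 500 add has no preceding 4720. The window keeps a 4720 from yesterday from pairing with an unrelated 4732 today.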
Splunk not receiving events:
- Check outputs.conf on the forwarder, verify the Splunk server IP (192.168.10.10) and port 9997
- Make sure receiving is enabled on the Splunk server (Settings, then Forwarding and receiving, then Configure receiving, port 9997); it is not on by default
- Make sure the firewall allows inbound TCP 9997 on the Ubuntu machine
- Run the following from the forwarder's bin directory (C:\Program Files\SplunkUniversalForwarder\bin on the Windows hosts) to confirm it's connected:

```
splunk list forward-server
```

A working forwarder lists the server under "Active forwards"; "Configured but inactive forwards" means the address or port is unreachable or nothing is listening.
Sysmon events missing:
- Confirm Sysmon is running (the service is Sysmon64 for the 64-bit build, Sysmon for the 32-bit one):

```
sc query sysmon64
```

- Check inputs.conf includes the Sysmon channel, Microsoft-Windows-Sysmon/Operational, and not just Security, System and Application
- Restart the forwarder after any config change
Domain join failing:
- Windows 10's DNS server needs to point to the DC's IP (192.168.10.7), not 8.8.8.8; the DC itself should use its own address for DNS
- Make sure the DC has the DNS role installed (promoting the server to a DC installs it by default)
- Before joining, confirm from the Windows 10 box that nslookup resolves the domain name to the DC; if it doesn't, the join will fail with a "domain could not be contacted" error no matter what credentials you use
- Logs lie by omission. Sysmon without a good config gives you almost no useful context. The config matters as much as the tool.
- Volume is an attacker's best camouflage. 1,000 failed logins in 60 seconds is obvious. 10 per minute over 100 minutes is not. You need time-window queries, not just raw counts.
- MITRE ATT&CK is a map, not a script. Atomic Red Team runs the documented technique. Real attackers obfuscate. Your detection needs to account for variations.
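The low-and-slow point above, and the 4625 brute-force query earlier, worked through as an added example that is not part of the original write-up. It runs two detectors over constructed 4625 events: a fixed-bucket count (the equivalent of bin _time followed by stats count per source) and a sliding-window cumulative count. The 1,000-in-60-seconds burst trips both; the 10-per-minute-for-100-minutes attacker only trips the sliding window. Field names (src_ip, user, host) follow Splunk's Windows TA extraction; the events, IPs and thresholds are constructed for the example.

```python
"""Fixed-bucket vs sliding-window failed-logon detection over 4625 events.

Added example, not from the lab write-up. Times are seconds since an
arbitrary epoch; src_ip/user/host mirror Splunk's Windows TA field names.
"""
from collections import defaultdict, deque


def make_events(src_ip, host, start, count, interval_s, user="administrator"):
    """Build `count` constructed 4625 events from one source, `interval_s` apart."""
    return [{"_time": start + i * interval_s, "EventCode": 4625,
             "src_ip": src_ip, "user": user, "host": host}
            for i in range(count)]


# Constructed sample data: one noisy burst (1,000 failures inside 60 s), one
# low-and-slow attacker (10 failures/min for 100 min, 1,000 total), and two
# typos from an admin workstation that must not fire.
EVENTS = (
    make_events("192.168.10.250", "WIN10", start=0, count=1000, interval_s=0.06)
    + make_events("192.168.10.251", "WIN10", start=3600, count=1000, interval_s=6)
    + make_events("192.168.10.20", "WIN10", start=100, count=2, interval_s=30)
)


def bucketed_alerts(events, bucket_s=60, threshold=100):
    """Fixed buckets, like `bin _time span=1m | stats count by src_ip | where count>N`.

    Returns the set of src_ip values that exceeded `threshold` in any single bucket.
    """
    counts = defaultdict(int)
    for e in events:
        if e["EventCode"] == 4625:
            counts[(e["src_ip"], int(e["_time"] // bucket_s))] += 1
    return {ip for (ip, _), n in counts.items() if n > threshold}


def sliding_window_alerts(events, window_s=3600, threshold=100):
    """Cumulative count per source over a sliding window of `window_s` seconds.

    Returns {src_ip: time_of_first_alert} for every source whose failures
    inside any `window_s` span exceeded `threshold`.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["_time"]):
        if e["EventCode"] != 4625:
            continue
        q = recent[e["src_ip"]]
        q.append(e["_time"])
        while q and e["_time"] - q[0] > window_s:
            q.popleft()  # drop attempts older than the window
        if len(q) > threshold and e["src_ip"] not in alerts:
            alerts[e["src_ip"]] = e["_time"]
    return alerts


if __name__ == "__main__":
    print("per-minute buckets flag:", sorted(bucketed_alerts(EVENTS)))
    print("sliding 60-min window flags:", sliding_window_alerts(EVENTS))
```

The bucketed detector sees at most 10 failures in any one-minute bucket from 192.168.10.251 and never fires; the sliding window sees the 101st failure 600 seconds in and fires at t=4200. The same shape in SPL is a per-source count over a longer search range rather than a per-minute bucket, with the threshold chosen so two or three typos stay below it.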
| Skill | Tool |
|---|---|
| SIEM and Log Analysis | Splunk |
| Attack Simulation | Atomic Red Team, Kali Linux |
| Domain Administration | Windows Server 2022, Active Directory |
| Network Configuration | VirtualBox NAT, static IP, netplan |
| Threat Detection | Windows Event IDs, Splunk SPL queries |
| Virtualization | VirtualBox, 4-VM environment |
- Automated Splunk alerts - trigger notable events when thresholds are crossed instead of running manual searches
- SOAR integration - hook Splunk alerts into the SOC Automation pipeline
- More ATT&CK coverage - add Lateral Movement (pass-the-hash, PsExec) and Exfiltration simulations

