Real investigations, CTF write-ups, and incident response walkthroughs.
This is Part 9 of the AD DFIR Lab series. Part 8 gave us a noisy-ad-current snapshot packed with 2 years of realistic narrative. Part 9 pulls that snapshot out as a forensic image, intact and ready...
Read more →This is Part 8 of the AD DFIR Lab series. We turn a sterile clean-ad snapshot into noisy-ad-2years — a dataset that looks like a real company has been using the domain for two years.
Read more →This is an interlude in the AD DFIR Lab series. A short operational post about keeping the lab running for years rather than months.
Read more →This is Part 7 of the AD DFIR Lab series. We get Kali ready for the attacks in Phase 9.
Read more →This is Part 6 of the AD DFIR Lab series. We configure all the auditing before running the attacks — if we don’t do it now, the attacks won’t leave a trace.
Read more →This is Part 5 of the AD DFIR Lab series. We catalog everything GOAD creates inside the domains: users, groups, vulnerabilities, and how they fit together to form realistic attack chains.
Read more →This is Part 4 of the AD DFIR Lab series. We deploy the entire Active Directory structure: two forests, a child domain, and the cross-forest trust.
Read more →This is Part 3 of the AD DFIR Lab series. We configure pfSense to separate the attack network from the corporate network, forcing Kali to pivot like an external attacker.
Read more →This is Part 2 of the AD DFIR Lab series. We create all lab VMs with fully unattended installation.
Read more →This is Part 1 of the AD DFIR Lab series. We start from a freshly provisioned Hetzner dedicated server and end with Proxmox VE installed and ready to create virtual machines.
Read more →Why you need an AD lab for DFIR
Read more →