Detecting Identity Attacks with CrowdStrike ITDR

Details

Goals & objectives

Hardware & software

Solution overview

Identity is the new perimeter — and attackers know it. In this lab, you'll step into a real-world breach simulation where a red team adversary targets Active Directory through Kerberoasting and Pass-the-Hash techniques. Your job is to track the attack using CrowdStrike Falcon ITDR, validate lateral movement with Security Onion's network telemetry, and confirm containment using Falcon SOAR.

This isn't just about detection — it's about proving your ability to defend the core of your enterprise: identity. You'll analyze anomalous Kerberos behavior, spot privilege escalation from endpoint to domain, and watch automation kick in to shut it all down — fast.

If you're serious about defending Active Directory in modern SOC environments, this is where you sharpen that skill.

Lab diagram

Goals and objectives

By completing this lab, you will:

Understand how attackers abuse identity by performing Kerberoasting and Pass-the-Hash attacks in Active Directory.
Simulate real-world credential theft and privilege escalation using Atomic Red Team and Impacket tools.
Detect identity-based threats using CrowdStrike Falcon ITDR, focusing on Kerberos anomalies and suspicious NTLM authentication patterns.
Correlate endpoint activity with network telemetry in Security Onion (Zeek & Suricata).
Validate automated response actions like credential resets and host isolation using Falcon SOAR.
Strengthen your ability to defend identity infrastructure in a modern, high-stakes SOC environment.

Hardware and software

💻 Virtual Machines (Minimum Specs):

Kali Attacker (kali-attacker)
- Role: Red Team Operator
- Specs: 4 vCPU, 16 GB RAM, 60 GB disk

Windows Workstation (mod4-vic01-xxxx & mod4-vic02-xxxx)
- Role: Victim endpoint with Falcon Sensor & Sysmon
- Specs: 4 vCPU, 16 GB RAM, 80 GB disk

Active Directory Server (AD01)
- Role: Windows Server 2022 Domain Controller
- Specs: 4 vCPU, 16 GB RAM, 80 GB disk

Security Onion (securityonion)
- Role: Network Detection (Zeek + Suricata)
- Specs: 4 vCPU, 16 GB RAM, 100 GB disk

🧰 Preinstalled Tools and Components:

Atomic Red Team (Kali attacker)
Impacket suite (Kali attacker)
CrowdStrike Falcon Sensor (Windows victim)
Sysmon with custom config (Windows victim)
Security Onion with Zeek, Suricata, and Kibana dashboards (Network NDR)
Falcon Console with ITDR and SOAR modules enabled (Cloud)