Active Directory Hardening TryHackMe Walkthrough

4 min read · Sep 12


TL;DR TryHackMe is running a promotion for the new Security Engineer pathway! Refer a friend, complete rooms, write one of these walkthroughs, etc. for a chance to win stuff! Also, here’s a walkthrough of the Active Directory Hardening room.

THM Walkthroughs:

  • Attacktive Directory (part of the Pentest+ Pathway)
  • Credential Harvesting (part of the Red Team Pathway)
  • AV Evasion: Shellcode (part of the Red Team Pathway)
  • Anthem (general practice VM)
  • Living off the Land (part of the Red Team Pathway)
  • Zero Logon (part of the Cyber Defense Pathway)
  • Windows Event Logs (part of the Cyber Defense Pathway)
  • Sysmon (part of the Cyber Defense Pathway)
  • Osquery (part of the Cyber Defense Pathway)
  • Active Directory Hardening (part of the Security Engineer Pathway)
  • Introduction to Cryptography (part of the Security Engineer Pathway)
  • Splunk Basics & Splunk 2 (part of the Cyber Defense Pathway)
  • Investigating Windows (part of the Cyber Defense Pathway)
  • VulnNet: Roasted (general practice VM)
  • RazorBlack (general practice VM)
  • Ra (general practice VM)


Run, don’t walk, to the new TryHackMe Security Engineer pathway. Complete rooms, refer a friend, do a writeup, let your company know about TryHackMe training, and you, yes you, could win some great stuff like a free year of TryHackMe or a laptop.

Here at test.local we had the day off so we immediately knocked out the Active Directory Hardening room in the pathway.

The room is very basic and introductory, but it’s a great start. It covers basic security hygiene such as:

  • Requiring SMB & LDAP signing
  • Requiring password length
  • Least privilege
  • Privilege tiers
  • Compliance with baselines
  • Protecting against common attacks such as Kerberoasting

The room left out a few things that should be done in most Windows domain environments:

  • Disabling LLMNR & NetBIOS
  • Configuring LAPS on any workstation OUs
  • Using the Protected Users group
  • Disabling delegation on privileged user accounts
  • Considering smartcards [they can be expensive, but they’re cheaper than a breach]
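
The following is an added example, not code from the room or from this post: a read-only PowerShell audit of the items in both lists above (the ones the room covers and the ones it leaves out). It is meant to be run from an elevated session on a domain controller with the RSAT ActiveDirectory module, reads the relevant policy registry values and AD objects, and reports each check as pass or fail. The 14-character minimum-length threshold is this example’s assumption; adjust it to whatever baseline you follow.

```powershell
# Added example (not from the room or the post): read-only hardening audit.
# Run elevated on a DC with the ActiveDirectory module available.
Import-Module ActiveDirectory

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy never set)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AdHardening {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, $Value, [bool]$Pass) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass })
    }

    # Root domain and default domain password policy (the Task 2 / Task 3 lookups)
    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy
    Add-Finding 'Root domain' $domain.DNSRoot $true
    # 14 is this example's assumed minimum; use your own baseline value
    Add-Finding 'Minimum password length' $policy.MinPasswordLength ($policy.MinPasswordLength -ge 14)

    # SMB signing required on the server side ("Digitally sign communications (always)")
    $smb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    Add-Finding 'SMB server signing required' $smb ($smb -eq 1)
    # LDAP signing on the DC: 2 = "Require signing"
    $ldap = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LDAPServerIntegrity'
    Add-Finding 'LDAP server signing required' $ldap ($ldap -eq 2)

    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    Add-Finding 'LLMNR disabled' $llmnr ($llmnr -eq 0)

    # LAPS: schema extended for legacy LAPS (ms-Mcs-AdmPwd) or Windows LAPS (msLAPS-Password)
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $laps = Get-ADObject -SearchBase $schema -LDAPFilter '(|(lDAPDisplayName=ms-Mcs-AdmPwd)(lDAPDisplayName=msLAPS-Password))'
    Add-Finding 'LAPS schema extended' ($null -ne $laps) ($null -ne $laps)

    # Tier-0 accounts should be in Protected Users and marked "sensitive, cannot be delegated"
    $admins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser $_.distinguishedName -Properties AccountNotDelegated }
    $protected = (Get-ADGroupMember 'Protected Users' -Recursive).distinguishedName
    $notProtected = $admins | Where-Object { $protected -notcontains $_.DistinguishedName }
    Add-Finding 'Domain Admins outside Protected Users' ($notProtected.SamAccountName -join ', ') ($notProtected.Count -eq 0)
    $delegable = $admins | Where-Object { -not $_.AccountNotDelegated }
    Add-Finding 'Domain Admins that allow delegation' ($delegable.SamAccountName -join ', ') ($delegable.Count -eq 0)

    # Kerberoasting exposure: user accounts carrying SPNs. These should be gMSAs or
    # have long random passwords, and their ticket requests should be monitored.
    $spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' -Properties ServicePrincipalName
    Add-Finding 'User accounts with SPNs' ($spnUsers.SamAccountName -join ', ') ($spnUsers.Count -eq 0)

    return $findings
}

Test-AdHardening | Format-Table -AutoSize -Wrap
```

Every check is a read; nothing is changed. A $null value in the output means the policy was never configured, which for the signing and LLMNR checks is the same as failing. The SMB and LLMNR registry values are the local machine’s, so the workstation checks should be repeated on a representative workstation or verified through the GPO that targets the workstation OUs.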

The room did however list other TryHackMe rooms that cover much of the above.

Well, that’s enough theory. Let’s put our hands on the keyboard, connect to the VM, and start finding some answers.

xfreerdp /v: /u:Administrator /p:tryhackmewouldnotguess1@ /dynamic-resolution

— Task 2 —

What is the root domain in the attached AD machine?


Or if you want just the answer



— Task 3 —

What is the default minimum password length (number of characters) in the attached VM?


Or if you want just the answer



— Task 5 —

Find and open BaselineLocalInstall script in PowerShell editor — Can you find the flag?

Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*BaselineLocalInstall*" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "THM{"


Find and open MergePolicyRule script (Policy Analyser) in PowerShell editor — Can you find the flag?

I couldn’t find the "MergePolicyRule.ps1". I think it was supposed to be "Merge-PolicyRule.ps1".

Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*.ps1" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "{*}"



Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*.ps1" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "Flag :"

— Task 6 —

As per the generated report, how many users have the same password as aaron.booth?

Initially I just ran secretsdump from Kali since after all we already have a Domain Admin login.

cd /home/kali/Downloads/impacket-master/examples

python3 secretsdump.py -just-dc-ntlm za/Administrator@

However this is not a good way to get a count of matching NTLM hashes. Therefore I copied Invoke-Mimikatz.ps1 to the VM and ran it there. This can be done via evil-winrm. (Our Mimikatz cheatsheet is here if you are not familiar with it.)

evil-winrm -i -u Administrator -p tryhackmewouldnotguess1@

upload /home/kali/Downloads/exploits/PowerShell/Invoke-Mimikatz.ps1

Or one can just copy/paste it over RDP.

Dump all the hashes to a file.

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:za.tryhackme.loc /all"' | Out-File .\AllCreds.txt

Find aaron.booth’s NTLM.

Get-Content .\AllCreds.txt | Select-String aaron.booth -Context 5

Copy/paste aaron.booth’s hash and get a count of total matches.

(Get-Content .\AllCreds.txt | Select-String "64f12cddaa88057e06a81b54e73b949b").Count

Just subtract 1 since aaron.booth is one of the matches.


By the way, there were 5,046 AD users on the VM, so running quick queries like the above is a good, workable way to get a count quickly and easily.

In case anyone else is curious, aaron.booth’s plaintext password is Password1.


I’m always happy to see TryHackMe roll out a new pathway. This one looks promising and a good way to keep getting hands-on practice and to keep learning.



Dumping all domain hashes with Mimikatz:




I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.