In this module
PT1.5 Joining the Endpoint to the Domain
You've joined machines to a domain before. This sub connects the Windows endpoint from PT1.3 to the domain controller from PT1.4, so the lab has a realistic AD environment for credential access and lateral movement techniques.
Prerequisites
Both VMs must be running:
If either VM is not running, start it now and wait for it to fully boot.
Step 1: Verify network connectivity
On PT-WIN-ENDPOINT, open PowerShell as administrator:
# Can the endpoint reach the DC?
ping 10.0.0.1Reply from 10.0.0.1: bytes=32 time<1ms TTL=128If the ping fails, check both VMs are on the same internal/host-only network and that the IPs are correctly assigned:
# On the endpoint — check internal adapter IP
Get-NetIPAddress -InterfaceAlias "Ethernet 2" | Select-Object IPAddressIPAddress
---------
10.0.0.10If the endpoint can't reach the DC:
- Confirm both VMs have their second adapter attached to the same host-only/internal network in the hypervisor settings
- On the DC, check if Windows Firewall is blocking ICMP:
Get-NetFirewallRule -DisplayName "ICMPv4". If blocked, enable it:Enable-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
Step 2: Point the endpoint's DNS to the domain controller
The endpoint must use the DC as its DNS server. Domain join requires the endpoint to resolve the domain name psyche.yourlab.local — and only the DC's DNS server knows that name.
# On PT-WIN-ENDPOINT — set DNS to the DC's IP
Set-DnsClientServerAddress -InterfaceAlias "Ethernet 2" -ServerAddresses 10.0.0.1Verification — confirm DNS resolves the domain:
Resolve-DnsName psyche.yourlab.localName Type TTL Section IPAddress
---- ---- --- ------- ---------
psyche.yourlab.local A 600 Answer 10.0.0.1If Resolve-DnsName fails with "DNS name does not exist":
- Confirm the DC is running and AD DS promotion completed successfully (on the DC, run
Get-ADDomain) - Confirm the DC's DNS service is running: on the DC, run
Get-Service DNS - Confirm you set the DNS on the correct adapter — the internal one, not the NAT one. Check:
Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2" - If the DNS is set on the NAT adapter instead, the endpoint resolves internet names but not the lab domain
Step 3: Join the domain
# On PT-WIN-ENDPOINT — join the domain
# This will prompt for credentials
Add-Computer -DomainName "psyche.yourlab.local" -Credential (Get-Credential) -RestartA credential dialog appears. Enter:
User name: YOURLAB\Administrator
Password: (the Administrator password you set during Windows Server installation in PT1.4)The VM reboots. This takes 1–2 minutes.
Troubleshooting — domain join fails:
- "The specified domain either does not exist or could not be contacted" — DNS isn't resolving the domain. Go back to Step 2 and confirm
Resolve-DnsName psyche.yourlab.localreturns 10.0.0.1. - "Access denied" — wrong password, or you typed a local account instead of
YOURLAB\Administrator. Make sure the username includes the domain prefix. - "The machine account already exists" — the endpoint was previously joined and removed. On the DC, delete the stale computer account:
Remove-ADComputer -Identity "PT-WIN-ENDPOINT", then retry the join.
Step 4: Log in as a domain user
After reboot, the login screen shows the domain name YOURLAB above the password field. Click Other user (bottom-left) and enter:
User name: YOURLAB\t.ashworth (or just t.ashworth — Windows adds the domain)
Password: Purple2026!You land on the desktop as Tom Ashworth.
Verification:
# Confirm you're logged in as a domain user
whoamiyourlab\t.ashworth# Confirm domain membership
(Get-WmiObject Win32_ComputerSystem).Domainpsyche.yourlab.local# Confirm domain trust — query the DC from the endpoint
nltest /dsgetdc:psyche.yourlab.local DC: \\PT-DC01.psyche.yourlab.local
Address: \\10.0.0.1
Dom Guid: <guid>
Dom Name: psyche.yourlab.local
Forest Name: psyche.yourlab.local
Dc Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
The command completed successfullyStep 5: Verify Sysmon captures domain context
This is the important verification for the course. Sysmon events from a domain user look different from local user events — the User field shows YOURLAB\t.ashworth instead of PT-WIN-ENDPOINT\labadmin. Your detection rules need to see the domain context.
Generate a test event as the domain user:
whoami /allFind it in the Sysmon log:
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 50 |
Where-Object { $_.Id -eq 1 -and $_.Message -match "whoami" } |
Select-Object TimeCreated,
@{N='User';E={($_.Properties[12]).Value}},
@{N='CommandLine';E={($_.Properties[10]).Value}} |
Format-ListTimeCreated : 25/04/2026 15:12:44
User : YOURLAB\t.ashworth
CommandLine : whoami /allThe User field shows YOURLAB\t.ashworth — the domain account, not the local labadmin. This is the user context your detection rules will see when attack techniques run. When procdump.exe dumps LSASS from this context, the Sysmon Event 10 will show SourceUser: YOURLAB\t.ashworth — which is how you distinguish a domain user attack from legitimate local admin activity.
Step 6: Verify the DC logs the endpoint's activity
On PT-DC01, check that the domain join and logon events are being recorded in the Security Event Log:
# On PT-DC01 — find recent logon events from the endpoint
Get-WinEvent -LogName Security -MaxEvents 100 |
Where-Object { $_.Id -eq 4624 } |
Select-Object TimeCreated,
@{N='LogonType';E={($_.Properties[8]).Value}},
@{N='User';E={($_.Properties[5]).Value}},
@{N='SourceHost';E={($_.Properties[11]).Value}} |
Where-Object { $_.User -match "ashworth" -or $_.SourceHost -match "ENDPOINT" } |
Format-TableTimeCreated LogonType User SourceHost
----------- --------- ---- ----------
25/04/2026 15:12:32 3 t.ashworth PT-WIN-ENDPOINT
25/04/2026 15:10:18 3 t.ashworth PT-WIN-ENDPOINTEvent 4624 with LogonType 3 (network logon) — this is the domain authentication from the endpoint to the DC. These events are what your AD-focused detection rules will query in Modules 7–9.
Step 7: Snapshot the endpoint (post-domain-join)
Take a new snapshot of the endpoint in its domain-joined state:
VirtualBox: Machine → Take Snapshot → name: Domain-Joined-Baseline
Hyper-V:
Checkpoint-VM -Name "PT-WIN-ENDPOINT" -SnapshotName "Domain-Joined-Baseline"VMware: right-click → Snapshot → Take Snapshot → name: Domain-Joined-Baseline
Verification checklist
☐ Endpoint can ping DC (10.0.0.1)
☐ DNS on endpoint points to DC (Set-DnsClientServerAddress confirmed)
☐ Resolve-DnsName psyche.yourlab.local returns 10.0.0.1
☐ Endpoint joined to domain (domain shows as psyche.yourlab.local)
☐ Can log in as YOURLAB\t.ashworth on the endpoint
☐ whoami returns yourlab\t.ashworth
☐ nltest finds the DC and reports healthy flags
☐ Sysmon Event 1 shows YOURLAB\t.ashworth as User
☐ DC Security log shows Event 4624 from the endpoint
☐ Endpoint snapshot "Domain-Joined-Baseline" takenYou've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course
Cancel anytime