DomainLooter
DomainLooter is a multi-host intrusion scenario that simulates a realistic Active Directory compromise triggered by a phishing campaign. The intrusion starts with a phishing email posing as a VPN update from the company IT department. The victim unwittingly opens the attachment, which establishes a C2 connection to the attacker’s infrastructure. The attacker then uses privileged access to pose as a domain controller and obtain a copy of the Active Directory database containing the company usernames and password hashes.
The environment is composed of critical infrastructure components typically found in a corporate network, including:
  • Domain Controllers
  • File & Email Server
  • Admin Workstation
  • Web Proxy
  • SIEM (Splunk)
  • User Workstation