The competition
NECCDC puts student blue teams inside a deliberately compromised enterprise network and pays a professional red team to keep attacking it for two days. Services are scored continuously (every minute the point-of-sale system or the identity provider is down costs points), so the problem is never just “harden everything.” It’s harden while the business keeps running, document what you did, and explain it to a non-technical executive on a deadline.
Our scenario: a managed service provider protecting a food-services client across two Active Directory domains, on a hybrid Windows/Linux stack: AD, pfSense, Keycloak, Nginx, Grafana, Gitea, Semaphore, Teleport, Windows point-of-sale, and kiosks.
My role
I was the Domain Controller administrator. First login to full lockdown: OU structure and least-privilege buckets on day one, persistence hunting before any hardening (which caught two scheduled tasks we would otherwise have hardened around), Group Policy for PowerShell logging, and the core Windows services (DNS, DHCP, Kerberos) kept available and authenticating under active attack. Day two opened with re-verifying everything from day one, because the red team works overnight.
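The day-one sequence above (hunt for persistence before hardening, then confirm the PowerShell logging policy actually applied) can be reduced to a short sweep script. The following is an added example written for this writeup, not a runbook from the repo; it assumes a domain-joined Windows Server with PowerShell 5.1 or later and local administrator rights, and the baseline file path is a placeholder.

```powershell
# Added example (not from the competition repo): day-one persistence sweep on a DC.
# Assumes Windows Server, PowerShell 5.1+, local admin. The baseline path is hypothetical.

# 1. Scheduled tasks outside the Microsoft tree. Record them once as a baseline, then diff
#    against it on day two, because anything new overnight is a persistence candidate.
$baselinePath = 'C:\IR\scheduled-tasks-baseline.csv'   # hypothetical path

$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        # Flatten every action into "executable arguments" so the CSV diff catches changed payloads too.
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            State    = [string]$_.State
            RunAs    = $_.Principal.UserId
            Action   = $action
        }
    }

if (Test-Path $baselinePath) {
    $baseline = Import-Csv $baselinePath
    # '=>' marks tasks present now that were not in the baseline.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $tasks -Property TaskName, TaskPath, Action |
        Where-Object SideIndicator -eq '=>' |
        Format-Table -AutoSize
} else {
    $tasks | Export-Csv -NoTypeInformation -Path $baselinePath
    $tasks | Format-Table -AutoSize
}

# 2. Task-creation audit events from the last 24 hours (Security log, event ID 4698:
#    "A scheduled task was created"). Requires Object Access / Other Object Access auditing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n" | Select-Object -First 8) -join ' ' } } |
    Format-List

# 3. Verify the PowerShell logging GPO landed on this host. Script block logging writes
#    event ID 4104 to Microsoft-Windows-PowerShell/Operational once this key is set.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -eq 1) {
    'Script block logging: applied'
} else {
    'Script block logging: NOT applied - run gpupdate /force and check the GPO link and security filtering'
}
```

Run it once at first login to write the baseline, and again at the start of day two; the only output that matters then is the `=>` rows and a missing logging key, which is what the re-verification step in the text is looking for.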
What’s in the repo
The notes were written to be useful under pressure: commands first, explanation second. Not a tutorial, a reference.
- Active Directory hardening from first login through full lockdown
- Persistence-hunting methodology
- Domain trust setup, and what to harden the moment it goes live
- POS and kiosk network isolation
- Keycloak access and hardening notes
- Incident response templates and event-ID references
- The printable PDF runbooks we actually used on competition day
What it taught me
The full postmortem is in the repo and adapted here as a writeup. The short version: identity infrastructure first, because anything that authenticates other things is the priority target. Hunt for persistence before you harden, not after. Document in real time, because the scoring rewards evidence, not memory. And most of the points live in the two places that get the least practice: documentation quality and explaining business impact to people who don’t read event logs.
The repo is competition notes, not a polished knowledge base. There are rough edges and decisions made under time pressure. They’re left in as written, because that’s what working under fire actually produces.