Automatically Deploy Customized Active Directory Labs In Azure

This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon, using Terraform and Ansible.

It exposes a high-level configuration file for your domain that lets you customize users, groups and workstations.

dns_name: hunter.lab
dc_name: DC-1

initial_domain_admin:
  username: hunter
  password: MyAdDomain!

organizational_units:

users:
  - username: christophe
  - username: dany

groups:
  - dn: CN=Hunters,CN=Users
    members: [christophe]

default_local_admin:
  username: localadmin
  password: Localadmin!

workstations:
  - name: XTOF-WKS
    local_admins: [christophe]
  - name: DANY-WKS
    local_admins: [dany]

enable_windows_firewall: yes
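The configuration above relies on cross-references that the file format itself does not enforce: group members and workstation local admins must be declared under users, and workstation names must be valid NetBIOS computer names. The script below is an added example (not part of the Adaz project) that checks those references before `terraform apply`, so a typo is caught in seconds rather than after a 15-20 minute provisioning run. It assumes PyYAML is available (for instance in ansible/venv) only when reading a file; the sample dictionary embedded in it is the parsed form of the domain.yml shown above, constructed here for illustration.

```python
"""Sanity-check an Adaz-style domain.yml before provisioning (added example)."""
from typing import Any, Dict, List

# Windows computer names are NetBIOS names: at most 15 characters.
NETBIOS_MAX_LEN = 15


def load_domain_config(path: str) -> Dict[str, Any]:
    """Parse domain.yml with PyYAML (assumed installed, e.g. in ansible/venv)."""
    import yaml  # imported lazily so the validator itself has no dependency

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def _usernames(config: Dict[str, Any]) -> List[str]:
    return [u.get("username", "") for u in config.get("users") or []]


def validate_domain_config(config: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    problems: List[str] = []

    dns_name = config.get("dns_name") or ""
    if "." not in dns_name:
        problems.append(f"dns_name {dns_name!r} should be a DNS name such as hunter.lab")

    # Both built-in accounts need credentials, otherwise provisioning cannot log in.
    for key in ("initial_domain_admin", "default_local_admin"):
        account = config.get(key) or {}
        if not account.get("username") or not account.get("password"):
            problems.append(f"{key} needs both a username and a password")

    usernames = _usernames(config)
    if "" in usernames:
        problems.append("every entry under users needs a username")
    for dup in sorted({u for u in usernames if usernames.count(u) > 1}):
        problems.append(f"user {dup!r} is declared more than once")
    known = set(usernames)

    # Group members must be users declared in this file.
    for group in config.get("groups") or []:
        dn = group.get("dn") or ""
        if not dn.upper().startswith("CN="):
            problems.append(f"group dn {dn!r} should start with CN=")
        for member in group.get("members") or []:
            if member not in known:
                problems.append(f"group {dn!r} lists unknown member {member!r}")

    # Workstation names must be unique NetBIOS names; local admins must be known users.
    names: List[str] = []
    for ws in config.get("workstations") or []:
        name = ws.get("name") or ""
        names.append(name)
        if not name or len(name) > NETBIOS_MAX_LEN:
            problems.append(f"workstation name {name!r} must be 1-{NETBIOS_MAX_LEN} characters")
        for admin in ws.get("local_admins") or []:
            if admin not in known:
                problems.append(f"workstation {name!r} lists unknown local admin {admin!r}")
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"workstation {dup!r} is declared more than once")

    return problems


# Constructed sample: the parsed form of the domain.yml shown above.
SAMPLE_CONFIG: Dict[str, Any] = {
    "dns_name": "hunter.lab",
    "dc_name": "DC-1",
    "initial_domain_admin": {"username": "hunter", "password": "MyAdDomain!"},
    "organizational_units": None,
    "users": [{"username": "christophe"}, {"username": "dany"}],
    "groups": [{"dn": "CN=Hunters,CN=Users", "members": ["christophe"]}],
    "default_local_admin": {"username": "localadmin", "password": "Localadmin!"},
    "workstations": [
        {"name": "XTOF-WKS", "local_admins": ["christophe"]},
        {"name": "DANY-WKS", "local_admins": ["dany"]},
    ],
    "enable_windows_firewall": True,
}

if __name__ == "__main__":
    import sys

    # Usage: python check_domain.py [path/to/domain.yml]; defaults to the sample.
    cfg = load_domain_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    found = validate_domain_config(cfg)
    for problem in found:
        print("ERROR:", problem)
    sys.exit(1 if found else 0)
```

Run it against your edited domain.yml before `terraform apply`; a non-zero exit code means at least one reference would not resolve during provisioning.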

Features

  • Windows Event Forwarding pre-configured
  • Audit policies pre-configured
  • Sysmon installed
  • Logs centralized in an Elasticsearch instance which can easily be queried from the Kibana UI
  • Domain easily configurable via YAML configuration file

Use-cases

  • Detection engineering: Having access to a clean lab with a standard configuration is a good way to understand what traces common attacks and lateral movement techniques leave behind.
  • Learning Active Directory: I often need to test GPOs or various AD features (AppLocker, LAPS…). Having a disposable lab is a must for this.

Getting started

Prerequisites

  • An Azure subscription. You can create one for free and you also get $200 of credits for the first 30 days. Note that such a subscription has a limit of four vCPUs per region, which nonetheless allows you to run 1 domain controller and two workstations (with the default lab configuration).
  • An SSH key in ~/.ssh/id_rsa.pub
  • Terraform >= 0.12
  • Azure CLI
  • You should be logged in to your Azure account by running az login. You can use az account list to confirm you have access to your Azure subscription.

Installation

  • Clone the repository:
    git clone https://github.com/christophetd/Adaz.git
  • Create a virtual env and install Ansible dependencies:
    # Note: the virtual env must be in ansible/venv
    python3 -m venv ansible/venv
    source ansible/venv/bin/activate
    pip install -r ansible/requirements.txt
    deactivate
  • Initialize Terraform:
    cd terraform
    terraform init

Usage

Optionally edit domain.yml based on your needs (reference here), then run:

terraform apply

Resource creation and provisioning takes 15-20 minutes. Once finished, you should see an output similar to:

dc_public_ip = 13.89.191.140
kibana_url = http://52.176.3.250:5601
what_next =
####################
###  WHAT NEXT?  ###
####################

Check out your logs in Kibana:
http://52.176.3.250:5601

RDP to your domain controller:
xfreerdp /v:13.89.191.140 /u:hunter.lab\hunter '/p:Hunt3r123.' +clipboard /cert-ignore

RDP to a workstation:
xfreerdp /v:52.176.5.229 /u:localadmin '/p:Localadmin!' +clipboard /cert-ignore

workstations_public_ips =
"DANY-WKS" = "52.165.182.15"
"XTOF-WKS" = "52.176.5.229"

Don't worry if during provisioning you see a few messages such as FAILED - RETRYING: List Kibana index templates (xx retries left).

By default, resources are deployed in the West Europe region under a resource group named ad-hunting-lab. You can control the region with a Terraform variable:

terraform apply -var 'region=East US 2'
