• Stars
    star
    368
  • Rank 115,958 (Top 3 %)
  • Language HCL
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🔧 Deploy customizable Active Directory labs in Azure - automatically.

Adaz: Active Directory Hunting Lab in Azure

Maintained

This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.

It exposes a high-level configuration file for your domain to allow you to customize users, groups and workstations.

dns_name: hunter.lab
dc_name: DC-1

initial_domain_admin:
 username: hunter
 password: MyAdDomain!

organizational_units: {}

users:
- username: christophe
- username: dany

groups:
- dn: CN=Hunters,CN=Users
 members: [christophe]

default_local_admin:
 username: localadmin
 password: Localadmin!

workstations:
- name: XTOF-WKS
 local_admins: [christophe]
- name: DANY-WKS
 local_admins: [dany]

enable_windows_firewall: yes

Features

  • Windows Event Forwarding pre-configured
  • Audit policies pre-configured
  • Sysmon installed
  • Logs centralized in an Elasticsearch instance which can easily be queried from the Kibana UI
  • Domain easily configurable via YAML configuration file

Here's an incomplete and biaised comparison with DetectionLab:

Adaz DetectionLab
Public cloud support Azure AWS, Azure (beta)
Expected time to spin up a lab 15-20 minutes 25 minutes
Log management & querying Elasticsearch+Kibana Splunk Enterprise
WEF ✔️ ✔️
Audit policies ✔️ ✔️
Sysmon ✔️ ✔️
YAML domain configuration file ✔️ 🚫
Multiple Windows 10 workstations support ✔️ 🚫
VirtualBox/VMWare support 🚫 ✔️
osquery / fleet 🚫(vote!) ✔️
Powershell transcript logging 🚫 (vote!) ✔️
IDS logs 🚫 (vote!) ✔️

Use-cases

  • Detection engineering: Having access to clean lab with a standard is a great way to understand what traces common attacks and lateral movement techniques leave behind.

  • Learning Active Directory: I often have the need to test GPOs or various AD features (AppLocker, LAPS...). Having a disposable lab is a must for this.

Screenshots

Getting started

Prerequisites

  • An Azure subscription. You can create one for free and you get $200 of credits for the first 30 days. Note that this type of subscription has a limit of 4 vCPUs per region, which still allows you to run 1 domain controller and 2 workstations (with the default lab configuration).

  • A SSH key in ~/.ssh/id_rsa.pub. Your private key must either be added to ssh-agent (typically, by running ssh-add ~/.ssh/id_rsa once and adding eval "$(ssh-agent -s)" in your .bashrc) or not encrypted with a passphrase.

  • Terraform >= 0.12

  • Azure CLI

  • You must be logged in to your Azure account by running az login. Yu can use az account list to confirm you have access to your Azure subscription

Installation

  • Clone this repository
git clone https://github.com/christophetd/Adaz.git
  • Create a virtual env and install Ansible dependencies
# Note: the virtual env needs to be in ansible/venv
python3 -m venv ansible/venv 
source ansible/venv/bin/activate
pip install -r ansible/requirements.txt
deactivate
  • Initialize Terraform
cd terraform
terraform init

Usage

Optionally edit domain.yml according to your needs (reference here), then run:

terraform apply

Resource creation and provisioning takes 15-20 minutes. Once finished, you will have an output similar to:

dc_public_ip = 13.89.191.140
kibana_url = http://52.176.3.250:5601
what_next =
####################
###  WHAT NEXT?  ###
####################

Check out your logs in Kibana:
http://52.176.3.250:5601

RDP to your domain controller:
xfreerdp /v:13.89.191.140 /u:hunter.lab\\hunter '/p:Hunt3r123.' +clipboard /cert-ignore

RDP to a workstation:
xfreerdp /v:52.176.5.229 /u:localadmin '/p:Localadmin!' +clipboard /cert-ignore


workstations_public_ips = {
  "DANY-WKS" = "52.165.182.15"
  "XTOF-WKS" = "52.176.5.229"
}

Don't worry if during the provisioning you see a few messages looking like FAILED - RETRYING: List Kibana index templates (xx retries left)

By default, resources are deployed in the West Europe region under a resource group ad-hunting-lab. You can control the region with a Terraform variable:

terraform apply -var 'region=East US 2'

Documentation

Community

Talks / posts referencing Adaz:

Roadmap

I will heavily rely on the number of thumbs up votes you will leave on feature-proposal issues for the next features!

Suggestions and bugs

Feel free to open an issue or to tweet @christophetd.

More Repositories

1

CloudFlair

🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
Python
1,880
star
2

log4shell-vulnerable-app

Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).
Java
1,055
star
3

censys-subdomain-finder

⚡ Perform subdomain enumeration using the certificate transparency logs from Censys.
Python
579
star
4

spoofing-office-macro

🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.
VBA
364
star
5

duplicacy-autobackup

💾 Painless automated backups to multiple storage providers with Docker and duplicacy.
Shell
246
star
6

mindmaps

🔍 Mindmaps for threat hunting - work in progress.
148
star
7

IPv6teal

👋 Stealthy data exfiltration via IPv6 covert channel
Python
91
star
8

firepwned

🙏 Checks Firefox saved passwords against known data leaks using the Have I Been Pwned API.
Python
81
star
9

nextcloud-docker-compose

☁️ Spin up a Nextcloud instance with automatied backups and SSL certificate issuance.
75
star
10

docker-python-sandbox

A Docker-powered NodeJS sandbox to execute untrusted python code.
JavaScript
62
star
11

nmap-nse-info

Browse and search through nmap's NSE scripts.
Lua
58
star
12

code-execution-api-demo

JavaScript
17
star
13

aws-sso-device-code-authentication

Python
16
star
14

fun-with-vpc-endpoints

HCL
14
star
15

geolocate-ips

Batch IP geolocation script.
Python
12
star
16

abusing-cloudflare-workers

Abusing Cloudflare Workers to establish persistence and exfiltrate sensitive data at the edge.
JavaScript
10
star
17

telegram-downbot

A Telegram bot to monitor websites
CoffeeScript
6
star
18

polybot

CoffeeScript
5
star
19

unix-commands

Some useful UNIX commands
4
star
20

falias

Shell
2
star
21

powercoders-docker

Repository for Powercoders Docker presentation and workshop
Python
2
star
22

filezilla-passwords-revealer

JavaScript
1
star
23

hackathon

JavaScript
1
star
24

flame-maker

Java
1
star
25

fos2015.github.io

Website for the Foundations of Software course at EPFL in the Fall 2015 semester
CSS
1
star
26

Rails-app

Ruby
1
star