Adaz: Active Directory Hunting Lab in Azure

Adaz: Active Directory Hunting Lab in Azure

This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.

It exposes a high-level configuration file for your domain to allow you to customize users, groups, and workstations.

dns_name: hunter.lab

dc_name: DC-1



initial_domain_admin:

 username: hunter

 password: MyAdDomain!



organizational_units: {}



users:

- username: christophe

- username: dany



groups:

- dn: CN=Hunters,CN=Users

 members: [christophe]



default_local_admin:

 username: localadmin

 password: Localadmin!



workstations:

- name: XTOF-WKS

 local_admins: [christophe]

- name: DANY-WKS

 local_admins: [dany]



enable_windows_firewall: yes

Features

• Windows Event Forwarding pre-configured
• Audit policies pre-configured
• Sysmon installed
• Logs centralized in an Elasticsearch instance which can easily be queried from the Kibana UI
• Domain easily configurable via YAML configuration file

Here’s an incomplete and biased comparison with DetectionLab:

Use-cases

• Detection engineering: Having access to clean lab with a standard is a great way to understand what traces common attacks and lateral movement techniques leave behind.
• Learning Active Directory: I often have the need to test GPOs or various AD features (AppLocker, LAPS…). Having a disposable lab is a must for this.

Install & Use