Adaz: Active Directory Hunting Lab in Azure

by do son · October 10, 2020

Adaz: Active Directory Hunting Lab in Azure

This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.

It exposes a high-level configuration file for your domain to allow you to customize users, groups, and workstations.

dns_name: hunter.lab

dc_name: DC-1



initial_domain_admin:

 username: hunter

 password: MyAdDomain!



organizational_units: {}



users:

- username: christophe

- username: dany



groups:

- dn: CN=Hunters,CN=Users

 members: [christophe]



default_local_admin:

 username: localadmin

 password: Localadmin!



workstations:

- name: XTOF-WKS

 local_admins: [christophe]

- name: DANY-WKS

 local_admins: [dany]



enable_windows_firewall: yes

Features

Windows Event Forwarding pre-configured
Audit policies pre-configured
Sysmon installed
Logs centralized in an Elasticsearch instance which can easily be queried from the Kibana UI
Domain easily configurable via YAML configuration file

Here’s an incomplete and biased comparison with DetectionLab:

	Adaz	DetectionLab
Public cloud support	Azure	AWS
Expected time to spin up a lab	15-20 minutes	25 minutes
Log management & querying	Elasticsearch+Kibana	Splunk Enterprise
WEF	✔️	✔️
Audit policies	✔️	✔️
Sysmon	✔️	✔️
YAML domain configuration file	✔️	🚫
Multiple Windows 10 workstations support	✔️	🚫
VirtualBox/VMWare support	🚫	✔️
osquery / fleet	🚫(vote!)	✔️
Powershell transcript logging	🚫 (vote!)	✔️
IDS logs	🚫 (vote!)	✔️

Use-cases

Detection engineering: Having access to clean lab with a standard is a great way to understand what traces common attacks and lateral movement techniques leave behind.
Learning Active Directory: I often have the need to test GPOs or various AD features (AppLocker, LAPS…). Having a disposable lab is a must for this.