Adaz: Active Directory Hunting Lab in Azure

This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.

<p align="center"> <img src="./screenshots/architecture.png" width="80%" /> </p>

It exposes a high-level configuration file for your domain to allow you to customize users, groups and workstations.

dns_name: hunter.lab
dc_name: DC-1

initial_domain_admin:
 username: hunter
 password: MyAdDomain!

organizational_units: {}

users:
- username: christophe
- username: dany

groups:
- dn: CN=Hunters,CN=Users
 members: [christophe]

default_local_admin:
 username: localadmin
 password: Localadmin!

workstations:
- name: XTOF-WKS
 local_admins: [christophe]
- name: DANY-WKS
 local_admins: [dany]

enable_windows_firewall: yes
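As an added example (not part of Adaz), here is a small Python check to run over a domain.yml like the one above before terraform apply: it verifies that every group member and workstation local admin is a declared user, that workstation names fit the 15-character NetBIOS computer-name limit, and flags the sample passwords shown above so a lab is not deployed with them. The sample config is embedded as a constructed dict mirroring the file; reading a real file assumes PyYAML.

```python
from typing import Any

# Passwords from the README sample config; a deployed lab should not keep them.
README_SAMPLE_PASSWORDS = {"MyAdDomain!", "Localadmin!"}

# Constructed dict mirroring the README's domain.yml (what yaml.safe_load returns).
README_SAMPLE = {
    "dns_name": "hunter.lab", "dc_name": "DC-1",
    "initial_domain_admin": {"username": "hunter", "password": "MyAdDomain!"},
    "users": [{"username": "christophe"}, {"username": "dany"}],
    "groups": [{"dn": "CN=Hunters,CN=Users", "members": ["christophe"]}],
    "default_local_admin": {"username": "localadmin", "password": "Localadmin!"},
    "workstations": [{"name": "XTOF-WKS", "local_admins": ["christophe"]},
                     {"name": "DANY-WKS", "local_admins": ["dany"]}],
}

def validate_domain(cfg: dict[str, Any]) -> list[str]:
    """Return the problems found in a parsed domain.yml; empty list means it looks sane."""
    problems: list[str] = []
    users = {u.get("username") for u in cfg.get("users", [])}
    if "." not in str(cfg.get("dns_name", "")):
        problems.append("dns_name should be a FQDN such as hunter.lab")
    for section in ("initial_domain_admin", "default_local_admin"):
        acct = cfg.get(section) or {}
        if not acct.get("username") or not acct.get("password"):
            problems.append(f"{section} needs both username and password")
        elif acct["password"] in README_SAMPLE_PASSWORDS:
            problems.append(f"{section} still uses the README sample password")
    for grp in cfg.get("groups", []):
        dn = grp.get("dn", "")
        if not dn.startswith("CN="):
            problems.append(f"group dn {dn!r} should start with CN=")
        for member in grp.get("members", []):
            if member not in users:
                problems.append(f"group {dn!r} references unknown user {member!r}")
    for wks in cfg.get("workstations", []):
        name = wks.get("name", "")
        if not 1 <= len(name) <= 15 or " " in name:  # NetBIOS computer-name limit
            problems.append(f"workstation name {name!r} must be 1-15 characters, no spaces")
        for admin in wks.get("local_admins", []):
            if admin not in users:
                problems.append(f"workstation {name!r} grants local admin to unknown user {admin!r}")
    return problems

if __name__ == "__main__":  # run from the terraform/ directory, next to domain.yml
    import yaml  # PyYAML, assumed installed (pip install pyyaml)
    with open("domain.yml") as fh:
        issues = validate_domain(yaml.safe_load(fh) or {})
    print("\n".join(issues) or "domain.yml looks sane")
    raise SystemExit(1 if issues else 0)
```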

Features

Here's an incomplete and biased comparison with DetectionLab:

| | Adaz | DetectionLab |
|---|---|---|
| Public cloud support | Azure | AWS, Azure (beta) |
| Expected time to spin up a lab | 15-20 minutes | 25 minutes |
| Log management & querying | Elasticsearch + Kibana | Splunk Enterprise |
| WEF | :heavy_check_mark: | :heavy_check_mark: |
| Audit policies | :heavy_check_mark: | :heavy_check_mark: |
| Sysmon | :heavy_check_mark: | :heavy_check_mark: |
| YAML domain configuration file | :heavy_check_mark: | :no_entry_sign: |
| Multiple Windows 10 workstations support | :heavy_check_mark: | :no_entry_sign: |
| VirtualBox/VMware support | :no_entry_sign: | :heavy_check_mark: |
| osquery / fleet | :no_entry_sign: (vote!) | :heavy_check_mark: |
| PowerShell transcript logging | :no_entry_sign: (vote!) | :heavy_check_mark: |
| IDS logs | :no_entry_sign: (vote!) | :heavy_check_mark: |

Use-cases

Screenshots

Getting started

Prerequisites

Installation

git clone https://github.com/christophetd/Adaz.git
# Note: the virtual env needs to be in ansible/venv
python3 -m venv ansible/venv 
source ansible/venv/bin/activate
pip install -r ansible/requirements.txt
deactivate
cd terraform
terraform init

Usage

Optionally edit domain.yml according to your needs (reference here), then run:

terraform apply

Resource creation and provisioning takes 15-20 minutes. Once finished, you will have an output similar to:

dc_public_ip = 13.89.191.140
kibana_url = http://52.176.3.250:5601
what_next =
####################
###  WHAT NEXT?  ###
####################

Check out your logs in Kibana:
http://52.176.3.250:5601

RDP to your domain controller:
xfreerdp /v:13.89.191.140 /u:hunter.lab\\hunter '/p:Hunt3r123.' +clipboard /cert-ignore

RDP to a workstation:
xfreerdp /v:52.176.5.229 /u:localadmin '/p:Localadmin!' +clipboard /cert-ignore


workstations_public_ips = {
  "DANY-WKS" = "52.165.182.15"
  "XTOF-WKS" = "52.176.5.229"
}

Don't worry if, during provisioning, you see a few messages such as FAILED - RETRYING: List Kibana index templates (xx retries left): the task is retried and these messages are expected.

By default, resources are deployed in the West Europe region under a resource group named ad-hunting-lab. You can control the region with a Terraform variable:

terraform apply -var 'region=East US 2'

Documentation

Community

Talks / posts referencing Adaz:

Roadmap

I will heavily rely on the number of thumbs-up votes you leave on feature-proposal issues to decide on the next features!

Suggestions and bugs

Feel free to open an issue or to tweet @christophetd.