added initial setup for domain controller

author: heqnx <root@heqnx.com> 2025-07-11 21:55:20 +0300
committer: heqnx <root@heqnx.com> 2025-07-11 21:55:20 +0300
commit: 6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7 (patch)
tree: d975569e35991a02c73706ce81c0fc1f2e92405c
parent: 742fa0d51cd384ea3d856438861bb86738fdabb8 (diff)
download: ansible-active-directory-range-6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7.tar.gz
ansible-active-directory-range-6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7.zip
52 files changed, 2922 insertions, 0 deletions
diff --git a/ansible/.env.proxmox.example b/ansible/.env.proxmox.example
new file mode 100644
index 0000000..70c9580
--- /dev/null
+++ b/ansible/.env.proxmox.example
@@ -0,0 +1,46 @@
+# proxmox connection details, ssh must be enabled
+export proxmox_hostname="proxmox01.local"
+export proxmox_username="root@pam"
+export proxmox_api_token_id="ansible"
+export proxmox_api_token_secret=""
+export proxmox_node="proxmox01"
+
+# default local credentials for linux and windows
+export linux_username="root"
+export linux_password="root"
+export windows_username="packer"
+export windows_password="packer"
+export windows_svc_password="Svc1234!"
+
+# proxmox vm and template details
+export windows_server_template_id="200"
+export windows_server_template_name="winserver2019-tmpl"
+#export linux_server_template_id="201"
+#export linux_server_template_name="base-img-ubuntu-24.04-server"
+#export kali_template_id="202"
+#export kali_template_name="base-img-kali-top10-xfce"
+
+# domain details
+export main_domain_name="contoso.com"
+
+export main_dc01_vmid="5000"
+export main_dc01_hostname="dc01"
+export main_dc01_ip_address="192.168.1.50"
+
+export network_gateway="192.168.1.1"
+
+#export mssql01_hostname="mssql01"
+#export mssql02_hostname="mssql02"
+#export web01_hostname="web01"
+#export adcs01_hostname="adcs01"
+#export workstation01_hostname="workstation01"
+#export linux_srv01_hostname="srv01"
+#export kali_attackbox_hostname="kali-attackbox"
+#
+#export mssql01_ip_address="192.168.1.111"
+#export mssql02_ip_address="192.168.1.112"
+#export web01_ip_address="192.168.1.113"
+#export adcs01_ip_address="192.168.1.114"
+#export workstation01_ip_address="192.168.1.115"
+#export linux_srv01_ip_address="192.168.1.116"
+#export kali_attackbox_ip_address="192.168.1.120"
diff --git a/ansible/files/SQL2019-SSEI-Expr.exe b/ansible/files/SQL2019-SSEI-Expr.exe
new file mode 100644
index 0000000..e8cf49d
--- /dev/null
+++ b/ansible/files/SQL2019-SSEI-Expr.exe
diff --git a/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1 b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1
new file mode 100644
index 0000000..daf338f
--- /dev/null
+++ b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1
diff --git a/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1 b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1
new file mode 100644
index 0000000..39da019
--- /dev/null
+++ b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1
@@ -0,0 +1,466 @@
+#requires -Version 5.0 -Modules ActiveDirectory
+
+Function Get-RandomHex {
+param ([int]$Length)
+    $Hex = '0123456789ABCDEF'
+    [string]$Return = $null
+    For ($i=1;$i -le $length;$i++) {
+        $Return += $Hex.Substring((Get-Random -Minimum 0 -Maximum 16),1)
+    }
+    Return $Return
+}
+
+Function IsUniqueOID {
+param ($cn,$TemplateOID,$Server,$ConfigNC)
+    $Search = Get-ADObject -Server $Server `
+        -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" `
+        -Filter {cn -eq $cn -and msPKI-Cert-Template-OID -eq $TemplateOID}
+    If ($Search) {$False} Else {$True}
+}
+
+Function New-TemplateOID {
+Param($Server,$ConfigNC)
+    <#
+    OID CN/Name                                                         [10000000-99999999].[32 hex characters (MD5hash)]
+    OID msPKI-Cert-Template-OID    [Forest base OID].[1000000-99999999].[10000000-99999999]  <--- second number same as first number in OID name
+    #>
+    do {
+        $OID_Part_1 = Get-Random -Minimum 10000000 -Maximum 99999999
+        $OID_Part_2 = Get-Random -Minimum 10000000 -Maximum 99999999
+        $OID_Part_3 = Get-RandomHex -Length 32
+        $OID_Forest = Get-ADObject -Server $Server `
+            -Identity "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" `
+            -Properties msPKI-Cert-Template-OID |
+            Select-Object -ExpandProperty msPKI-Cert-Template-OID
+        $msPKICertTemplateOID = "$OID_Forest.$OID_Part_1.$OID_Part_2"
+        $Name = "$OID_Part_2.$OID_Part_3"
+    } until (IsUniqueOID -cn $Name -TemplateOID $msPKICertTemplateOID -Server $Server -ConfigNC $ConfigNC)
+    Return @{
+        TemplateOID  = $msPKICertTemplateOID
+        TemplateName = $Name
+    }
+}
+
+
+<#
+.SYNOPSIS
+Returns the properties of either a single or all Active Directory Certificate Template(s).
+.DESCRIPTION
+Returns the properties of either a single or list of Active Directory Certificate Template(s)
+depending on whether a DisplayName parameter was passed.
+.PARAMETER DisplayName
+Name of an AD CS template to retrieve.
+.PARAMETER Server
+FQDN of Active Directory Domain Controller to target for the operation.
+When not specified it will search for the nearest Domain Controller.
+.EXAMPLE
+PS C:\> Get-ADCSTemplate
+.EXAMPLE
+PS C:\> Get-ADCSTemplate -DisplayName PowerShellCMS
+.EXAMPLE
+PS C:\> Get-ADCSTemplate | Sort-Object Name | ft Name, Created, Modified
+.EXAMPLE
+PS C:\> ###View template permissions
+(Get-ADCSTemplate pscms).nTSecurityDescriptor
+(Get-ADCSTemplate pscms).nTSecurityDescriptor.Sddl
+(Get-ADCSTemplate pscms).nTSecurityDescriptor.Access
+ConvertFrom-SddlString -Sddl (Get-ADCSTemplate pscms).nTSecurityDescriptor.sddl -Type ActiveDirectoryRights
+.NOTES
+Requires Enterprise Administrator permissions, since this touches the AD Configuration partition.
+#>
+Function Get-ADCSTemplate {
+param(
+    [parameter(Position=0)]
+    [string]
+    $DisplayName,
+
+    [string]
+    $Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0]
+)
+    If ($PSBoundParameters.ContainsKey('DisplayName')) {
+        $LDAPFilter = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
+    } Else {
+        $LDAPFilter = '(objectClass=pKICertificateTemplate)'
+    }
+
+    $ConfigNC     = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
+    $TemplatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
+    Get-ADObject -SearchScope Subtree -SearchBase $TemplatePath -LDAPFilter $LDAPFilter -Properties * -Server $Server
+}
+
+
+<#
+.SYNOPSIS
+Adds an ACL to an Active Directory Certificate template.
+.DESCRIPTION
+Adds an ACL to an Active Directory Certificate template.
+Default permission is read (without the Enroll or AutoEnroll switches).
+.PARAMETER DisplayName
+Name of an AD CS template to receive the ACL.
+.PARAMETER Server
+FQDN of Active Directory Domain Controller to target for the operation.
+When not specified it will search for the nearest Domain Controller.
+.PARAMETER Type
+ACL type: Allow or Deny
+.PARAMETER Identity
+String or string array of Active Directory identities (users or groups)
+.PARAMETER Enroll
+Set the Enroll permission
+.PARAMETER AutoEnroll
+Set the AutoEnroll permission
+.EXAMPLE
+PS C:\> Set-ADCSTemplateACL -DisplayName PowerShellCMS -Type Allow -Identity 'CONTOSO\Servers Group' -Enroll
+.EXAMPLE
+PS C:\> Set-ADCSTemplateACL -DisplayName PowerShellCMS -Type Allow -Identity 'CONTOSO\Servers Group','CONTOSO\Workstations Group' -Enroll -AutoEnroll
+.EXAMPLE
+PS C:\> Set-ADCSTemplateACL -DisplayName PowerShellCMS -Type Deny -Identity 'CONTOSO\Servers Group'
+.NOTES
+Requires Enterprise Administrator permissions, since this touches the AD Configuration partition.
+#>
+Function Set-ADCSTemplateACL {
+param(
+    [parameter(Mandatory)]
+    [string]$DisplayName,
+    [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0],
+    [ValidateSet('Allow','Deny')]
+    [string]$Type = 'Allow',
+    [string[]]$Identity,
+    [switch]$Enroll,
+    [switch]$AutoEnroll
+)
+    ## Potential issue here that the AD: drive may not be targetting the selected DC in the -SERVER parameter
+    $TemplatePath        = "AD:\" + (Get-ADCSTemplate -DisplayName $DisplayName -Server $Server).DistinguishedName
+    $acl                 = Get-ACL $TemplatePath
+    $InheritedObjectType = [GUID]'00000000-0000-0000-0000-000000000000'
+    ForEach ($Group in $Identity) {
+        $account = New-Object System.Security.Principal.NTAccount($Group)
+        $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
+
+        If ($Type -ne 'Deny') {
+            # Read, but only if Allow
+            $ObjectType = [GUID]'00000000-0000-0000-0000-000000000000'
+            $ace        = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+                $sid, 'GenericRead', $Type, $ObjectType, 'None', $InheritedObjectType
+            $acl.AddAccessRule($ace)
+        }
+
+        If ($Enroll) {
+            $ObjectType = [GUID]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
+            $ace        = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+                $sid, 'ExtendedRight', $Type, $ObjectType, 'None', $InheritedObjectType
+            $acl.AddAccessRule($ace)
+        }
+
+        If ($AutoEnroll) {
+            $ObjectType = [GUID]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
+            $ace        = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+                $sid, 'ExtendedRight', $Type, $ObjectType, 'None', $InheritedObjectType
+            $acl.AddAccessRule($ace)
+        }
+    }
+    Set-ACL $TemplatePath -AclObject $acl
+}
+
+
+<#
+.SYNOPSIS
+Returns a JSON string with the properties of an Active Directory certificate template.
+.DESCRIPTION
+Returns a JSON string with the properties of an Active Directory certificate template.
+By default returns only the PKI-related properties of the object. These properties are
+sufficient for passing to the New-ADCSTemplate function.
+.PARAMETER DisplayName
+DisplayName for the certificate to export.
+.PARAMETER Server
+FQDN of Active Directory Domain Controller to target for the operation.
+When not specified it will search for the nearest Domain Controller.
+.PARAMETER Detailed
+Includes all ADObject properties of the template. These are not required for 
+use with the New-ADCSTemplate function.
+.NOTES
+C.R.U.D. AD CS Template Operations in this module.
+No longer have to use the cert GUI to clone a template and build a new one.
+Create one manually the first time in the GUI, then export it to JSON.
+Pass the JSON in your new environment (file, here string, DSC, etc.) to build from scratch.
+Requires Enterprise Administrator permissions, since this touches the AD Configuration partition.
+.EXAMPLE
+PS C:\> Export-ADCSTemplate -DisplayName PowerShellCMS
+.EXAMPLE
+PS C:\> Export-ADCSTemplate -DisplayName PowerShellCMS -Detailed
+.EXAMPLE
+### Backup all the templates to JSON
+md C:\ADCSTemplates -ErrorAction SilentlyContinue
+cd C:\ADCSTemplates
+(Get-ADCSTemplate).name | ForEach-Object {"Exporting $_"; Export-ADCSTemplate -DisplayName $_ | Out-File .\$_.json -Force}
+dir
+.EXAMPLE
+PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS-NEW -JSON (Export-ADCSTemplate -DisplayName PowerShellCMS-OLD)
+#>
+Function Export-ADCSTemplate {
+param(
+    [parameter(Mandatory)]
+    [string]$DisplayName,
+    [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0],
+    [switch]$Detailed   # Detailed output is not required for export/import. Use for documentation/backup purposes.
+)
+    If ($Detailed) {
+        Get-ADCSTemplate -DisplayName $DisplayName -Server $Server |
+            ConvertTo-Json
+    } Else {
+        Get-ADCSTemplate -DisplayName $DisplayName -Server $Server |
+            Select-Object -Property name, displayName, objectClass, flags, revision, *pki* |
+            ConvertTo-Json
+    }
+}
+
+<#
+.SYNOPSIS
+Creates a new Active Directory Certificate Services template based on a JSON export.
+.DESCRIPTION
+Creates a new Active Directory Certificate Services template based on a JSON export.
+Optionally can permission and publish the template (best practice).
+.PARAMETER DisplayName
+DisplayName for the certificate template to create. This does not have to match
+the original name of the exported template.
+.PARAMETER JSON
+JSON string output from Export-ADCSTemplate. Defines the template to create.
+Can be retrieved from file using Get-Content -Raw.
+.PARAMETER Server
+FQDN of Active Directory Domain Controller to target for the operation.
+When not specified it will search for the nearest Domain Controller.
+.PARAMETER Identity
+String or string array of Active Directory identities (users or groups).
+This is optional for permissioning the template.
+.PARAMETER AutoEnroll
+Default permission is Read and Enroll. Use this switch to also grant AutoEnroll 
+to the identity. Only used when Identity parameter is used.
+.PARAMETER Publish
+Publish the template to *ALL* Certificate Authority issuers. Use with caution
+in production environments. You may want to manually publish to only specific
+Certificate Authorities in production. In a lab this is ideal.
+.NOTES
+This function does not use the official (complicated) API for PKI management.
+Instead it creates the exact same AD objects that are generated by the API,
+including AD forest-specific OIDs.
+Requires Enterprise Administrator permissions, since this touches the AD Configuration partition.
+.EXAMPLE
+PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS -JSON (Get-Content .\pscms.json -Raw)
+.EXAMPLE
+PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS -JSON (Get-Content .\pscms.json -Raw) -Server dc1.contoso.com -Identity G_DSCNodes -AutoEnroll -Publish
+
+# From a client configured for AD CS autoenrollment:
+$Req = @{
+    Template          = 'PowerShellCMS'
+    Url               = 'ldap:'
+    CertStoreLocation = 'Cert:\LocalMachine\My'
+}
+Get-Certificate @Req
+# Note: If you have the Carbon module installed, it conflicts with Get-Certificate native cmdlet.
+
+$DocEncrCert = (dir Cert:\LocalMachine\My -DocumentEncryptionCert | Sort-Object NotBefore)[-1]
+Protect-CmsMessage -To $DocEncrCert -Content "Encrypted with my new cert from the new template!"
+.EXAMPLE
+PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS-NEW -JSON (Export-ADCSTemplate -DisplayName PowerShellCMS-OLD)
+#>
+Function New-ADCSTemplate {
+param(
+    [parameter(Mandatory)]
+    [string]$DisplayName,   # name in JSON export is ignored
+    [parameter(Mandatory)]
+    [string]$JSON,
+    [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0],
+    [string[]]$Identity, # = "$((Get-ADDomain).NetBIOSName)\Domain Computers",
+    [switch]$AutoEnroll,
+    [switch]$Publish
+)
+    ### Put GroupName and AutoEnroll into a parameter set
+
+    # Manually import AD module to get AD: drive used later for permissions
+    Import-Module ActiveDirectory -Verbose:$false
+
+    $ConfigNC = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
+
+    #region CREATE OID
+    <#
+    CN                              : 14891906.F2AC4390685318BD1D950A66EDB50FF4
+    DisplayName                     : TemplateNameHere
+    DistinguishedName               : CN=14891906.F2AC4390685318BD1D950A66EDB50FF4,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
+    dSCorePropagationData           : {1/1/1601 12:00:00 AM}
+    flags                           : 1
+    instanceType                    : 4
+    msPKI-Cert-Template-OID         : 1.3.6.1.4.1.311.21.8.11489019.14294623.5588661.594850.12204198.151.6616009.14891906
+    Name                            : 14891906.F2AC4390685318BD1D950A66EDB50FF4
+    ObjectCategory                  : CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=contoso,DC=com
+    ObjectClass                     : msPKI-Enterprise-Oid
+    #>
+    $OID = New-TemplateOID -Server $Server -ConfigNC $ConfigNC
+    $TemplateOIDPath = "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC"
+    $oa = @{
+	    'DisplayName' = $DisplayName
+	    'flags' = [System.Int32]'1'
+	    'msPKI-Cert-Template-OID' = $OID.TemplateOID
+    }
+    New-ADObject -Path $TemplateOIDPath -OtherAttributes $oa -Name $OID.TemplateName -Type 'msPKI-Enterprise-Oid' -Server $Server
+    #endregion
+
+    #region CREATE TEMPLATE
+    # https://docs.microsoft.com/en-us/powershell/dsc/securemof#certificate-requirements
+    # https://blogs.technet.microsoft.com/option_explicit/2012/04/09/pki-certificates-and-the-x-509-standard/
+    # https://technet.microsoft.com/en-us/library/cc776447(v=ws.10).aspx
+    $import = $JSON | ConvertFrom-Json
+    $oa = @{ 'msPKI-Cert-Template-OID' = $OID.TemplateOID }
+    ForEach ($prop in ($import | Get-Member -MemberType NoteProperty)) {
+        Switch ($prop.Name) {
+            { $_ -in 'flags',
+                    'msPKI-Certificate-Name-Flag',
+                    'msPKI-Enrollment-Flag',
+                    'msPKI-Minimal-Key-Size',
+                    'msPKI-Private-Key-Flag',
+                    'msPKI-Template-Minor-Revision',
+                    'msPKI-Template-Schema-Version',
+                    'msPKI-RA-Signature',
+                    'pKIMaxIssuingDepth',
+                    'pKIDefaultKeySpec',
+                    'revision'
+            } { $oa.Add($_,[System.Int32]$import.$_); break }
+
+            { $_ -in 'msPKI-Certificate-Application-Policy',
+                    'pKICriticalExtensions',
+                    'pKIDefaultCSPs',
+                    'pKIExtendedKeyUsage',
+                    'msPKI-RA-Application-Policies'
+            } { $oa.Add($_,[Microsoft.ActiveDirectory.Management.ADPropertyValueCollection]$import.$_); break }
+
+            { $_ -in 'pKIExpirationPeriod',
+                    'pKIKeyUsage',
+                    'pKIOverlapPeriod'
+            } { $oa.Add($_,[System.Byte[]]$import.$_); break }
+
+        }
+    }
+    $TemplatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
+    New-ADObject -Path $TemplatePath -OtherAttributes $oa -Name $DisplayName.Replace(' ','') `
+        -DisplayName $DisplayName -Type pKICertificateTemplate -Server $Server
+    #endregion
+
+    #region PERMISSIONS
+    ## Potential issue here that the AD: drive may not be targetting the selected DC in the -SERVER parameter
+    If ($PSBoundParameters.ContainsKey('Identity')) {
+        If ($AutoEnroll) {
+            Set-ADCSTemplateACL -DisplayName $DisplayName -Server $Server -Type Allow -Identity $Identity -Enroll -AutoEnroll
+        } Else {
+            Set-ADCSTemplateACL -DisplayName $DisplayName -Server $Server -Type Allow -Identity $Identity -Enroll
+        }
+    }
+    #endregion
+
+    #region ISSUE
+    If ($Publish) {
+        ### WARNING: Issues on all available CAs. Test in your environment.
+        $EnrollmentPath = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
+        $CAs = Get-ADObject -SearchBase $EnrollmentPath -SearchScope OneLevel -Filter * -Server $Server
+        ForEach ($CA in $CAs) {
+            Set-ADObject -Identity $CA.DistinguishedName -Add @{certificateTemplates=$DisplayName.Replace(' ','')} -Server $Server
+        }
+    }
+    #endregion
+}
+
+
+<#
+.SYNOPSIS
+Removes a certificate template from Active Directory.
+.DESCRIPTION
+Removes the template from any issuers where it is published.
+Removes the template itself.
+Removes the unique OID object of the template.
+.PARAMETER DisplayName
+DisplayName for the certificate template to delete.
+.PARAMETER Server
+FQDN of Active Directory Domain Controller to target for the operation.
+When not specified it will search for the nearest Domain Controller.
+.EXAMPLE
+PS C:\> Remove-ADCSTemplate -DisplayName PowerShellCMS
+.EXAMPLE
+PS C:\> (Get-ADCSTemplate).name | Where-Object {$_ -like "PowerShellCMS*"} | ForEach-Object {Remove-ADCSTemplate -DisplayName $_ -Verbose}
+.NOTES
+Use with caution!
+Requires Enterprise Administrator permissions, since this touches the AD Configuration partition.
+#>
+Function Remove-ADCSTemplate {
+[CmdletBinding(SupportsShouldProcess=$true,ConfirmImpact='High')]
+param(
+    [parameter(Mandatory)]
+    [string]$DisplayName,
+    [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0]
+)
+    if ($pscmdlet.ShouldProcess($DisplayName, 'Remove certificate template')) {
+        $ConfigNC = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
+
+        $Template = Get-ADCSTemplate -DisplayName $DisplayName -Server $Server
+
+        #region REMOVE ISSUE IF IT EXISTS
+        $EnrollmentPath = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
+        $CAs = Get-ADObject -SearchBase $EnrollmentPath -SearchScope OneLevel -Filter * -Server $Server
+        ForEach ($CA in $CAs) {
+            Set-ADObject -Identity $CA.DistinguishedName -Remove @{certificateTemplates=$Template.cn} -Server $Server -Confirm:$false
+        }
+        #endregion
+
+        #region REMOVE TEMPLATE
+        Remove-ADObject -Identity $Template.distinguishedName -Server $Server -Confirm:$false
+        #endregion
+
+        #region REMOVE OID
+        $TemplateOIDPath = "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC"
+        Get-ADObject -SearchBase $TemplateOIDPath -LDAPFilter "(DisplayName=$DisplayName)" -Server $Server | Remove-ADObject -Confirm:$false
+        #endregion
+    }
+}
+
+
+<#
+.SYNOPSIS
+Maps a PowerShell drive to the Active Directory Certificate Services location.
+.DESCRIPTION
+Maps a PowerShell drive to the Active Directory Certificate Services location 
+of the Configuration partition under CN=Public Key Services,CN=Services,... .
+The new drive is ADCS:. This is purely for convenience of checking the objects
+updated by functions in the ADCSTemplate module.
+.PARAMETER Server
+FQDN of Active Directory Domain Controller to target for the operation.
+When not specified it will search for the nearest Domain Controller.
+.EXAMPLE
+PS C:\> New-ADCSDrive
+PS C:\> Set-Location ADCS:
+.EXAMPLE
+### Explore templates with drive
+New-ADCSDrive
+Get-PSDrive
+cd ADCS:
+dir
+
+# List templates
+cd '.\CN=Certificate Templates'
+dir
+dir | fl *
+dir *WebServer*
+
+# list CAs
+cd \
+cd '.\CN=Enrollment Services'
+dir
+cd C:
+.NOTES
+Requires Enterprise Administrator permissions, since this touches the AD Configuration partition.
+#>
+Function New-ADCSDrive {
+param(
+    [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0]
+)
+    $ConfigNC     = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
+    New-PSDrive -Name ADCS -PSProvider ActiveDirectory -Root "CN=Public Key Services,CN=Services,$ConfigNC" -Server $Server -Scope Global
+}
+
+
+Export-ModuleMember -Function *-ADCS*
diff --git a/ansible/files/adcs/templates/ESC1.json b/ansible/files/adcs/templates/ESC1.json
new file mode 100644
index 0000000..a102696
--- /dev/null
+++ b/ansible/files/adcs/templates/ESC1.json
diff --git a/ansible/files/adcs/templates/ESC2.json b/ansible/files/adcs/templates/ESC2.json
new file mode 100644
index 0000000..82414d6
--- /dev/null
+++ b/ansible/files/adcs/templates/ESC2.json
diff --git a/ansible/files/adcs/templates/ESC3-CRA.json b/ansible/files/adcs/templates/ESC3-CRA.json
new file mode 100644
index 0000000..2882ef5
--- /dev/null
+++ b/ansible/files/adcs/templates/ESC3-CRA.json
diff --git a/ansible/files/adcs/templates/ESC3.json b/ansible/files/adcs/templates/ESC3.json
new file mode 100644
index 0000000..fb346c7
--- /dev/null
+++ b/ansible/files/adcs/templates/ESC3.json
diff --git a/ansible/files/adcs/templates/ESC4.json b/ansible/files/adcs/templates/ESC4.json
new file mode 100644
index 0000000..a5f29a3
--- /dev/null
+++ b/ansible/files/adcs/templates/ESC4.json
diff --git a/ansible/files/software/BgInfo.bgi b/ansible/files/software/BgInfo.bgi
new file mode 100644
index 0000000..ecd219f
--- /dev/null
+++ b/ansible/files/software/BgInfo.bgi
diff --git a/ansible/files/software/BgInfo.exe b/ansible/files/software/BgInfo.exe
new file mode 100644
index 0000000..76d3d31
--- /dev/null
+++ b/ansible/files/software/BgInfo.exe
diff --git a/ansible/files/software/PsExec64.exe b/ansible/files/software/PsExec64.exe
new file mode 100644
index 0000000..db94608
--- /dev/null
+++ b/ansible/files/software/PsExec64.exe
diff --git a/ansible/files/software/Sysmon64.exe b/ansible/files/software/Sysmon64.exe
new file mode 100644
index 0000000..8d72282
--- /dev/null
+++ b/ansible/files/software/Sysmon64.exe
diff --git a/ansible/files/software/googlechromestandaloneenterprise64.msi b/ansible/files/software/googlechromestandaloneenterprise64.msi
new file mode 100644
index 0000000..b958b6f
--- /dev/null
+++ b/ansible/files/software/googlechromestandaloneenterprise64.msi
diff --git a/ansible/files/software/npp.exe b/ansible/files/software/npp.exe
new file mode 100644
index 0000000..3ca17fa
--- /dev/null
+++ b/ansible/files/software/npp.exe
diff --git a/ansible/files/software/sysmonconfig-export.xml b/ansible/files/software/sysmonconfig-export.xml
new file mode 100644
index 0000000..028d373
--- /dev/null
+++ b/ansible/files/software/sysmonconfig-export.xml
@@ -0,0 +1,1200 @@
+<!--
+  sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community
+  Source version:	74 | Date: 2021-07-08
+  Source project:	https://github.com/SwiftOnSecurity/sysmon-config
+  Source license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
+
+  Fork version:	<N/A>
+  Fork author:	<N/A>
+  Fork project:	<N/A>
+  Fork license:	<N/A>
+
+  REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes)
+	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+
+  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF | Command to allow log access to the Network Service:
+	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
+
+  NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own.
+	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it is only very
+	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
+	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
+	as possible to technicians armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
+
+  NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool.
+	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
+	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
+
+  NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, just remove that section.
+	You can remove DNS events from Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22
+	Additionally, if you want to monitor DNS, you should deploy client-side adblocking to reduce lookups. See the DNS section for info.
+
+  NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive. That moves their binaries out of user-controlled folders.
+	Otherwise, attackers could imitate these common applications, and bypass your logging. Below are silent upgrades you can do, no user impact:
+	- https://docs.microsoft.com/en-us/onedrive/per-machine-installation
+	- https://cloud.google.com/chrome-enterprise/browser/download/
+	- As of 2021-02-16 there is no machine-level version of Microsoft Teams. The one provided copies itself to the user profile.
+
+  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
+	to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader,
+	log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which
+	this configuration monitors, especially in the first minutes.
+
+  NOTE: If you encounter unexplainable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename.
+	To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup.
+
+  TECHNICAL:
+  - Run sysmon.exe -? for a briefing on Sysmon configuration.
+  - Sysmon XML cannot use the AMPERSAND sign. Replace it with this: &amp;
+  - Sysmon 8+ can track which rule caused an event to be logged through the "RuleName" field.
+  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
+  - Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. Depends on environment.
+  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
+  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
+  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
+  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
+  - "ProcessGuid" and "LoginGuid" are not random, they contain some embedded information. https://gist.github.com/mattifestation/0102042160c9a60b2b847378c0ef70b4
+
+  FILTERING: Filter conditions available for use are: is,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image
+  - The "image" filter is usable on any field. Same as "is" but can either match entire string, or only the text after last "\". Credit: @mattifestation
+
+-->
+
+<Sysmon schemaversion="4.50">
+	<!--SYSMON META CONFIG-->
+	<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms. Remove IMPHASH if you do not use DLL import fingerprinting. -->
+	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
+
+	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
+	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
+	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
+	<!-- <ArchiveDirectory> -->
+
+	<EventFiltering>
+
+	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
+		<!--COMMENT:	All processes launched will be logged, except for what matches a rule below. It's best to be as specific as possible,
+			to avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
+			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
+			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
+			code signatures to validate, but Sysmon does not support that. Look into AppLocker/WindowsDeviceGuard for whitelisting support. -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, RuleName-->
+	<RuleGroup name="" groupRelation="or">
+		<ProcessCreate onmatch="exclude">
+			<!--SECTION: Microsoft Windows-->
+			<CommandLine condition="begin with"> "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" </CommandLine> <!--Windows:Windows error reporting/telemetry-->
+			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Windows-->
+			<CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</CommandLine> <!--Windows: WMI provider host-->
+			<CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</CommandLine> <!--Windows: WMI provider host-->
+			<CommandLine condition="is">C:\Windows\system32\wermgr.exe -upload</CommandLine> <!--Windows:Windows error reporting/telemetry-->
+			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Windows: Search Indexer-->
+			<CommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</CommandLine> <!--Windows:Windows error reporting/telemetry-->
+			<CommandLine condition="is">\??\C:\Windows\system32\autochk.exe *</CommandLine> <!--Microsoft:Bootup: Auto Check Utility-->
+			<CommandLine condition="is">\SystemRoot\System32\smss.exe</CommandLine> <!--Microsoft:Bootup: Windows Session Manager-->
+			<CommandLine condition="is">C:\Windows\System32\RuntimeBroker.exe -Embedding</CommandLine> <!--Windows:Apps permissions [ https://fossbytes.com/runtime-broker-process-windows-10/ ] -->
+			<Image condition="is">C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe</Image> <!--Windows: Touch Keyboard and Handwriting Panel Helper-->
+			<Image condition="is">C:\Windows\System32\TokenBrokerCookies.exe</Image> <!--Windows: SSO sign-in assistant for MicrosoftOnline.com-->
+			<Image condition="is">C:\Windows\System32\plasrv.exe</Image> <!--Windows: Performance Logs and Alerts DCOM Server-->
+			<Image condition="is">C:\Windows\System32\wifitask.exe</Image> <!--Windows: Wireless Background Task-->
+			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!--Windows: Customer Experience Improvement-->
+			<Image condition="is">C:\Windows\system32\PrintIsolationHost.exe</Image> <!--Windows: Printing-->
+			<Image condition="is">C:\Windows\system32\SppExtComObj.Exe</Image> <!--Windows: KMS activation-->
+			<Image condition="is">C:\Windows\system32\audiodg.exe</Image> <!--Windows: Launched constantly-->
+			<Image condition="is">C:\Windows\system32\conhost.exe</Image> <!--Windows: Command line interface host process-->
+			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Windows: Network file syncing-->
+			<Image condition="is">C:\Windows\system32\musNotification.exe</Image> <!--Windows: Update pop-ups-->
+			<Image condition="is">C:\Windows\system32\musNotificationUx.exe</Image> <!--Windows: Update pop-ups-->
+			<Image condition="is">C:\Windows\system32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
+			<Image condition="is">C:\Windows\system32\sndVol.exe</Image> <!--Windows: Volume control-->
+			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Windows: Software Protection Service-->
+			<Image condition="is">C:\Windows\system32\wbem\WmiApSrv.exe</Image> <!--Windows: WMI performance adapter host process-->
+			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Windows: Don't care about sandboxed processes right now. Will need to revisit this decision.-->
+			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it-->
+			<ParentCommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</ParentCommandLine> <!--Windows:Windows error reporting/telemetry-->
+			<CommandLine condition="is">C:\WINDOWS\system32\devicecensus.exe UserCxt</CommandLine>
+			<CommandLine condition="is">C:\Windows\System32\usocoreworker.exe -Embedding</CommandLine>
+			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Windows:Search: Launches many uninteresting sub-processes-->
+			<!--SECTION: Windows:svchost-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine> <!--Windows 10-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine> <!--Windows defragmentation-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine> <!--Microsoft:The Windows Image Acquisition Service-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine>
+      <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService</CommandLine>
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService</CommandLine> <!--Win10:1903:Network Connection Broker-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV</CommandLine> <!--Windows:SSDP [ https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol ] -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc</CommandLine> <!--Microsoft:Passport-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc</CommandLine> <!--Microsoft:Passport Container-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</CommandLine>
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv</CommandLine> <!--Windows:Remote desktop configuration-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine> <!--Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ] -->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost</CommandLine> <!--Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ] -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Windows-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine> <!--Windows: Windows Live Sign-In Assistant [ https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ ] -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine> <!--Windows: Network Connectivity Assistant [ http://www.blackviper.com/windows-services/network-connectivity-assistant/ ] -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Windows:Network: BitLocker Drive Encryption-->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC</CommandLine> <!--Microsoft:Win10:1903:Network: BitLocker Drive Encryption-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS</CommandLine> <!--Windows:Network: Background Intelligent File Transfer (BITS) -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Windows:Network: Background Intelligent File Transfer (BITS) -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine> <!--Windows:Network: Group Policy -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Windows: Windows Management Instrumentation (WMI) -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Windows:Network: DNS caching, other uses -->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Windows:Network: Network Location Awareness-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Windows:Network: Terminal Services (RDP)-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Windows: Network services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Windows Services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Windows 10-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Windows Services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Windows Services-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Windows: ErrorReporting-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc</CommandLine> <!--Windows: Update Medic Service [ https://www.thewindowsclub.com/windows-update-medic-service ] -->
+			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine> <!--Windows:Apps: Client License Service-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine> <!--Windows:Apps: AppX Deployment Service-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine> <!--Windows:Apps: Client License Service-->
+			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Windows:Apps [ https://www.howtogeek.com/320261/what-is-wsappx-and-why-is-it-running-on-my-pc/ ] -->
+			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine> <!--Windows: Network services: Spawns Consent.exe-->
+			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine> <!--Windows-->
+			<CommandLine condition="is">C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM</CommandLine> <!--Windows: AzureAD device enrollment agent-->
+			<!--SECTION: Microsoft:Edge-->
+			<CommandLine condition="begin with">"C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type=</CommandLine>
+			<!--SECTION: Microsoft:dotNet-->
+			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
+			<CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe</CommandLine> <!--Microsoft:DotNet-->
+			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</CommandLine> <!--Microsoft:DotNet-->
+			<CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</CommandLine> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
+			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Windows: Font cache service-->
+			<ParentCommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
+			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet: Spawns thousands of ngen.exe processes-->
+			<!--SECTION: Microsoft:Office-->
+			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Licensing service-->
+			<Image condition="is">C:\Program Files\Microsoft Office\Office16\msoia.exe</Image> <!--Microsoft:Office: Telemetry collector-->
+			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
+			<!--SECTION: Microsoft:Office:Click2Run-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
+			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
+			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
+			<!--SECTION: Windows: Media player-->
+			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Windows: Windows Media Player Network Sharing Service Configuration Application-->
+			<!--SECTION: Google-->
+			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
+			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
+		</ProcessCreate>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
+	<RuleGroup name="" groupRelation="or">
+		<FileCreateTime onmatch="include">
+			<Image name="T1099" condition="begin with">C:\Users</Image> <!--Look for timestomping in user area, usually nothing should be doing that here-->
+			<TargetFilename name="T1099" condition="end with">.exe</TargetFilename> <!--Look for backdated executables anywhere-->
+			<Image name="T1099" condition="begin with">\Device\HarddiskVolumeShadowCopy</Image> <!--Nothing should be written here | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
+		</FileCreateTime>
+	</RuleGroup>
+
+	<RuleGroup name="" groupRelation="or">
+		<FileCreateTime onmatch="exclude">
+			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
+			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
+			<Image condition="contains">setup</Image> <!--Ignore setups-->
+			<Image condition="contains">install</Image> <!--Ignore setups-->
+			<Image condition="contains">Update\</Image> <!--Ignore setups-->
+			<Image condition="end with">redist.exe</Image> <!--Ignore setups-->
+			<Image condition="is">msiexec.exe</Image> <!--Ignore setups-->
+			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
+			<TargetFilename condition="contains">\NVIDIA\NvBackend\ApplicationOntology\</TargetFilename> <!--NVIDIA GeForce Experience Application Ontology, 1000's of events in user profile-->
+		</FileCreateTime>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
+		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
+		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
+		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
+		<!--TECHNICAL:	These exe do not initiate their connections, and thus includes do not work in this section: BITSADMIN NLTEST-->
+
+		<!-- https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
+	<RuleGroup name="" groupRelation="or">
+		<NetworkConnect onmatch="include">
+			<!--Suspicious sources for network-connecting binaries-->
+			<Image name="Usermode" condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
+			<Image name="Caution" condition="begin with">C:\Recycle</Image> <!--Nothing should operate from the RecycleBin locations.-->
+			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
+			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
+			<Image name="Caution" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
+			<Image name="Caution" condition="begin with">C:\perflogs</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
+			<Image name="Caution" condition="begin with">C:\intel</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
+			<Image name="Caution" condition="begin with">C:\Windows\fonts</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
+			<Image name="Caution" condition="begin with">C:\Windows\system32\config</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
+			<!--Suspicious Windows tools-->
+			<Image condition="image">at.exe</Image> <!--Windows: Remote task scheduling, removed in Win10 | Credit @ion-storm -->
+			<Image condition="image">certutil.exe</Image> <!--Windows: Certificate tool can contact outbound | Credit @ion-storm @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
+			<Image condition="image">cmd.exe</Image> <!--Windows: Remote command prompt-->
+			<Image condition="image">cmstp.exe</Image> <!--Windows: Connection manager profiles can launch executables from WebDAV [ https://twitter.com/NickTyrer/status/958450014111633408 ] | Credit @NickTyrer @Oddvarmoe @KyleHanslovan @subTee -->
+			<Image condition="image">cscript.exe</Image> <!--WindowsScriptingHost: | Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">driverquery.exe</Image> <!--Windows: Remote recognisance of system configuration, oudated/vulnerable drivers -->
+			<Image condition="image">dsquery.exe</Image> <!--Microsoft: Query Active Directory -->
+			<Image condition="image">hh.exe</Image> <!--Windows: HTML Help Executable, opens CHM files -->
+			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
+			<Image condition="image">java.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files | Credit @ion-storm -->
+			<Image condition="image">javaw.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files -->
+			<Image condition="image">javaws.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files -->
+			<Image condition="image">mmc.exe</Image> <!--Windows: -->
+			<Image condition="image">msbuild.exe</Image> <!--Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<Image condition="image">mshta.exe</Image> <!--Windows: HTML application executes scripts without IE protections | Credit @ion-storm [ https://en.wikipedia.org/wiki/HTML_Application ] -->
+			<Image condition="image">msiexec.exe</Image> <!--Windows: Can install from http:// paths | Credit @vector-sec -->
+			<Image condition="image">nbtstat.exe</Image> <!--Windows: NetBIOS statistics, attackers use to enumerate local network -->
+			<Image condition="image">net.exe</Image> <!--Windows: Note - May not detect anything, net.exe is a front-end to lower APIs | Credit @ion-storm -->
+			<Image condition="image">net1.exe</Image> <!--Windows: Launched by "net.exe", but it may not detect connections either -->
+			<Image condition="image">notepad.exe</Image> <!--Windows: [ https://secrary.com/ReversingMalware/CoinMiner/ ] [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">nslookup.exe</Image> <!--Windows: Retrieve data over DNS -->
+			<Image condition="image">powershell.exe</Image> <!--Windows: PowerShell interface-->
+			<Image condition="image">powershell_ise.exe</Image> <!--Windows: PowerShell interface-->
+			<Image condition="image">qprocess.exe</Image> <!--Windows: [ https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf ] -->
+			<Image condition="image">qwinsta.exe</Image> <!--Windows: Query remote sessions | Credit @ion-storm -->
+			<Image condition="image">qwinsta.exe</Image> <!--Windows: Remotely query login sessions on a server or workstation | Credit @ion-storm -->
+			<Image condition="image">reg.exe</Image> <!--Windows: Remote Registry editing ability | Credit @ion-storm -->
+			<Image condition="image">regsvcs.exe</Image> <!--Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
+			<Image condition="image">regsvr32.exe</Image> <!--Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
+			<Image condition="image">rundll32.exe</Image> <!--Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
+			<Image condition="image">rwinsta.exe</Image> <!--Windows: Disconnect remote sessions | Credit @ion-storm -->
+			<Image condition="image">sc.exe</Image> <!--Windows: Remotely change Windows service settings | Credit @ion-storm -->
+			<Image condition="image">schtasks.exe</Image> <!--Windows: Command-line interface to local and remote tasks -->
+			<Image condition="image">taskkill.exe</Image> <!--Windows: Kill processes, has remote ability -->
+			<Image condition="image">tasklist.exe</Image> <!--Windows: List processes, has remote ability -->
+			<Image condition="image">wmic.exe</Image> <!--WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
+			<Image condition="image">wscript.exe</Image> <!--WindowsScriptingHost: | Credit @arekfurt -->
+			<!--Live of the Land Binaries and scripts (LOLBAS) -->
+			<Image condition="image">bitsadmin.exe</Image> <!-- Windows: Background Intelligent Transfer Service - Can download from URLs -->
+			<Image condition="image">esentutl.exe</Image> <!-- Windows: Database utilities for the ESE - Can fetch from UNC paths -->
+			<Image condition="image">expand.exe</Image> <!-- Windows: Expands one or more compressed files - Can fetch from UNC paths -->
+			<Image condition="image">extrac32.exe</Image> <!--Windows: Uncompress .cab files - Can fetch from UNC paths -->
+			<Image condition="image">findstr.exe</Image> <!-- Windows: Search for strings - Can fetch from UNC paths -->
+			<Image condition="image">GfxDownloadWrapper.exe</Image> <!-- Intel Graphics Control Panel: Remote file download -->
+			<Image condition="image">ieexec.exe</Image> <!-- Windows: Microsoft .NET Framework application - Download and execute from URLs -->
+			<Image condition="image">makecab.exe</Image> <!-- Windows: Packages existing files into a .cab - Can fetch from UNC paths -->
+			<Image condition="image">replace.exe</Image> <!-- Windows: Used to replace file with another file - Can fetch from UNC paths -->
+			<Image condition="image">Excel.exe</Image> <!-- Windows Office: Excel - Can download from URLs -->
+			<Image condition="image">Powerpnt.exe</Image> <!-- Windows Office: PowerPoint - Can download from URLs -->
+			<Image condition="image">Winword.exe</Image> <!-- Windows Office: Word - Can download from URLs -->
+			<Image condition="image">squirrel.exe</Image> <!-- Windows: Update the Nuget/Squirrel packages. Part of Teams. - Can download from URLs -->
+			<!--Relevant 3rd Party Tools-->
+			<Image condition="image">nc.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
+			<Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
+			<Image condition="image">psexec.exe</Image> <!--Sysinternals:PsExec client side | Credit @Cyb3rOps -->
+			<Image condition="image">psexesvc.exe</Image> <!--Sysinternals:PsExec server side | Credit @Cyb3rOps -->
+			<Image condition="image">tor.exe</Image> <!--Tor [ https://www.hybrid-analysis.com/sample/800bf028a23440134fc834efc5c1e02cc70f05b2e800bbc285d7c92a4b126b1c?environmentId=100 ] -->
+			<Image condition="image">vnc.exe</Image> <!-- VNC client | Credit @Cyb3rOps -->
+			<Image condition="image">vncservice.exe</Image> <!-- VNC server | Credit @Cyb3rOps -->
+			<Image condition="image">vncviewer.exe</Image> <!-- VNC client | Credit @Cyb3rOps -->
+			<Image condition="image">winexesvc.exe</Image> <!-- Winexe service executable | Credit @Cyb3rOps -->
+			<Image condition="image">nmap.exe</Image>
+			<Image condition="image">psinfo.exe</Image>
+			<!--Ports: Suspicious-->
+			<DestinationPort name="SSH" condition="is">22</DestinationPort> <!--SSH protocol, monitor admin connections-->
+			<DestinationPort name="Telnet" condition="is">23</DestinationPort> <!--Telnet protocol, monitor admin connections, insecure-->
+			<DestinationPort name="SMTP" condition="is">25</DestinationPort> <!--SMTP mail protocol port, insecure, used by threats-->
+			<DestinationPort name="IMAP" condition="is">143</DestinationPort> <!--IMAP mail protocol port, insecure, used by threats-->
+			<DestinationPort name="RDP" condition="is">3389</DestinationPort> <!--Windows:RDP: Monitor admin connections-->
+			<DestinationPort name="VNC" condition="is">5800</DestinationPort> <!--VNC protocol: Monitor admin connections, often insecure, using hard-coded admin password-->
+			<DestinationPort name="VNC" condition="is">5900</DestinationPort> <!--VNC protocol Monitor admin connections, often insecure, using hard-coded admin password-->
+			<DestinationPort name="Alert,Metasploit" condition="is">4444</DestinationPort>
+			<!--Ports: Proxy-->
+			<DestinationPort name="Proxy" condition="is">1080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
+			<DestinationPort name="Proxy" condition="is">3128</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
+			<DestinationPort name="Proxy" condition="is">8080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
+			<!--Ports: Tor-->
+			<DestinationPort name="Tor" condition="is">1723</DestinationPort> <!--Tor protocol [ https://attack.mitre.org/wiki/Technique/T1090 ] | Credit @ion-storm-->
+			<DestinationPort name="Tor" condition="is">9001</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
+			<DestinationPort name="Tor" condition="is">9030</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
+		</NetworkConnect>
+	</RuleGroup>
+
+	<RuleGroup name="" groupRelation="or">
+		<NetworkConnect onmatch="exclude">
+			<!--SECTION: Microsoft-->
+			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
+			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
+			<DestinationHostname condition="end with">.microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
+			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
+			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
+			<!--OCSP known addresses-->
+			<DestinationIp condition="is">23.4.43.27</DestinationIp> <!--Digicert [ https://otx.alienvault.com/indicator/ip/23.4.43.27 ] -->
+			<DestinationIp condition="is">72.21.91.29</DestinationIp> <!--Digicert [ https://otx.alienvault.com/indicator/ip/72.21.91.29 ] -->
+			<!--Section: Loopback Addresses-->
+			<DestinationIp condition="is">127.0.0.1</DestinationIp> <!--Credit @ITProPaul-->
+			<DestinationIp condition="begin with">fe80:0:0:0</DestinationIp> <!--Credit @ITProPaul-->
+		</NetworkConnect>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON SERVICE STATUS MESSAGES-->
+
+		<!--DATA: UtcTime, State, Version, SchemaVersion-->
+		<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
+		<!--COMMENT:	Useful data in building infection timelines.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
+	<RuleGroup name="" groupRelation="or">
+		<ProcessTerminate onmatch="include">
+			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
+			<Image condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
+		</ProcessTerminate>
+	</RuleGroup>
+
+	<RuleGroup name="" groupRelation="or">
+		<ProcessTerminate onmatch="exclude">
+		</ProcessTerminate>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
+		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
+			about what you exclude from monitoring. Low event volume, little incentive to exclude.
+			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
+		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
+
+		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+	<RuleGroup name="" groupRelation="or">
+		<DriverLoad onmatch="exclude">
+			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
+			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
+			<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
+		</DriverLoad>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
+	<RuleGroup name="" groupRelation="or">
+		<ImageLoad onmatch="include">
+			<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
+		</ImageLoad>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
+		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
+		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
+
+		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
+	<RuleGroup name="" groupRelation="or">
+		<CreateRemoteThread onmatch="exclude">
+			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
+			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
+			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
+			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
+			<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
+		</CreateRemoteThread>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
+		<!--EVENT 9: "RawAccessRead detected"-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
+			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
+			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
+		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
+	<RuleGroup name="" groupRelation="or">
+		<RawAccessRead onmatch="include">
+			<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
+		</RawAccessRead>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
+		<!--EVENT 10: "Process accessed"-->
+		<!--COMMENT:	Can cause high system load, disabled by default.-->
+		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
+
+		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
+	<RuleGroup name="" groupRelation="or">
+		<ProcessAccess onmatch="include">
+			<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
+		</ProcessAccess>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
+		<!--EVENT 11: "File created"-->
+		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
+		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
+	<RuleGroup name="" groupRelation="or">
+		<FileCreate onmatch="include">
+			<TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename> <!--Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
+			<TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename> <!--Microsoft:Changes to user's auto-launched files and shortcuts-->
+			<TargetFilename name="OutlookAttachment" condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
+			<TargetFilename name="Downloads" condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
+			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
+			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
+			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.chm</TargetFilename>
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
+			<TargetFilename name="T1176" condition="end with">.crx</TargetFilename> <!--Chrome extension-->
+			<TargetFilename condition="end with">.dmp</TargetFilename> <!--Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ] -->
+			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable-->
+			<TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ]  -->
+			<TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
+			<TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
+			<TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
+			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.job</TargetFilename> <!--Scheduled task-->
+			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
+			<TargetFilename condition="end with">.sct</TargetFilename> <!--Scripting | Credit @bartblaze -->
+			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
+			<TargetFilename condition="end with">.scr</TargetFilename> <!--System driver files-->
+			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
+			<TargetFilename condition="end with">.wsc</TargetFilename> <!--Scripting | Credit @bartblaze -->
+			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting | Credit @bartblaze -->
+			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
+			<TargetFilename condition="end with">.ocx</TargetFilename> <!--Microsoft:ActiveX-->
+			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: [ https://twitter.com/subTee/status/885919612969394177 ] -->
+			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: [ https://twitter.com/subTee/status/885919612969394177 ] -->
+			<TargetFilename condition="end with">.xls</TargetFilename><!--Microsoft [ https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 ] -->
+			<TargetFilename name="DefaultUserModified" condition="begin with">C:\Users\Default</TargetFilename> <!--Windows: Changes to default user profile-->
+			<TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
+			<TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
+			<TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
+			<TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
+			<TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetFilename name="T1053" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
+			<TargetFilename name="T1053" condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
+			<TargetFilename name="T1053" condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
+			<Image condition="begin with">\Device\HarddiskVolumeShadowCopy</Image> <!--Nothing should be executing from VSC | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
+			<!--Windows application compatibility-->
+			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->
+			<!--Exploitable file names-->
+			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
+			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
+			<TargetFilename condition="end with">.rtf</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
+		</FileCreate>
+	</RuleGroup>
+
+	<RuleGroup name="" groupRelation="or">
+		<FileCreate onmatch="exclude">
+			<!--SECTION: Microsoft-->
+			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
+			<!--SECTION: Microsoft:Office:Click2Run-->
+			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
+			<!--SECTION: Windows-->
+			<Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
+			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Windows: Windows 10 app, creates tons of cache files-->
+			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Windows: WMI Performance updates-->
+			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Windows: Network file syncing-->
+			<TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Windows: Temp files by DrvInst.exe-->
+			<TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Windows: Created in wbem by WMIADAP.exe-->
+			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Windows:Installer: Ignore MSI installer files caching-->
+			<!--SECTION: Windows:Updates-->
+			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Windows: Feature updates containing lots of .exe and .sys-->
+			<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Windows: Windows update-->
+		</FileCreate>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
+		<!--EVENT 12: "Registry object added or deleted"-->
+		<!--EVENT 13: "Registry value set"-->
+		<!--EVENT 14: "Registry objected renamed"-->
+
+		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
+		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
+		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
+		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->
+
+		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
+		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
+		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
+		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
+		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
+
+		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.
+								Sysmon's wildcard monitoring along with highly-tuned generic strings cuts the rulesets down immensely, compared to doing this in other tools.
+								For example, most COM hijacking in CLSID's across the registry is covered by a single rule monitoring a InProcServer32 wildcard-->
+
+		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
+	<RuleGroup name="" groupRelation="or">
+		<RegistryEvent onmatch="include">
+			<!--Autorun or Startups-->
+				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
+				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
+				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
+				<!--ADDITIONAL REFERENCE: [ https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 ] -->
+				<!--ADDITIONAL REFERENCE: [ https://web.archive.org/web/20200116001643/http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=1533&context=theses | Understanding malware autostart techniques - Matthew Gottlieb ] -->
+			<TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject> <!--Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
+			<TargetObject name="T1060,RunPolicy" condition="contains">Policies\Explorer\Run</TargetObject> <!--Windows: Alternate runs keys | Credit @ion-storm-->
+			<TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject> <!--Windows: Group policy scripts-->
+			<TargetObject name="T1484" condition="contains">Windows\System\Scripts</TargetObject> <!--Windows: Wildcard for Logon, Loggoff, Shutdown-->
+			<TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
+			<TargetObject name="T1060" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
+			<TargetObject name="T1060" condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject> <!--Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject> <!--Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Windows: Legacy driver loading | Credit @ion-storm -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!--Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ] -->
+			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
+			<TargetObject name="T1112,ChangeStartupFolderPath" condition="end with">user shell folders\startup</TargetObject> <!--Monitor changes to Startup folder location for monitoring evasion | Credit @SBousseaden-->
+			<!--Services-->
+			<TargetObject name="T1031,T1050" condition="end with">\ServiceDll</TargetObject> <!--Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
+			<TargetObject name="T1031,T1050" condition="end with">\ServiceManifest</TargetObject> <!--Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm ] -->
+			<TargetObject name="T1031,T1050" condition="end with">\ImagePath</TargetObject> <!--Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ] -->
+			<TargetObject name="T1031,T1050" condition="end with">\Start</TargetObject> <!--Windows: Services start mode changes (Disabled, Automatically, Manual)-->
+			<!--RDP-->
+			<TargetObject name="RDP port change" condition="end with">Control\Terminal Server\WinStations\RDP-Tcp\PortNumber</TargetObject> <!--Windows: RDP port change under Control [ https://blog.menasec.net/2019/02/of-rdp-hijacking-part1-remote-desktop.html ]-->
+			<TargetObject name="RDP port change" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject> <!--Windows: Allow same user to have mutliple RDP sessions, to hide from admin being impersonated-->
+			<TargetObject name="ModifyRemoteDesktopState" condition="end with">fDenyTSConnections</TargetObject> <!--Windows: Attacker turning on RDP-->
+			<TargetObject condition="end with">LastLoggedOnUser</TargetObject> <!--Windows: Changing last-logged in user-->
+			<TargetObject name="ModifyRemoteDesktopPort" condition="end with">RDP-tcp\PortNumber</TargetObject> <!--Windows: Changing RDP port to evade IDS-->
+			<TargetObject condition="end with">Services\PortProxy\v4tov4</TargetObject> <!--Windows: Changing RDP port to evade IDS-->
+			<!--CLSID launch commands and Default File Association changes-->
+			<TargetObject name="T1042" condition="contains">\command\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
+			<TargetObject name="T1122" condition="contains">\ddeexec\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
+			<TargetObject name="T1122" condition="contains">{86C86720-42A0-1069-A2E8-08002B30309D}</TargetObject> <!--Windows: Tooltip handler-->
+			<TargetObject name="T1042" condition="contains">exefile</TargetObject> <!--Windows Executable handler, to log any changes not already monitored-->
+			<!--Windows COM-->
+			<TargetObject name="T1122" condition="end with">\InprocServer32\(Default)</TargetObject> <!--Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
+			<!--Windows shell visual modifications used by malware-->
+			<TargetObject name="T1158" condition="end with">\Hidden</TargetObject> <!--Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event -->
+			<TargetObject name="T1158" condition="end with">\ShowSuperHidden</TargetObject> <!--Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
+			<TargetObject name="T1158" condition="end with">\HideFileExt</TargetObject> <!--Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users -->
+			<!--Windows shell hijack and modifications-->
+			<TargetObject condition="contains">Classes\*\</TargetObject> <!--Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">Classes\AllFilesystemObjects\</TargetObject> <!--Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
+			<TargetObject condition="contains">Classes\Directory\</TargetObject> <!--Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">Classes\Drive\</TargetObject> <!--Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">Classes\Folder\</TargetObject> <!--Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
+			<TargetObject condition="contains">Classes\PROTOCOLS\</TargetObject> <!--Windows:Explorer: Protocol handlers-->
+			<TargetObject condition="contains">ContextMenuHandlers\</TargetObject> <!--Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="contains">CurrentVersion\Shell</TargetObject> <!--Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Windows: ShellExecuteHooks-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Windows: ShellExecuteHooks-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Windows: ShellExecuteHooks-->
+			<!--AppPaths hijacking-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
+			<!--Terminal service boobytrap-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject> <!--Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already-->
+			<!--Group Policy integrity-->
+			<TargetObject name="T1484" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying-->
+			<!--Winsock and Winsock2-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject> <!--Windows: Wildcard, includes Winsock and Winsock2-->
+			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Windows: System and user proxy server-->
+			<!--Credential providers-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credential Providers and Credential Provider Filters-->
+			<TargetObject name="T1101" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders</TargetObject> <!--Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Netsh</TargetObject> <!--Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
+			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable</TargetObject> <!--Windows: Malware often disables a web proxy for 2nd stage downloads -->
+			<!--Networking-->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Windows: | Credit @ion-storm -->
+			<TargetObject name="T1089" condition="end with">\EnableFirewall</TargetObject> <!--Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
+			<TargetObject name="T1089" condition="end with">\DoNotAllowExceptions</TargetObject> <!--Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for all networks| Credit @ion-storm -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for domain networks -->
+			<!--DLLs that get injected into every process at launch-->
+			<TargetObject name="T1103" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
+			<TargetObject name="T1103" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
+			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ] -->
+			<!--Office-->
+			<TargetObject name="T1137" condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues-->
+			<TargetObject name="T1137" condition="contains">Office Test\</TargetObject> <!-- Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject name="Context,ProtectedModeExitOrMacrosUsed" condition="contains">Security\Trusted Documents\TrustRecords</TargetObject> <!--Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ] -->
+			<TargetObject name="Context,ContactedDomain" condition="end with">\EnableBHO</TargetObject> <!--Microsoft:Office: Contacted domains stored here 'HKEY_CURRENT_USER\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\<domain>\EnableBHO' -->
+			<!--IE-->
+			<TargetObject name="T1176" condition="contains">Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
+			<TargetObject name="T1176" condition="contains">Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
+			<TargetObject name="T1176" condition="contains">Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
+			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
+			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
+			<!--Magic registry keys-->
+			<TargetObject condition="begin with">HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\</TargetObject> <!--Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\</TargetObject> <!--Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
+			<TargetObject condition="begin with">HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\</TargetObject> <!--Windows: DirectX instances-->
+			<TargetObject condition="begin with">HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\</TargetObject> <!--Windows: DirectX instances-->
+			<!--Install/Run artifacts-->
+			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
+			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Windows: Source folder for certain program and component installations-->
+			<TargetObject name="Alert,Sysinternals Tool Used" condition="end with">\EulaAccepted</TargetObject> <!--Sysinternals tool launched. Lots of useful abilities for attackers -->
+			<!--Antivirus tampering-->
+			<TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiSpyware</TargetObject> <!--Windows:Defender: State modified via registry-->
+			<TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiVirus</TargetObject> <!--Windows:Defender: State modified via registry-->
+			<TargetObject name="T1089,Tamper-Defender" condition="end with">\SpynetReporting</TargetObject> <!--Windows:Defender: State modified via registry-->
+			<TargetObject name="T1089,Tamper-Defender" condition="end with">DisableRealtimeMonitoring</TargetObject> <!--Windows:Defender: State modified via registry-->
+			<TargetObject name="T1089,Tamper-Defender" condition="end with">\SubmitSamplesConsent</TargetObject> <!--Windows:Defender: State modified via registry-->
+			<TargetObject name="T1562,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</TargetObject> <!--Windows:Defender: Exclusions in policy key-->
+			<!--Windows UAC tampering-->
+			<TargetObject name="T1088" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
+			<TargetObject name="T1088" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
+			<!--Microsoft Security Center tampering | Credit @ion-storm -->
+			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\Software\Microsoft\Security Center\</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
+			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth</TargetObject> <!--Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
+			<!--Windows application compatibility-->
+			<TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
+			<TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ] -->
+			<TargetObject condition="contains">VirtualStore</TargetObject> <!--Windows: Registry virtualization, something's wrong if it's in use [ https://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx ] -->
+			<!--Windows internals integrity monitoring-->
+			<TargetObject name="T1183,IFEO" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Windows: Event log system integrity and ACLs-->
+			<TargetObject name="Tamper-Safemode" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Windows: Services approved to load in safe mode. Almost nothing should ever modify this.-->
+			<TargetObject name="Tamper-Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Windows: Providers notified by WinLogon-->
+			<TargetObject name="Context,DeviceConnectedOrUpdated" condition="end with">\FriendlyName</TargetObject> <!--Windows: New devices connected and remembered-->
+			<TargetObject name="Context,MsiInstallerStarted" condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
+			<TargetObject name="Tamper-Tracing" condition="begin with">HKLM\Software\Microsoft\Tracing\RASAPI32</TargetObject> <!--Windows: Malware sometimes disables tracing to obfuscate tracks-->
+			<TargetObject name="Context,ProcessAccessedPrivateResource" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- Windows: Win10 tracks when and what process uses webcam/microphone/location etc [ https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 ] -->
+			<TargetObject condition="contains">\Keyboard Layout\Preload</TargetObject> <!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] | Credit @cyb3rops -->
+			<TargetObject condition="contains">\Keyboard Layout\Substitutes</TargetObject> <!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] | Credit @cyb3rops -->
+			<!--Windows inventory events-->
+			<TargetObject name="InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
+			<TargetObject name="InvDB-Pub" condition="end with">\Publisher</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
+			<TargetObject name="InvDB-Ver" condition="end with">\BinProductVersion</TargetObject> <!-- [ https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709 ] -->
+			<TargetObject name="InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject> <!-- [ https://df-stream.com/2015/02/leveraging-devicecontainers-key/ ] -->
+			<TargetObject name="InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject> <!-- [ https://df-stream.com/2015/02/leveraging-devicecontainers-key/ ] -->
+			<TargetObject name="InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject> <!-- Compile time of EXE, may not be reliable [ https://en.wikipedia.org/wiki/Link_time ] -->
+			<TargetObject name="InvDB" condition="contains">Compatibility Assistant\Store\</TargetObject> <!-- Inventory -->
+			<!--Suspicious sources-->
+			<Image name="Suspicious,ImageBeginWithBackslash" condition="end with">regedit.exe</Image> <!--Users and helpdesk staff making system modifications -->
+			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
+		</RegistryEvent>
+	</RuleGroup>
+
+	<RuleGroup name="" groupRelation="or">
+		<RegistryEvent onmatch="exclude">
+		<!--COMMENT:	Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.-->
+		<!--NOTE:	A lot of noise can be removed by excluding CreateKey events, which are largely innocuous-->
+			<TargetObject condition="contains">\{CAFEEFAC-</TargetObject>
+			<EventType condition="is">CreateKey</EventType>
+			<TargetObject condition="begin with">HKLM\COMPONENTS</TargetObject>
+			<!--Inventory noise-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache</TargetObject>
+			<!--Misc-->
+			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
+			<TargetObject condition="end with">Browser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity, covers ShellBrowser and WebBrowser-->
+			<TargetObject condition="end with">Browser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
+			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Windows:Explorer: Extraneous activity-->
+			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
+			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Windows: Sensitive value during domain join-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Windows: Remove noise monitoring installations run as system-->
+			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
+			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Windows: SvcHost Noise-->
+			<!--Bootup Control noise-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid</TargetObject> <!--Windows:lsass.exe: Boot noise-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Windows:lsass.exe: Boot noise--> <!--Win8+-->
+			<!--Services startup settings noise, some low-risk services routinely change it and this can be ignored-->
+			<TargetObject condition="end with">\Services\BITS\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
+			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
+			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
+			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
+			<TargetObject condition="end with">\services\deviceAssociationService\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\fhsvc\Start</TargetObject> <!--Windows: File History Service-->
+			<TargetObject condition="end with">\services\nal\Start</TargetObject> <!--Intel: Network adapter diagnostic driver-->
+			<TargetObject condition="end with">\services\trustedInstaller\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<TargetObject condition="end with">\services\usoSvc\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
+			<!--FileExts noise filtering-->
+			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
+			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
+			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Windows: Remove noise from monitoring "FileExts"-->
+			<TargetObject condition="contains">Shell Extentions\Cached</TargetObject> <!--Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
+			<!--Group Policy noise-->
+			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Windows: Routinely set through Group Policy, not especially important to log-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
+			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it-->
+			<!--SECTION: Office C2R-->
+			<TargetObject condition="contains">VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject> <!--Microsoft: SearchProtocolHost writes to OfficeC2R registry for Outlook, seemingly regarding mail indexing-->
+			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject> <!--Microsoft: Virtual registry for Office-->
+			<!--SECTION: 3rd party-->
+			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
+			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
+			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
+			<!--WINEVT publishers noise-->
+			<TargetObject condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658}</TargetObject> <!--Windows update-->
+		</RegistryEvent>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
+		<!--EVENT 15: "File stream created"-->
+		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
+			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
+			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
+			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
+		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
+		<FileCreateStreamHash onmatch="include">
+			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
+			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
+			<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
+			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
+			<TargetFilename condition="end with">.doc</TargetFilename> <!--Office doc potentially with macro -->
+			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
+			<TargetFilename condition="end with">.jse</TargetFilename> <!--Registry File-->
+			<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file | Credit @ion-storm -->
+			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Office doc potentially with macros-->
+			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell-->
+			<TargetFilename condition="end with">.ps2</TargetFilename> <!--PowerShell-->
+			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
+			<TargetFilename condition="end with">.sct</TargetFilename> <!--Scripting | Credit @bartblaze -->
+			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
+			<TargetFilename condition="end with">.wsc</TargetFilename> <!--Scripting | Credit @bartblaze -->
+			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting | Credit @bartblaze -->
+		</FileCreateStreamHash>
+
+	<RuleGroup name="" groupRelation="or">
+		<FileCreateStreamHash onmatch="exclude">
+		</FileCreateStreamHash>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
+		<!--EVENT 16: "Sysmon config state changed"-->
+		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
+
+		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
+		<!--Cannot be filtered.-->
+
+	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
+		<!--EVENT 17: "Pipe Created"-->
+		<!--EVENT 18: "Pipe Connected"-->
+
+		<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+		<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+
+		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
+		<RuleGroup name="" groupRelation="or">
+			<PipeEvent onmatch="include">
+				<!-- Remote Command Execution Tools -->
+				<PipeName condition="contains any">paexec;remcom;csexec</PipeName>
+				<!-- Password or Credential Dumpers -->
+				<PipeName condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
+				<!-- Malware -->
+				<PipeName condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
+				<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
+				<!-- Cobalt Strike Pipe Names -->
+				<PipeName condition="contains all">MSSE-;-server</PipeName>
+				<PipeName condition="begin with">\postex_</PipeName>
+				<PipeName condition="begin with">\postex_ssh_</PipeName>
+				<PipeName condition="begin with">\status_</PipeName>
+				<PipeName condition="begin with">\msagent_</PipeName>
+			</PipeEvent>
+		</RuleGroup>
+
+	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
+		<!--EVENT 19: "WmiEventFilter activity detected"-->
+		<!--EVENT 20: "WmiEventConsumer activity detected"-->
+		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
+
+		<!--ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ] -->
+		<!--ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ] -->
+
+		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
+	<RuleGroup name="" groupRelation="or">
+		<WmiEvent onmatch="exclude">
+			<!--NOTE: Using exclude with no rules means everything will be logged-->
+		</WmiEvent>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
+		<!--EVENT 22: "Dns query"-->
+
+		<!--NOTE:	Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover. -->
+
+		<!--COMMENT:	DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
+						It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
+						This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer.-->
+
+		<!--OPERATIONS:	Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
+						Search for Group Policy for these browsers to configure this.-->
+
+		<!--OPERATIONS:	Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy.
+				Internet Explorer: https://decentsecurity.com/adblocking-for-internet-explorer-deployment/
+				Chrome: https://decentsecurity.com/ublock-for-google-chrome-deployment/
+				Firefox: ToDo
+						Also note, this configuration is designed for United States computers. Your country's users will may need customization to reduce noise.
+			-->
+
+		<!--CONFIG:	DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing.-->
+		<!--CONFIG:	If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use "END WITH" with leading . or "IS" operators.-->
+		<!--CONFIG:	Be very specific in exclusions. Threat actors use legitimate services, too. Dont exclude all of AWS or Azure or Google or CDNs!-->
+		<!--CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ] -->
+
+		<!--CRITICAL:	Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups.-->
+		<!--CRITICAL:	Do NOT exclude IPv6 lookups.-->
+
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryType, QueryStatus, QueryResults (can't filter on)-->
+
+		<!--BELOW: These domains should not be excluded at the top level. Be specific if you want to reduce noise under them.-->
+		<!-- Rejected: .cloudapp.net, customer content [ https://blogs.technet.microsoft.com/ptsblog/2012/06/18/security-consideration-when-using-cloudapp-net-domain-as-production-environment-in-windows-azure/ ] -->
+		<!-- Rejected: .googleapis.com, customer content [ https://www.zdnet.com/article/this-business-email-scam-spreads-trojans-through-google-cloud-storage/ ] -->
+		<!-- Rejected: .cloudfront.net, customer content -->
+		<!-- Rejected: .windows.net, customer content -->
+		<!-- Rejected: *github.com, customer content, including open-source malware components -->
+
+	<RuleGroup name="" groupRelation="or">
+		<DnsQuery onmatch="exclude">
+			<!--Network noise-->
+			<QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
+			<QueryName condition="end with">.arpa</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
+			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
+			<QueryName condition="is">..localmachine</QueryName>
+			<QueryName condition="is">localhost</QueryName>
+			<!--Microsoft-->
+			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
+			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
+			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
+			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image> <!--Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection -->
+			<!--Microsoft:Office365/AzureAD-->
+			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
+			<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
+			<QueryName condition="end with">.msauth.net</QueryName>
+			<QueryName condition="end with">.msftauth.net</QueryName>
+			<QueryName condition="end with">.office.net</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
+			<QueryName condition="end with">.res.office365.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="is">acdc-direct.office.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="is">atm-fp-direct.office.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="is">loki.delve.office.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<QueryName condition="is">messaging.office.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
+			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<QueryName condition="is">protection.outlook.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="is">substrate.office.com</QueryName> <!--Microsoft: Office-->
+			<QueryName condition="end with">.measure.office.com</QueryName> <!--Microsoft: Office-->
+			<!--3rd-party applications-->
+			<QueryName condition="end with">.adobe.com</QueryName> <!--Adobe-->
+			<QueryName condition="end with">.adobe.io</QueryName> <!--Adobe-->
+			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
+			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.wbx2.com</QueryName> <!--Webex-->
+			<QueryName condition="end with">.webex.com</QueryName> <!--Webex-->
+			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
+			<!--Goodlist CDN-->
+			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.netflix.com</QueryName>
+			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
+			<QueryName condition="is">ajax.googleapis.com</QueryName>
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
+			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
+			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
+			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
+			<QueryName condition="end with">.stackassets.com</QueryName> <!--Stack Overflow-->
+			<QueryName condition="end with">.steamcontent.com</QueryName>
+			<QueryName condition="is">play.google.com</QueryName>
+			<QueryName condition="is">content-autofill.googleapis.com</QueryName>
+			<!--Web resources-->
+			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.fontawesome.com</QueryName>
+			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<!--Ads-->
+			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
+			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.3lift.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
+			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
+			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
+			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
+			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adsymptotic.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.agkn.com</QueryName> <!--Ads | [ https://www.home.neustar/privacy ] -->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
+			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
+			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
+			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
+			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
+			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
+			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.domdex.com</QueryName>
+			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
+			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
+			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
+			<QueryName condition="end with">.everesttech.net</QueryName> <!--Ads | [ https://better.fyi/trackers/everesttech.net/ ] -->
+			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
+			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
+			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
+			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
+			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.krxd.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.lijit.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
+			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.quantcount.com</QueryName>
+			<QueryName condition="end with">.quantserve.com</QueryName>
+			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
+			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
+			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
+			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
+			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.simpli.fi</QueryName>
+			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.tapad.com</QueryName>
+			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
+			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
+			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
+			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
+			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="is">1rx.io</QueryName> <!--Ads-->
+			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
+			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
+			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">www.googletagservices.com</QueryName> <!--Google-->
+			<!--SocialNet-->
+			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
+			<!--OSCP/CRL Common-->
+			<QueryName condition="end with">.amazontrust.com</QueryName>
+			<QueryName condition="end with">.digicert.com</QueryName>
+			<QueryName condition="end with">.globalsign.com</QueryName>
+			<QueryName condition="end with">.globalsign.net</QueryName>
+			<QueryName condition="end with">.intel.com</QueryName>
+			<QueryName condition="end with">.symcb.com</QueryName> <!--Digicert-->
+			<QueryName condition="end with">.symcd.com</QueryName> <!--Digicert-->
+			<QueryName condition="end with">.thawte.com</QueryName>
+			<QueryName condition="end with">.usertrust.com</QueryName>
+			<QueryName condition="end with">.verisign.com</QueryName>
+			<QueryName condition="end with">ocsp.identrust.com</QueryName>
+			<QueryName condition="end with">pki.goog</QueryName>
+			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="is">ocsp.comodoca.com</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="is">ocsp.godaddy.com</QueryName>
+			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
+			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
+			<QueryName condition="end with">pki.goog</QueryName>
+			<QueryName condition="is">ocsp.godaddy.com</QueryName>
+			<QueryName condition="end with">amazontrust.com</QueryName>
+			<QueryName condition="is">ocsp.sectigo.com</QueryName>
+			<QueryName condition="is">pki-goog.l.google.com</QueryName>
+			<QueryName condition="end with">.usertrust.com</QueryName>
+			<QueryName condition="is">ocsp.comodoca.com</QueryName>
+			<QueryName condition="is">ocsp.verisign.com</QueryName>
+			<QueryName condition="is">ocsp.entrust.net</QueryName>
+			<QueryName condition="end with">ocsp.identrust.com</QueryName>
+			<QueryName condition="is">status.rapidssl.com</QueryName>
+			<QueryName condition="is">status.thawte.com</QueryName>
+			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
+		</DnsQuery>
+	</RuleGroup>
+
+	<!--SYSMON EVENT ID 23 : FILE DELETE [FileDelete]-->
+		<!--EVENT 22: "File Delete"-->
+		<!--COMMENT:	Sandbox usage. When a program signals to Windows a file should be deleted or wiped, Sysmon may be able to capture it. 
+			[ https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/ ]
+		-->
+
+		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived -->
+
+	<!--
+	<RuleGroup name="" groupRelation="or">
+		<ClipboardChange onmatch="include">
+		</ClipboardChange>
+	</RuleGroup>
+	-->
+
+	<!--SYSMON EVENT ID 24 : CLIPBOARD EVENT MONITORING [ClipboardChange]-->
+		<!--EVENT 24: "Clipboard changed"-->
+		<!--COMMENT:	Sandbox usage.  Sysmon can capture the contents of clipboard events.
+			An  example of what could be a production usage on restricted desktops is provided below, but it is commented-out. -->
+			
+		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived -->
+
+	<!--
+	<RuleGroup name="" groupRelation="or">
+		<ClipboardChange onmatch="include">
+			<Image condition="end with">wscript.exe</Image>
+			<Image condition="end with">cscript.exe</Image>
+			<Image condition="end with">powershell.exe</Image>
+			<Image condition="end with">rdpclip.exe</Image>
+		</ClipboardChange>
+	</RuleGroup>
+	-->
+
+	<!--SYSMON EVENT ID 25 : PROCESS TAMPERING [ProcessTampering]-->
+		<!--EVENT 25: "Process Tampering"-->
+		<!--COMMENT:	This event is generated when a process image is changed from an external source, such as a different process.
+			This may or may not provide value in your environment as it requires tuning and a SIEM to correlate the ProcessGuids.
+			[ https://medium.com/falconforce/sysmon-13-process-tampering-detection-820366138a6c ] -->
+		
+		<!--DATA: EventType, RuleName, UtcTime, ProcessGuid, ProcessId, Image, Type -->
+	
+	<!--
+	<RuleGroup name="" groupRelation="or">
+		<ProcessTampering onmatch="exclude">
+			<Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image>
+		</ProcessTampering>
+	</RuleGroup>
+	-->
+
+	<!--SYSMON EVENT ID 255 : ERROR-->
+		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
+			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
+			Sysinternals forum or over Twitter (@markrussinovich)."-->
+		<!--Cannot be filtered.-->
+
+	</EventFiltering>
+</Sysmon>
diff --git a/ansible/group_vars/all/connectors.yaml b/ansible/group_vars/all/connectors.yaml
new file mode 100644
index 0000000..b378f0b
--- /dev/null
+++ b/ansible/group_vars/all/connectors.yaml
@@ -0,0 +1,10 @@
+linux_connector                      : "paramiko"
+linux_port                           : "22"
+win_connector                        : "winrm"
+win_port                             : "5985"
+ansible_connection                   : "{{ win_connector }}"
+ansible_user                         : "{{ default_win_username }}"
+ansible_password                     : "{{ default_win_password }}"
+ansible_winrm_transport              : basic
+ansible_port                         : "{{ win_port }}"
+ansible_winrm_server_cert_validation : ignore
diff --git a/ansible/group_vars/all/main.yaml b/ansible/group_vars/all/main.yaml
new file mode 100644
index 0000000..280d0d3
--- /dev/null
+++ b/ansible/group_vars/all/main.yaml
@@ -0,0 +1,57 @@
+proxmox_hostname                : "{{ lookup('ansible.builtin.env', 'proxmox_hostname') }}"
+proxmox_username                : "{{ lookup('ansible.builtin.env', 'proxmox_username') }}"
+proxmox_api_token_id            : "{{ lookup('ansible.builtin.env', 'proxmox_api_token_id') }}"
+proxmox_api_token_secret        : "{{ lookup('ansible.builtin.env', 'proxmox_api_token_secret') }}"
+proxmox_node                    : "{{ lookup('ansible.builtin.env', 'proxmox_node') }}"
+
+default_win_username            : "{{ lookup('ansible.builtin.env', 'windows_username') }}"
+default_win_password            : "{{ lookup('ansible.builtin.env', 'windows_password') }}"
+default_win_safemode_password   : "{{ lookup('ansible.builtin.env', 'windows_safemode_password') }}"
+default_win_user_password       : "{{ lookup('ansible.builtin.env', 'windows_user_password') }}"
+default_win_svc_password        : "{{ lookup('ansible.builtin.env', 'windows_svc_password') }}"
+
+default_linux_username          : "{{ lookup('ansible.builtin.env', 'linux_username') }}"
+default_linux_password          : "{{ lookup('ansible.builtin.env', 'linux_password') }}"
+
+windows_server_template_id      : "{{ lookup('ansible.builtin.env', 'windows_server_template_id') }}"
+windows_server_template_name    : "{{ lookup('ansible.builtin.env', 'windows_server_template_name') }}"
+windows_desktop_template_id     : "{{ lookup('ansible.builtin.env', 'windows_desktop_template_id') }}"
+windows_desktop_template_name   : "{{ lookup('ansible.builtin.env', 'windows_desktop_template_name') }}"
+linux_server_template_id        : "{{ lookup('ansible.builtin.env', 'linux_server_template_id') }}"
+linux_server_template_name      : "{{ lookup('ansible.builtin.env', 'linux_server_template_name') }}"
+kali_template_id                : "{{ lookup('ansible.builtin.env', 'kali_template_id') }}"
+kali_template_name              : "{{ lookup('ansible.builtin.env', 'kali_template_name') }}"
+
+main_domain_name                : "{{ lookup('ansible.builtin.env', 'main_domain_name') }}"
+tree_domain_name                : "{{ lookup('ansible.builtin.env', 'tree_domain_name') }}"
+child_domain_name               : "{{ lookup('ansible.builtin.env', 'child_domain_name') }}"
+main_dc01_hostname              : "{{ lookup('ansible.builtin.env', 'main_dc01_hostname') }}" 
+main_dc01_vmid                  : "{{ lookup('ansible.builtin.env', 'main_dc01_vmid') }}" 
+tree_dc02_hostname              : "{{ lookup('ansible.builtin.env', 'tree_dc02_hostname') }}" 
+tree_dc02_vmid                  : "{{ lookup('ansible.builtin.env', 'tree_dc02_vmid') }}" 
+child_dc03_hostname             : "{{ lookup('ansible.builtin.env', 'child_dc03_hostname') }}" 
+child_dc03_vmid                 : "{{ lookup('ansible.builtin.env', 'child_dc03_vmid') }}" 
+main_mssql01_hostname           : "{{ lookup('ansible.builtin.env', 'main_mssql01_hostname') }}"
+main_mssql01_vmid               : "{{ lookup('ansible.builtin.env', 'main_mssql01_vmid') }}"
+main_mssql02_hostname           : "{{ lookup('ansible.builtin.env', 'main_mssql02_hostname') }}"
+main_mssql02_vmid               : "{{ lookup('ansible.builtin.env', 'main_mssql02_vmid') }}"
+main_web01_hostname             : "{{ lookup('ansible.builtin.env', 'main_web01_hostname') }}"
+main_web01_vmid                 : "{{ lookup('ansible.builtin.env', 'main_web01_vmid') }}"
+main_adcs01_hostname            : "{{ lookup('ansible.builtin.env', 'main_adcs01_hostname') }}"
+main_adcs01_vmid                : "{{ lookup('ansible.builtin.env', 'main_adcs01_vmid') }}"
+main_linux_srv01_hostname       : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_hostname') }}"
+main_linux_srv01_vmid           : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_vmid') }}"
+kali_attackbox_hostname         : "{{ lookup('ansible.builtin.env', 'kali_attackbox_hostname') }}"
+kali_attackbox_vmid             : "{{ lookup('ansible.builtin.env', 'kali_attackbox_vmid') }}"
+
+main_dc01_ip_address            : "{{ lookup('ansible.builtin.env', 'main_dc01_ip_address') }}"
+tree_dc02_ip_address            : "{{ lookup('ansible.builtin.env', 'tree_dc02_ip_address') }}"
+child_dc03_ip_address           : "{{ lookup('ansible.builtin.env', 'child_dc03_ip_address') }}"
+main_mssql01_ip_address         : "{{ lookup('ansible.builtin.env', 'main_mssql01_ip_address') }}"
+main_mssql02_ip_address         : "{{ lookup('ansible.builtin.env', 'main_mssql02_ip_address') }}"
+main_web01_ip_address           : "{{ lookup('ansible.builtin.env', 'main_web01_ip_address') }}"
+main_adcs01_ip_address          : "{{ lookup('ansible.builtin.env', 'main_adcs01_ip_address') }}"
+main_workstation01_ip_address   : "{{ lookup('ansible.builtin.env', 'main_workstation01_ip_address') }}"
+main_linux_srv01_ip_address     : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_ip_address') }}"
+kali_attackbox_ip_address       : "{{ lookup('ansible.builtin.env', 'kali_attackbox_ip_address') }}"
+network_gateway                 : "{{ lookup('ansible.builtin.env', 'network_gateway') }}"
diff --git a/ansible/main.yaml b/ansible/main.yaml
new file mode 100644
index 0000000..cb46c17
--- /dev/null
+++ b/ansible/main.yaml
@@ -0,0 +1,45 @@
+- name: deploy active directory range on proxmox
+  hosts: localhost
+  gather_facts: no
+  tasks:
+    - name: deploy main domain vm on proxmox
+      include_role:
+        name: proxmox_vm
+      vars:
+        template: "{{ windows_server_template_name }}"
+        id: "{{ windows_server_template_id }}"
+        vm: "{{ main_dc01_hostname }}"
+        newid: "{{ main_dc01_vmid }}"
+        vmid: "{{ main_dc01_vmid }}"
+        ip: "{{ main_dc01_ip_address }}"
+        gateway: "{{ network_gateway }}"
+        dns: "8.8.8.8"
+        hostname: "{{ main_dc01_hostname }}"
+        domain: "{{ main_domain_name }}"
+        fqdn: "{{ main_dc01_hostname }}.{{ main_domain_name }}"
+
+    - name: add windows vm to in-memory inventory
+      add_host:
+        name: "{{ main_dc01_hostname }}.{{ main_domain_name }}"
+        ansible_host: "{{ main_dc01_ip_address }}"
+        ansible_connection: "{{ win_connector }}"
+        ansible_user: "{{ default_win_username }}"
+        ansible_password: "{{ default_win_password }}"
+        ansible_port: "{{ win_port }}"
+        ansible_winrm_transport: basic
+        ansible_winrm_server_cert_validation: ignore
+      changed_when: false
+
+- name: configure windows domain controller
+  hosts: "{{ main_dc01_hostname }}.{{ main_domain_name }}"
+  gather_facts: no
+  vars_files:
+    - group_vars/all/connectors.yaml
+    - group_vars/all/main.yaml
+  tasks:
+    - name: configure windows dc
+      include_role:
+        name: dc01
+      vars:
+        hostname: "{{ main_dc01_hostname }}"
+        domain_name: "{{ main_domain_name }}"
diff --git a/ansible/roles/dc01/tasks/cleanup.yaml b/ansible/roles/dc01/tasks/cleanup.yaml
new file mode 100644
index 0000000..e30df58
--- /dev/null
+++ b/ansible/roles/dc01/tasks/cleanup.yaml
@@ -0,0 +1,3 @@
+- name: "{{ ansible_host }}: execute cleanup.ps1"
+  ansible.windows.win_powershell:
+    script: C:\scripts\cleanup.ps1
diff --git a/ansible/roles/dc01/tasks/init.yaml b/ansible/roles/dc01/tasks/init.yaml
new file mode 100644
index 0000000..afd2820
--- /dev/null
+++ b/ansible/roles/dc01/tasks/init.yaml
@@ -0,0 +1,3 @@
+- name: "{{ ansible_host }}: execute init.ps1"
+  ansible.windows.win_powershell:
+    script: C:\scripts\init.ps1
diff --git a/ansible/roles/dc01/tasks/install_software.yaml b/ansible/roles/dc01/tasks/install_software.yaml
new file mode 100644
index 0000000..4c43d2b
--- /dev/null
+++ b/ansible/roles/dc01/tasks/install_software.yaml
@@ -0,0 +1,3 @@
+- name: "{{ ansible_host }}: execute install-software.ps1"
+  ansible.windows.win_powershell:
+    script: C:\scripts\install-software.ps1
diff --git a/ansible/roles/dc01/tasks/main.yaml b/ansible/roles/dc01/tasks/main.yaml
new file mode 100644
index 0000000..2ce79c9
--- /dev/null
+++ b/ansible/roles/dc01/tasks/main.yaml
@@ -0,0 +1,41 @@
+- name: wait for winrm to be available
+  ansible.builtin.wait_for:
+    host: "{{ ansible_host }}"
+    port: "{{ ansible_port }}"
+    timeout: 300
+  delegate_to: localhost
+  vars:
+    ansible_connection: local
+
+- name: execute init.ps1
+  import_tasks: init.yaml
+
+- name: set hostname
+  import_tasks: set_hostname.yaml
+
+- name: reboot after hostname change
+  import_tasks: reboot.yaml
+
+- name: execute setup-main-domain.ps1
+  import_tasks: setup_domain.yaml
+
+- name: reboot after domain setup
+  import_tasks: reboot.yaml
+
+- name: execute dc-wait-for-ready.ps1
+  import_tasks: wait_for_ready.yaml
+
+- name: execute populate-ad.ps1
+  import_tasks: populate_ad.yaml
+
+- name: execute setup-gpo.ps1 as domain admin
+  import_tasks: setup_gpo.yaml
+
+- name: reboot after gpo setup
+  import_tasks: reboot.yaml
+
+- name: execute install-software.ps1
+  import_tasks: install_software.yaml
+
+- name: execute cleanup.ps1
+  import_tasks: cleanup.yaml
diff --git a/ansible/roles/dc01/tasks/populate_ad.yaml b/ansible/roles/dc01/tasks/populate_ad.yaml
new file mode 100644
index 0000000..1cc0308
--- /dev/null
+++ b/ansible/roles/dc01/tasks/populate_ad.yaml
@@ -0,0 +1,7 @@
+- name: "{{ ansible_host }}: execute populate-ad.ps1"
+  ansible.windows.win_powershell:
+    script: C:\scripts\populate-ad.ps1
+    parameters:
+      DomainName: "{{ domain_name }}"
+      UserPassword: "{{ default_win_user_password }}"
+      SvcPassword: "{{ default_win_svc_password }}"
diff --git a/ansible/roles/dc01/tasks/reboot.yaml b/ansible/roles/dc01/tasks/reboot.yaml
new file mode 100644
index 0000000..6c17c3d
--- /dev/null
+++ b/ansible/roles/dc01/tasks/reboot.yaml
@@ -0,0 +1,3 @@
+- name: "{{ ansible_host }}: reboot"
+  ansible.windows.win_reboot:
+    reboot_timeout: 3600
diff --git a/ansible/roles/dc01/tasks/set_hostname.yaml b/ansible/roles/dc01/tasks/set_hostname.yaml
new file mode 100644
index 0000000..7cca168
--- /dev/null
+++ b/ansible/roles/dc01/tasks/set_hostname.yaml
@@ -0,0 +1,2 @@
+- name: "{{ ansible_host }}: set hostname"
+  ansible.windows.win_shell: Rename-Computer -NewName "{{ hostname }}" -Force
diff --git a/ansible/roles/dc01/tasks/setup_domain.yaml b/ansible/roles/dc01/tasks/setup_domain.yaml
new file mode 100644
index 0000000..43fcfc4
--- /dev/null
+++ b/ansible/roles/dc01/tasks/setup_domain.yaml
@@ -0,0 +1,6 @@
+- name: "{{ ansible_host }}: execute setup-main-domain.ps1"
+  ansible.windows.win_powershell:
+    script: C:\scripts\setup-main-domain.ps1
+    parameters:
+      DomainName: "{{ domain_name }}"
+      SafeModePassword: "{{ default_win_safemode_password }}"
diff --git a/ansible/roles/dc01/tasks/setup_gpo.yaml b/ansible/roles/dc01/tasks/setup_gpo.yaml
new file mode 100644
index 0000000..aa84237
--- /dev/null
+++ b/ansible/roles/dc01/tasks/setup_gpo.yaml
@@ -0,0 +1,7 @@
+- name: "{{ ansible_host }}: execute setup-gpo.ps1 as domain admin"
+  ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-gpo.ps1 -DomainName "{{ domain_name }}"
+  become: yes
+  become_method: runas
+  become_user: "{{ domain_name }}\\Administrator"
+  vars:
+    ansible_become_password: "{{ default_win_password }}"
diff --git a/ansible/roles/dc01/tasks/wait_for_ready.yaml b/ansible/roles/dc01/tasks/wait_for_ready.yaml
new file mode 100644
index 0000000..c43431c
--- /dev/null
+++ b/ansible/roles/dc01/tasks/wait_for_ready.yaml
@@ -0,0 +1,3 @@
+- name: "{{ ansible_host }}: execute dc-wait-for-ready.ps1"
+  ansible.windows.win_powershell:
+    script: C:\scripts\dc-wait-for-ready.ps1
diff --git a/ansible/roles/proxmox_vm/tasks/create_vm.yaml b/ansible/roles/proxmox_vm/tasks/create_vm.yaml
new file mode 100644
index 0000000..21645b9
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/create_vm.yaml
@@ -0,0 +1,16 @@
+---
+- name: "create vm from template"
+  community.general.proxmox_kvm:
+    api_host: "{{ proxmox_hostname }}"
+    api_user: "{{ proxmox_username }}"
+    api_token_id: "{{ proxmox_api_token_id }}"
+    api_token_secret: "{{ proxmox_api_token_secret }}"
+    node: "{{ proxmox_node }}"
+    clone: "{{ template }}"
+    vmid: "{{ id }}"
+    newid: "{{ newid | int }}"
+    name: "{{ vm }}"
+    full: true
+    storage: "local-lvm"
+    timeout: 1337
+  register: clone_result
diff --git a/ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml b/ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml
new file mode 100644
index 0000000..df6da92
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml
@@ -0,0 +1,12 @@
+---
+- name: "vmid {{ clone_result.vmid }}: enabling qemu guest agent via proxmox api"
+  uri:
+    url: "https://{{ proxmox_hostname }}:8006/api2/json/nodes/{{ proxmox_node }}/qemu/{{ clone_result.vmid }}/config"
+    method: PUT
+    headers:
+      Authorization: "PVEAPIToken={{ proxmox_username }}!{{ proxmox_api_token_id }}={{ proxmox_api_token_secret }}"
+    body:
+      agent: 1
+    body_format: json
+    validate_certs: no
+  
diff --git a/ansible/roles/proxmox_vm/tasks/get_ip.yaml b/ansible/roles/proxmox_vm/tasks/get_ip.yaml
new file mode 100644
index 0000000..584b44d
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/get_ip.yaml
@@ -0,0 +1,29 @@
+---
+- name: "vmid {{ clone_result.vmid }}: getting config via proxmox api"
+  set_fact:
+    vm_config: "{{ lookup('url', config_url, validate_certs=False, headers=config_headers) }}"
+  vars:
+    config_url: "https://{{ proxmox_hostname }}:8006/api2/json/nodes/{{ proxmox_node }}/qemu/{{ clone_result.vmid }}/agent/network-get-interfaces"
+    config_headers:
+      Authorization: "PVEAPIToken={{ proxmox_username }}!{{ proxmox_api_token_id }}={{ proxmox_api_token_secret }}"
+
+- name: "vmid {{ clone_result.vmid }}: extracting ipv4 address"
+  set_fact:
+    vm_ip: >-
+      {{
+        vm_config['data']['result']
+        | map(attribute='ip-addresses')
+        | flatten
+        | selectattr("ip-address-type", "equalto", "ipv4")
+        | selectattr("ip-address", "ne", "127.0.0.1")
+        | map(attribute="ip-address")
+        | first
+      }}
+
+- name: "vmid {{ clone_result.vmid }}: ip address result"
+  ansible.builtin.debug:
+    msg: "vmid {{ clone_result.vmid }} ip address is {{ vm_ip }}"
+
+- name: "vmid {{ clone_result.vmid }}: set ip to {{ vm_ip }}"
+  set_fact:
+    ansible_host: "{{ vm_ip }}"
diff --git a/ansible/roles/proxmox_vm/tasks/main.yaml b/ansible/roles/proxmox_vm/tasks/main.yaml
new file mode 100644
index 0000000..c6abe93
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/main.yaml
@@ -0,0 +1,17 @@
+- name: create vm from template
+  import_tasks: create_vm.yaml
+
+- name: enable qemu guest agent
+  import_tasks: enable_qemu_guest_agent.yaml
+
+- name: start vm
+  import_tasks: start_vm.yaml
+
+- name: get vm ip address
+  import_tasks: get_ip.yaml
+
+- name: set vm network configuration
+  import_tasks: set_network.yaml
+
+- name: upload files to vm
+  import_tasks: upload_files.yaml
diff --git a/ansible/roles/proxmox_vm/tasks/set_network.yaml b/ansible/roles/proxmox_vm/tasks/set_network.yaml
new file mode 100644
index 0000000..20ab31c
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/set_network.yaml
@@ -0,0 +1,20 @@
+---
+- name: "vmid {{ clone_result.vmid }}: set up static ip address"
+  win_shell: |
+    Start-Transcript -Path C:\set_domain_network_log.txt -Append
+    Get-NetIpAddress -InterfaceAlias 'Ethernet' | Remove-NetIPAddress -Confirm:$false
+    New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress "{{ ip }}" -PrefixLength 24 -DefaultGateway "{{ gateway }}"
+    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses "{{ dns }}"
+    Get-NetConnectionProfile -InterfaceAlias 'Ethernet' | Set-NetConnectionProfile -NetworkCategory Private
+    Stop-Transcript
+  async: 15
+  poll: 0
+  delegate_to: "{{ vm_ip }}"
+
+- name: "vmid {{ clone_result.vmid }}: update ip to {{ ip }}"
+  set_fact:
+    ansible_host: "{{ ip }}"
+
+- name: "vmid {{ clone_result.vmid }}: pause execution for 1 minute to allow ip change and reconnect"
+  pause:
+    minutes: 1
diff --git a/ansible/roles/proxmox_vm/tasks/start_vm.yaml b/ansible/roles/proxmox_vm/tasks/start_vm.yaml
new file mode 100644
index 0000000..f2ed036
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/start_vm.yaml
@@ -0,0 +1,13 @@
+- name: "start vm"
+  community.general.proxmox_kvm:
+    api_host: "{{ proxmox_hostname }}"
+    api_user: "{{ proxmox_username }}"
+    api_token_id: "{{ proxmox_api_token_id }}"
+    api_token_secret: "{{ proxmox_api_token_secret }}"
+    node: "{{ proxmox_node }}"
+    vmid: "{{ vmid | int }}"
+    state: started
+
+- name: "pause execution for 3 minutes to allow vm to fully boot"
+  pause:
+    minutes: 3
diff --git a/ansible/roles/proxmox_vm/tasks/upload_files.yaml b/ansible/roles/proxmox_vm/tasks/upload_files.yaml
new file mode 100644
index 0000000..651d203
--- /dev/null
+++ b/ansible/roles/proxmox_vm/tasks/upload_files.yaml
@@ -0,0 +1,9 @@
+---
+- name: "upload directories"
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  loop:
+    - { src: ../../../scripts/, dest: C:\scripts\ }
+    - { src: ../../../files/software/, dest: C:\software\ }
+  delegate_to: "{{ ansible_host }}"
diff --git a/ansible/scripts/cleanup.ps1 b/ansible/scripts/cleanup.ps1
new file mode 100644
index 0000000..8ac42bf
--- /dev/null
+++ b/ansible/scripts/cleanup.ps1
@@ -0,0 +1,9 @@
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+Remove-Item -Path C:\tmp -Recurse -Force
+Remove-Item -Path C:\setup -Recurse -Force
+Remove-Item -Path C:\scripts -Recurse -Force
+Remove-Item -Path C:\software -Recurse -Force
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/dc-wait-for-ready.ps1 b/ansible/scripts/dc-wait-for-ready.ps1
new file mode 100644
index 0000000..afdf8ee
--- /dev/null
+++ b/ansible/scripts/dc-wait-for-ready.ps1
@@ -0,0 +1,17 @@
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+while ($true) {
+    try {
+        Write-Host "[INFO] Checking if domain is ready"
+        Get-ADDomain
+        break
+    } catch {
+        Write-Host "[INFO] Sleeping for 60s"
+        Start-Sleep -Seconds 60
+    }
+}
+
+Write-Host "[INFO] Domain is ready"
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/init.ps1 b/ansible/scripts/init.ps1
new file mode 100644
index 0000000..d6b9ff7
--- /dev/null
+++ b/ansible/scripts/init.ps1
@@ -0,0 +1,10 @@
+New-Item -Path C:\Logs -ItemType Directory -Force
+New-Item -Path C:\BgInfo -ItemType Directory -Force
+New-Item -Path C:\setup -ItemType Directory -Force
+
+Write-Host "[INFO] Disabling password complexity policy"
+secedit /export /cfg C:\secpol.cfg
+(Get-Content C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
+secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
+Remove-Item -Force C:\secpol.cfg -Confirm:$false
+
diff --git a/ansible/scripts/install-software.ps1 b/ansible/scripts/install-software.ps1
new file mode 100644
index 0000000..db0f10d
--- /dev/null
+++ b/ansible/scripts/install-software.ps1
@@ -0,0 +1,10 @@
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
+Start-Process -FilePath "C:\software\Sysmon64.exe" -ArgumentList "-accepteula -i C:\software\sysmonconfig-export.xml" -Wait -Verbose
+Start-Process -FilePath "C:\Windows\System32\MsiExec.exe" -ArgumentList "/i C:\software\googlechromestandaloneenterprise64.msi /qb" -Wait -Verbose
+Start-Process -FilePath "C:\software\npp.exe" -ArgumentList "/S" -Wait -Verbose
+[Microsoft.Win32.Registry]::SetValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "bginfo", "C:\BgInfo\Bginfo.exe C:\BgInfo\BgInfo.bgi /timer:00 /nolicprompt /silent")
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/join-domain.ps1 b/ansible/scripts/join-domain.ps1
new file mode 100644
index 0000000..08c90b2
--- /dev/null
+++ b/ansible/scripts/join-domain.ps1
@@ -0,0 +1,14 @@
+param
+(
+    [string]$DomainName = "contoso.com",
+    [string]$Username   = "Administrator",
+    [string]$Password   = "packer"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\$scriptName_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$p = ConvertTo-SecureString $Password -AsPlainText -Force
+$c = New-Object System.Management.Automation.PSCredential($Username, $p)
+Add-Computer -DomainName $DomainName -Credential $c
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/join-domain.sh b/ansible/scripts/join-domain.sh
new file mode 100644
index 0000000..24c87b0
--- /dev/null
+++ b/ansible/scripts/join-domain.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+[[ $EUID -ne 0 ]] && printf "%s\n" "run as root" && exit 1
+
+while getopts "d:n:p:" arg; do
+    case $arg in
+        d) domain="${OPTARG}";;
+        n) nameserver="${OPTARG}";;
+        p) password="${OPTARG}";;
+    esac
+done
+
+DEBIAN_FRONTEND=noninteractive apt-get update -yqq &>/dev/null
+DEBIAN_FRONTEND=noninteractive apt-get install -yqq realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user &>/dev/null
+DEBIAN_FRONTEND=noninteractive apt-get autoremove --purge -yqq &>/dev/null
+DEBIAN_FRONTEND=noninteractive apt-get clean &>/dev/null
+DEBIAN_FRONTEND=noninteractive apt-get autoclean &>/dev/null
+
+if systemctl is-active systemd-resolved; then
+    systemctl disable --now systemd-resolved --no-pager
+    systemctl mask systemd-resolved --no-pager
+fi
+
+rm -rf /etc/resolv.conf
+cat > /etc/resolv.conf << EOF
+nameserver ${nameserver}
+EOF
+chattr +i /etc/resolv.conf
+
+if realm discover $domain; then
+    echo $password | realm join $domain
+    printf "%s\n" "[INFO] Joined ${domain}"
+else
+    printf "%s\n" "[ERR] Failed to discover ${domain}"
+fi
+
+mkdir -p /usr/share/pam-configs &>/dev/null
+cat > /usr/share/pam-configs/mkhomedir << EOF
+Name: Create home directory on login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        optional                        pam_mkhomedir.so
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable mkhomedir
diff --git a/ansible/scripts/populate-ad.ps1 b/ansible/scripts/populate-ad.ps1
new file mode 100644
index 0000000..0b57c77
--- /dev/null
+++ b/ansible/scripts/populate-ad.ps1
@@ -0,0 +1,318 @@
+param
+(
+    [string]$DomainName          = "contoso.com",
+    [string]$FunctionalLevel     = "WinThreshold",
+    [string]$UserPassword        = "User1234!",
+    [string]$ServiceUserPassword = "Svc1234!"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$DomainNameDN        = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])"
+$DomainOU            = $DomainName.Split(".")[0]
+$UsersOU             = "Users"
+$ComputersOU         = "Computers"
+$ServiceAccountsOU   = "Service Accounts"
+
+Function Get-RandomObject {
+    [CmdletBinding()]
+    param(
+        [Parameter()]
+        [switch]$User,
+        [Parameter()]
+        [switch]$Computer
+    )
+
+    if ($User) {
+        return (Get-ADUser -Filter 'Description -notlike "*"' -SearchBase "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" -Properties Description | Get-Random)
+    }
+
+    if ($Computer) {
+        return (Get-ADComputer -Filter 'Description -notlike "*"' -SearchBase "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" -Properties Description | Get-Random)
+    }
+}
+
+Function SetAcl($for, $to, $right, $inheritance)
+{
+    Set-Location AD:
+    $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
+    $objOU = ($to).DistinguishedName
+    $objAcl = get-acl $objOU
+    $adRight =  [System.DirectoryServices.ActiveDirectoryRights] $right
+    $type =  [System.Security.AccessControl.AccessControlType] "Allow"
+    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
+    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$inheritanceType
+    $objAcl.AddAccessRule($ace)
+    Set-Acl -AclObject $objAcl -path $objOU
+    Set-ADObject $for -Description "$right on $($to | Select-Object -ExpandProperty Name)"
+    Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right on this object"
+}
+
+Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance)
+{
+    Set-Location AD:
+    $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
+    $objOU = ($to).DistinguishedName
+    $objAcl = get-acl $objOU
+    $adRight =  [System.DirectoryServices.ActiveDirectoryRights] $right
+    $type =  [System.Security.AccessControl.AccessControlType] "Allow"
+    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
+    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$extendedRightGUID,$inheritanceType
+    $objAcl.AddAccessRule($ace)
+    Set-Acl -AclObject $objAcl -path $objOU
+    Set-ADObject $for -Description "$right, $extendedRightGUID on $($to | Select-Object -ExpandProperty Name)"
+    Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right, $extendedRightGUID on this object"
+}
+
+Write-Host "[INFO] Setting weak NTLM compatibility level"
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 1 -Force
+
+If (-Not (Get-ADOrganizationalUnit -SearchBase "$DomainNameDN" -Filter "Name -like '$DomainOU'")) {
+    New-ADOrganizationalUnit -Name "$DomainOU" -Path "$DomainNameDN"
+}
+
+if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$UsersOU'")) {
+    New-ADOrganizationalUnit -Name "$UsersOU" -Path "OU=$DomainOU,$DomainNameDN"
+}
+
+if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$ComputersOU'")) {
+    New-ADOrganizationalUnit -Name "$ComputersOU" -Path "OU=$DomainOU,$DomainNameDN"
+}
+
+if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$ServiceAccountsOU'")) {
+    New-ADOrganizationalUnit -Name "$ServiceAccountsOU" -Path "OU=$DomainOU,$DomainNameDN"
+}
+
+$users = @("michael","christopher","jessica","matthew","ashley","jennifer","joshua","amanda","daniel","david","james","robert","john","joseph","andrew","ryan","brandon","jason","justin","sarah","william","jonathan","stephanie","brian","nicole","nicholas","anthony","heather","eric","elizabeth","adam","megan","melissa","kevin","steven","thomas","timothy","christina","kyle","rachel","laura","lauren","amber","brittany","danielle","richard","kimberly","jeffrey","amy","crystal","michelle","tiffany","jeremy","benjamin","mark","emily","aaron","charles","rebecca","jacob","stephen","patrick","sean","erin","zachary","jamie","kelly","samantha","nathan","sara","dustin","paul","angela","tyler","scott","katherine","andrea","gregory","erica","mary","travis","lisa","kenneth","bryan","lindsey","kristen","jose","alexander","jesse","katie","lindsay","shannon","vanessa","courtney","christine","alicia","cody","allison","bradley","samuel")
+
+$created_users = @()
+ForEach ($user in $users) {
+    try {
+        New-ADUser -Name "$user" `
+            -SamAccountName "$user" `
+            -EmailAddress "$user@$($DomainName.ToLower())" `
+            -Path "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" `
+            -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) `
+            -Enabled $true `
+            -PasswordNeverExpires $true
+        $created_users += $user
+    } catch {
+        Write-Host "[ERR] Failed to create user $user"
+    }
+}
+
+Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" }
+Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" }
+
+Write-Host "[INFO] Created users: $($created_users -Join ', ')"
+
+$created_computers = @()
+1..20 | % {
+    $servers = @("srv", "sql", "smb")
+    ForEach ($server in $servers) {
+        try {
+            New-ADComputer -SamAccountName "$server$_" -Name "$server$_" -DNSHostName "$server$_.$DomainName" -Path "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN"
+            $created_computers += $server
+        } catch {
+            Write-Host "[ERR] Failed to create server $server$_"
+        }
+    }
+}
+
+Write-Host "[INFO] Created computers: $($created_computers -Join ', ')"
+
+$svc_users = @{
+    "svc_mssql01"           = @{"type" = "spn"; "value" = "MSSQLSVC"}
+    "svc_mssql02"           = @{"type" = "spn"; "value" = "MSSQLSVC"}
+    "svc_cifs01"            = @{"type" = "spn"; "value" = "CIFS"}
+    "svc_cifs02"            = @{"type" = "spn"; "value" = "CIFS"}
+    "svc_iis01"             = @{"type" = "spn"; "value" = "HTTP"}
+    "svc_iis02"             = @{"type" = "spn"; "value" = "HTTP"}
+    "svc_backup01"          = @{"type" = "group"; "value" = "Backup Operators"}
+    "svc_backup02"          = @{"type" = "group"; "value" = "Backup Operators"}
+    "svc_dns01"             = @{"type" = "group"; "value" = "DnsAdmins"}
+    "svc_dns02"             = @{"type" = "group"; "value" = "DnsAdmins"}
+    "svc_srvoperator01"     = @{"type" = "group"; "value" = "Server Operators"}
+    "svc_srvoperator02"     = @{"type" = "group"; "value" = "Server Operators"}
+    "svc_evtvwr01"          = @{"type" = "group"; "value" = "Event Log Readers"}
+    "svc_evtvwr02"          = @{"type" = "group"; "value" = "Event Log Readers"}
+    "svc_acctoperator01"    = @{"type" = "group"; "value" = "Account Operators"}
+    "svc_acctoperator02"    = @{"type" = "group"; "value" = "Account Operators"}
+    "svc_printoperator01"   = @{"type" = "group"; "value" = "Print Operators"}
+    "svc_printoperator02"   = @{"type" = "group"; "value" = "Print Operators"}
+    "svc_mgmtuser01"        = @{"type" = "group"; "value" = "Remote Management Users"}
+    "svc_mgmtuser02"        = @{"type" = "group"; "value" = "Remote Management Users"}
+}
+
+$created_svc_users = @()
+ForEach ($user in $svc_users.keys) {
+    $type   = $svc_users[$user]["type"]
+    $value  = $svc_users[$user]["value"]
+
+    Switch ("$type") {
+        "spn" {
+            try {
+                $comp = (Get-RandomObject -Computer | Select-Object -ExpandProperty DNSHostName)
+                $u = New-ADUser -Name "$user" `
+                    -SamAccountName "$user" `
+                    -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) `
+                    -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" `
+                    -Enabled $true `
+                    -PasswordNeverExpires $true `
+                    -PassThru
+                Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="$value/$comp"}
+                Set-ADObject $u -Description "SPN on $value/$comp"
+
+                $created_svc_users += "$user ($value/$comp)"
+            } catch {
+                Write-Host "[ERR] Failed to create $value/$comp for $user"
+            }
+        }
+        "group" {
+            try {
+                $u = New-ADUser -Name "$user" `
+                    -SamAccountName "$user" `
+                    -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) `
+                    -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" `
+                    -Enabled $true `
+                    -PasswordNeverExpires $true `
+                    -PassThru
+                Add-ADGroupMember -Identity "$value" -Members $u
+                Set-ADObject $u -Description "member of $value"
+                
+                $created_svc_users += "$user ($value)"
+            } catch {
+                Write-Host "[ERR] Failed to add $user to $value"
+            }
+        }
+    }
+}
+
+Write-Host "[INFO] Created svc users: $($created_svc_users -Join ', ')"
+
+$dcsync_user = Get-RandomObject -User
+$acl = Get-Acl -Path "AD:$DomainNameDN"
+$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $dcsync_user).SID
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+    -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+    -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")))
+Set-Acl -Path "AD:$DomainNameDN" -AclObject $acl
+Set-ADObject $dcsync_user -Description "DCSync rights on $DomainName"
+
+$adminsdholder_user = Get-RandomObject -User
+$adminsdholder = "CN=AdminSDHolder,CN=System,$DomainNameDN"
+$acl = Get-Acl -Path "AD:$adminsdholder"
+$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $adminsdholder_user).SID
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+    -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, [System.Security.AccessControl.AccessControlType]::Allow)))
+Set-Acl -Path "AD:$adminsdholder" -AclObject $acl
+Set-ADObject $adminsdholder_user -Description "GenericAll on AdminSDHolder"
+
+Write-Host "[INFO] Configuring anonymous LDAP binding via dsHeuristics for contoso.com"
+$rootDSE = Get-ADRootDSE
+$configNC = $rootDSE.ConfigurationNamingContext
+$directoryServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
+$directoryService = Get-ADObject -Identity $directoryServicePath -Properties dsHeuristics
+$currentHeuristics = $directoryService.dsHeuristics
+$newHeuristics = "0000002"
+Write-Host "[INFO] Overwriting dsHeuristics with '0000002'"
+Set-ADObject -Identity $directoryServicePath `
+    -Replace @{"dsHeuristics" = $newHeuristics} `
+    -Description "Anonymous LDAP enabled for contoso.com" `
+    -ErrorAction Stop
+Write-Host "[INFO] Successfully set dsHeuristics to '$newHeuristics'"
+
+Set-ADDomain -Identity $DomainName -Replace @{"ms-DS-MachineAccountQuota"=50}
+
+$dc = (Get-ADDomainController | Select-Object -ExpandProperty HostName)
+$u = New-ADUser -Name "svc_iis03" `
+    -SamAccountName "svc_iis03" `
+    -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" `
+    -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) `
+    -Enabled $true `
+    -PasswordNeverExpires $true `
+    -PassThru
+Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="HTTP/web01"}
+Set-ADObject $u -Description "SPN on HTTP/web01"
+
+$genericAllUserSrc = Get-RandomObject -User
+$genericAllUserTgt = Get-RandomObject -User
+SetAcl $genericAllUserSrc $genericAllUserTgt "GenericAll" "None"
+Set-ADObject $genericAllUserSrc -Description "User with GenericAll rights over $($genericAllUserTgt.Name)"
+
+$genericAllDomainAdminsSrc = Get-RandomObject -User
+$domainAdminsGroup = Get-ADGroup "Domain Admins"
+SetAcl $genericAllDomainAdminsSrc $domainAdminsGroup "GenericAll" "None"
+Set-ADObject $genericAllDomainAdminsSrc -Description "User with GenericAll rights over Domain Admins group"
+
+$genericAllComputerSrc = Get-RandomObject -User
+$genericAllComputerTgt = Get-RandomObject -Computer
+SetAcl $genericAllComputerSrc $genericAllComputerTgt "GenericAll" "None"
+Set-ADObject $genericAllComputerSrc -Description "User with GenericAll rights over computer $($genericAllComputerTgt.Name)"
+
+$writePropertyDomainAdminsSrc = Get-RandomObject -User
+SetAcl $writePropertyDomainAdminsSrc $domainAdminsGroup "WriteProperty" "All"
+Set-ADObject $writePropertyDomainAdminsSrc -Description "User with WriteProperty rights over Domain Admins group (all properties)"
+
+$selfDomainAdminsSrc = Get-RandomObject -User
+SetAclExtended $selfDomainAdminsSrc $domainAdminsGroup "Self" "bf9679c0-0de6-11d0-a285-00aa003049e2" "None"
+Set-ADObject $selfDomainAdminsSrc -Description "User with Self membership control over Domain Admins group"
+
+$writePropertyExtDomainAdminsSrc = Get-RandomObject -User
+SetAclExtended $writePropertyExtDomainAdminsSrc $domainAdminsGroup "WriteProperty" "bf9679c0-0de6-11d0-a285-00aa003049e2" "All"
+Set-ADObject $writePropertyExtDomainAdminsSrc -Description "User with WriteProperty rights to modify Domain Admins group membership"
+
+$forceChangePwdSrc = Get-RandomObject -User
+$forceChangePwdTgt = Get-RandomObject -User
+SetAclExtended $forceChangePwdSrc $forceChangePwdTgt "ExtendedRight" "00299570-246d-11d0-a768-00aa006e0529" "None"
+Set-ADObject $forceChangePwdSrc -Description "User with ForceChangePassword rights over $($forceChangePwdTgt.Name)"
+
+$writeOwnerDomainAdminsSrc = Get-RandomObject -User
+SetAcl $writeOwnerDomainAdminsSrc $domainAdminsGroup "WriteOwner" "None"
+Set-ADObject $writeOwnerDomainAdminsSrc -Description "User with WriteOwner rights to take ownership of Domain Admins group"
+
+$genericWriteUserSrc = Get-RandomObject -User
+$genericWriteUserTgt = Get-RandomObject -User
+SetAcl $genericWriteUserSrc $genericWriteUserTgt "GenericWrite" "None"
+Set-ADObject $genericWriteUserSrc -Description "User with GenericWrite rights over $($genericWriteUserTgt.Name)"
+
+$writeDaclDomainAdminsSrc = Get-RandomObject -User
+SetAcl $writeDaclDomainAdminsSrc $domainAdminsGroup "WriteDacl" "None"
+Set-ADObject $writeDaclDomainAdminsSrc -Description "User with WriteDacl rights to modify Domain Admins group permissions"
+
+$asreproast_user = Get-RandomObject -User
+Set-ADAccountControl -Identity $asreproast_user -DoesNotRequirePreAuth $True
+Set-ADObject $asreproast_user -Description "DoesNotRequirePreAuth"
+
+$kerberoast_user = Get-RandomObject -User
+$kerberoast_spn = Get-RandomObject -Computer
+Set-ADUser -Identity "$kerberoast_user" -ServicePrincipalNames @{Add="HTTP/$($kerberoast_spn)"}
+Set-ADObject $kerberoast_user -Description "$($kerberoast_user | Select-Object -ExpandProperty Name) is kerberoastable on http/$($kerberoast_spn | Select-Object -ExpandProperty Name):80"
+
+$unconstrained_delegation_comp = Get-RandomObject -Computer
+$unconstrained_delegation_comp | Set-ADAccountControl -TrustedForDelegation $true
+Set-ADObject $unconstrained_delegation_comp -Description "TrustedForDelegation"
+
+$constrained_delegation_comp1 = Get-RandomObject -Computer 
+$constrained_delegation_comp2 = Get-RandomObject -Computer
+Set-ADObject -Identity $constrained_delegation_comp1 -Add @{'msDS-AllowedToDelegateTo'=@("HOST/$($constrained_delegation_comp2)/example")}
+Set-ADAccountControl -Identity $constrained_delegation_comp1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true
+Set-ADObject $constrained_delegation_comp1 -Description "msDS-AllowedToDelegateTo to $($constrained_delegation_comp2 | Select-Object -ExpandProperty Name)"
+
+Write-Host "[INFO] Created vulnerable ACLs, delegation, and Kerberos configurations"
+
+@"
+Domain content
+--------------
+"@ | Out-File C:\README.txt
+
+Get-AdObject `
+    -SearchBase "OU=$DomainOU,$DomainNameDN" `
+    -Filter {ObjectClass -ne "OrganizationalUnit"} `
+    -Properties Name, ObjectClass, Description `
+        | Select-Object Name, ObjectClass, Description `
+        | Format-Table -AutoSize `
+        | Out-File -Append C:\README.txt
+Stop-Transcript
diff --git a/ansible/scripts/setup-adcs-esc.ps1 b/ansible/scripts/setup-adcs-esc.ps1
new file mode 100644
index 0000000..44fc8d5
--- /dev/null
+++ b/ansible/scripts/setup-adcs-esc.ps1
@@ -0,0 +1,20 @@
+param (
+    [string]$DomainName = "contoso.com"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\$scriptName_log.txt"
+Start-Transcript -Path $logFile -Append
+
+Import-Module ADCSTemplate
+
+Get-ChildItem -Path "C:\setup\templates" -Filter *.json | % {
+    $TemplateName = $_.BaseName
+    if (-not(Get-ADCSTemplate -DisplayName $TemplateName)) {
+        New-ADCSTemplate `
+            -DisplayName $TemplateName `
+            -JSON (Get-Content "C:\setup\templates\$_" -Raw) `
+            -Identity "$DomainName\Domain Users" `
+            -Publish
+    }
+}
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/setup-adcs.ps1 b/ansible/scripts/setup-adcs.ps1
new file mode 100644
index 0000000..134b9a9
--- /dev/null
+++ b/ansible/scripts/setup-adcs.ps1
@@ -0,0 +1,50 @@
+param
+(
+    [string]$DomainName = "contoso.com",
+    [string]$Username   = "Administrator",
+    [string]$Password   = "packer"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$p = ConvertTo-SecureString $Password -AsPlainText -Force
+$c = New-Object System.Management.Automation.PSCredential("$DomainName\$Username", $p)
+$CACommonName = "$($DomainName.Split(".")[0].ToUpper())-CA"
+
+try {
+    Install-WindowsFeature -Name AD-Certificate -IncludeAllSubFeature -IncludeManagementTools
+    Install-WindowsFeature -Name ADCS-Cert-Authority
+    Install-WindowsFeature -Name ADCS-Web-Enrollment
+    Install-WindowsFeature -Name RSAT
+
+    Write-Host "[INFO] Installed ADCS Windows Features"
+} catch {
+    Write-Host "[ERR] Failed to install ADCS Windows Features"
+}
+
+try {
+    Install-AdcsCertificationAuthority `
+        -Credential $c `
+        -CAType EnterpriseRootCA `
+        -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
+        -KeyLength 2048 `
+        -HashAlgorithmName SHA256 `
+        -ValidityPeriod Years `
+        -ValidityPeriodUnits 5 `
+        -CACommonName $CACommonName `
+        -Force
+
+    Write-Host "[INFO] Installed ADCS Certification Authority"
+} catch {
+    Write-Host "[ERR] Failed to install ADCS Certification Authority"
+}
+
+try {
+    Install-AdcsWebEnrollment -Force
+
+    Write-Host "[INFO] Installed ADCS Web Enrollment"
+} catch {
+    Write-Host "[ERR] Failed to install ADCS Web Enrollment"
+}
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/setup-child-domain.ps1 b/ansible/scripts/setup-child-domain.ps1
new file mode 100644
index 0000000..ad23d45
--- /dev/null
+++ b/ansible/scripts/setup-child-domain.ps1
@@ -0,0 +1,50 @@
+param
+(
+    [string]$ParentDomainName       = "contoso.com",
+    [string]$ChildDomainName        = "dev",
+    [string]$SafeModePassword       = "P4ssw0rd1234!",
+    [string]$Username               = "Administrator",
+    [string]$Password               = "packer"
+)
+
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$p = ConvertTo-SecureString $Password -AsPlainText -Force
+$c = New-Object System.Management.Automation.PSCredential("$ParentDomainName\$Username", $p)
+
+Write-Host "[INFO] Setting Administrator password"
+$computerName = $env:COMPUTERNAME
+$adminPassword = $Password
+$adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+$adminUser.SetPassword($adminPassword)
+
+Write-Host "[INFO] Installing AD-Domain-Services feature"
+Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
+Write-Host "[INFO] Importing ADDSDeployment module"
+Import-Module ADDSDeployment
+
+try {
+    Write-Host "[INFO] Installing New Child Domain in Existing Forest"
+    Install-ADDSDomain `
+        -InstallDns `
+        -ParentDomainName $ParentDomainName `
+        -NewDomainName $ChildDomainName `
+        -DomainType ChildDomain `
+        -DatabasePath "C:\Windows\NTDS" `
+        -LogPath "C:\Windows\NTDS" `
+        -SysvolPath "C:\Windows\SYSVOL" `
+        -NoRebootOnCompletion `
+        -Force `
+        -Credential $c `
+        -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword")
+
+    Write-Host "[INFO] Successfully added new child domain: $ChildDomainName"
+} catch {
+    Write-Host "[ERR] Failed to add new child domain: $ChildDomainName"
+    Write-Host $_.Exception.Message
+}
+
+Stop-Transcript
diff --git a/ansible/scripts/setup-gpo.ps1 b/ansible/scripts/setup-gpo.ps1
new file mode 100644
index 0000000..8d0bb5d
--- /dev/null
+++ b/ansible/scripts/setup-gpo.ps1
@@ -0,0 +1,29 @@
+param (
+    [string]$DomainName = "contoso.com"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$DomainNameDN = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])"
+$DomainUsers = Get-ADGroup "Domain Users"
+try {
+    $GPO1 = New-GPO -Name "TestGPO1"
+    $GPO2 = New-GPO -Name "TestGPO2"
+    Set-GPPermission -Name $GPO1.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group
+    Set-GPPermission -Name $GPO2.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group
+
+    Write-Host "[INFO] Created insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity"
+} catch {
+    Write-Host "[ERR] Failed to create insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity"
+}
+
+try {
+    New-GPLink -Name $GPO1.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes
+    New-GPLink -Name $GPO2.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes
+    
+    Write-Host "[INFO] Created GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN"
+} catch {
+    Write-Host "[ERR] Failed to create GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN"
+}
+Stop-Transcript
diff --git a/ansible/scripts/setup-iis.ps1 b/ansible/scripts/setup-iis.ps1
new file mode 100644
index 0000000..1bbe48d
--- /dev/null
+++ b/ansible/scripts/setup-iis.ps1
@@ -0,0 +1,128 @@
+ param
+(
+    [string]$DomainName  = "contoso.com",
+    [string]$SvcUsername = "svc_iis03",
+    [string]$SvcPassword = "Svc1234!"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$wwwroot1 = "C:\inetpub\wwwroot"
+$wwwroot2 = "C:\inetpub\wwwroot2"
+
+try {
+    Install-WindowsFeature -Name Web-Server -IncludeManagementTools
+    Install-WindowsFeature -Name Web-Asp-Net45
+    New-WebSite -Name "MyASPXSite" -Port 80 -PhysicalPath "C:\inetpub\wwwroot" -ApplicationPool "DefaultAppPool"
+    Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3}
+    New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
+    Restart-WebAppPool -Name "DefaultAppPool"
+
+    Write-Host "[INFO] Created first IIS WebSite, Firewall rule and AppPool"
+} catch {
+    Write-Host "[ERR] Failed to create first IIS WebSite, Firewall rule and AppPool"
+}
+
+try {
+    $svcIIS03Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainName\$SvcUsername", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
+    $acl = Get-Acl $wwwroot1
+    $acl.SetAccessRule($svcIIS03Rule)
+    Set-Acl -Path $wwwroot1 -AclObject $acl
+
+    Write-Host "[INFO] Set ACL for $wwwroot1"
+} catch {
+    Write-Host "[ERR] Failed to set ACL for $wwwroot1"
+}
+
+@"
+using System;
+using System.IO;
+using System.Web.UI;
+
+public partial class UploadPage : Page
+{
+    protected void UploadFile(object sender, EventArgs e)
+    {
+        if (fileUpload.PostedFile != null && fileUpload.PostedFile.ContentLength > 0)
+        {
+            try
+            {
+                string filename = Path.GetFileName(fileUpload.PostedFile.FileName);
+                fileUpload.PostedFile.SaveAs(Server.MapPath(filename));
+                lblMessage.Text = "File uploaded successfully!";
+            }
+            catch (Exception ex)
+            {
+                lblMessage.Text = "Error: " + ex.Message;
+            }
+        }
+        else
+        {
+            lblMessage.Text = "Please select a file to upload.";
+        }
+    }
+}
+"@ | Out-File C:\inetpub\wwwroot\upload.aspx.cs
+
+@"
+<%@ Page Language="C#" AutoEventWireup="true" CodeFile="upload.aspx.cs" Inherits="UploadPage" %>
+
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head runat="server">
+    <title>File Upload Page</title>
+</head>
+<body>
+    <form id="form1" runat="server">
+        <div>
+            <input type="file" id="fileUpload" runat="server" />
+            <br />
+            <asp:Button ID="btnUpload" runat="server" Text="Upload" OnClick="UploadFile" />
+            <br />
+            <asp:Label ID="lblMessage" runat="server" Text=""></asp:Label>
+        </div>
+    </form>
+</body>
+</html>
+"@ | Out-File C:\inetpub\wwwroot\upload.aspx
+
+@"
+<?xml version="1.0"?>
+<configuration>
+    <system.web>
+        <compilation debug="true" targetFramework="4.5"/>
+        <httpRuntime targetFramework="4.5"/>
+        <customErrors mode="Off"/>
+    </system.web>
+</configuration>
+"@ | Out-File C:\inetpub\wwwroot\Web.config
+
+Restart-WebAppPool -Name "DefaultAppPool"
+
+try {
+    Copy-Item "C:\inetpub\wwwroot" -Destination "C:\inetpub\wwwroot2" -Recurse
+    New-WebAppPool -Name "DefaultAppPool2"
+    New-WebSite -Name "MyASPXSite2" -Port 8080 -PhysicalPath "C:\inetpub\wwwroot2" -ApplicationPool "DefaultAppPool2"
+    Set-ItemProperty "IIS:\AppPools\DefaultAppPool2" -Name processModel -Value @{ identityType=2 }
+    New-NetFirewallRule -DisplayName "HTTP (8080)" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
+
+    Write-Host "[INFO] Created second IIS WebSite, Firewall rule and AppPool"
+} catch {
+    Write-Host "[ERR] Failed to create second IIS WebSite, Firewall rule and AppPool"
+}
+
+try {
+    $acl = Get-Acl $wwwroot2
+    $iisIUSRSGroup = "IIS_IUSRS"
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
+    $acl.SetAccessRule($rule)
+    Set-Acl -Path $wwwroot2 -AclObject $acl 
+
+    Write-Host "[INFO] Set ACL for $wwwroot2"
+} catch {
+    Write-Host "[ERR] Failed to set ACL for $wwwroot2"
+}
+
+Restart-WebAppPool -Name "DefaultAppPool2"
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/setup-main-domain.ps1 b/ansible/scripts/setup-main-domain.ps1
new file mode 100644
index 0000000..75500ab
--- /dev/null
+++ b/ansible/scripts/setup-main-domain.ps1
@@ -0,0 +1,45 @@
+param
+(
+    [string]$DomainName          = "contoso.com",
+    [string]$FunctionalLevel     = "WinThreshold",
+    [string]$SafeModePassword    = "P4ssw0rd1234!"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$NetBiosName = $DomainName.Split(".")[0].ToUpper()
+
+Write-Host "[INFO] Setting Administrator password"
+$computerName = $env:COMPUTERNAME
+$adminPassword = "packer"
+$adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+$adminUser.SetPassword($adminPassword)
+
+Write-Host "[INFO] Installing Ad-Domain-Services Windows feature + subfeatures"
+Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
+Write-Host "[INFO] Importing ADDSDeployment module"
+Import-Module ADDSDeployment
+
+try {
+    Write-Host "[INFO] Installing ADDSForest"
+    Install-ADDSForest `
+        -InstallDns `
+        -CreateDnsDelegation:$false `
+        -ForestMode $FunctionalLevel `
+        -DomainMode $FunctionalLevel `
+        -DomainName $DomainName `
+        -DomainNetbiosName $NetBiosName `
+        -DatabasePath "C:\Windows\NTDS" `
+        -LogPath "C:\Windows\NTDS" `
+        -SysvolPath "C:\Windows\SYSVOL" `
+        -NoRebootOnCompletion `
+        -Force `
+        -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword")
+    Write-Host "[INFO] Created Active Directory domain for $DomainName"
+} catch {
+    Write-Host "[ERR] Failed to create Active Directory domain for $DomainName"
+    Write-Host $_.Exception.Message
+}
+Stop-Transcript
diff --git a/ansible/scripts/setup-mssql-link.ps1 b/ansible/scripts/setup-mssql-link.ps1
new file mode 100644
index 0000000..8f51058
--- /dev/null
+++ b/ansible/scripts/setup-mssql-link.ps1
@@ -0,0 +1,18 @@
+param
+(
+    [string]$LinkServer = "mssql01"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+try {
+    SqlCmd -E -Q "EXEC master.dbo.sp_addlinkedserver @server = N'$LinkServer', @srvproduct=N'', @provider=N'SQLOLEDB', @datasrc=N'$LinkServer'"
+    SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc', @optvalue=N'true'"
+    SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc out', @optvalue=N'true'"
+    SqlCmd -E -Q "EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'$LinkServer', @locallogin = NULL , @useself = N'True'"
+    Write-Host "[INFO] Linked $LinkServer to mssql02"
+} catch {
+    Write-Host "[ERR] Failed to link $LinkServer to mssql02"
+}
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/setup-mssql.ps1 b/ansible/scripts/setup-mssql.ps1
new file mode 100644
index 0000000..032490f
--- /dev/null
+++ b/ansible/scripts/setup-mssql.ps1
@@ -0,0 +1,90 @@
+param
+(
+    [string]$DomainName   = "contoso.com",
+    [string]$SvcUsername  = "svc_mssql01",
+    [string]$SvcPassword  = "Svc1234!"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+$NetBiosName = $DomainName.Split(".")[0].ToUpper()
+Start-Transcript -Path $logFile -Append
+
+New-Item -Path "C:\setup\media" -ItemType "Directory" -Force
+
+@"
+;SQL Server Configuration File
+[OPTIONS]
+IACCEPTSQLSERVERLICENSETERMS="True"
+ACTION="Install"
+ENU="True"
+QUIET="True"
+QUIETSIMPLE="False"
+UpdateEnabled="False"
+ERRORREPORTING="False"
+USEMICROSOFTUPDATE="False"
+FEATURES=SQLENGINE,FULLTEXT
+UpdateSource="MU"
+HELP="False"
+INDICATEPROGRESS="False"
+X86="False"
+INSTALLSHAREDDIR="C:\Program Files\Microsoft SQL Server"
+INSTALLSHAREDWOWDIR="C:\Program Files (x86)\Microsoft SQL Server"
+INSTANCENAME="SQLEXPRESS"
+SQMREPORTING="False"
+INSTANCEID="SQLEXPRESS"
+RSINSTALLMODE="DefaultNativeMode"
+INSTANCEDIR="C:\Program Files\Microsoft SQL Server"
+AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
+AGTSVCSTARTUPTYPE="Automatic"
+COMMFABRICPORT="0"
+COMMFABRICNETWORKLEVEL="0"
+COMMFABRICENCRYPTION="0"
+MATRIXCMBRICKCOMMPORT="0"
+SQLSVCSTARTUPTYPE="Automatic"
+FILESTREAMLEVEL="0"
+ENABLERANU="False"
+SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
+SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
+SAPWD="$SvcPassword"
+SQLSYSADMINACCOUNTS="BUILTIN\Administrators"
+ADDCURRENTUSERASSQLADMIN="True"
+TCPENABLED="1"
+NPENABLED="0"
+BROWSERSVCSTARTUPTYPE="Disabled"
+RSSVCSTARTUPTYPE="manual"
+FTSVCACCOUNT="NT Service\MSSQLFDLauncher"
+"@ | Out-File "C:\setup\sql_conf.ini"
+
+try {
+    Start-Process -FilePath "C:\setup\SQL2019-SSEI-Expr.exe" -ArgumentList "/configurationfile=C:\setup\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=C:\setup\media /QUIET /HIDEPROGRESSBAR" -Wait
+    Write-Host "[INFO] Installed SQL Server Express"
+} catch {
+    Write-Host "[ERR] Failed to install SQL Server Express"
+}
+
+try {
+    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Tcp\IPAll" -Name "TcpPort" -Value "1433" -Force
+    Write-Host "[INFO] Set MSSQL port to 1433"
+} catch {
+    Write-Host "[ERR] Failed to set MSSQL port to 1433"
+}
+
+Restart-Service -Name "MSSQL`$SQLEXPRESS"
+
+try {
+    $env:Path += ";C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn"
+    SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SvcUsername] FROM WINDOWS"
+    SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SvcUsername', 'SYSADMIN'"
+
+    SqlCmd -E -Q "ALTER LOGIN sa ENABLE"
+    SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF"
+    Write-Host "[INFO] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin"
+    Write-Host "[INFO] Enabled SA login"
+} catch {
+    Write-Host "[ERR] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin"
+    Write-Host "[ERR] Failed to enable SA login"
+
+}
+
+New-NetFirewallRule -DisplayName "SQLServer default instance" -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow
+Stop-Transcript
+\ No newline at end of file
diff --git a/ansible/scripts/setup-tree-domain.ps1 b/ansible/scripts/setup-tree-domain.ps1
new file mode 100644
index 0000000..0f661a1
--- /dev/null
+++ b/ansible/scripts/setup-tree-domain.ps1
@@ -0,0 +1,50 @@
+param
+(
+    [string]$ParentForestRootDomain = "contoso.com",
+    [string]$NewTreeDomainName      = "msp.org",
+    [string]$SafeModePassword       = "P4ssw0rd1234!",
+    [string]$Username               = "Administrator",
+    [string]$Password               = "packer"
+)
+
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$p = ConvertTo-SecureString $Password -AsPlainText -Force
+$c = New-Object System.Management.Automation.PSCredential("$ParentForestRootDomain\$Username", $p)
+
+Write-Host "[INFO] Setting Administrator password"
+$computerName = $env:COMPUTERNAME
+$adminPassword = $Password
+$adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+$adminUser.SetPassword($adminPassword)
+
+Write-Host "[INFO] Installing AD-Domain-Services feature"
+Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
+Write-Host "[INFO] Importing ADDSDeployment module"
+Import-Module ADDSDeployment
+
+try {
+    Write-Host "[INFO] Installing New Tree Domain in Existing Forest"
+    Install-ADDSDomain `
+        -InstallDns `
+        -ParentDomainName $ParentForestRootDomain `
+        -NewDomainName $NewTreeDomainName `
+        -DomainType TreeDomain `
+        -DatabasePath "C:\Windows\NTDS" `
+        -LogPath "C:\Windows\NTDS" `
+        -SysvolPath "C:\Windows\SYSVOL" `
+        -NoRebootOnCompletion `
+        -Force `
+        -Credential $c `
+        -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword")
+
+    Write-Host "[INFO] Successfully added new tree domain: $NewTreeDomainName"
+} catch {
+    Write-Host "[ERR] Failed to add new tree domain: $NewTreeDomainName"
+    Write-Host $_.Exception.Message
+}
+
+Stop-Transcript
author	heqnx <root@heqnx.com>	2025-07-11 21:55:20 +0300
committer	heqnx <root@heqnx.com>	2025-07-11 21:55:20 +0300
commit	6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7 (patch)
tree	d975569e35991a02c73706ce81c0fc1f2e92405c
parent	742fa0d51cd384ea3d856438861bb86738fdabb8 (diff)
download	ansible-active-directory-range-6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7.tar.gz ansible-active-directory-range-6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7.zip