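<#
.SYNOPSIS
    Populates a domain with a deliberately vulnerable Active Directory lab layout.

.DESCRIPTION
    Run on a domain controller as a domain admin. The script:
      * lowers LmCompatibilityLevel on the DC to 1,
      * creates an OU tree <domain-label>/{Users,Computers,Service Accounts},
      * creates ~100 users, 60 computers and 20 service accounts (SPNs or
        privileged built-in group membership),
      * grants one random user each of: DCSync, GenericAll on AdminSDHolder,
        GenericAll/GenericWrite/WriteProperty/WriteOwner/WriteDacl/Self/
        ForceChangePassword over users, computers or the Domain Admins group,
      * enables anonymous LDAP (dsHeuristics), raises ms-DS-MachineAccountQuota,
      * marks a user AS-REP roastable, a user kerberoastable, a computer
        unconstrained-delegation and a computer constrained-delegation.
    Every object that is given a weakness gets a Description explaining it; the
    selection helper only picks objects with an EMPTY Description, so no object
    is reused for two weaknesses. A summary table is written to C:\README.txt.

    Everything below is intentionally insecure and must only be run in an
    isolated lab domain. Passwords are parameters with plaintext defaults.

.PARAMETER DomainName
    DNS name of the target domain, e.g. "contoso.com" or "corp.contoso.com".
    The domain DN is derived from every label, not just the first two.
.PARAMETER FunctionalLevel
    Accepted for compatibility with existing callers; it is not referenced
    anywhere in this script.
.PARAMETER UserPassword
    Password set on the bulk users and on the group-based service accounts.
.PARAMETER ServiceUserPassword
    Password set on the SPN-bearing service accounts.
#>
param (
    [string]$DomainName = "contoso.com",
    [string]$FunctionalLevel = "WinThreshold",
    [string]$UserPassword = "User1234!",
    [string]$ServiceUserPassword = "Svc1234!"
)

# --- Logging ---------------------------------------------------------------
# Start-Transcript fails if the directory is missing, so create it first.
# NOTE: the transcript header records the host command line, so passwords
# passed as arguments end up in the log file.
$scriptName = $MyInvocation.MyCommand.Name
$logDir = "C:\Logs"
$logFile = "$logDir\${scriptName}_log.txt"
if (-not (Test-Path -Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
}
Start-Transcript -Path $logFile -Append

# --- Naming ----------------------------------------------------------------
# Build the DN from every DNS label so multi-label domains work; the lab OU is
# named after the first label (e.g. "contoso").
$DomainLabels = $DomainName.Split(".")
$DomainNameDN = "DC=" + ($DomainLabels -join ",DC=")
$DomainOU = $DomainLabels[0]
$UsersOU = "Users"
$ComputersOU = "Computers"
$ServiceAccountsOU = "Service Accounts"

# Returns one random user (-User) or computer (-Computer) from the lab OUs
# whose Description is still empty, i.e. one that has not yet been assigned a
# weakness. Throws when the pool is exhausted instead of returning $null,
# which would otherwise surface later as a confusing Get-ADUser error.
Function Get-RandomObject {
    [CmdletBinding()]
    param(
        [Parameter()] [switch]$User,
        [Parameter()] [switch]$Computer
    )
    if ($User) {
        $pool = Get-ADUser -Filter 'Description -notlike "*"' `
            -SearchBase "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" -Properties Description
    } elseif ($Computer) {
        $pool = Get-ADComputer -Filter 'Description -notlike "*"' `
            -SearchBase "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" -Properties Description
    } else {
        return
    }
    if (-not $pool) {
        throw "Get-RandomObject: no object with an empty Description left to choose from"
    }
    return ($pool | Get-Random)
}

# Grants $for (an AD user) the ActiveDirectoryRights named by $right on $to
# (any AD object) with the given ActiveDirectorySecurityInheritance, then
# stamps both objects' Description. The AD: drive is addressed by absolute
# path so the caller's current location is left untouched.
Function SetAcl($for, $to, $right, $inheritance) {
    $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
    $targetPath = "AD:$($to.DistinguishedName)"
    $objAcl = Get-Acl -Path $targetPath
    $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID, $adRight, $type, $inheritanceType
    $objAcl.AddAccessRule($ace)
    Set-Acl -AclObject $objAcl -Path $targetPath
    Set-ADObject $for -Description "$right on $($to | Select-Object -ExpandProperty Name)"
    Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right on this object"
}

# Same as SetAcl but scopes the ACE to one attribute / extended right via its
# schema GUID ($extendedRightGUID is the objectType of the ACE).
Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance) {
    $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
    $targetPath = "AD:$($to.DistinguishedName)"
    $objAcl = Get-Acl -Path $targetPath
    $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID, $adRight, $type, $extendedRightGUID, $inheritanceType
    $objAcl.AddAccessRule($ace)
    Set-Acl -AclObject $objAcl -Path $targetPath
    Set-ADObject $for -Description "$right, $extendedRightGUID on $($to | Select-Object -ExpandProperty Name)"
    Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right, $extendedRightGUID on this object"
}

# Creates the OU $Name under $Path unless an OU with that name already exists
# in the subtree below $Path.
Function New-OUIfMissing([string]$Name, [string]$Path) {
    if (-not (Get-ADOrganizationalUnit -SearchBase $Path -Filter "Name -like '$Name'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path
    }
}

# --- Host weakening --------------------------------------------------------
# Level 1 = send LM & NTLM, use NTLMv2 session security if negotiated.
Write-Host "[INFO] Setting weak NTLM compatibility level"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 1 -Force

# --- OU tree ---------------------------------------------------------------
$LabOUPath = "OU=$DomainOU,$DomainNameDN"
New-OUIfMissing -Name $DomainOU -Path $DomainNameDN
New-OUIfMissing -Name $UsersOU -Path $LabOUPath
New-OUIfMissing -Name $ComputersOU -Path $LabOUPath
New-OUIfMissing -Name $ServiceAccountsOU -Path $LabOUPath

# --- Bulk users ------------------------------------------------------------
$users = @("michael","christopher","jessica","matthew","ashley","jennifer","joshua","amanda","daniel","david","james","robert","john","joseph","andrew","ryan","brandon","jason","justin","sarah","william","jonathan","stephanie","brian","nicole","nicholas","anthony","heather","eric","elizabeth","adam","megan","melissa","kevin","steven","thomas","timothy","christina","kyle","rachel","laura","lauren","amber","brittany","danielle","richard","kimberly","jeffrey","amy","crystal","michelle","tiffany","jeremy","benjamin","mark","emily","aaron","charles","rebecca","jacob","stephen","patrick","sean","erin","zachary","jamie","kelly","samantha","nathan","sara","dustin","paul","angela","tyler","scott","katherine","andrea","gregory","erica","mary","travis","lisa","kenneth","bryan","lindsey","kristen","jose","alexander","jesse","katie","lindsay","shannon","vanessa","courtney","christine","alicia","cody","allison","bradley","samuel")

$created_users = @()
ForEach ($user in $users) {
    try {
        New-ADUser -Name "$user" `
            -SamAccountName "$user" `
            -EmailAddress "$user@$($DomainName.ToLower())" `
            -Path "OU=$UsersOU,$LabOUPath" `
            -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) `
            -Enabled $true `
            -PasswordNeverExpires $true
        $created_users += $user
    } catch {
        Write-Host "[ERR] Failed to create user $user"
    }
}

# Two random users become Domain Admins.
1..2 | ForEach-Object {
    Get-RandomObject -User | ForEach-Object {
        Add-ADGroupMember -Identity "Domain Admins" -Members $_
        Set-ADUser -Identity $_ -Description "domain admin"
    }
}
Write-Host "[INFO] Created users: $($created_users -Join ', ')"

# --- Computers: srv1..20, sql1..20, smb1..20 --------------------------------
$created_computers = @()
1..20 | ForEach-Object {
    $index = $_
    ForEach ($server in @("srv", "sql", "smb")) {
        $computerName = "$server$index"
        try {
            New-ADComputer -SamAccountName $computerName -Name $computerName `
                -DNSHostName "$computerName.$DomainName" `
                -Path "OU=$ComputersOU,$LabOUPath"
            # Record the full name; the original logged only the prefix.
            $created_computers += $computerName
        } catch {
            Write-Host "[ERR] Failed to create server $computerName"
        }
    }
}
Write-Host "[INFO] Created computers: $($created_computers -Join ', ')"

# --- Service accounts ------------------------------------------------------
# type "spn": account gets <value>/<random computer FQDN> (kerberoastable).
# type "group": account is added to the named built-in privileged group.
$svc_users = @{
    "svc_mssql01" = @{"type" = "spn"; "value" = "MSSQLSVC"}
    "svc_mssql02" = @{"type" = "spn"; "value" = "MSSQLSVC"}
    "svc_cifs01" = @{"type" = "spn"; "value" = "CIFS"}
    "svc_cifs02" = @{"type" = "spn"; "value" = "CIFS"}
    "svc_iis01" = @{"type" = "spn"; "value" = "HTTP"}
    "svc_iis02" = @{"type" = "spn"; "value" = "HTTP"}
    "svc_backup01" = @{"type" = "group"; "value" = "Backup Operators"}
    "svc_backup02" = @{"type" = "group"; "value" = "Backup Operators"}
    "svc_dns01" = @{"type" = "group"; "value" = "DnsAdmins"}
    "svc_dns02" = @{"type" = "group"; "value" = "DnsAdmins"}
    "svc_srvoperator01" = @{"type" = "group"; "value" = "Server Operators"}
    "svc_srvoperator02" = @{"type" = "group"; "value" = "Server Operators"}
    "svc_evtvwr01" = @{"type" = "group"; "value" = "Event Log Readers"}
    "svc_evtvwr02" = @{"type" = "group"; "value" = "Event Log Readers"}
    "svc_acctoperator01" = @{"type" = "group"; "value" = "Account Operators"}
    "svc_acctoperator02" = @{"type" = "group"; "value" = "Account Operators"}
    "svc_printoperator01" = @{"type" = "group"; "value" = "Print Operators"}
    "svc_printoperator02" = @{"type" = "group"; "value" = "Print Operators"}
    "svc_mgmtuser01" = @{"type" = "group"; "value" = "Remote Management Users"}
    "svc_mgmtuser02" = @{"type" = "group"; "value" = "Remote Management Users"}
}

$svcOUPath = "OU=$ServiceAccountsOU,$LabOUPath"
$created_svc_users = @()
ForEach ($user in $svc_users.keys) {
    $type = $svc_users[$user]["type"]
    $value = $svc_users[$user]["value"]
    Switch ("$type") {
        "spn" {
            try {
                $comp = (Get-RandomObject -Computer | Select-Object -ExpandProperty DNSHostName)
                $u = New-ADUser -Name "$user" `
                    -SamAccountName "$user" `
                    -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) `
                    -Path $svcOUPath `
                    -Enabled $true `
                    -PasswordNeverExpires $true `
                    -PassThru
                Set-ADUser -Identity $u -ServicePrincipalNames @{Add="$value/$comp"}
                Set-ADObject $u -Description "SPN on $value/$comp"
                $created_svc_users += "$user ($value/$comp)"
            } catch {
                Write-Host "[ERR] Failed to create $value/$comp for $user"
            }
        }
        "group" {
            try {
                # NOTE(review): group-based service accounts use $UserPassword,
                # not $ServiceUserPassword as the "spn" branch does - kept as-is,
                # confirm whether that is intentional.
                $u = New-ADUser -Name "$user" `
                    -SamAccountName "$user" `
                    -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) `
                    -Path $svcOUPath `
                    -Enabled $true `
                    -PasswordNeverExpires $true `
                    -PassThru
                Add-ADGroupMember -Identity "$value" -Members $u
                Set-ADObject $u -Description "member of $value"
                $created_svc_users += "$user ($value)"
            } catch {
                Write-Host "[ERR] Failed to add $user to $value"
            }
        }
    }
}
Write-Host "[INFO] Created svc users: $($created_svc_users -Join ', ')"

# --- DCSync: DS-Replication-Get-Changes + -All on the domain head -----------
$dcsync_user = Get-RandomObject -User
$domainPath = "AD:$DomainNameDN"
$acl = Get-Acl -Path $domainPath
$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $dcsync_user).SID
ForEach ($replGuid in @("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList @($sid,
                        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                        [System.Security.AccessControl.AccessControlType]::Allow,
                        [Guid]$replGuid)))
}
Set-Acl -Path $domainPath -AclObject $acl
Set-ADObject $dcsync_user -Description "DCSync rights on $DomainName"

# --- GenericAll on AdminSDHolder (propagates to all protected accounts) -----
$adminsdholder_user = Get-RandomObject -User
$adminsdholder = "CN=AdminSDHolder,CN=System,$DomainNameDN"
$acl = Get-Acl -Path "AD:$adminsdholder"
$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $adminsdholder_user).SID
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList @($sid,
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                    [System.Security.AccessControl.AccessControlType]::Allow)))
Set-Acl -Path "AD:$adminsdholder" -AclObject $acl
Set-ADObject $adminsdholder_user -Description "GenericAll on AdminSDHolder"

# --- Anonymous LDAP via dsHeuristics ---------------------------------------
# fLDAPBlockAnonOps is the 7th character of dsHeuristics; "2" permits anonymous
# operations. Only that position is changed so flags already present in the
# forest are preserved rather than clobbered by a fixed "0000002".
Write-Host "[INFO] Configuring anonymous LDAP binding via dsHeuristics for $DomainName"
$rootDSE = Get-ADRootDSE
$configNC = $rootDSE.ConfigurationNamingContext
$directoryServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$directoryService = Get-ADObject -Identity $directoryServicePath -Properties dsHeuristics
$currentHeuristics = [string]$directoryService.dsHeuristics
$heuristicChars = $currentHeuristics.PadRight(7, '0').ToCharArray()
$heuristicChars[6] = '2'
$newHeuristics = -join $heuristicChars
Write-Host "[INFO] Overwriting dsHeuristics '$currentHeuristics' with '$newHeuristics'"
Set-ADObject -Identity $directoryServicePath `
    -Replace @{"dsHeuristics" = $newHeuristics} `
    -Description "Anonymous LDAP enabled for $DomainName" `
    -ErrorAction Stop
Write-Host "[INFO] Successfully set dsHeuristics to '$newHeuristics'"

# Any authenticated user may join up to 50 machines (default is 10).
Set-ADDomain -Identity $DomainName -Replace @{"ms-DS-MachineAccountQuota"=50}

$dc = (Get-ADDomainController | Select-Object -ExpandProperty HostName)

# Extra kerberoastable account with an SPN that points at no real host.
$u = New-ADUser -Name "svc_iis03" `
    -SamAccountName "svc_iis03" `
    -Path $svcOUPath `
    -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -PassThru
Set-ADUser -Identity $u -ServicePrincipalNames @{Add="HTTP/web01"}
Set-ADObject $u -Description "SPN on HTTP/web01"

# --- ACL abuse paths -------------------------------------------------------
$domainAdminsGroup = Get-ADGroup "Domain Admins"

$genericAllUserSrc = Get-RandomObject -User
$genericAllUserTgt = Get-RandomObject -User
SetAcl $genericAllUserSrc $genericAllUserTgt "GenericAll" "None"
Set-ADObject $genericAllUserSrc -Description "User with GenericAll rights over $($genericAllUserTgt.Name)"

$genericAllDomainAdminsSrc = Get-RandomObject -User
SetAcl $genericAllDomainAdminsSrc $domainAdminsGroup "GenericAll" "None"
Set-ADObject $genericAllDomainAdminsSrc -Description "User with GenericAll rights over Domain Admins group"

$genericAllComputerSrc = Get-RandomObject -User
$genericAllComputerTgt = Get-RandomObject -Computer
SetAcl $genericAllComputerSrc $genericAllComputerTgt "GenericAll" "None"
Set-ADObject $genericAllComputerSrc -Description "User with GenericAll rights over computer $($genericAllComputerTgt.Name)"

$writePropertyDomainAdminsSrc = Get-RandomObject -User
SetAcl $writePropertyDomainAdminsSrc $domainAdminsGroup "WriteProperty" "All"
Set-ADObject $writePropertyDomainAdminsSrc -Description "User with WriteProperty rights over Domain Admins group (all properties)"

# bf9679c0-... is the schema GUID of the "member" attribute.
$memberAttributeGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2"

$selfDomainAdminsSrc = Get-RandomObject -User
SetAclExtended $selfDomainAdminsSrc $domainAdminsGroup "Self" $memberAttributeGuid "None"
Set-ADObject $selfDomainAdminsSrc -Description "User with Self membership control over Domain Admins group"

$writePropertyExtDomainAdminsSrc = Get-RandomObject -User
SetAclExtended $writePropertyExtDomainAdminsSrc $domainAdminsGroup "WriteProperty" $memberAttributeGuid "All"
Set-ADObject $writePropertyExtDomainAdminsSrc -Description "User with WriteProperty rights to modify Domain Admins group membership"

# 00299570-... is the User-Force-Change-Password extended right.
$forceChangePwdSrc = Get-RandomObject -User
$forceChangePwdTgt = Get-RandomObject -User
SetAclExtended $forceChangePwdSrc $forceChangePwdTgt "ExtendedRight" "00299570-246d-11d0-a768-00aa006e0529" "None"
Set-ADObject $forceChangePwdSrc -Description "User with ForceChangePassword rights over $($forceChangePwdTgt.Name)"

$writeOwnerDomainAdminsSrc = Get-RandomObject -User
SetAcl $writeOwnerDomainAdminsSrc $domainAdminsGroup "WriteOwner" "None"
Set-ADObject $writeOwnerDomainAdminsSrc -Description "User with WriteOwner rights to take ownership of Domain Admins group"

$genericWriteUserSrc = Get-RandomObject -User
$genericWriteUserTgt = Get-RandomObject -User
SetAcl $genericWriteUserSrc $genericWriteUserTgt "GenericWrite" "None"
Set-ADObject $genericWriteUserSrc -Description "User with GenericWrite rights over $($genericWriteUserTgt.Name)"

$writeDaclDomainAdminsSrc = Get-RandomObject -User
SetAcl $writeDaclDomainAdminsSrc $domainAdminsGroup "WriteDacl" "None"
Set-ADObject $writeDaclDomainAdminsSrc -Description "User with WriteDacl rights to modify Domain Admins group permissions"

# --- Kerberos weaknesses ---------------------------------------------------
$asreproast_user = Get-RandomObject -User
Set-ADAccountControl -Identity $asreproast_user -DoesNotRequirePreAuth $True
Set-ADObject $asreproast_user -Description "DoesNotRequirePreAuth"

# Use the computer's DNS host name for the SPN. Interpolating the ADComputer
# object itself yields its distinguishedName, which produced SPNs of the form
# HTTP/CN=srvN,OU=... rather than HTTP/srvN.<domain>.
$kerberoast_user = Get-RandomObject -User
$kerberoast_spn = Get-RandomObject -Computer
Set-ADUser -Identity $kerberoast_user -ServicePrincipalNames @{Add="HTTP/$($kerberoast_spn.DNSHostName)"}
Set-ADObject $kerberoast_user -Description "$($kerberoast_user | Select-Object -ExpandProperty Name) is kerberoastable on http/$($kerberoast_spn | Select-Object -ExpandProperty Name):80"

$unconstrained_delegation_comp = Get-RandomObject -Computer
$unconstrained_delegation_comp | Set-ADAccountControl -TrustedForDelegation $true
Set-ADObject $unconstrained_delegation_comp -Description "TrustedForDelegation"

# Constrained delegation with protocol transition (TrustedToAuthForDelegation)
# from comp1 to the HOST service on comp2's FQDN. Same DN-vs-hostname fix as
# the kerberoast SPN above.
$constrained_delegation_comp1 = Get-RandomObject -Computer
$constrained_delegation_comp2 = Get-RandomObject -Computer
Set-ADObject -Identity $constrained_delegation_comp1 -Add @{'msDS-AllowedToDelegateTo'=@("HOST/$($constrained_delegation_comp2.DNSHostName)")}
Set-ADAccountControl -Identity $constrained_delegation_comp1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true
Set-ADObject $constrained_delegation_comp1 -Description "msDS-AllowedToDelegateTo to $($constrained_delegation_comp2 | Select-Object -ExpandProperty Name)"

Write-Host "[INFO] Created vulnerable ACLs, delegation, and Kerberos configurations"

# --- Summary ---------------------------------------------------------------
@"
Domain content
--------------
"@ | Out-File C:\README.txt
Get-ADObject `
    -SearchBase $LabOUPath `
    -Filter {ObjectClass -ne "OrganizationalUnit"} `
    -Properties Name, ObjectClass, Description `
    | Select-Object Name, ObjectClass, Description `
    | Format-Table -AutoSize `
    | Out-File -Append C:\README.txt

Stop-Transcript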