├── dsc
    ├── Lab
    │   └── filler.txt
    └── adlab.ps1
├── terraform
    ├── keys
    │   └── filler.txt
    ├── vars.tf
    └── aws.tf
├── .gitignore
└── README.md


/dsc/Lab/filler.txt:
--------------------------------------------------------------------------------
1 | This folder will contain the MOF files you need for DSC once you execute the DSC script on your local machine
2 | 


--------------------------------------------------------------------------------
/terraform/keys/filler.txt:
--------------------------------------------------------------------------------
1 | This folder stores your private and public key made from AWS for terraform to set it all up for you
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | terraform/keys/*
2 | terraform/.terraform.lock.hcl
3 | terraform/.terraform/
4 | dsc/Lab/*
5 | terraform/terraform*
6 | terraform/.terraform*
7 | 


--------------------------------------------------------------------------------
/terraform/vars.tf:
--------------------------------------------------------------------------------
 1 | variable "PATH_TO_PUBLIC_KEY" {
 2 |   # Add the path to the public key you made in AWS like below
 3 |   # default = "./keys/terraform-key.pub"
 4 |   default = "YOUR_PUBLIC_KEY"
 5 | }
 6 | 
 7 | variable "PATH_TO_PRIVATE_KEY" {
 8 |   # Add the path to the private key you made in AWS like below
 9 |   # default = "./keys/terraform-key.pem"
10 |   default = "YOUR_PRIVATE_KEY"
11 | }
12 | 
13 | variable "VPC_CIDR" {
14 |   default = "10.0.0.0/16"
15 | }
16 | 
17 | variable "FIRST_SUBNET_CIDR" {
18 |   default = "10.0.1.0/24"
19 | }
20 | 
21 | variable "SECOND_SUBNET_CIDR" {
22 |   default = "10.0.2.0/24"
23 | }
24 | 
25 | variable "FIRST_DC_IP" {
26 |   default = "10.0.1.100"
27 | }
28 | 
29 | variable "USER_SERVER_IP" {
30 |   default = "10.0.1.50"
31 | }
32 | 
33 | variable "ATTACK_SERVER_IP" {
34 |   default = "10.0.1.10"
35 | }
36 | 
37 | variable "SECOND_DC_IP" {
38 |   default = "10.0.2.100"
39 | }
40 | 
41 | variable "PUBLIC_DNS" {
42 |   default = "1.1.1.1"
43 | }
44 | 
45 | variable "MANAGEMENT_IPS" {
46 |   # Add in the public IP Address you will be hitting the cloud from, for example the public IP of your home address or VPN
47 |   #default = ["1.2.3.4/32"]
48 |   default = ["YOUR_PUBLIC_IP"]
49 | }
50 | 
51 | variable "SSM_S3_BUCKET" {
52 |   # Add in the name of your S3 bucket like the example below
53 |   #default = "this-is-just-a-fake-bucket"
54 |   default = "YOUR_S3_BUCKET"
55 | }
56 | 
57 | data "aws_ami" "latest-windows-server" {
58 |   most_recent = true
59 |   owners      = ["amazon"]
60 | 
61 |   filter {
62 |     name   = "name"
63 |     values = ["Windows_Server-2019-English-Full-Base-*"]
64 |   }
65 | }
66 | 
67 | # Find Latest Debian
68 | data "aws_ami" "latest-debian" {
69 |   most_recent = true
70 |   owners = ["136693071363"]
71 | 
72 |   filter {
73 |     name   = "name"
74 |     values = ["debian-10-amd64-*"]
75 |   }
76 | 
77 |   filter {
78 |     name   = "architecture"
79 |     values = ["x86_64"]
80 |   }
81 | }
82 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AWS-RedTeam-ADLab
 2 | 
 3 | ## Summary
 4 | 
 5 | This lab consists of 3 servers across 2 domains. It includes almost all pure AD attacks that I have exploited. The only edges in Bloodhound it doesnt yet have are LAPS and GMSA I believe. 
 6 | 
 7 | Once the setup steps are done you can just launch the lab using `terraform apply` and it will do it all for you. After applying you will need to give the lab about 35 mins. When you apply it will complete and tell you a timestamp. Take that timestamp, add 35 minutes onto it and wait that time. That will give it the time it needs to do all the setup. After 35 mins it will be good to go.
 8 | 
 9 | My blog post giving detailed setup information is here: https://philkeeble.com/automation/windows/activedirectory/AWS-RedTeam-ADLab-Setup/
10 | 
11 | ## Attacks Covered 
12 | 
13 | * Kerberoasting
14 | * ASRepRoasting
15 | * Constrained Delegation (computer and user)
16 | * Unconstrained Delegation 
17 | * Resource Based Constrained Delegation
18 | * Write ACL of user 
19 | * Write ACL of computer
20 | * WriteDACL over domain 
21 | * Write ACL of group
22 | * DnsAdmin members
23 | * Write ACL of GPO
24 | * Password in AD Attributes
25 | * Cross domain trusts 
26 | * SMBSigning disabled on all machines for relay attacks 
27 | * Defender uninstalled so no need to worry about AV 
28 | * Multiple machines so you can practise tunneling, double hop problem, etc
29 | * All the default things like lateral movement, persistence, pass the hash, pass the ticket, golden tickets, silver tickets etc
30 | 
31 | ## Machine Summary 
32 | 
33 | * First-DC = Domain Controller of the domain first.local (10.0.1.100)
34 | * Second-DC = Domain Controller of the domain second.local (in a trust with first) (10.0.2.100)
35 | * User-Server = Server to be the foothold on. Any domain user can RDP to this box (10.0.1.50)
36 | * Attack-Server = Debian server set up with Covenent and Impacket for you to jump in and attack from (10.0.1.10)
37 | 
38 | ## Setup Notes (Detailed Info in blog linked at top of README)
39 | ```
40 | Terraform
41 | Install terraform
42 | Install aws cli
43 | set up creds in aws cli 
44 | 
45 | DSC
46 | Install-module -name activedirectorydsc
47 | install-module -name networkingdsc 
48 | install-module -name ComputerManagementDsc
49 | install-module -name GroupPolicyDsc
50 | With these you can use ". .\adlab.ps1" to make the MOF files 
51 | 
52 | S3
53 | Create an S3 bucket for your account and replace the variable in terraform/vars.tf with your bucket name
54 | 
55 | Management IP 
56 | Change the management IP variable in vars.tf to be your IP
57 | 
58 | Keys
59 | Create an EC2 key pair, get public key from the pem with ssh-keygen -y -f /key.pem
60 | Store the file ./terraform/keys/terraform-key.pub 
61 | Update the file in the vars.tf to point to that public key (which will assign it to the created EC2 instances)
62 | Can use this key pair to get the administrator default password from AWS
63 | 
64 | When its launched give it like half and hour and it should set up properly 
65 | ```
66 | 
67 | Debugging 
68 | ```
69 | Logs are kept here C:\Windows\System32\Configuration\ConfigurationStatus on the targets for DSC 
70 | 
71 | The folder is owned by trusted installer so need to change owners to read or be system
72 | ```
73 | 
74 | Linux
75 | ```
76 | Attack server has covenant and impacket on
77 | 
78 | port forward 7443
79 | cd Covenant/Covenant 
80 | sudo dotnet run
81 | access in browser on localhost
82 | 
83 | 
84 | For impackt you can run python3 psexec.py ... etc 
85 | ```
86 | # Credits 
87 | 
88 | Massive credit to XPN with this project https://github.com/xpn/DemoLab. Almost all of the code I used is from this project and its blog post https://www.mdsec.co.uk/2020/04/designing-the-adversary-simulation-lab/. 
89 | 
90 | I have just taken that, made it less mass-spinup focused and added the vulnerabilties I would want in an AD lab. 
91 | 


--------------------------------------------------------------------------------
/terraform/aws.tf:
--------------------------------------------------------------------------------
  1 | # Basic AWS configuration which will grab our keys from the AWS CLI
  2 | # If you are not using the keys in the default profile of aws cli, then change below to the profile name 
  3 | provider "aws" {
  4 |   profile = "default"
  5 |   region     = "eu-west-2"
  6 | }
  7 | 
  8 | # Our AWS keypair
  9 | resource "aws_key_pair" "terraformkey" {
 10 |   key_name   = "${terraform.workspace}-terraform-lab"
 11 |   public_key = file(var.PATH_TO_PUBLIC_KEY)
 12 | }
 13 | 
 14 | # Our VPC definition, using a default IP range of 10.0.0.0/16
 15 | resource "aws_vpc" "lab-vpc" {
 16 |   cidr_block           = var.VPC_CIDR
 17 |   enable_dns_support   = true
 18 |   enable_dns_hostnames = true
 19 | }
 20 | 
 21 | # Default route required for the VPC to push traffic via gateway
 22 | resource "aws_route" "first-internet-route" {
 23 |   route_table_id         = aws_vpc.lab-vpc.main_route_table_id
 24 |   destination_cidr_block = "0.0.0.0/0"
 25 |   gateway_id             = aws_internet_gateway.lab-vpc-gateway.id
 26 | }
 27 | 
 28 | # Gateway which allows outbound and inbound internet access to the VPC
 29 | resource "aws_internet_gateway" "lab-vpc-gateway" {
 30 |   vpc_id = aws_vpc.lab-vpc.id
 31 | }
 32 | 
 33 | # Create our first subnet (Defaults to 10.0.1.0/24)
 34 | resource "aws_subnet" "first-vpc-subnet" {
 35 |   vpc_id = aws_vpc.lab-vpc.id
 36 | 
 37 |   cidr_block        = var.FIRST_SUBNET_CIDR
 38 |   availability_zone = "eu-west-2a"
 39 | 
 40 |   tags = {
 41 |     Name = "First Subnet"
 42 |   }
 43 | }
 44 | 
 45 | # Create our second subnet (Defaults to 10.0.2.0/24)
 46 | resource "aws_subnet" "second-vpc-subnet" {
 47 |   vpc_id = aws_vpc.lab-vpc.id
 48 | 
 49 |   cidr_block        = var.SECOND_SUBNET_CIDR
 50 |   availability_zone = "eu-west-2a"
 51 | 
 52 |   tags = {
 53 |     Name = "Second Subnet"
 54 |   }
 55 | }
 56 | 
 57 | # Set DHCP options for delivering things like DNS servers
 58 | resource "aws_vpc_dhcp_options" "first-dhcp" {
 59 |   domain_name          = "first.local"
 60 |   domain_name_servers  = [var.FIRST_DC_IP, var.PUBLIC_DNS]
 61 |   ntp_servers          = [var.FIRST_DC_IP]
 62 |   netbios_name_servers = [var.FIRST_DC_IP]
 63 |   netbios_node_type    = 2
 64 | 
 65 |   tags = {
 66 |     Name = "First DHCP"
 67 |   }
 68 | }
 69 | 
 70 | # Associate our DHCP configuration with our VPC
 71 | resource "aws_vpc_dhcp_options_association" "first-dhcp-assoc" {
 72 |   vpc_id          = aws_vpc.lab-vpc.id
 73 |   dhcp_options_id = aws_vpc_dhcp_options.first-dhcp.id
 74 | }
 75 | 
 76 | # Our first domain controller of the "first.local" domain
 77 | resource "aws_instance" "first-dc" {
 78 |   ami                         = data.aws_ami.latest-windows-server.image_id
 79 |   instance_type               = "t2.small"
 80 |   key_name                    = aws_key_pair.terraformkey.key_name
 81 |   associate_public_ip_address = true
 82 |   subnet_id                   = aws_subnet.first-vpc-subnet.id
 83 |   private_ip                  = var.FIRST_DC_IP
 84 |   iam_instance_profile        = aws_iam_instance_profile.ssm_instance_profile.name
 85 | 
 86 |   tags = {
 87 |     Workspace = "${terraform.workspace}"
 88 |     Name      = "${terraform.workspace}-First-DC"
 89 |   }
 90 | 
 91 |   vpc_security_group_ids = [
 92 |     aws_security_group.first-sg.id,
 93 |   ]
 94 | }
 95 | 
 96 | # The User server which will be main foothold
 97 | resource "aws_instance" "user-server" {
 98 |   ami                         = data.aws_ami.latest-windows-server.image_id
 99 |   instance_type               = "t2.small"
100 |   key_name                    = aws_key_pair.terraformkey.key_name
101 |   associate_public_ip_address = true
102 |   subnet_id                   = aws_subnet.first-vpc-subnet.id
103 |   private_ip                  = var.USER_SERVER_IP
104 |   iam_instance_profile        = aws_iam_instance_profile.ssm_instance_profile.name
105 | 
106 |   tags = {
107 |     Workspace = "${terraform.workspace}"
108 |     Name      = "${terraform.workspace}-User-Server"
109 |   }
110 | 
111 |   vpc_security_group_ids = [
112 |     aws_security_group.first-sg.id,
113 |   ]
114 | }
115 | 
116 | # Our second domain controller of the "second.local" domain
117 | resource "aws_instance" "second-dc" {
118 |   ami                         = data.aws_ami.latest-windows-server.image_id
119 |   instance_type               = "t2.small"
120 |   key_name                    = aws_key_pair.terraformkey.key_name
121 |   associate_public_ip_address = true
122 |   subnet_id                   = aws_subnet.second-vpc-subnet.id
123 |   private_ip                  = var.SECOND_DC_IP
124 |   iam_instance_profile        = aws_iam_instance_profile.ssm_instance_profile.name
125 | 
126 |   tags = {
127 |     Workspace = "${terraform.workspace}"
128 |     Name      = "${terraform.workspace}-Second-DC"
129 |   }
130 | 
131 |   vpc_security_group_ids = [
132 |     aws_security_group.second-sg.id,
133 |   ]
134 | }
135 | 
136 | # The C2 teamserver
137 | resource "aws_instance" "attack-server" {
138 |   ami                         = data.aws_ami.latest-debian.image_id
139 |   instance_type               = "t2.small"
140 |   key_name                    = aws_key_pair.terraformkey.key_name
141 |   associate_public_ip_address = true
142 |   subnet_id                   = aws_subnet.first-vpc-subnet.id
143 |   private_ip                  = var.ATTACK_SERVER_IP
144 |   iam_instance_profile        = aws_iam_instance_profile.ssm_instance_profile.name
145 | 
146 |   tags = {
147 |     Workspace = "${terraform.workspace}"
148 |     Name      = "${terraform.workspace}-Attack-Server"
149 |   }
150 | 
151 |   vpc_security_group_ids = [
152 |     aws_security_group.first-sg.id,
153 |   ]
154 | }
155 | 
156 | resource "null_resource" "attack-server-setup" {
157 |   connection {
158 |     type        = "ssh"
159 |     host        = aws_instance.attack-server.public_ip
160 |     user        = "admin"
161 |     port        = "22"
162 |     private_key = file(var.PATH_TO_PRIVATE_KEY)
163 |     agent       = false
164 |   }
165 | 
166 |   provisioner "remote-exec" {
167 |     inline = [
168 |       "sudo apt update",
169 |       
170 |       # Install dotnet
171 |       "wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb",
172 |       "sudo dpkg -i packages-microsoft-prod.deb",
173 |       "sudo apt-get update",
174 |       "sudo apt-get install -y apt-transport-https",
175 |       "sudo apt-get update",
176 |       
177 |       # Install Covenant Stable
178 |       "sudo apt-get install -y dotnet-sdk-3.1",
179 |       "sudo apt-get install -y git",
180 |       "git clone --recurse-submodules https://github.com/cobbr/Covenant",
181 |       
182 |       # Install Covenant Dev
183 |       #"sudo apt-get install -y dotnet-sdk-5.0",
184 |       #"git clone -b dev --recurse-submodules https://github.com/cobbr/Covenant",
185 |       
186 |       # Install PoshC2
187 |       #"git clone https://github.com/nettitude/PoshC2.git",
188 |       #"cd PoshC2",
189 |       #"sudo ./Install.sh -b master -p /home/admin/PoshC2"
190 |       #"cd ../"
191 |       
192 |       # Install Impacket
193 |       "sudo apt install -y python3-pip",
194 |       "git clone https://github.com/SecureAuthCorp/impacket.git",
195 |       "cd impacket",
196 |       "sudo python3 -m pip install --upgrade pip",
197 |       "sudo python3 -m pip install .",
198 |       "cd ../"
199 |     ]
200 |   }
201 | }
202 | 
203 | # IAM Role required to access SSM from EC2
204 | resource "aws_iam_role" "ssm_role" {
205 |   name               = "${terraform.workspace}_ssm_role_default"
206 |   count              = 1
207 |   assume_role_policy = <<EOF
208 | {
209 |   "Version": "2012-10-17",
210 |   "Statement": [
211 |     {
212 |       "Action": "sts:AssumeRole",
213 |       "Principal": {
214 |         "Service": "ec2.amazonaws.com"
215 |       },
216 |       "Effect": "Allow",
217 |       "Sid": ""
218 |     }
219 |   ]
220 | }
221 | EOF
222 | }
223 | 
224 | resource "aws_iam_role_policy_attachment" "ssm_role_policy" {
225 |   role       = aws_iam_role.ssm_role.0.name
226 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
227 | }
228 | 
229 | resource "aws_iam_instance_profile" "ssm_instance_profile" {
230 |   name  = "${terraform.workspace}_ssm_instance_profile"
231 |   role  = aws_iam_role.ssm_role.0.name
232 | }
233 | 
234 | # Security group for first.local
235 | resource "aws_security_group" "first-sg" {
236 |   vpc_id = aws_vpc.lab-vpc.id
237 | 
238 |   # Allow second zone to first
239 |   ingress {
240 |     protocol    = "-1"
241 |     cidr_blocks = [var.SECOND_SUBNET_CIDR]
242 |     from_port   = 0
243 |     to_port     = 0
244 |   }
245 | 
246 |   ingress {
247 |     protocol    = "-1"
248 |     cidr_blocks = [var.FIRST_SUBNET_CIDR]
249 |     from_port   = 0
250 |     to_port     = 0
251 |   }
252 | 
253 |   # Allow management from our IP
254 |   ingress {
255 |     protocol    = "-1"
256 |     cidr_blocks = var.MANAGEMENT_IPS
257 |     from_port   = 0
258 |     to_port     = 0
259 |   }
260 | 
261 |   # Allow global outbound
262 |   egress {
263 |     protocol    = "-1"
264 |     cidr_blocks = ["0.0.0.0/0"]
265 |     from_port   = 0
266 |     to_port     = 0
267 |   }
268 | }
269 | 
270 | # Security group for second.local
271 | resource "aws_security_group" "second-sg" {
272 |   vpc_id = aws_vpc.lab-vpc.id
273 | 
274 |   # Allow secure zone to first
275 |   ingress {
276 |     protocol    = "-1"
277 |     cidr_blocks = [var.FIRST_SUBNET_CIDR]
278 |     from_port   = 0
279 |     to_port     = 0
280 |   }
281 | 
282 |   ingress {
283 |     protocol    = "-1"
284 |     cidr_blocks = [var.SECOND_SUBNET_CIDR]
285 |     from_port   = 0
286 |     to_port     = 0
287 |   }
288 | 
289 |   # Allow management from Our IP
290 |   ingress {
291 |     protocol    = "-1"
292 |     cidr_blocks = var.MANAGEMENT_IPS
293 |     from_port   = 0
294 |     to_port     = 0
295 |   }
296 | 
297 |   # Allow global outbound
298 |   egress {
299 |     protocol    = "-1"
300 |     cidr_blocks = ["0.0.0.0/0"]
301 |     from_port   = 0
302 |     to_port     = 0
303 |   }
304 | }
305 | 
306 | # Add first.local MOF's to S3
307 | resource "aws_s3_bucket_object" "first-dc-mof" {
308 |   bucket     = var.SSM_S3_BUCKET
309 |   key        = "Lab/First.mof"
310 |   source     = "../dsc/Lab/First.mof"
311 |   etag       = filemd5("../dsc/Lab/First.mof")
312 | }
313 | 
314 | # Add second.local MOF's to S3
315 | resource "aws_s3_bucket_object" "second-dc-mof" {
316 |   bucket     = var.SSM_S3_BUCKET
317 |   key        = "Lab/Second.mof"
318 |   source     = "../dsc/Lab/Second.mof"
319 |   etag       = filemd5("../dsc/Lab/Second.mof")
320 | }
321 | 
322 | # Add userserver MOF's to S3
323 | resource "aws_s3_bucket_object" "user-server-mof" {
324 |   bucket     = var.SSM_S3_BUCKET
325 |   key        = "Lab/UserServer.mof"
326 |   source     = "../dsc/Lab/UserServer.mof"
327 |   etag       = filemd5("../dsc/Lab/UserServer.mof")
328 | }
329 | 
330 | # SSM parameters used by DSC
331 | resource "aws_ssm_parameter" "admin-ssm-parameter" {
332 |   name  = "admin"
333 |   type  = "SecureString"
334 |   value = "{\"Username\":\"admin\", \"Password\":\"Password@1\"}"
335 | }
336 | 
337 | resource "aws_ssm_parameter" "local-user-ssm-parameter" {
338 |   name  = "local-user"
339 |   type  = "SecureString"
340 |   value = "{\"Username\":\"local-user\", \"Password\":\"Password@1\"}"
341 | }
342 | 
343 | resource "aws_ssm_parameter" "first-admin-ssm-parameter" {
344 |   name  = "first-admin"
345 |   type  = "SecureString"
346 |   value = "{\"Username\":\"first.local\\\\admin\", \"Password\":\"Password@1\"}"
347 | }
348 | 
349 | resource "aws_ssm_parameter" "regular-user-ssm-parameter" {
350 |   name  = "regular.user"
351 |   type  = "SecureString"
352 |   value = "{\"Username\":\"regular.user\", \"Password\":\"Password@1\"}"
353 | }
354 | 
355 | resource "aws_ssm_parameter" "dnsadmin-user-ssm-parameter" {
356 |   name  = "dnsadmin.user"
357 |   type  = "SecureString"
358 |   value = "{\"Username\":\"dnsadmin.user\", \"Password\":\"Password@1\"}"
359 | }
360 | 
361 | resource "aws_ssm_parameter" "unconstrainer-user-ssm-parameter" {
362 |   name  = "unconstrained.user"
363 |   type  = "SecureString"
364 |   value = "{\"Username\":\"unconstrained.user\", \"Password\":\"Password@1\"}"
365 | }
366 | 
367 | resource "aws_ssm_parameter" "constrained-user-ssm-parameter" {
368 |   name  = "constrained.user"
369 |   type  = "SecureString"
370 |   value = "{\"Username\":\"constrained.user\", \"Password\":\"Password@1\"}"
371 | }
372 | 
373 | resource "aws_ssm_parameter" "userwrite-user-ssm-parameter" {
374 |   name  = "userwrite.user"
375 |   type  = "SecureString"
376 |   value = "{\"Username\":\"userwrite.user\", \"Password\":\"Password@1\"}"
377 | }
378 | 
379 | resource "aws_ssm_parameter" "userall-user-ssm-parameter" {
380 |   name  = "userall.user"
381 |   type  = "SecureString"
382 |   value = "{\"Username\":\"userall.user\", \"Password\":\"Password@1\"}"
383 | }
384 | 
385 | resource "aws_ssm_parameter" "compwrite-user-ssm-parameter" {
386 |   name  = "compwrite.user"
387 |   type  = "SecureString"
388 |   value = "{\"Username\":\"compwrite.user\", \"Password\":\"Password@1\"}"
389 | }
390 | 
391 | resource "aws_ssm_parameter" "gpowrite-user-ssm-parameter" {
392 |   name  = "gpowrite.user"
393 |   type  = "SecureString"
394 |   value = "{\"Username\":\"gpowrite.user\", \"Password\":\"Password@1\"}"
395 | }
396 | 
397 | resource "aws_ssm_parameter" "lapsread-user-ssm-parameter" {
398 |   name  = "lapsread.user"
399 |   type  = "SecureString"
400 |   value = "{\"Username\":\"lapsread.user\", \"Password\":\"Password@1\"}"
401 | }
402 | 
403 | resource "aws_ssm_parameter" "groupwrite-user-ssm-parameter" {
404 |   name  = "groupwrite.user"
405 |   type  = "SecureString"
406 |   value = "{\"Username\":\"groupwrite.user\", \"Password\":\"Password@1\"}"
407 | }
408 | 
409 | resource "aws_ssm_parameter" "writedacldc-user-ssm-parameter" {
410 |   name  = "writedacldc.user"
411 |   type  = "SecureString"
412 |   value = "{\"Username\":\"writedacldc.user\", \"Password\":\"Password@1\"}"
413 | }
414 | 
415 | resource "aws_ssm_parameter" "readgmsa-user-ssm-parameter" {
416 |   name  = "readgmsa.user"
417 |   type  = "SecureString"
418 |   value = "{\"Username\":\"readgmsa.user\", \"Password\":\"Password@1\"}"
419 | }
420 | 
421 | resource "aws_ssm_parameter" "clearpass-user-ssm-parameter" {
422 |   name  = "clearpass.user"
423 |   type  = "SecureString"
424 |   value = "{\"Username\":\"clearpass.user\", \"Password\":\"Password@1\"}"
425 | }
426 | 
427 | resource "aws_ssm_parameter" "dcsync-user-ssm-parameter" {
428 |   name  = "dcsync.user"
429 |   type  = "SecureString"
430 |   value = "{\"Username\":\"dcsync.user\", \"Password\":\"Password@1\"}"
431 | }
432 | 
433 | resource "aws_ssm_parameter" "roast-user-ssm-parameter" {
434 |   name  = "roast.user"
435 |   type  = "SecureString"
436 |   value = "{\"Username\":\"roast.user\", \"Password\":\"Password@1\"}"
437 | }
438 | 
439 | resource "aws_ssm_parameter" "asrep-user-ssm-parameter" {
440 |   name  = "asrep.user"
441 |   type  = "SecureString"
442 |   value = "{\"Username\":\"asrep.user\", \"Password\":\"Password@1\"}"
443 | }
444 | 
445 | output "first-dc_ip" {
446 |   value       = "${aws_instance.first-dc.public_ip}"
447 |   description = "Public IP of First-DC"
448 | }
449 | 
450 | output "user-server_ip" {
451 |   value       = "${aws_instance.user-server.public_ip}"
452 |   description = "Public IP of User Server"
453 | }
454 | 
455 | output "attack-server_ip" {
456 |   value       = "${aws_instance.attack-server.public_ip}"
457 |   description = "Public IP of Attacking Linux Team Server. SSH to this using your private key and start Covenant / Cobalt and then SSH port forward to interact."
458 | }
459 | 
460 | output "second-dc_ip" {
461 |   value       = "${aws_instance.second-dc.public_ip}"
462 |   description = "Public IP of Second-DC"
463 | }
464 | 
465 | output "timestamp" {
466 |   value = formatdate("hh:mm", timestamp())
467 | }
468 | 
469 | # Apply our DSC via SSM to first.local
470 | resource "aws_ssm_association" "first-dc" {
471 |   name             = "AWS-ApplyDSCMofs"
472 |   association_name = "${terraform.workspace}-First-DC"
473 | 
474 |   targets {
475 |     key    = "InstanceIds"
476 |     values = [aws_instance.first-dc.id]
477 |   }
478 | 
479 |   parameters = {
480 |     MofsToApply    = "s3:${var.SSM_S3_BUCKET}:Lab/First.mof"
481 |     RebootBehavior = "Immediately"
482 |   }
483 | 
484 | }
485 | 
486 | # Apply our DSC via SSM to second.local
487 | resource "aws_ssm_association" "second-dc" {
488 |   name             = "AWS-ApplyDSCMofs"
489 |   association_name = "${terraform.workspace}-Second-DC"
490 | 
491 |   targets {
492 |     key    = "InstanceIds"
493 |     values = [aws_instance.second-dc.id]
494 |   }
495 | 
496 |   parameters = {
497 |     MofsToApply    = "s3:${var.SSM_S3_BUCKET}:Lab/Second.mof"
498 |     RebootBehavior = "Immediately"
499 |   }
500 | 
501 | }
502 | 
503 | # Apply our DSC via SSM to User-Server
504 | resource "aws_ssm_association" "user-server" {
505 |   name             = "AWS-ApplyDSCMofs"
506 |   association_name = "${terraform.workspace}-User-Server"
507 | 
508 |   targets {
509 |     key    = "InstanceIds"
510 |     values = [aws_instance.user-server.id]
511 |   }
512 | 
513 |   parameters = {
514 |     MofsToApply    = "s3:${var.SSM_S3_BUCKET}:Lab/UserServer.mof"
515 |     RebootBehavior = "Immediately"
516 |   }
517 | 
518 | }
519 | 


--------------------------------------------------------------------------------
/dsc/adlab.ps1:
--------------------------------------------------------------------------------
  1 | configuration Lab {
  2 | 
  3 |     param
  4 |     (
  5 |         [Parameter(Mandatory)]
  6 |         [pscredential]$safemodeAdministratorCred,
  7 |         [Parameter(Mandatory)]
  8 |         [pscredential]$domainCred,
  9 |         [Parameter(Mandatory)]
 10 |         [string]$firstDomainName,
 11 |         [Parameter(Mandatory)]
 12 |         [string]$secondDomainName,
 13 |         [Parameter(Mandatory)]
 14 |         [pscredential]$firstDomainCred
 15 |     )
 16 | 
 17 |     Import-DscResource -ModuleName ActiveDirectoryDsc
 18 |     Import-DscResource -ModuleName NetworkingDsc
 19 |     Import-DscResource -ModuleName ComputerManagementDsc
 20 |     Import-DscResource -ModuleName PSDesiredStateConfiguration
 21 | 
 22 |     Node "First" {
 23 | 
 24 |         Computer NewName {
 25 |             Name = "First-DC"
 26 |         }
 27 |         
 28 |         WindowsFeature ADDSInstall {
 29 |             Ensure = "Present"
 30 |             Name = "AD-Domain-Services"
 31 |         }
 32 | 
 33 |         WindowsFeature ADDSTools {
 34 |             Ensure = "Present"
 35 |             Name = "RSAT-ADDS"
 36 |         }
 37 | 
 38 |         FirewallProfile DisablePublic {
 39 |             Enabled = "False"
 40 |             Name   = "Public"
 41 |         }
 42 |         
 43 |         FirewallProfile DisablePrivate {
 44 |             Enabled = "False"
 45 |             Name   = "Private"
 46 |         }
 47 |         
 48 |         FirewallProfile DisableDomain {
 49 |             Enabled = "False"
 50 |             Name   = "Domain"
 51 |         }
 52 | 
 53 |         User AdminUser {
 54 |             Ensure = "Present"
 55 |             UserName = $domainCred.UserName
 56 |             Password = $domainCred
 57 |         }
 58 | 
 59 |         Group Administrators {
 60 |             GroupName = "Administrators"
 61 |             MembersToInclude = $domainCred.UserName
 62 |             DependsOn = "[User]AdminUser"
 63 |         }
 64 | 
 65 |         ADDomain CreateDC {
 66 |             DomainName = $firstDomainName
 67 |             Credential = $domainCred
 68 |             SafemodeAdministratorPassword = $safemodeAdministratorCred
 69 |             DatabasePath = 'C:\NTDS'
 70 |             LogPath = 'C:\NTDS'
 71 |             DependsOn = "[WindowsFeature]ADDSInstall"
 72 |         }
 73 | 
 74 |         WaitForADDomain waitFirstDomain {
 75 |             DomainName = $firstDomainName
 76 |             DependsOn = "[ADDomain]CreateDC"
 77 |         }
 78 | 
 79 |         DnsServerAddress DnsServerAddress
 80 |         {
 81 |             Address        = '127.0.0.1', '10.0.2.100'
 82 |             InterfaceAlias = 'Ethernet'
 83 |             AddressFamily  = 'IPv4'
 84 |             Validate       = $false
 85 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
 86 |         }
 87 | 
 88 |         Script SetConditionalForwardedZone {
 89 |             GetScript = { return @{ } }
 90 | 
 91 |             TestScript = {
 92 |                 $zone = Get-DnsServerZone -Name $using:secondDomainName -ErrorAction SilentlyContinue
 93 |                 if ($zone -ne $null -and $zone.ZoneType -eq 'Forwarder') {
 94 |                     return $true
 95 |                 }
 96 | 
 97 |                 return $false
 98 |             }
 99 | 
100 |             SetScript = {
101 |                 $ForwardDomainName = $using:secondDomainName
102 |                 $IpAddresses = @("10.0.2.100")
103 |                 Add-DnsServerConditionalForwarderZone -Name "$ForwardDomainName" -ReplicationScope "Domain" -MasterServers $IpAddresses
104 |             }
105 | 
106 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
107 |         }
108 | 
109 |         ADGroup DomainAdmin {
110 |             Ensure = "Present"
111 |             GroupName = "Domain Admins"
112 |             MembersToInclude = $domainCred.UserName
113 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
114 |         }
115 | 
116 |         ADUser 'regular.user'
117 |         {
118 |             Ensure     = 'Present'
119 |             UserName   = 'regular.user'
120 |             Password   = (New-Object System.Management.Automation.PSCredential("regular.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
121 |             DomainName = 'first.local'
122 |             Path       = 'CN=Users,DC=first,DC=local'
123 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
124 |         }
125 | 
126 |         ADUser 'dnsadmin.user'
127 |         {
128 |             Ensure     = 'Present'
129 |             UserName   = 'dnsadmin.user'
130 |             Password   = (New-Object System.Management.Automation.PSCredential("dnsadmin.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
131 |             DomainName = 'first.local'
132 |             Path       = 'CN=Users,DC=first,DC=local'
133 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
134 |         }
135 | 
136 |         ADGroup DnsAdmin {
137 |             Ensure = "Present"
138 |             GroupName = "DnsAdmins"
139 |             MembersToInclude = "dnsadmin.user"
140 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]dnsadmin.user"
141 |         }
142 | 
143 |         ADUser 'unconstrained.user'
144 |         {
145 |             Ensure     = 'Present'
146 |             UserName   = 'unconstrained.user'
147 |             Password   = (New-Object System.Management.Automation.PSCredential("unconstrained.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
148 |             DomainName = 'first.local'
149 |             Path       = 'CN=Users,DC=first,DC=local'
150 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
151 |         }
152 | 
153 |         Script "unconstrained.user Unconstrained Delegation Set"
154 |         {
155 |             SetScript = {
156 |                 Set-ADAccountControl -Identity "unconstrained.user" -TrustedForDelegation $True
157 |             }
158 |             TestScript = { 
159 |                 $false 
160 |             }
161 |             GetScript = { 
162 |                 @{ Result = (Get-ADUser "unconstrained.user" ) } 
163 |             }
164 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]unconstrained.user"
165 |         }
166 | 
167 |         ADUser 'constrained.user' 
168 |         {
169 |             Ensure     = 'Present'
170 |             UserName   = 'constrained.user'
171 |             Password   = (New-Object System.Management.Automation.PSCredential("constrained.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
172 |             DomainName = 'first.local'
173 |             Path       = 'CN=Users,DC=first,DC=local'
174 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
175 |         }
176 | 
177 |         Script "constrained.user constrained Delegation Set"
178 |         {
179 |             SetScript = {
180 |                 $user = (Get-ADUser -Identity "constrained.user").DistinguishedName
181 |                 Set-ADObject -Identity $user -Add @{"msDS-AllowedToDelegateTo" = @("CIFS/First-DC","CIFS/First-DC.First.local","CIFS/First-DC.first.local/first.local")}
182 |             }
183 |             TestScript = { 
184 |                 $false 
185 |             }
186 |             GetScript = { 
187 |                 @{ Result = (Get-ADUser "constrained.user" ) } 
188 |             }
189 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]constrained.user"
190 |         }
191 | 
192 |         ADComputer "Constrained.Computer" 
193 |         {
194 |             Ensure = "Present"
195 |             ComputerName = "Suspicious-PC"
196 |             Path = "CN=Computers,DC=first,DC=local"
197 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
198 |         }
199 | 
200 |         Script "Suspicious-PC constrained Delegation Set"
201 |         {
202 |             SetScript = {
203 |                 $comp = (Get-ADComputer -Identity "Suspicious-PC").DistinguishedName
204 |                 Set-ADObject -Identity $comp -Add @{"msDS-AllowedToDelegateTo" = @("HTTP/First-DC","HTTP/First-DC.First.local","HTTP/First-DC.first.local/first.local")}
205 |             }
206 |             TestScript = { 
207 |                 $false 
208 |             }
209 |             GetScript = { 
210 |                 @{ Result = (Get-ADComputer "Suspicious-PC" ) } 
211 |             }
212 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
213 |         }
214 | 
215 |         ADUser 'userwrite.user'
216 |         {
217 |             Ensure     = 'Present'
218 |             UserName   = 'userwrite.user'
219 |             Password   = (New-Object System.Management.Automation.PSCredential("userwrite.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
220 |             DomainName = 'first.local'
221 |             Path       = 'CN=Users,DC=first,DC=local'
222 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
223 |         }
224 | 
225 |         Script "userwrite.user Write Permissions on User Node"
226 |         {
227 |             SetScript = {
228 |                 $Destination = (Get-ADUser -Identity "constrained.user").DistinguishedName
229 |                 $Source = (Get-ADUser -Identity "userwrite.user").sid
230 |                 $Rights = "GenericWrite"
231 |                 $ADObject = [ADSI]("LDAP://" + $Destination)
232 |                 $identity = $Source
233 |                 $adRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
234 |                 $type = [System.Security.AccessControl.AccessControlType] "Allow"
235 |                 $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
236 |                 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
237 |                 $ADObject.psbase.ObjectSecurity.AddAccessRule($ACE)
238 |                 $ADObject.psbase.commitchanges()
239 |             }
240 |             TestScript = { 
241 |                 $false 
242 |             }
243 |             GetScript = { 
244 |                 @{ Result = (Get-ADUser "userwrite.user" ) } 
245 |             }
246 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]userwrite.user"
247 |         }
248 | 
249 |         ADUser 'userall.user'
250 |         {
251 |             Ensure     = 'Present'
252 |             UserName   = 'userall.user'
253 |             Password   = (New-Object System.Management.Automation.PSCredential("userall.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
254 |             DomainName = 'first.local'
255 |             Path       = 'CN=Users,DC=first,DC=local'
256 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
257 |         }
258 | 
259 |         Script "userall.user GenericAll Permissions on User Node"
260 |         {
261 |             SetScript = {
262 |                 $Destination = (Get-ADUser -Identity "userwrite.user").DistinguishedName
263 |                 $Source = (Get-ADUser -Identity "userall.user").sid
264 |                 $Rights = "GenericAll"
265 |                 $ADObject = [ADSI]("LDAP://" + $Destination)
266 |                 $identity = $Source
267 |                 $adRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
268 |                 $type = [System.Security.AccessControl.AccessControlType] "Allow"
269 |                 $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
270 |                 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
271 |                 $ADObject.psbase.ObjectSecurity.AddAccessRule($ACE)
272 |                 $ADObject.psbase.commitchanges()
273 |             }
274 |             TestScript = { 
275 |                 $false 
276 |             }
277 |             GetScript = { 
278 |                 @{ Result = (Get-ADUser "userall.user" ) } 
279 |             }
280 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]userall.user"
281 |         }
282 | 
283 |         ADUser 'compwrite.user'
284 |         {
285 |             Ensure     = 'Present'
286 |             UserName   = 'compwrite.user'
287 |             Password   = (New-Object System.Management.Automation.PSCredential("compwrite.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
288 |             DomainName = 'first.local'
289 |             Path       = 'CN=Users,DC=first,DC=local'
290 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
291 |         }
292 | 
293 |         Script "compwrite.user Write Permissions on Comp Node"
294 |         {
295 |             SetScript = {
296 |                 $Destination = (Get-ADComputer -Identity "First-DC").DistinguishedName
297 |                 $Source = (Get-ADUser -Identity "compwrite.user").sid
298 |                 $Rights = "GenericWrite"
299 |                 $ADObject = [ADSI]("LDAP://" + $Destination)
300 |                 $identity = $Source
301 |                 $adRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
302 |                 $type = [System.Security.AccessControl.AccessControlType] "Allow"
303 |                 $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
304 |                 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
305 |                 $ADObject.psbase.ObjectSecurity.AddAccessRule($ACE)
306 |                 $ADObject.psbase.commitchanges()
307 |             }
308 |             TestScript = { 
309 |                 $false 
310 |             }
311 |             GetScript = { 
312 |                 @{ Result = (Get-ADUser "compwrite.user" ) } 
313 |             }
314 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]compwrite.user"
315 |         }
316 | 
317 |         ADUser "gpowrite.user"
318 |         {
319 |             Ensure     = 'Present'
320 |             UserName   = 'gpowrite.user'
321 |             Password   = (New-Object System.Management.Automation.PSCredential("gpowrite.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
322 |             DomainName = 'first.local'
323 |             Path       = 'CN=Users,DC=first,DC=local'
324 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
325 |         }
326 | 
327 |         Script "gpowrite.user Write Permissions on GPO"
328 |         {
329 |             SetScript = {
330 |                 Set-GPPermission -Name "Default Domain Controllers Policy" -TargetName "gpowrite.user" -TargetType "User" -PermissionLevel "GpoEdit"
331 |             }
332 |             TestScript = { 
333 |                 $false 
334 |             }
335 |             GetScript = { 
336 |                 @{ Result = (Get-ADUser "gpowrite.user" ) } 
337 |             }
338 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]gpowrite.user"
339 |         }
340 | 
341 |         ADUser 'lapsread.user'
342 |         {
343 |             Ensure     = 'Present'
344 |             UserName   = 'lapsread.user'
345 |             Password   = (New-Object System.Management.Automation.PSCredential("lapsread.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
346 |             DomainName = 'first.local'
347 |             Path       = 'CN=Users,DC=first,DC=local'
348 |             Description = 'LAPS yet to be implemented'
349 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
350 |         }
351 | 
352 |         ADUser 'groupwrite.user'
353 |         {
354 |             Ensure     = 'Present'
355 |             UserName   = 'groupwrite.user'
356 |             Password   = (New-Object System.Management.Automation.PSCredential("groupwrite.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
357 |             DomainName = 'first.local'
358 |             Path       = 'CN=Users,DC=first,DC=local'
359 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
360 |         }
361 | 
362 |         Script "groupwrite.user Write Permissions on Group"
363 |         {
364 |             SetScript = {
365 |                 $Destination = (Get-ADGroup -Identity "Domain Admins").DistinguishedName
366 |                 $Source = (Get-ADUser -Identity "groupwrite.user").sid
367 |                 $Rights = "GenericAll"
368 |                 $ADObject = [ADSI]("LDAP://" + $Destination)
369 |                 $identity = $Source
370 |                 $adRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
371 |                 $type = [System.Security.AccessControl.AccessControlType] "Allow"
372 |                 $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
373 |                 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
374 |                 $ADObject.psbase.ObjectSecurity.AddAccessRule($ACE)
375 |                 $ADObject.psbase.commitchanges()
376 |             }
377 |             TestScript = { 
378 |                 $false 
379 |             }
380 |             GetScript = { 
381 |                 @{ Result = (Get-ADUser "groupwrite.user" ) } 
382 |             }
383 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]groupwrite.user"
384 |         }
385 | 
386 |         ADUser 'writedacldc.user'
387 |         {
388 |             Ensure     = 'Present'
389 |             UserName   = 'writedacldc.user'
390 |             Password   = (New-Object System.Management.Automation.PSCredential("writedacldc.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
391 |             DomainName = 'first.local'
392 |             Path       = 'CN=Users,DC=first,DC=local'
393 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
394 |         }
395 | 
396 |         Script "writedacldc.user WriteDACL Permissions on DC"
397 |         {
398 |             SetScript = {
399 |                 $Destination = (Get-ADComputer -Identity "First-DC").DistinguishedName
400 |                 $Source = (Get-ADUser -Identity "writedacldc.user").sid
401 |                 $Rights = "WriteDACL"
402 |                 $ADObject = [ADSI]("LDAP://" + $Destination)
403 |                 $identity = $Source
404 |                 $adRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
405 |                 $type = [System.Security.AccessControl.AccessControlType] "Allow"
406 |                 $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
407 |                 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
408 |                 $ADObject.psbase.ObjectSecurity.AddAccessRule($ACE)
409 |                 $ADObject.psbase.commitchanges()
410 |             }
411 |             TestScript = { 
412 |                 $false 
413 |             }
414 |             GetScript = { 
415 |                 @{ Result = (Get-ADUser "writedacldc.user" ) } 
416 |             }
417 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]writedacldc.user"
418 |         }
419 | 
420 |         ADUser 'readgmsa.user'
421 |         {
422 |             Ensure     = 'Present'
423 |             UserName   = 'readgmsa.user'
424 |             Password   = (New-Object System.Management.Automation.PSCredential("readgmsa.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
425 |             DomainName = 'first.local'
426 |             Path       = 'CN=Users,DC=first,DC=local'
427 |             Description = 'GMSA yet to be implemented'
428 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
429 |         }
430 | 
431 |         ADUser 'clearpass.user'
432 |         {
433 |             Ensure     = 'Present'
434 |             UserName   = 'clearpass.user'
435 |             Password   = (New-Object System.Management.Automation.PSCredential("clearpass.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
436 |             DomainName = 'first.local'
437 |             Path       = 'CN=Users,DC=first,DC=local'
438 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
439 |         }
440 | 
441 |         Script "clearpass.user Password in AD"
442 |         {
443 |             SetScript = {
444 |                 Set-ADUser -Identity "clearpass.user" -Description "Remember to remove this! Password@1"
445 |             }
446 |             TestScript = { 
447 |                 $false 
448 |             }
449 |             GetScript = { 
450 |                 @{ Result = (Get-ADUser "clearpass.user" ) } 
451 |             }
452 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]clearpass.user"
453 |         }
454 | 
455 |         ADUser 'roast.user'
456 |         {
457 |             Ensure     = 'Present'
458 |             UserName   = 'roast.user'
459 |             Password   = (New-Object System.Management.Automation.PSCredential("roast.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
460 |             DomainName = 'first.local'
461 |             Path       = 'CN=Users,DC=first,DC=local'
462 |             ServicePrincipalNames = "MSSQL/sql.first.local"
463 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
464 |         }
465 | 
466 |         ADUser asrep
467 |         {
468 |             Ensure     = 'Present'
469 |             UserName   = 'asrep.user'
470 |             Password   = (New-Object System.Management.Automation.PSCredential("asrep.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
471 |             DomainName = 'first.local'
472 |             Path       = 'CN=Users,DC=first,DC=local'
473 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
474 |         }
475 | 
476 |         Script "asrep.user PreAuth Disable"
477 |         {
478 |             SetScript = {
479 |                 Set-ADAccountControl -Identity "asrep.user" -DoesNotRequirePreAuth $true
480 |             }
481 |             TestScript = { 
482 |                 $false 
483 |             }
484 |             GetScript = { 
485 |                 @{ Result = (Get-ADUser "asrep.user" ) } 
486 |             }
487 |             DependsOn = "[WaitForADDomain]waitFirstDomain", "[ADUser]asrep"
488 |         }
489 | 
490 |         Script "User-Server-RDP"
491 |         {
492 |             SetScript = {
493 |                 Start-Sleep -Seconds 300
494 |                 Invoke-Command -ComputerName "User-Server" -Scriptblock {net localgroup "Remote Desktop Users" "first\domain users" /add}
495 |             }
496 |             TestScript = { 
497 |                 $false 
498 |             }
499 |             GetScript = { 
500 |                 @{ Result = (Get-ADComputer "User-Server" ) } 
501 |             }
502 |             PsDscRunAsCredential = $firstDomainCred
503 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
504 |         }
505 | 
506 |         Script "User-Server constrained Delegation Set"
507 |         {
508 |             SetScript = {
509 |                 $comp = (Get-ADComputer -Identity "User-Server").DistinguishedName
510 |                 Set-ADObject -Identity $comp -Add @{"msDS-AllowedToDelegateTo" = @("HOST/First-DC","HOST/First-DC.First.local","HOST/First-DC.first.local/first.local")}
511 |             }
512 |             TestScript = { 
513 |                 $false 
514 |             }
515 |             GetScript = { 
516 |                 @{ Result = (Get-ADComputer "User-Server" ) } 
517 |             }
518 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
519 |         }
520 | 
521 |         Script DisableSMBSign 
522 |         {
523 |             GetScript = { 
524 |                 return @{ } 
525 |             }
526 | 
527 |             TestScript = {
528 |                 $false
529 |             }
530 | 
531 |             SetScript = {
532 |                 Set-SmbClientConfiguration -RequireSecuritySignature 0 -EnableSecuritySignature 0 -Confirm -Force
533 |             }
534 |         }
535 | 
536 |         Script DisableDefender
537 |         {
538 |             GetScript = { 
539 |                 return @{ Result = (Get-Content C:\Windows\Temp\DefenderDisable.txt) } 
540 |             }
541 | 
542 |             TestScript = {
543 |                 Test-Path "C:\Windows\Temp\DefenderDisable.txt"
544 |             }
545 | 
546 |             SetScript = {
547 |                 Uninstall-WindowsFeature -Name Windows-Defender
548 |                 $sw = New-Object System.IO.StreamWriter("C:\Windows\Temp\DefenderDisable.txt")
549 |                 $sw.WriteLine("Defender has been uninstalled")
550 |                 $sw.Close()
551 |                 $global:DSCMachineStatus = 1
552 |             }
553 |         }
554 |     }
555 | 
556 |     Node "UserServer" {
557 |         
558 |         WaitForAll DC
559 |         {
560 |             ResourceName      = '[ADUser]asrep'
561 |             NodeName          = 'First-DC'
562 |             RetryIntervalSec  = 60
563 |             RetryCount        = 15
564 |         }
565 |         
566 |         FirewallProfile DisablePublic {
567 |             Enabled = "False"
568 |             Name   = "Public"
569 |         }
570 |         
571 |         FirewallProfile DisablePrivate {
572 |             Enabled = "False"
573 |             Name   = "Private"
574 |         }
575 |         
576 |         FirewallProfile DisableDomain {
577 |             Enabled = "False"
578 |             Name   = "Domain"
579 |         }
580 |         
581 |         User localuser {
582 |             Ensure = "Present"
583 |             UserName = "local-user"
584 |             Password = $DomainCred
585 |         }
586 | 
587 |         Group Administrators {
588 |             GroupName = "Administrators"
589 |             MembersToInclude = "local-user"
590 |             DependsOn = "[User]localuser"
591 |         }
592 | 
593 |         DnsServerAddress DnsServerAddress
594 |         {
595 |             Address        = '10.0.1.100'
596 |             InterfaceAlias = 'Ethernet'
597 |             AddressFamily  = 'IPv4'
598 |             Validate       = $false
599 |             DependsOn      = "[Group]Administrators"
600 |         }
601 | 
602 |         Script DisableDefender
603 |         {
604 |             GetScript = { 
605 |                 return @{ Result = (Get-Content C:\Windows\Temp\DefenderDisable.txt) } 
606 |             }
607 | 
608 |             TestScript = {
609 |                 Test-Path "C:\Windows\Temp\DefenderDisable.txt"
610 |             }
611 | 
612 |             SetScript = {
613 |                 Uninstall-WindowsFeature -Name Windows-Defender
614 |                 $sw = New-Object System.IO.StreamWriter("C:\Windows\Temp\DefenderDisable.txt")
615 |                 $sw.WriteLine("Defender has been uninstalled")
616 |                 $sw.Close()
617 |             }
618 |         }
619 | 
620 |         Script DisableSMBSign 
621 |         {
622 |             GetScript = { 
623 |                 return @{ } 
624 |             }
625 | 
626 |             TestScript = {
627 |                 $false
628 |             }
629 | 
630 |             SetScript = {
631 |                 Set-SmbClientConfiguration -RequireSecuritySignature 0 -EnableSecuritySignature 0 -Confirm -Force
632 |             }
633 |         }
634 | 
635 |         WaitForADDomain waitFirstDomain {
636 |             DomainName = $firstDomainName
637 |             Credential = $firstDomainCred
638 |             WaitForValidCredentials = $true
639 |             WaitTimeout = 300
640 |             DependsOn = "[DnsServerAddress]DnsServerAddress"
641 |         }
642 | 
643 |         Computer JoinDomain {
644 |             Name = "User-Server"
645 |             DomainName = $firstDomainName
646 |             Credential = $firstDomainCred
647 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
648 |         }
649 |     }
650 | 
651 |     Node "Second" {
652 | 
653 |         Computer NewName {
654 |             Name = "Second-DC"
655 |         }
656 |         
657 |         WindowsFeature ADDSInstall {
658 |             Ensure = "Present"
659 |             Name = "AD-Domain-Services"
660 |         }
661 | 
662 |         WindowsFeature ADDSTools {
663 |             Ensure = "Present"
664 |             Name = "RSAT-ADDS"
665 |         }
666 | 
667 |         FirewallProfile DisablePublic {
668 |             Enabled = "False"
669 |             Name   = "Public"
670 |         }
671 |         
672 |         FirewallProfile DisablePrivate {
673 |             Enabled = "False"
674 |             Name   = "Private"
675 |         }
676 |         
677 |         FirewallProfile DisableDomain {
678 |             Enabled = "False"
679 |             Name   = "Domain"
680 |         }
681 | 
682 |         User AdminUser {
683 |             Ensure = "Present"
684 |             UserName = $domainCred.UserName
685 |             Password = $domainCred
686 |         }
687 | 
688 |         Group Administrators {
689 |             GroupName = "Administrators"
690 |             MembersToInclude = $domainCred.UserName
691 |             DependsOn = "[User]AdminUser"
692 |         }
693 |         
694 |         ADDomain CreateDC {
695 |             DomainName = $secondDomainName
696 |             Credential = $domainCred
697 |             SafemodeAdministratorPassword = $safemodeAdministratorCred
698 |             DatabasePath = 'C:\NTDS'
699 |             LogPath = 'C:\NTDS'
700 |             DependsOn = "[WindowsFeature]ADDSInstall"
701 |         }
702 | 
703 |         WaitForADDomain waitSecondDomain {
704 |             DomainName = $secondDomainName
705 |             DependsOn = "[ADDomain]CreateDC"
706 |         }
707 | 
708 |         DnsServerAddress DnsServerAddress
709 |         {
710 |             Address        = '127.0.0.1', '10.0.1.100'
711 |             InterfaceAlias = 'Ethernet'
712 |             AddressFamily  = 'IPv4'
713 |             Validate       = $false
714 |             DependsOn = "[WaitForADDomain]waitSecondDomain"
715 |         }
716 | 
717 |         Script SetConditionalForwardedZone {
718 |             GetScript = { return @{ } }
719 | 
720 |             TestScript = {
721 |                 $zone = Get-DnsServerZone -Name $using:firstDomainName -ErrorAction SilentlyContinue
722 |                 if ($zone -ne $null -and $zone.ZoneType -eq 'Forwarder') {
723 |                     return $true
724 |                 }
725 | 
726 |                 return $false
727 |             }
728 | 
729 |             SetScript = {
730 |                 $ForwardDomainName = $using:firstDomainName
731 |                 $IpAddresses = @("10.0.1.100")
732 |                 Add-DnsServerConditionalForwarderZone -Name "$ForwardDomainName" -ReplicationScope "Domain" -MasterServers $IpAddresses
733 |             }
734 |         }
735 | 
736 |         ADGroup DomainAdmin {
737 |             Ensure = "Present"
738 |             GroupName = "Domain Admins"
739 |             MembersToInclude = $domainCred.UserName
740 |             DependsOn = "[WaitForADDomain]waitSecondDomain"
741 |         }
742 | 
743 |         ADUser 'regular.user'
744 |         {
745 |             Ensure     = 'Present'
746 |             UserName   = 'regular.user'
747 |             Password   = (New-Object System.Management.Automation.PSCredential("regular.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
748 |             DomainName = 'second.local'
749 |             Path       = 'CN=Users,DC=second,DC=local'
750 |             DependsOn = "[WaitForADDomain]waitSecondDomain"
751 |         }
752 | 
753 |         ADUser 'roast.user'
754 |         {
755 |             Ensure     = 'Present'
756 |             UserName   = 'roast.user'
757 |             Password   = (New-Object System.Management.Automation.PSCredential("roast.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
758 |             DomainName = 'second.local'
759 |             Path       = 'CN=Users,DC=second,DC=local'
760 |             ServicePrincipalNames = "MSSQL/sql.second.local"
761 |             DependsOn = "[WaitForADDomain]waitSecondDomain"
762 |         }
763 | 
764 |         ADUser 'asrep.user'
765 |         {
766 |             Ensure     = 'Present'
767 |             UserName   = 'asrep.user'
768 |             Password   = (New-Object System.Management.Automation.PSCredential("asrep.user", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force)))
769 |             DomainName = 'second.local'
770 |             Path       = 'CN=Users,DC=second,DC=local'
771 |             DependsOn = "[WaitForADDomain]waitSecondDomain"
772 |         }
773 | 
774 |         WaitForADDomain waitFirstDomain {
775 |             DomainName = $firstDomainName
776 |             Credential = $firstDomainCred
777 |             WaitTimeout = 600
778 |             RestartCount = 2
779 |             DependsOn = "[Script]SetConditionalForwardedZone"
780 |         }
781 | 
782 |         ADDomainTrust DomainTrust {
783 |             TargetDomainName = $firstDomainName
784 |             TargetCredential = $firstDomainCred
785 |             TrustType = "External"
786 |             TrustDirection = "Bidirectional"
787 |             SourceDomainName = $secondDomainName
788 |             DependsOn = "[WaitForADDomain]waitFirstDomain"
789 |             Ensure = "Present"
790 |         }
791 | 
792 |         Script DisableSMBSign 
793 |         {
794 |             GetScript = { 
795 |                 return @{ } 
796 |             }
797 | 
798 |             TestScript = {
799 |                 $false
800 |             }
801 | 
802 |             SetScript = {
803 |                 Set-SmbClientConfiguration -RequireSecuritySignature 0 -EnableSecuritySignature 0 -Confirm -Force
804 |             }
805 |         }
806 | 
807 |         Script DisableDefender
808 |         {
809 |             GetScript = { 
810 |                 return @{ Result = (Get-Content C:\Windows\Temp\DefenderDisable.txt) } 
811 |             }
812 | 
813 |             TestScript = {
814 |                 Test-Path "C:\Windows\Temp\DefenderDisable.txt"
815 |             }
816 | 
817 |             SetScript = {
818 |                 Uninstall-WindowsFeature -Name Windows-Defender
819 |                 $sw = New-Object System.IO.StreamWriter("C:\Windows\Temp\DefenderDisable.txt")
820 |                 $sw.WriteLine("Defender has been uninstalled")
821 |                 $sw.Close()
822 |                 $global:DSCMachineStatus = 1
823 |             }
824 |         }
825 |     }
826 | }
827 | 
828 | $ConfigData = @{
829 |     AllNodes = @(
830 |         @{
831 |             Nodename                    = "First"
832 |             Role                        = "First DC"
833 |             RetryCount                  = 0
834 |             RetryIntervalSec            = 0
835 |             PsDscAllowPlainTextPassword = $true
836 |         },
837 |         @{
838 |             Nodename                    = "UserServer"
839 |             Role                        = "User Server"
840 |             RetryCount                  = 0
841 |             RetryIntervalSec            = 0
842 |             PsDscAllowPlainTextPassword = $true
843 |             PsDscAllowDomainUser        = $true
844 |         },
845 |         @{
846 |             Nodename                    = "Second"
847 |             Role                        = "Second DC"
848 |             RetryCount                  = 0
849 |             RetryIntervalSec            = 0
850 |             PsDscAllowPlainTextPassword = $true
851 |         }
852 |     )
853 | }
854 | 
855 | Lab -ConfigurationData $ConfigData `
856 |     -firstDomainName "first.local" `
857 |     -secondDomainName "second.local" `
858 |     -domainCred (New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force))) `
859 |     -safemodeAdministratorCred (New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force))) `
860 |     -firstDomainCred (New-Object System.Management.Automation.PSCredential("first-admin", (ConvertTo-SecureString "DoesntMatter" -AsPlainText -Force))) 
861 | 
862 | 


--------------------------------------------------------------------------------