This project allows you to easily spin up Active Directory labs in Azure using Terraform/Ansible, and forward their logs to a Log Analytics workspace that is connected to Microsoft Sentinel.
This is a fork of Adaz by christophetd.
- Microsoft Sentinel is used instead of Kibana (lower cost, as one less VM is deployed)
- Auditing & QoL changes are deployed via Group Policy instead of being set locally
- Workstations are deployed with a range of tools such as: Sysinternals suite, Wireshark, AtomicRedTeam, Notepad++, 7-Zip, Chrome, Firefox
- Includes capability for creating Sentinel alert rules using either:
  - Rules downloaded from the Sigma repository via a script, which are converted to KQL using a modified version of the sigmac configs
  - Your own custom Sigma rules
  - Your own custom KQL queries
It uses a high-level configuration file for your domain to allow you to customize users, groups and workstations.
```yaml
dns_name: hunter.lab
dc_name: DC-1
dc_ip: "10.0.10.10"

initial_domain_admin:
  username: hunter
  password: Hunt3r123.

organizational_units:
  - OU=Workstations
  - OU=Accounts
  - OU=Roles

users:
  - username: barry
    OU: OU=Accounts
  - username: iris
    OU: OU=Accounts

groups:
  - dn: CN=Hunters,OU=Roles
    members: [barry, iris]

default_local_admin:
  username: localadmin
  password: Localadmin!

workstations:
  - name: BARRY-WKS
    local_admins: [barry]
  - name: IRIS-WKS
    local_admins: [iris]

enable_windows_firewall: no
```
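As an added example (not part of the project), a Python check of a parsed `domain.yml` that catches the cross-reference mistakes this format invites before `terraform apply` is run: a user placed in an undeclared OU, a group member or workstation local admin that is not a defined user, a duplicated workstation name, and a domain admin password reused for the default local admin. `load_domain` and the PyYAML import are assumptions; `SAMPLE` is the configuration above as a dict.

```python
def load_domain(path):
    """Parse domain.yml with PyYAML (assumed installed in ansible/venv)."""
    import yaml  # lazy import so validate_domain() runs without PyYAML
    with open(path) as fh:
        return yaml.safe_load(fh)

def validate_domain(cfg):
    """Return a list of problems in a parsed domain.yml; an empty list means it is consistent."""
    problems = []
    ous = set(cfg.get("organizational_units", []))
    users = {u["username"] for u in cfg.get("users", [])}
    for u in cfg.get("users", []):  # every user must sit in a declared OU
        if u.get("OU") not in ous:
            problems.append(f"user {u['username']}: OU {u.get('OU')!r} not declared")
    for g in cfg.get("groups", []):  # group DN under a declared OU, members defined
        dn = g["dn"]
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if parent not in ous:
            problems.append(f"group {dn}: parent {parent!r} not a declared OU")
        problems += [f"group {dn}: member {m!r} not a defined user"
                     for m in g.get("members", []) if m not in users]
    seen = set()
    for w in cfg.get("workstations", []):  # unique names, local admins defined
        name = w["name"].upper()
        if name in seen:
            problems.append(f"workstation {w['name']}: duplicate name")
        seen.add(name)
        problems += [f"workstation {w['name']}: local admin {a!r} not a defined user"
                     for a in w.get("local_admins", []) if a not in users]
    da, la = cfg.get("initial_domain_admin", {}), cfg.get("default_local_admin", {})
    if da.get("password") and da.get("password") == la.get("password"):
        problems.append("domain admin and default local admin share a password")
    return problems

# Constructed sample: the domain.yml above as PyYAML parses it (YAML `no` -> False).
SAMPLE = {
    "dns_name": "hunter.lab", "dc_name": "DC-1", "dc_ip": "10.0.10.10",
    "initial_domain_admin": {"username": "hunter", "password": "Hunt3r123."},
    "organizational_units": ["OU=Workstations", "OU=Accounts", "OU=Roles"],
    "users": [{"username": "barry", "OU": "OU=Accounts"},
              {"username": "iris", "OU": "OU=Accounts"}],
    "groups": [{"dn": "CN=Hunters,OU=Roles", "members": ["barry", "iris"]}],
    "default_local_admin": {"username": "localadmin", "password": "Localadmin!"},
    "workstations": [{"name": "BARRY-WKS", "local_admins": ["barry"]},
                     {"name": "IRIS-WKS", "local_admins": ["iris"]}],
    "enable_windows_firewall": False,
}
```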
Here's an incomplete and biased comparison with Adaz & DetectionLab:
| | Adaz-Sentinel | Adaz | DetectionLab |
|---|---|---|---|
| Public cloud support | Azure | Azure | AWS, Azure (beta) |
| Expected time to spin up a lab | 18-25 minutes | 15-20 minutes | 25 minutes |
| Log management & querying | Microsoft Sentinel | Elasticsearch + Kibana | Splunk Enterprise |
| WEF | 🚫 | ✔️ | ✔️ |
| Audit policies | ✔️ | ✔️ | ✔️ |
| Sysmon | ✔️ | ✔️ | ✔️ |
| YAML domain configuration file | ✔️ | ✔️ | 🚫 |
| Multiple Windows 10 workstations support | ✔️ | ✔️ | 🚫 |
| VirtualBox/VMware support | 🚫 | 🚫 | ✔️ |
| osquery / fleet | 🚫 | 🚫 | ✔️ |
| PowerShell transcript logging | ✔️ | 🚫 | ✔️ |
| IDS logs | 🚫 | 🚫 | ✔️ |
| Sigma rules | ✔️ | 🚫 | 🚫 |
| Invoke-AtomicRedTeam | ✔️ | 🚫 | ✔️ |
- Detection engineering: Having access to a clean, standardized lab is a great way to understand what traces common attacks and lateral movement techniques leave behind.
- Learning Active Directory: Useful for testing GPOs or various AD features (AppLocker, LAPS...).
Note: This has been tested on an M1 MacBook Air and an Ubuntu VM. I have not tried this on Windows or WSL, so please let me know if it works.
- An Azure subscription. You can create one for free and get $200 of credits for the first 30 days. Note that this type of subscription has a limit of 4 vCPUs per region, which still allows you to run 1 domain controller and 2 workstations (with the default lab configuration).
- Terraform >= 0.12 (tested on 1.2.5)
- You must be logged in to your Azure account by running `az login`. You can use `az account list` to confirm you have access to your Azure subscription.
- Clone this repository:

  ```bash
  git clone https://github.com/Ben4FH/Adaz-Sentinel.git
  ```

- Create a virtual env and install the Ansible dependencies:

  ```bash
  # Note: the virtual env needs to be in ansible/venv
  cd Adaz-Sentinel/
  python3 -m venv ansible/venv
  source ansible/venv/bin/activate
  pip install -r ansible/requirements.txt
  deactivate
  ```

- Pull the latest Sigma rules and convert them to KQL using the provided script.
  - The first time you run it, it will take about 10 minutes as it needs to convert all the rules.
  - Subsequent runs will take very little time as only new rules are converted.

  ```bash
  # Go to the sigma folder
  cd terraform/files/sigma
  ./convert_rules.sh
  ```

- Initialize Terraform and apply.
  - This process will take between 18 and 25 minutes.

  ```bash
  # Go back to the terraform folder
  cd ../../
  terraform init
  terraform apply
  ```

- Destroy the lab when you are finished with it by running the provided script. This script will purge the Log Analytics workspaces, remove the resource group, and delete the Terraform state file. This process should take 4-5 minutes.
  - If you do not feel comfortable relying on this, feel free to check the Azure Portal to confirm that the resource group was deleted.

  ```bash
  # More reliable than running terraform destroy
  ./destroy.sh
  ```
Optionally edit `domain.yml` according to your needs (reference here), then run:

```bash
terraform apply
```

Resource creation and provisioning takes 18-25 minutes. As long as you do not get any errors, you will have an output similar to the one below. If the error you got was for a rule, you can add it to `failed.csv` so that the rule is skipped next time, or you can fix the rule and move it to the override folder. If you get an error you can still view this output by running `terraform output`.
```
dc_public_ip = 13.89.191.140
workstations_public_ips = {
  "BARRY-WKS" = "52.165.182.15"
  "IRIS-WKS" = "52.176.5.229"
}
what_next =
####################
### WHAT NEXT? ###
####################
Check your log analytics workspace to make sure logs are being received.
It may take around 2 minutes for the SecurityEvent table to start to populate.
If the below query returns results for the workstations then you should be fine.

SecurityEvent
| where TimeGenerated >= ago(5m)
| where EventID == "4688"
| summarize count() by Computer
```
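The readiness check above, extended as an added example (not part of the project): compare the rows the query returns with the hosts defined in `domain.yml`, so a workstation that is silent, or a computer that is not part of the lab, stands out instead of being lost in the result list. The `LAB` dict and the rows are constructed; `check_ingestion` is a hypothetical helper name.

```python
# Constructed sample of what the query above might return for the lab in
# domain.yml, as (Computer, count_) rows. Computer in SecurityEvent is normally
# the FQDN, so the lab's dns_name is needed to match hosts back to the config.
LAB = {"dns_name": "hunter.lab", "dc_name": "DC-1",
       "workstations": ["BARRY-WKS", "IRIS-WKS"]}
ROWS = [("DC-1.hunter.lab", 41), ("barry-wks.hunter.lab", 12),
        ("OTHER-PC.hunter.lab", 3)]


def check_ingestion(lab, rows):
    """Return (silent, unmatched): configured hosts with no 4688 events in the
    query window, and reporting computers that are not part of the configured lab
    (a host missing from domain.yml, or one outside the lab's DNS domain)."""
    suffix = "." + lab["dns_name"].lower()
    expected = {lab["dc_name"].upper()} | {w.upper() for w in lab["workstations"]}
    reporting, unmatched = set(), []
    for computer, count in rows:
        if count <= 0:
            continue
        name = computer.lower()
        if name.endswith(suffix):
            short = name[: -len(suffix)].upper()
            if short in expected:
                reporting.add(short)
                continue
        unmatched.append(computer)
    return sorted(expected - reporting), unmatched


if __name__ == "__main__":
    silent, unmatched = check_ingestion(LAB, ROWS)
    print("configured hosts not reporting 4688:", silent or "none")
    print("computers not matching domain.yml:", unmatched or "none")
```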
By default, resources are deployed in the West Europe region under a resource group `ad-hunting-lab`. You can control the region with a Terraform variable:

```bash
terraform apply -var 'region=East US 2'
```
- Frequently Asked Questions
- `domain.yml` reference
- Sigma Rule Conversion
- GPO list
- Detailed architecture
- Troubleshooting common issues
- Common Operations: adding users, destroying the lab, etc.
- Project structure and directory organization
- Terraform variables available
- Create an additional parser for the SecurityEvent events so that `parse_xml` is not required in the `ala-new.yml` file
- Add functionality to `ala-new.py` to allow keyword searching
Feel free to open an issue.