Hi David,

I stumbled upon your tool while searching for training resources for blue teamers. I love the idea of creating a deliberately vulnerable Active Directory environment.
I would like to discuss a feature suggestion:

It would be interesting to work towards a known-good state of the domain. A predefined state of how the domain should look like in the end. This way trainees can reflect on gaps of their applied changes and the predefined result of the known-good state.

Usage of BadBlood in training sessions would look like this:

1. Generate objects of known-good state in domain
2. Apply randomize*-Scripts
3. Trainee starts discovering domain
4. Trainee applies changes to domain
5. End training session, run check script / reflect on coverage of changes

I guess the problem on implementing a known-good state is, that the domain objects are not setup with any special permissions at the beginning. According to the current code in InvokeBadBlood.ps1 the permissions are set in the last step
(

What do you think about this feature?

Line 31, wrong message. The option is for user groups, but the message says users

It seems that It can't load CSS files.

https://www.secframe.com/badblood/

i am able to install badblood without any error but when i look into the AD, i can see that no machine was added to my DC. is it just me facing this issue or everyone else is facing this too?? attached is a screenshot

I downloaded the zip, extracted to desktop.
Then opened up powershell and executed the command .\invoke-badblood.ps1
I'm not sure if it's my problem or what but I can't get it to work in any way.

Hello there,

First of all, I REALLY like what you're doing with Bad Blood. I've had it bookmarked forever and was super excited to give it a spin in the lab today. I have a fresh 2016 DC and ran BB on it and now my domain is very dirty - awesome.

Question for you on user credentials. For grins I used ntdsutil to dump out all the hashes and was having some folks test cracking passwords on those accounts. After not cracking a single password for quite a while, I looked at the CreateUsers.ps1 and can see the function for adding random/strong passwords to users.

To make this environment feel a little more like a typical customer network, I'd like to tweak that script to have a minimum length of 8 and maximum length of 12 character passwords. I think I see where to do that in the script, but ideally I'd also have the password itself come from a list of passwords I specify.

I'm not too sharp with PowerShell so if you have any advice please let me know, otherwise yes I'll certainly RTFM for PowerShell if that's the next best step 👍

Thanks!
Brian

Maybe it's a good idea to add -passwordneverexpires $true to the New-ADUser cmdlet in AD_Users_Create/CreateUsers.ps1 in line 293.
Otherwise they will expire after about a month and that's usually not super realistic.