BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is run on a domain, security analysts and engineers can practice using tools to gain an understanding of Active Directory and prescribe how to secure it. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
I downloaded the zip, extracted to desktop.
Then opened up powershell and executed the command .\invoke-badblood.ps1
I'm not sure if it's my problem or what but I can't get it to work in any way.
Maybe it's a good idea to add -passwordneverexpires $true to the New-ADUser cmdlet in AD_Users_Create/CreateUsers.ps1 in line 293.
Otherwise they will expire after about a month and that's usually not super realistic.
I stumbled upon your tool while searching for training resources for blue teamers. I love the idea of creating a deliberately vulnerable Active Directory environment.
I would like to discuss a feature suggestion:
It would be interesting to work towards a known-good state of the domain. A predefined state of what the domain should look like in the end. This way trainees can reflect on the gaps between their applied changes and the predefined result of the known-good state.
Usage of BadBlood in training sessions would look like this:
Generate objects of known-good state in domain
Apply randomize*-Scripts
Trainee starts discovering domain
Trainee applies changes to domain
End training session, run check script / reflect on coverage of changes
I guess the problem with implementing a known-good state is that the domain objects are not set up with any special permissions at the beginning. According to the current code in InvokeBadBlood.ps1 the permissions are set in the last step (write-host "Creating Permissions on Domain" -ForegroundColor Green). This means the freshly generated AD objects before this line have no special permission setup and the setup does not represent any real-world experience.
I am able to install BadBlood without any error, but when I look into the AD, I can see that no machine was added to my DC. Is it just me facing this issue or is everyone else facing this too? Attached is a screenshot.
First of all, I REALLY like what you're doing with Bad Blood. I've had it bookmarked forever and was super excited to give it a spin in the lab today. I have a fresh 2016 DC and ran BB on it and now my domain is very dirty - awesome.
Question for you on user credentials. For grins I used ntdsutil to dump out all the hashes and was having some folks test cracking passwords on those accounts. After not cracking a single password for quite a while, I looked at the CreateUsers.ps1 and can see the function for adding random/strong passwords to users.
To make this environment feel a little more like a typical customer network, I'd like to tweak that script to have a minimum length of 8 and maximum length of 12 character passwords. I think I see where to do that in the script, but ideally I'd also have the password itself come from a list of passwords I specify.
I'm not too sharp with PowerShell so if you have any advice please let me know, otherwise yes I'll certainly RTFM for PowerShell if that's the next best step.
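An added example, not BadBlood's own code and not from any of the posters above, that combines the two tweaks raised in this thread: the -PasswordNeverExpires $true setting suggested for New-ADUser, and lab user passwords drawn from a list the trainer supplies, restricted to 8 to 12 characters. It assumes the ActiveDirectory module is present on the lab DC; the OU path and the list file path are placeholders.

```powershell
# Added example (not from the BadBlood project): seed lab users with passwords
# taken from a trainer-supplied list, filtered to an 8-12 character window,
# and mark them -PasswordNeverExpires so they do not expire mid-exercise.
Import-Module ActiveDirectory

function Get-LabPassword {
    param(
        [Parameter(Mandatory)][string[]]$Candidates,
        [int]$MinLength = 8,
        [int]$MaxLength = 12
    )
    # Keep only list entries that fall inside the requested length window
    $eligible = $Candidates | Where-Object {
        $_.Length -ge $MinLength -and $_.Length -le $MaxLength
    }
    if (-not $eligible) {
        throw "No entries in the list are between $MinLength and $MaxLength characters"
    }
    # Get-Random on an array returns one randomly chosen element
    return ($eligible | Get-Random)
}

function New-LabUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$PasswordList,
        [string]$OuPath = 'OU=Lab,DC=example,DC=local'   # placeholder OU
    )
    $plain  = Get-LabPassword -Candidates $PasswordList
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $true -Path $OuPath

    # Return what was set so the trainer can keep an answer key for the session
    [pscustomobject]@{ User = $SamAccountName; Password = $plain }
}

# Usage (placeholder path): the list file holds one candidate password per line
# $list = Get-Content 'C:\lab\passwords.txt'
# New-LabUser -SamAccountName 'jdoe' -PasswordList $list
```

The returned object is the record the trainer keeps; hooking Get-LabPassword into CreateUsers.ps1 in place of the random strong-password function gives the same effect for bulk generation.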