Creating Active Directory Labs for Blue and Red Teams

redteaming vulnerability

Nowadays most enterprises are using Active Directory for building their internal infrastructure. Therefore, it is important to understand common pitfalls and how to detect adversarial activities in the network.

Sec Admin logon screen main pic - SEC Consult

In this article, Sven Bernhard will describe how Blue and Red Teams can create Active Directory Labs for training and testing purposes. He explains how to set up the Active Directory environment as well as how to introduce common misconfigurations / vulnerabilities on purpose. Furthermore, a monitoring server setup using Microsoft ATA is described.

Think about how you like to set up your lab environment:

  1. Cloud
  2. Hardware


Setup of the lab environment on one of the different cloud hosting providers like AWS, Azure or Google Cloud.


  • Unlimited resources
  • Easily accessible from anywhere
  • You pay only if the lab is running


Can be very expensive (7 Machines with 2 CPU, 4GB RAM and 80 Gigs of storage will cost around 300-400 USD per month – if they are running 24/7)


The easiest way is to build a lab just on your personal computer is with a virtualization software like VirtualBox, VMware Workstation or Hyper-V, but a lot of resources are needed to have all machines up and running. Therefore, I recommend building a dedicated lab server.
Used server hardware is cheap nowadays. Following an example configuration:

Part Amount Price ($)
Intel Xeon E5-2690v2 CPU 2x 290,00
Supermicro X9DRi-LN4F+ Motherboard 1x 170,00
128GB (8×16 GB) DDR3 PC3-12800R (1600 Mhz) ECC RAM 1x 250,00
256 GB SSD 1x 30,00
1 TB SSD 1x 100,00
EE-ATX Case (e.g. Zofos Evo Window Bit-Tower) 1x 150,00
750-Watt Power Supply (e.g. Corsair XC Series 750 Watt 80 Plus Bronze) 1x 90,00
ZOTAC GeForce GT 730 Zone Edition 4GB DDR3 GPU 1x 80,00
Noctua NH-U9S, Premium CPU Cooler 2x 60,00
TOTAL 1570,00

To check how many rearms are left just enter the following command:

PS > slmgr -dlv

Lab Setup

To install the Windows Operating Systems, Microsoft Windows Server Evaluation versions can be used. The versions are valid for 180 days, the trial period can be extended up to six times for additional 180 days.

The evaluation versions can be downloaded here:

To extend the period the following command must be issued once the trial period comes to an end:

PS > slmgr -rearm

To check how many days are left in the trial period just issue the following command:

PS > slmgr -dli

Windows Script Host Timebased Activation Expiration screen - SEC Consult

To check how many rearms are left just enter the following command:

PS > slmgr -dlv

Windows Script Host Rearm count screen - SEC Consult

Another option is to get a MSDN/VisualStudio subscription where the most Microsoft products are included, the subscription costs $1,199 for the first year and $799 for the renewal per year.

VisualStudio subscription screen - SEC Consult

Installing The Domain Environment

Create VMs and install the number of servers (with Windows Server 2016 / 2019) you like to have in your lab, I recommend 2-3 Domain Controllers and 2-3 Servers first. The lab can be extended over time. After installing a few Windows Server 2016 / 2019 VMs , it is time to create forests, promote the domain controllers and add some servers or workstations.

Create a Root Domain

The first step is to promote a parent domain controller in the forest root:

Open the Server Manager and go to Local Server.


Click on Computer name:

Selecting computer name screen - SEC Consult
Change option screen - SEC Consult

Click on Change:

Computer name/Domain changes screen - SEC Consult

Change the Computer name:

Computer restart CTA screen - SEC Consult

Restart the machine:

Adding roles and features from Server Manager screen - SEC Consult

After the reboot, open Server Manager and click on Add roles and features:

Selecting Role-Based or feature-based installation screen - SEC Consult

As Installation Type choose Role-Based or feature-based installation:

Automatic server set up screen - SEC Consult

“Select a server from the server pool” will automatically set up your server, you just need to click on Next:

Addiing  Features from Active Directory Domain Services popup window - SEC Consult

Choose Active Directory Domain Services and click on Add Features in the popup window:

Next CTA before Install confirmation screen - SEC Consult

Confirm 3 times with Next and then on Install:

Selecting Promote this server to a domain controller CTA screen - SEC Consult

Wait for the installation to finish and click on yellow exclamation mark on top right of the Server Manager and choose Promote this server to a domain controller:

Entering root domain name screen - SEC Consult

Choose the deployment configuration – Add a new forest and enter your root domain name:

Prerequisites Check CTA screen - SEC Consult

Enter a password and click on Next until you can click on Install:

Domain login as admin screen - SEC Consult

Login to the domain as administrator:

Static IP address set up screen - SEC Consult

Set a static IP address for your server in Control Panel\Network and Internet\Network Connections:

DNS to DC01 configuration for static IP screen - SEC Consult

Child Domain

The root domain controller is up and running, it is time to promote a child domain controller and build a trust relationship between the parent and the child domain. For this purpose, we will do almost the same steps as for the parent domain. The only difference is that we will not create a new forest but adding a new domain to an existing forest (Deployment Configuration of the parent dc). A user who is in the enterprise admin group of the parent domain must be used to enroll the domain.

Set a static IP for the machine and point its DNS to DC01:

Adding a new domain to an existing forest as deployment configuration screen - SEC Consult

Repeat the steps previous steps (how to promote a domain controller) until choosing the deployment configuration.

As Deployment Configuration, choose Add a new domain to an existing forest and enter your details:

DSRM password setting and confirmation until installation CTAs screen - SEC Consult

Set a DSRM password and confirm the installation by clicking on Next until you can choose Install:

Login to the child domain controller post reboot screen - SEC Consult

After the reboot you can log in to the child domain controller:

Static IP address configuration and DNS pointing to domain’s DNS server/DC screen - SEC Consult

Enrolling Computers

Now, some workstations / servers need to be installed and added to the network.

Give the computers also a static IP address and point the DNS to the domain’s DNS server / DC:

Renaming the computer in Server Manager screen - SEC Consult

Click on Computer name in the Server Manager and rename the computer:

Joining domain under Workgroup screen - SEC Consult

After the restart, join the domain under Workgroup (below Computer name in the Server Manger):

User of enterprise admins group of the domain PW prompt screen - SEC Consult

Enter the password of a user of the enterprise admins group of the domain:

Permissions to service command prompt screen - SEC Consult

Repeat this step for every machine you want to add to your test network.

Introducing Vulnerabilities / Misconfigurations

Following, some examples on how to introduce vulnerabilities / misconfigurations to the systems.

Vulnerable Services

To introduce a vulnerable service, you can either search for a software which already contains a vulnerable service, or you can just modify an existing service. For example, change the permissions of a service to a user / group to manage it. Vulnerable services must be configured directly on the machine where the service is running using the local administrator of the computer.

To change the permissions of a service one of the following methods can be used:


A standard built-in Windows method to manage system service permissions supposes using the Service Controller utility (sc.exe). You can get the current permissions to the service like this:

PS > sc.exe sdshow <SERVICE NAME>

The first letter after brackets means: allow (A) or deny (D).
Next symbols granting different rights on the service:

CC — SERVICE_QUERY_CONFIG (request service settings)
LC — SERVICE_QUERY_STATUS (service status polling)

The last 2 characters are objects (user group or SID) that are granted permissions.

Following a list of possible aliases:

Alias Meaning
AU Authenticated Users
AO Account Operators
RU Alias to allow previous Windows 2000
AN Anonymous Login
BA Built-in Administrators
BG Built-in Guests
BO Backup Operators
BU Built-in Users
CA Certificate Server Administrators
CG Creator Group
CO Creator Owner
DA Domain Administrators
DC Domain Computers
DD Domain Controllers
DG Domain Guests
DU Domain Users
EA Enterprise Administrators
ED Enterprise Domain Controllers
WD Everyone
PA Group Policy Administrators
IU Interactively Logged-on User
LA Local Administrator
LG Local Guest
LS Local Service Account
SY Local System
NU Network Logon User
NO Network Configuration Operators
NS Network Service Account
PO Printer Operators
PS Personal Self
PU Power Users
RS RAS Servers Group
RD Terminal Server Users
RE Replicator
RC Restricted Code
SA Schema Administrators
SO Server Operators
SU Service Logon User
Microsoft Management Console opening prompt - SEC Consult

To set the permissions the following syntax can be used:

PS > sc.exe sdset <service name> <Security Descriptor in SDDL format>

For example, the spooler service permissions can be changed, that any user can restart the service, using the following command:


Windows Security Templates:

Another option to grant rights to a service is a Security Template.

First, press Windows + R and open the Microsoft Management Console (mmc.exe):

Adding the Security Templates snap-in screen - SEC Consult

Add the Security Templates snap-in (CTRL+M for add or remove snap ins). Add Security Configuration and Analysis and Security Templates:

New Template Creation screen - SEC Consult

It is possible to specify an own path by right-clicking on Security Templates from the console tree and selecting New Template Search Path…. If no path is selected the default path %username%\documents\security\templates is used.

Right click on the path in the tree structure and choose New Template…:

New Template visible screen - SEC Consult

Choose a Template name and click OK. A new template is visible in the console:

Naming the database screen - SEC Consult

Security Database is required. Right-click Security Configuration and Analysis from the console tree and select Open Database… Enter a name for the database and click Open:

Import Template window with created templates screen - SEC Consult

An Import Template window appears. Browse to the previously created template and select it:

Creation of tree structure for Security Configuration and Analysis screen - SEC Consult

Right-click Security Configuration and Analysis from the console tree and select Analyze Computer …

A tree structure for Security Configuration and Analysis was created:

Defining the policy in the database selection screen - SEC Consult

Double-Click System Services and scroll down to find the service you need to change, e.g. Print Spooler and double click on it. Tick the box Define this policy in the database:

 Edit Security… button click screen - SEC Consult

Click the Edit Security button click on Add and type in the group or user you want to grant permissions to:

Permission granting for group or user screen - SEC Consult

With the account selected grant the needed permissions and click OK.

X mark and Investigate message on Permission column screen - SEC Consult

Click OK on the Service Properties to bring you back to the console. The service now will appear with an X next to it as well as an Investigate message on the Permission column:

Windows+R and regedit to open registry screen - SEC Consult

This is because the new permissions causing a conflict with what is configured on the local machine. To apply the new permissions, right click on Security Configuration and Analysis from the console tree and select Configure Computer…

Now the service can be abused by the configured user / group.

PowerShellAccessControl Module:

It will be also possible to use PowerShell to misconfigure a service on a computer. A PowerShell module called PowerShellAccessControl can be found in TechNet gallery. This module can be used for managing permissions for different Windows objects.

To download the module just click here:

Import the module to your current PowerShell session:

PS > Import-Module PowerShellAccessControl

View granted permissions:
PS > Get-Service spooler | Get-EffectiveAccess -Principal SEC\user01

Change the permissions of a non-administrative user to interact with a service:
Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal SEC\user01

Now SEC\user01 will be able to start and stop the spooler service.

PS > Import-Module PowerShellAccessControl

View granted permissions:

PS > Get-Service spooler | Get-EffectiveAccess -Principal SEC\user01

Change the permissions of a non-administrative user to interact with a service:

Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal SEC\user01

Now SEC\user01 will be able to start and stop the spooler service.

Unquoted Service Paths:

If a service is created which executable path contains spaces and isn’t enclosed within quotes, the service is exposed to a vulnerability known as Unquoted Service Path which enables adversaries to elevate privileges.

Edit the ImagePath in the Windows Registry of any installed Service to make it vulnerable:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Name of Service]

To open the registry editor just use Windows+R and type regedit.

Modifying the service prompt screen - SEC Consult

Next open the services folder in the tree structure and modify the service as follows:

Autologon screen - SEC Consult

Service abuse usually leads to local privilege escalation. Once an adversary took over such a user/group which can interact with a service, it will for example be possible to stop the service, exchange its binary with a malicious one and restart the service. More information on local privilege escalation can be found at the SEC Consult article “Windows Privilege Escalaction – an Approach for Penetration Testers“.

Active Sessions

To create an active session, you can either just login to the server manually (and do a snapshot while the machine is running).

Or, use Autologon from the Sysinternals Suite:

It is a portable executable where you just enter the credentials and the domain name and click on Enable. From now on, the selected user will automatically logon to the machine once the machine starts.

runas command to save user credentials in local credential manager screen - SEC Consult

The password is encrypted, it is not possible to browse through the registry to find it.


Different credentials can be saved in the Windows Credential Manager. Credentials of local or domain users as well as credentials for other programs like Internet Explorer.

To save website credentials for Internet Explorer just browse to a web application and login, click on save credentials. The credentials will now be saved in the credential manager and can be obtained by adversaries.

To expose domain or local credentials the runas command with the parameter /savecred can be used:

PS > runas /user:<DOMAIN\USERNAME> /savecred <PROGRAM>

This will save the user credentials in the local credential manager:

Windows credentials modification notification screen - SEC Consult

SPN Misconfiguration (Kerberoast)

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs are associated with at least one service logon account.

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller. The hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline brute force attacks. Cracked hashes may enables adversaries to perform persistence, privilege escalation, and lateral movement via access to valid accounts.

To make an SPN vulnerable, make sure a weak password is used.

Commands to type on the domain controller screen - SEC Consult

Enter the following commands on the domain controller:

PS > net user user01 ‘Pa$$w0rd’ /ADD /DOMAIN

PS > setspn -s http/srv01.sec.lab.local:80 user01

SPN Misconfiguration RHC Active Directory Users and Computers selection screen - SEC Consult

SPN Misconfiguration (AS-REP Roast)

In order to exploit AS-REP Roast, Kerberos preauthentication needs to be disabled. Without Kerberos Pre-Authentication an adversary can directly send a request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline.

The misconfiguration can be introduced on the domain controller like:

Click on Active Directory Users and Computers:

User tab click for New user creation screen - SEC Consult

Create a New User by expanding the domain tree and right click on the User tab:

“Do not require Kerberos preauthentication” option config screen - SEC Consult

After the user was created and the password was set, right click on the user and open Properties, click on Account and set the option “Do not require Kerberos preauthentication”:

 Tools and Group Policy Manager click prompts screen - SEC Consult

GPO Misconfiguration

A Group Policy Object is an Active directory container and used for group policy settings which can be used as a resource to control users and computers. GPOs can be used to allow or disallow certain actions for a group of users or computers such as disable local admin access.

In our example we will create a GPO which grants local administrator permissions on a specific server. We will then delegate the permissions to another user. If an adversary takes over this user, it will be possible to change the GPO and create own local administrators on the machines which are linked to that GPO.

Perform the following steps on a domain controller:

Click on Tools and on Group Policy Manager:

Linking the GPO to the OU prompt screen - SEC Consult

Link the GPO to the desired OU, click on Create a GPO in this domain, and Link it here:

New Group creation on desired OU in Active Directory Users and Computers screen - SEC Consult

Create a Group and link it to the GPO. Go to Active Directory Users and Computers, right click on the desired OU and click on New and choose Group:

New Group creation screen - SEC Consult

Create the group:

GPO configuration prompt screen - SEC Consult

Configure the GPO:

Group Policy Management Editor CTAs screen - SEC Consult

Press Edit… and the Group Policy Management Editor will pop up. In the editor choose Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups right click and add the previously created group to the GPO. Select This group is a member of administrators:

Validation screen - SEC Consult

Click on OK:

Updating Group Policy settings screen - SEC Consult

Update the Group Policy settings using gpupdate:

PS > gpupdate /force

. Adding user of the domain with edit rights on the GPO screen - SEC Consult

Now all users in the LocalAdmin group have local admin permission on the linked machines. Add a user of the domain having edit rights on the GPO. Click on the created GPO and go to delegation and Add… a user.

User permissions granted to Edit settings, delete, modify security on the GPO screen - SEC Consult

SEC\user01 has permissions to Edit settings, delete, modify security on the GPO now, and will be able to abuse the permissions in several ways to compromise machines/users which are affected by the GPO. For example, adversaries can push malicious startup scripts or installing a backdoor.

Misconfigured Permissions

ACLs and ACEs define the permissions on specific objects like users, computers or groups (e.g. change accounts names, reset passwords, etc.) in Active Directory.

Following table shows some permissions which can be abused by adversaries:

CL/ACE Function
GenericAll Full permissions on an Object
GenericWrite Almost full permissions on an Object, many attributes can be updated.
WriteOwner Change object owner
WriteDACL Object can be modified – will allow adversaries to gain full access on the object
AllExtendedRights Permission adding users to a group or reset user’s passwords
ForceChangePassword Permission to change user’s passwords
Self Permission to add yourself to a group
Adding Builtin Administrators screen - SEC Consult

In this example we will be using the previously created LocalAdmins group and grant GenericAll permissions to a specific user:

Open Active Directory Users and Computers on the domain controller and right click on our group and click on Properties, then we choose Member Of and add the Builtin Administrators:

Choosing a domain user with permissions to manage group screen - SEC Consult

Go to the tab Managed By and click on Change to choose a domain user which will have the permissions managing this group:

Manager can update membership list box ticking screen - SEC Consult

Click on Manager can update membership list:

Delegation option selection screen - SEC Consult

Apply the settings. Adversaries, who compromised SEC\user02, would now be able to add and modify all objects for the LocalAdmins group.

Unconstrained Delegation

Delegation is used when a server or service account needs to impersonate a user. For example, a front-end webserver impersonates users when accessing a backend database. If unconstrained delegation is configured on a server, it allows the server to impersonate connecting users. Computer and user objects can get unconstrained delegation assigned. Normally it will be assigned to computers running services.

How to setup unconstrained delegation:

Go to Active Directory Users and Computers on the domain controller and right click on the computer where the service is running, choose Delegation and tick the following:

Advanced Features selection for verification screen - SEC Consult

Click on OK and verify if everything worked. To verify click on View and tick Advanced Features:

Trusted for delegation entry in attribute UserAccountControl screen - SEC Consult

Open Properties of the computer again and click on Attribute Editor. The attribute UserAccountControl should contain the following entry:

Adding services screen - SEC Consult
Trust this computer for delegation to specific services only – User Kerberos only selection screen - SEC Consult

The TGT of every user who is connecting to this server will be saved in memory and can be extracted by an adversary.

Constrained Delegation

Constrained Delegation limits what services a machine, which is trusted for delegation, can access on behalf of an authenticated user. If there is a compromised user or computer account where constrained delegation is enabled, it’s possible to impersonate any domain user and authenticate to the service where the account is trusted for delegation.

How to setup constrained delegation:

Open Active Directory Users and Computers on the domain controller and click on the Properties of the computer. Choose Trust this computer for delegation to specific services only – User Kerberos only and click on Add to choose the service:

msDS-AllowedToDelegateTo attribute set verification screen - SEC Consult

Verify in the server’s Properties, if our configuration worked by checking if the msDS-AllowedToDelegateTo attribute is set:

Attaching downloaded ISO to monitoring server in Explorer screen - SEC Consult

In this case constrained delegation limits the server to authenticate on behalf of a user to the SPN CIFS/SRV01.SEC.LAB.LOCAL.

If an adversary compromises the server, he will be able to receive the TGS from the machine. If a server is trusted for CIFS delegation on a machine, it will allow him to read the files on the target system by extracting the cached TGS ticket.


Installing Detection Capabilities

To detect malicious behavior, tools like Splunk, Kibana or Microsoft ATA are being used. In this example we will setup Microsoft ATA as detection capability.

Advanced Threat Analytics (ATA) is a platform that helps protect enterprises from multiple types of cyber-attacks and insider threats. ATA is using a network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. It is monitoring the network using port mirroring from Domain Controllers and other important computers.

More information about ATA can be found at:

To download a 90-day trial version of ATA visit the following link:

Before we start the installation, make sure that the computer where you install ATA is internet connected. Use a dedicated monitoring machine to set it up, make sure to give the machine enough resources (6GB+ of RAM).

In this example we will setup our ATA on a second domain controller. The installation process is straight forward. First, we attach the downloaded ISO to our monitoring server and open it in the Explorer:

Language selection in  Microsoft ATA Center Setup screen - SEC Consult

Just double click on Microsoft ATA Center Setup. Choose your language:

Terms and conditions next step CTA screen - SEC Consult

Accept terms and conditions and click next:

Updates yes or no screen - SEC Consult

Check for updates

Installing a self-signed certificate screen - SEC Consult
Installation progress screen - SEC Consult

Choose Database and install path and install a self-signed certificate:

Launch prompt screen - SEC Consult

Click on Launch:

Accepting the certificate warning prompt screen - SEC Consult

Internet Explorer will open, accept the certificate warning (only do this for your lab setup, don’t accept certificate warnings for production machines!):

 ATA user creation on the DC screen - SEC Consult

Create an ATA user on the DC in Active Directory Users and Computers:

Download Gateway Setup and Install the first Gateway selection screen- SEC Consult

Figure 75 – Create ATA userEnter the credentials of the ATA user to the ATA instance and click on Test connection and if the connection succeeded, click on Save:

Save command prompt upon successful connection screen - SEC Consult

Click on Download Gateway Setup and Install the first Gateway to install the ATA Gateway:

Gateway Setupdownload screen - SEC Consult

Click on and the Gateway file to your computer:

Gateway Setupdownload

Gateway Setup start screen - SEC Consult

Download the file to your and start the Gateway Setup:

CopyDomain ControllerMicrosoft ATA Gateway Setup

Language selection CTA screen - SEC Consult

Choose and click on :


Processing screen - SEC Consult
Waiting on Installation progress screen - SEC Consult

Click on and wait until the process is done:


Finish process CTA screen - SEC Consult

As soon as the installation process is done click on Finish:

Domain Controller added as Gateway screen - SEC Consult

Back on the ATA Server, the Domain Controller is added as Gateway:

Activation of Domain synchronizer Candidate screen - SEC Consult

Click on the name of the and set to :

Domain ControllerDomain synchronizer CandidateOn

Synchronisation of gateway screen - SEC Consult

The Gateway will be synced:Please note that this process will take some time:


Congratulations, you build your first Active Directory Lab. With such a basic setup you will be able to perform different types of attacks and check if an alert will be triggered and how it looks like. Of course, you can extend the lab to your needs and add different servers and workstations as well as exchange ATA to your favorite solution.