BadBlood by Secframe fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of BadBlood is a domain similar to one found in the real world.
It is a security tool for Active Directory. After BadBlood has run on a domain, security analysts and engineers can practice using their tools against it, understand what they find, and prescribe steps for securing Active Directory.
Each time the tool runs, it produces different results: the OU structure, users, groups, computers and permissions all differ from run to run.
To run the BadBlood tool, download the repo (link below) and run the Invoke-BadBlood.ps1 PowerShell script at the root of the repo. A few prompts appear, designed to ensure this is only run in a testing or educational environment. PLEASE! Only run this in testing. Follow the prompts to begin the deployment of BadBlood.
BadBlood is designed to be run by a user who is both a Domain Admin and a Schema Admin. After the prompts, the tool begins by extending the schema (a forest-wide change, hence the Schema Admin requirement) for LAPS by running AD_Laps_install\InstallLAPSSchema.ps1.
For details on that process, subscribe to my blog to get my presentation pack. I go into the details of a 10-minute LAPS deployment in the presentation "Is the door to your Active Directory wide open and unsecure?"
BadBlood creates a new OU structure on your domain. The full details of this expansion can be viewed in the file
By personalizing the configuration file "3lettercodes.csv", you can customize the OUs that BadBlood adds beneath what I call the "Top Level OUs".
The detailed sub-structure of the OUs can be expanded by modifying the variables in createoustructure.ps1. The first release of the tool creates an OU structure similar to the one depicted to the right.
After the structure is complete, BadBlood begins to create a random number of users (500-10000) into the domain. This process is designed in the
During creation of each user, BadBlood randomly selects an OU or container and places the user there. The tool generates random male and female users from the text files in the \Names folder under the AD_Users_Create folder.
The tool fills in a bit of information on the user account and moves onto the next step: Groups.
Note: If you would like to create more users with this tool, edit the variable $NumOfUsers in the Invoke-BadBlood script.
The first release of this tool does not have parameters so you’ll have to live with editing the ps1 file.
After the users are complete, the tool moves on to creating the groups in the domain. This is performed by
The groups are randomly named by this script, which pulls words from a hotmail.txt file located in the same folder as the script. Groups, just like users, are placed in random OUs and containers in the domain.
Note: If you would like to create more groups with this tool, edit the variable $NumOfGroups in the Invoke-BadBlood script.
The tool now moves onto creating computers by calling
These computers also have randomly generated names. Like the other objects created so far, the computers are placed in random OUs. If you would like to create more computers with this tool, edit the variable $NumOfComps in the Invoke-BadBlood script.
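The three creation steps above (users, groups, computers, each dropped into a randomly chosen OU or container) follow one pattern. This added example is not BadBlood's code; it shows that pattern with the RSAT ActiveDirectory module against a lab domain. The name pools, the counts and the function names are my own, and BadBlood reads its name lists from files rather than inline arrays.

```powershell
# Added example, not BadBlood's own code. Run only in a lab domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Candidate parents: every OU in the domain plus the two default containers.
$targets  = @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets += "CN=Users,$domainDN"
$targets += "CN=Computers,$domainDN"

# Constructed sample name pools (BadBlood reads these from text files instead).
$firstNames = 'Noemi','Ana','Luis','Kofi','Mei','Jonas'
$lastNames  = 'Rivera','Okafor','Lindqvist','Tanaka','Brown','Haddad'
$words      = 'blue','north','delta','ridge','harbor','maple'

function New-RandomLabUser {
    $first = Get-Random -InputObject $firstNames
    $last  = Get-Random -InputObject $lastNames
    $num   = Get-Random -Maximum 9999
    $sam   = ("{0}{1}{2}" -f $first.Substring(0,1), $last, $num).ToLower()
    $ou    = Get-Random -InputObject $targets
    # Random password; the fixed prefix guarantees the domain complexity policy is met.
    $pw = 'Aa1!' + (-join ((48..57 + 65..90 + 97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ }))
    New-ADUser -Name "$first $last $num" -GivenName $first -Surname $last `
        -SamAccountName $sam -UserPrincipalName "$sam@$($domain.DNSRoot)" `
        -Path $ou -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -Description "Lab user created $(Get-Date -Format s)"
    return $sam
}

function New-RandomLabGroup {
    $name = "{0}-{1}-{2}" -f (Get-Random -InputObject $words), (Get-Random -InputObject $words), (Get-Random -Maximum 999)
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path (Get-Random -InputObject $targets)
    return $name
}

function New-RandomLabComputer {
    $name = "WS-{0}-{1:D4}" -f (Get-Random -InputObject $words).ToUpper(), (Get-Random -Maximum 9999)
    New-ADComputer -Name $name -Path (Get-Random -InputObject $targets) -Enabled $true
    return $name
}

# Same knobs the page describes, at lab scale.
$NumOfUsers = 20; $NumOfGroups = 5; $NumOfComps = 5
1..$NumOfUsers  | ForEach-Object { New-RandomLabUser }
1..$NumOfGroups | ForEach-Object { New-RandomLabGroup }
1..$NumOfComps  | ForEach-Object { New-RandomLabComputer }
```

Each function returns the name it created, so you can capture the output into a list and later delete exactly what the run added (Remove-ADObject on each) when tearing the lab down.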
I played around a lot with Active Directory DACLs, and I wrote a generator that creates random permissions every time this tool is run. No matter what it picks, the permissions this tool adds are very random and very invasive.
The permission generator script is
This script calls and imports the functions from the folder AD_OU_SetACL. There are many scripts in this folder, with many functions inside of each script. They can be used to automate a lot of Active Directory permission tasks an admin might encounter during the work day.
In BadBlood, I call upon these scripts to ruin, flood, and berate a Domain. These scripts are the scripts that make this Domain the worst Domain in the history of Domains.
Back in generaterandompermissions.ps1, all the permissions that BadBlood (randomly) sets are defined in the function "Create-PermissionSet". There are a lot of permissions in this function; BadBlood randomizes which of them to add every time the function is called, and it calls the function many, many times.
BadBlood takes these random permissions, chooses random users, and sets the permissions on random OUs. Then it chooses random groups and places random permissions on random OUs. Then it does the same for random computers.
Note: I plan to expand the tool to place permissions directly on random users or random groups or random computers, but for now, placing the permissions on the OUs is good enough to release the tool.
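The pattern above (pick a permission from a set, pick a principal, pick an OU, write the ACE) is what makes the resulting domain dangerous, because an ACE written on an OU with inheritance flows down to every object beneath it. This added example is not BadBlood's Create-PermissionSet; it is my own small permission set and loop, using the well-known rights and attribute GUIDs from the AD schema. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a lab domain.

```powershell
# Added example, not BadBlood's own code. Run only in a lab domain.
Import-Module ActiveDirectory

$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# A small menu of rights an attacker cares about. ExtendedRight and WriteProperty
# need an object-type GUID to say which right or attribute; Empty means "the whole object".
$permissionSet = @(
    @{ Name = 'GenericAll';     Rights = $ADRights::GenericAll;    Guid = [guid]::Empty }
    @{ Name = 'WriteDacl';      Rights = $ADRights::WriteDacl;     Guid = [guid]::Empty }
    @{ Name = 'WriteOwner';     Rights = $ADRights::WriteOwner;    Guid = [guid]::Empty }
    # User-Force-Change-Password control access right (reset password without the old one)
    @{ Name = 'ResetPassword';  Rights = $ADRights::ExtendedRight; Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529' }
    # "member" attribute (add yourself to any group under the OU)
    @{ Name = 'WriteMember';    Rights = $ADRights::WriteProperty; Guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2' }
)

function Get-RandomPrincipal {
    # Users, groups and computers all get a turn, as the page describes.
    switch (Get-Random -Maximum 3) {
        0 { Get-Random -InputObject @(Get-ADUser -Filter *) }
        1 { Get-Random -InputObject @(Get-ADGroup -Filter *) }
        2 { Get-Random -InputObject @(Get-ADComputer -Filter *) }
    }
}

function Grant-RandomOuPermission {
    $ou   = Get-Random -InputObject @(Get-ADOrganizationalUnit -Filter *)
    $who  = Get-RandomPrincipal
    $perm = Get-Random -InputObject $permissionSet

    # Inheritance 'All' is what makes the ACE reach every user/group/computer below the OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $who.SID,
        $perm.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $perm.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $path = "AD:\$($ou.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Return a record so the run can be logged and later undone.
    [pscustomobject]@{ Principal = $who.SamAccountName; Permission = $perm.Name; OU = $ou.DistinguishedName }
}

# Keep a log of what was granted; BadBlood calls its equivalent many more times than this.
$granted = 1..25 | ForEach-Object { Grant-RandomOuPermission }
$granted | Format-Table -AutoSize
```

Keep the $granted log: reversing these ACEs later means calling RemoveAccessRule with the same identity, rights and GUID on the same OU, and nothing else records which combinations the random draw produced.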
The last and final step of Invoke-BadBlood is stored in Ad_Groups_Create\AddRandomToGroups.ps1. This script performs three major functions to finish up BadBlood
After BadBlood runs, it is time to gather data on the domain. Here is sample output created by running BloodHound on a domain destroyed by BadBlood.
First: isn't that name awesome? Second: expand who can control Noemi.
Naomi has 90+ explicit object controllers. BadBlood only wrote permissions on OUs, so these controllers reach her through ACEs inherited down the OU tree. This domain is a red teamer's dream. It is also a dream for one security consultant who would like you to contact him to perform an analysis of the domain and write a plan for securing this infrastructure. Please contact me with any requests on Active Directory security.
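If you do not have BloodHound handy, the same question ("who can control this user, and where does that control come from?") can be asked of the object's own security descriptor. This added example is neither BloodHound's logic nor BadBlood's code; it is my own check, which reads the ACL of one user through the AD: drive, keeps the Allow ACEs that carry control-type rights, and reports whether each one is inherited from an OU above. The account name 'nrivera' is a placeholder.

```powershell
# Added example, not BadBlood's or BloodHound's code.
Import-Module ActiveDirectory

# Rights that let a principal take over or modify the object. WriteProperty and
# ExtendedRight are only dangerous for certain attributes/rights, so the ObjectType
# GUID is reported alongside them (Empty GUID = applies to the whole object).
$dangerousRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'

function Get-ObjectControllers {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $dangerousRights) -eq 0) { continue }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

$controllers = Get-ObjectControllers -SamAccountName 'nrivera'
$controllers | Sort-Object Inherited, Principal | Format-Table -AutoSize

# Distinct principals with some control right, the number BloodHound's view makes visible.
($controllers | Select-Object -ExpandProperty Principal -Unique).Count
```

Expect a large Inherited = True share on a BadBlood domain; that is the signature of OU-level ACEs. To clean up, fix the OU where the ACE originates rather than the user, since removing an inherited ACE on the child object is not possible without breaking inheritance there.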
I hope you enjoy this tool in your DEVELOPMENT or TRAINING environment. It is the first public tool out there that can load an immense amount of spam into an Active Directory domain.