AWS RedTeam ADLab

AWS RedTeam ADLab

This lab consists of 3 servers across 2 domains. It includes almost all pure AD attacks that I have exploited. The only edges in Bloodhound it doesn’t yet have are LAPS and GMSA I believe.

Once the setup steps are done you can just launch the lab using terraform apply and it will do it all for you. After applying you will need to give the lab about 35 mins. When you apply it will complete and tell you a timestamp. Take that timestamp, add 35 minutes onto it and wait that time. That will give it the time it needs to do all the setup. After 35 mins it will be good to go.

Attacks Covered

  • Kerberoasting
  • ASRepRoasting
  • Constrained Delegation (computer and user)
  • Unconstrained Delegation
  • Resource Based Constrained Delegation
  • Write ACL of user
  • Write ACL of computer
  • WriteDACL over domain
  • Write ACL of group
  • DnsAdmin members
  • Write ACL of GPO
  • Password in AD Attributes
  • Cross-domain trusts
  • SMBSigning disabled on all machines for relay attacks
  • Defender uninstalled so no need to worry about AV
  • Multiple machines so you can practice tunneling, double hop problem, etc
  • All the default things like lateral movement, persistence, pass the hash, pass the ticket, golden tickets, silver tickets, etc

Machine Summary

  • First-DC = Domain Controller of the domain first.local (
  • Second-DC = Domain Controller of the domain second.local (in trust with first) (
  • User-Server = Server to be the foothold on. Any domain user can RDP to this box (
  • Attack-Server = Debian server set up with Covenant and Impacket for you to jump in and attack from (

Install & Use

Source: Penetration Testing

Leave a Reply