Automated AD LAB with BadBlood installed automatically # Part 1

6 min readOct 25, 2020

There are many blogs and sites on how to use AutomatedLAb . I wanted to show you how you can use AutomatedLab to create an AD Lab as well as install BadBlood automatically without logging into the AD and then importing and running the scripts. Let’s begin.

The next part will demonstrate Phishing and User Simulation.

What is AutomatedLAB: AutomatedLab (AL) enables you to setup test and lab environments on Hyper-v or Azure with multiple products or just a single VM in a very short time. Click the link for more details.

What is BadBlood: It is not the song nor is it the movie. It is a security tool for Active Directory. After BadBlood is run on a domain, security analysts and engineers can practice using tools to gain an understanding and to prescribe securing the Active Directory.

Let’s begin.

Download AutomatedLab

Download the msi or you can use the powershell script to download it.

Click Next and select the Complete Option. Open Powershell and run the following command

Import-Module AutomatedLab

Under C: drive you will find a directory “LabSources” . If you see this congratulations you have installed AutomatedLab. Inside LabSources directory we have other folders. Don’t worry much about them the Installation docs are good enough! . The “ISOs” directory is where we shall copy our .iso images . For my lab I use windows 10, windows server 2019, Exchange server 2019 and SQL Server 2019.

For now we shall create a simple LAB. My domain is called WAKANDA.The setup includes;

  1. 1 DC
  2. 1 Machine joined to the AD.
  3. Add your Kali to the same network (optional)

I hope you have copied your iso image to the “ISOs” directory. Fire up powershell and type the following commands.

I will break down each step or if you can’t wait scroll down to get the full script at the end of the blog.

Oh i forgot to tell you if you use AutomatedLAb it will lower the security of your machine

Yea that’s right. This is because automatedlab will need to communicate to your VMS, thus following will be done to your host machine:

  1. Enables WinRM CredSSP
  2. Enters a wildcard in your system’s TrustedHosts file
  3. Allows credential delegation via local group policy settings
  4. Relaxes a setting for CredSSP patch CVE-2018–0886

Decided to use it?? Okay let's continue , I personally use this in my homelab and to train people.

Testing the ISO images.

Get-LabAvailableOperatingSystem -Path C:\LabSources

Great we have images we can use

We will be using “Windows Server 2019 Standard Evaluation (Desktop Experience)” or if you don’t like GUI go for the first option.

I like creating a new folder for every LAB I create . For this Lab I will name the folder “BADBLOOD” . Let’s start building our script.

What we are doing here is setting up the lab configs. This includes specifying where we want to install the LAB and the directory. The lab will be saved in C:\BADBLOOD .

The last command will create the directory for you in case you forgot to create the folder. This makes it easy to locate your labs and keeps things organized, especially if you have multiple labs.

Next we will define the network setting and the domain details as well as the local admin password details. In this case a new virtual switch will be created with a range of space . The Domain name will be called WAKANDA.LOCAL and the domain admin username and password “administrator:Password123”.

Please change it to something complex.

What I normally do, and this is optional, is I set a default base for all my Virtual Machines that will be installed. For Example I give all my virtual machines 2GB of RAM, set the DNS of the DC to be used for all my machines and the OS to be used. Which means all my machines in this lab will have;

  1. 2GB of RAM
  2. DNS setting of
  3. Windows Server 2019 Standard Evaluation (Desktop Experience)
  4. Use the name BADBLOOD for the VMS and store it in the directory we specified earlier

Now let us set up our DC which is just one command and add a role of -RootDC. If you want a child and parent forest environment, add another DC and give it a role of -FirstChildDC. You can setup a complex forest , it’s up to your requirements and RAM lol.

And the DC is ready. Now we shall add a server and join it to the WAKANDA Domain. Since it’s a normal server we don’t need to add any role. This is the same for adding a “windows 10” machine to the Domain.

That’s it. You have created your first LAB. But what about automating the installation of BADBLOOD ???. We will install that after the LAB is up and running. Let us install the lab and create a checkpoint before we mess up our hard work.

The Total time taken to set up this lab was 16 minutes.

So what about BadBlood. Well it’s dead simple to automate this process.


  1. Download BadBlood
  2. Extract it and put it in your tools folder
  3. Edit Invoke-BadBlood.ps1, remove the lines highlighted in the red box below, add a variable to execute BadBlood and replace line 30–47 with

$badblood = ‘badblood’

4. Save it.

In our Powershell script we shall add the following lines. This will copy the badblood directory to the DC and then execute it.

And that’s it. The entire process has been automated.

To confirm, we can check how many users, groups and computers have been added to our lab.

Start practising your skills like running bloodhound , getting passwords from user description profile, SPN,unconstrained delegation, ACL abuse etc etc.

Collecting data with the bloodhound ingestor

I Hope you found this useful and for the lazy people the full script is in the link below.

Preview Part 2 : User simulation and automated Phishing. This is good for red teamers to practice their phishing skills