{"id":50105006,"url":"https://github.com/kurobeats/sparkler","last_synced_at":"2026-05-23T10:01:27.885Z","repository":{"id":82599891,"uuid":"305981600","full_name":"kurobeats/Sparkler","owner":"kurobeats","description":"The tool creates a Microsoft Active Directory Domain with a structure and objects for learning.","archived":false,"fork":false,"pushed_at":"2021-06-01T12:59:39.000Z","size":784,"stargazers_count":26,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-21T22:46:30.810Z","etag":null,"topics":["active-directory","educational","security"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kurobeats.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-10-21T10:00:26.000Z","updated_at":"2023-10-13T12:38:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"24a72332-3769-449f-a1a0-909bcce901f5","html_url":"https://github.com/kurobeats/Sparkler","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/kurobeats/Sparkler","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2FSparkler","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2FSparkler/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2FSparkler/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2FSparkler/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kurobeats","download_url":"https://codeload.github.com/kurobeats/Sparkler/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kurobeats%2FSparkler/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33390972,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T04:15:53.637Z","status":"ssl_error","status_checked_at":"2026-05-23T04:15:53.242Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","educational","security"],"created_at":"2026-05-23T10:01:23.274Z","updated_at":"2026-05-23T10:01:27.832Z","avatar_url":"https://github.com/kurobeats.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sparkler 💥\n\n**Sparkler Bomb** /ˈspɑːklə bɒm/ *noun*\n\n\u003e A bottle full of sparkler dust that once lit, is highly unpredictable.\n\n---\n\n## Overview\n\nSparkler is a comprehensive Active Directory (AD) lab deployment and vulnerability injection tool designed for **security professionals, penetration testers, and students** learning Active Directory security. It creates realistic, enterprise-grade AD environments with intentional security weaknesses for hands-on learning.\n\nForked from [BadBlood](https://github.com/davidprowe/BadBlood) by David Rowe, mashed together with kurobeats' [Active-Directory-User-Script](https://github.com/kurobeats/Active-Directory-User-Script) and WazeHell's [vulnerable-AD](https://github.com/WazeHell/vulnerable-AD).\n\n### Key Features\n\n- 🏢 **Realistic Enterprise Structure** - Multi-tier OU hierarchy with geographic and functional divisions\n- 👥 **Randomized Object Generation** - Thousands of users, groups, and computers with realistic naming\n- 🔓 **22+ Vulnerability Modules** - Comprehensive attack surface for AD penetration testing practice\n- 🔄 **Non-Deterministic Output** - Every deployment creates a unique environment\n- 🎓 **Educational Focus** - Designed for training and certification preparation (OSCP, CRTP, CRTE, etc.)\n- ✅ **Windows Server 2022 Compatible** - Supports modern AD features and legacy configurations\n\n---\n\n## ⚠️ WARNING\n\n**This tool is for authorized security training and research only.**\n\n- **NEVER** run in production environments\n- **NEVER** run on systems without explicit authorization\n- Creates intentionally vulnerable Active Directory configurations\n- Leaves systems in an insecure state\n\n---\n\n## Table of Contents\n\n- [Installation](#installation)\n- [Quick Start](#quick-start)\n- [Architecture](#architecture)\n- [Vulnerability Modules](#vulnerability-modules)\n- [Learning Objectives](#learning-objectives)\n- [Windows Server Compatibility](#windows-server-compatibility)\n- [Troubleshooting](#troubleshooting)\n- [Contributing](#contributing)\n- [License](#license)\n\n---\n\n## Installation\n\n### Prerequisites\n\n- Windows Server 2016, 2019, or **2022** (Domain Controller)\n- PowerShell 5.1 or later\n- Active Directory Domain Services role\n- Administrative privileges\n\n### Setup\n\n1. Clone or download the repository to your lab Domain Controller:\n```powershell\ngit clone https://github.com/kurobeats/Sparkler.git\ncd Sparkler\n```\n\n2. Review and modify `01-AD_Setup_Domain/config.json` for your environment:\n```json\n{\n \"shell\": {\n \"DefaultShell\": \"explorer.exe\"\n },\n \"domain\": {\n \"DomainName\": \"sparkler.bmb\",\n \"DomainNetbiosName\": \"SPARKLER\",\n \"SafeModeAdministratorPassword\": \"Password123!\"\n }\n}\n```\n\n---\n\n## Quick Start\n\n### First Run (Domain Setup)\n\nOn a fresh Windows Server installation:\n\n```powershell\n.\\Invoke-Sparkler.ps1\n```\n\nType `yes` when prompted. The system will:\n1. Install AD Domain Services\n2. Create the forest/domain\n3. **Reboot automatically**\n\n### Second Run (Population \u0026 Vulnerabilities)\n\nAfter reboot, run again:\n\n```powershell\n.\\Invoke-Sparkler.ps1\n```\n\nThis will populate the domain with:\n- 1,000-5,000 randomized user accounts\n- 100-500 security groups\n- 50-150 computer accounts\n- Complex OU structure\n- **22+ vulnerability configurations**\n\n---\n\n## Architecture\n\n### Directory Structure\n\n```\nSparkler/\n├── Invoke-Sparkler.ps1 # Main orchestration script\n├── 01-AD_Setup_Domain/ # Domain controller setup\n│ ├── DCSetup.ps1\n│ └── config.json\n├── 02-AD_LAPS_Install/ # LAPS installation (Legacy \u0026 Windows LAPS)\n├── 03-AD_OU_CreateStructure/ # Organizational Unit hierarchy\n├── 04-AD_Users_Create/ # User generation with realistic data\n├── 05-AD_Groups_Create/ # Security group creation\n├── 06-AD_Computers_Create/ # Computer account generation\n├── 07-AD_Permissions_Randomiser/ # ACL randomization\n├── 08-AD_Random_Groups/ # Group membership randomization\n├── 09-AD_Misc_Vulns/ # 🎯 Vulnerability injection\n└── AD_OU_SetACL/ # ACL permission functions\n```\n\n### OU Hierarchy Created\n\n```\nDC=sparkler,DC=bmb\n├── OU=Admin\n│ ├── OU=Enterprise (T0-*)\n│ ├── OU=Global (T1-*)\n│ └── OU=National (T2-*)\n├── OU=Global\n│ └── [3-Letter Affiliate Codes]\n├── OU=National\n│ └── [3-Letter Affiliate Codes]\n├── OU=Staff\n├── OU=SCADA\n├── OU=Quarantine\n└── [Regional OUs: Russia, Australia, Asia, etc.]\n```\n\nEach affiliate code OU contains:\n- `ServiceAccounts`\n- `Groups`\n- `Devices`\n- `Test`\n- `Managed`\n\n---\n\n## Vulnerability Modules\n\nSparkler includes **22 comprehensive vulnerability modules** across multiple attack categories:\n\n### 🔐 Credential Attacks\n\n| Module | Description | Attack Technique |\n|--------|-------------|------------------|\n| **Kerberoasting** | Service accounts with weak passwords \u0026 SPNs | T1558.003 |\n| **AS-REP Roasting** | Accounts with \"Do not require Kerberos preauthentication\" | T1558.004 |\n| **Password Never Expires** | Long-term credential validity | T1078 |\n| **Reversible Encryption** | Store passwords using reversible encryption | T1003 |\n| **LM Hash Storage** | Legacy LM hash compatibility | T1003.002 |\n| **Sensitive Data Exposure** | Credentials in SYSVOL scripts \u0026 GPP | T1552.001 |\n\n### 🎯 Access Control Abuse\n\n| Module | Description | Attack Technique |\n|--------|-------------|------------------|\n| **Bad ACLs** | Dangerous permissions (GenericAll, WriteDACL, etc.) | T1222 |\n| **DCSync** | Replicate directory changes permissions | T1003.006 |\n| **AdminSDHolder Abuse** | Protected group membership | T1078 |\n| **Weak GPO Permissions** | Non-privileged GPO modification rights | T1552.010 |\n\n### 🔄 Delegation Attacks\n\n| Module | Description | Attack Technique |\n|--------|-------------|------------------|\n| **Unconstrained Delegation** | TrustedForDelegation enabled | T1558 |\n| **Constrained Delegation** | S4U2Proxy configuration | T1558 |\n| **Resource-Based Constrained Delegation** | msDS-AllowedToActOnBehalfOfOtherIdentity | T1558 |\n\n### 🌐 Network Protocol Attacks\n\n| Module | Description | Attack Technique |\n|--------|-------------|------------------|\n| **SMB Signing Disabled** | No SMB message signing | T1557 |\n| **LDAP Security Weaknesses** | Unsigned LDAP \u0026 no channel binding | T1557 |\n| **NTLM Relay Vulnerabilities** | Multi-protocol relay configuration | T1557 |\n| **Pre-Windows 2000 Compatibility** | Anonymous SID translation | T1087 |\n\n### 🖨️ Service-Specific Attacks\n\n| Module | Description | Attack Technique |\n|--------|-------------|------------------|\n| **DnsAdmins** | DNS admin group membership abuse | T1078 |\n| **Print Spooler Vulnerabilities** | PrintNightmare configuration | T1569 |\n| **Certificate Template Vulnerabilities** | ADCS ESC1-ESC8 scenarios | T1550 |\n\n### 🏢 Domain Configuration\n\n| Module | Description | Attack Technique |\n|--------|-------------|------------------|\n| **MachineAccountQuota** | High computer join limits | T1133 |\n| **Trust Relationship Abuse** | Cross-domain trust attacks | T1550 |\n\n---\n\n## Learning Objectives\n\n### For Penetration Testers\n\nPractice real-world AD attack chains:\n1. **Reconnaissance** - LDAP enumeration, user/computer discovery\n2. **Initial Access** - AS-REP Roasting, credential exposure\n3. **Privilege Escalation** - Kerberoasting, delegation abuse, ACL exploitation\n4. **Lateral Movement** - NTLM relay, pass-the-hash, pass-the-ticket\n5. **Domain Compromise** - DCSync, Golden/Silver tickets\n\n### For Defenders\n\nLearn to detect and prevent:\n- Abnormal LDAP queries\n- Kerberos ticket anomalies\n- Privileged group modifications\n- DCSync detection (Event ID 4662, 5136)\n- NTLM authentication patterns\n\n### For Certification Preparation\n\nRelevant certifications supported:\n- **OSCP** - AD attack methodology\n- **CRTP** (Certified Red Team Professional) - Full AD exploitation\n- **CRTE** (Certified Red Team Expert) - Advanced AD attacks\n- **OSWE** - Web app + AD integration scenarios\n\n---\n\n## Windows Server Compatibility\n\n| Version | Status | Notes |\n|---------|--------|-------|\n| Windows Server 2016 | ✅ Supported | Legacy LAPS required |\n| Windows Server 2019 | ✅ Supported | Legacy LAPS required |\n| Windows Server 2022 | ✅ **Fully Supported** | Native Windows LAPS + Win2022 Domain Mode |\n\n### Windows Server 2022 Features\n\n- **Automatic detection** and configuration of `Win2022` domain/forest functional level\n- **Native Windows LAPS** support (built-in, no separate installation)\n- **Modern security features** with intentional misconfigurations for testing\n\n---\n\n## Troubleshooting\n\n### Common Issues\n\n**Issue**: Script fails with \"AD: drive not found\"\n```powershell\n# Solution: Import module manually\nImport-Module ActiveDirectory\n.\\Invoke-Sparkler.ps1\n```\n\n**Issue**: LAPS installation fails on Server 2022\n```powershell\n# Windows Server 2022 uses built-in LAPS\n# The script auto-detects and uses the correct version\n```\n\n**Issue**: Computer creation loops indefinitely\n```powershell\n# Fixed in latest version - safety limits (10,000 iterations) prevent infinite loops\n```\n\n### Safety Features\n\n- **Loop iteration limits** on all `do-while` loops\n- **Try-catch error handling** throughout\n- **Progress indicators** for long-running operations\n- **Automatic AD: drive validation**\n\n---\n\n## Contributing\n\nContributions welcome! Areas for expansion:\n- Additional vulnerability modules\n- Detection rules for defenders\n- Reporting/analytics features\n- Cloud (Azure AD) integration\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n---\n\n## Acknowledgments\n\n- **David Rowe** - Original BadBlood creator\n- **kurobeats** - Active Directory user generation scripts\n- **WazeHell** - Vulnerable-AD concepts\n- **Microsoft** - Active Directory and security research\n\n---\n\n## License\n\nThis project is provided for educational purposes only. See [LICENSE](LICENSE) for details.\n\n**Remember**: With great power comes great responsibility. Only use this tool in authorized lab environments.\n\n---\n\n## Quick Reference Card\n\n```powershell\n# Deploy complete vulnerable AD lab\n.\\Invoke-Sparkler.ps1 # Run twice (once for setup, once after reboot)\n\n# Individual modules (advanced usage)\n.\\01-AD_Setup_Domain\\DCSetup.ps1\n.\\04-AD_Users_Create\\CreateUsers.ps1\n.\\09-AD_Misc_Vulns\\Add-MiscVulns.ps1\n```\n\n**Estimated deployment time**: 30-60 minutes depending on object count\n\n**Recommended VM specs**: 4+ vCPUs, 8GB+ RAM, 100GB+ disk\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkurobeats%2Fsparkler","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkurobeats%2Fsparkler","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkurobeats%2Fsparkler/lists"}