Author: Holger Zimmermann | zimmermannn.holger@live.de
Current Version: 2026.5.21.1342
Last Update: 2026-05-21
AS2Go (Attack Scenario To Go) is a PowerShell-based Active Directory attack simulation and training framework designed for demos, workshops, security awareness sessions, and purple team exercises.
The project provides a controlled lab environment that demonstrates how attackers can move through an Active Directory infrastructure by following a realistic cyber kill chain — from initial access to full domain compromise.
AS2Go helps security professionals, consultants, and defenders better understand how common weaknesses in Active Directory can be abused in practice, while providing a safe and repeatable environment for learning and demonstrations.
It is designed for:
- Security awareness and blue team training
- Detection engineering and incident response exercises
- Demonstrating Semperis Directory Services Protector (DSP), Microsoft Defender and Sentinel alert behavior
- Repeatable SOC tabletop and hands-on lab sessions
- Author: Holger Zimmermann
- Project: https://github.com/HerrHozi/AS2Go
- Blog: https://herrhozi.com
- License: MIT
AS2Go is intended for educational use in isolated, authorized lab environments only.
Do not run this module in production or in any environment you do not own or explicitly control. You are responsible for legal, policy, and compliance requirements in your organization.
AS2Go follows a realistic multi-phase attack chain to generate observable behavior for defenders. Depending on your setup and enabled phases, the simulation can include:
- Initial account abuse and access attempts
- Reconnaissance activities
- Privilege escalation paths
- Sensitive data access and exfiltration simulation
- Domain compromise and persistence scenarios
The goal is not stealth, but visibility and learning.
- Public/: Entry points and phase orchestrators
- Core-Functions/: Internal helper and attack action functions
- Tools/: External binaries or dependencies used in lab workflows
- LabSetup/: Optional lab preparation scripts
- CleanUp/: Runtime output and exported artifacts
- Windows lab environment
- PowerShell 7.1 or higher
- Active Directory test domain (recommended for full scenario)
- ActiveDirectory
- GroupPolicy
- Certify.exe
- Mimikatz.exe
- Rubeus.exe
- NetSess.exe
- PsExec.exe
Note: Tool availability and security controls in your lab influence which actions are executed successfully.
- Single-domain Active Directory environment
- At least one Domain Controller (DC)
- At least one domain-joined victim machine, such as a server or workstation
- Initial configuration should preferably be executed on the victim machine
- Administrative privileges are required
- Enterprise Admin privileges are recommended for full configuration
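The requirements above (PowerShell 7.1, elevated session, domain-joined victim, the two RSAT modules and the five external binaries) are easy to get half-right, and the note that tool availability changes which actions succeed is the usual reason a demo silently skips steps. The following pre-flight check is an added example written for this README; it is not part of the AS2Go project. It assumes the binaries live in a `Tools\` folder beside the installed module (pass `-ToolsPath` otherwise) and reports every failed check instead of stopping at the first one:

```powershell
#Requires -Version 7.1
# Added example, not AS2Go project code. Run on the victim machine before the first
# Initialize-AS2GoLabConfiguration. Function name and report shape are this example's own;
# module and tool names are the ones listed in the README.
function Test-AS2GoLabPrerequisites {
    [CmdletBinding()]
    param(
        [string]$ToolsPath,                       # folder holding the external binaries (assumed: Tools\ beside the module)
        [string[]]$RequiredTools   = @('Certify.exe', 'Mimikatz.exe', 'Rubeus.exe', 'NetSess.exe', 'PsExec.exe'),
        [string[]]$RequiredModules = @('ActiveDirectory', 'GroupPolicy')
    )

    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }) }

    # 1. PowerShell 7.1 or higher
    & $add 'PowerShell >= 7.1' ($PSVersionTable.PSVersion -ge [version]'7.1') $PSVersionTable.PSVersion

    # 2. Administrative privileges are required: is this session elevated?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    & $add 'Running elevated' ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) $identity.Name

    # 3. Enterprise Admins (well-known RID 519) is recommended for full configuration; Domain Admins is RID 512.
    #    Matching on the RID suffix of the token SIDs avoids SID-to-name translation failures.
    $isEA = [bool]($identity.Groups | Where-Object Value -like '*-519')
    $isDA = [bool]($identity.Groups | Where-Object Value -like '*-512')
    & $add 'Enterprise Admin token (recommended)' $isEA "EnterpriseAdmins=$isEA DomainAdmins=$isDA"

    # 4. Domain-joined victim machine with a reachable domain controller
    $cs = Get-CimInstance Win32_ComputerSystem
    & $add 'Domain joined' $cs.PartOfDomain $cs.Domain
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        & $add 'Domain controller reachable' $true $dc.Name
    } catch {
        & $add 'Domain controller reachable' $false $_.Exception.Message
    }

    # 5. PowerShell modules: AS2Go itself plus the RSAT modules it depends on
    foreach ($m in @('AS2Go') + $RequiredModules) {
        $found = Get-Module -ListAvailable -Name $m | Select-Object -First 1
        & $add "Module $m" ($null -ne $found) ($found ? $found.Version.ToString() : 'not installed')
    }

    # 6. External tools. A missing Mimikatz/Rubeus/Certify usually means Defender quarantined it;
    #    decide on lab-only AV exclusions deliberately instead of disabling protection outright.
    if (-not $ToolsPath) {
        $mod = Get-Module -ListAvailable -Name AS2Go | Select-Object -First 1
        if ($mod) { $ToolsPath = Join-Path (Split-Path $mod.Path) 'Tools' }
    }
    foreach ($t in $RequiredTools) {
        $p = if ($ToolsPath) { Join-Path $ToolsPath $t } else { $t }
        & $add "Tool $t" (Test-Path -LiteralPath $p) $p
    }

    $failed = @($results | Where-Object { -not $_.Ok })
    if ($failed) { Write-Warning "$($failed.Count) prerequisite check(s) failed; see the Ok column." }
    return $results
}

# Usage (victim machine, elevated PowerShell 7):
# Test-AS2GoLabPrerequisites | Format-Table -AutoSize
```

A failed "Tool" row with an otherwise healthy lab is the case the note above describes: the phase that needs that binary will run, but the corresponding action will not succeed, and you should expect the matching alert to be absent rather than treat it as a detection gap.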
Load the module either directly from a local clone or after installing it from a registered PowerShell repository:

```powershell
# Option 1: load from a local clone
Import-Module <PathToModule>\AS2Go.psd1 -Force

# Option 2: install, then import
Install-Module -Name AS2Go -Scope AllUsers -Force
Import-Module AS2Go -Force
```

Start the guided demo, or run the lab setup and individual phases yourself:

```powershell
# Guided, interactive demo
Start-AS2GoDemo

# Setup the lab
Initialize-AS2GoLabConfiguration

# Run a Password Spray
Invoke-ASPhase04BruteForceAttack

# Phase Privilege Escalation
Invoke-ASPhase07PrivilegeEscalation

# Last phase Domain Compromise and Persistence
Invoke-ASPhase12DomainCompromisePersistence

# Troubleshooting friendly output (ASP12 is the short form of phase 12)
ASP12 -EnableLogging -SkipImages -SkipClearHost
```

- Prepare a fresh lab snapshot.
- Start AS2Go and run one phase at a time.
- Observe telemetry in Defender/Sentinel/SIEM.
- Validate detections and enrich incident playbooks.
- Reset lab and repeat with different switches.
- Start-AS2GoDemo
- Invoke-ASPhase04BruteForceAttack
- Invoke-ASPhase06Reconnaissance
- Invoke-ASPhase07PrivilegeEscalation
- Invoke-ASPhase09ReconnaissancePriviledged
- Invoke-ASPhase10AccessSensitiveData
- Invoke-ASPhase11ExfiltrateSensitiveData
- Invoke-ASPhase12DomainCompromisePersistence
Use Get-Help for command documentation:
```powershell
Get-Help Start-AS2GoDemo -Full
Get-Help Invoke-ASPhase12DomainCompromisePersistence -Full
```

AS2Go can produce logs and temporary output files for review and cleanup.
- Use -EnableLogging for verbose execution logging.
- Review generated files in your configured cleanup/output folders.
- Archive artifacts for training evidence and detection tuning history.
- Use isolated virtual networks only.
- Use non-production accounts and data only.
- Snapshot systems before each run.
- Restrict internet egress in the lab if possible.
- Document each run (phase, time, expected alerts, observed alerts).
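The workflow above (snapshot, run one phase, observe telemetry, validate, reset) and the advice to document each run with phase, time, expected and observed alerts are easy to turn into a small driver script. The one below is an added example written for this README, not AS2Go project code. It assumes it runs on the domain-joined victim machine under an account that can read the DC Security log, that every phase function accepts `-EnableLogging -SkipImages -SkipClearHost` the way the `ASP12` call above does, and that the victim is a Hyper-V guest if you want the automatic checkpoint. The host and DC names are placeholders, and the default expected event IDs for the password-spray phase (4625, 4771, 4776) are this example's own mapping, not one published by the project:

```powershell
#Requires -Version 7.1
# Added example, not AS2Go project code: run exactly one AS2Go phase, count the expected
# Security events on the DC for the run window, and append a run record for tuning history.
# Save as e.g. Invoke-AS2GoPhaseRun.ps1 (file name is this example's own choice).
param(
    [Parameter(Mandatory)]
    [ValidateSet('Invoke-ASPhase04BruteForceAttack', 'Invoke-ASPhase06Reconnaissance',
                 'Invoke-ASPhase07PrivilegeEscalation', 'Invoke-ASPhase09ReconnaissancePriviledged',
                 'Invoke-ASPhase10AccessSensitiveData', 'Invoke-ASPhase11ExfiltrateSensitiveData',
                 'Invoke-ASPhase12DomainCompromisePersistence')]
    [string]$Phase,
    [string]$DomainController = 'LAB-DC01',        # placeholder DC name (assumption)
    [int[]]$ExpectedEventId,                       # Security event IDs you expect this phase to leave on the DC
    [string]$HyperVHost,                           # if set, a checkpoint is taken on this host before the phase runs
    [string]$VictimVmName = $env:COMPUTERNAME,     # VM name as the Hyper-V host knows it (assumption)
    [string]$RunLog = (Join-Path $PSScriptRoot 'as2go-runs.csv')
)

Import-Module AS2Go -ErrorAction Stop

# Default expectation for the password spray (phase 04): failed logons (4625), Kerberos
# pre-authentication failures (4771) and NTLM credential validation failures (4776).
# This mapping is the example's own; other phases need an explicit -ExpectedEventId list.
if (-not $ExpectedEventId) {
    $ExpectedEventId = if ($Phase -eq 'Invoke-ASPhase04BruteForceAttack') { 4625, 4771, 4776 } else { @() }
}

# 1. Fresh snapshot before the run (Hyper-V; other hypervisors need their own call)
$snapshot = ''
if ($HyperVHost) {
    $snapshot = "AS2Go-before-$Phase-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Invoke-Command -ComputerName $HyperVHost -ScriptBlock {
        param($Vm, $Name) Checkpoint-VM -Name $Vm -SnapshotName $Name
    } -ArgumentList $VictimVmName, $snapshot
}

# 2. Run exactly one phase with troubleshooting-friendly output
$start = Get-Date
& $Phase -EnableLogging -SkipImages -SkipClearHost
$end = Get-Date

# 3. Observe: count each expected event ID on the DC for the run window.
#    Get-WinEvent raises an error when nothing matches, so zero is handled explicitly.
$observed = @{}
foreach ($id in $ExpectedEventId) {
    $filter = @{ LogName = 'Security'; Id = $id; StartTime = $start.AddSeconds(-30); EndTime = $end.AddMinutes(2) }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue
    $observed[$id] = @($events).Count
    if ($observed[$id] -eq 0) {
        Write-Warning "Expected event $id not seen on $DomainController; verify the DC audit policy before blaming the SIEM."
    }
}

# 4. Validate and document: the operator records which alerts Defender/Sentinel/DSP actually raised
$alerts = Read-Host 'Alerts observed in Defender/Sentinel/DSP (comma-separated, or "none")'
$record = [pscustomobject]@{
    Start               = $start.ToString('s')
    DurationSec         = [int]($end - $start).TotalSeconds
    Phase               = $Phase
    DomainController    = $DomainController
    Snapshot            = $snapshot
    ExpectedEventIds    = ($ExpectedEventId -join ';')
    ObservedEventCounts = (($observed.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';')
    ObservedAlerts      = $alerts
}
$record | Export-Csv -Path $RunLog -Append -NoTypeInformation
$record

# 5. Reset before the next phase. Deliberately left to the operator, because restoring the
#    checkpoint of the machine this script runs on ends the session:
#    Restore-VMCheckpoint -VMName $VictimVmName -Name $snapshot -Confirm:$false   (on the Hyper-V host)
```

Typical call from the victim machine: `.\Invoke-AS2GoPhaseRun.ps1 -Phase Invoke-ASPhase04BruteForceAttack -DomainController LAB-DC01 -HyperVHost LAB-HV01`. A zero count for 4771 or 4776 on a DC that is otherwise logging normally usually means the "Audit Kerberos Authentication Service" or "Audit Credential Validation" subcategory is not enabled for failures; fix that first, then rerun, otherwise you will be tuning detections against telemetry that never existed.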
- Additional simulation profiles for different defender maturity levels
- Built-in reporting templates for SOC training outcomes
- Extended cloud/hybrid identity telemetry mappings
Issues and pull requests are welcome. If you share improvements, include:
- Lab assumptions
- Reproduction steps
- Expected vs. observed behavior
- Sample logs/screenshots (sanitized)
Thanks to the security community and tool authors whose research and utilities support realistic defensive training labs.