Some Active Directory findings only become real when they are demonstrated.
That is exactly why I updated AS2Go – Attack Scenario To Go. What started as a PowerShell-based attack simulation script has now become a PowerShell 7 module for lab-based Active Directory attack simulation, awareness, and detection validation.
AS2Go 2026 follows a classic kill-chain approach and helps generate realistic events and alerts for security solutions such as Semperis Directory Services Protector, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Sentinel, and other EDR or SIEM platforms.
Some findings look harmless on paper, e.g.:
- A weak service account password.
- A misconfigured certificate template.
- Too much access to a privileged group.
- A missing separation between administrative tiers.
- An old configuration nobody really owns anymore.
In a report, these findings may look like individual issues. In a real attack path, they can become connected steps.
That is one of the reasons why I like practical demonstrations so much. During assessments, workshops, and internal discussions, the same thing happens again and again: once people see how a misconfiguration can actually be abused, the risk becomes much easier to understand.
That was the original idea behind AS2Go – Attack Scenario To Go.
After quite some time, I finally gave the project a major update.
AS2Go 2026 is now a PowerShell 7 module.
- It is still about Active Directory.
- It is still about attack simulation.
- But it is now more structured, more flexible, and much better suited for modern lab environments.
What is AS2Go?
AS2Go stands for Attack Scenario To Go.
It is a PowerShell 7 module designed to simulate common Active Directory attack scenarios in a controlled lab environment.
The goal is not to be just another offensive tool. The goal is to make Active Directory attack paths easier to understand, easier to demonstrate, and easier to validate from a detection perspective.
AS2Go can be used to deliberately generate security-relevant activity for solutions such as:
- Semperis Directory Services Protector
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Sentinel
- other EDR, SIEM, or monitoring solutions
The focus is on three things:
awareness, repeatability, and defensive visibility.
A finding in a report explains the risk.
A simulation shows what that risk can look like in practice.

Why I Updated AS2Go
The first version of AS2Go started as a PowerShell script.
It worked, but over time the idea became bigger. I wanted something that could be reused more easily, installed more cleanly, and adapted to more realistic lab environments.
So the 2026 version was rebuilt with a stronger focus on:
- PowerShell 7
- module-based structure
- Active Directory preparation routine
- multi-domain forest support
- better scope control
- a more guided attack workflow
- parallel processing where it makes sense
The move to PowerShell 7 was especially important. It allows AS2Go to use more modern PowerShell features and better handle larger lab scenarios.
AS2Go 2026 is also designed with a multi-domain Active Directory forest in mind. This makes it possible to run simulations at different levels, for example:
- OU level
- current domain
- selected domain
- forest level
That flexibility is important because not every test should target everything. Sometimes a focused simulation against a specific OU is enough. Sometimes a broader domain or forest-level scenario is useful.
The Kill Chain Approach
AS2Go follows a classic attack-chain structure.
The current flow includes:
- Brute Force or Password Spray
- Reconnaissance
- Privilege Escalation
- Data Access & Exfiltration
- Domain Compromise & Persistence
Each phase can be started separately, or AS2Go can guide the operator step by step along the kill chain.
That was an important design decision.
Sometimes only one specific detection needs to be tested.
Sometimes only one attack technique should be demonstrated.
Sometimes the full story from initial access to domain compromise is the most useful approach.
AS2Go supports both.
Attack Phase: Brute Force or Password Spray
Password spraying is still one of the most relevant attack techniques against Active Directory environments.
It is simple.
It is easy to understand.
And in many environments, it is still effective.
In AS2Go, this phase can be used to simulate password spraying behavior and validate whether the environment detects and responds to it properly.

One thing I wanted to include is flexible scope selection.
The simulation can be started at different levels:
- Forest Level
- Domain Level
- Current Domain
- OU Level
This makes the test more realistic and more controlled.
For example, a password spray can be limited to a dedicated demo OU, or it can be executed against a broader domain scope in a lab. This makes it easier to compare how detection tools behave depending on the target scope.
Password spraying is also a good starting point for awareness sessions. Almost everyone working with Active Directory understands failed logons, lockout thresholds, and password policies.
That makes this phase easy to explain — and very useful to demonstrate.
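One way to validate the detection side of this phase, as an added example that is not part of AS2Go or the original post: the PowerShell 7 function below separates a spray (one source, many accounts) from brute force (one account, many attempts) and from ordinary mistyped passwords. The records are constructed, and the function name, window, and thresholds are assumptions to tune against the lab's lockout policy.

```powershell
# Constructed failed-logon records; in a lab the same three fields would be
# taken from failed-logon events such as Security event 4625.
$base = [datetime]'2026-01-15T09:00:00'
$events = @(
    # 10.0.0.50: one attempt each against twelve accounts (spray pattern)
    0..11 | ForEach-Object { [pscustomobject]@{ Time = $base.AddSeconds($_ * 5); Source = '10.0.0.50'; Account = "demo.user$_" } }
    # 10.0.0.77: fifteen attempts against a single account (brute-force pattern)
    0..14 | ForEach-Object { [pscustomobject]@{ Time = $base.AddSeconds($_ * 2); Source = '10.0.0.77'; Account = 'svc.backup' } }
    # 10.0.0.12: a user mistyping a password twice (benign noise)
    0..1 | ForEach-Object { [pscustomobject]@{ Time = $base.AddMinutes(3 + $_); Source = '10.0.0.12'; Account = 'jane.doe' } }
)

function Get-FailedLogonPattern {   # hypothetical helper name
    param(
        [object[]]$Events,
        [int]$WindowMinutes = 10,   # assumed observation window
        [int]$SprayAccounts = 10,   # distinct accounts per source and window
        [int]$BruteAttempts = 10    # attempts against one account per window
    )
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    foreach ($bySource in ($Events | Group-Object Source)) {
        # Fixed windows keep the logic short; a burst that straddles a window
        # boundary is split in two, so keep thresholds below the expected volume.
        $buckets = $bySource.Group | Group-Object { [math]::Floor($_.Time.Ticks / $windowTicks) }
        foreach ($b in $buckets) {
            $perAccount    = @($b.Group | Group-Object Account)
            $distinct      = $perAccount.Count
            $maxPerAccount = ($perAccount | Measure-Object Count -Maximum).Maximum
            $pattern = 'Noise'
            if ($distinct -ge $SprayAccounts) { $pattern = 'PasswordSpray' }
            elseif ($maxPerAccount -ge $BruteAttempts) { $pattern = 'BruteForce' }
            [pscustomobject]@{
                Source    = $bySource.Name
                Pattern   = $pattern
                Accounts  = $distinct
                Attempts  = $b.Count
                FirstSeen = ($b.Group | Sort-Object Time | Select-Object -First 1).Time
            }
        }
    }
}

Get-FailedLogonPattern -Events $events | Sort-Object Source | Format-Table -AutoSize
```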
Attack Phase: Privilege Escalation
Initial access is only the beginning.
The more interesting question is:
What can happen next?
The Privilege Escalation phase is where AS2Go demonstrates how common Active Directory and ADCS weaknesses can be abused to move from access to higher privileges.
AS2Go 2026 includes scenarios around:
- Pass-the-Hash
- Pass-the-Ticket
- Kerberoasting
- misconfigured certificate templates, including ESC1
- PsExec execution as Local System
- credential theft via memory access

This phase is especially useful because it connects technical findings with practical attacker behavior.
Kerberoasting is a good example. A weak service account password may be documented as a finding, but the impact becomes much clearer when the attack is demonstrated.
ADCS is another good example. A vulnerable ESC1 certificate template may look like a very technical configuration issue. But once it is used to impersonate a privileged user, the impact becomes obvious.
AS2Go currently integrates well-known tools such as Rubeus, Certify 2.0, PsExec, and Mimikatz for these simulation paths.
The intention is not to hide what is happening.
The intention is to make the steps visible, understandable, and repeatable in a lab.
Attack Phase: Domain Compromise & Persistence
The final highlighted phase is Domain Compromise & Persistence.
This is where the impact becomes very clear.
At this point, the scenario is no longer about initial access or a single compromised system. It is about control of the Active Directory environment, persistence, and operational impact.
AS2Go includes actions such as:
- creating a persistent backdoor domain account
- disabling users or resetting passwords
- manipulating Tier 0 group memberships
- tampering with Group Policy Template files
- encrypting backup files stored on a domain controller
- exporting the DPAPI master key
- forging a Kerberos Golden Ticket
- rebooting available machines in the domain

This phase is intentionally impactful.
It helps demonstrate why topics like Tier 0 protection, privileged access hygiene, secure backup handling, and identity recovery planning matter so much.
Once an attacker reaches this stage, the discussion changes.
It is no longer only about prevention.
It is about containment, recovery, trust, and business impact.
That is exactly the kind of discussion AS2Go is meant to support in a lab environment.
Why ADCS is Part of the Story
Active Directory Certificate Services is one of those areas that often exists quietly in the background.
It is deployed.
It works.
And sometimes it has not been reviewed for years.
That makes ADCS a very interesting topic for attack simulation and awareness.
AS2Go includes scenarios around vulnerable certificate templates, especially ESC1-style abuse. This helps demonstrate how a certificate template misconfiguration can become a direct privilege escalation path.
I like this scenario because it shows something important:
A certificate template is not just a configuration object.
In the wrong configuration, it can become an identity compromise path.
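The template review behind that statement, as an added example that is not part of AS2Go or the original post: the PowerShell 7 function below evaluates the conditions that together make a template ESC1-exposed and reports which control, if any, still blocks it. The templates and the `EnrollPrincipals` field are constructed, the function name and the low-privileged group list are assumptions, and the remaining property names are the AD attributes of certificate template objects.

```powershell
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)
$LowPrivileged = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')  # assumed list

# Constructed lab templates. EnrollPrincipals stands in for the principals
# holding Enroll rights in the template's ACL.
$templates = @(
    [pscustomobject]@{ Name = 'Demo-UserAuth-Open'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x0; 'msPKI-RA-Signature' = 0
                       pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); EnrollPrincipals = @('Domain Users') }
    [pscustomobject]@{ Name = 'Demo-UserAuth-Approval'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x2; 'msPKI-RA-Signature' = 0
                       pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); EnrollPrincipals = @('Domain Users') }
    [pscustomobject]@{ Name = 'Demo-WebServer'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x0; 'msPKI-RA-Signature' = 0
                       pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.1'); EnrollPrincipals = @('Web Admins') }
    [pscustomobject]@{ Name = 'Demo-User-FromAD'; 'msPKI-Certificate-Name-Flag' = 0x02000000; 'msPKI-Enrollment-Flag' = 0x0; 'msPKI-RA-Signature' = 0
                       pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); EnrollPrincipals = @('Domain Users') }
)

function Test-Esc1Template {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)]$Template)
    process {
        $ekus = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
        $checks = [ordered]@{
            # 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: requester chooses the identity
            EnrolleeSuppliesSubject = [bool]($Template.'msPKI-Certificate-Name-Flag' -band 0x1)
            # 0x2 = CT_FLAG_PEND_ALL_REQUESTS: CA manager approval required when set
            NoManagerApproval       = -not ($Template.'msPKI-Enrollment-Flag' -band 0x2)
            NoAuthorizedSignature   = ($Template.'msPKI-RA-Signature' -eq 0)
            # An empty EKU list places no restriction, so it also allows authentication
            AuthenticationEku       = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $AuthEkus })
            LowPrivilegedEnroll     = [bool]($Template.EnrollPrincipals | Where-Object { $_ -in $LowPrivileged })
        }
        $blockedBy = @($checks.Keys | Where-Object { -not $checks[$_] })
        [pscustomobject]@{
            Template  = $Template.Name
            Esc1      = ($blockedBy.Count -eq 0)
            BlockedBy = ($blockedBy -join ', ')   # conditions not met, i.e. the controls still in place
        }
    }
}

$templates | Test-Esc1Template | Format-Table -AutoSize
```

A template with a single entry in `BlockedBy` is one configuration change away from exposure, which makes that column useful for prioritizing review.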
Built for Lab Environments
AS2Go is intended for lab and test environments only.
It is designed for controlled simulations, demos, workshops, and detection validation — not for production use.
Typical use cases include:
- Active Directory security awareness
- blue team validation
- detection engineering
- lab-based workshops
- security assessment demonstrations
- ADCS attack path demonstrations
- alert validation in Defender, Sentinel, Semperis DSP, or other platforms
The idea is simple:
Make Active Directory attack paths visible without having to rebuild every step manually.
Installation
To get started with AS2Go, you do not need a huge lab. A simple single-domain Active Directory environment is enough for the initial configuration. The lab should contain at least one Domain Controller and one domain-joined victim machine, for example a server or workstation. For the best experience, run the initial AS2Go configuration from the victim machine. Administrative privileges are required, and Enterprise Admin privileges are recommended when the full configuration should be applied.

AS2Go is available on GitHub and via the PowerShell Gallery.
Install-Module -Name AS2Go -Scope AllUsers
GitHub repository:
https://github.com/HerrHoZi/AS2Go
PowerShell Gallery profile:
https://www.powershellgallery.com/profiles/HerrHoZi
Release Candidate Status
AS2Go 2026 is currently in a release candidate state.
The core functionality is ready, and more features are already in the works. Some of them are already visible in the menu and marked as Coming Soon.
I like this approach because it allows the project to evolve step by step while already being useful for testing, demos, and feedback.
Final Thoughts
For me, AS2Go connects three things:
Active Directory findings, attacker behavior, and defensive visibility.
A report can explain a risk.
A diagram can show an attack path.
But a simulation can make it real.
That is why I built AS2Go.
Not to replace security assessments.
Not to replace detection engineering.
Not to replace existing offensive tools.
But to provide a structured, repeatable, and understandable way to demonstrate what can happen when Active Directory and ADCS misconfigurations are abused.
If you work with Active Directory, ADCS, identity security, detection engineering, or security assessments, feel free to try AS2Go in your own lab environment.
Feedback is always welcome.
Links
- GitHub: https://github.com/HerrHoZi/AS2Go
- PowerShell Gallery: https://www.powershellgallery.com/profiles/HerrHoZi
Topics Covered
- Active Directory attack simulation
- PowerShell 7 security lab automation
- Password spraying detection validation
- Privilege escalation with Kerberoasting and ADCS ESC1
- Domain compromise and persistence in lab environments
- Detection testing with Microsoft Defender for Identity, Microsoft Sentinel, and Semperis DSP