Active Directory attacks for Red and Blue Teams – Advanced Edition

Course Description

More than 95% of Fortune 500 companies use Active Directory! Enterprises are managed using Active Directory (AD) and it often forms the backbone of the complete enterprise network. Therefore, to secure an enterprise from an adversary, it is inevitable to secure its AD environment. To secure AD, you must understand different techniques and attacks used by adversaries against it. Often burdened with maintaining backward compatibility and interoperability with a variety of products, AD environments lack ability to tackle latest threats.

This training is aimed towards attacking modern AD Environment using built-in tools and trusted OS resources. The training is based on real world penetration tests and Red Team engagements for highly secured environments.

Some of the techniques (see the course content for details), used in the course:

  • Extensive AD Enumeration
  • Active Directory trust mapping and abuse.
  • Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more)
  • Advanced Kerberos Attacks and Defense (Diamond, Golden, Silver ticket, Kerberoast and more)
  • Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more)
  • Credentials Replay Attacks (Over-PTH, Token Replay, Certificate Replay etc.)
  • Attacking Azure AD integration (Hybrid Identity)
  • Abusing trusts for MS products (AD CS, SQL Server etc.)
  • Persistence (WMI, GPO, Domain and Host ACLs and more)
  • Monitoring Active Directory
  • Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, Microsoft Defender for Identity etc.)
  • Bypassing defenses

The course is a mixture of fun, demos, exercises, hands-on and lecture. You start from compromise of a user desktop and work your way up to multiple forest pwnage. The training focuses more on methodology and techniques than tools.

Attendees will get free one month access to an Active Directory environment comprising of multiple domains and forests, during and after the training. This training aims to change how you test an Active Directory Environment.

Course contents

Day 1 – AD Essentials, Tradecraft and escalating privileges

  • Introduction to Active Directory and Kerberos
  • Introduction to Attack methodology and tradecraft
  • Offensive C# and PowerShell
  • Domain Enumeration (Attacks and Defense)
  • Trust and Privileges Mapping
  • Local Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more)

Day 2 – Domain privilege escalation, Persistence

  • Credential Replay Attacks (Over-PTH, Token Replay, Certificate Replay etc)
  • Domain Privilege Escalation (User Hunting, Delegation issues and more)
  • Dumping System and Domain Secrets
  • Advanced Kerberos Attacks and Defense (Diamond, Golden, Silver ticket, Kerberoast and more)

Day 3 – Lateral movement across trusts, Defense bypasses

  • Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more)
  • Persistence (WMI, GPO, Domain and Host ACLs and more)
  • Attacking Azure integration and components
  • Abusing trusts for MS products (ADCS, SQL Server etc.)
  • Monitoring AD
  • Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, Microsoft Defender for Identity etc.)
  • Bypassing Defenses

What would the attendees gain?

  • One month access to the online Lab, solutions to exercises and Lab manual.
  • The attendees would learn powerful attack techniques which could be applied from day one after the training.
  • The attendees would understand that it is not always required to use third party executables, non-native code or memory corruption exploits on the targets in AD.

Requirements

  • Basic understanding of how penetration tests are done.
  • Basic understanding of Active Directory.
  • An open mind.

System Requirements

System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.

Trainer Biography

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 13+ years of experience in red teaming. He specializes in assessing security risks at secure environments that require novel attack vectors and “out of the box” approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 7000 security professionals in private trainings and at the world’s top information security conferences. He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more. He is the founder of Altered Security – a company focusing on hands-on enterprise security learning – https://www.alteredsecurity.com/

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.