
Active Directory Attacks for Red and Blue Teams - Basic Edition

This 3-day beginner class teaches you how to get started with Red Teaming. It covers AD enumeration, trust mapping, Kerberos-based attacks, defense bypasses and more! Earn the Certified Red Team Professional (CRTP) certification.

Starts:  5th December 2025  Duration: 3 days

Video course included!

Attacking & Defending Active Directory: Beginner's Edition (CRTP)

What You Will Learn

This 3-day beginner-friendly class is designed to get you started with Red Teaming. The course teaches security professionals how to identify and analyze threats in a modern Active Directory environment. The class will cover topics like Active Directory (AD) enumeration, trust mapping, domain privilege escalation, Kerberos-based attacks, SQL server trusts, defenses and bypasses of defenses.
 

The class will teach you how to attack and defend Enterprise Active Directory environments and will give you an opportunity to become a Certified Red Team Professional (CRTP).

3 Days class
8 Hrs Per Session
8 Weeks Lab Access
40 Flags To Be Collected
23 Lab Exercises
1 CRTP Attempt
Video course included

Build Your Cybersecurity Credentials

Become a Certified Red Team Professional (CRTP)

Get the industry-recognized CRTP certification! A certificate holder has demonstrated an understanding of Red Teaming and AD security. She can enumerate and execute a variety of attack techniques like local and domain privilege escalation, persistence, trust abuse and antivirus evasion with minimal chances of detection.

Course Completion Certificate

Attendees will also get a course completion certificate after completing the Learning Objectives covered during the course.

Schedule

Daily 8-hour sessions start at 09:00 am IST and end at 05:00 pm IST.

Date - Topics
05 December 2025 - Enumeration, Offensive PowerShell and .NET Tradecraft
06 December 2025 - Lateral Movement, Domain Privilege Escalation and Persistence
07 December 2025 - Domain Persistence, Dominance and Escalation to Enterprise Admins; Defenses, Monitoring and Bypassing Defenses
Prerequisites

1. A basic understanding of Active Directory
2. The ability to use command line tools on Windows

Syllabus

The course is split into four modules across three days:

Module I: Enumeration, Offensive PowerShell and .NET Tradecraft

Enumerate useful information like users, groups, group memberships, computers, user properties, trusts, ACLs etc. to map attack paths

Learn and practice different local privilege escalation techniques on a Windows machine

Hunt for local admin privileges on machines in the target domain using multiple methods

Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines

Learn how PowerShell tools can still be used for enumeration.

Learn to modify existing tools to bypass Windows Defender.

Bypass PowerShell security controls and enhanced logging like System Wide Transcription, Anti Malware Scan Interface (AMSI), Script Block Logging and Constrained Language Mode (CLM).

Learn how to modify and use .NET tools to bypass Windows Defender and Microsoft Defender for Endpoint (MDE).

Learn to use .NET Loaders that can run assemblies in-memory.

Module II: Lateral Movement, Domain Privilege Escalation and Persistence

Learn to find credentials and sessions of high-privilege domain accounts like Domain Administrators, extract their credentials and then use credential replay attacks to escalate privileges, all using just built-in protocols for pivoting

Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level

Understand the classic Kerberoast and its variants to escalate privileges

Understand and exploit delegation issues

Learn how to abuse privileges of Protected Groups to escalate privileges

Abuse Kerberos to persist with DA privileges. Forge tickets to execute attacks like Golden ticket, Diamond ticket and Silver ticket to persist

Subvert the authentication on the domain level with Skeleton key and custom SSP

Abuse the DC safe mode Administrator for persistence

Abuse protection mechanisms like AdminSDHolder for persistence

Module III: Domain Dominance and Escalation to Enterprise Admins

Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain objects

Learn to modify the host security descriptors of the domain controller to persist and execute commands without needing DA privileges

Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admins on the forest root by abusing Trust keys and krbtgt account

Execute intra-forest trust attacks to access resources across forest

Abuse database links to achieve code execution across forest by just using the databases

Learn about Active Directory Certificate Services and execute some of the most popular attacks.

Execute attacks across Domain trusts to escalate privileges to Enterprise Admins.

Module IV: Monitoring, Architecture Changes, Bypassing MDE and MDI

Learn about useful events logged when the discussed attacks are executed

Learn briefly about architecture changes required in an organization to avoid the discussed attacks. We discuss Temporal group membership, ACL Auditing, LAPS, SID Filtering, Selective Authentication, Credential Guard, Device Guard (WDAC), Protected Users Group, PAW, Tiered Administration and ESAE or Red Forest

Learn how Microsoft's Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools

Understand how Deception can be effectively deployed as a defense mechanism in AD

Learn about Microsoft’s EDR – Microsoft Defender for Endpoint and understand the telemetry and components used by MDE for detection.

Execute an entire chain of attacks across forest trust without triggering any alert by MDE.

Use Security 365 dashboard to verify MDE bypass.

Learn about Microsoft Identity Protection (MDI) and understand how MDI relies on anomalies to spot an attack.

Bypass various MDI detections throughout the course.

Purchase Options

Purchase Includes

60 DAYS LAB ACCESS + ONE COURSE COMPLETION CERTIFICATE
LIFE TIME ACCESS TO COURSE MATERIAL
ONE CERTIFICATION EXAM ATTEMPT

₹39,999 + GST

Altered Security Instructors

MEET THE INSTRUCTOR

This class will be taught by security researchers from Altered Security.

 

All of our instructors regularly publish research, maintain open source tools, speak at conferences and local meetups and have trained at conferences like Black Hat, DEF CON and other top hacker conferences.

As an organization, Altered Security is an established industry expert in research and training on On Prem and Cloud Red Teaming.

© 2025 by Altered Security Solutions Pvt Ltd. All Rights Reserved