Active Directory Attacks for Red and Blue Teams - Basic Edition (CRTP)

This training is also available as Attacking and Defending Active Directory - Basic Edition as a bootcamp and on-demand class

Overview & Course Content

Enterprises are managed using Active Directory (AD), and it often forms the backbone of the complete enterprise network. Therefore, to secure an enterprise from an adversary, it is essential to secure its AD environment. To secure AD, you must understand the different techniques and attacks used by adversaries against it. Often burdened with maintaining backward compatibility and interoperability with a variety of products, AD environments lack the ability to tackle the latest threats. This training is aimed at attacking modern AD environments using built-in tools like PowerShell and other trusted OS resources.

The training is based on real world penetration tests and Red Team engagements for highly secured environments.

  • Enumerate useful information like users, groups, group memberships, computers, user properties, trusts, ACLs etc. to map attack paths

  • Learn and practice different local privilege escalation techniques on a Windows machine

  • Hunt for local admin privileges on machines in the target domain using multiple methods

  • Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines

  • Learn how PowerShell tools can still be used for enumeration.

  • Learn to modify existing tools to bypass Windows Defender.

  • Bypass PowerShell security controls and enhanced logging like System Wide Transcription, Anti Malware Scan Interface (AMSI), Script Block Logging and Constrained Language Mode (CLM).

  • Learn how to modify and use .NET tools to bypass Windows Defender and Microsoft Defender for Endpoint (MDE).

  • Learn to use .NET Loaders that can run assemblies in-memory.

  • Learn to find credentials and sessions of high-privilege domain accounts like Domain Administrators, extract their credentials and then use credential replay attacks to escalate privileges, all of this using only built-in protocols for pivoting

  • Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level

  • Understand the classic Kerberoast and its variants to escalate privileges

  • Understand and exploit delegation issues

  • Learn how to abuse privileges of Protected Groups to escalate privileges

  • Abuse Kerberos to persist with DA privileges. Forge tickets to execute attacks like Golden ticket, Diamond ticket and Silver ticket to persist

  • Subvert authentication at the domain level with Skeleton Key and a custom SSP

  • Abuse the DC safe mode Administrator for persistence

  • Abuse protection mechanisms like AdminSDHolder for persistence

  • Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain objects

  • Learn to modify the host security descriptors of the domain controller to persist and execute commands without needing DA privileges

  • Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admins on the forest root by abusing Trust keys and the krbtgt account

  • Execute intra-forest trust attacks to access resources across the forest

  • Abuse database links to achieve code execution across the forest by just using the databases

  • Learn about Active Directory Certificate Services and execute some of the most popular attacks.

  • Execute attacks across Domain trusts to escalate privileges to Enterprise Admins.

  • Learn about useful events logged when the discussed attacks are executed

  • Learn briefly about architecture changes required in an organization to avoid the discussed attacks. We discuss Temporal group membership, ACL Auditing, LAPS, SID Filtering, Selective Authentication, Credential Guard, Device Guard (WDAC), the Protected Users group, PAW, Tiered Administration and ESAE or Red Forest

  • Learn how Microsoft's Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools

  • Understand how Deception can be effectively deployed as a defense mechanism in AD

  • Learn about Microsoft's EDR, Microsoft Defender for Endpoint, and understand the telemetry and components used by MDE for detection.

  • Execute an entire chain of attacks across a forest trust without triggering any alert in MDE.

  • Use the Security 365 dashboard to verify the MDE bypass.

  • Learn about Microsoft Identity Protection (MDI) and understand how MDI relies on anomaly detection to spot an attack.

  • Bypass various MDI detections throughout the course.

Who should take this course?

Aspiring red teamers who would like to get started with red teaming. Blue teamers who want to understand the approach and techniques of adversaries.

What's Included

  • Access to a lab environment (one/two/three months) with updated Server 2022 machines. The lab can be accessed using a web browser or VPN.

  • A ready to use student VM in the cloud that has all the tools and Sliver C2 pre-installed.

  • Lifetime access to all the learning material (including course updates).

  • 14+ hours of video course with English captions.

  • Course slides.

  • Two lab manuals: one for solving the lab using standalone tools, the second for solving the lab using a C2.

  • Walk-through videos.

  • One exam attempt for the Certified Red Team Professional (CRTP) certification.

  • Support on email and Discord.

What will you Learn?

The Attacking and Defending Active Directory Lab enables you to:

  • Practice various attacks in a fully patched, realistic Windows environment with Server 2022 and SQL Server 2017 machines.

  • Use multiple domains and forests to understand and practice cross-trust attacks.

  • Learn and understand concepts of well-known Windows and Active Directory attacks.

  • Learn to use Windows as an attack platform and to use trusted features of the OS like .NET, PowerShell and others for attacks.

  • Bypass defenses like Windows Defender, Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI).

Prerequisites for the course

  • Basic understanding of Active Directory.

  • Ability to use command line tools on Windows.

Top 3 takeaways

1. The course focuses on understanding 'how' an attack technique works. This helps in developing an attacker mindset, regardless of what technology a student encounters.

2. The enterprise-like, always-on lab allows ample time to practice. You just need a web browser (or a VPN client) to access the lab, so learning starts immediately.

3. The course is based on real-world red team operations by the instructors and is continuously updated with new attack techniques and community feedback.

About the Trainer

Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com. As a global leader in cybersecurity education, he has nurtured the field, helping bring it from niche groups to the mainstream.

Nikhil's areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post-exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure and Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world's top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.