Attacking and Defending Active Directory: Advanced Edition [March 2025]
A deep dive into Red Teaming – Practice attacks with a focus on OpSec, Living Off the Land and bypassing security controls like MDI, WDAC and more in a secure multi-forest Active Directory lab environment. Earn the CRTE certification.
Starts: 8th March 2025 Duration: 4 weeks
Recordings of live sessions included!
What You Will Learn
This advanced bootcamp is designed to help security professionals understand, analyze and practice threats and attacks in a modern, multi-forest Active Directory environment with fully patched Server 2019 machines.
In addition to learning the popular tactics, techniques and procedures (TTPs), you will also see how they change for attacks across forest trusts. You will also learn how to abuse or bypass modern Windows defenses like Advanced Threat Analytics, Local Administrator Password Solution (LAPS), Just Enough Administration (JEA), Resource-Based Constrained Delegation (RBCD), Windows Defender Application Control (WDAC), Application Whitelisting (AWL), Constrained Language Mode (CLM), virtualization and more.
4 Live Sessions
4 Hrs Per Session
4 Weeks Access
60 Flags To Be Collected
29 Lab Exercises
1 CRTE Attempt
Recordings Of Live Sessions
Build Your Cybersecurity Credentials
Become a Certified Red Team Expert (CRTE)
A certificate holder has demonstrated the capability of enumerating and understanding an unknown Windows network and can identify misconfigurations, functionality abuse and trust abuse. She can use, write and modify open source tools and can abuse other built-in tools to perform enumeration, local privilege escalation, impersonation, pivoting, whitelisting bypasses, and antivirus evasion as well as identify sensitive data with minimal chances of detection.
Bootcamp Completion Certificate
Attendees will also get a course completion certificate after completing the Learning Objectives covered during the course.
Live Session Schedule
Weekly 4-hour sessions start at 09:00 am ET and end at 01:00 pm ET.
DATE | LIVE SESSIONS
08 March 2025 | Introduction to Active Directory, Enumeration and Local Privilege Escalation
15 March 2025 | Lateral Movement, Domain Privilege Escalation
22 March 2025 | Dominance and Escalation to Enterprise Admins, Domain Persistence
29 March 2025 | Defenses, Monitoring and Bypassing Defenses
Prerequisites
1. A good understanding of Active Directory security.
2. The ability to use command line tools.
Bootcamp Syllabus
The course is split into four modules across four weeks:
Module I
Introduction to the OPSEC followed in the course and its focus on stealth
Introduction to Active Directory, attack methodology and tradecraft
Domain Enumeration (Attacks and Defense)
Enumerating information that would be useful in attacks while leaving a minimal footprint on the endpoints
Understand and practice what properties and information to look for when preparing attack paths to avoid detection
Enumerate trust relationships within and across forests to map cross trust attack paths
Learn and practice escalating to local administrator privileges in the domain by abusing OU Delegation, Restricted Groups, LAPS, Nested group membership and hunting for privileges using remote access protocols
Credential Replay Attacks
Module II
Understand Microsoft’s EDR – Microsoft Defender for Endpoint (MDE)
Evading application whitelisting (WDAC)
Extract credentials from a machine that has MDE and WDAC configured
Domain Privilege Escalation by abusing Unconstrained Delegation: understand how unconstrained delegation is useful in compromising multiple high privilege servers and users in AD
Abusing Constrained Delegation for Domain Privilege Escalation by impersonating high privilege accounts
Using ACL permissions to abuse Resource-based Constrained Delegation
Domain Persistence Techniques
Module III
Advanced Cross Domain attacks. Learn and practice attacks that allow escalation from Domain Admins to Enterprise Admins by abusing MS Products and delegation issues
Lateral movement from on-prem to Azure AD by attacking Hybrid Identity infrastructure
Advanced Cross Forest attacks. Execute attacks like abuse of Kerberoast, SID Filtering misconfigurations etc. across forest trusts and understand the nuances of such attacks
Abusing SQL Server for cross forest attacks
More on advanced Cross Forest attacks like abuse of Foreign Security Principals, ACLs etc.
Abusing PAM trust and shadow security principals to execute attacks against a managed forest
Learn and execute attacks against trust transitivity.
Module IV
Learn about Microsoft Identity Protection (MDI) and its telemetry collection
Understand how MDI relies on anomalies to spot an attack
Bypass various MDI detections throughout the course
Learn about the Elastic stack and Sysmon, and how they help defenders
Bypass various Sysmon logs throughout the course.
Understand privileged groups and the security flags/settings that can be configured on privileged accounts and groups.
Learn and understand the need for leveraging a Privileged Administrative Workstation.
Learn and understand Time Bound Administration (JIT & JEA).
Learn about Tier Model & ESAE environment.
Learn about various security features such as Credential Guard, WDAC, MDI, LAPS, Protected Users Group etc.
Purchase Options
BLACK FRIDAY DEALS
- Flat 20% OFF on All Courses and Bootcamps in Q1 & Q2 2025
- 25% OFF when you purchase more than one course
- No coupon code required
- Offer Valid From 25th October To 3rd December 2024
Bootcamp: $399
30 DAYS LAB ACCESS + BOOTCAMP + LIFETIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT
Extension: $249
30 DAYS LAB EXTENSION + ONE COMPLIMENTARY EXAM ATTEMPT
Bootcamp: $599
60 DAYS LAB ACCESS + BOOTCAMP + LIFETIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT
Bootcamp: $799
90 DAYS LAB ACCESS + BOOTCAMP + LIFETIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT
Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.
Reattempt: $99
EXAM REATTEMPT
MEET THE INSTRUCTOR
Nikhil Mittal
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.
He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.
Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.
He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/