Attacking and Defending Active Directory: Beginner's Edition [March 2023]
Our 4-week beginner bootcamp teaches you to attack and defend Enterprise Active Directory environments. Covers AD enumeration, trust mapping, Kerberos based attacks and more! Earn the Certified Red Team Professional (CRTP) certification.
Starts: 05 March 2023 Duration: 4 weeks
Recordings of live sessions included!
What You Will Learn
This is a 4-week beginner-friendly bootcamp, designed to teach security professionals how to identify and analyze threats in a modern Active Directory environment. The bootcamp will cover topics like Active Directory (AD) enumeration, trust mapping, domain privilege escalation, Kerberos based attacks, SQL server trusts, defenses and bypasses of defenses.
The bootcamp will teach you how to attack and defend Enterprise Active Directory environments and will give you an opportunity to become a Certified Red Team Professional.
4 Live Sessions
3 Hrs Per Session
4 Weeks Access
40 Flags To Be Collected
22 Lab Exercises
1 CRTP Attempt
Recordings Of Live Sessions
Build Your Cybersecurity Credentials
Become a Certified Red Team Professional (CRTP)
This certification on your CV" with A certificate holder has demonstrated the understanding of AD security. She can identify and enumerate interesting information and execute variety of attack techniques like local and domain privilege escalation, persistence, trust abuse and antivirus evasion with minimal chances of detection.
Bootcamp Completion Certificate
Attendees will also get a course completion certificate after completing Learning Objectives covered during the course.
Live Session Schedule
Weekly 3.5 hr sessions start at 10:00am ET and end at 2:00pm ET.
05 March 2023
Introduction to Active Directory, Enumeration and Local Privilege Escalation
12 March 2023
Lateral Movement, Domain Privilege Escalation and Persistence
19 March 2023
Domain Persistence, Dominance and Escalation to Enterprise Admins
26 March 2023
Defenses, Monitoring and Bypassing Defenses
The course is split in four modules across four weeks:
Module I: Active Directory Enumeration and Local Privilege Escalation
Enumerate useful information like users, groups, group memberships, computers, user
properties, trusts, ACLs etc. to map attack paths
Learn and practice different local privilege escalation techniques on a Windows machine
Hunt for local admin privileges on machines in the target domain using multiple methods
Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines
Module II: Lateral Movement, Domain Privilege Escalation and Persistence
Learn to find credentials and sessions of high privileges domain accounts like Domain Administrators, extracting their credentials and then using credential replay attacks to escalate privileges, all of this with just using built-in protocols for pivoting
Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level
Understand the classic Kerberoast and its variants to escalate privileges
Understand and exploit delegation issues
Learn how to abuse privileges of Protected Groups to escalate privileges
Abuse Kerberos functionality to persist with DA privileges. Forge tickets to execute attacks like Golden ticket and Silver ticket to persist
Subvert the authentication on the domain level with Skeleton key and custom SSP
Abuse the DC safe mode Administrator for persistence
Abuse the protection mechanism like AdminSDHolder for persistence
Module III: Domain Persistence, Dominance and Escalation to Enterprise Admins
Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain
Learn to modify the host security descriptors of the domain controller to persist and
execute commands without needing DA privileges
Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admins on the forest root by abusing Trust keys and krbtgt account
Execute intra-forest trust attacks to access resources across forest
Abuse database links to achieve code execution across forest by just using the databases
Module IV: Monitoring, Architecture Changes, Bypassing Advanced Threat Analytics and Deception
Learn about useful events logged when the discussed attacks are executed
Learn briefly about architecture changes required in an organization to avoid the discussed attacks. We discuss Temporal group membership, ACL Auditing, LAPS, SID Filtering, Selective Authentication, credential guard, device guard (WDAC), Protected Users Group, PAW, Tiered Administration and ESAE or Red Forest
Learn how Microsoft's Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools
Understand how Deception can be effective deployed as a defense mechanism in AD
MEET THE INSTRUCTOR
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.
He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.
Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.
He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/