Attacking and Defending Active Directory: Beginner's Edition [January 2025]
Our 4-week beginner bootcamp teaches you how to get started with Red Teaming. It covers AD enumeration, trust mapping, Kerberos based attacks, defense bypasses and more! Earn the Certified Red Team Professional (CRTP) certification.
Starts: 11th January 2025 Duration: 4 weeks
Recordings of live sessions included!
What You Will Learn
This 4-week beginner-friendly bootcamp is designed to get you started with Red Teaming. It teaches security professionals how to identify and analyze threats in a modern Active Directory environment, covering Active Directory (AD) enumeration, trust mapping, domain privilege escalation, Kerberos-based attacks, SQL Server trusts, defenses, and bypasses of those defenses.
The bootcamp will teach you how to attack and defend Enterprise Active Directory environments and will give you an opportunity to become a Certified Red Team Professional (CRTP).
4 Live Sessions
4 Hrs Per Session
4 Weeks Access
40 Flags To Be Collected
23 Lab Exercises
1 CRTP Attempt
Recordings Of Live Sessions
Build Your Cybersecurity Credentials
Become a Certified Red Team Professional (CRTP)
Get the industry-recognized CRTP certification! A certificate holder has demonstrated an understanding of Red Teaming and AD security. She can enumerate and execute a variety of attack techniques, such as local and domain privilege escalation, persistence, trust abuse and antivirus evasion, with minimal chance of detection.
Bootcamp Completion Certificate
Attendees also receive a course completion certificate after completing the Learning Objectives covered during the course.
Live Session Schedule
Weekly 4-hour sessions run from 09:00 AM ET to 01:00 PM ET.
11 January 2025: Introduction to Active Directory, Enumeration and Local Privilege Escalation
18 January 2025: Lateral Movement, Domain Privilege Escalation and Persistence
25 January 2025: Domain Persistence, Dominance and Escalation to Enterprise Admins
01 February 2025: Defenses, Monitoring and Bypassing Defenses
Prerequisites
1. A basic understanding of Active Directory
2. The ability to use command line tools on Windows
Bootcamp Syllabus
The course is split into four modules across four weeks:
Module I: Enumeration, Offensive PowerShell and .NET Tradecraft
Enumerate useful information like users, groups, group memberships, computers, user properties, trusts, ACLs etc. to map attack paths
Learn and practice different local privilege escalation techniques on a Windows machine
Hunt for local admin privileges on machines in the target domain using multiple methods
Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines
Learn how PowerShell tools can still be used for enumeration.
Learn to modify existing tools to bypass Windows Defender.
Bypass PowerShell security controls and enhanced logging like System Wide Transcription, Antimalware Scan Interface (AMSI), Script Block Logging and Constrained Language Mode (CLM).
Learn how to modify and use .NET tools to bypass Windows Defender and Microsoft Defender for Endpoint (MDE).
Learn to use .NET Loaders that can run assemblies in-memory.
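The enumeration objectives above (users, groups and nested memberships, computers, trusts and ACLs) can all be met with nothing but the .NET DirectoryServices classes that ship with Windows, which is what "PowerShell tools can still be used for enumeration" amounts to when RSAT and third-party modules are unavailable. The script below is an added example, not course material or an Altered Security tool. It assumes it runs as an ordinary domain user on a domain-joined host, discovers the domain DN from RootDSE rather than hard-coding it, and assumes Domain Admins sits in the default CN=Users container; the Search-AD helper is a hypothetical name introduced here.

```powershell
# Added example (not course material): LDAP enumeration with built-in ADSI/.NET classes only.
# Assumes a domain-joined host and a plain domain user; no RSAT or external modules needed.

$root     = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$root.defaultNamingContext   # e.g. DC=corp,DC=local, discovered at run time

function Search-AD {
    # Hypothetical helper: run one LDAP query with paging so results are not cut off at 1000.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('*'),
        [string]$SearchBase = "LDAP://$domainDN"
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchBase
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $searcher.FindAll()
}

# 1. User accounts with an SPN set: candidates for the Kerberoast attacks covered in Module II
Search-AD -Filter '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' `
          -Properties samaccountname,serviceprincipalname |
    ForEach-Object {
        [pscustomobject]@{
            User = $_.Properties.samaccountname[0]
            SPN  = $_.Properties.serviceprincipalname -join ';'
        }
    }

# 2. Effective members of Domain Admins, including nested groups, via LDAP_MATCHING_RULE_IN_CHAIN
#    (assumes the group is in the default CN=Users container)
$daDN = "CN=Domain Admins,CN=Users,$domainDN"
Search-AD -Filter "(memberOf:1.2.840.113556.1.4.1941:=$daDN)" -Properties samaccountname |
    ForEach-Object { $_.Properties.samaccountname[0] }

# 3. Computers, their OS, and whether unconstrained delegation is set (userAccountControl bit 0x80000)
Search-AD -Filter '(objectCategory=computer)' -Properties dnshostname,operatingsystem,useraccountcontrol |
    ForEach-Object {
        $uac = [int]$_.Properties.useraccountcontrol[0]
        [pscustomobject]@{
            Host                    = $_.Properties.dnshostname[0]
            OS                      = $_.Properties.operatingsystem[0]
            UnconstrainedDelegation = [bool]($uac -band 0x80000)
        }
    }

# 4. Trusts: trustedDomain objects live under CN=System
Search-AD -Filter '(objectClass=trustedDomain)' -SearchBase "LDAP://CN=System,$domainDN" `
          -Properties name,trustdirection,trustattributes |
    ForEach-Object {
        [pscustomobject]@{
            Domain    = $_.Properties.name[0]
            Direction = $_.Properties.trustdirection[0]                      # 1=inbound 2=outbound 3=bidirectional
            Attrs     = '0x{0:X}' -f [int]$_.Properties.trustattributes[0]    # 0x8 = forest transitive
        }
    }

# 5. DACL of the domain object: principals holding rights that enable DCSync-style abuse (Module III)
$domainObj = [ADSI]"LDAP://$domainDN"
$domainObj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|ExtendedRight' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Every query here is a normal LDAP read that any authenticated domain user can perform, which is also why these lookups are hard to distinguish from legitimate traffic; the detection side of that trade-off is the subject of Module IV.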
Module II: Lateral Movement, Domain Privilege Escalation and Persistence
Learn to find credentials and sessions of high-privilege domain accounts like Domain Administrators, extract their credentials, and use credential replay attacks to escalate privileges, all while pivoting with only built-in protocols
Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to the domain level
Understand the classic Kerberoast and its variants to escalate privileges
Understand and exploit delegation issues
Learn how to abuse privileges of Protected Groups to escalate privileges
Abuse Kerberos to persist with DA privileges. Forge tickets to execute attacks like Golden Ticket, Diamond Ticket and Silver Ticket for persistence
Subvert authentication at the domain level with a Skeleton Key and a custom SSP
Abuse the DC safe mode (DSRM) Administrator account for persistence
Abuse protection mechanisms like AdminSDHolder for persistence
Module III: Domain Dominance and Escalation to Enterprise Admins
Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain objects
Learn to modify the host security descriptors of the domain controller to persist and execute commands without needing DA privileges
Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admins on the forest root by abusing Trust keys and krbtgt account
Execute intra-forest trust attacks to access resources across the forest
Abuse SQL Server database links to achieve code execution across forests using only the databases
Learn about Active Directory Certificate Services and execute some of the most popular attacks.
Execute attacks across Domain trusts to escalate privileges to Enterprise Admins.
Module IV: Monitoring, Architecture Changes, Bypassing MDE and MDI
Learn about useful events logged when the discussed attacks are executed
Learn briefly about the architecture changes an organization needs to avoid the discussed attacks. We discuss temporal group membership, ACL auditing, LAPS, SID Filtering, Selective Authentication, Credential Guard, Device Guard (WDAC), the Protected Users group, PAWs, Tiered Administration and ESAE (Red Forest)
Learn how Microsoft's Advanced Threat Analytics (ATA) and similar tools detect domain attacks, and the ways to avoid and bypass such tools
Understand how deception can be effectively deployed as a defense mechanism in AD
Learn about Microsoft's EDR, Microsoft Defender for Endpoint (MDE), and understand the telemetry and components MDE uses for detection.
Execute an entire chain of attacks across a forest trust without triggering any MDE alert.
Use the Microsoft 365 security portal dashboard to verify the MDE bypass.
Learn about Microsoft Defender for Identity (MDI) and understand how MDI relies on anomaly detection to spot an attack.
Bypass various MDI detections throughout the course.
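"Useful events logged when the discussed attacks are executed" is concrete for two of the attacks in Modules II and III: a Kerberoast request shows up as a 4769 service-ticket event with RC4 (0x17) encryption for a user-account SPN, and DCSync shows up as a 4662 event in which a non-DC principal exercises the DS-Replication-Get-Changes rights on the domain object. The script below is an added example, not course material or an Altered Security tool: it triages a handful of constructed (not real) event records with that logic, and the commented Get-WinEvent line shows how the same functions apply to a live Security log on a DC where the Kerberos Service Ticket Operations and Directory Service Access audit subcategories are enabled. The function names and the CORP.LOCAL sample domain are assumptions made for the example.

```powershell
# Added example (not course material): triage Security-log records for Kerberoast (4769)
# and DCSync (4662) indicators. Sample records are constructed in-line so this runs offline.

# Control access rights GUIDs that DCSync needs on the domain object
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-KerberoastIndicator {
    # Hypothetical helper: flag an RC4 service ticket for a non-machine, non-krbtgt SPN.
    param([hashtable]$Event)   # 4769 fields: TargetUserName, ServiceName, TicketEncryptionType, IpAddress
    if ($Event.Id -ne 4769) { return }
    $rc4     = $Event.TicketEncryptionType -eq '0x17'
    $userSpn = ($Event.ServiceName -notmatch '\$$') -and ($Event.ServiceName -ne 'krbtgt')
    if ($rc4 -and $userSpn) {
        [pscustomobject]@{ Attack = 'Kerberoast'; Account = $Event.TargetUserName
                           Detail = "$($Event.ServiceName) from $($Event.IpAddress)" }
    }
}

function Test-DCSyncIndicator {
    # Hypothetical helper: flag replication rights exercised by anything other than a machine account.
    param([hashtable]$Event)   # 4662 fields: SubjectUserName, Properties (GUID list), ObjectType
    if ($Event.Id -ne 4662) { return }
    $hits = @($ReplicationRights.Keys | Where-Object { $Event.Properties -match $_ })
    # Domain controllers replicate legitimately; a non-machine principal asking for these rights is the anomaly.
    if ($hits.Count -gt 0 -and ($Event.SubjectUserName -notmatch '\$$')) {
        [pscustomobject]@{ Attack = 'DCSync'; Account = $Event.SubjectUserName
                           Detail = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ',' }
    }
}

function ConvertFrom-SecurityEvent {
    # Hypothetical helper: turn a live Get-WinEvent record into the hashtable shape used above.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h   = @{ Id = $Record.Id }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# Constructed sample records (not real telemetry): one RC4 ticket for a user SPN, one AES ticket for a
# machine SPN, one replication request by a user, one by a domain controller.
$SampleEvents = @(
    @{ Id = 4769; TargetUserName = 'studentuser@CORP.LOCAL'; ServiceName = 'svc_sql'; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.23' },
    @{ Id = 4769; TargetUserName = 'studentuser@CORP.LOCAL'; ServiceName = 'WS01$';   TicketEncryptionType = '0x12'; IpAddress = '10.0.0.23' },
    @{ Id = 4662; SubjectUserName = 'studentuser'; ObjectType = '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'
       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' },
    @{ Id = 4662; SubjectUserName = 'DC01$';       ObjectType = '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'
       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
)

$findings = foreach ($e in $SampleEvents) {
    Test-KerberoastIndicator $e
    Test-DCSyncIndicator $e
}
$findings | Format-Table -AutoSize

# Same logic against a DC's live Security log (requires the relevant audit subcategories enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769, 4662 } -MaxEvents 5000 |
#     ForEach-Object { $e = ConvertFrom-SecurityEvent $_; Test-KerberoastIndicator $e; Test-DCSyncIndicator $e }
```

Two caveats a practitioner should keep in mind: the RC4 heuristic is only as good as the domain's encryption-type hygiene, since an SPN account still configured for RC4 produces 0x17 tickets for legitimate clients too, and the machine-account filter on 4662 is a coarse first pass that an attacker who has compromised a DC's computer account (for example via the unconstrained delegation abuse covered in Module II) will slip past.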
BLACK FRIDAY DEALS
Purchase Options
- Flat 20% OFF on All Courses and Bootcamps in Q1 & Q2 2025
- 25% OFF when you purchase more than one course
- No coupon code required
- Offer Valid From 25th October To 3rd December 2024
Bootcamp (30 days lab access + bootcamp + lifetime access to course material + one certification exam attempt): $299
Extension (30 days lab extension + one complimentary exam attempt): $199
Bootcamp (60 days lab access + bootcamp + lifetime access to course material + one certification exam attempt): $429
Bootcamp (90 days lab access + bootcamp + lifetime access to course material + one certification exam attempt): $549
Exam reattempts are only available to existing or past students who have previously purchased this course.
Reattempt (one exam reattempt): $99
MEET THE INSTRUCTOR
Nikhil Mittal
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post-exploitation research. He has 15+ years of experience in red teaming.
He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure AD and Active Directory attacks, defenses and bypassing detection mechanisms.
Nikhil has trained more than 10,000 security professionals in private trainings and at the world's top information security conferences.
He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/