Advanced Active Directory Exploitation


John Iatridis


Defenders are becoming more aware of the tactics and techniques used by attackers. Common attacks performed in the past to compromise enterprise networks are being left behind thanks to improvements and awareness within the security industry. Although enterprise networks are now more secure, mature networks may continue to rely on obsolete configurations that have been kept in place for business reasons. Active Directory is a case in point.

Active Directory was developed by Microsoft as a solution for managing company networks, and it is now routine for employees to interact with it and use its features. From Windows 2000 to the present, Active Directory has evolved with backwards compatibility in mind, so configurations implemented in the past have been inherited by modern enterprise networks. Additionally, new implementations and configurations can introduce new security issues that could aid an attacker in successfully compromising a company's network.

During the Advanced Active Directory Exploitation (AADE) course, you will dive into an immersive, isolated Active Directory enterprise network that simulates a real-world environment. We will take advantage of common misconfigurations we have found in real-world environments that can be abused to fully compromise multi-forest domains.

Top 3 takeaways you will learn:

  • Understanding how Active Directory enterprise environments function
  • How to make use of built-in as well as public tools to conduct Active Directory exploitation
  • Understanding the real-world abuses and adversarial attacks that could occur on any AD environment

Course Syllabus:

We will be covering methodologies, techniques, tools and procedures utilised in real-world Active Directory exploitation. Some of the topics we will cover are listed below:

  • Obtaining a foothold
    • Network enumeration
    • Low-hanging fruit
    • SMB signing and relay attacks
  • Host Reconnaissance and Domain Enumeration
    • PowerUp
    • PowerView
    • Seatbelt
    • BloodHound
  • Local Privilege Escalation
    • Kernel vulnerabilities
    • Misconfigured services
    • Password gathering
    • AlwaysInstallElevated
  • Windows Authentication
    • Credential management
    • LM & NT hashes
    • Session Tokens
  • Post-Exploitation
    • Credential Gathering
    • User Impersonation
  • Lateral Movement
    • PsExec
    • WMI
    • WinRM
  • Security Descriptors
    • User abuses
    • Group abuses
    • GPO abuses
    • Computer abuses
    • Domain abuses
  • Kerberos
    • Ticket Granting Tickets (TGT) and Ticket Granting Services (TGS)
    • Kerberoasting
    • Targeted Kerberoasting
  • Kerberos Delegation
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource-based Constrained Delegation
  • Domain Trusts
    • One-way trust relationships
    • Bidirectional trust relationships
  • Domain Compromise
    • DCSync
    • Golden Tickets
    • Silver Tickets

Who should do this course:

Penetration testers, network administrators, security professionals, and IT security enthusiasts who have a need to acquaint themselves with real-world offensive tactics, techniques and tools used to target Active Directory environments.

Experience required:

Extensive hacking experience is not required for this course, but a solid technical grounding is an absolute must. We recommend having at least 1 year of pentesting experience before taking this course and being familiar with Windows and Linux environments.

What you should bring:

Just your laptop. You will be able to access our virtual labs through any modern browser.

What you will get:

  • Access to our web class portal containing slides, practicals, walkthroughs, tools and prerequisites. This is accessible during and after the training.
  • Access to your own individual lab with numerous targets and capabilities, used for the practicals. This is accessible during the training.