Advanced Active Directory Exploitation


John Latridis


Mere vulnerability scanning has been rendered obsolete, in particular for more security-conscious and mature organisations. To meet their goals, penetration testing, red team and purple team engagements against on-premises Active Directory environments require, among other things, robust knowledge of the relationships between domain objects and of the Kerberos protocol.

Although many tools are available to aid in the enumeration of domain environments and in the discovery and abuse of their misconfigurations, they are rarely used efficiently. This most often stems not from the tools themselves but from a fundamental misconception and misinterpretation of the relationships and protocols in place, which in turn contributes to further confusion and to the failure to attack and defend a domain environment appropriately.

Standing on the shoulders of giants in the industry, the Advanced Active Directory Exploitation (AADE) course provides a meticulous and thorough examination of domain object relationships and of the quite complicated Kerberos protocol, the latter being scrutinized on a request and response level. The end goal is to enable attackers and defenders to engage with on-premises domain environments with efficiency and precision. This is achieved through comprehensive theory in conjunction with a series of practical exercises within a domain environment unique to each student.

Come join us for an intense deep dive into Active Directory exploitation!

Training Format

  • 2-day course
  • 60% practical and 40% theoretical
  • A multi-domain lab environment unique to each student.
  • 20+ practicals, including bonus ones.

Key Learning Objectives

  • Domain object relationships and abuse thereof.
  • Kerberos protocol and abuse thereof.
  • Active Directory Certificate Services and abuse thereof.
  • Understanding domain objects and the relationships between them.
  • Exploring the mostly misunderstood Kerberos protocol and its delegation flavours.
  • Learning how to attack or defend a domain environment.

Training Syllabus:

Windows authentication and access tokens:

  • How does Windows authentication work in a domain environment?
  • What are the differences between local and domain authentication?
  • Access tokens; what are they and how can they be compromised?

Relayed and coerced authentication:

  • What are network spoofing and relay attacks?
  • What is coerced authentication and cross-protocol relaying?

Domain object relationships:

  • What constitutes a domain object?
  • What are the relationships between them?
  • What are the access controls imposed on them?
  • What is inheritance and how does it work?

Group Policy Objects:

  • What are Group Policy Objects?
  • How can they be abused?
  • Can they facilitate lateral movement?

Kerberos Protocol:

  • How does Kerberos work on a request and response level?
  • What are the roasting attacks against the Kerberos protocol?
  • What is the double-hop problem and how does delegation solve it?
  • What is domain user impersonation and how does it aid in delegation?
  • How does delegation work on a request and response level?
  • How can each delegation flavour be configured or misconfigured?
  • How can each delegation flavour be abused?

Domain Compromise:

  • What are some significant persistence avenues?
  • What are Kerberos Silver and Golden Tickets?
  • What is credential dumping?

Domain Trust Relationships:

  • What are trust relationships between domains?
  • How can they be abused?

Who should do this course:

Penetration testers, network administrators, security professionals, and IT security enthusiasts who have a need to acquaint themselves with real-world offensive tactics, techniques and tools used to target Active Directory environments.

Experience required:

Extensive experience is not required for this course, although a solid technical grounding is an absolute must. We recommend familiarity with the Windows operating system and its command line at a minimum.

What you should bring:

Just your laptop. You will be able to access our virtual labs through any modern browser (Firefox / Chrome).

What you will get:

  • Access to our web class portal containing slides, practicals, walkthroughs, tools and prerequisites. This is accessible during and after the training.
  • Access to your own individual lab with numerous targets and capabilities, used for the practicals. This is accessible during the training.