We know times are tough right now because of COVID-19 so we are offering a MASSIVE Discount. Stay safe and happy learning!

Attacking and Defending Active Directory Lab Objective:

The importance of Active Directory in an enterprise cannot be stressed enough. Used by more than 90% of Fortune 1000 companies, the all-pervasive AD is the focal point for adversaries. Still, when it comes to AD security, there is a large knowledge gap that security professionals and administrators struggle to fill. Over the years, we have taught numerous professionals in real-world trainings on AD security and have always found a lack of quality material and, especially, a dearth of practice labs where one can practice AD attacks in a controlled environment.

Attacking and Defending Active Directory Lab is designed to provide a platform for security professionals to understand, analyze and practice threats and attacks in a modern Active Directory environment. The lab is beginner friendly and comes with a complete video course and lab manual. The course and the lab are based on our years of experience making and breaking Windows and AD environments and teaching security professionals.

The lab is tightly integrated with the course and is designed as a practice lab rather than a challenge lab. We cover topics like AD enumeration, trusts mapping, domain privilege escalation, domain persistence, Kerberos based attacks (Golden ticket, Silver ticket and more), ACL issues, SQL server trusts, Defenses and bypasses of defenses.

If you want a difficult lab to challenge your skills, please check out our Windows RedTeam lab - https://www.pentesteracademy.com/redteamlab.

Whether you are a beginner, a red teamer, a penetration tester or a blue teamer, the course and the lab have something for everyone!

What will you learn?

The Attacking and Defending Active Directory Lab enables you to:

  • Practice various attacks in a fully patched, realistic Windows environment with Server 2016 and SQL Server 2017 machines.
  • Work across multiple domains and forests to understand and practice cross-trust attacks.
  • Learn and understand the concepts behind well-known Windows and Active Directory attacks.
  • Learn to use Windows as an attack platform and to use trusted features of the OS, like PowerShell, for attacks.
  • Try scripts, tools and new attacks in a fully functional AD environment.

The following are the prerequisites for the lab:
  • Basic understanding of Active Directory
  • Ability to use command line tools on Windows

Lab includes access to our Attacking and Defending Active Directory course (14 Hours of HD Content)

This lab, like other challenging certifications, requires you to learn by exploring. If you understand the basics of how a Windows domain works and have used PowerShell scripts for pentesting/red teaming, then you should be right at home. We expect the rest to be researched as the student encounters a roadblock.

23 Learning Objectives, 59 Tasks, >120 Hours of Torture :)

I. Active Directory Enumeration

  • Use scripts, built-in tools and Active Directory module to enumerate the target domain.
  • Understand and practice how useful information like users, groups, group memberships, computers, user properties etc. from the domain controller is available to even a normal user.
  • Understand and enumerate intra-forest and inter-forest trusts. Practice how to extract information from the trusts.
  • Enumerate Group policies.
  • Enumerate ACLs and learn to find interesting rights in ACLs in the target domain to carry out attacks.
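As an added illustration of the enumeration objectives above (this is example code written for this page, not material from the course or the lab), the following PowerShell runs on any domain-joined Windows host as an ordinary domain user, using only the built-in .NET DirectoryServices classes rather than the RSAT ActiveDirectory module. The function names are this example's own; the LDAP filters, the userAccountControl bit for unconstrained delegation and the two replication control-access-right GUIDs are standard Active Directory values. It assumes the host is joined to the target domain and that the current logon is a normal domain user.

```powershell
# Added example, not course/lab code. Assumes a domain-joined host and a
# normal domain user token; no RSAT or ActiveDirectory module required.

function Invoke-LdapQuery {
    # Paged LDAP search returning one object per result with the requested attributes.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('distinguishedName'),
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$SearchBase", $Filter)
    $searcher.PageSize = 1000                      # paged, so large domains return fully
    $searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = ($r.Properties[$p.ToLower()] -join ';') }
        [pscustomobject]$o
    }
}

# Who are the Domain Admins? (readable by any authenticated user)
function Get-DomainAdminMembers {
    Invoke-LdapQuery -Filter '(&(objectClass=group)(sAMAccountName=Domain Admins))' `
        -Properties member | Select-Object -ExpandProperty member
}

# Kerberoastable users: enabled user accounts that carry an SPN (krbtgt excluded).
function Get-KerberoastableUsers {
    Invoke-LdapQuery -Properties sAMAccountName, servicePrincipalName, pwdLastSet -Filter `
        '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
}

# Unconstrained delegation: userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288).
function Get-UnconstrainedDelegationComputers {
    Invoke-LdapQuery -Properties dNSHostName -Filter `
        '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
}

# Constrained delegation: any object with msDS-AllowedToDelegateTo populated.
function Get-ConstrainedDelegationObjects {
    Invoke-LdapQuery -Filter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, 'msDS-AllowedToDelegateTo'
}

# Trusts live as trustedDomain objects under CN=System.
function Get-DomainTrusts {
    $dnc = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    Invoke-LdapQuery -SearchBase "CN=System,$dnc" -Filter '(objectClass=trustedDomain)' `
        -Properties name, flatName, trustDirection, trustAttributes
}

# Interesting ACEs on the domain object: full control, DACL/owner writes, or the
# two replication rights that together allow DCSync.
function Get-InterestingDomainAces {
    $dnc = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $dcsyncGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                     '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
    ([ADSI]"LDAP://$dnc").ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or
            $dcsyncGuids -contains $_.ObjectType.ToString())
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

Get-DomainAdminMembers
Get-KerberoastableUsers | Format-Table -AutoSize
Get-UnconstrainedDelegationComputers
Get-ConstrainedDelegationObjects | Format-List
Get-DomainTrusts | Format-Table -AutoSize
Get-InterestingDomainAces | Format-Table -AutoSize
```

None of these queries needs more than the default read access that every authenticated domain user holds, which is exactly the point the objective above makes: a defender should expect this level of visibility from any compromised workstation.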

II. Local Privilege Escalation

  • Learn and practice different local privilege escalation techniques on a Windows machine.
  • Hunt for local admin privileges on machines in the target domain using multiple methods.
  • Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines.

III. Domain Privilege Escalation

  • Learn to find credentials and sessions of high-privilege domain accounts such as Domain Administrators, extract their credentials, and then use credential replay attacks to escalate privileges, all while pivoting with built-in protocols only.
  • Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level.
  • Understand the classic Kerberoast and its variants to escalate privileges.
  • Enumerate the domain for objects with unconstrained delegation and abuse it to escalate privileges.
  • Find domain objects with constrained delegation enabled. Understand and execute the attacks against such objects to escalate privileges to a single service on a machine and to the domain administrator using alternate tickets.
  • Learn how to abuse the privileges of Protected Groups to escalate privileges.

IV. Domain Persistence and Dominance

  • Abuse Kerberos functionality to persist with DA privileges. Forge tickets to execute attacks like Golden ticket and Silver ticket to persist.
  • Subvert authentication at the domain level with Skeleton Key and a custom SSP.
  • Abuse the DC safe-mode (DSRM) Administrator account for persistence.
  • Abuse protection mechanisms like AdminSDHolder for persistence.
  • Grant the minimal rights required for attacks like DCSync by modifying ACLs of domain objects.
  • Learn to modify the host security descriptors of the domain controller to persist and execute commands without needing DA privileges.

V. Cross Trust Attacks

  • Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admin on the forest root by abusing trust keys and the krbtgt account.
  • Execute inter-forest trust attacks to access resources across forests.
  • Abuse database links to achieve code execution across forests using only SQL Server.

VI. Forest Persistence and Dominance

  • Understand forest persistence techniques like DCShadow. Execute it to modify objects in the forest root without leaving change logs. Learn the minimal permissions required to use DCShadow, and how to set those minimal permissions without leaving change logs using Shadowception.

VII. Defenses – Monitoring

  • Learn about useful events logged when the discussed attacks are executed.
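As an added illustration of the monitoring objective above (example code written for this page, not course material), the PowerShell below pulls two of the best-known footprints from the Security log: RC4-encrypted service ticket requests (event 4769) as the classic Kerberoast signal, and replication control-access rights being exercised by a non-computer account (event 4662) as the DCSync signal. The function names are this example's own. It assumes it runs on a domain controller, or against forwarded DC logs, with Audit Kerberos Service Ticket Operations and Audit Directory Service Access enabled; 4662 only fires for replication if the domain object's SACL covers the replication control-access rights. The two GUIDs are the standard DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.

```powershell
# Added example, not course/lab code. Assumes execution on a DC (or against
# forwarded DC Security logs) with the relevant audit subcategories enabled.

$DsReplGetChanges    = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$DsReplGetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> nodes of a Security event into an object.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; RecordId = $Event.RecordId }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Find-KerberoastRequests {
    # 4769 = Kerberos service ticket requested. RC4 (TicketEncryptionType 0x17)
    # tickets for user-account SPNs are the classic Kerberoast footprint;
    # computer accounts (names ending in $) and krbtgt are excluded.
    param([datetime]$Since = (Get-Date).AddHours(-24),
          [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object {
            $_.TicketEncryptionType -eq '0x17' -and
            $_.Status -eq '0x0' -and
            $_.ServiceName -notlike '*$' -and
            $_.ServiceName -ne 'krbtgt'
        } |
        Group-Object IpAddress, TargetUserName |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Services'; e = { ($_.Group.ServiceName | Sort-Object -Unique) -join ',' } }
}

function Find-DcsyncAttempts {
    # 4662 = an operation was performed on an object. Replication rights used by
    # a principal that is not a DC computer account is the DCSync footprint.
    param([datetime]$Since = (Get-Date).AddHours(-24),
          [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object {
            ($_.Properties -match $DsReplGetChanges -or $_.Properties -match $DsReplGetChangesAll) -and
            $_.SubjectUserName -notlike '*$'
        } |
        Select-Object TimeCreated, SubjectUserName, SubjectDomainName, ObjectName
}

Find-KerberoastRequests | Format-Table -AutoSize
Find-DcsyncAttempts     | Format-Table -AutoSize
```

A burst of RC4 service ticket requests for many different SPNs from one source within seconds, or any 4662 carrying the replication GUIDs for a subject that is not a domain controller's computer account, is worth an immediate look; both checks are cheap enough to run on a schedule.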

VIII. Defenses and bypass – Architecture and Work Culture Changes

  • Learn briefly about the architecture and work culture changes required in an organization to avoid the discussed attacks. We discuss temporal group membership, ACL auditing, LAPS, SID filtering, Selective Authentication, Credential Guard, Device Guard, the Protected Users group, PAWs, tiered administration and ESAE (Red Forest).
  • Learn how Microsoft's Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools.

IX. Defenses and Bypass – Deception

  • Understand how deception can be effectively deployed as a defense mechanism in AD.
  • Deploy decoy user objects that have interesting properties set, hold ACL rights over other users and have high-privilege access in the domain, along with the available protections.
  • Deploy decoy computer objects and group objects to deceive an adversary.
  • Learn how adversaries can identify decoy objects and how defenders can avoid such identification.

X. Defenses and Bypass – PowerShell

  • Learn about the various improvements in Windows PowerShell v5 and their significance in detecting attacks.
  • We discuss system-wide transcription, enhanced logging, Constrained Language Mode, AMSI etc. Learn how JEA helps in secure administration. Execute bypasses against the discussed defenses and learn how those bypasses are detected.

Certified Red Team Professional

The Certified Red Team Professional is a completely hands-on certification. To be certified, a student must solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges a student to compromise Active Directory by abusing features and functionalities without relying on patchable exploits. Students will have 24 hours for the hands-on certification exam.

A certification holder has the skills to understand and assess the security of an Active Directory environment.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.

In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool-down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After a total of 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool-down period of 6 months.

Exam Structure

The students are provided access to an individual Windows environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.

To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. The students will need to understand how Windows domains work, as most exploits cannot be used in the target network.

At the end of the exam, students need to submit the detailed solutions to challenges along with practical mitigations.

Certification Benefits

A certificate holder has demonstrated an understanding of AD security. She can identify and enumerate interesting information and execute a variety of attack techniques like local and domain privilege escalation, persistence, trust abuse and antivirus evasion with minimal chances of detection.

The certificate holder is ready for the next level that is Certified Red Team Expert: https://www.pentesteracademy.com/redteamlab

Nikhil Mittal: BlackHat USA Trainer, DEF CON Speaker, Discoverer of Windows Threats

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory security, attack research, defense strategies and post-exploitation research. He has 11+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and "out of the box" approaches. He has worked extensively on Active Directory attacks, bypassing detection mechanisms and offensive PowerShell for red teaming. He is the creator of Kautilya, a toolkit that makes it easy to use HIDs in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like DEF CON, Black Hat, CanSecWest, BruCON, 44CON and more. He blogs at https://www.labofapenetrationtester.com/

Purchase Lab:

For alternate payment methods or enterprise team purchase please use the Contact-Us section

Terms of Purchase and Use:

  • You can start your lab access anytime within 90 days of purchase
  • Purchase includes access to our Attacking and Defending Active Directory video course (14 hours of HD video)
  • One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
  • Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
  • The above lab is a shared environment and certain pre-specified machines will be off-limits
  • If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab
