Active Directory for Red Teamers

Course Synopsis

A focused one-day intensive that takes you from AD fundamentals to full domain compromise. Six modules cover how Active Directory is built, how its authentication protocols actually work, how to map a target environment systematically, and how to execute the attacks that matter - from credential theft to persistence.

The course is hands-on throughout. Every concept is demonstrated with working tooling in a lab environment that mirrors a realistic corporate deployment.

Coming Soon →
Module 01

Active Directory Architecture

How the Domain Hierarchy Works

  • Forests, domains, and trees - what each boundary means for attackers
  • How domain controllers relate to each other and why that matters for lateral movement
  • The roles that make a domain function and what happens when you target them

How Objects are Organized

  • How users, computers, and groups are represented and queried over LDAP
  • The identifiers AD uses to track objects - and which ones are useful to attackers
  • Extended attributes that expose delegation settings, certificate enrollment, and more

Identity, Privilege, and Groups

  • How Windows builds an access token and what determines what you can do with it
  • Which built-in groups are high-value targets and which are commonly overlooked
  • How group nesting creates hidden privilege escalation paths
  • Group Policy - how it is structured and how write access to a GPO becomes code execution

Red Team Toolkit Overview

  • BloodHound for visualizing attack paths across the entire domain
  • Rubeus for Kerberos ticket operations
  • Impacket for Python-based protocol interaction and credential extraction
  • PowerView for LDAP enumeration and ACL analysis
  • Mimikatz for credential extraction and ticket forgery
Module 02

How Authentication Actually Works

Kerberos End-to-End

  • The full ticket-granting flow - what each exchange does and what it proves
  • How pre-authentication works and what happens when it is disabled on an account
  • How service tickets carry authorization data and why that matters for forging them
  • Encryption types in use and what changes depending on which one is negotiated

NTLM Authentication

  • The challenge-response flow and where NTLM appears across SMB, LDAP, and HTTP
  • How the response is computed and why it can be captured and cracked offline
  • Pass-the-hash - reusing a credential without ever knowing the plaintext password

LDAP as a Protocol

  • How LDAP queries are structured and what authentication options are available
  • How to interact with LDAP directly without relying on high-level tooling
  • The extensions that expose additional AD data and how attackers use them
Module 03

The AD Protocol Landscape

LDAP and the Directory

  • What an attacker can read without authentication versus what requires a valid account
  • How the Global Catalog differs from a standard domain controller query
  • Signing and channel binding protections and when relay attacks still work despite them

Domain Controller Discovery

  • How clients find domain controllers and how to use the same mechanism for reconnaissance
  • What information DC discovery leaks about the environment with no credentials required

RPC Interfaces Attackers Use

  • The interfaces that expose user enumeration, SID resolution, and trust information
  • The replication interface that DCSync relies on and why it works from an ordinary workstation
  • How named pipes over SMB carry most of these operations under the hood

Supporting Protocols

  • SMB as the transport layer for most AD management traffic
  • AD-integrated DNS zones and how to enumerate them without zone transfer access
  • WinRM and WMI as remote execution channels and the authentication each one accepts
Module 04

Enumeration and Reconnaissance

A Structured Approach to Mapping a Domain

  • Starting with silent LDAP queries before touching anything that generates alerts
  • Progressing from broad domain-wide enumeration to targeted attack identification
  • Knowing which actions are noisy and which are effectively invisible to defenders

Finding Attack Targets

  • Querying for accounts vulnerable to Kerberoasting and AS-REP roasting
  • Identifying delegation configurations that can be abused for privilege escalation
  • Spotting misconfigured certificate templates before running any exploits

Attack Path Mapping with BloodHound

  • Collecting data without triggering most common detections
  • Reading the graph to find the shortest path from a low-privilege account to Domain Admin
  • Identifying cross-domain pivot opportunities and high-value session targets

Understanding Object Permissions

  • Reading access control lists on AD objects to surface misconfigured permissions
  • The specific rights that enable password resets, group manipulation, and DCSync
  • Turning raw ACL data into a concrete attack path

Where Credentials Live

  • What is cached in memory on a live system and the different ways to extract it
  • How to pull the full domain credential database from a domain controller
  • Credentials stored in Group Policy, LDAP attributes, and local secrets storage
Module 05

Core Attacks and Exploitation

Credential Attacks - Kerberoasting and AS-REP Roasting

  • How any domain account can request an encrypted service ticket and crack it offline
  • How accounts with a specific misconfiguration leak crackable data with no interaction required
  • Choosing the right targets and handling accounts configured for stronger encryption

DCSync - Pulling Domain Credentials Over the Network

  • How the domain replication protocol can be abused to retrieve any account's credential hash
  • Which permissions make an account capable of performing this attack
  • Running DCSync without ever touching a domain controller directly

Abusing Misconfigured Permissions

  • Turning write access on an AD object into account takeover or group membership changes
  • Granting yourself replication rights through a DACL misconfiguration
  • Chaining multiple permission edges into a path from nothing to Domain Admin

NTLM Relay

  • Forcing a target machine to authenticate to an attacker-controlled server
  • Relaying that authentication to SMB for lateral movement or to LDAP for account changes
  • Combining relay with certificate services to obtain persistent domain credentials

Delegation Abuse

  • How unconstrained delegation lets an attacker capture tickets from any authenticating user
  • When write access to a computer account is enough to impersonate any user in the domain
  • Requesting service tickets on behalf of privileged users to move laterally
Module 06

Persistence, Advanced Techniques, and OPSEC

Ticket Forgery

  • Golden tickets - forging domain authentication offline that survives most remediation attempts
  • Silver tickets - forging direct service access without touching the KDC at all
  • Converting a credential hash into a valid Kerberos ticket without the plaintext password

Certificate Services Abuse

  • Certificate templates that allow any enrollee to impersonate any user in the domain
  • Relaying authentication to the certificate authority to issue a domain controller certificate
  • Using a certificate to authenticate and recover account credential hashes

GPO Attacks and Cross-Domain Escalation

  • Turning write access to a Group Policy Object into code execution across linked machines
  • Escalating from a child domain to the forest root by abusing inter-domain trust
  • Understanding where domain trust boundaries hold and where they can be bypassed

Long-Term Persistence

  • AdminSDHolder - planting an access control entry that propagates to all protected accounts automatically
  • DCShadow - pushing changes into Active Directory through a rogue replication partner
  • SID history injection for hidden privilege that survives account audits

Staying Under the Radar

  • Which attacks generate the most noise and how to approach them more quietly
  • Structuring enumeration and attacks to stay below detection thresholds
  • Understanding what defenders see in modern AD monitoring tooling and factoring that into your approach