Active Directory for Red Teamers
Course Synopsis
A focused one-day intensive that takes you from AD fundamentals to full domain compromise.
Six modules cover how Active Directory is built, how its authentication protocols actually work,
how to map a target environment systematically, and how to execute the attacks that matter -
from credential theft to persistence.
The course is hands-on throughout. Every concept is demonstrated with working tooling
in a lab environment that mirrors a realistic corporate deployment.
Coming Soon →
Module 01
Active Directory Architecture
How the Domain Hierarchy Works
- Forests, domains, and trees - what each boundary means for attackers
- How domain controllers relate to each other and why that matters for lateral movement
- The roles that make a domain function and what happens when you target them
How Objects are Organized
- How users, computers, and groups are represented and queried over LDAP
- The identifiers AD uses to track objects - and which ones are useful to attackers
- Extended attributes that expose delegation settings, certificate enrollment, and more
Identity, Privilege, and Groups
- How Windows builds an access token and what determines what you can do with it
- Which built-in groups are high-value targets and which are commonly overlooked
- How group nesting creates hidden privilege escalation paths
- Group Policy - how it is structured and how write access to a GPO becomes code execution
Red Team Toolkit Overview
- BloodHound for visualizing attack paths across the entire domain
- Rubeus for Kerberos ticket operations
- Impacket for Python-based protocol interaction and credential extraction
- PowerView for LDAP enumeration and ACL analysis
- Mimikatz for credential extraction and ticket forgery
Module 02
How Authentication Actually Works
Kerberos End-to-End
- The full ticket-granting flow - what each exchange does and what it proves
- How pre-authentication works and what happens when it is disabled on an account
- How service tickets carry authorization data and why that matters for forging them
- Encryption types in use and what changes depending on which one is negotiated
NTLM Authentication
- The challenge-response flow and where NTLM appears across SMB, LDAP, and HTTP
- How the response is computed and why it can be captured and cracked offline
- Pass-the-hash - reusing a credential without ever knowing the plaintext password
LDAP as a Protocol
- How LDAP queries are structured and what authentication options are available
- How to interact with LDAP directly without relying on high-level tooling
- The extensions that expose additional AD data and how attackers use them
Module 03
The AD Protocol Landscape
LDAP and the Directory
- What an attacker can read without authentication versus what requires a valid account
- How the Global Catalog differs from a standard domain controller query
- Signing and channel binding protections and when relay attacks still work despite them
Domain Controller Discovery
- How clients find domain controllers and how to use the same mechanism for reconnaissance
- What information DC discovery leaks about the environment with no credentials required
RPC Interfaces Attackers Use
- The interfaces that expose user enumeration, SID resolution, and trust information
- The replication interface that DCSync relies on and why it works from an ordinary workstation
- How named pipes over SMB carry most of these operations under the hood
Supporting Protocols
- SMB as the transport layer for most AD management traffic
- AD-integrated DNS zones and how to enumerate them without zone transfer access
- WinRM and WMI as remote execution channels and the authentication each one accepts
Module 04
Enumeration and Reconnaissance
A Structured Approach to Mapping a Domain
- Starting with silent LDAP queries before touching anything that generates alerts
- Progressing from broad domain-wide enumeration to targeted attack identification
- Knowing which actions are noisy and which are effectively invisible to defenders
Finding Attack Targets
- Querying for accounts vulnerable to Kerberoasting and AS-REP roasting
- Identifying delegation configurations that can be abused for privilege escalation
- Spotting misconfigured certificate templates before running any exploits
Attack Path Mapping with BloodHound
- Collecting data without triggering most common detections
- Reading the graph to find the shortest path from a low-privilege account to Domain Admin
- Identifying cross-domain pivot opportunities and high-value session targets
Understanding Object Permissions
- Reading access control lists on AD objects to surface misconfigured permissions
- The specific rights that enable password resets, group manipulation, and DCSync
- Turning raw ACL data into a concrete attack path
Where Credentials Live
- What is cached in memory on a live system and the different ways to extract it
- How to pull the full domain credential database from a domain controller
- Credentials stored in Group Policy, LDAP attributes, and local secrets storage
Module 05
Core Attacks and Exploitation
Credential Attacks - Kerberoasting and AS-REP Roasting
- How any domain account can request an encrypted service ticket and crack it offline
- How accounts with a specific misconfiguration leak crackable data with no interaction required
- Choosing the right targets and handling accounts configured for stronger encryption
DCSync - Pulling Domain Credentials Over the Network
- How the domain replication protocol can be abused to retrieve any account's credential hash
- Which permissions make an account capable of performing this attack
- Running DCSync without ever touching a domain controller directly
Abusing Misconfigured Permissions
- Turning write access on an AD object into account takeover or group membership changes
- Granting yourself replication rights through a DACL misconfiguration
- Chaining multiple permission edges into a path from nothing to Domain Admin
NTLM Relay
- Forcing a target machine to authenticate to an attacker-controlled server
- Relaying that authentication to SMB for lateral movement or to LDAP for account changes
- Combining relay with certificate services to obtain persistent domain credentials
Delegation Abuse
- How unconstrained delegation lets an attacker capture tickets from any authenticating user
- When write access to a computer account is enough to impersonate any user in the domain
- Requesting service tickets on behalf of privileged users to move laterally
Module 06
Persistence, Advanced Techniques, and OPSEC
Ticket Forgery
- Golden tickets - forging domain authentication offline that survives most remediation attempts
- Silver tickets - forging direct service access without touching the KDC at all
- Converting a credential hash into a valid Kerberos ticket without the plaintext password
Certificate Services Abuse
- Certificate templates that allow any enrollee to impersonate any user in the domain
- Relaying authentication to the certificate authority to issue a domain controller certificate
- Using a certificate to authenticate and recover account credential hashes
GPO Attacks and Cross-Domain Escalation
- Turning write access to a Group Policy Object into code execution across linked machines
- Escalating from a child domain to the forest root by abusing inter-domain trust
- Understanding where domain trust boundaries hold and where they can be bypassed
Long-Term Persistence
- AdminSDHolder - planting an access control entry that propagates to all protected accounts automatically
- DCShadow - pushing changes into Active Directory through a rogue replication partner
- SID history injection for hidden privilege that survives account audits
Staying Under the Radar
- Which attacks generate the most noise and how to approach them more quietly
- Structuring enumeration and attacks to stay below detection thresholds
- Understanding what defenders see in modern AD monitoring tooling and factoring that into your approach