Attacking and Defending Active Directory: Beginner's Edition [June 2022]

Build expertise in attacking and defending real-world enterprise Active Directory environments.
Write your awesome label here.
Starts: 05 June 2022  Duration: 4 weeks
Recordings of live sessions included!

Enrollment ends in:

What You'll Learn

This is a 4-week beginner-friendly bootcamp, designed to teach security professionals how to identify and analyze threats in a modern Active Directory environment. The bootcamp will cover topics like Active Directory (AD) enumeration, trust mapping, domain privilege escalation, Kerberos based attacks, SQL server trusts, defenses and bypasses of defenses.

The bootcamp will teach you how to attack and defend Enterprise Active Directory environments and will give you an opportunity to become a Certified Red Team Professional.
  • 4 live sessions

  • 3 hrs per session

  • 4 weeks access

  • 40 flags to be collected

  • 22 lab exercises

  • 1 CRTP attempt

  • Recordings of Live Sessions

Build Your Cybersecurity Credentials

  • Become a Certified Red Team Professional (CRTP)

The CRTP is a major achievement for anyone who wants to show they have serious skills in attacking and defending real-world enterprise Active Directory environments. This certification on your CV prepares you for Red Team, Blue Team and pentesting roles in enterprises across the globe – more than 90% of Fortune 1000 companies use Active Directory.
  • Bootcamp Completion Certificate

Attendees will also get a course completion certificate after completing Learning Objectives covered during the course.

Live Session Schedule

Weekly 3 hr sessions start at 11:00am ET and end at 2:00pm ET.
05 June 2022
12 June 2022
19 June 2022
26 June 2022
Introduction to Active Directory, Enumeration and Local Privilege Escalation
Lateral Movement, Domain Privilege Escalation and Persistence
Domain Persistence, Dominance and Escalation to Enterprise Admins
Defenses, Monitoring and Bypassing Defenses


1. A basic understanding of Active Directory
2. The ability to use command line tools on Windows

Course reviews

The bootcamp was awesome! I learned all sorts of Red Teaming techniques, tactics and procedures that I have already applied and can't wait to apply in future engagements. The bootcamp was the best training for the dollar that I have received, and I anxiously look forward to attending additional offerings and highly recommend the course.
Kenneth Nevers
Penetration tester and business owner, USA
Attacking and Defending Active Directory: Beginner's Edition Batch 1

Bootcamp Syllabus

Write your awesome label here.
The course is split in four modules across four weeks:

Module I: Active Directory Enumeration and Local Privilege Escalation

  • Enumerate useful information like users, groups, group memberships, computers, user
    properties, trusts, ACLs etc. to map attack paths
  • Learn and practice different local privilege escalation techniques on a Windows machine
  • Hunt for local admin privileges on machines in the target domain using multiple methods
  • Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines

Module II: Lateral Movement, Domain Privilege Escalation and Persistence

  • Learn to find credentials and sessions of high privileges domain accounts like Domain Administrators, extracting their credentials and then using credential replay attacks to escalate privileges, all of this with just using built-in protocols for pivoting
  • Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level
  • Understand the classic Kerberoast and its variants to escalate privileges
  • Understand and exploit delegation issues
  • Learn how to abuse privileges of Protected Groups to escalate privileges
  • Abuse Kerberos functionality to persist with DA privileges. Forge tickets to execute attacks like Golden ticket and Silver ticket to persist
  • Subvert the authentication on the domain level with Skeleton key and custom SSP
  • Abuse the DC safe mode Administrator for persistence
  • Abuse the protection mechanism like AdminSDHolder for persistence

Module III: Domain Persistence, Dominance and Escalation to Enterprise Admins

  • Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain
  • Learn to modify the host security descriptors of the domain controller to persist and
    execute commands without needing DA privileges
  • Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admins on the forest root by abusing Trust keys and krbtgt account
  • Execute intra-forest trust attacks to access resources across forest
  • Abuse database links to achieve code execution across forest by just using the databases

Module IV: Monitoring, Architecture Changes, Bypassing Advanced Threat Analytics and Deception

  • Learn about useful events logged when the discussed attacks are executed
  • Learn briefly about architecture changes required in an organization to avoid the discussed attacks. We discuss Temporal group membership, ACL Auditing, LAPS, SID Filtering, Selective Authentication, credential guard, device guard (WDAC), Protected Users Group, PAW, Tiered Administration and ESAE or Red Forest
  • Learn how Microsoft's Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools
  • Understand how Deception can be effective deployed as a defense mechanism in AD
Meet the instructor

Nikhil Mittal

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, active directory security, attack research, defense strategies and post exploitation research. He has 12+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Active Directory, Azure AD attacks, defense and bypassing detection mechanisms and Offensive PowerShell for red teaming. He is creator of multiple tools like Nishang, a post exploitation framework in PowerShell, Deploy-Deception a framework for deploying Active Directory deception and RACE toolkit for attacking Windows ACLs. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and bootcamps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like DEFCON, BlackHat, BruCON and more.

He blogs at
Nikhil Mittal - Principal Instructor

Can't attend this bootcamp? Get informed about future bootcamps!

Thank you!
Thank you!