This course will equip students with Active Directory attack and defense skills from a Red Teamer's approach. It is organised into two broad categories, Attack and Defense, and lays a solid foundation on how default misconfigurations and common system administrator mistakes can lead to compromise of the AD environment. To understand "WHY" a certain attack worked, it is important to know the intricacies involved in performing it.

Hence, a test lab environment will be built so that you can replicate every attack and defense discussed in this course. This lets you configure the AD environment as you wish and examine it from both the offensive and the defensive side.

The course is structured in modules that follow the Red Team Operations attack lifecycle: you will work through each phase and perform the attacks both with industry-standard tools and manually. Once the attacks are covered, their defenses are discussed, since the goal of a Red Team engagement is also to show the Blue Team the weak points in the AD infrastructure so that they can be fixed effectively.


Who is this course for?

Security Professionals, those who want to start with AD Red Teaming, Penetration Testers, Red Teamers, Blue Teamers, System Administrators, etc.

Why take it NOW?

AD is adopted more than ever: medium and large enterprises alike deploy Microsoft Active Directory on their premises, since it handles large-scale deployments well. A compromise of the AD environment can cause huge losses, so understanding how an attacker achieves it is a need of the hour for Red Teamers and Blue Teamers alike.

Why this course?

Those who want to understand the nitty-gritty details along with building a strong foundation in attacking and defending AD infrastructure should pursue this course.

In large enterprise environments it is necessary to manage computers, networks, users, groups, etc. in a centralized manner. Active Directory caters to exactly that, but it comes with its own drawbacks if not configured securely. A pentest helps an organisation only within the scope of the application or asset in question; measuring the security posture of the overall AD infrastructure takes a specialized team, the Red Team. Red Teaming is of course not limited to Active Directory attacks and defense; it also covers Social Engineering, Internal Adversary Simulation, Cyber Threat Intelligence, etc. Here we discuss one part of it: attacking and defending Active Directory infrastructure using tactics, techniques and procedures from a Red Teamer's mindset.

  • Most courses host their labs in the cloud and give you access for a limited time. The problem arises when you do not know why a certain attack worked. If you configure the lab environment yourself, you can replicate the attack and investigate when it does not work.
  • Secondly, it helps in knowing "why" a certain attack worked or did not work in the first place.
  • Thirdly, it shows the common pitfalls to avoid when building a secure AD infrastructure. All of the above are covered because we build our own lab setup.

Course benefits:

What skills will you gain?

You will become a Red Teamer with a fair knowledge of AD attacks and defense, ready to take up new challenges, get hired to perform Internal Adversary Simulation of an AD environment, and provide effective remediations to mitigate these attacks.

What will you learn about?

  • How a Red Teamer's mindset works when given an AD-joined computer.
  • Why granting Local Administrator permissions, even on a host that is not domain-joined, is a bad idea.
  • How moving laterally within the AD allows an attacker to compromise it.
  • How misconfigurations by system administrators can lead to the compromise of assets within the AD infrastructure.
  • Analyzing why a certain attack worked.
  • Defenses and mitigations that remediate the pitfalls.

What tools will you Use?

ADRecon, Get-GPPPassword, BloodHound, PowerUp, Responder, Sherlock, Nishang, DomainPasswordSpray, Mimikatz, LaZagne, PsExec, DeathStar, Impacket, PowerView, Rubeus, PowerUpSQL, Kekeo, Covenant C2 Framework and many more


Course general information: 

DURATION: 24 hours

CPE POINTS: On completion you get a certificate granting you 24 CPE points. 

Course launch date: December 17th 2020

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned
  • Module 1 (workload) : 1.5 hours
  • Module 2 (workload) : 2.5 - 3.5 hours
  • Module 2 Practicals (Graded Assignments) : 15 - 30 minutes
  • Module 3 (workload) : 2 - 3 hours
  • Module 3 Practicals (Graded Assignments) : 15 - 30 minutes
  • Module 4 (workload) : 3 - 4 hours
  • Module 4 Practicals (Graded Assignments) : 15 - 30 minutes
  • Module 5 (workload) : 2.5 - 3 hours
  • Module 5 Practicals (Graded Assignments) : 15 - 30 minutes
  • Module 6 (workload) : 3 hours
  • Module 6 Practicals (Graded Assignments) : 15 - 30 minutes
  • Module 7 (workload) : 2.5 - 3 hours
  • Module 7 Practicals (Graded Assignments) : 15 - 30 minutes
  • Module 8 (workload) : 3-4 hours
  • Module 8 Practicals (Graded Assignments) : 30 - 45 minutes
  • Final Exam (quiz): 1.5 hours

What will you need?

  • The instructor will be using an AWS setup, and configuration will be presented in detail in the course. 
  • As per https://www.scaleway.com/en/pricing/​, 3 DEV1-M and 2 DEV1-L virtual instances (This is only a rough estimate and may increase/decrease depending on the resource consumption)
  • ​1 domain for Redirector server (from GoDaddy/Namecheap) to be used with Covenant C2 (costs approx. $8.88).
  • You can acquire any equivalent setup from any provider, or set up your own instances with equivalent parameters to the ones mentioned above (for example, AWS) 
  • You will also need an Active Directory account. 

What should you know before you join?

Basic networking concepts, familiarity with a programming language (Python, C#, PowerShell, C, C++, Java, PHP), and prior pentesting experience.


YOUR INSTRUCTOR: SUMIT VERMA

Currently, I am working as a Security Analyst. The work mostly involves, but is not limited to, performing Vulnerability Assessment and Penetration Testing (VAPT) and Red Teaming. I have found my passion in Capture The Flag (CTF) events and pwning vulnerable machines. Being intrigued by APT, VAPT, and Active Directory Attack and Defense, I always look forward to working in Red Team engagements.

I believe that one comprehends best by explaining a topic to both technical and non-technical individuals in an easily understandable form. I am a blend of both sides and act as a bridge to make them understand the risks and business impact involved in the reported security issues.



COURSE SYLLABUS


Module 1

Course Setup

In this module we will set up and configure the course lab. 

  • 4 Windows Victim Machines
  • 1 Attacker Machine
  • Active Directory Layout

Module 2

Reconnaissance/Domain Enumeration 

Enumerating the current domain comes first: you need to know which users, groups, computers and other objects exist in the domain before you can pick interesting targets. Without domain enumeration an attacker cannot map the target environment or decide where to begin.

  • Enumerating users, groups, computers, etc
  • Discovering SPNs [Any domain user can request a service ticket for an account that has an SPN; because the ticket is encrypted with that service account's key, it can be cracked offline to recover the account's plaintext password]
  • Discovering DONT_REQUIRE_PREAUTH accounts
  • Discovering DONT_EXPIRE_PASSWORD accounts [Discovering accounts whose password never expires]
  • Enumerating Group Policies
  • Discovering servers that support Unconstrained Delegation [A host trusted for unconstrained delegation receives a copy of the TGT of every user who authenticates to it and can impersonate that user to any other service, so attackers target these hosts as well]
  • Reading configuration in SYSVOL
  • BloodHound for mapping attack targets [Discovering ACL-based attack paths with BloodHound]
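The enumeration steps above can be reproduced with plain LDAP queries. The script below is an added example and is not part of the course material; it uses only the .NET DirectoryServices classes that exist on every Windows host, so no RSAT, ADRecon or PowerView is needed. It assumes it is run as an ordinary domain user on a domain-joined machine and takes the domain from the current logon context. The userAccountControl bit values are Microsoft's documented constants; the matching-rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND. The last query goes slightly beyond this module and also lists constrained delegation, which Module 5 picks up.

```powershell
# Added example, not part of the course material: enumerate the account
# properties Module 2 lists with plain LDAP queries from any domain-joined
# Windows host. Assumption: run as an ordinary domain user; the domain is
# taken from the current logon context.

# userAccountControl bit flags
$UAC_SERVER_TRUST_ACCOUNT   = 0x2000     # 8192: domain controller account
$UAC_DONT_EXPIRE_PASSWORD   = 0x10000    # 65536
$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # 524288: unconstrained delegation
$UAC_DONT_REQUIRE_PREAUTH   = 0x400000   # 4194304: AS-REP roastable

# LDAP_MATCHING_RULE_BIT_AND lets a filter test individual bits of an integer attribute
$BitAnd = '1.2.840.113556.1.4.803'

function Search-Ldap {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samAccountName')
    )
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000                       # page results so large domains are not truncated
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }

    foreach ($r in $searcher.FindAll()) {
        $obj = [ordered]@{}
        foreach ($p in $Properties) {
            $vals = @($r.Properties[$p] | ForEach-Object { $_ })
            # pwdLastSet is stored as a Windows FILETIME; show it as a date
            if ($p -eq 'pwdLastSet' -and $vals.Count -gt 0) { $vals = @([DateTime]::FromFileTimeUtc([int64]$vals[0])) }
            $obj[$p] = $vals -join '; '
        }
        [pscustomobject]$obj
    }
}

# Common prefix: user objects only (computers also have objectClass=user)
$user = '(&(objectCategory=person)(objectClass=user)'

'== Accounts with an SPN (Kerberoasting candidates) =='
Search-Ldap -Filter "${user}(servicePrincipalName=*)(!(samAccountName=krbtgt)))" `
            -Properties samAccountName, servicePrincipalName, pwdLastSet

'== Accounts that do not require Kerberos pre-authentication (AS-REP roasting) =='
Search-Ldap -Filter "${user}(userAccountControl:${BitAnd}:=${UAC_DONT_REQUIRE_PREAUTH}))"

'== Accounts whose password never expires =='
Search-Ldap -Filter "${user}(userAccountControl:${BitAnd}:=${UAC_DONT_EXPIRE_PASSWORD}))" `
            -Properties samAccountName, pwdLastSet

'== Users and computers trusted for unconstrained delegation (DCs excluded, they always have the bit) =='
Search-Ldap -Filter "(&(userAccountControl:${BitAnd}:=${UAC_TRUSTED_FOR_DELEGATION})(!(userAccountControl:${BitAnd}:=${UAC_SERVER_TRUST_ACCOUNT})))" `
            -Properties samAccountName, objectClass

'== Accounts configured for constrained delegation (used again in Module 5) =='
Search-Ldap -Filter '(msDS-AllowedToDelegateTo=*)' -Properties samAccountName, 'msDS-AllowedToDelegateTo'
```

The same queries, issued through LDAP rather than through a well-known tool, are also what a defender should expect to see in the LDAP logs of a domain controller when an attacker enumerates the domain; a sudden burst of `servicePrincipalName=*` or `userAccountControl:1.2.840.113556.1.4.803:=` filters from a workstation is worth an alert.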

Practical graded assignments:

15 - 30 minutes (time depends on the student; 3-5 questions will be provided)


Module 3

Local Privilege Escalation 

A low-privileged user can only enumerate what its access control lists allow, and some scripts and techniques need higher privileges to go further. Once a foothold is obtained as an unprivileged user, escalating to a higher privilege level (such as local Administrator) is therefore mandatory before further enumeration and attacks, so an attacker needs to know how to escalate privileges locally on the machine they have landed on.

  • Unquoted Service Paths
  • Services with Vulnerable Privileges - Insecure Registry Permissions, Insecure Service Permissions, Insecure File/Folder Permissions
  • AlwaysInstallElevated
  • DLL Hijacking
  • Playing with Windows Tokens
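The first item above, unquoted service paths, is a good illustration of why the check matters: when the path `C:\Program Files\My App\svc.exe` is registered without quotes, the service control manager tries `C:\Program.exe` and `C:\Program Files\My.exe` before the real binary. The script below is an added example, not course code or PowerUp's own implementation; it lists such services and tests, as the current (low-privileged) user, whether any of the directories that are searched first are writable. The `Test-DirectoryWritable` helper is an assumption of this example: it probes by creating and deleting a random file rather than parsing ACLs.

```powershell
# Added example, not part of the course material: find services with an
# unquoted image path containing spaces and report which hijack locations
# the current user can write to. Assumption: run as the low-privileged user
# whose escalation path you are assessing.

function Test-DirectoryWritable {
    # Probe writability the way an attacker would: try to create a file.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path -match '^\s*"') { continue }      # quoted paths are safe
        # Keep the executable part only; anything after .exe is arguments
        $m = [regex]::Match($path, '(?i)^(.*?\.exe)')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }                         # spaces only in the arguments: not exploitable
        $parts = $exe -split ' '
        # Every prefix that ends at a space is a file Windows will try first,
        # e.g. C:\Program Files\My App\svc.exe -> C:\Program.exe, C:\Program Files\My.exe
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $hijack = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir    = Split-Path -Parent $hijack
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName          # LocalSystem is the interesting case
                StartMode = $svc.StartMode
                ImagePath = $exe
                Hijack    = $hijack
                Writable  = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

# Only the writable locations are actionable; the full list is useful for a report.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A writable location alone is not yet an escalation: the service must run as a privileged account (typically `LocalSystem`) and the attacker must be able to restart it or wait for a reboot, which is why `RunsAs` and `StartMode` are reported alongside. The fix on the defensive side is simply to quote the `ImagePath` value in the service's registry key, which Module 8 returns to.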

Practical graded assignments:

15 - 30 minutes (time depends on the student; 3-5 questions will be provided)


Module 4

Lateral Movement 

After gaining a higher-privileged account it is time to move to other assets within the domain. This widens the attack surface and exposes more sensitive information to exploit further. Moving laterally lets an attacker discover which privileged users have access to which assets; the goal is to gather more information about each target machine and use it to move towards the Domain Controller.

  • Moving laterally with Backup Operators [From an attacker's perspective, Backup Operators have rights that allow moving laterally to the Domain Controller and compromising the entire AD.]
  • Moving laterally with Server Operators [Server Operators can perform a number of administrative tasks on servers within the domain, including creating and deleting shared resources, so membership can do significant damage to a DC. Users should be added to this group with caution.]
  • Moving laterally with Account Operators [Members of the Account Operators group can create and modify most types of accounts, including users, local groups and global groups, and can log on locally to domain controllers. Account Operators have GenericAll on all Exchange groups, which means they can add themselves to Exchange Windows Permissions and from there grant the privileges required to perform a DCSync attack.]
  • Pass-the-Hash attack [The attacker does not need the plaintext password of the user account: the hash itself can be used to authenticate, bypassing the normal credential entry.]
  • Pass-the-Ticket attack [Impersonating users in an AD domain by extracting a Kerberos Ticket Granting Ticket from LSASS memory on one system and using it on another system to request service tickets (TGS) for other resources on the network]
  • Over-pass-the-hash [A combination of pass-the-hash and pass-the-ticket: the attacker uses the NTLM hash of another user account to obtain a Kerberos ticket, which is then used to access network resources.]
  • Internal Monologue attack [Retrieving NTLM hashes without touching LSASS: in environments where Mimikatz should not be executed, an adversary can perform an Internal Monologue attack instead.]

Practical graded assignments:

15 - 30 minutes (time depends on the student; 3-5 questions will be provided)


Module 5

Domain Privilege Escalation 

Finding domain accounts that can be delegated to Domain Admins or equivalent, finding principals with GenericAll / GenericWrite over sensitive objects, and escalating until the Domain Controller, and with it the domain, is compromised. Domain Admin is the highest level of privilege an attacker can reach within a domain, and reaching it is the goal of every Red Teamer.

  • Unconstrained Delegation [A host trusted for unconstrained delegation keeps the TGT of every user who authenticates to it. With a captured TGT the attacker can request further Kerberos tickets to authenticate to other resources; if the TGT belongs to a privileged account, this can be used to reach a DC, modify the Enterprise Admins group or obtain the hash of the krbtgt account.]
  • Constrained Delegation [Including Resource-Based Constrained Delegation, which can be exploited to gain code execution on a computer.]
  • PyKEK (Python Kerberos Exploitation Kit) [Exploiting the MS14-068 vulnerability on an unpatched domain controller to obtain a Kerberos ticket for an existing domain user that carries the privileges of other, more privileged, domain groups.]

Practical graded assignments:

15 - 30 minutes (time depends on the student; 3-5 questions will be provided)


Module 6

Establish Persistence

Maintaining persistence matters to an attacker because, if the initial access is detected, a fallback route must already be in place before moving on to other assets in the network. This module covers methods that yield tickets which can be cracked offline, used as a service account, or used to escalate further and compromise the AD.

  • Kerberoasting [Any domain user can request service tickets (TGS) for service accounts; the tickets are encrypted with the NTLM hash of the service account's plaintext password, so they can be cracked offline without triggering AD account lockouts]
  • Golden Ticket [Assumes a Domain Controller compromise: the KRBTGT account hash is extracted, which is the requirement for forging a Golden Ticket]
  • Silver Ticket [Forging a service ticket (TGS) with a cracked service account hash in order to impersonate another user and escalate privileges from the perspective of the service the hash belongs to]
  • DCSync Attack [DCSync impersonates a Domain Controller and asks the targeted Domain Controller to replicate account password data. It requires directory replication rights, which Domain Admins (or equivalent) hold by default.]
  • LOLBAS Project

Practical graded assignments: 

15 - 30 minutes (time depends on the student; 3-5 questions will be provided)


Module 7

Establishing C2 Channel

Sometimes all TCP/UDP traffic is blocked and only DNS (port 53) or ICMP is allowed out of the network. Data exfiltration then becomes harder, so a covert channel is needed. Covert channel techniques also help to stay stealthy and avoid the detections that would alert the SOC team.

  • Data Exfiltration
  • ICMP Tunneling
  • DNS Tunneling
  • Introducing Covenant C2 Framework and using it with a Redirector
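To make the DNS tunneling item concrete, the script below is an added example (not course material and not a tool the course uses) showing both sides of the technique and the detection a SOC can run against it: data is hex-encoded and spread over DNS labels under an attacker-controlled domain, the receiver reassembles it, and a detector scores query names from a DNS log by subdomain length and Shannon entropy. The exfiltration domain `exfil.example`, the log format `<time> <client> <qname> <qtype>` and the log lines are all constructed for this example; nothing is sent on the network.

```powershell
# Added example, not part of the course material: how a DNS tunnel packs data
# into query names, and a detector run over a constructed DNS log.
# Assumptions: exfil.example and the log format "<time> <client> <qname> <qtype>"
# are invented for this example. Runs offline.

function ConvertTo-DnsTunnelQuery {
    # Hex-encode the data and spread it over labels of at most 63 characters.
    # Each query starts with a sequence label so the receiver can reorder it and
    # so that no two queries are identical (identical names would be answered from cache).
    param([byte[]]$Data, [string]$Domain, [int]$LabelLength = 60, [int]$LabelsPerQuery = 3)
    $hex = ([System.BitConverter]::ToString($Data) -replace '-', '').ToLower()
    $perQuery = $LabelLength * $LabelsPerQuery
    $seq = 0
    for ($pos = 0; $pos -lt $hex.Length; $pos += $perQuery) {
        $chunk  = $hex.Substring($pos, [Math]::Min($perQuery, $hex.Length - $pos))
        $labels = for ($i = 0; $i -lt $chunk.Length; $i += $LabelLength) {
            $chunk.Substring($i, [Math]::Min($LabelLength, $chunk.Length - $i))
        }
        '{0}.{1}.{2}' -f $seq, ($labels -join '.'), $Domain
        $seq++
    }
}

function ConvertFrom-DnsTunnelQuery {
    # Receiver side: strip the domain, drop the sequence label, reassemble, decode.
    param([string[]]$Queries, [string]$Domain)
    $hex = ($Queries | Sort-Object { [int](($_ -split '\.')[0]) } | ForEach-Object {
        $labels = $_.Substring(0, $_.Length - $Domain.Length - 1) -split '\.'
        $labels[1..($labels.Count - 1)] -join ''
    }) -join ''
    $bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }
    [byte[]]$bytes
}

function Get-ShannonEntropy {
    param([string]$Text)
    $h = 0.0
    foreach ($g in ($Text.ToCharArray() | Group-Object -CaseSensitive)) {
        $p = $g.Count / $Text.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    $h
}

function Find-DnsTunnelQuery {
    # Flag names whose part left of the registered domain is both long and high-entropy:
    # hex payloads score close to 4 bits/char, ordinary hostnames well below 3.5.
    param([string[]]$LogLines, [double]$EntropyThreshold = 3.5, [int]$MinSubdomainLength = 40)
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }
        $labels = $fields[2] -split '\.'
        if ($labels.Count -lt 3) { continue }                    # bare registered domain, nothing to inspect
        $sub = $labels[0..($labels.Count - 3)] -join ''          # everything left of the last two labels
        $entropy = Get-ShannonEntropy -Text $sub
        [pscustomobject]@{
            Client     = $fields[1]
            QName      = $fields[2]
            SubLength  = $sub.Length
            Entropy    = [Math]::Round($entropy, 2)
            Suspicious = ($sub.Length -ge $MinSubdomainLength -and $entropy -ge $EntropyThreshold)
        }
    }
}

# --- constructed demo data ---
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: contents of a file the attacker wants out of the network, repeated for length. ' * 2)
$tunnel = ConvertTo-DnsTunnelQuery -Data $secret -Domain 'exfil.example'
$log = @(
    '10:00:01 10.0.0.5 www.microsoft.com A',
    '10:00:02 10.0.0.5 dc01.corp.local A',
    '10:00:02 10.0.0.9 ctldl.windowsupdate.com A'
) + ($tunnel | ForEach-Object { "10:00:03 10.0.0.7 $_ TXT" })

Find-DnsTunnelQuery -LogLines $log | Format-Table -AutoSize

# Round trip: the receiver recovers the original bytes from the query names alone
$recovered = [System.Text.Encoding]::UTF8.GetString((ConvertFrom-DnsTunnelQuery -Queries $tunnel -Domain 'exfil.example'))
"Round trip OK: $($recovered -eq [System.Text.Encoding]::UTF8.GetString($secret))"
```

Real tunneling tools use base32 or base64 rather than hex and carry the data in TXT or NULL answers for the downstream direction, but the shape is the same: many unique, long, high-entropy names under one domain from one client. Those three features, plus the query volume per client and per domain, are what the detection should key on rather than any particular tool's signature.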

Practical graded assignments - 15 - 30 minutes (time depends on the student; 1-2 questions will be provided)


Module 8

Mitigations/Defense Against the Attacks Performed 

The attacks discussed above can be prevented. This module covers their mitigations.
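One mitigation check worth having for the DCSync attack listed in Module 6, and for the persistence it enables, is an audit of who actually holds replication rights on the domain. The script below is an added example and is not course material: it reads the ACL of the domain naming context with the .NET DirectoryServices classes (no RSAT needed) and reports every principal that holds DS-Replication-Get-Changes, DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set, a blanket ExtendedRight grant, or WriteDacl/WriteOwner (from which those rights can be self-granted). The three control-access right GUIDs are the documented schema values. It assumes it is run as a domain user on a domain-joined host, which by default is allowed to read the ACL.

```powershell
# Added example, not part of the course material: audit who holds the
# replication rights DCSync relies on, on the domain naming context.
# Assumption: run as any domain user on a domain-joined host (reading the
# domain ACL is allowed by default); no RSAT required.

# Control-access right GUIDs from the AD schema (Extended-Rights container)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcf2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcf2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncPrincipal {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $rules  = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $byIdentity = @{}
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights = $rule.ActiveDirectoryRights
        $guid   = $rule.ObjectType.ToString().ToLower()
        $why    = $null

        if ($ReplicationRights.ContainsKey($guid)) {
            $why = $ReplicationRights[$guid]                        # explicit replication right
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                  $rule.ObjectType -eq [guid]::Empty) {
            $why = 'All extended rights'                            # empty GUID = every control-access right
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                  $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) {
            $why = 'WriteDacl/WriteOwner (can grant itself the rights)'   # GenericAll includes both
        }
        if (-not $why) { continue }

        $id = $rule.IdentityReference.Value
        if (-not $byIdentity.ContainsKey($id)) { $byIdentity[$id] = New-Object System.Collections.Generic.List[string] }
        if (-not $byIdentity[$id].Contains($why)) { $byIdentity[$id].Add($why) }
    }

    foreach ($id in ($byIdentity.Keys | Sort-Object)) {
        [pscustomobject]@{ Principal = $id; Reason = ($byIdentity[$id] -join '; ') }
    }
}

# On a freshly built domain the list is short: BUILTIN\Administrators, Domain Admins,
# Enterprise Admins, SYSTEM, Domain Controllers, Enterprise Domain Controllers and
# Enterprise Read-only Domain Controllers (filtered set only). Any other entry must be
# explained: either a legitimate directory sync account or a DCSync persistence backdoor.
Get-DcSyncPrincipal | Format-Table -AutoSize -Wrap
```

Run this from a scheduled job and diff the output against a known-good baseline; an attacker who has added replication rights for an ordinary user as a persistence mechanism shows up as a new line, and removing the ACE is the remediation. The same audit is the answer to the Account Operators path described in Module 4, since it surfaces whichever group the attacker used to reach the domain ACL.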

Practical graded assignments: 30 - 45 minutes (time depends on the student; 7-10 questions will be provided)


Final exam

Quiz: 1.5 hours


QUESTIONS? 

If you have any questions, please contact our eLearning Manager Marta at [email protected].


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013