deep knowledge technical trainings

APRIL 17 - 25 @ MOVENPICK AMSTERDAM

Abusing Active Directory (On-Prem & Azure)

Discover how APTs abuse Active Directory both on-prem and in the cloud. In this two-day training you will take a deep dive into modern-day misconfigurations and attacks with labs built on fully patched Windows Server 2019, Windows 10 Enterprise and Azure Active Directory.

2,299.00

Duration

2-day

Delivery Method

In-Person

Level

intermediate

Seats Available

20

REGISTRATION CLOSED

DATE: 17-18 April 2023

TIME: 09:00 to 17:00 CEST/GMT+2

Date Day Time Duration
17 Apr Monday 09:00 to 17:00 CEST/GMT+2 8 Hours
18 Apr Tuesday 09:00 to 17:00 CEST/GMT+2 8 Hours

NO port scanning
NO vulnerability scanning
NO Metasploit

Discover how APTs abuse Active Directory both on-prem and in the cloud. System engineers, defenders, penetration testers and aspiring blue teamers are introduced to Active Directory hacking based on real-life scenarios and misconfigurations.

In this two-day training you will take a deep dive into modern-day misconfigurations and attacks with labs built on fully patched Windows Server 2019, Windows 10 Enterprise and Azure Active Directory.

The course is designed to be beginner friendly but does require some basic knowledge of security concepts. You will quickly get your hands dirty with enumerating Active Directory users, groups, OUs, ACLs, ACEs etc.

Shortly after spotting the issues, you will start exploiting them to slowly move through the network and escalate privileges until becoming a domain admin. Along the way, you will gain a deep understanding of concepts such as lateral movement, different authentication protocols and tools used by red teamers and APTs.

The second day of the course takes the perspective of pivoting from the on-premises AD to compromising Azure AD, and the other way around. You will understand the difference between on-premises and cloud Active Directory, the different attack vectors and how compromising one can lead to compromising the other.

You will get a solid understanding of hybrid environments, modern authentication protocols, and different ways to get, escalate and maintain access.

 

The course will finish with a short CTF that helps test your understanding and solidify the concepts you’ve learned during the two days.
  • Enumeration deep dive into user accounts, groups, OUs, GPOs
  • Understanding and enumerating ACLs
  • Lateral movement
  • Different password attacks
  • Understanding authentication protocols and different attacks (NTLM relay, PTH, Over-PTH, etc.)
  • Kerberos deep dive and multiple attacks (AS-REP roasting, kerberoasting, silver ticket, golden ticket)
  • Pivoting between Azure AD and on-prem AD
  • Stealing tokens
  • Abusing playbooks
  • Looting secrets
  • Abusing VMs
  • Abusing container registries
  • And a lot more!

 

Key Learning Objectives
  • Practical hands-on training that allows for exploiting real-world on-premises and Azure misconfigurations.
  • Pentesters, red teamers and sys admins will get a solid understanding of the root cause of the abusable misconfigurations.
  • Deep understanding of modern protocols, techniques and toolsets relevant to on-prem and Azure AD.

 

Students will be provided with

Course material

  • Cloud labs will be available for each student for 270 hours of usage (within 90 days from the start of the training)
  • The instructors will share their own lab guide so students can replicate the setup in their private labs
  • Scripts to automate on-prem lab creation

 

Watch this video to get a feel for Tarek’s online training where he explains AS-REP Roasting – a topic that is covered in more detail in the training.

Topics Covered

 

Active Directory introduction

– Components
– Trees and forests
– Enumeration

 

User Account deep dive

– Security principals
– Security contexts
– SID/RIDs
– UPN
– User enumeration

 

Groups and OUs

– Types and scope
– Difference between groups and OUs
– Attributes
– Enumerating groups and OUs

 

Computer Objects

– Understanding and enumerating computer objects

 

Access Control

– ACEs
– ACLs
– DACLs/SACLs
– Understanding bad permissions
– Enumerating permissions
– Abusing permissions

 

Password Attacks

– Password profiling
– Understanding password policies
– Enumerating password policies
– Password spraying

 

Lateral Movement

– PSExec, WMI, PS

 

Hash and Authentication Protocols

– Different types of hashes
– MS-NLMP
– Capture NTLMv2 hashes

 

Dumping Hashes

– Understanding LSASS
– Understanding Mimikatz modules and output
– Pass the hash

 

Kerberos

– Kerberos deep dive
– AS-REP Roasting
– Kerberoasting
– Silver Ticket
– Golden Ticket

Who Should Attend

  • System engineers
  • Azure engineers
  • SOC analysts
  • Penetration testers
  • Aspiring red teamers

Prerequisite Knowledge

Although this is a beginner-friendly course, it does require some basic prerequisites. Attendees should be familiar with concepts such as:
  • Basics of OS and command line
  • Hashing
  • Encryption
  • Password cracking
  • Etc.

Hardware / Software Requirements

All labs are cloud-based. Students should bring a laptop that allows them to access cloud-based VMs. The VMs will be accessible using remote desktop on high TCP port numbers. Ensure that your firewall policies will allow this.

TRAINER

Founder

Offensivebits and Malcrove LLC

Khalifa (@kha1ifuzz) started his Penetration Testing career in 2014. He is a founder of Offensivebits and Malcrove, companies specializing in Managed Cyber Defense and Offensive Security services. He led more than 60 projects in Penetration Testing and Red Teaming. He has worked as Strategic Technical Advisor to many organizations in the UAE and worked on multiple projects such as developing Penetration Testing tools and discovering vulnerabilities.

 

Khalifa has also participated as an assistant trainer at the BlackHat course “Attacking and Securing APIs” and is regularly invited to deliver talks and workshops.

 

What students say about this training:

Abusing Active Directory (On-Prem & Azure) Course

“Lab setup with prepared toolset was a time saver and it allowed for focus on theory discussion. Unlike other sessions where 50% of course was storytelling, the session presented by Mr Naja and Mr AlShamsi was 95% technical content and all valuable and current”

“Fantastic, informative course! Even knowing a bit about AD compromise before, I received a new perspective to strengthen my skillset.”

“Well presented. Fun. Good explanation of Kerberos. Very good at explaining complex topics.”

“You explain the things really well and in simple English. I know what DACL, SACL were. But I know how frustrating they were when I learned about them last year. You explained it really well that a beginner can understand.”

 

Abusing & Securing Azure Services

“The course was super fun and useful. I learned a lot, had a ton of fun, and became a better pen tester as a result. Teachers were great, classmates were great, and labs were awesome”

“It was really a great class. You explained it really well unlike other courses in which the instructors just put so many things at the same time. + it was really fun in your class. Awesome work.”

“As usual, Tarek is the man. This course is very well thought out and he explains every topic thoroughly. Very well put together, great pace, highly interesting – plus you get labs to see exploits done in real time. Highly recommended!”

Technical Advisor

GISEC

Tarek (@DeanOfCyber) holds an MSc. in Information Security, is the technical advisor for GISEC, the largest security conference in the Middle East, and is a previous OWASP Dubai Chapter Leader. He started his career as a security consultant for a boutique company in the UK where he delivered penetration tests for companies like BBC, Sky, Heinz, Ericsson and BT, to name a few. Following that he relocated to Dubai as a senior penetration tester for Verizon. He then transitioned into leading security operations at the largest media organization in the Middle East where he led high-end and complex projects. Currently, he is a subject matter expert working with a leading security vendor. As part of Hackers Academy, Tarek has delivered trainings to thousands of students both online and offline.

He currently contributes to the community through the monthly HAVOC event at havoc.hackersacademy.com in addition to regularly mentoring and tutoring university students and preparing them for the job market.

 
