SecurityBSides Trainings
Course Description
Enterprises are managed using Active Directory (AD), and it often forms the backbone of the
complete enterprise network. Therefore, to secure an enterprise from an adversary, it is
essential to secure its AD environment. To secure AD, you must understand the different techniques
and attacks adversaries use against it. Often burdened with maintaining backward
compatibility and interoperability with a variety of products, AD environments lack the ability to
tackle the latest threats.
This training is aimed at attacking modern AD environments using built-in tools, trusted OS
resources and abuse of features. The training is based on real-world penetration tests and Red
Team engagements in highly secured environments. Some of the techniques used in the course
(see the course content for details):
- Extensive AD Enumeration
- Active Directory trust mapping and abuse
- Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more)
- Advanced Kerberos Attacks and Defense (Diamond, Golden, Silver ticket, Kerberoast and more)
- Advanced cross forest trust abuse (Over-PTH, Token Replay, Certificate Replay etc.)
- Credentials Replay Attacks
- Attacking Azure AD integration (Hybrid Identity)
- Abusing trusts for MS products (AD CS, SQL Server etc.)
- Persistence (WMI, GPO, Domain and Host ACLs and more)
- Monitoring Active Directory
- Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, Microsoft Defender for Identity etc.)
- Bypassing defenses
Prerequisites
- Understanding of networks and network technologies
- Experience and skills in infrastructure administration
- Knowledge of attack paths in Active Directory
Instructor - Chirag Savla (Altered Security)
Chirag Savla is an information security professional whose areas of interest include penetration testing,
red teaming, Azure, Active Directory security, and post-exploitation research. He has over 7 years of
experience in information security. Chirag likes to research new attack methodologies and create open-source
tools that can be used during red team assessments. He has worked extensively on Azure,
Active Directory attacks, defense, and bypassing detection mechanisms. He is the author of multiple
open-source tools such as Process Injection, Callidus, etc. He has spoken at multiple conferences and
local meetups.
He works as a Senior Security Researcher at Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
Key Learning Objective
Agenda
Room: TBD
Day 1: AD Essentials, Tradecraft and escalating privileges
- Introduction to Active Directory and Kerberos
- Introduction to Attack methodology and tradecraft
- Offensive C# and PowerShell
- Domain Enumeration (Attacks and Defense)
- Trust and Privileges Mapping
Room: TBD
Day 2: Local and Domain privilege escalation
- Local Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more)
- Credential Replay Attacks (Over-PTH, Token Replay, Certificate Replay etc.)
- Domain Privilege Escalation (User Hunting, Delegation issues and more)
Room: TBD
Day 3: Persistence and Lateral movement across trusts
- Dumping System and Domain Secrets
- Advanced Kerberos Attacks and Defense (Diamond, Golden, Silver ticket, Kerberoast and more)
- Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more)
- Persistence (WMI, GPO, Domain and Host ACLs and more)
Room: TBD
Day 4: Lateral movement across trusts, Defense bypasses
- Attacking Azure integration and components
- Abusing trusts for MS products (ADCS, SQL Server etc.)
- Monitoring AD
- Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, Microsoft Defender for Identity etc.)
- Bypassing Defenses