$4,299.00
| Date | Day | Time | Duration |
|---|---|---|---|
| 16 Oct | Monday | 09:00–17:00 SGT (GMT+8) | 8 Hours |
| 17 Oct | Tuesday | 09:00–17:00 SGT (GMT+8) | 8 Hours |
| 18 Oct | Wednesday | 09:00–17:00 SGT (GMT+8) | 8 Hours |
| 19 Oct | Thursday | 09:00–17:00 SGT (GMT+8) | 8 Hours |
To address these issues, our course covers not only On-Premises, Hybrid, and Azure AD but also the latest attack techniques. We focus on core concepts so that students not only use attack tools but also understand their theoretical background and can adapt effectively to changes across environments.
Moreover, because blue-team detection capabilities are increasingly sophisticated, the course also delves deeply into how the blue team implements detection. We introduce the concept and application of Operations Security (OPSEC) so that an operator can avoid detection by the blue team and carry the attack operation through to completion.
Whether in On-Premises, Hybrid, or Azure environments, Microsoft Active Directory (AD) is widely used by enterprises as the backbone of identity and access management. Adversaries recognize AD as the path to a company's crown jewels: although its functionality is critical to enterprise operations, attackers can abuse the very mechanisms AD services provide to compromise an enterprise network and achieve their objectives.
In this training course, we take a deep dive into On-Premises, Hybrid, and Azure AD, exploring the different kinds of AD services and technologies. We cover a range of AD attack techniques that abuse these underlying mechanisms. The course is lab-intensive, with hands-on exercises throughout; each training lab is accompanied by an in-depth discussion of the core concept behind it, so that students understand the theoretical background and can implement the attack technique effectively.
For every attack technique introduced, we also cover the indicators that defenders rely on. In the detection lab, students learn how defenders discover each AD attack. Because the training covers each technique in detail, we aim to equip students to weigh the OPSEC implications of those potential indicators while completing an operation. This is what allows an offensive operator to stay under the defender's radar.
Active Directory (AD) Background Knowledge Overview
- Introduction to On-Premises, Hybrid, and Azure AD
- MITRE ATT&CK mapping domain (AD)
- Security threats of the domain (AD)
- Introduction to Environment and Course Tools
How Does the Blue Team Leverage Detection for AD Attack Techniques?
Telemetry and Detection Mechanisms in On-Premises and Azure AD
- On-Premises AD – Event Log
- On-Premises AD – SACL
- Azure AD – Audit Log
- Other Concepts
- Lab: Build Detection Mechanisms for AD Attack Techniques
Attack and Detection Techniques for All AD Threat Terrain
On-Premises AD (Each lab includes an attack concept explanation, an attack exercise, and a detection exercise, lasting about 20–50 minutes in total depending on the students' progress.)
- Lab: Use PowerShell to Build AD
- Lab: AD Reconnaissance
- Lab: Credential Access – Password Spraying
- Lab: Privilege Escalation – AS-REP Roasting (Pre-authentication Disabled)
- Lab: Privilege Escalation – Kerberoasting
- Lab: Persistence – Pass the Ticket (Golden Ticket)
Attack and Detection Techniques for All AD Threat Terrain (All Day)
On-Premises AD (Each lab includes an attack concept explanation, an attack exercise, and a detection exercise, lasting about 20–50 minutes in total depending on the students' progress.)
- Lab: Persistence – Pass the Ticket (Diamond Ticket)
- Lab: Persistence – Pass the Ticket (Silver Ticket)
- Lab: Persistence – Pass the Hash (PtH)
- Lab: Persistence – Over-Pass the Hash
- Lab: Persistence – Ticket Harvesting
- Lab: Persistence – DPAPI
- Lab: Other AD Persistence Techniques
- Lab: Privilege Escalation – Group Managed Service Accounts
- Lab: Credential Access – NTLM Relay
- Lab: Privilege Escalation – Unconstrained Delegation
- Lab: Privilege Escalation – Traditional Constrained Delegation (Use any authentication protocol)
- Lab: Privilege Escalation – Resource-based Constrained Delegation
- Lab: Privilege Escalation – Traditional Constrained Delegation (Use Kerberos only)
- Lab: Privilege Escalation – ACL Abuse
Attack and Detection Techniques for All AD Threat Terrain (All Day)
On-Premises AD (Each lab includes an attack concept explanation, an attack exercise, and a detection exercise, lasting about 20–50 minutes in total depending on the students' progress.)
- Lab: Privilege Escalation – DNSAdmins Abuse
- Lab: Privilege Escalation – Domain Default Group Abuse
- Lab: GPO Abuse – Persistence – Edit a GPO to Deploy a C2 Script (Limited User)
- Lab: GPO Abuse – Ransomware Infection (Domain Admin)
- Lab: Trust and Forest – SID History + Golden Ticket (Parent/Child Trust)
- Lab: Trust and Forest – Forged Trust Ticket (Parent/Child Trust)
- Lab: Trust and Forest – Printer Bug with Two-way Forest Trust
- Lab: AD Certificate Services – Enumeration
- Lab: AD Certificate Services – Account Persistence
- Lab: AD Certificate Services – Certificate Theft
- Lab: AD Certificate Services – Domain Escalation
- Lab: AD Certificate Services – Domain Persistence
Attack and Detection Techniques for All AD Threat Terrain
Hybrid AD
- ADFS – Credential Dump
- ADFS – Golden SAML
Azure AD (In this part, several concepts are combined and exercised together.)
- Lab: Azure AD Reconnaissance – Outside/Inside the Tenant
- Lab: Azure AD Initial Access – Application Consent Phishing
- Lab: Azure AD Initial Access – Device Code Phishing
- Lab: Azure AD Initial Access – Password Spraying
- Lab: Azure AD Credential Access – Primary Refresh Token
- Lab: Azure AD Credential Access – Service Principal Abuse
- Lab: Azure AD Privilege Escalation – Service Principals
- Lab: Azure AD Privilege Escalation – API Permissions
- Lab: Azure AD Execution – Managed Device Scripting
- Lab: Azure AD Execution – Virtual Machine Scripting
- Lab: Azure AD Persistence – OAuth2 Application
Evade Blue Team Detection – Apply Operations Security (OPSEC)
- Introduction to the Operations Security Concept
- Deep Dive into Attack Technique Indicators for OPSEC Considerations
Dexter Chen is a threat researcher at TXOne Networks Inc. with a primary focus on penetration testing, red teaming, and Active Directory security. He has spoken at several international cyber security conferences, including CODE BLUE, HITCON, Black Hat MEA, and CYBERSEC.
He was previously a red teamer at Trend Micro, specializing in lateral movement and operations security. He has been an instructor for several trainings, including HITCON training, the Cybersecurity Center of Excellence (CCOE), and the Ministry of National Defense.
Dexter is a cyber security enthusiast who enjoys working through labs, researching vulnerabilities, and exploring various attack techniques. He currently holds the OSCP and OSWE certifications.
Mars Cheng (@marscheng_) is the threat research manager of the TXOne Networks PSIRT and threat research team, responsible for coordinating product security and threat research, and is the executive director of the Association of Hackers in Taiwan. Mars blends background and experience in both ICS/SCADA and enterprise cybersecurity systems.
Mars has directly contributed to more than ten CVE-IDs and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Cheng was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST).
Mars is a frequent speaker and trainer at international cyber security conferences such as Black Hat USA/EU/MEA, RSA Conference, DEFCON, Troopers, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, and CLOUDSEC. Mars was the general coordinator of HITCON (Hacks in Taiwan Conference) PEACE 2022 and HITCON 2021, and the vice general coordinator of HITCON 2020.