Crown Jewel on Enterprise – Active Directory (AD/AAD) Primitive Abuse and Detection Mechanism


USD $4,299.00

Duration

4 days

Delivery Method

in-person

Level

beginner / intermediate

Seats Available

20


ATTEND IN-PERSON: Onsite at Dubai

DATE: 16-19 October 2023

TIME: 09:00 to 17:00 GST/GMT+4

Date     Day        Time                        Duration
16 Oct   Monday     09:00 to 17:00 GST/GMT+4    8 Hours
17 Oct   Tuesday    09:00 to 17:00 GST/GMT+4    8 Hours
18 Oct   Wednesday  09:00 to 17:00 GST/GMT+4    8 Hours
19 Oct   Thursday   09:00 to 17:00 GST/GMT+4    8 Hours

 

Whether deployed On-Premises, Hybrid, or in Azure, Microsoft Active Directory (AD) is widely used by enterprises as the backbone of identity and access management. Adversaries recognize AD as the path to a company's crown jewels: although its functionality is critical to enterprise operation, the very mechanisms AD services provide can be abused by attackers to compromise an enterprise network and achieve their objectives.
In this training course, we take a deep dive into On-Premises, Hybrid, and Azure AD, exploring the different AD services and technologies. We cover a wide range of AD attack techniques that abuse these underlying mechanisms. The course is lab-intensive and hands-on. Each training lab is paired with an in-depth discussion of its core concept, so that students understand the theoretical background and can implement the attack technique effectively.

For every attack technique introduced, we also cover the indicators that defenders rely on. In the included detection lab, students learn how defenders discover each AD attack. Because this training covers each attack technique in detail, we aim to equip students to weigh the OPSEC implications of potential indicators when completing an operation, allowing the offensive operator to stay under the defender's radar.

 

The hands-on labs include the following parts:

  • On-Premises AD Credential Access (NTLM Relay, Password Spraying, etc.)
  • On-Premises AD Privilege Escalation (AS-REP Roasting, Kerberoasting, Delegation series, ACL, DNSAdmin, Domain Default Group, and gMSA Abuse, etc.)
  • On-Premises AD Persistence (Forged Tickets, Pass the Golden/Silver/Diamond/Sapphire Ticket, Pass the Hash, Over Pass the Hash, Ticket Harvest, DPAPI, etc.)
  • On-Premises AD Trust and Forest (SID-History Injection, Trust Ticket Abuse, Two-way Forest Trust Abuse, etc.)
  • On-Premises GPO Abuse (Editing a GPO to deploy a C2 script, Ransomware Infection, etc.)
  • On-Premises Certificate Service (Enumeration, Account Persistence, Certificate Theft, Golden Certificate, Domain Escalation and Persistence, etc.)
  • Hybrid AD Federation Service (AD Connect, Credentials Dump, Golden SAML)
  • Azure AD Initial Access (Password Spraying, etc.)
  • Azure AD Credential Access (Primary Refresh Token, Service Principal Certificate)
  • Azure AD Privilege Escalation (API Permissions Abuse, Service Principals, Automation Accounts, Storage Accounts)
  • Azure AD Execution (Managed Device Scripting, Virtual Machine Scripting, etc.)
  • Azure AD Persistence (Seamless SSO and Kerberos, etc.)
  • Blue Team AD Detection
  • Operation Security (OPSEC) to evade detection

 

Agenda/Topics Covered
Day 1

Active Directory (AD) Background Knowledge Overview (40 mins)

o Introduction to On-Premises, Hybrid, and Azure AD
o MITRE ATT&CK mapping for the domain (AD)
o Security threats to the domain (AD)
o Introduction to the Environment and Course Tools

 

How does the Blue Team Leverage Detection for AD Attack Techniques? (1~1.5 hrs)

o Telemetry and Detection Mechanisms in On-Premises and Azure AD

On-Premises AD Event Log
On-Premises AD SACL
Azure AD Audit Log
Other Concepts
Lab: Build a Detection Mechanism for AD Attack Techniques

 

Attack and Detection Techniques for All AD Threat Terrain (4+ hrs)

o On-Premises AD (each lab includes an attack concept explanation, an attack exercise, and a detection exercise; each lasts about 20-50 minutes and is adjusted to the students' pace.)

Lab: Use PowerShell to build AD
Lab: AD Reconnaissance
Lab: Credential Access - Password Spraying
Lab: Privilege Escalation - AS-REP Roasting (Disabled Pre-authentication)
Lab: Privilege Escalation - Kerberoasting
Lab: Persistence - Pass the Ticket (Golden Ticket)
Lab: Persistence - Pass the Ticket (Diamond Ticket)
Lab: Persistence - Pass the Ticket (Silver Ticket)


Day 2


Attack and Detection Techniques for All AD Threat Terrain (All day)

o On-Premises AD (each lab includes an attack concept explanation, an attack exercise, and a detection exercise; each lasts about 20-50 minutes and is adjusted to the students' pace.)

Lab: Persistence - Pass the Ticket (Sapphire Ticket)
Lab: Persistence - Pass the Hash (PtH)
Lab: Persistence - Over Pass the Hash
Lab: Persistence - Ticket Harvest
Lab: Persistence - DPAPI
Lab: Other AD Persistence Techniques
Lab: Privilege Escalation - Group Managed Service Account
Lab: Credential Access - NTLM Relay
Lab: Privilege Escalation - Unconstrained Delegation
Lab: Privilege Escalation - Traditional Constrained Delegation (Use any authentication protocol)
Lab: Privilege Escalation - Resource-based Constrained Delegation
Lab: Privilege Escalation - Traditional Constrained Delegation (Kerberos only)
Lab: Privilege Escalation - ACL Abuse
Lab: Privilege Escalation - DNSAdmin Abuse
Lab: Privilege Escalation - Domain Default Group Abuse


Day 3


Attack and Detection Techniques for All AD Threat Terrain (All day)

o On-Premises AD (each lab includes an attack concept explanation, an attack exercise, and a detection exercise; each lasts about 20-50 minutes and is adjusted to the students' pace.)

Lab: GPO Abuse - Persistence: Edit a GPO to deploy a C2 script (Limited User)
Lab: GPO Abuse - Ransomware Infection (Domain Admin)
Lab: Trust and Forest - SID-History + Golden Ticket (Parent/Child trust)
Lab: Trust and Forest - Forged Trust Ticket (Parent/Child trust)
Lab: Trust and Forest - Printer Bug with Two-way Forest Trust
Lab: AD Certificate Service - Enumeration
Lab: AD Certificate Service - Account Persistence
Lab: AD Certificate Service - Certificate Theft
Lab: AD Certificate Service - Domain Escalation
Lab: AD Certificate Service - Domain Persistence

o Hybrid AD

Lab: ADFS - AD Connect
Lab: ADFS - Credentials Dump
Lab: ADFS - Golden SAML


Day 4

Attack and Detection Techniques for All AD Threat Terrain

o Azure AD (in this part, we combine several concepts and implement them together)

Lab: Azure AD Reconnaissance - Outside/Inside the Tenant
Lab: Azure AD Initial Access - Application Consent Phishing
Lab: Azure AD Initial Access - Password Spraying
Lab: Azure AD Credential Access - Primary Refresh Token
Lab: Azure AD Credential Access - Service Principal Certificate
Lab: Azure AD Credential Access - Azure AD Kerberos and Cloud Kerberos
Lab: Azure AD Privilege Escalation - API Permissions Abuse
Lab: Azure AD Privilege Escalation - Service Principals
Lab: Azure AD Privilege Escalation - Automation Accounts
Lab: Azure AD Privilege Escalation - Storage Account
Lab: Azure AD Privilege Escalation - Logic Apps
Lab: Azure AD Privilege Escalation - Managed Identity Assignments
Lab: Azure AD Execution - Managed Device Scripting
Lab: Azure AD Execution - Virtual Machine Scripting
Lab: Azure AD Persistence - Seamless SSO and Kerberos
Lab: Azure AD Persistence - OAuth2 Application
Lab: Azure AD Defense Evasion - Conditional Access MFA Bypass

o Evade Blue Team Detection - Apply Operation Security (OPSEC) (2 hrs)

Introduction to the Operation Security Concept
Deep-dive into attack technique indicators for OPSEC consideration
Lab: AD Attack Technique Evasion (We will select a few cases for implementation, but expect to provide)

Why You Should Take This Course

Our course is biased toward the attacker's perspective. Many courses on the market discuss abusing AD services with various tools, but unfortunately most of them focus only on tool usage and cover attack techniques unevenly. Meanwhile, the blue team has gradually built up detection and defense for AD.
To address these issues, our course covers not only On-Premises, Hybrid, and Azure AD but also the latest attack techniques (collected up to the course cut-off date). We focus on core concepts, so that students not only use attack tools but also understand their theoretical background and can respond effectively to changes in different environments.
Moreover, in response to the blue team's increasingly sophisticated detection capabilities, we also examine in depth how the blue team implements detection. We introduce the concept and application of Operation Security (OPSEC) to avoid detection by the blue team entirely and carry the attack operation through to completion.

Who Should Attend

  • Red Team
  • Blue Team
  • AD Infrastructure Team
  • InfoSec Team
  • Penetration Testers
  • Anyone interested in AD Security

Key Learning Objectives

  • Trainees will learn the architecture and theoretical knowledge behind the operation of Active Directory (AD)/Azure AD (AAD).
  • Trainees will learn the latest and most complete attack methods for AD/AAD, understand the concepts and principles of AD/AAD abuse, and be able to successfully implement attacks using various methods, tools, and techniques. They will also learn about the various side effects that may occur in the environment when performing these attacks.
  • Trainees will learn how to chain various AD/AAD attack methods to achieve the ultimate mission goal of the red team.
  • Trainees will learn about the defensive detection mechanisms and specific implementations for each AD/AAD attack and abuse method.

Prerequisite Knowledge

  • Basic ability to operate Windows/Linux operating systems.
  • Basic understanding of PowerShell.
  • Experience with Active Directory (AD)/Azure AD (AAD) operations.

Hardware / Software Requirements

  • You will need a laptop with RDP and browser capabilities to connect to the cloud lab environment (the instructor will provide the environment).
  • Trainees who wish to build the lab environment on their own machine should prepare VMware Workstation/VMware Fusion. The course is expected to provide 6 sets of virtual machines (OVA); the hard disk space requirement is more than 80 GB, with a memory requirement of more than 32 GB.
    • If you are using a Mac, please use the Intel x86 version.

Your Instructor

Dexter Chen is a threat researcher at TXOne Networks Inc. with a primary focus on penetration testing, red teaming, and Active Directory security. He has spoken at several international cyber security conferences including CODE BLUE, HITCON, Black Hat MEA, and CYBERSEC.

He was previously a red teamer at Trend Micro specializing in lateral movement and operation security. He has been the instructor for several trainings, including HITCON training, the Cybersecurity Center of Excellence (CCOE), and the Ministry of National Defense.

Dexter is a cyber security enthusiast who enjoys working through labs, researching vulnerabilities, and exploring various attack techniques. He currently holds the OSCP and OSWE certifications.

Mars Cheng (@marscheng_) is a threat research manager of the TXOne Networks PSIRT and threat research team, responsible for coordinating product security and threat research, and is the executive director of the Association of Hackers in Taiwan. Mars blends a background and experience in both ICS/SCADA and enterprise cybersecurity systems.

Mars has directly contributed to more than ten CVE-IDs and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Cheng was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST).

Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat USA/EU/MEA, RSA Conference, DEFCON, Troopers, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, and CLOUDSEC. Mars was the general coordinator of HITCON (Hacks in Taiwan Conference) PEACE 2022 and HITCON 2021, and vice general coordinator of HITCON 2020.