Pentest

Pentest Active Directory 2 Advanced - 5 days

Description

For many companies, Active Directory is the heart of identity and access management. Its ubiquity within information systems makes it a prime target for computer attacks, and penetration testing is a key component of its defense against threats.

During this five-day training, you will deepen your intrusion skills in an Active Directory environment. Guided by our experts, you will study advanced reconnaissance, lateral movement, privilege escalation, secrets extraction and persistence techniques. To illustrate the new concepts, learners work hands-on in two complete company environments derived from real-world scenarios.

  • 5 days (35 hours)

  • 5 course modules covering all intrusion steps

  • 2 corporate environments with 30+ machines and specific services such as ADCS and SCCM

Public and prerequisites

This training is intended for people who already have a good knowledge of Active Directory environments. It is aimed mainly at pentesters, system administrators and security architects.

  • Pentesters

  • System administrators

  • Security architects

Good networking and Unix knowledge is also recommended.

Content

Day 1

Fundamentals: Active Directory mechanisms, general intrusion principles and those specific to these environments. Reconnaissance and first actions from authenticated access: information retrieval methods (ADIDNS, service detection via LDAP and GPO scans), advanced use of BloodHound (Cypher queries).

Day 2

Lateral movements: ADIDNS, WinRM and JEA poisoning, LAPS, gMSA/sMSA secrets extraction, MS-SQL trust abuse, NTLM relaying (dissection, cross-protocol relaying, WebDAV), authentication coercing, Kerberos relaying, cross-forest pivots.

Day 3

Local privilege escalation: access tokens and impersonation, study of the Potato family of vulnerabilities. Privilege escalation on the domain: study and abuse of ACLs, advanced exploitation of Kerberos delegation, ADCS ESC1 to ESC15, SCCM mechanisms and exploitation primitives, abuse of privileged groups, analysis of public vulnerabilities.

Day 4

Secrets extraction: LSASS dump methods and tools, token spoofing, registry secrets analysis, DPAPI internals, KeePass databases.

Day 5

Persistence: ADCS (certificates), Kerberos tickets (golden, diamond, sapphire), DSRM, golden gMSA, AdminSDHolder abuse, skeleton key creation, Kerberos delegation, GPO poisoning, DC Shadow.