
Complete Course Curriculum
24 lessons across 6 sections • 16 hands-on labs • 5 instructor demos • ~16 hours of video content
Attack Techniques Covered
- Golden Ticket — Forged TGT with KRBTGT hash
- Silver Ticket — Forged service ticket
- Kerberoasting — Offline service account cracking
- AS-REP Roasting — Pre-auth disabled account cracking
- Skeleton Key — In-memory DC backdoor
- DCSync — Credential replication attack
- NTLM Relay — LLMNR/NBT-NS poisoning & relay
- Forced Authentication — Printer Bug / SpoolSample
Event IDs for Detection
- 4624 — Account Logon
- 4627 — Group Membership Information
- 4662 — Operation Performed on Object
- 4668 — Application Attempted to Use Sensitive Privilege
- 4698 — Scheduled Task Created
- 4728 — Member Added to Security-Enabled Global Group
- 4768 — Kerberos TGT Requested
- 4769 — Kerberos Service Ticket Requested
- 4770 — Kerberos Service Ticket Renewed
- 4771 — Kerberos Pre-Authentication Failed
- 4776 — Attempted to Validate Credentials
- 5136 — Directory Service Object Modified
- 5137 — Directory Service Object Created
Tools & Technologies
Offensive Tools
Defensive Tools
Course Sections
Section 1: Introduction & Setup
4 lessons • ~2 hours 30 min
- Lesson 01: Course Introduction and Lab Setup
- Lesson 02: Introduction to Active Directory (Demo)
- Lesson 03: Group Policy (Demo)
- Lesson 04: Enabling Logging and Auditing
Labs: Lab 0A (Provisioning Infrastructure), Lab 0B (Configuring the Lab), Lab 0C (Configuring the Lab in Azure), Lab 0D (Configuring the Lab (Azure))
Section 2: Active Directory Fundamentals
4 lessons • ~2 hours 20 min
- Lesson 05: Key AD Accounts and Groups (Demo)
- Lesson 06: Securing Windows Accounts (Demo)
- Lesson 07: Windows Access Control Model (Demo)
- Lesson 08: DACL Abuse Attacks
Labs: Lab 1 (Review the Domain), Lab 2 (Understanding Identities and Accounts), Lab 3 (DCSync)
Section 3: Windows Authentication
4 lessons • ~1 hour 30 min
- Lesson 09: Windows Authentication
- Lesson 10: NTLM
- Lesson 11: Kerberos
- Lesson 12: Kerberos Logs Revisited
Labs: Lab 4 (NTLM Relay & Responder)
Section 4: Ticket Roasting Attacks
3 lessons • ~35 min
- Lesson 13: AS-REQ Roasting
- Lesson 14: AS-REP Roasting
- Lesson 15: Kerberoasting
Labs: Lab 5 (AS-REQ Roasting), Lab 6 (AS-REP Roasting), Lab 7 (Kerberoasting)
Section 5: Ticket Forging Attacks
4 lessons • ~35 min
- Lesson 16: Golden Ticket
- Lesson 17: Diamond Ticket
- Lesson 18: Silver Ticket
- Lesson 19: Skeleton Key
Labs: Lab 8 (Golden Ticket), Lab 9 (Silver Ticket)
Section 6: Kerberos Delegation
4 lessons • ~2 hours
- Lesson 20: Intro to Kerberos Delegation
- Lesson 21: Unconstrained Delegation
- Lesson 22: Constrained Delegation
- Lesson 23: Resource-Based Constrained Delegation (RBCD)
Labs: Lab 10 (Unconstrained Delegation), Lab 11 (Constrained Delegation), Lab 12 (Resource-Based Constrained Delegation)
Wrapup
1 lesson • ~18 minutes
- Lesson 24: Course Summary & Next Steps
Lab Architecture
Production-Grade Centralized Logging
The lab uses Windows Event Forwarding (WEF) to centralize logs from all systems to an Elastic SIEM for real-world detection practice:
client1 (WEF client) ───┐
                        ├─> dc1 (WEF collector) ──> dc1 (Winlogbeat) ──> adsecvm (Elasticsearch/Kibana)
db-server (WEF client) ─┘
Lab Environment
- adsecvm: 192.168.100.1
- dc1: 192.168.100.11
- client1: 192.168.100.21
- db-server: 192.168.100.31
- Domain: talespin.lab
Deployment Options
- VMware: Local deployment
- Azure: Cloud alternative
- Ansible: Automated setup
- Setup time: ~30-45 min
Requirements
- RAM: 16GB min (32GB rec.)
- Storage: 100GB free
- CPU: x86 with VT-x
- OS: Windows/Mac/Linux
Ready to Master Active Directory Security?
Enroll now and get started. $599 for 1-year access.
1-Year Access • All Future Updates Included