Learning Track · 22 modules

Active Directory Security

Red-team and blue-team AD. Kerberos, BloodHound, defensive hardening, ADFS.

Why this track

Active Directory is still the operational backbone of most Indian enterprises, and almost every red-team engagement ends in compromised domain admin. This track teaches both sides: how attackers go from foothold to forest compromise via Kerberoasting, ACL abuse, ADCS exploitation, and trust manipulation, and how defenders detect and prevent each step. You will learn to use BloodHound and Mimikatz responsibly, and the defensive countermeasures that actually stop these attacks at scale.

What you will be able to do
  • Enumerate any Active Directory environment with BloodHound and live off the land
  • Execute and explain Kerberoasting, AS-REP Roasting, DCSync, Golden Ticket, and ADCS ESC1-ESC8
  • Design AD tier model and PAW deployments that block lateral movement
  • Detect AD attacks via Event ID monitoring + EDR + Microsoft Defender for Identity
  • Harden ADCS, GPOs, and trust relationships against modern adversary toolkits
Prerequisite: Networking fundamentals + comfort with Windows command line.
Modules: 22
Total time: 18.7 h
Free modules: 22
Quiz retries
Difficulty mix: Beginner 1 · Intermediate 2 · Advanced 15 · Expert 4

Module sequence

M1
AD Architecture Fundamentals
Active Directory is the authentication backbone of ~95% of enterprise environments in India and globally. Most enterprise breaches of note, from Colonial Pipeline to Maersk to countless Indian banks, involved AD compromise somewhere on the kill chain. Understand AD and you understand enterprise attack paths; stay ignorant and you audit blind. This module […]
Beginner 60 min
M2
Kerberoasting in Practice
Kerberoasting is the single most common Active Directory attack encountered on pen-test engagements. It is low-noise, low-skill and highly reliable: any authenticated domain user can request a service ticket for any account that has an SPN and crack that ticket offline. When the password cracks, the attacker holds a service account’s cleartext credentials, and such accounts are frequently over-privileged, sometimes Domain Admin. The attack fails only where the password is not practically crackable, which is why gMSAs and long random service passwords (with AES-only encryption types to slow cracking further) are the structural fix. Understanding it is essential for both the offence and defence sides. This is a hands-on module. You will see the exact attacker […]
Advanced 90 min
M3
BloodHound for Attack Paths
Individual AD misconfigurations look innocuous on their own. A group with a few extra members. A computer with delegation enabled. A user with GenericWrite on a colleague’s account. In isolation, each is a “maybe low risk.” When graph-analysed together, they form attack paths — concrete, stepwise routes from any foothold to Domain Admin. BloodHound is […]
Advanced 90 min
M4
NTLM Relay Attacks
NTLM Relay is one of the most effective attacks against modern Windows environments, and it works even on fully-patched systems unless defenders have enabled specific hardening (SMB signing, LDAP signing and channel binding, and Extended Protection for Authentication on HTTP endpoints such as ADCS web enrolment). This module covers how relay works, common exploit chains, and the defences that actually block it. How NTLM authentication works NTLM is a challenge-response protocol. Client sends NTLM_NEGOTIATE; […]
Advanced 90 min
M5
Golden and Silver Tickets
Forged Kerberos tickets are the ultimate AD compromise. A Golden Ticket, forged with the krbtgt account’s key, grants domain-wide impersonation for whatever lifetime the attacker chooses (Mimikatz defaults to 10 years) and remains valid until the krbtgt password has been rotated twice. A Silver Ticket, forged with a service account’s key, grants service-specific impersonation without ever touching the DC. Understanding both is essential for any practitioner serious about AD. Kerberos ticket refresher Two ticket types in a Kerberos flow: TGT (Ticket Granting Ticket) — issued by […]
Advanced 90 min
M6
Active Directory Certificate Services Attacks
Active Directory Certificate Services (ADCS) is how Windows issues certificates — for user authentication, computer authentication, web services, VPN, code signing. It’s also, since SpecterOps’s 2021 “Certified Pre-Owned” research, one of the fastest paths from user to Domain Admin. This module covers the attack classes (ESC1-ESC8+) and defences. ADCS primer Certification Authority (CA) — issues […]
Advanced 90 min
M7
Hybrid AD & ADFS Attack Surface
Entra Connect as a Tier 0 crown jewel, ADFS Golden SAML, PHS attacks, on-prem ↔ cloud lateral movement, Tier 0 isolation.
Expert 120 min
M8
AS-REP Roasting — The Quiet Cousin of Kerberoasting
Why this module exists. Every AD pentester checks Kerberoasting first. Most check AS-REP Roasting second. The astonishing thing is how often it still works in 2026: accounts with DONT_REQ_PREAUTH set, often “temporarily” by an admin in 2014 and never unset. Because the KDC returns an AS-REP for such an account without any proof of the password, one vulnerable account is enough to attempt an offline crack of that user’s password, with no authenticated access required. The bug, structurally […]
Advanced 30 min
M9
Pass-the-Hash & Pass-the-Ticket
Why this module exists. Pass-the-Hash was first published in 1997. Microsoft has shipped 28 years of mitigations and the technique still works on most enterprise networks. Understanding why it persists, and what actually stops it, is foundational to defending AD. NTLM in 30 seconds NTLM authentication doesn’t transmit the password. The client transmits the NT […]
Advanced 35 min
M10
DCSync — Domain Replication Abuse
Why this module exists. DCSync is the technique that lets an attacker dump every credential in your domain without ever touching a domain controller’s filesystem. It is not an exploit; it is a feature being abused: any principal holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain naming context can ask a DC to replicate account secrets, exactly as a peer DC would. Most AD environments have multiple non-DC accounts holding those rights, and most defenders don’t know who. The mechanic Active Directory […]
Advanced 30 min
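Detection logic for three of the techniques above (Kerberoasting in Module 2, AS-REP Roasting in Module 8, DCSync in Module 10), run over constructed Security-log events, as an added example that is not the track's own code. The event field names are the EventData names Windows uses for 4769, 4768 and 4662; the accounts, timestamps, the DC list and the allow-list are constructed for the demo. The rules encode the checks a detection engineer would actually write: RC4 (0x17) service tickets for non-machine, non-krbtgt SPNs in a burst from one requester; an AS request accepted with pre-authentication type 0; and a 4662 carrying the replication control-access GUIDs from a subject that is not a DC and not on an explicit allow-list (Entra Connect and the Defender for Identity sensor replicate legitimately, so they belong on that list rather than in a blanket service-account exclusion). 4662 only appears if a SACL on the domain object audits those rights, which is part of the defensive setup this track covers.

```python
"""Three AD detections over constructed Security-log events (added example;
not the track's own code). Field names follow Windows EventData; events,
accounts, DC list and allow-list are constructed for the demo."""
from collections import defaultdict

DC_ACCOUNTS = {"DC01$"}  # assumption: the lab domain's DC computer accounts
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed sample events. Time is seconds; real events carry timestamps.
EVENTS = [
    # Kerberoasting: one user pulls RC4 service tickets for five SPN accounts in seconds.
    *({"EventID": 4769, "Time": 100 + i, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": s,
       "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"}
      for i, s in enumerate(["svc_sql", "svc_backup", "svc_iis", "svc_sap", "svc_ftp"])),
    # Benign: AES ticket for a machine SPN and a krbtgt service ticket must not fire.
    {"EventID": 4769, "Time": 110, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "Time": 111, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    # AS-REP roasting: AS-REQ accepted with no pre-authentication (PreAuthType 0).
    {"EventID": 4768, "Time": 200, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "Time": 201, "TargetUserName": "jsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    # DCSync: replication rights exercised on the domain object. A DC doing it is normal.
    {"EventID": 4662, "Time": 300, "SubjectUserName": "DC01$", "ObjectType": "domainDNS",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "Time": 301, "SubjectUserName": "backup_svc", "ObjectType": "domainDNS",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]


def kerberoast_hits(events, burst=5, window=60):
    """4769 with RC4 (0x17) for non-krbtgt, non-machine SPNs; alert when one
    requester pulls >= `burst` such tickets within `window` seconds.
    Returns {requester: sorted list of roasted SPN accounts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_user[e["TargetUserName"]].append((e["Time"], svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i in range(len(reqs)):
            in_window = [s for t, s in reqs[i:] if t - reqs[i][0] <= window]
            if len(in_window) >= burst:
                hits[user] = sorted(set(in_window))
                break
    return hits


def asrep_hits(events):
    """4768 with PreAuthType 0: the KDC handed out an AS-REP without proof of the
    password. RC4 makes the crack cheap, so rate it higher than AES."""
    return [(e["TargetUserName"], "high" if e["TicketEncryptionType"] == "0x17" else "medium")
            for e in events if e["EventID"] == 4768 and e["PreAuthType"] == "0"]


def dcsync_hits(events, dc_accounts=DC_ACCOUNTS, allowlist=()):
    """4662 carrying a replication GUID from a subject that is neither a DC nor an
    explicitly allow-listed replicator (e.g. the Entra Connect account)."""
    return [e["SubjectUserName"] for e in events
            if e["EventID"] == 4662
            and REPL_GUIDS & set(e["Properties"])
            and e["SubjectUserName"] not in dc_accounts
            and e["SubjectUserName"] not in allowlist]


if __name__ == "__main__":
    print("Kerberoasting:", kerberoast_hits(EVENTS))
    print("AS-REP roasting:", asrep_hits(EVENTS))
    print("DCSync:", dcsync_hits(EVENTS))
```

The burst threshold in kerberoast_hits is the knob worth tuning per estate: a single RC4 ticket request is common noise from legacy applications, but five distinct SPN accounts from one requester inside a minute is what a roasting tool produces.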
M11
Kerberos Delegation Abuse — Unconstrained, Constrained, RBCD
Why this module exists. Kerberos delegation is one of the most-misunderstood AD features and one of the most-abused. Three flavours, all dangerous when misconfigured: Unconstrained (legacy, terrifying), Constrained (better, still bad), and Resource-Based Constrained Delegation (the new one, with its own attack class). Every red team checks all three. Why delegation exists Tiered apps need […]
Expert 40 min
M12
DPAPI — Windows Data Protection API Attacks
Why this module exists. DPAPI is how Windows stores “secrets” — Wi-Fi passwords, browser-saved credentials, RDP credentials, OneDrive tokens, certificates. Attackers who understand DPAPI extract dozens of credentials per compromised host. Defenders who don’t understand it can’t tell which alert means “credential theft” vs “noise”. The DPAPI mental model Each Windows user has a master […]
Advanced 30 min
M13
Azure AD / Entra ID Attack Surface
Why this module exists. Indian enterprises moved their identity to Microsoft 365 / Entra ID (formerly Azure AD) in waves between 2019 and 2024. Attackers followed. The 2023-25 surge in token-theft and consent-phishing attacks is now the dominant initial-access technique against Microsoft-shop enterprises. Different concepts, different tools, different defenders. How Entra ID is different from […]
Advanced 35 min
M14
Group Policy Object (GPO) Abuse
Why this module exists. Group Policy was designed in 2000 to centralise Windows administration. It’s still the primary configuration mechanism for AD-joined hosts in 2026. Attackers learned its weaknesses long ago; defenders mostly still don’t audit GPO ACLs. Three flavours of GPO abuse pay off in nearly every internal pentest. The GPP cpassword bug — […]
Advanced 30 min
M15
Password Spraying Against AD in 2026
Why this module exists. Brute force = trying many passwords against one account → triggers lockout. Spraying = trying one password against many accounts → stays under lockout thresholds. The result of spraying every Indian enterprise’s user list with “Password@2026” is, statistically, 2-5% success — sometimes including admins. The math Default AD account lockout: 5 […]
Intermediate 25 min
M16
AD Tier-0 Hardening — The Defender’s Playbook
Why this module exists. Most AD breaches succeed because Domain Admin credentials end up exposed on workstations or member servers. Microsoft’s Tiered Administration Model, from the “Securing Privileged Access” guidance and since superseded by the broader “Enterprise Access Model”, is the structural fix. It is well-documented and rarely implemented in full. This module is the practical playbook. The model Three tiers, in increasing […]
Advanced 40 min
M17
Read-Only Domain Controllers (RODCs) — Attack & Defence
Why this module exists. RODCs were Microsoft’s 2008 answer to “we need a DC at a branch office, but the branch office has no physical security.” The model: cache only specific user passwords; if the RODC is stolen, only those users’ hashes are exposed. The reality: misconfigured RODCs cache more than admins realise, and compromised […]
Advanced 30 min
M18
AdminSDHolder & SDProp Persistence
Why this module exists. AdminSDHolder is one of the cleanest persistence primitives in AD because it abuses a feature, not a bug. Microsoft built SDProp to protect privileged accounts from accidental ACL drift. Attackers turned that protection into a self-healing backdoor. If you have ever seen an environment where the IR team cleaned up the […]
Advanced 30 min
M19
SID History Abuse & Cross-Forest Trust Attacks
Why this module exists. Forest trusts were Microsoft’s promise that the forest boundary was a hard security boundary. SID Filtering — enabled by default on external trusts since Windows Server 2003 — was the control that made the promise real. But every year, a new variation on SID-History abuse shows it is not as hard […]
Expert 35 min
M20
AD Trust Relationships Deep Dive — Forest, External, Shortcut
Why this module exists. AD has six distinct trust types. Each has different transitivity, SID Filtering defaults, Kerberos behaviour, and attacker-reachable abuse pattern. The median Indian-bank AD environment we audit has at least one trust whose properties the owning team cannot explain. This module is the missing reference. The six trust types — at a […]
Advanced 35 min
M21
LAPS Bypass & Local Admin Password Strategy
Why this module exists. Before LAPS, the canonical AD post-exploitation move was: dump the local Administrator hash from any workstation, then Pass-the-Hash to every other workstation in the estate. LAPS killed that move by giving every machine its own randomly generated, regularly rotated local Administrator password, stored in AD behind an ACL. But LAPS adoption is incomplete in Indian enterprises (typically 60-80% coverage in audits) and the ACLs […]
Intermediate 30 min
M22
DCShadow — Stealth Domain Replication Abuse
Why this module exists. DCShadow is the textbook example of “stealth persistence”. An attacker with sufficient privileges does not need to keep dropping files, scheduling tasks, or modifying registry keys — they push the change into the directory itself via the replication protocol, and the change is now part of the canonical AD state. Defender […]
Expert 35 min

Related tracks

🏰
Track
Attacker Mindset — Active Directory
Fragile-by-design AD, BloodHound graphs, ACL abuse, ADCS (ESC1-16), trusts, delegation, hybrid attacks.
🎭
Track
Red Team Operations
Adversary simulation: initial access, C2, lateral movement, defeating modern EDR.
📡
Track
Blue Team / SOC Operations
How defenders actually work. SOC structure, SIEM, detection engineering, EDR, malware triage.

Common questions about this track

Is this an offensive or defensive track?

Both. Each major attack technique is paired with the defender perspective: how to detect it, prevent it, and respond. Red and blue teams need each other; this track teaches both.

Do I need a Windows lab?

Yes. Modules walk through building a small AD lab in VirtualBox / VMware, and we provide build scripts. Evaluation Windows licences are free, so the lab costs nothing.

Is Mimikatz still relevant in 2026?

Yes — modern derivatives (BetterSafetyKatz, NimplantC2 modules) follow Mimikatz design. Understanding the original is foundational for both attackers and defenders.

Does this cover Entra ID hybrid attacks?

Yes. Hybrid identity attacks (Entra Connect credential extraction, ADFS Golden SAML, on-prem-to-cloud lateral movement, Pass-the-PRT) are increasingly common in Indian enterprises and are covered in Module 7 and Module 13.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
