Learning Track · 20 modules

Attacker Mindset — Active Directory

Fragile-by-design AD, BloodHound graphs, ACL abuse, ADCS (ESC1-16), trusts, delegation, hybrid attacks.

Why this track

This track walks you from fundamentals through advanced techniques across 20 practitioner modules: the body of knowledge senior security professionals build over years, structured for self-paced progression, with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 20
Total time: 16.8 h
Free modules: 20
Quiz retries
Difficulty mix: Beginner 1 · Intermediate 13 · Advanced 4 · Expert 2

Module sequence

M1
Why AD Is Fragile by Design
AD's defaults accumulated risk for 20 years — authenticated-read-everything, NTLM, RC4, backwards compat.
Beginner 60 min
M2
AD Enumeration — Seeing Everything
BloodHound, SharpHound, Impacket, CrackMapExec, PowerView. Any authenticated user sees the whole directory.
Intermediate 75 min
M3
BloodHound — Graph Theory Meets AD
Edges, queries, custom Cypher. Why BloodHound changed offensive AD since its 2016 release.
Intermediate 75 min
M4
AD ACL Abuse — Twenty Years of Accumulated Trust
GenericAll, GenericWrite, WriteDacl, AddMember, ForceChangePassword. ACL delegation sprawl = privilege escalation.
Advanced 90 min
M5
Group Policy Preferences — The Gift That Keeps Giving
cPassword in SYSVOL still found in 2026. MS14-025 didn't remove legacy files. Plus SYSVOL credential hunting.
Intermediate 75 min
M6
ADCS — ESC1 through ESC16
Active Directory Certificate Services attacks (Certified Pre-Owned covered ESC1-8; later research added ESC9-16). Template misconfigurations → domain compromise.
Advanced 90 min
M7
Trusts — Legacy Merger Paths
Trust types, SIDHistory attacks, cross-forest paths. Mergers leave trust relationships with security debt.
Advanced 90 min
M8
Kerberos Delegation Abuse
Unconstrained, constrained, RBCD. S4U2Self + S4U2Proxy, MachineAccountQuota, PetitPotam coercion.
Advanced 90 min
M9
Hybrid AD — On-Prem Meets Cloud
Entra Connect crown jewel, Golden SAML, Azure AD attacks, AZUREADSSOACC$ legacy, PRT theft.
Expert 120 min
M10
AD Detection — What Good Looks Like
Event IDs, Sigma rules, Defender for Identity, Sentinel KQL queries. From generic SIEM to mature AD detection.
Expert 90 min
M11
The Implicit Trust of AD
Active Directory assumes a cooperative environment. Members trust each other. Domain controllers trust members. Trusts between domains assumed friendly. Every “feature” — Kerberos delegation, ACL inheritance, group nesting — is a cooperation primitive. Each is exploitable when the cooperation assumption fails. The mindset: AD’s features are its attack surface. Each was designed for ease, not […]
Intermediate 15 min
M12
Service Accounts Outlive Their Purpose
Service accounts get created. They stay forever. The original requester left in 2019. The service was decommissioned in 2021. The account remains, with the same permissions, the same password. Audit reveals: 30-50% of high-priv service accounts have no current owner. 20%+ haven’t had password change in 5+ years. The mindset: service accounts need lifecycle. Ownership, […]
Intermediate 15 min
M13
Permission Drift
User joins team A. Gets group memberships. Moves to team B. Gets new memberships. Old memberships rarely removed. Repeats over years. Result: senior engineers have memberships from every team they’ve been on. The set of effective permissions is unknowable without explicit query. The mindset: permissions need negative review (what should be removed) more than positive […]
Intermediate 15 min
M14
Reading the Directory as a Graph
The Active Directory Users and Computers MMC snap-in shows AD as a tree. BloodHound shows it as a graph. The graph view changes everything. Nodes: users, groups, computers, GPOs, OUs. Edges: MemberOf, AdminTo, GenericWrite, GenericAll, ForceChangePassword, etc. Attack paths emerge from graph structure. The mindset: think in graphs. Every node has incoming edges (who controls me) and outgoing edges (what […]
Intermediate 15 min
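The graph view in practice, as an added example that is not part of the course material: a handful of BloodHound-style edges modelled as a directed graph, a breadth-first search for the shortest path from a low-privilege user to Domain Admins, and the "who controls me / what do I control" queries the module describes. Every principal, host and edge below is constructed; the edge names are BloodHound's.

```python
"""Added example (not from the course page): a few BloodHound-style edges
modelled as a directed graph, with a breadth-first search for the shortest
path to Domain Admins and the "who controls me / what do I control" view
the module describes.  Every principal, host and edge below is constructed."""
from collections import deque

# Constructed edge list as (source, edge type, target).  Edge names are
# BloodHound's: MemberOf, AdminTo, HasSession (computer -> user that has a
# session there), ForceChangePassword, GenericWrite, AddMember, CanRDP.
EDGES = [
    ("alice@corp.local",         "MemberOf",            "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",      "ForceChangePassword", "svc_backup@corp.local"),
    ("svc_backup@corp.local",    "AdminTo",             "FS01.corp.local"),
    ("FS01.corp.local",          "HasSession",          "bob@corp.local"),
    ("bob@corp.local",           "MemberOf",            "SERVER ADMINS@corp.local"),
    ("SERVER ADMINS@corp.local", "AddMember",           "DOMAIN ADMINS@corp.local"),
    # A longer route that loops back into HELPDESK, and a dead end, so the
    # search has something to reject.
    ("alice@corp.local",         "GenericWrite",        "svc_sql@corp.local"),
    ("svc_sql@corp.local",       "AdminTo",             "SQL01.corp.local"),
    ("SQL01.corp.local",         "HasSession",          "carol@corp.local"),
    ("carol@corp.local",         "MemberOf",            "HELPDESK@corp.local"),
    ("alice@corp.local",         "CanRDP",              "WS07.corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge type, target), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search over outgoing edges.  Returns the path as a list
    of (source, edge type, target) hops, [] if start == target, or None if
    the target is unreachable from start."""
    if start == target:
        return []
    parent = {start: None}            # node -> (previous node, edge type)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for kind, nxt in graph.get(node, []):
            if nxt in parent:         # already reached by a path at least as short
                continue
            parent[nxt] = (node, kind)
            if nxt == target:
                hops = []
                cur = nxt
                while parent[cur] is not None:
                    prev, edge = parent[cur]
                    hops.append((prev, edge, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def inbound(edges, node):
    """Who controls me: every (source, edge type) pointing at `node`."""
    return [(src, kind) for src, kind, dst in edges if dst == node]


def outbound(edges, node):
    """What I control: every (edge type, target) leaving `node`."""
    return [(kind, dst) for src, kind, dst in edges if src == node]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src, kind, dst in shortest_path(g, "alice@corp.local", "DOMAIN ADMINS@corp.local"):
        print(f"{src} -[{kind}]-> {dst}")
    print("controls HELPDESK:", inbound(EDGES, "HELPDESK@corp.local"))
```

The search is unweighted, so it finds the fewest hops, which is what BloodHound's shortestPath does by default; real paths also need each hop to be operationally cheap (a ForceChangePassword hop locks the victim out, an AddMember hop is noisy), which is why the inbound view on the intermediate nodes matters as much as the path itself.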
M15
Why GPO Defaults Matter
GPOs have defaults. Defaults from when AD launched. “Not Defined” usually means “system default” — which may be insecure. Examples: NTLM still allowed. LM hash still stored on some configs. Anonymous SID enumeration enabled. Each is a backdoor that nobody actively turned on. The mindset: assume nothing is restricted unless explicitly restricted. Apply CIS or […]
Intermediate 15 min
M16
The Time Aspect of Kerberos
TGT typical lifetime: 10 hours. Forged Golden Ticket: any lifetime. Until krbtgt is rotated twice (a DC still accepts tickets encrypted with the previous krbtgt key, so one rotation is not enough), the attacker keeps DA through tickets the attacker forges. Service ticket cache: residual access for hours after permission revocation, because the group SIDs in the ticket's PAC were fixed at issue time. Cache flushing is rare and its impact uncertain. The mindset: time-bound credentials need time-bound revocation, not just permission revocation.
Intermediate 15 min
M17
Cross-Forest, Cross-Tenant Trust
M&A: company A acquires company B. Trust between forests established for “convenience.” Compromise of one becomes compromise of both. Hybrid AD + Entra: Entra Connect (formerly Azure AD Connect) bridges; compromise of either side reaches the other. Multi-tenant Entra: B2B guest accounts persist; compromise of guest tenant reaches host. The mindset: every trust relationship is a control merge. Document; […]
Intermediate 15 min
M18
The Backup-Account Anti-Pattern
Every AD has a “break glass” account: backup_admin, recovery_account, etc. Reasoning: “what if everything else fails?” Reality: account exists with full rights, no MFA, password unchanged for years. Attackers find it. Use it. Backup-admin compromise = full domain compromise with no anomaly detection. The mindset: break-glass accounts must be specifically monitored. Any login = SOC […]
Intermediate 15 min
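The "any login = SOC alert" rule from this module, as an added example that is not part of the course material: a few constructed Windows Security events in a one-line format, and the detection logic that raises an alert whenever a documented break-glass account shows up in a logon, failed logon or TGT request. The account names, hosts, IPs and the line format are assumptions for this example; a real pipeline would take 4624/4625/4768 events from the domain controllers via the SIEM.

```python
"""Added example (not from the course page): the "any login = SOC alert"
rule for break-glass accounts, run over constructed Windows Security
events.  Account names, hosts, IPs and the one-line event format are
assumptions for this example."""
import re

# Documented break-glass accounts.  Compared case-insensitively because
# TargetUserName case varies between event sources.
BREAK_GLASS = {"backup_admin", "recovery_account"}

# Event IDs that mean someone used, or tried to use, the account.
WATCHED = {
    "4624": "successful logon",
    "4625": "failed logon",
    "4768": "Kerberos TGT requested",
}

# Constructed sample: one event per line, "<timestamp> EventID=<id> key=value ...".
SAMPLE_LOG = """\
2026-01-14T02:13:55Z EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=10.20.30.5
2026-01-14T02:14:10Z EventID=4768 TargetUserName=backup_admin IpAddress=10.20.30.40
2026-01-14T02:14:11Z EventID=4624 TargetUserName=BACKUP_ADMIN LogonType=3 IpAddress=10.20.30.40
2026-01-14T02:20:00Z EventID=4625 TargetUserName=recovery_account LogonType=10 IpAddress=203.0.113.9
2026-01-14T02:21:00Z EventID=4624 TargetUserName=svc_sql LogonType=5 IpAddress=-
2026-01-14T02:22:00Z EventID=4769 TargetUserName=backup_admin@CORP.LOCAL ServiceName=cifs/fs01
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+(?P<rest>.*)$")


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = _LINE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "id": m["id"]}
    for field in m["rest"].split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def break_glass_alerts(log_text):
    """Return one (timestamp, account, what happened, source IP) tuple per
    watched event that names a break-glass account.  4769 service-ticket
    requests are left out on purpose: they follow the 4768 already alerted
    on and would add one alert per service the account touches."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["id"] not in WATCHED:
            continue
        # Strip a realm suffix (user@REALM) before matching the name.
        account = ev.get("TargetUserName", "").split("@")[0].lower()
        if account in BREAK_GLASS:
            alerts.append((ev["ts"], account, WATCHED[ev["id"]], ev.get("IpAddress", "?")))
    return alerts


if __name__ == "__main__":
    for ts, account, what, ip in break_glass_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} {account}: {what} from {ip}")
```

Failed logons are included deliberately: a break-glass account should see no authentication traffic at all, so a 4625 against it is password guessing against the one account with no MFA.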
M19
Why Passwords Persist 5+ Years
Service-account password rotation breaks services. Documentation incomplete. Owner unknown. Last person who knew has left. Result: passwords from 2018 still active. This is the structural reason Kerberoasting works at every internal pentest. The mindset: gMSA (Group Managed Service Account) where possible — Windows manages rotation. Where not possible, ≥25-char passwords (cracking economically unfeasible).
Intermediate 15 min
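An audit for the two failure modes described in M12 and M19 (service accounts with no current owner, and passwords unchanged for years), as an added example that is not part of the course material. The account records, dates and the fixed "now" are constructed; a real run would read sAMAccountName, servicePrincipalName, pwdLastSet, managedBy and objectClass from LDAP. Treating an empty managedBy as "no owner" is an assumption of this example; many organisations track ownership elsewhere.

```python
"""Added example (not from the course page): audit exported AD accounts for
service accounts with no current owner and passwords that have not changed
in years.  The records, dates and fixed "now" are constructed."""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC.  A value of 0 means the password was never set or must be
# changed at next logon.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    delta = dt - _EPOCH_1601
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


# Fixed "now" so the audit is reproducible (assumption for this example).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=5 * 365)   # the module's 5-year threshold

# Constructed directory export with only the attributes the audit needs.
ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "servicePrincipalName": ["backup/fs01.corp.local"],
     "pwdLastSet": to_filetime(datetime(2018, 3, 14, tzinfo=timezone.utc)),
     "managedBy": ""},
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": to_filetime(datetime(2025, 11, 2, tzinfo=timezone.utc)),
     "managedBy": "CN=DBA Team,OU=Groups,DC=corp,DC=local"},
    {"sAMAccountName": "gmsa_web$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": to_filetime(datetime(2025, 12, 20, tzinfo=timezone.utc)),
     "managedBy": ""},
    {"sAMAccountName": "svc_legacy", "objectClass": "user",
     "servicePrincipalName": ["CIFS/legacy01.corp.local"],
     "pwdLastSet": 0,
     "managedBy": ""},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "servicePrincipalName": [],
     "pwdLastSet": to_filetime(datetime(2025, 9, 1, tzinfo=timezone.utc)),
     "managedBy": ""},
]


def audit(accounts, now=NOW):
    """Return {sAMAccountName: [issue, ...]} for every non-gMSA account that
    carries an SPN.  gMSAs are skipped because the DCs rotate their password
    automatically (every 30 days by default); accounts without an SPN are
    not Kerberoastable and are out of scope here."""
    findings = {}
    for acct in accounts:
        if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
            continue
        if not acct["servicePrincipalName"]:
            continue
        # Any authenticated domain user can request this account's service ticket.
        issues = ["SPN set (Kerberoastable)"]
        if acct["pwdLastSet"] == 0:
            issues.append("pwdLastSet=0 (never set / forced change)")
        else:
            age = now - from_filetime(acct["pwdLastSet"])
            if age > STALE_AFTER:
                issues.append(f"password {age.days // 365}y old")
        if not acct["managedBy"]:
            issues.append("no owner (managedBy empty)")
        findings[acct["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS).items():
        print(f"{name}: {'; '.join(issues)}")
```

The stale-and-unowned accounts are the ones to migrate to gMSA first; where a product cannot use a gMSA, the same query identifies which passwords to lengthen past the cracking threshold the module recommends.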
M20
Defenders’ Worst Assumption
Defenders frequently believe their AD is too complex, too custom, too unique for attackers to navigate. Attackers run BloodHound in 90 minutes. Get a complete map. Find the shortest path to DA. The complexity defenders rely on is a 30-second query for the attacker. The mindset: assume the attacker maps AD better than you do. […]
Intermediate 15 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
