Along with Cn33liz, I recently had the pleasure of assisting Nikhil Mittal with his 2018 BruCON spring training: Active Directory Attacks for Red and Blue Teams.

This 3-day course is aimed at attacking modern AD environments, focusing on abusing misconfigured enterprise applications like Jenkins and leveraging native tools such as PowerShell and other trusted OS resources to carry out post-exploitation activities.

Nikhil covers a wide range of topics, including:

  • AD & PowerShell basics
  • Domain enumeration & mapping
    • PowerView
    • BloodHound
  • Privilege Escalation
    • PowerUp
    • Jenkins
    • Credential theft (Mimikatz)
  • Kerberos Attacks
    • Golden & Silver tickets
    • Kerberoasting
    • Kerberos Pre-Auth
    • Delegation
  • Domain & Forest trusts
    • Child -> Parent
    • X-Forest
  • MSSQL Server Database links
  • Credential abuse
    • PTH & Over-PTH
    • Token Manipulation
  • Persistence
    • Skeleton Keys
    • DCShadow
    • Directory Services Restore Mode
    • Security Support Provider
    • AdminSDHolder
    • ACLs & Security Descriptors
  • Bypassing Defence
    • AppLocker
    • ATA

The course material is a combination of lecture, demos and hands-on exercises. For the majority of topics we cover the theory, show a demo, then allow the students some time to try it out in the lab. The lab is a large, multi-forest environment which is full of the vulnerabilities discussed in the class. Each student receives a VPN key and credentials to their own instance of Windows 10, from which to launch their attacks on the forest.

Some areas of the lab are secured a little more than others (e.g. AppLocker), just to introduce a bit of challenge and variety :)

The course covers a lot of material and consequently, a number of students may find they need more time with the hands-on exercises to wrap their heads around the various subjects. Unfortunately, in order to keep to schedule, we sometimes just have to move on. The saving grace is that every student is allowed to retain:

  • All the course materials, including slides and lab handouts.
  • VPN access to the lab for 1 month after the course.

So this gives each student plenty of time to revisit any and all exercises they wish.

In terms of balance, the content is delivered more from the red perspective than blue. If you’re on the offensive side, you’ll (hopefully) pick up a bunch of new tricks for your engagements and gain some understanding of the artefacts and logs you leave behind. Defenders will gain a deeper understanding of how the red guys are operating and methods of detecting their activity.

If you have the opportunity to attend the course, I would highly recommend it.