
Master Active Directory Attacks.
Build the Defenses That Stop Them.
Execute real Kerberos attacks — Golden Tickets, Kerberoasting, delegation abuse — then build the detection and hardening strategies to shut them down. 24 lessons, 14 hands-on labs, taught by GIAC Security Expert #97.
Active Directory Is the #1 Target.
Most Teams Aren't Ready.
Active Directory controls authentication and authorization for over 90% of Fortune 500 companies. It is the single most targeted infrastructure component in enterprise breaches — from ransomware operators to nation-state adversaries.
Yet most security teams treat AD as a black box. Pentesters run Kerberoasting without understanding the protocol. Defenders monitor Event IDs without knowing what the attack actually looks like. The gap between offense and defense is where breaches happen.
Generic security courses cover AD as one module among many. You get a surface-level overview, run a few CTF-style challenges, and leave without the depth to secure a production environment or investigate a real compromise.
Deep AD Security. Both Sides. One Course.
Built by someone who investigates AD compromises for a living — not someone who just teaches about them. Every attack is paired with its detection strategy. Every lab uses real enterprise tools.
Attack and Defend Every Technique
Each attack — from DCSync to Diamond Tickets — is paired with its specific Event IDs, detection logic, and prevention controls. Offense and defense are integrated, the way real engagements work.
14 Labs on Real Infrastructure
Domain Controller, workstation, database server, Elastic SIEM with Sysmon and WEF. You deploy the same architecture used in production environments, not sandboxed CTF challenges.
MITRE ATT&CK Mapped Throughout
9+ ATT&CK techniques covered with specific sub-technique IDs (T1558.001 through T1558.004, T1003.006, T1557.001, and more). Every lab maps to the framework your SOC already uses.
What You Will Be Able to Do
Execute and detect Kerberos attacks end-to-end
Kerberoasting, AS-REP Roasting, Golden/Silver/Diamond Ticket forgery, and delegation abuse, with the exact Event IDs and Elastic SIEM queries to catch each one.
Compromise a domain from initial access to full control
Walk the complete attack chain: credential theft, privilege escalation through DACL abuse, lateral movement via NTLM relay, and persistence through ticket forging.
Build production-grade AD monitoring
Configure Windows Event Forwarding, Sysmon, and Elastic SIEM to detect the techniques that matter, using the same architecture deployed in real enterprise environments.
Harden Active Directory against the attacks you just performed
Implement tiered admin models, Protected Users Group, LAPS, SMB signing, LDAP signing, and constrained delegation controls.
Map your findings to MITRE ATT&CK and communicate risk
Every technique is mapped to ATT&CK sub-techniques, giving you the language to write actionable reports and brief leadership.
Built for Both Sides of the Engagement
Whether you are breaching Active Directory or defending it, you get practical skills you can use on your next engagement.
Red Team
Forge Golden/Silver/Diamond Tickets
Achieve domain persistence through ticket forgery techniques.
Extract credentials via Kerberoasting, AS-REP Roasting, DCSync
Target service accounts, weak configurations, and replication protocols.
Abuse NTLM relay, DACL misconfigs, and delegation
Escalate privileges through protocol-level and configuration attacks.
Chain techniques for full domain compromise
Walk from initial foothold to complete domain control.
Blue Team
Detect ticket forgery, roasting, and DCSync
Through specific Event IDs: 4768, 4769, 4662, 5136, and more.
Build centralized logging with WEF, Sysmon, and Elastic SIEM
Deploy production-grade monitoring across your lab environment.
Harden AD with tiered admin, Protected Users, and LAPS
Implement the controls that prevent the attacks you just learned.
Hunt for malicious GPOs, delegation, and DACL backdoors
Identify persistence mechanisms and misconfigurations attackers exploit.
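The Blue Team list above names the Event IDs the course builds detections on. As an added example that is not course material or the author's code, here is a small Python detector that applies the usual logic for three of those events to constructed Windows Security records: 4769 with an RC4 (0x17) service ticket for a user-account SPN (Kerberoasting), 4768 with PreAuthType 0 (AS-REP Roasting), and 4662 where a non-machine account exercises the directory replication extended rights (DCSync). The event records, account names and IP addresses are made up for illustration; field names follow the Security log's EventData, and the replication GUIDs are the documented AD schema values.

```python
"""Added example: apply Event ID detection logic for Kerberoasting (4769),
AS-REP Roasting (4768) and DCSync (4662) to constructed Security events.
The SAMPLE_EVENTS below are invented for illustration, not real log data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extended-rights GUIDs a DCSync caller must hold (AD schema control access rights).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"         # TicketEncryptionType value for RC4-HMAC
CONTROL_ACCESS = "0x100"  # 4662 AccessMask bit for extended (control access) rights

Event = Dict[str, str]


@dataclass(frozen=True)
class Alert:
    technique: str  # MITRE ATT&CK sub-technique id
    event_id: int
    subject: str    # account the alert is about
    detail: str


def _is_machine_account(name: str) -> bool:
    return name.endswith("$")


def detect_kerberoasting(ev: Event) -> Optional[Alert]:
    """4769: RC4 service ticket for a user (not computer) SPN. Modern clients
    negotiate AES, so 0x17 tickets for service accounts stand out."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return None
    svc = ev.get("ServiceName", "")
    if _is_machine_account(svc) or svc.lower() == "krbtgt":
        return None  # computer SPNs and the krbtgt service are not roastable targets
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return None
    return Alert("T1558.003", 4769, ev.get("TargetUserName", "?"),
                 f"RC4 service ticket requested for {svc}")


def detect_asrep_roasting(ev: Event) -> Optional[Alert]:
    """4768: TGT issued with no pre-authentication (PreAuthType 0) and RC4."""
    if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
        return None
    if ev.get("PreAuthType") != "0" or ev.get("TicketEncryptionType") != RC4_HMAC:
        return None
    return Alert("T1558.004", 4768, ev.get("TargetUserName", "?"),
                 "TGT issued without pre-authentication, RC4 encryption")


def detect_dcsync(ev: Event) -> Optional[Alert]:
    """4662: replication extended rights used by something that is not a
    domain controller's computer account."""
    if ev.get("EventID") != "4662" or ev.get("AccessMask") != CONTROL_ACCESS:
        return None
    subject = ev.get("SubjectUserName", "")
    if _is_machine_account(subject):
        return None  # normal DC-to-DC replication; allowlist sync accounts separately
    props = ev.get("Properties", "").lower()
    hits = sorted(g for g in REPLICATION_GUIDS if g in props)
    if not hits:
        return None
    return Alert("T1003.006", 4662, subject, "replication rights used: " + ", ".join(hits))


DETECTORS = (detect_kerberoasting, detect_asrep_roasting, detect_dcsync)


def run_detections(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        for detector in DETECTORS:
            alert = detector(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (hypothetical domain CORP.LOCAL, made-up accounts).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4769", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": "4769", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": "4769", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": "4768", "TargetUserName": "backup_svc", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": "4768", "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": "4662", "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "DC2$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a.technique} event {a.event_id} subject={a.subject}: {a.detail}")
```

Two tuning points worth keeping in mind when this logic is moved into a SIEM: service accounts configured for AES only never produce 0x17 tickets, so the Kerberoasting rule is a volume-and-enctype signal rather than a complete one, and the DCSync rule's machine-account exclusion still needs an allowlist for legitimate non-DC replication accounts (for example a directory sync service) before it is quiet enough for production.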
Your Lab. Real Infrastructure. Not a Sandbox.
You deploy a Domain Controller, workstation, database server, and an ELK stack with centralized logging via Windows Event Forwarding. Provision locally with VMware or in Azure. Automate everything with Ansible.
client1 (WEF client) ───┐
                        ├─> dc1 (WEF collector) ──> dc1 (Winlogbeat) ──> adsecvm (Elasticsearch/Kibana)
db-server (WEF client) ─┘
Enterprise-Grade Training. Accessible Pricing.
Stop Guessing. Start Knowing.
24 lessons. 14 labs. Both sides of every AD attack. Built by a practitioner, not a full-time instructor.