Security BSides Las Vegas 2025

Active Directory Attacks and Defense 101
2025-08-05, Emerald

This hands-on class provides students with practical experience attacking and defending Active Directory (AD) environments. Designed for system administrators, IT professionals, and security practitioners, the course covers foundational AD infrastructure, common misconfigurations, and real-world attack techniques. Students will gain insight into threats like NTLM Relay, Kerberoasting, Machine Account Quota abuse, and Unconstrained Delegation.
Each student will access a dedicated lab environment in Azure featuring three virtual machines: a Windows 10 client, a Windows Server 2019 domain controller, and an Ubuntu VM configured with relevant attack tools (including Docker containers for NTLM relay). Participants will perform each attack step-by-step, then implement defensive measures such as restricting delegation, reducing MachineAccountQuota, disabling unnecessary services, and enabling LDAP signing.
The class also covers defensive logging practices, including increasing LDAP diagnostic levels and configuring Windows Event Forwarding (WEF) from the domain controller to a log aggregator. Students will leave with a solid understanding of how to identify, exploit, and mitigate common AD weaknesses.
This class balances theory and hands-on labs, giving students actionable skills to improve the security posture of their AD environments.


Active Directory remains a critical and often vulnerable component in enterprise environments. Misconfigurations, legacy protocols, and overly permissive defaults frequently expose organizations to high-impact attacks. This 4-hour technical workshop equips attendees with both offensive and defensive AD skills, focusing on real-world threats and mitigation strategies.
The session begins with a quick primer on AD architecture—covering domain controllers, LDAP, Kerberos, NTLM, and common user/computer misconfigurations. Students will learn how attackers enumerate domains and locate exploitable targets using built-in Windows tools and open-source utilities.
Students will then perform impactful attacks in their own isolated Azure lab environments, including:
- NTLM Relay, using the Ubuntu Docker machine to capture NTLM authentication from a client and relay it to AD services such as LDAP and SMB.
- Kerberoasting, where students request service tickets for accounts with SPNs and crack them offline to recover the service account password.
- Machine Account Quota abuse, exploiting the default ability of any authenticated user to create computer accounts in the domain.
- Unconstrained Delegation, showing how an attacker who controls a host trusted for delegation can impersonate users that authenticate to it.
After each attack, students will implement the corresponding defenses, including:
- Configuring SMB and LDAP signing so that relayed authentication is rejected.
- Restricting MachineAccountQuota and delegating computer-creation privileges to a specific group instead of all authenticated users.
- Converting Unconstrained Delegation to Constrained or Resource-Based Constrained Delegation.
- Using Blue Team tools such as BloodHound CE and PingCastle to investigate a possible breach.
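The following PowerShell script is an added example (not part of the workshop's lab guide) that ties the enumeration step to the defense step for the four weaknesses above: it audits each one the way a defender or an attacker with RSAT would, and with -Fix applies the hardening described. The domain name corp.local, the DC name DC01, the OU=Workstations container and the group "Workstation Admins" are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the course's own material. Run as Domain Admin from a
# domain-joined host with RSAT. Without -Fix it only reports.
param(
    [string]$Domain = 'corp.local',   # hypothetical domain
    [string]$DC     = 'DC01',         # hypothetical domain controller
    [switch]$Fix
)
Import-Module ActiveDirectory
$dn = (Get-ADDomain -Identity $Domain).DistinguishedName

# 1. Kerberoasting: any user account with an SPN hands out a TGS encrypted with
#    that account's key, which is crackable offline. RC4 makes cracking fast.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, KerberosEncryptionType |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }
$spnUsers | Select-Object SamAccountName, PasswordLastSet, KerberosEncryptionType,
    @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }} | Format-Table -AutoSize
if ($Fix) {
    # Drop RC4 so tickets are AES-only. Pair this with a long random password or
    # a group Managed Service Account; that part is not automated here.
    $spnUsers | Set-ADUser -KerberosEncryptionType 'AES128,AES256'
}

# 2. MachineAccountQuota: default 10 lets every authenticated user join computers.
$maq = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $maq"
if ($Fix -and $maq -ne 0) {
    Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    # Delegate computer creation to a named group on the OU where joins belong.
    # dsacls 'CC;computer' = create child objects of class computer.
    dsacls "OU=Workstations,$dn" /I:T /G "CORP\Workstation Admins:CC;computer"
}

# 3. Unconstrained delegation: a host with TRUSTED_FOR_DELEGATION caches the TGT
#    of every user that authenticates to it. Domain controllers have it by design.
$unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }
$unconstrained | Select-Object Name, DistinguishedName | Format-Table -AutoSize
if ($Fix) {
    foreach ($c in $unconstrained) {
        Set-ADComputer -Identity $c -TrustedForDelegation $false
        # If $c genuinely must delegate to a service, replace it with resource-based
        # constrained delegation configured on the target (hypothetical SQL01):
        # Set-ADComputer -Identity SQL01 -PrincipalsAllowedToDelegateToAccount $c
    }
}

# 4. NTLM relay targets: LDAP signing and channel binding live in the DC's NTDS
#    registry; SMB signing is an SMB server setting. Both are read on the DC itself.
Invoke-Command -ComputerName $DC -ScriptBlock {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Get-ItemProperty -Path $ntds | Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding
    "SMB RequireSecuritySignature = $((Get-SmbServerConfiguration).RequireSecuritySignature)"
    if ($using:Fix) {
        Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity       -Value 2  # 2 = require signing
        Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2  # 2 = always (LDAPS)
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}
```

In production the LDAP and SMB signing settings belong in the Default Domain Controllers Policy (the "Domain controller: LDAP server signing requirements" and "Microsoft network server: Digitally sign communications (always)" settings) rather than a registry write on one DC; the registry form is used here because it is what a single-DC lab exposes directly. Run the audit without -Fix first and review the unconstrained-delegation list, since flipping TrustedForDelegation off a host that legitimately relies on it breaks that host's downstream authentication until RBCD is configured.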
Logging and detection are core to any defense. Students will learn how to increase LDAP diagnostic logging levels on the DC, identify key logs associated with each attack, and configure Windows Event Forwarding (WEF) to send critical events to a centralized Ubuntu-based log collector. The lab demonstrates how increasing visibility makes even stealthy attacks detectable.
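As an added example (not from the workshop's lab guide), the script below performs the three logging steps just described on the domain controller and then queries the event IDs that each attack leaves behind. DC01 and the collector name wec.corp.local are hypothetical; the collector implementation on the Ubuntu side is not specified here, only the WinRM endpoint the DC is told to poll.

```powershell
# Added example, not the course's own material. Run as Domain Admin.
param(
    [string]$DC        = 'DC01',            # hypothetical domain controller
    [string]$Collector = 'wec.corp.local'   # hypothetical WEF collector on port 5985
)

Invoke-Command -ComputerName $DC -ScriptBlock {
    # "16 LDAP Interface Events" = 2 makes the DC write event 2889 to the
    # Directory Service log for every unsigned or simple LDAP bind, with the
    # client IP and account name (level 0 only gives the 24-hour summary, 2887).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2

    # Source-initiated WEF: the DC polls the collector for subscriptions. This is
    # the registry value the "Configure target Subscription Manager" GPO sets.
    $wef = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $wef -Force | Out-Null
    Set-ItemProperty -Path $wef -Name '1' `
        -Value "Server=http://$($using:Collector):5985/wsman/SubscriptionManager/WEC,Refresh=60"

    # Forwarding runs as NETWORK SERVICE, which cannot read the Security log by
    # default; Event Log Readers grants that (on a DC this is the builtin domain group).
    net localgroup 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE' /add | Out-Null
    gpupdate /force | Out-Null
}

# Pull the Security-event fields out of the XML body into a flat object.
function Convert-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ Time = $Event.TimeCreated; Id = $Event.Id }
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]$d
}

$since = (Get-Date).AddHours(-24)
function Get-DCEvents([string]$Log, [int]$Id) {
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since }
}

# Kerberoasting: TGS requests (4769) that negotiated RC4 (0x17) rather than AES
# (0x11/0x12) for a user, not computer, service account.
$roast = Get-DCEvents 'Security' 4769 | ForEach-Object { Convert-EventData $_ } |
    Where-Object { $_.TicketEncryptionType -eq '0x17' -and $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
    Select-Object Time, TargetUserName, ServiceName, IpAddress

# MachineAccountQuota abuse: computer account created (4741) by an ordinary user.
$joins = Get-DCEvents 'Security' 4741 | ForEach-Object { Convert-EventData $_ } |
    Select-Object Time, SubjectUserName, TargetUserName

# Delegation changes: 4742 (computer account changed) carries the old and new
# userAccountControl, so TRUSTED_FOR_DELEGATION being set shows up here.
$delegation = Get-DCEvents 'Security' 4742 | ForEach-Object { Convert-EventData $_ } |
    Where-Object { $_.NewUacValue -ne $_.OldUacValue } |
    Select-Object Time, SubjectUserName, TargetUserName, OldUacValue, NewUacValue

# NTLM relay to LDAP: unsigned binds logged as 2889 once diagnostics are raised.
$unsigned = Get-DCEvents 'Directory Service' 2889 | Select-Object TimeCreated, Message

$roast, $joins, $delegation, $unsigned | Format-Table -AutoSize
```

The 4769 filter on 0x17 is noisy in domains that still have RC4-only accounts, so the useful signal is a single client requesting tickets for many SPN-bearing user accounts in a short window rather than any one event. The 4741 and 2889 events are low-volume in a healthy domain and are worth forwarding in full.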
All scenarios will be demonstrated live and reinforced through guided student lab exercises. Lab guides include screenshots and command snippets for easy reference. Students will walk away with a reusable lab environment and deeper insight into AD threats, defense-in-depth strategies, and hardening techniques suitable for real-world environments.
This course is ideal for Windows administrators, red teamers, blue teamers, and anyone responsible for defending Microsoft environments.

Darryl G. Baker, CISSP, CEH is a seasoned cybersecurity professional with extensive experience in securing enterprise environments and conducting in-depth security assessments. With a strong background in both offensive and defensive security, Darryl specializes in identifying and mitigating risks within Active Directory and cloud-based infrastructures.
Over the course of his career, Darryl has led numerous security engagements across a variety of industries, helping organizations improve their security posture through technical assessments, red team operations, and strategic guidance. He holds certifications including the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH), reflecting his broad expertise in information security.

Darryl is passionate about sharing knowledge and advancing the cybersecurity community. He regularly speaks at industry events, where he delivers practical insights on threat detection, identity security, and real-world attack techniques. His presentations are known for combining deep technical detail with actionable takeaways.