Exploitation and Investigation Training Course
In this condensed training program, Banshie invites IT administrators, network engineers, network security, SOC, and internal security testing staff to explore and learn about practical offensive security testing techniques, tailored for Active Directory environments. This course offers a well-rounded approach to understanding, identifying and addressing common vulnerabilities present in modern Active Directory environments, as experienced by Banshie operators through decades of offensive testing and forensic examinations.
Participants will gain practical experience with a range of attack methods, including password spraying, Kerberos delegation attacks (constrained delegation, resource-based constrained delegation, unconstrained delegation), credential dumping and lateral movement, and will explore contemporary means of bypassing security controls. Throughout the course, attendees learn to identify and exploit these vulnerabilities so that they can discover similar issues in their own Active Directory setups, proactively secure and mitigate them, and investigate potential past exploitation attempts.
Duration: 3-day course, 9:00 to 16:00 (last day 9:00 to 13:30)
Date: 19. – 21. August
Price: DKK 24.950,-
Location: Edison Huset – Holmbladsgade 133, 2300 Copenhagen S
Detailed course description:
Banshie’s experienced offensive operators and forensic investigators will introduce attendees to the following background knowledge:
- Attacker lifecycle, the MITRE ATT&CK framework and The Unified Kill Chain model
- A condensed and pragmatic introduction to Active Directory objects (OU, Users, Security Groups, GPOs)
- A condensed and pragmatic introduction to Windows authentication methods, focusing on the known shortcomings of each (Kerberos, NTLM, Access Tokens, etc.)
- Offensive, defensive and investigative techniques, including:
  - Active Directory attacker techniques (PTH, PTT, Kerberoasting, credential dumping, delegation, etc.)
  - Sound forensic principles (ACPO) and investigative process (SANS 6-Step Process)
Hands-on exercises are interspersed throughout the training days to keep the content interactive, reinforce retention of the newly acquired knowledge, and put it into practice. These will include:
- Installation and configuration of offensive tooling
- Basic obfuscation and AV/EPP/EDR bypass methods
- Actual discovery and exploitation of security issues
- Identifying attack paths leading from initial foothold to domain compromise
- Data collection and analysis

At the end of the exercises, participants will be able to introduce the covered tooling into their own estate in a secure and controlled fashion. Sessions will include discussions on the challenging aspects of introducing offensive and potentially dangerous tooling, along with the challenges of data collection and retention.
Target audience:
- Technical staff tasked with identifying vulnerabilities and misconfigurations within the corporate estate
- Technical staff tasked with monitoring and protecting Active Directory environments
- Technical staff tasked with building, integrating and maintaining Active Directory environments
- Technical staff tasked with investigating internal breaches and abuse

This course is designed for system administrators and technical IT security specialists seeking new insight into the threat actor mindset, and new perspectives on Active Directory environments, in order to recognize the typical attack paths exploited during breaches. Prior experience in the covered topics is not a prerequisite for enrollment. The labs provide comprehensive instructions and commands, ensuring that participants of varying skill levels can successfully complete the exercises and learn from the experience. Prior experience with incident response and forensics is also not a requirement.