Pentest Active Directory 2 Advanced - 5 days


For many companies, Active Directory is the heart of identity and access management. Its ubiquity within information systems makes it a prime target for attackers, and penetration testing is a key component of its defense against threats.

During this five-day training, you will deepen your intrusion skills in Active Directory environments as well as in hybrid Azure environments. Guided by our experts, you will study advanced techniques of reconnaissance, lateral movement, privilege escalation, secrets extraction and persistence. To illustrate the new concepts, learners are placed in realistic scenarios on two complete corporate environments.

  • 5 days (35 hours)

  • 5 course modules covering every step of an intrusion

  • 2 corporate environments totaling more than 40 machines, plus an Azure environment

Audience and prerequisites

This training is intended for people who already have a good working knowledge of Active Directory environments, primarily:

  • Pentesters

  • System administrators

  • Security architects

Good networking and Unix knowledge are also recommended.


Day 1

Reminder of the fundamentals: Active Directory mechanisms, general intrusion principles and those specific to these environments. Reconnaissance and first actions from authenticated access: information-gathering methods (ADIDNS, service detection via LDAP, GPO scans), advanced use of BloodHound (Cypher queries).

Day 2

Lateral movement: ADIDNS poisoning, WinRM and JEA, LAPS, gMSA/sMSA secrets extraction, MS-SQL trust abuse, NTLM relaying (dissection, cross-protocol relaying, WebDAV), authentication coercion, Kerberos relaying, cross-forest pivots, pivoting to Azure (PHS, PTA, ADFS), pivoting from Azure (Intune).

Day 3

Local privilege escalation: access tokens and impersonation, study of the Potato family of vulnerabilities. Domain privilege escalation: study and abuse of ACLs, advanced exploitation of Kerberos delegation, ADCS ESC1 to ESC11, abuse of privileged groups, analysis of public vulnerabilities.

Day 4

Secrets extraction: LSASS dump methods and tools, token impersonation, registry secrets analysis, DPAPI internals, KeePass databases.

Day 5

Persistence: ADCS (certificates), Kerberos tickets (golden, diamond, sapphire), DSRM, golden gMSA, AdminSDHolder abuse, skeleton key, Kerberos delegation, GPO poisoning.