Building up on the knowledge from Part 1, this module advances into more sophisticated penetration testing techniques and post-exploitation strategies. Participants will explore relaying and coercing attacks, understanding how attackers can leverage these methods to escalate privileges and move laterally within a network. The module revisits the topic of detecting and exploiting vulnerable default configurations, reinforcing this critical skill. Additionally, post-exploitation tactics will be examined in depth, including advanced data exfiltration techniques to understand how sensitive information can be stealthily extracted. The module will conclude with the overview of log tampering techniques that help attackers cover-up their activities and advices for the defenders on how to recover the original logs from such attacks.

This module begins with a introduction to fundamental cryptography concepts as well as how are those used in the Public Key Infrastructure (PKI). PKI-specific concepts are then explained in detail to help Participants understand the theory behind designing a Public Key Infrastructure deployment. For more complex implementations, a Multi organization trust approach will be covered. The module will also include real life scenarios and lessons learned from PKI implementation projects as well as the common mistakes organizations make during them and how to avoid them.

This module offers an in-depth exploration of advanced techniques for escalating privileges to domain admin within a Windows environment, a critical skill for cybersecurity professionals. Participants will learn to identify and exploit certificate permission misconfigurations, a common yet overlooked vulnerability that can provide unauthorized administrative access. We will cover escalation methods through legacy solutions still prevalent in many networks, highlighting how outdated but standard practices can be exploited. Learners will also dive deep into leveraging default configurations, understanding how attackers can use these to their advantage. The module also addresses protection API issues and network insecurities, providing insights into how these weaknesses can be manipulated for achieving privilege escalation. Finally, a comprehensive analysis of privilege escalation through exploiting vulnerabilities will be covered.

In this module, we will discuss securing credentials both in the cloud and on-premises. Participants will start with an introduction to the Data Protection API (DPAPI) and system secrets, understanding their role in protecting sensitive information. The course covers the classic DPAPI flow and techniques for retrieving cached logon data, providing insights into potential vulnerabilities. Learners will explore advanced topics such as retrieving the golden key from the Local Security Authority (LSA) and the relationship between DPAPI and KeePass. Additionally, the module addresses credential retrieval from RDP connections and the use cases for DPAPI-NG. Finally, it delves into TBAL (Token Binding Authentication Layer) for protecting credentials in the cloud and offers a deep dive into the security and assessment of cloud credentials.

This module provides an in-depth look at modern threats and defenses for hybrid Active Directory environments. Participants will begin with reconnaissance and enumeration techniques, essential for mapping out the network and identifying potential entry points. Having done so, several initial access scenarios will be showcased. A key focus is on lateral movement using Public Key Infrastructure (PKI) and how attackers exploit AD and Entra ID for further steps of the attacks. Learners will also go extra mile into Entra ID security monitoring, gaining insights into detecting and mitigating identity-based threats. Finally, the module covers incident management from a Security Operations Center (SOC) analyst’s perspective, providing practical strategies for responding to and managing security incidents.

While we recognize that identity is the most important security boundary in today’s landscape, we also believe that properly configured firewalls still have a vital role to play in the defense-in-depth approach to information security.
Many guidelines on domain controller (DC), server, and workstation hardening recommend configuring host-based firewalls to reduce the attack surface, making it harder to perform remote code execution, lateral movement, and authentication relay attacks. However, there is no single comprehensive source of information on this topic, leading to overly permissive host-based firewalls in most organizations. Few admins have the knowledge and courage to change this status quo.
In this session, we will try to address this situation by discussing a set of highly restrictive DC firewall rules and Remote Procedure Call (RPC) filters that can be applied to most production environments. We will touch member servers and workstations as well and we will also discuss how to make the process of firewall configuration flexible and repeatable using PowerShell. After this talk, we hope to see fewer Any-to-Any firewall rules during future Active Directory security assessments.

This module focuses on the critical aspects of managing and securing privileged access within an enterprise. Participants will learn to apply tiering strategies for effective management, ensuring a structured and secure access hierarchy. The course covers deploying Privileged Access Management (PAM) to safeguard sensitive accounts from unauthorized access. Attendees will also explore the implementation of Privileged Access Workstations (PAWs), designed to provide a secure environment for administrators. Additionally, the module addresses deploying Privileged Identity Management (PIM) to enhance the oversight and control of privileged identities.

In this technical deep-dive session, we will test-drive all the new security, performance, and supportability features in Active Directory available in Windows Server 2025.

Yes, you are reading this right, there are new features in the on-prem Active Directory!

This module is basically exploration of digital forensics and incident response tailored for hybrid environments. Participants will start with an overview of digital forensics in hybrid settings, understanding the unique challenges and opportunities they present. The course then reviews effective incident response strategies, providing a solid foundation for managing security incidents. Advanced digital forensics techniques specific to hybrid environments will be covered, equipping learners with the skills to analyze and investigate complex security breaches. Additionally, securing monitoring operations and enhancing threat hunting capabilities are emphasized, ensuring continuous protection and proactive threat detection. Finally, we will discuss advanced incident detection methods and threat hunting practices, crucial for identifying and mitigating threats swiftly.

This module provides an in-depth exploration of advanced monitoring and threat hunting using Microsoft Defender XDR. Participants will begin by mastering the basics of Kusto Query Language (KQL), learning essential operators and data types, and understanding how to construct queries to extract critical information from specialized schemas. The course then focuses on detecting anomalies by writing custom KQL queries that identify unusual patterns, behaviors, and deviations, helping uncover hidden threats such as suspicious processes or unexpected network events. Learners will also engage in proactive threat hunting, exploring real-world scenarios to dissect PowerShell execution events, pivot on processes, and identify suspicious commands.

Although Microsoft advises their customers to migrate from Active Directory Federation Services (ADFS) to Entra ID, many large enterprises and academic institutions beg to differ. In this module, we will look at the security best practices and common misconfigurations of federation services.