Are you the victim of a security incident? Contact our CERT


Security for an internal network based on Active Directory

The aim of this training course is to learn and understand the most common techniques used to compromise an Active Directory environment, their causes, and how to remedy them. The course simulates an internal penetration test, from connecting the workstation without a valid domain account, to the total compromise of the forest by obtaining the company’s administrator privileges.

Several techniques will be presented and explained for each stage of this compromise, with most participants putting the attacks into practice.

Course overview

  • Understand the main vulnerabilities associated with internal networks based on Active Directory.
  • Know how to detect the presence of these vulnerabilities
  • Acquire good security administration practices

Course Curriculum

Day 1

  • Introduction: why target Active Directory
  • Authentication protocols (NTLM and Kerberos)
  • Main application protocols (LDAP, SMB and RDP)
  • Obtaining a first domain account
    • Techniques:
      • Obtain an NTLM response with network poisoning: ARP, DHCPv4/v6, LLMNR, NBT-NS, mDNS
      • Break or relay this NTLM response.
      • Get a list of users (via relay, NULL sessions, Kerbrute), to set up password spraying or ASREPRoasting.
      • Network enumerations: web applications and network services
    • Tools:
      • Responder
      • Impacket
      • Bettercap
      • Mitm6
      • Kerbrute
      • Wireshark
    • Additional access via a domain account

Day 2

  • Obtain local administrator rights on machines
    • Techniques:
      • NTLM to LDAP authentication relays (RBCD, Shadow Credentials), ADCS and SMB
      • Kerberoast
      • Local elevation of privileges (PrivescCheck)
      • Downgrade NTLMv1
      • Update faults (PrintNightmare, MS17-010)
      • Unencrypted disk on user workstation
    • Tools:
      • BloodHound
      • Pingcastle
      • Impacket
      • PrivescCheck
    • Additional access with local administrator access

Day 3

  • Raising domain privileges
    • Techniques:
      • Lateral movements (WMI, SMB, WinRM)
      • Administrator sessions open on machines
      • Extraction of passwords from service accounts and scheduled tasks
      • Extraction of cached password fingerprints
      • Kerberos delegations
      • ADCS certificate templates
      • Update defaults (ZeroLogon, SamAccountName Spoofing, Certifried)
      • Intra-forest privilege elevation: child domain to parent domain.
    • Tools:
      • Rubeus
      • Impacket
      • Certipy
  • Attacking approval relationships
    • Techniques:
      • SID Filtering
      • TGT Delegation
      • Password reuse
      • Inter-forest accounts in administration groups

Method of Assessment

  • Course validation through practical exercises
  • Completion of a final online questionnaire covering all the concepts learned

Training benefits

  • Training provided by an Active Directory security expert who has carried out numerous internal intrusion tests.
  • Practical exercises carried out by participants themselves.

Who should attend?

  • Team of system and network administrators
  • Information systems security team
  • User support team

Entry Requirements

Computer basics:

  • Networking (protocols, OSI model, etc.)
  • Active Directory environment
  • Windows operating system

How and when to access

he participant is considered registered when:

  • The prerequisites and needs are identified and validated
  • The training agreement is signed

Registration requests can be sent up to 10 working days before the start of the training.


Whether you are recognized as having a disability or not, making our training accessible to everyone is part of our commitment.

If you need compensation or adaptation for the content, the supports, the “venue”, the material used, the schedules, the rhythm, we are at your disposal.


3 days


€ 2750 excl. tax


OPCO support

Download the training sheet in PDF format

Would you like more information?

+33 (0)2 55 59 01 11

Almond commits itself to ensure that the collection and processing of your data, carried out from the site, are in conformity with the General Data Protection Regulation (GDPR) and with the modified law n° 78-17 of January 6, 1978, relating to the protection of personal data. The information collected on this form is recorded in a file computerized by Almond, in order to answer the requests for information. You can access the data concerning you, ask for their correction or their deletion. You also have a right of opposition, and a right to limit the processing of your data (see for more information on your rights). You can exercise your rights by contacting Almond's Data Protection Officer at the following address: [email protected]. Your data will be kept within the European Union, in accordance with the regulations in force.