Achieving Full Visibility: Developing Advanced Threat Detection for On-premises AD
live online
Online, Available in English
Topics:
- Lab Use PowerShell to build AD (~45 mins)
- Lab Build Detection Mechanism with Wazuh (~35 mins)
- Lab Discovery - AD Reconnaissance (~45 mins)
- Lab Privilege Escalation - Kerberoasting (~30 mins)
- Lab Persistence - Pass the Ticket (Golden Ticket) (~90 mins)
- Lab Persistence - Pass the Ticket (Diamond Ticket) (~35 mins)
- Lab Persistence - Pass the Ticket (Sapphire Ticket) (~35 mins)
- Lab Persistence - Pass the Ticket (Silver Ticket) (~40 mins)
- Lab Persistence - Ticket Harvest (~35 mins)
- Lab Persistence - DPAPI (50 mins)
- Lab Lateral Movement - Unconstrained Delegation I and II (60 mins)
- Lab Lateral Movement - Constrained Delegation (Traditional and Resource-based) (60 mins)
- Lab Privilege Escalation - ACL Abuse I, II and III (80 mins)
- Lab Privilege Escalation - Group Managed Service Account (40 mins)
- Lab Privilege Escalation - DNSAdmin Abuse and Domain Default Group Abuse (60 mins)
- Lab GPO Abuse - Persistence: Edit a GPO to set a C2 script (Limited User) (60 mins)
- Lab Lateral Movement - Domain Trust (Golden Ticket with SID-History, Trust Ticket with SID-History)
- Lab Credential Access - NTLM Relay
- AD Certificate Service Abuse (Enumeration, Account Persistence, Certificate Theft, Domain Escalation, and Domain Persistence)
Overview
This training delivers a deep dive into On-Premises AD architectures with a strong defender-centric focus. It emphasizes practical detection engineering against real-world AD abuse techniques through 20+ hands-on labs, enabling participants to translate theory into operational defensive capabilities.
Students will learn how to identify, analyze, and respond to advanced attacks, while also understanding attacker OPSEC to build more resilient detection coverage from isolated signals to full attack chains.
By the end of this course, participants will have learned about:
- MITRE ATT&CK Mapping: Learn to align enterprise defenses with standard industry frameworks.
- Hands-on SIEM Experience: Direct practice building actual detection rules in Wazuh.
- Advanced Threat Coverage: Deep dive into cutting-edge persistence methods such as Diamond and Sapphire tickets, as well as Active Directory Certificate Services (ADCS) abuse.
- Advanced Defensive Chaining and OPSEC Countermeasures: Develop the strategic ability to chain multiple detection logics and maintain continuous visibility across the environment, effectively neutralizing sophisticated attacker OPSEC measures and ensuring successful.