Active Directory Attacks for Red and Blue Teams – Advanced Edition - Altered Security - DCSG2026
Name of Training: Active Directory Attacks for Red and Blue Teams – Advanced Edition
Trainer(s): Altered Security
Dates: April 26-27, 2026
Time: TBD
Venue: Marina Bay Sands
Early Bird Cost (GST included): $2,016 USD / equivalent to $2,600
Early bird price valid until February 8, 2026.
Short Summary:
This hands-on class is aimed at attacking modern AD with a focus on OPSEC and Stealth. We target a lab environment that has Server 2025 machines with effective countermeasures.
Course Description:
More than 95% of Fortune 500 companies use Active Directory! Enterprises are managed using Active Directory (AD) and it often forms the backbone of the complete enterprise network. Therefore, to secure an enterprise from an adversary, it is essential to secure its AD environment. To secure AD, you must understand the different techniques and attacks used by adversaries against it. Often burdened with maintaining backward compatibility and interoperability with a variety of products, AD environments lack the ability to tackle the latest threats.
This training is aimed at attacking modern AD environments with a focus on OPSEC and Stealth. The training is based on real-world penetration tests and Red Team engagements for highly secured environments. Some of the techniques used in the course:
- Introduction to OPSEC and Stealth used in the class.
- Offensive .NET and PowerShell tradecraft
- Extensive AD Enumeration
- Active Directory trust mapping and abuse.
- Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more)
- Advanced Kerberos Attacks and Defense (Diamond, Golden, Silver ticket, Kerberoast and more)
- Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more)
- Credentials Replay Attacks (Over-PTH, Token Replay, Certificate Replay etc.)
- Attacking Entra ID integration (Hybrid Identity)
- Abusing trusts for MS products (AD CS, SQL Server etc.)
- Persistence (WMI, GPO, Domain and Host ACLs and more)
- Monitoring Active Directory
- Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, MDE EDR, Microsoft Defender for Identity etc.)
- Bypassing defenses (MDE, MDI and Elastic)
You get two months' access to an enterprise-like lab that has multiple forests with Identity and Endpoint countermeasures during and after the class. You also get an attempt at the Certified Red Team Expert (CRTE) certification exam.
Course Outline:
Day 1
- Introduction to OPSEC and Stealth used in the class.
- Attack methodology and tradecraft
- Extensive AD Enumeration (Attacks and Defense)
- Trust and Privileges Mapping
- Local Privilege Escalation
- Credential Replay Attacks with MDI bypass (Over-PTH, Token Replay etc.)
- Domain Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more)
- Dumping System and Domain Secrets with EDR bypass
- Advanced Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more)
Day 2
- Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more)
- Persistence (WMI, GPO, Domain and Host ACLs and more)
- Attacking Azure integration and components
- Abusing trusts for MS products (AD CS, SQL Server etc.)
- Monitoring AD using Defender 365 and Elastic Dashboard
- Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, MDE EDR, Microsoft Defender for Identity etc.)
- Bypassing Defenses (MDE, MDI and Elastic)
Difficulty Level:
Intermediate/Advanced
Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Advanced Definition - The student is expected to have significant practical experience with the tools and technologies that the training will focus on.
Suggested Prerequisites:
A basic knowledge of Active Directory security and the ability to use command line tools.
What Students Should Bring:
- System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
- Privileges to disable/change any antivirus or firewall.
What the Trainer Will Provide:
- Attendees will get free two months' access to a lab configured like an Enterprise network, during and after the training.
- An attempt at the completely hands-on Certified Red Team Expert (CRTE) certification exam.
- In addition to that, lifetime access to learning aids like course slides, lab manual, walk-through videos and lab support till the lab access is active.
Trainer(s) Bio:
Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
Nikhil’s areas of interest include red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.
He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure, Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world's top information security conferences.
He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
Registration Terms and Conditions:
Trainings are refundable before March 27, 2026, minus a non-refundable processing fee of $250.
Between March 27, 2026 and April 21, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after April 21, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.