
CANCELED Chirag Savla - Active Directory Attacks for Red and Blue Teams - Advanced Edition


  • CANCELED Chirag Savla - Active Directory Attacks for Red and Blue Teams - Advanced Edition

    Chirag Savla - Active Directory Attacks for Red and Blue Teams - Advanced Edition
    Latest details, requirements, description, cost:

    Training description:

    More than 95% of Fortune 500 companies use Active Directory! Enterprises are managed using Active Directory (AD) and it often forms the backbone of the complete network. To secure AD, you must understand different techniques and attacks used by adversaries against it. Often burdened with maintaining interoperability with a variety of products, AD lacks the ability to tackle the latest threats.
    This training is aimed towards attacking modern AD using built-in tools, scripting and other trusted OS resources. Some of the techniques used in the course:
    - Extensive AD Enumeration
    - Trust mapping and abuse
    - Privilege Escalation
    - Advanced Kerberos Attacks
    - Advanced cross forest trust abuse
    - Attacking Azure AD integration
    - Abusing trusts for MS products
    - Credentials Replay Attacks
    - Persistence
    - Defenses
    - Bypassing defenses

    You start from a user desktop and work your way up to multiple forest pwnage.
    Attendees will get free one-month access to an AD environment comprising multiple domains and forests.

    This course is very useful in securing the backbone of any Enterprise Environment. We have been teaching this course at BlackHat for many years now and the feedback has always been very good. The students have always enjoyed the course and the lab. We provide multiple ways of solving the lab, which helps the students to utilize the lab to the fullest!

    Course overview:

    Total 960 minutes

    Detailed outline - Day 1
    - Introduction to Active Directory and Kerberos (20 minutes)
    - Introduction to Attack methodology and tradecraft (20 minutes)
    - Extensive AD Enumeration (Attacks and Defense) (90 minutes)
    - Trust and Privileges Mapping (20 minutes)
    - Local Privilege Escalation (30 minutes)
    - Credential Replay Attacks (Over-PTH, Token Replay etc.) (30 minutes)
    - Domain Privilege Escalation (User Hunting, Delegation issues and more) (120 minutes)
    - Dumping System and Domain Secrets (30 minutes)
    - Advanced Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more) (120 minutes)

    Detailed outline - Day 2
    - Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more) (120 minutes)
    - Persistence (WMI, GPO, Domain and Host ACLs and more) (90 minutes)
    - Attacking Azure integration and components (30 minutes)
    - Abusing trusts for MS products (AD CS, SQL Server etc.) (120 minutes)
    - Monitoring AD (30 minutes)
    - Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, Microsoft Defender for Identity etc.) (60 minutes)
    - Bypassing Defenses (30 minutes)

    Takeaways for the students after completing the class:
    - The course has been very popular with students at BlackHat who are responsible for securing an Enterprise. We constantly work on feedback on what to improve in the course and keep it updated to address the latest threats in Active Directory. This enables students to address real threats in their environments and therefore helps them with their daily job!
    - Students get to practice in an environment that is fully patched, contains modern Windows machines, the latest Forest functional level and is pretty big. In addition, the course focuses only on abuse of functionality. This means whatever the students practice in the lab will be useful for many years.
    - Students get to know how threat actors move in a modern environment and therefore can develop detections to track attackers.

    Student skill level:

    Intermediate/Advanced. A basic knowledge of Active Directory security and the ability to use command line tools.

    What should students bring to the Training?:

    - System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
    - Privileges to disable/change any antivirus or firewall.


    Chirag Savla is an information security professional whose areas of interest include penetration testing, red teaming, Azure, Active Directory security, and post-exploitation research. He has over 7+ years of experience in information security. Chirag likes to research new attack methodologies and create open-source tools that can be used during red team assessments. He has worked extensively on Azure, Active Directory attacks, defense, and bypassing detection mechanisms. He is the author of multiple open-source tools such as Process Injection, Callidus, etc. He has spoken at multiple conferences and local meetups.

    He works as a Senior Security Researcher at Altered Security - a company focusing on hands-on enterprise security learning -

    social media links: @chiragsavla94, @alteredsecurity

    Previous Trainings:

    BlackHat USA 2022 -
    BruCON 2022 -

    DATE: Aug 15th to 16th 2022
    TIME: 9am to 5pm PDT
    VENUE: Caesars Forum Ballroom
    TRAINER: Chirag Savla

    A certificate of completion (no test) will be given for this class.

    - 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included

    Last edited by number6; July 30, 2022, 20:47.

  • #2
    I had registered for this class and got an email saying that it was cancelled. I replied to the email but never got a response back. I'd like to switch to another class, but a refund is fine too and I'll register when I get a chance. Please just let me know who I need to contact. Thanks


    • number6
      number6 commented
      I do not run or control DEF CON Training; I post information about training as provided to me by the organizers of the training. The only email contact information I know about would be attached to email messages which is probably going to be an email address like "somethinghere" where you replace "somethinghere" with an email address for training. I do not have a sample email from the site for purchases to know the precise address that it might include. There may be a different email address which includes defcon in the name.
      Last edited by number6; July 18, 2022, 06:58.

  • #3
    I got an email stating that the training class I had registered for was cancelled. I replied to the email but didn't get a response. I'd like to register for one of the classes that is still open. If refunding is easier please let me know and I'll register for the other one on my own. Please just let me know who to contact. Thanks.