Protecting Active Directory Training

Learn how to properly secure an (Azure) Active Directory.

Protecting Active Directory Training

Active Directory (AD) is a central component of many corporate networks and a popular target for ransomware and other attacks. In this training, you will learn how attackers operate and how to effectively protect your AD environment.

This training will show:

  • Attack techniques such as pass the hash, delegation vulnerabilities, and misconfigurations of permissions on objects in a domain.
  • Ways to secure their AD environment by finding and fixing misconfigurations and vulnerabilities. This can be supported by offensive tools such as PowerView and Bloodhound as well as audit tools such as PingCastle.
  • Hardening measures such as granular privilege assignment and the establishment of different management levels.
  • Attacks on on-premises AD environments through logging and monitoring or the targeted use of Deception Technology software.

For reasons of time and efficiency, you will not perform any practical exercises in this intensive training. The instructor will give recommendations and provide documents on the basis of which you can practice independently afterwards.



  • Objects in an AD, including users, computers, and groups
  • Authentication protocols: Kerberos and Net-NTLM
  • Other protocols important in AD, including DHCP, DNS, NetBIOS, LDAP, and SMB
  • Basis for granular privilege assignment decisions: Access Token, Security Descriptor, and Access Control Lists (ACLs)
  • Access credentials: Passwords, NT hashes, AES keys, tickets
  • Targets and mindset of attackers in targeted attacks or ransomware

How Attackers Operate: Carrying Out Attacks

  • Information collection in AD
  • Frequent misconfigurations
  • Other privileged groups besides domain admins
  • Password spraying and Net-NTLM relaying
  • Kerberoasting and AS-REP Roasting
  • Accessing credentials with Mimikatz and other attack tools
  • Exploiting credentials: (Over) Pass the Hash, Pass the Key, Pass the Ticket
  • User Hunting and Lateral Movement
  • Insecure entries in access control lists (ACLs) and group policies (GPOs)
  • Unrestricted, restricted and resource-based-restricted delegation (RBCD)
  • Attack surface of SQL servers, Microsoft Exchange, synchronization to Azure Active Directory (AAD) and Active Directory Certificate Services (AD CS)
  • Exploiting trusts between domains (and forests) – a domain is not a security boundary
  • Possibilities for persistence – how attackers gain a long-term foothold without being detected

Preventing Attacks

  • Make initial access more difficult
  • Restrict applications with AppLocker
  • Recommended settings in group policies
  • Local Administrator Password Solution (LAPS)
  • Level model and the least privilege principle
  • Privileged Access Workstations (PAW)
  • Better secure access data with Credential Guard
  • Protect administrative users and service accounts
  • Audits of your own AD environment with offensive and defensive tools

Recognizing Attacks

  • Activation of log and audit settings
  • Centralized evaluation of the resulting logs
  • Detecting attacks using the resulting logs
  • Commercial security solutions such as Microsoft ATA and Defender for Identity
  • Trick and deceive – trap attackers using honeypots, honeytokens and services

Target Group

The “Protecting Active Directory” training is aimed at administrators, IT managers, IT security managers and security specialists who want to deal more intensively with the attacks on and the securing of the on-premises Active Directory. It is designed for individuals but can also be set up as a company course.


  • Location: Online
  • Duration: 2 days


Protect your (Azure) Active Directory and your business properly. The training is organized in cooperation with heise academy.

Company Course

Do you want to book the Active Directory training for all of your employees? Oneconsult develops and organizes courses adapted to the needs of your company. Contact us for an individual offer.

You might also be interested in

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

Add CSIRT to contacts