ADAttack: Active Directory (in)Security

Active Directory... a critical technology, present in many companies... but designed long ago.

Many companies configured it with the defaults. You install DNS, run the old DCPROMO, define some administrators, and you can start working. Different companies, with different needs... but all ending up with the same default installation... which is highly insecure.

Active Directory was designed with a clear security assumption in mind: the enemy is outside my network.

But nowadays, this is only partially true.

Besides classical hackers attacking our systems from the outside, we face other attacks and issues:

  - Legitimate administrators, inside our domains, who sometimes make mistakes. Maybe unintended, but with devastating effects.

  - Users who run malicious code in our domains. Maybe unaware of the fact... or not.

  - The enemy inside: users who are formally on our payroll... but who are in fact working for our competitors, for a foreign government or agency, or for a criminal organization... inside our premises.


Undercover agents, infiltrated workers, sleeper IT saboteurs... companies seldom talk about these, but they are much more frequent than it seems. If you want to devastate a company, it is much easier to bribe or infiltrate an administrator than to attack from the outside.

If we promote a user to administrator, is there a way to limit his or her actions? Can we control and limit all their activities? Can we separate the legitimate, needed admin tasks from errors or attacks? Can we log all their activities and movements? Can they delete these logs? Can they create new accounts for their 'friends'? How do we prevent them from running malicious code that would destroy the company the day they are ordered to do so?


Do we know all our admins? Do we really trust all of them?

What if they are not persons but service accounts? Or users with the DEBUG privilege? Developers in the production environment?

Will the best antivirus save us... if the user is running code as administrator? Is the antivirus a solution, or maybe part of the problem?

Do we have any users with local permissions on their computer, and a good knowledge of the latest attacks?


Any user with physical access to their computer (any local admin, developer, or subdomain administrator) can read and reuse other users' credentials, as these may be stored in its memory... and even become Enterprise Admin.

This is now a trivial process (many scripts already do it for you), and it opens many doors to other attacks.


Is there any effective solution which does not imply migrating all my computers to Windows 10 and 2016?

This intensive course is dedicated to Active Directory security, and to the protocols and mechanisms used in Windows.

But it is primarily focused on insecurity. We cover, among others, the latest vulnerabilities which affect the whole design of Active Directory, allowing every local administrator or developer to become Enterprise Administrator.
Old, misleading concepts and frequent misconceptions are also discussed: security configurations which might have been appropriate several years ago, but are no longer valid nowadays.

The course covers the different protocols and their relationships, the security architecture (both Windows and AD), some ways and tools to attack them, the persistent threat approach, and some possible mitigations.

We reuse the experience acquired in other large companies which are already implementing these countermeasures.

The course is entirely face-to-face and, as usual, combines theory, concepts, demos, practical exercises taken from real life, and discussion of the possible options, doubts and questions.

Taught by Juan Carlos Ruiz. Computer Science Engineer and highly skilled trainer, with extensive experience in training in the Windows environment. Previously PFE Master Trainer at Microsoft Corporation, he has collaborated in the creation of similar workshops and taught them a number of times, to Premier customers across all of EMEA and to other trainers inside Microsoft.

Intended for:

Active Directory administrators. IT Security Managers.

Because of the sensitive nature of the concepts and tools described in this course, we highly recommend selecting the audience carefully. The CIO, IT or Security Manager will have to designate the trusted personnel for this session.

The trainer and all students will sign an NDA. The trainer agrees not to use any of the described knowledge to attack any of the company's environments. The client agrees not to start any legal action against the trainer or his company because of the potentially dangerous use of the techniques learnt. Students agree to use the given materials only for a specific goal.

Prerequisites:

Knowledge and practical experience on Windows, Active Directory, and their management.

Some of the examples will use PowerShell, as attackers also use automated tools. A minimum knowledge of this scripting technology is not required but highly recommended. If you are interested, we can arrange a small introductory session based on the “PowerShell concepts” course.

Duration:

To be determined, depending on the company's needs and student level. (Indicative: 2 to 4 days)

Agenda:

More detailed information on request.

Get-JC © August 2016.
All rights reserved. Get-PowerShell | Use-PowerShell -Force