We’ve paired up with Trimarc in order to offer you a training service designed to provide insight into how to best protect your Active Directory environment. The information used in the Trimarc training is sourced and developed internally based on their research. While some of the training material is available elsewhere, much of it is not available anywhere else.

Active Directory Attack and Defense Seminar

A Two Day Exploration into Attacker Techniques and Effective Defense Methods

Session Overview

Active Directory is leveraged by approximately 90% of the world's enterprises, many of which comprise over 100k systems and were stood up a decade (or more) ago. Responsible for the identity and authentication in most enterprises, Active Directory is key when it comes to securing the enterprise. However, most organizations don't have a consistent or comprehensive view of how to tackle enterprise security.

Modern Active Directory (AD) environments are not aligned to protect the enterprise from the current threats. The attack vectors that were theoretical 10 years ago are now practical. While the threats have changed over the past decade, the way systems and networks are managed often has not. We continue with the same operations and support paradigm despite the fact that internal systems are compromised regularly. We must embrace the new reality of “Assume Breach.”

Going from the compromise of a single workstation to complete compromise of the enterprise network often takes less than an hour. The weekly news headlines call out an all too clear emerging pattern: years of security complacence have made full compromise too easy. A solid perimeter defense used to be enough to protect the internal network, and we managed our corporate network with the assumption that only authorized users were able to access it. The weakest link in an organization's security strategy can lead to complete Active Directory forest compromise, costing tens of thousands of hours in recovery time and millions of dollars in direct and indirect costs. Unfortunately, the best case strategy for recovering from an AD forest compromise is to rebuild from scratch. Most organizations can't afford the downtime or the cost associated with this "scorched earth" scenario.

Helping organizations better understand the shift from "defend the perimeter" to "assume breach" is key to moving from the defense techniques of 10 to 20 years ago to ones better suited to the current threat. The "Assume Breach" mentality is a paradigm shift where instead of wondering if an attacker could get into the internal network, we assume they are already there performing reconnaissance and mapping out enterprise resources more thoroughly than the current IT documentation. "Defense in Depth" has never been more relevant, and this presentation shows how effective this strategy can be in mitigating some of the most tenacious attacks. This session focuses on the "Assume Breach" mentality and how it can help shape a strong defense against the current attack profile, carefully mapping out current attack techniques and the effective mitigation techniques.

It’s more important than ever to understand how attackers enter, recon, access and exfiltrate data, and elevate permissions to gain Domain Admin rights. Understanding the methods, tactics, and techniques of one’s adversary is critical in order to mount effective defenses.

Day one of this two-day session sets the scene for how modern Active Directory environments are configured, including common scenarios that lead to full compromise of the AD forest, and ends by walking through several methods attackers are using today to gain full access. Day two focuses on defense and mitigation, showing how the effective defenses work, including the level of effort.


  • Better understand what attackers are doing once they gain a foothold and how to mitigate the impact of this access.
  • Identify the areas in which traditional security methods fall short.
  • Learn what defensive measures are effective and how they mitigate current threats.

Who should attend?

  • Active Directory system administrators, engineers, and architects.
  • Technical cybersecurity staff.
  • Personnel with IA roles within the enterprise.

Course Syllabus

Day One: Overview and Attacking AD

  • Active Directory and PowerShell overview
  • Domain Controllers & authentication
  • Intrusion methods – gaining a foothold
  • Recon – mapping the network and finding weaknesses
  • Finding credentials (passwords)
  • Cracking service account passwords as a domain user
  • Credential Theft and Re-use
  • Privilege Escalation
  • Kerberos Attacks: Golden Tickets, Silver Tickets, Trust Tickets, etc.
  • Persistence Methods
    • Forged Kerberos Tickets (Golden Tickets, Silver Tickets, etc.)
    • WMI

Day Two: Defending the Enterprise

  • Traditional defense methods and why they fail
  • PowerShell attacks and detection
  • Windows Server security enhancements
  • Active Directory Domain security enhancements
  • Practical Active Directory defenses
  • The future of Windows security
    • Windows 10
    • Windows Server 2016
    • PowerShell v5

About the presenter, Sean Metcalf

Sean Metcalf is one of about 100 Microsoft Certified Masters in Active Directory in the world and a recognized expert in Microsoft platform security. A Microsoft certified professional since 1997, he also holds the MCSE/MCITP certifications for Windows NT 4, Windows 2000, Windows 2003, Windows Server 2008, and Windows Server 2012. He has collaborated with organizations to help them assess and improve their security posture. Furthermore, his advice and recommendations have helped change how the federal government deals with breaches. Sean was invited to speak this summer on Active Directory attack and defense at Black Hat (Las Vegas), Shakacon (Hawaii), and DEF CON (Las Vegas), to share his findings and recommendations on “Active Directory Attacks, Detection, and Protection”.

As a consultant on Microsoft platform infrastructure for nearly 20 years, Sean has designed and implemented solutions involving Active Directory, Exchange, SharePoint, and network & system security for a wide range of customers including the private sector, government, and military. Working with U.S. cabinet agencies, Mr. Metcalf has been key in designing and implementing transformative solutions for these agencies during the past decade. In addition, he has been involved in designing, modernizing, and optimizing some of the largest, globally distributed Active Directory and Exchange environments in the world.
