Active Directory Purple Teaming: Operational Exploitation & Detection

Includes 2 instructor-led training sessions + CYBER RANGES hands-on labs

A joint Active Directory training experience built around real-world attack and detection scenarios, combining CYBER RANGES’ high-fidelity simulation platform with Cyber Helmets’ expert-led offensive and defensive instruction, in a unified purple teaming methodology. 

This training is delivered through custom-built, guided instruction by Cyber Helmets, enriched with CYBER RANGES’ high-fidelity lab environments and enterprise-grade infrastructure.

What you’ll gain:

Level: Intermediate

Duration: 2 days (6h/day)

Who this course is designed for

This workshop supports professionals aiming to develop strong, real-world Active Directory exploitation and detection skills through guided practice, telemetry analysis, and advanced lab work. It’s ideal for those seeking to bridge the gap between offensive and defensive security, expanding their understanding of enterprise identity security, or preparing for high-level infrastructure security roles.

Penetration Testers & Red Teamers transitioning into Purple Teaming who need a structured methodology for validating detections against modern AD attack techniques.

SOC Analysts & Blue Teamers (Tier 1 & 2) who want to stop “alert fatigue” by understanding the attacker’s logic and the deep-level artifacts left in Windows Events and Wazuh.

System Administrators & Security Engineers looking to harden their environments, identify hidden attack paths in BloodHound, and implement resilient GPO and PKI defenses.

Key takeaways:

> Understand the full Active Directory attack lifecycle, from enumeration to domain dominance, and validate detections against real attack scenarios.

> Map attack paths and misconfigurations using BloodHound and LDAP across complex AD environments.

> Exploit Kerberos (roasting, delegation, tickets) and NTLM/SMB authentication weaknesses.

> Chain abuse paths through misconfigured GPOs, object permissions, and ACLs.

> Leverage ADCS and PKI misconfigurations (ESC1, ESC8) for certificate-based attacks.

> Validate findings with Wireshark by inspecting Kerberos and NTLM traffic.

> Build detections using Windows Event logs and Wazuh rules.

> Prioritize remediation to harden environments and reduce attack paths.

How the training works:

> Instructor-led sessions guide you through the full purple teaming lifecycle, from identifying attack paths to exploiting, detecting, and defending against them.

> Hands-on labs run in a CYBER RANGES environment, providing access to a realistic Active Directory infrastructure for continuous practice.

> You work within an integrated detection stack using tools like Wazuh, BloodHound, and Wireshark to validate attacks and build detections.

> Training materials include guided labs, slides, and detection rules to support both the exercises and post-training reference.

> The focus is on practical application, ensuring you can translate techniques directly into real-world security operations.

> Participants receive a certificate of completion upon finishing the training.

FAQs:

Yes, provided you have a foundational understanding of networking and Windows environments. While the workshop is classified as Intermediate, it is designed to guide learners through the “Purple Loop” step-by-step. We start with fundamental enumeration and gradually build up to complex, multi-stage attacks like ADCS exploitation and Kerberos Delegation. If you understand what a Domain Controller is and how to use a command line, you will be able to follow the curriculum effectively.

This AD Purple Teaming course is designed for professionals who want to obtain technical competency in Active Directory security, from offensive pathfinding to defensive telemetry analysis. To ensure a successful outcome and keep pace with the lab exercises, the following prerequisites are recommended:
  • Core Windows & AD Knowledge: A foundational understanding of Active Directory components, including Users, Groups, OUs, GPOs, and the role of the Domain Controller.
  • Networking Fundamentals: Familiarity with common enterprise protocols such as DNS, SMB, LDAP, and RPC, as well as the basics of the OSI model.
  • Command-Line Proficiency: Comfort navigating and executing commands within both Windows PowerShell and the Linux CLI.
  • Identity Concepts: A high-level understanding of authentication vs. authorization and the general purpose of protocols like NTLM and Kerberos.
  • Methodological Mindset: Experience in interpreting security requirements and an interest in bridging the gap between identifying a vulnerability and engineering its detection.
  • Professional Communication: The ability to translate technical findings (such as a packet capture or a Windows event log) into actionable hardening recommendations.

Participants have access to a dedicated support team for any technical issues, and to the instructors during designated office hours for questions about the course material or for personalized assistance.

The course includes simulated real-world scenarios in a controlled lab environment. You will not be conducting tests on live, unauthorized systems, but you will gain the skills needed to perform real-world penetration tests in a professional setting.

Unfortunately, we don’t record our sessions, so you’ll need to catch up with the rest of the group. The support team can help you catch up on the previous sessions and guide you to the materials you need to read.

Syllabus:

Intro to GCP

  • GCP Hierarchy
  • Google Workspace
  • gcloud config
  • Basic Hacking Techniques

Exploitation of GCP Services

  • IAM
  • KMS
  • Secrets
  • Storage
  • Compute Instances & VPC
  • Cloud Functions
  • CloudSQL
  • Pub/Sub
  • App Engine
  • Google APIs
  • Cloud Shell

Methodologies

  • White box

Security Services

  • GCP Logging & Monitoring

Syllabus:

Intro to AWS

  • AWS Organization
  • AWS Principals
  • Basic Hacking Techniques

Exploitation of AWS Services

  • IAM
  • STS
  • KMS
  • Secrets Manager
  • S3
  • EC2 & VPC
  • Lambda
  • RDS
  • SQS
  • SNS

Methodologies

  • White box

Common Detection Mechanisms

  • CloudTrail

Syllabus:

Azure Basics

  • Azure Organization
  • Entra ID
  • Azure Tokens & APIs
  • Basic Enumeration Tools

Exploitation of Azure Services

  • Entra ID IAM
  • Azure IAM
  • Azure Applications
  • Azure Key Vault
  • Azure Virtual Machine & Networking
  • Storage Accounts
  • Azure File Share
  • Azure Table Storage
  • Azure SQL Database
  • Azure MySQL & PostgreSQL
  • Azure CosmosDB
  • Azure App Service
  • Basic Azure Research Technique
  • Azure Function Apps
  • Static Web Apps
  • Azure Container Registry
  • Azure Container Instances, Apps & Jobs
  • Azure Queue
  • Azure Service Bus
  • Azure Automation Account
  • Azure Logic Apps
  • Azure Cloud Shell
  • Azure Virtual Desktop

Methodologies

  • White box
  • Black box
  • Pivoting between Entra ID & AD

Common Detection Mechanisms

  • Azure & Entra ID Logging & Monitoring
  • Microsoft Sentinel
  • Microsoft Defender for Cloud & Microsoft Defender EASM

Fundamentals and Setup

  1. Overview of Android’s architecture and ecosystem dynamics.
  2. Exploration of security features native to Android using Java, Kotlin, C++, and Rust.
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How to secure and test cross-platform apps (e.g. ReactNative, Xamarin).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on Android.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including certificate validation and pinning.
  • Cryptography in Android apps
    a) Utilization of Android’s Crypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of biometrics.
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
  • Android IPC
    a) Detailed exploration of Intents, deep links, Binders/services, and broadcast receivers.
  • Webviews
    a) Identifying and resolving common security issues in Android Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an Android app.
    b) Identifying known vulnerabilities within these components.
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including App Transport Security issues & certificate pinning.
  • Cryptography in iOS apps
    a) Utilization of iOS’s CryptoKit & CommonCrypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys and leveraging the secure enclave.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of Local Authentication (biometrics).
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
    d) Using Device Check and App Attest
  • iOS IPC
    a) Detailed exploration of URL schemes, deep (universal) links, and extensions.
  • Webviews
    a) Identifying and resolving common security issues in iOS Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an iOS app.
    b) Identifying known vulnerabilities within these components.
  • Implementing App Integrity
    a) What to look for
    b) How to implement
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Fundamentals & Setup

  1. Overview of iOS’s architecture and ecosystem dynamics.
  2. Exploration of security features native to iOS using Objective-C, Swift, and C(++).
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How to secure and test cross-platform apps (e.g. ReactNative, Xamarin).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in iOS code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on iOS.