Active Directory NTLM Relay Attacks

Hands-on Workshop (2 days)

From exploitation to mitigation: mastering NTLM relay end-to-end. 

Glyfada,
Athens

October 2–3
10:00-16:00

Limited
seats

Join us for an exclusive limited-seat workshop on Active Directory NTLM relay attacks.

Register now and gain two days of hands-on instructor led training, guided HTB-powered labs and practical mastery of NTLM relay, from exploitation to deployable defenses. Workshop syllabus, venue information, and preparation details will be sent to all registered participants prior to the event.

(VAT excluded)

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

  • Eager to expand your red-team toolkit with real-world NTLM relay tactics?
  • Struggling to protect Active Directory from credential relay?
  • Not sure how attackers really abuse NTLM authentication?
  • Want to move beyond theory and actually defend your environment?

This is not another slide-based seminar. It’s a 2-day, scenario-driven workshop where you’ll get hands-on inside real NTLM relay attacks and vulnerabilities and learn how to exploit, detect, and defend against them in live Active Directory environments.

In collaboration with:

This workshop is delivered through custom-built, guided training by Cyber Helmets, enriched with Hack The Box Academy’s sophisticated labs and curated content.

What you’ll do

  • Exploit NTLM relay paths to understand real attacker workflows
  • Detect relays and post-relay activity with practical signals and tooling
  • Implement layered mitigations that survive production constraints
  • Leave with repeatable lab notes and a personal action plan for your environment

What you’ll gain

  • Deep understanding of NTLM
    relay vulnerabilities and attacker techniques
  • Practical exploitation exercises
    in a controlled lab environment
  • Proven defense strategies
    you can immediately apply in your organization

Format & what’s included

  • Live expert-led instruction
  • Guided labs on real AD-style environments (via HTB Academy)
  • Certificate of Completion to showcase your expertise
  • Exclusive Cyber Helmets swag

Who it’s for

Blue Teamers, Purple Teamers, Windows/AD admins, Incident Responders, Security Engineers with basic AD/Windows familiarity. If you’ve read about NTLM relay but never executed it end-to-end, this is for you.

Requirements

  • Familiarity with Windows authentication basics (high-level understanding is fine).
  • Practical hands-on experience with command line on Windows and Linux (PowerShell + Bash)
  • Solid understanding of Active Directory concepts, including users, groups, organizational units, and related structures.
  • Knowledge of Active Directory enumeration techniques and common attack vectors.
  • Comfort installing and running common lab tooling on Linux (Impacket, Responder, ntlmrelayx, etc)

Agenda: Your 2-day training journey.

Day 1 – Offense to Understand Risk

NTLM protocol refresher → Relay mechanics and tooling → Same-/cross-protocol relays → Post-relay paths (local admin, secrets extraction, lateral movement) → Lab blocks after each module.

 

Day 2 – Detection & Defense

Relayed traffic fingerprints → Log sources & correlations → Hardening playbook (SMB signing, EPA, mitigations without breaking stuff) → Blue-team labs → Personalization: draft your rollout checklist.

Instructor

Marios Pappas

The workshop will be led by Marios Pappas, an experienced penetration tester and red teamer with deep expertise in Active Directory security.

Learn more about Cyber Helmets

Join us for an exclusive limited-seat workshop on Active Directory NTLM relay attacks.

Register now and gain two days of hands-on instructor led training, guided HTB-powered labs and practical mastery of NTLM relay, from exploitation to deployable defenses. Workshop syllabus, venue information, and preparation details will be sent to all registered participants prior to the event.

2-day workshop – €490

(VAT excluded)

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Syllabus:

Intro to GCP

  • GCP Hierarchy
  • Google Workspace
  • gcloud config
  • Basic Hacking Techniques

Exploitation of GCP Services

  • IAM
  • KMS
  • Secrets 
  • Storage
  • Compute Instances & VPC
  • Cloud Functions
  • CloudSQL
  • Pub/Sub
  • App Engine
  • Google APIs
  • Cloud Shell

Methodologies

  • White box

Security Services

  • GCP Logging & Monitoring

Syllabus:

Intro to AWS

  • AWS Organization
  • AWS Principals
  • Basic Hacking Techniques

Exploitation of AWS Services

  • IAM
  • STS
  • KMS
  • Secrets Manager
  • S3
  • EC2 & VPC
  • Lambda
  • RDS
  • SQS
  • SNS

Methologies

  • White box

Common Detection Mechanisms

  • CloudTrail

Syllabus:

Azure Basics

  • Azure Organization
  • Entra ID
  • Azure Tokens & APIs
  • Basic Enumeration Tools

 

Exploitation of Azure Services

  • Entra ID IAM
  • Azure IAM
  • Azure Applications
  • Azure Key Vault
  • Azure Virtual Machine & Networking
  • Storage Accounts
  • Azure File Share
  • Azure Table Storage
  • Azure SQL Database
  • Azure MySQL & PostgreSQL
  • Azure CosmosDB
  • Azure App Service
  • Basic Azure Research Technique
  • Azure Function Apps
  • Static Web Apps
  • Azure Container Registry
  • Azure Container
  • Instances, Apps & Jobs
  • Azure Queue
  • Azure Service Bus
  • Azure Automation Account
  • Azure Logic Apps
  • Azure Cloud Shell
  • Azure Virtual Desktop

 

Methologies

  • White box
  • Black box
  • Pivoting between Entra ID & AD

 

Common Detection Mechanisms

  • Azure & Entra ID Logging & Monitoring
  • Microsoft Sentinel
  • Microsoft Defender for Cloud & Microsoft Defender EASM

Fundamentals and Setup

  1. Overview of Android’s architecture and ecosystem dynamics.
  2. Exploration of security features native to Android using Java, Kotlin, C++, and Rust.
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How do we secure and test cross platform apps (e.g. ReactNative, Xamarin, etc).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on Android.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including certificate validation and pinning.
  • Cryptography in Android apps
    a) Utilization of Android’s Crypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of biometrics.
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
  • Android IPC
    a) Detailed exploration of Intents, deep links, Binders/services, and broadcast receivers.
  • Webviews
    a) Identifying and resolving common security issues in Android Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an Android app.
    b) Identifying known vulnerabilities within these components.
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including App Transport Security issues & certificate pinning.
  • Cryptography in IOS apps
    a) Utilization of iOS’s CryptoKit & CommonCrypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys and leveraging the secure enclave.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of Local Authentication (biometrics).
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
    d) Using Device Check and App Attest
  • iOS IPC
    a) Detailed exploration of URL schemes, deep (universal) links, and extensions.
  • Webviews
    a) Identifying and resolving common security issues in iOS Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an iOS app.
    b) Identifying known vulnerabilities within these components.
  • Implementing App Integrity
    a) What to look for
    b) How to implement
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Fundamentals & Setup

  1. Overview of iOS’s architecture and ecosystem dynamics.
  2. Exploration of security features native to to iOS using Objective-C, Swift, and C(++).
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How do we secure and test cross platform apps (e.g. ReactNative, Xamarin, etc).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in iOS code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on iOS.