MC-05

BloodHound, Kerberoasting, Pass-the-Ticket, DCSync and full domain takeover. From recon to Domain Admin.

18 lessons4 topicsAdvancedBloodHound + Mimikatz

Start Learning ← All Courses

kali@cyby-lab: ~

$ python3 GetNPUsers.py domain.local/ -usersfile users.txt

[*] Получаю TGT для валидных пользователей

[+] [email protected]:a8f...

[*] Брутфорсю через hashcat...

[+] Пароль: Welcome123!

$ █

Why this matters right now

Active Directory — the #1 target in corporate attacks

95%of Fortune 500 companies use AD

88%of successful attacks use compromised AD credentials

90%of corporations have been targeted via AD

Domain Adminreachable in 16 hours on average

After the course you will be able to

Not abstract knowledge — concrete skills you can demonstrate in an interview

BloodHound: build attack graphs and find paths to DA

Kerberoasting: crack service account hashes

AS-REP Roasting: attack accounts without pre-auth

Pass-the-Hash and Pass-the-Ticket techniques

DCSync: dump the entire domain via replication

Golden Ticket: persistent domain access

LDAP recon and SMB enumeration with PowerView

Mimikatz: extract credentials and tickets

Real attacks in the course

Every lesson is built on real incidents — not made-up examples

Real case2020

SolarWinds 2020

An APT group used Golden Ticket to move through the AD infrastructure of 18,000 organizations including Microsoft, FireEye and US Treasury. The compromise lasted 9 months.

Topic 04 · Golden Ticket attack

Real case2019

Ryuk Ransomware 2019

Ryuk operators compromised AD in an average of 5 hours after initial access. Kerberoasting → Lateral Movement → DCSync → DA → network encryption.

Topic 02 · Kerberoasting

Real case2017

NotPetya 2017

The worm spread through AD via EternalBlue and Mimikatz, automatically taking over domains. $10B in damages, affecting Maersk, Merck, FedEx.

Topic 03 · Lateral Movement in AD

Course Program

4 topics · 18 lessons · from AD recon to Golden Ticket and Domain Dominance

Active Directory architecture: key components

Enumeration with BloodHound and SharpHound

LDAP queries and object enumeration

Finding privileged accounts and groups

ACL analysis and delegation of rights

Where this course leads

MC-05 — a required course for three top cybersecurity specializations

$4,000 — $9,000/mo

AD/Identity Security Expert

Specialize in Active Directory security: attacks, defense, auditing and monitoring of AD infrastructure.

BloodHoundAD hardeningPingCastlePurple Team

Track:FC-04 → MC-05 → AD Security

$4,000 — $10,000/mo

Red Teamer

Conduct full AD takeover as part of Red Team operations, simulating APT groups.

AD attacksMimikatzC2OPSEC

Track:MC-04 → MC-05 → MC-06

$3,000 — $7,000/mo

Infrastructure Pentester

Test corporate networks and AD infrastructures, find paths to Domain Admin.

AD pentestingBloodHoundKerberoastingOSCP

Track:FC-04 → MC-05 → CRTP

Who this course is for

Pentesters

You test corporate infrastructures and want to master the full AD takeover cycle

Red Teamers

You simulate APT attacks and want to master advanced Domain Dominance techniques

Blue Team / AD Admin

You want to understand AD attacks to properly configure defense and monitoring

Master AD Attacks
and become Domain Admin
today

18 lessons, BloodHound, Mimikatz and practice on a full AD lab environment.

Start Learning ← All Courses

MC-05● Available

Active Directory Attacks

Level: advanced

18 lessons

video + practice

4 topics

by topic

Advanced

difficulty level

BloodHound + Mimikatz

core tools

BloodHound: graph paths to Domain Admin

Kerberoasting and AS-REP Roasting

DCSync and Golden Ticket

Pass-the-Hash and Pass-the-Ticket