Red Teaming in Active Directory & Entra ID
Register Now
Training Schedule
Jan 22, 2026 – Jan 24, 2026
9:00 AM – 5:30 PM (GMT+05:30)
Objectives of Training:
Your organization's identity infrastructure, spanning Microsoft Active Directory (AD) and Entra ID, is the #1 target for sophisticated threat actors. With Microsoft tracking 600 million attacks per day and a 2.75x surge in human-operated ransomware, relying on basic penetration tests is no longer enough. This intensive, hands-on training moves beyond generic security checks. You will adopt the mindset and master the Tactics, Techniques, and Procedures (TTPs) of an elite Red Team Specialist to execute full-spectrum adversary simulation. Learn to exploit critical misconfigurations in On-Premises AD to lateral movement to Azure Cloud & achieve Global Admin Level Privs, and pivot seamlessly across hybrid environments. Equip yourself with the skills to find the flaws your Blue Team misses. Go beyond becoming traditional “Domain Admins”
Module 1: Red Teaming in Active Directory (AD) Environment
- Enterprise AD Infrastructure
- Unauthenticated Recon
- LDAP, DNS, SMB & RPC
- Core AD Queries
- AD Objects, GPO, SPNs & ACLs
- Identify privileged servers / workstations
- Get Initial Foothold into the domain environment
- Password Attacks
- Password Spraying
- AS-REP Roasting
- Authenticated Enumeration
- Mapping the entire Domain Infrastructure
- Domain Dominance
- Identifying Lateral Movement paths
- Privilege Escalation vectors
- Kerberos Abuse
- ACL Abuse
- Evasion & Tooling
- Custom toolkit for evading AD monitoring tools
- Customizing open-source tools to evade signatures
- Gain code execution on privileged servers
Module 2: Red Teaming in Entra ID (Azure AD)
- Fundamentals of Azure Cloud
- Entra ID, ARM, and M365
- Administrator Roles and Role-Based Access Control (RBAC)
- Microsoft Graph and Management API
- Enumeration
- Unauthenticated & Authenticated Enumeration
- Enumerating Azure services as external, guest, and internal users
- Mapping the attack surface as an authenticated user
- Initial Access
- Password Spray Attack
- Exploiting Web App, Azure App & Logic App
- Consent Grant Attack
- Persistence
- App Registration — Credentials & Permissions
- Automation Account
- Privilege Escalation
- Exploiting Entra ID App Permissions
- Administrator Role Assignment
- Privilege escalation using RBAC
- Credential Access & Data Exfiltration
- Token from IMDS
- Secrets from Key Vault and other resources
Module 3: Lateral Movement — On-Prem ↔ Cloud
- On-premises → Azure Cloud
- PRT Abuse
- Exploit Entra ID Connect to retrieve cloud credentials
- Golden Ticket Attack by abusing Seamless SSO
- Azure Cloud → On-premises
- Code execution on an on-premises device by abusing Microsoft Intune
- Azure ARC exploitation
- Cloud ↔ Cloud
- Azure Cloud to Azure Cloud access
- Cross-Tenant Access
Module 4: Red & Blue Team Case Study
- Red Team Ops in Enterprise AD & Azure AD Environment (Full Kill Chain)
- Detection & Investigation in Enterprise AD & Azure AD Environment
- System with at least 16GB RAM having VMWare workstation PRO installed.
- Attacker Linux VM [kali] With Internet Connectivity.
- Students will get ovpn file to connect to the cyber range lab during the training.
- An open mind :)
- CWL team will share customized scripts & other requirements details 10 days prior to the training date
- Penetration Testers / Red Teams.
- Security Architects / Engineers / Consultants
- Blue Team Analysts / Engineers / Consultants
- Last but not the least, anyone who is interested in strengthening their AD & Entra ID skills
- Technical deep dive into stealthy attack vectors against both Active Directory and EntraID.
- Hands-on practice lab of the entire red team cycle, from initial reconnaissance to silent execution.
- How NOT to setup the infrastructure and critical resources
- Lots of red team ideas with open discussion
- N Day or 0 Day of any commercial / open-source software
- Simple, point-and-click vulnerability scanning or reliance on automated tools.
- Theoretical content (nearly 85% of the training is practical)
- Entire course material (PDF) including commands, slides, and enterprise lab walkthrough with custom / internal scripts for technology exploitation. What is the maximum capacity of the students for the training?60
Manish Gupta, CEO at CyberWarFare Labs, possesses over 10.5 years of expertise in offensive Information Security. He previously served as a Red Team Operator and Team Lead at leading MNCs including Microsoft, Grab, and Citrix. Manish specializes in advanced Red Teaming activities across complex enterprise environments, encompassing both on-premises and multi- cloud infrastructures. His research focuses on real-world cyber-attack simulation and Advanced Persistent Threat (APT) methodologies. A recognized expert, Manish has presented his findings at prestigious conferences such as Black Hat, DEF CON, c0c0n, Nullcon, BSides Chapters, X33fcon Poland, and NorthSec.
Yash Bharadwaj, Security R&D Director at CyberWarFare Labs, brings over 8.5 years of expertise in offensive security and threat emulation. He specializes in the discovery and operationalization of novel TTPs, developing advanced Red/Blue Team infrastructure, dissecting security control internals, and exploiting multi-cloud and on-premises environments. Yash is a recognized industry contributor, having delivered expert Red, Blue, and Purple Team training at leading global events including Black Hat, DEF CON, c0c0n, Nullcon, X33fcon, NorthSec, and various BSides and OWASP chapters.
