AD Threats and Detection
RCCE students will learn Active Directory security including AD architecture, authentication protocols (Kerberos, NTLM), group policy security, trust relationships, privilege escalation paths, and AD attack detection. RCCE students will learn to assess Active Directory environments for security weaknesses, identify misconfigured permissions, detect Kerberoasting, AS-REP roasting, DCSync, Golden Ticket, and Silver Ticket attacks, implement tiered administration models, configure AD security monitoring with Windows event logs, harden group policy configurations, clean up stale accounts and excessive permissions, and respond to AD compromise with containment and recovery procedures. This threat-focused course teaches students to think like adversaries while building robust defenses. Building on core knowledge, RCCE students will learn to analyze attack techniques, build detection logic, and implement defensive strategies that proactively identify threats before they cause damage. Students develop a threat-informed mindset that drives better security decisions across all operational activities.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing AD Threats and Detection
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for advanced cyber defense mastery
- Explain Executive Overview fundamentals
- Execute hands-on tasks for course threat focus areas — covering AD controls 90%+ enterprise identity, Kerberoasting & AS-REP Roasting.
- Execute hands-on tasks for attackers target ad in 80% of incidents — covering Kerberoasting & AS-REP Roasting.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for domain controller
- Execute hands-on tasks for global catalog
- Execute hands-on tasks for kerberos authentication protocol
- Execute hands-on tasks for ntlm security weaknesses — covering Client sends NEGOTIATE message.
- Execute hands-on tasks for server validates via dc (pass-through) — covering No mutual authentication.
- Execute hands-on tasks for group policy security
| Module 01 | AD Threats and Detection |
| Module 02 | Advanced Cyber Defense Mastery |
| Module 03 | Executive Overview |
| Module 04 | Course Threat Focus Areas |
| Module 05 | Attackers target AD in 80% of incidents |
| Module 06 | AD Architecture & Components |
| Module 07 | Domain Controller |
| Module 08 | Global Catalog |
| Module 09 | Kerberos Authentication Protocol |
| Module 10 | NTLM Security Weaknesses |
| Module 11 | Server validates via DC (pass-through) |
| Module 12 | Group Policy Security |
| Module 13 | Password Policies |
| Module 14 | Audit Policies |
All hands-on labs run on Rocheston Rose X OS. Students practice ad threats and detection by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Execute hands-on tasks for advanced cyber defense mastery
- Lab 3: Explain Executive Overview fundamentals
- Lab 4: Execute hands-on tasks for course threat focus areas
- Lab 5: Execute hands-on tasks for attackers target ad in 80% of incidents
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for AD Threats and Detection, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI