Adversary profiling Monitoring and Detection: Lab Series
RCCE students will learn Active Directory security including AD architecture, authentication protocols (Kerberos, NTLM), group policy security, trust relationships, privilege escalation paths, and AD attack detection. RCCE students will learn to assess Active Directory environments for security weaknesses, identify misconfigured permissions, detect Kerberoasting, AS-REP roasting, DCSync, Golden Ticket, and Silver Ticket attacks, implement tiered administration models, configure AD security monitoring with Windows event logs, harden group policy configurations, clean up stale accounts and excessive permissions, and respond to AD compromise with containment and recovery procedures. This monitoring course teaches comprehensive detection and observability strategies for proactive security operations. At an expert level, RCCE students will learn to instrument systems for security telemetry, build detection pipelines, configure alerting, and maintain monitoring coverage as environments evolve. Students gain the visibility and detection capabilities needed to catch threats early.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Adversary profiling Monitoring and Detection: Lab Series
- Monitor and audit privilege usage; detect escalation attempts
- Build detections and response workflows for privilege escalation
- Explain Course Overview and Learning Objectives fundamentals
- Execute hands-on tasks for core focus areas
- Execute hands-on tasks for lab methodology — covering Learning Outcomes.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for domain controllers
- Execute hands-on tasks for organizational units — covering Forest = top security boundary, Group objects for management.
- Execute hands-on tasks for host sysvol and policies — covering Forest = top security boundary.
- Execute hands-on tasks for kerberos authentication protocol deep dive — covering 2. AS-REP.
- Execute hands-on tasks for ntlm protocol flow — covering Challenge-response mechanism.
- Execute hands-on tasks for why ntlm persists — covering Legacy application compatibility.
| Module 01 | Adversary Profiling Monitoring |
| Module 02 | and Detection: Lab Series |
| Module 03 | Course Overview and Learning Objectives |
| Module 04 | Core Focus Areas |
| Module 05 | Lab Methodology |
| Module 06 | Active Directory Architecture Fundamentals |
| Module 07 | Domain Controllers |
| Module 08 | Organizational Units |
| Module 09 | Host SYSVOL and policies |
| Module 10 | Kerberos Authentication Protocol Deep Dive |
| Module 11 | NTLM Protocol Flow |
| Module 12 | Why NTLM Persists |
| Module 13 | NTLM Attack Surface |
| Module 14 | NTLM Hardening |
All hands-on labs run on Rocheston Rose X OS. Students practice adversary profiling monitoring and detection: lab series by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Monitor and audit privilege usage; detect escalation attempts
- Lab 2: Build detections and response workflows for privilege escalation
- Lab 3: Explain Course Overview and Learning Objectives fundamentals
- Lab 4: Execute hands-on tasks for core focus areas
- Lab 5: Execute hands-on tasks for lab methodology
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Adversary profiling Monitoring and Detection: Lab Series, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI