Active Directory Security for Defenders

Detect the domain compromise in the logs you already have

An attacker who lands one phishing click and walks out with Domain Admin rarely uses a zero-day. They use Kerberos the way it was designed, a service account nobody rotated, a delegation right nobody reviewed. Every step writes a record in the Windows Security log. This course teaches you to read that record, write the detection as a rule you can carry anywhere, and harden the weakness so the next attacker does not get the same run.

ARC403 | Premium tier | 12 modules across 6 phases | 36-40 hours at your own pace | 40 CPE credits | Free preview, no account needed | All tools free | Updated June 2026
Course Agenda

ADS0 - Course Orientation

Course overview

Active Directory Security for Defenders teaches you to detect and shut down the attacks that turn one foothold into a whole domain. You work against a real compromised Northgate Engineering domain in the browser, reading the same Windows events a working analyst reads, and you leave with detections you can run anywhere. Learn how to:

Read Kerberoasting, AS-REP roasting, DCSync, golden tickets, and AD CS abuse directly off the Windows Security log
Write each detection once as portable Sigma, then render it for Windows, Sentinel KQL, and Splunk SPL
Detect privilege escalation through delegation, SPN abuse including CVE-2026-25177, and the Server 2025 dMSA path
Harden the configuration that removes each attack path, and recover a domain once trust is broken

By the end you detect a full domain compromise the way a working defender does, with nothing more than the events every domain already produces, and you know which tools sharpen that picture where you have them.

Who this course is for

You are a SOC analyst, detection engineer, incident responder, threat hunter, or systems administrator who owns or defends Active Directory and wants to detect the attacks against it rather than only patch it. The course is self-contained, every concept explained at first use, and built so it works whether or not you have a SIEM. It is for you if you want to:

Understand why a fully patched domain still falls, and learn to see the abuse of features working as designed
Detect AD attacks with the Windows Security log alone, then add Defender for Identity where you have it
Carry your detections between tools and jobs instead of relearning one vendor's query language
Turn detection into hardening, closing the path rather than only alerting on it

What you'll learn

By the end of Active Directory Security for Defenders you will be able to:

Map every stage of an AD attack, from recon to domain dominance, to the exact Windows event that records it
Build and tune detections for Kerberoasting, credential replay, delegation abuse, DCSync, golden tickets, and AD CS ESC1 through ESC8
Render any detection across four surfaces and reason about its false positives in each
Audit your own domain with free tooling such as BloodHound, PingCastle, Locksmith, and setspn, and reduce what an attacker's recon yields
Detect the on-premises to Entra pivot at the hybrid seam, and hand off cleanly to cloud-side investigation
Apply tiering, Protected Users, LAPS, gMSA, and KRBTGT rotation, and run AD-specific incident response through to forest recovery

Key course takeaways

A source-first detection habit that does not depend on owning any particular SIEM
A library of AD detections you can run from a domain controller, a collector, or any SIEM that reads Windows events
The judgment to tell an attack from the legitimate activity that looks just like it, by the field that distinguishes them
A hardening and recovery playbook for the attacks a patch does not fix

Hands-on: the Northgate AD corpus

You work against one correlated intrusion in a real Northgate Engineering domain: recon, Kerberoasting, AS-REP roasting, an SPN write, the Server 2025 dMSA path, resource-based delegation, DCSync, a golden ticket, an AD CS issuance, and the pivot into Entra. The events sit in the browser corpus, so there is no lab to build before you can detect.

Every detection runs across four surfaces. You read the canonical Sigma rule, then run the same logic as Windows Get-WinEvent, Sentinel KQL, and Splunk SPL against the corpus, and watch it fire on the seeded attack. No SIEM license is required to complete the course.

Things you need to know

What are the prerequisites for this course?

None beyond a working familiarity with Active Directory as an administrator or defender. You do not need prior detection-engineering experience. Every attack, event, and query is explained from first use, and an experienced reader can skip past what they already know using the anchor at the start of each section.

Do I need a SIEM or Defender for Identity?

No. The course is source-first by design. Every core detection rests on the Windows Security log that every domain produces. Where you have Defender for Identity, the course shows you the extra signal it adds, especially for reconnaissance, as an enhancement rather than a requirement.

How will the course benefit your career?

Active Directory remains the backbone of most enterprise identity, and the attacks against it are among the most common paths to full compromise. Defenders who can detect and harden AD, rather than only operate it, are valuable to any SOC, detection-engineering, or incident-response team. The portable, source-first approach means the skill travels with you regardless of which tools an employer runs.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

Attack techniques: All offensive detail is taught from the defender's side, against a synthetic corpus, for detection and hardening only. Running these techniques against systems you do not own or have permission to test is illegal.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 0.1 (in development) | Last updated: June 2026

June 2026 - v0.1: Course in active development. Module 0 orientation published for preview. Northgate on-premises AD corpus, detection library, and four-surface query model built.

This course is being authored module by module and is not yet complete.