AD Security Training Created by an Operating Principal Cyber Security Consultant, Tinus Green
We've launched a brand new module all about Active Directory Security! The training labs comprising the module have been developed by an Operating Principal Cyber Security Consultant, Tinus Green, so they are realistic, grounded in real-world work, and transferable to job roles in the field.
TryHackMe is made up of cyber security experts with decades of combined experience. Our training aims to be engaging, guided, and based on real-world scenarios, so that it actively benefits our users in the real world.
With this, Tinus - part of the TryHackMe Content Engineering team - has created a series of Active Directory Security training labs, following scenarios he experiences as a Principal Cyber Security Consultant. We’re running through the launch, everything Active Directory, and interviewing Tinus on the reasoning behind these topics. Let’s dive in!
Active Directory training labs:
- Breaching Active Directory
- Enumerating Active Directory
- Lateral Movement and Pivoting
- Exploiting Active Directory
- Active Directory Persistence
What is Active Directory?
If you’ve ever worked from an office or used a school computer, it was most likely managed by Active Directory (AD). AD is a database and range of services connecting users with the resources needed to get their work done. This database (or directory) consists of crucial information about your environment, including user and device details, and access permissions.
Active Directory is Microsoft's proprietary directory service. Running on Windows, AD enables administrators to manage permissions and control access to network resources. An Active Directory network consists of the machines and servers joined to a domain, and domains in turn form part of a broader collection of domains. If needed, explore the basics of Active Directory before getting granular.
Active Directory is used by approximately 90% of the Global Fortune 1000 companies; if an organisation uses Microsoft Windows, you are almost guaranteed to find AD. It is used for Identity and Access Management of the entire estate, so it is a likely target for attackers.
Why study Active Directory?
Active Directory is widely used across the globe as a centralised access management system, and is therefore a frequent target for attack. Because of this, studying Active Directory can open up a number of job opportunities and benefit existing roles. If your cyber security role involves performing network security (NetSec) assessments, or defending against them, you will have to focus on AD.
The TryHackMe Active Directory rooms will benefit two main job roles:
- Cyber Security professionals looking to further their knowledge of Active Directory and how to compromise it during a red team assessment.
- Security Analysts and Cyber Defence professionals looking to understand AD misconfigurations, how attackers exploit them, and how they can be defended against.
The largest problem with Active Directory is legacy configuration: if domains are not correctly configured at launch, constant changes are required. This is such a significant issue that a multitude of organisations start from scratch rather than tackle the problem of securing their existing domain. From a defender's perspective, once AD is compromised, the chances of thoroughly flushing out attackers are slim, which makes it an essential element to secure.
As our expert Tinus puts it, the best way to secure it is to understand the fundamentals of what can go wrong and why. This has inspired this series of training labs, which teach the principles teams need to understand both the stakes and the steps required to secure it.
An interview with Tinus Green, Principal Cyber Security Consultant and TryHackMe Content Engineer
Tinus Green is a TryHackMe content engineer with a wealth of cyber security expertise, drawn from a range of roles in the industry. He currently works as part of the TryHackMe team, creating valuable content such as the Active Directory collection of training network rooms (/labs), whilst also operating as a Principal Cyber Security Consultant.
Being active in cyber security, Tinus has a wealth of experience to translate into training labs for the TryHackMe community, whilst also staying up to date with evolutions and threats in the industry. We chatted with Tinus about his history, skillset, and the creation of these training resources. Introducing Tinus!
Why did you get into cyber security?
Throughout varsity (university for the English folk), I didn’t have a huge cyber security knowledge base. I studied computer engineering and while the degree touched some cyber security principles, this was mainly limited to cryptography. However, a presentation performed by a cyber security consultancy firm piqued my interest in the field.
I accepted a graduate position as an Information Security Consultant for a research-led cyber security firm, meaning the company encouraged actively learning new things and exploring new cyber security niches. My very first niche was ATM hacking! This helped boost my knowledge, confidence, and opportunities for growth.
The reason I joined this field is to contribute to a field where the main goal is about making things better, keeping countries and businesses safe.
Tell us about your work history
Backtracking slightly, my first real job was working for my university - the University of Pretoria. I was an assistant lecturer for a computer engineering module, where students learn how to work with microprocessors. I was responsible for creating the AGS (Automatic Grading System), which simulated the students’ microprocessor code, and graded it for exams. I still partially work as a project leader for final engineering students part-time.
After completing my degree, I started to work as a wide-eyed associate for a cyber security consultancy company. I worked my way up to Principal Consultant with numerous projects, bouts of research, and personal development.
My responsibilities have included looking after the entire Application Security (AppSec) division in the local office and managing the Network Security (NetSec) division - where I currently work alongside the Strategic Advisory Services team.
In 2022 I introduced another venture, working on creating training content for TryHackMe to help teach my areas of expertise to budding cyber security professionals. I believe the best way to learn is to get your hands dirty, so I bring this experience into my content role at TryHackMe, creating relevant, real-world rooms!
How did you bring this real-world experience into creating these AD training labs?
I have held a key focus on cyber defence in the last few years; cyber defence being slightly misleading as we do actual attacks! I lead a service called Attack Path Mapping, where we run threat modelling on specific assets of a company, determining various paths that could be taken to compromise the assets. After that, we perform testing to technically verify the paths.
Active Directory has always been the path of the least resistance for every assessment I have run over the last few years.
The first thing our team would compromise fully was the domain, every time. My team used to have a saying, “Domain Admin (DA) compromise before lunch,” and we didn’t have to postpone lunch once!
Along with compromising the domain, I would run deeper dives for additional misconfigurations that never made it to the path of least resistance. I bring many of these misconfigurations into my TryHackMe training labs, to give learners hands-on relevant experience.
What real-world scenarios does this training benefit?
The biggest issues with Active Directory are the sheer size of the attack surface and legacy configuration. In organisations utilising AD, we find AD controls almost everything. As the estates are so large, it is very easy for a misconfiguration to slip through.
One small hole is not usually what sinks the AD security ship. Rather, several of these holes bring the boat down - together they create a significant problem. With this, it’s not often the case that an attack would exploit one misconfiguration to compromise AD, but rather combine the misconfigurations to achieve a full compromise and allow the attacker to reach their goals. The Bloodhound paths in Enumerating AD and Exploiting AD Networks show this well.
The training labs I have created focus on these types of real-world scenarios. You can’t simply click a button and control everything, but combining misconfigurations together allows you to compromise AD. Each of these misconfigurations was seen in real-life assessments.
Thank you Tinus, for your insight and Active Directory room creation!