Global Central Bank (CRTM)

Global Central Bank: An Enterprise Cyber Range:

Global Central Bank (GCB) is a one of a kind Enterprise Windows and Active Directory Cyber Range. It helps enterprises test capabilities of both their Red and Blue teams in an Enterprise Windows network.

GCB is a true multi-forest environment that mimics a financial institution's network. Teams can test cutting-edge TTPs as GCB is built completely on fully patched Server 2019 machines. It includes abuse or bypass of many recommended defence mechanisms LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization and more. User simulation is used to make it a true enterprise network.

It is useful for both Red and Blue teams as very verbose logging is configured across the lab and teams can analyse the logs using the ELK installation in the labs.

GCB enables enterprises to simulate actual adversaries by focusing on goals rather than just getting privileged access to machines. For effective adversary simulation and exciting gamification, the end goal of GCB is to initiate a fake transfer of funds from the target bank.

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a lab environment (One/Two/Three months) with updated Server 2019 machines. Lab can be accessed using a web browser or VPN.
3+ hours of video course that covers important concepts required to begin with the lab
Course slides
Attack Path diagrams for hints in the lab
One Certification Exam attempt

What will you Learn?

GCB is ideal for:

Understanding and practicing current and futuristic threats.
Any TTP tested in GCB will be usable for years to come as it uses fully patched Server 2019 machines.
Sharpen your AD security skills by applying them to a unique multi-forest environment.
Understand that getting Domain Admin privileges is just the beginning of Enterprise compromise, even in Active Directory!
Testing lateral movement and domain dominance from a beachhead.
Abuse or bypass modern Windows features like LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization and more.
Analyzing the adversary attack methodology using logs.

The following are the prerequisites for the lab:

Basic understanding of red teaming/penetration testing or blue teaming/security administration of AD environment
Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.

Like a real world red team operation, GCB challenges your understanding of TTPs. With basic understanding of Enterprise security and Windows environment, you can crack the lab although we still expect GCB to be very challenging

If you are not familiar with how to approach attacking Windows and Active Directory based enterprise environments, you may like to go for our Active Directory labs

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$399

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$349

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$599

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$749

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CRTM Certified Students

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$239

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$399

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$349

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$599

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$749

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CRTM Certified Students

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$239

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Certified Red Team Master (CRTM)

To earn the CRTM certification (previously known as PACES), students need to compromise a multi-forest exam lab environment. The 48-hour hands-on exam tests students' ability to apply both attack and defense concepts. Success in the exam depends on the quality of report submitted after the exam, forests compromised with minimal alerts and forests secured.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.

In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Expiry and Renewal

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. The renewal exam is FREE before the certificate expires. Please take a look at this blog post for more details: https://www.alteredsecurity.com/post/renewal-process-for-altered-security-certifications

Exam Structure

The students get access to a dedicate exam lab which contains multiple active directory forests with fully patched Windows Server 2019 machines. In order to clear the exam, students need to:

Compromise multiple forests with a minimal footprint.
Secure the forest where they have full access from the beginning.
Submit a report that contains details of attacks on target forests and details of security controls/best practices implemented on the 'home' forest.

Certificate Benefits

A CRTM holder is a specialist in enterprise AD security. They have the ability to identify, exploit, demonstrate and fix security issues in an enterprise.

They have demonstrated the ability to understand and secure the modern enterprise network by executing a silent red team operation starting from a beachhead leading to compromise of multiple forests.

46 Challenges and >450 Hours of Torture :)

Section 1: Abuse defence mechanisms, exploit modern Windows features, extract secrets

Difficulty Level: High

Estimated Completion Time: 16 hours

Number of challenges: 3

Section Objective: You have to enumerate the target forest for interesting information and use that to get access to a server by abusing a defence mechanism.

Learning Elements:

Domain Enumeration
Abusing secrets management solution
Permissions abuse
Local Privilege Escalation
Extracting secrets without popular tools

Section 2: Hunt for privileges, replay credentials, pivot across forest trusts

Difficulty Level: High

Estimated Completion Time: 46 hours

Number of challenges: 6

Section Objective: Cross a forest boundary in this objective! You have to pivot through multiple machines and a forest trust. Extract credentials, replay them, solve Kerberos double hop issue across forest and battle network segmentation!

Learning Elements:

Domain Enumeration
Pivoting
Extracting clear text credentials across forest trust
Tackle Kerberos double hop across forest
Use administrative tools to elevate privileges

Section 3: Enumerate permissions, exploit delegation, abuse enterprise application, utilize network sniffers, abuse user simulation

Difficulty Level: High

Estimated Completion Time: 34 hours

Number of challenges: 4

Section Objective: Exploit delegation issues in this one and execute lateral movement to access other machines. Using password of an enterprise application retrieved from a third machine, extract multiple clear-text credentials that will be useful later.

Learning Elements:

Extracting system secrets
Understanding and abusing enterprise applications on the fly.
Abuse built-in tools for extracting credentials
Exfiltration of information
Understand and abuse delegation

Section 4: Bypass logon restrictions, lateral movement across forest trust, play with Kerberos tickets

Difficulty Level: Medium

Estimated Completion Time: 16 hours

Number of challenges: 2

Section Objective: Use credentials extracted earlier to laterally move across forest. But before that, bypass logon restrictions to be able to access machines which have network connectivity across forests.

Learning Elements:

Understand logon types and their limitations.
Forge and replay Kerberos tickets
Enumerate credentials usable across forest

Section 5: Bypass AV, tackle Kerberos double-hop, abuse delegation, extract credentials from DC in the other forest, escalate from child to forest root in the other forests

Difficulty Level: High

Estimated Completion Time: 44 hours

Number of challenges: 6

Section Objective: Bypass AV, extract credentials and use the credentials to move across forest. Tackle the kerberos double-hop issue and delegation to be able to move laterally in the target forest. Escalate privileges in the other forest to domain admin. From DA, escalate to enterprise admin in the root domain of the target forest. All this from a single foothold machine in the target forest, which introduces some super interesting manoeuvres.

Learning Elements:

Bypassing AntiVirus
Forging Kerberos tickets
Tackle Kerberos double hop
Understand and abuse delegation for privilege escalation
Child to forest root privilege escalation
Pivoting across forest trust
Enumeration across forest trust

Section 6: Enumerate across forest, access documents and emails to collect information, abuse remoting endpoints, modify ACLs, exploit delegation

Difficulty Level: High

Estimated Completion Time: 40 hours

Number of challenges: 5

Section Objective: This objective requires extensive enumeration of the target forest to be able to access machines there. Escalate privileges on one of the machines by modifying ACLs and bypassing application restrictions. Abuse delegation to escalate privileges to domain administrator.

Learning Elements:

Abusing PowerShell Remoting endpoints
ACL modification for privilege escalation
Enumerate and bypass application restrictions
Delegation for domain privilege escalation

Section 7: Abuse user simulation, craft payloads, bypass AV, bypass privilege restrictions, impersonate users, abuse exchange permissions, modify ACLs, escalate privileges to domain admin

Difficulty Level: High

Estimated Completion Time: 56 hours

Number of challenges: 8

Section Objective: You need to abuse user simulation to get a beachhead in the target forest. Bypass multiple restrictions and countermeasures on that machine to be able to move ahead. Impersonate users, enumerate the target domain from the foothold and abuse the permissions of MS Exchange groups to escalate to forest root.

Learning Elements:

Crafting payloads to bypass AV
Use previously collected information to abuse user simulation
User impersonation
Bypassing user privilege restrictions without GUI access
Understanding and bypassing MS Exchange group permissions

Section 8: Retrieve credentials from process memory dump and replay them, Bypass Windows Defender Application Guard, ASR and CLM to extract credentials, escalate privileges on domain

Difficulty Level: High

Estimated Completion Time: 36 hours

Number of challenges: 2

Section Objective: For this one, you need to extract credentials from a memory dump and replay them to get a foothold in the target forest. The foothold is designed to be very challenging and uses WDAG and ASR rules to block most of the well-known tools. Extract credentials from the foothold and replay them to escalate privileges to DA.

Learning Elements:

Understand the restrictions by WDAC and bypass them.
Using NTLM authentication to access domain joined machines.

Section 9: Abuse forest trust to hop to a third forest, enumerate privileges from the first hop forest and pivot to the second hop, avoid Kerberos double hop issue, extract secrets

Difficulty Level: High

Estimated Completion Time: 36 hours

Number of challenges: 3

Section Objective: This objective takes hopping across forest trusts to the next level. You need to compromise a forest and then hop from that forest to a second one. Escalating privileges remains a challenge but the most difficult part is to avoid the Kerberos double hop problem from the first hop forest to the second hop. Also, getting privileges on the second hop forest is going to be very challenging.

Learning Elements:

Understanding and abusing special forest trusts
Pivoting across multiple forests

Section 10: Collect information from various compromised forests, escalate to DA, escalate to forest root

Difficulty Level: High

Estimated Completion Time: 36 hours

Number of challenges: 2

Section Objective: This one is a bit non-conventional. Instead of looking for direct domain enumeration, this objective needs using the already collected information and 'connecting the dots' to be able to compromise the target domain and forest. The commands required are well-known but the information collection is the challenge.

Learning Elements:

Using the collected information to design an attack path

Section 11: Abuse built-in Windows mechanisms, craft payloads,
compromise air-gapped/not-reachable servers

Difficulty Level: High

Estimated Completion Time: 48 hours

Number of challenges: 3

Section Objective: You need to compromise a server in the target forest that is used for a particular Windows mechanism. Using access to this particular server, compromise servers in another forest that is not reachable over the network.

Learning Elements:

Understanding abuse of trusted Windows mechanisms
Crafting payloads which bypass AV and are trusted by Windows

Section 12: Abuse virtual servers, extract credentials from offline domain controllers and extract secrets to initiate the fund transfer

Difficulty Level: High

Estimated Completion Time: 32 hours

Number of challenges: 2

Section Objective: This is the final objective regardless of the path used. To complete the fake fund transfer, you need to extract secret by abusing an offline domain controller by abusing virtualization.

Learning Elements:

Abusing virtualization on Windows
Extract credentials from offline domain controllers

gcb purchase

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$399

​30 DAYS LAB EXTENSION + ONE CERTIFICATION EXAM ATTEMPT

$349

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$599

EXAM REATTEMPT

$99

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$749

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

30 DAYS LAB ACCESS FOR CERT RENEWAL

$239

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase

One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each

Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security

The above lab is a shared environment and certain pre-specified machines will be off-limits

If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

EXAM
REATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

ADDITIONAL
RENEWAL EXAM