Windows Red Team Lab (CRTE)

Red Team Lab Objective:

Most enterprise networks today are managed using Windows Active Directory and it is imperative for a security professional to understand the threats to the Windows infrastructure. Our Windows Red Team Lab is designed to provide a platform for security professionals to understand, analyze and practice threats and attacks against a modern Windows network infrastructure.

Our Windows Red Team lab simulates real world attack-defense scenarios and require you to start with a non-admin user account in the domain and work your way up to enterprise admin of multiple forests. The focus is on exploiting the variety of overlooked domain features and not just software vulnerabilities.

This huge lab has multiple interesting tasks that are designed and built upon years of the author’s experience of red teaming windows environments. Every lab task is comprised of multiple challenges like active directory enumeration, local and forest privilege escalation, network pivoting, application allowlisting bypass, active user simulation, Kerberos delegation issues, SQL Servers, forest trusts, Azure hybrid identity and more! Whether you are a beginner, a seasoned red teamer, or a veteran blue teamer, the lab has something for everyone!

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a lab environment (One/Two/Three months) with updated Server 2019 machines. Lab can be accessed using a web browser or VPN.
14+ hours of video course with English captions
Course slides
Two lab manuals. One for solving the lab using standalone tools. Second for solving the labs using C2.
Walk-through videos
One Certification Exam attempt

What will you Learn?

The Windows Red Team Lab enables you to:

Practice various attacks in a fully patched real world Windows environment with Server 2019 and SQL Server 2017 machines.
Abuse Active Directory and Windows features like LAPS, gMSA, AD CS and more
Execute and visualize the attack path used by the modern adversaries.
Attack Azure AD Integration (Hybrid Identity).
Try new TTPs in a fully functional AD environment.
Understand defenses and their bypasses for (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, Microsoft Defender for Identity etc.)

The following are the prerequisites for the lab:

Basic understanding of red teaming/penetration testing or blue teaming/security administration of AD environment
Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$299

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$249

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$699

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CRTE Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$179

Reattempt

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal advancedbootcamp.enterprisesecurity.io
Purchase includes access to our Attacking and Defending Active Directory video course 14 Hours HD Videos
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$299

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$249

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

Reattempt

EXAM
REATTEMPT

$99

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$699

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CRTE Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$179

Reattempt

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal advancedbootcamp.enterprisesecurity.io
Purchase includes access to our Attacking and Defending Active Directory video course 14 Hours HD Videos
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Certified Red Team Expert (CRTE)

The Certified Red Teaming Expert is a completely hands-on certification. The certification requires students to solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges students to look at the complete infrastructure like a true enterprise network and does not rely only on breaking individual machines. Students will have 48 hours to complete the hands-on certification exam.

A certification holder has the expertise to assess security of an enterprise windows infrastructure having multiple domains & forests by just abusing the functionality & trusts.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Expiry and Renewal

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. The renewal exam is FREE before the certificate expires. CRTE can also be renewed by taking CRTM. Please take a look at this blog post for more details: https://www.alteredsecurity.com/post/renewal-process-for-altered-security-certifications

Exam Structure

The students are provided access to an individual Windows environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.

To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. The students will need to understand how Windows domains work, as most exploits cannot be used in the target network.

At the end of the exam, students need to submit the detailed solutions to challenges along with practical mitigations.

Certificate Benefits

A certificate holder has demonstrated the capability of enumerating and understanding an unknown Windows network and can identify misconfigurations, functionality abuse and trusts abuse. She can use, write and modify open source tools and can abuse other built-in tools to perform enumeration, local privileges escalation, impersonation, pivoting, whitelisting bypasses, and antivirus evasion as well as identify sensitive data with minimal chances of detection.

28 Learning Objectives, 62 Tasks, >300 Hours of Torture

I. Active Directory Enumeration

Leverage built-in binaries, tools, scripts, and open source tools such as Bloodhound for enumerating Active Directory.
Understand enumeration OPSEC to bypass detections from tools like Microsoft Defender for Identity (MDI) and other Identity defense tools.
Understand about Domain and Forest trust and ways to enumerate the trust.
Enumerate and understand about ACLs

II. Local Privilege Escalation

Understand the approach of escalating privileges locally on the Windows system.
Understand OPSEC to enumerate local admin access on remote machines.

III. Offensive .NET and PowerShell Tradecraft

Understand the approach of customizing/obfuscating tools and scripts and understand the approach to bypass Windows Defender Antivirus.
Understand about various logging mechanism and ways to evade them.
Learn about various ways to load scripts and tools in memory.
Use customized tools for extracting credentials, bypassing Windows Defender.

IV. Domain Privilege Escalation

Understand about Kerberos authentication.
Enumerate the domain environment and explore avenues to escalates the privileges.
Learn about Kerberoasting attack and OPSEC considerations for performing Kerberoasting attack.
Understand about gMSA and learn to generate the gMSA password offline with appropriate privileges.
Learn, understand and abuse delegation based configurations available in Active Directory environment.
Explore options to abuse misconfigured ACLs for escalating privileges.

V. Lateral Movement

Learn about various ways to extract credentials and use the same.
Understand various ways to gain remote access on the target machine and OPSEC considerations.
Abusing the ACLs to extract credentials from LAPS or generate gMSA credentials.

VI. Domain Dominance & Persistence

Understand how to leverage privileges in the domain environment to deploy persistence in the domain environment.
Learn about Golden, Silver and Diamond ticket usages and OPSEC considerations.
Understand about AdminSDHolder system container that can be leveraged for deploying persistence on Protected Groups.
Understand and abuse ACLs applied on the remote access protocols.
Understand about Skeleton Key, DSRM, Custom SSP based persistence techniques.
Computer and User account takeover – Shadow Credentials.

VII. Cross Domain Attacks

Understand how to leverage KRBTGT account hash or Trust key to move across the domain.
Learn and understand about Active Directory Certificate Services (AD CS) environment and ways to abuse the AD CS misconfigurations to escalate privileges.
Understand how delegation based attacks can be leverages to escalate privileges across the domain environment.
Understand about Azure Hybrid Identities and ways to abuse.

VIII. Cross Forest Attacks

Understand about various ways to enumerate ways to gain access across the forest trust.
Understand about sIDHistory, Trust Keys and leverage the same to move across the forest.
Understand how delegation based attacks can be leverages to escalate privileges across the forest.
Learn about ways to enumerate SQL Servers and leverage the DBLinks to move laterally across the forest.
Understand about Foreign Security Principals and ways to abuse the same to move across the forest.
Learn and Execute SID Filtering bypass.
Enumerate abusable ACLs and abuse the same to move across the forest.
Understand about PAM trust.

IX. Defenses

Understand about privileges groups, security flags/settings that can be configured on the privilege accounts / groups.
Learn and understand the need to leveraging Privilege Administrative Workstation.
Learn and understand about Time Bound Administrations (JIT & JEA).
Learn about Tier Model & ESAE environment.
Learn about various security features such as Credential Guard, WDAC, MDI, LAPS, Protected Users Group etc.

X. Detection & Detection Bypasses

Learn about ways to detect attacks such as Kerberoasting, Skeleton Keys, Golden Ticket, Custom SSP etc.
Learn ways to bypass detection & security solutions like MDI.

XI. Deception

Learn about various Deception techniques that can be deployed in an Active Directory Environment to deceive the attacker.

rd lab purchase

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$299

​30 DAYS LAB EXTENSION + ONE CERTIFICATION EXAM ATTEMPT

$249

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$499

EXAM REATTEMPT

$99

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$699

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

30 DAYS LAB ACCESS FOR CERT RENEWAL

$179

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase

You need a Google account to access the lab portal advancedbootcamp.enterprisesecurity.io

Purchase includes access to our Attacking and Defending Active Directory video course 14 Hours HD Videos

One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each

Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security

The above lab is a shared environment and certain pre-specified machines will be off-limits

If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

EXAM
REATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT