Windows Red Team Lab (CRTE)

Advanced Red Team Lab Objective:

Most enterprise networks today are managed using Active Directory and it is imperative for a security professional to understand the threats to the Windows infrastructure. Our Certified Red Team Expert (CRTE) course and lab is designed to provide a platform for security professionals to understand, analyze and practice threats and attacks against a modern Windows network infrastructure.

Our Certified Red Team Expert (CRTE) course and lab simulates real world attack-defense scenarios and require you to start with a non-admin user account in the domain and work your way up to enterprise admin of multiple forests. The focus is on exploiting the variety of overlooked domain features and not just software vulnerabilities.

This huge lab has multiple interesting tasks that are designed and built upon years of the author’s experience of red teaming windows environments. Every lab task is comprised of multiple challenges like active directory enumeration, local and forest privilege escalation, network pivoting, application allowlisting bypass, active user simulation, Kerberos delegation issues, SQL Servers, forest trusts, Azure hybrid identity and more! Whether you are a beginner, a seasoned red teamer, or a veteran blue teamer, the lab has something for everyone!

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a lab environment (One/Two/Three months) with updated Server 2019 machines. Lab can be accessed using a web browser or VPN.
A ready to use student VM in the cloud that has all the tools and Sliver C2 pre-installed.
Life time access to all the learning material (including course updates).
14+ hours of video course with English captions.
Course slides.
Two lab manuals. One for solving the lab using standalone tools. Second for solving the labs using C2.
Walk-through videos.
One exam attempt for the Certified Red Team Expert (CRTE) certification.
Life time access to all the learning material (including course updates).

What will you Learn?

The Advanced Red Team Lab enables you to:

Practice various attacks in a fully patched real world Windows environment with Server 2019 and SQL Server 2017 machines.
Abuse Active Directory and Windows features like LAPS, gMSA, AD CS and more
Execute and visualize the attack path used by the modern adversaries.
Attack Azure AD Integration (Hybrid Identity).
Try new TTPs in a fully functional AD environment.
Understand defenses and their bypasses for (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, etc.)
Bypassing defenses like Windows Defender, Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI).

Basic understanding of red teaming/penetration testing or blue teaming/security administration of AD environment
Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.
If you are new to Red Teaming, Enterprise security and Active Directory security, you may like to go for the beginner's level course - CRTP.

Prerequisites for the course

Purchase On-Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$299

Extension

30 DAYS
LAB EXTENSION
+
ONE COMPLEMENTARY EXAM ATTEMPT

$249

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$699

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Reattempt

EXAM
REATTEMPT

$99

Certificate Renewal - Only For Existing CRTE Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$179

Reattempt

ADDITIONAL RENEWAL EXAM

$29

Add to cart

.

Purchase includes : 30 days lab access + course material + one certification exam attempt

Terms of Purchase and Use:

You can start your lab access anytime within 90 days (180 days in case you have purchased the lab on Diwali / Black Friday sale) of purchase
You need a Google account to access the lab portal enterprisesecurity.io
Purchase includes access to our Attacking and Defending Active Directory video course 14 Hours HD Videos
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On-Demand Lab

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$299

Extension

30 DAYS
LAB EXTENSION
+
ONE COMPLEMENTARY EXAM ATTEMPT

$249

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$699

Reattempt

EXAM
REATTEMPT

$99

Certificate Renewal - Only For Existing CRTE Certified Student

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$179

Reattempt

ADDITIONAL RENEWAL EXAM

$29

Add to cart

.

Purchase includes : 30 days lab access + course material + one certification exam attempt

Terms of Purchase and Use:

You can start your lab access anytime within 90 days (180 days in case you have purchased the lab on Diwali / Black Friday sale) of purchase
You need a Google account to access the lab portal enterprisesecurity.io
Purchase includes access to our Attacking and Defending Active Directory video course 14 Hours HD Videos
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Certified Red Team Expert (CRTE)

The Certified Red Teaming Expert is a completely hands-on certification. The certification requires students to solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple domains and forests. The certification challenges students to look at the complete infrastructure like a true enterprise network and does not rely only on breaking individual machines. Students will have 48 hours to complete the hands-on certification exam.

A certification holder has the expertise to assess security of an enterprise windows infrastructure having multiple domains & forests by just abusing the functionality & trusts.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Expiry and Renewal

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. The renewal exam is FREE before the certificate expires. CRTE can also be renewed by taking CRTM. Please take a look at this blog post for more details: https://www.alteredsecurity.com/post/renewal-process-for-altered-security-certifications

Exam Structure

The students are provided access to an individual AD environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.

To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. The students will need to understand how Windows domains work, as most exploits cannot be used in the target network.

At the end of the exam, students need to submit the detailed solutions to challenges along with practical mitigations.

Certificate Benefits

CRTE is the next level after CRTP. CRTE is one of the well-known certifications that establishes your credentials as a security professional who has intermediate/expert level of hands-on and understanding of red team, enterprise security and Active Directory security skills.

A certificate holder has demonstrated the capability of enumerating and understanding an unknown Windows network and can identify misconfigurations, functionality abuse and trusts abuse. She can use, write and modify open source tools and can abuse other built-in tools to perform enumeration, local privileges escalation, impersonation, pivoting, whitelisting bypasses, and antivirus evasion as well as identify sensitive data with minimal chances of detection.

30 Learning Objectives, 62 Tasks, >300 Hours of Torture

I. Active Directory Enumeration

Leverage built-in binaries, tools, scripts, and open source tools such as Bloodhound for enumerating Active Directory.
Understand enumeration OPSEC to bypass detections from tools like Microsoft Defender for Identity (MDI) and other Identity defense tools.
Understand about Domain and Forest trust and ways to enumerate the trust.
Enumerate and understand about ACLs

II. Local Privilege Escalation

Understand the approach of escalating privileges locally on the Windows system.
Understand OPSEC to enumerate local admin access on remote machines.

III. Offensive .NET and PowerShell Tradecraft

Understand the approach of customizing/obfuscating tools and scripts and understand the approach to bypass Windows Defender Antivirus.
Understand about various logging mechanism and ways to evade them.
Learn about various ways to load scripts and tools in memory.
Use customized tools for extracting credentials, bypassing Windows Defender.

IV. Domain Privilege Escalation

Understand about Kerberos authentication.
Enumerate the domain environment and explore avenues to escalates the privileges.
Learn about Kerberoasting attack and OPSEC considerations for performing Kerberoasting attack.
Understand about gMSA and learn to generate the gMSA password offline with appropriate privileges.
Learn, understand and abuse delegation based configurations available in Active Directory environment.
Explore options to abuse misconfigured ACLs for escalating privileges.

V. Lateral Movement

Learn about various ways to extract credentials.
Understand various ways to gain remote access on the target machine and OPSEC considerations.
Abusing the ACLs to extract credentials from LAPS or generate gMSA credentials.

VI. Domain Dominance & Persistence

Understand how to abuse privileges in the domain environment to deploy persistence in the domain environment.
Learn about Golden, Silver and Diamond ticket usages and OPSEC considerations.
Understand about AdminSDHolder system container that can be leveraged for deploying persistence on Protected Groups.
Understand and abuse ACLs applied on the remote access protocols.
Understand about Skeleton Key, DSRM, Custom SSP based persistence techniques.
Computer and User account takeover – Shadow Credentials.

VII. Cross Domain Attacks

Understand how to leverage KRBTGT account hash or Trust key to move across the domain.
Learn and understand about Active Directory Certificate Services (AD CS) environment and ways to abuse the AD CS misconfigurations to escalate privileges.
Understand how delegation based attacks can be leverages to escalate privileges across the domain environment.

VIII. Cross Forest Attacks – Executing usual attacks across Forest Trusts

Enumerate information access across the forest trust.
Understand about sIDHistory and its abuse using Trustkeys and krbtgt to move across the forest trust.
Learn about ways to enumerate SQL Servers and leverage the Database Links to move laterally across the forest.

IX. Cross Forest Attacks – The lesser-known ones

Understand about Azure Hybrid Identities and ways to abuse.
Understand how delegation-based attacks can be used to escalate privileges across the forest.
Understand about Foreign Security Principals and ways to abuse the same to move across the forest.
Learn and Execute SID Filtering bypass.
Enumerate ACLs and abuse them to move across the forest.
Understand PAM trust and execute attacks by compromising the admin/bastion forest.
Learn and execute attacks against trust transitivity.

X. Defenses and bypass – MDE EDR

Learn about Microsoft’s EDR – Microsoft Defender for Endpoint.
Understand the telemetry and components used by MDE for detection.
Execute an entire chain of attacks across forest trust without triggering any alert by MDE.
Use Security 365 dashboard to verify MDE bypass.

XI. Defenses and bypass – MDI

Learn about Microsoft Identity Protection (MDI).
Understand how MDI relies on anomaly to spot an attack.
Bypass various MDI detections throughout the course.

XII. Defenses

Understand about privileges groups, security flags/settings that can be configured on the privilege accounts / groups.
Learn and understand the need to leveraging Privilege Administrative Workstation.
Learn and understand about Time Bound Administrations (JIT & JEA).
Learn about Tier Model & ESAE environment.
Learn about various security features such as Credential Guard, WDAC, MDI, LAPS, Protected Users Group etc.

XIII. Detection & Detection Bypasses

Learn about ways to detect attacks such as Kerberoasting, Skeleton Keys, Golden Ticket, Custom SSP etc.
Learn ways to bypass detection & security solutions like MDI.

XIV. Deception

Learn about various Deception techniques that can be deployed in an Active Directory Environment to deceive the attacker.

rd lab purchase

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$299

​30 DAYS LAB EXTENSION + ONE COMPLEMENTARY EXAM ATTEMPT

$249

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$499

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$699

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

EXAM REATTEMPT

$99

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

30 DAYS LAB ACCESS FOR CERT RENEWAL

$179

ADDITIONAL RENEWAL EXAM

$29

.

Purchase includes : 30 days lab access + course material + one certification exam attempt

Terms of Purchase and Use:

You can start your lab access anytime within 90 days (180 days in case you have purchased the lab on Diwali / Black Friday sale) of purchase

You need a Google account to access the lab portal enterprisesecurity.io

Purchase includes access to our Attacking and Defending Active Directory video course 14 Hours HD Videos

One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each

Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security

The above lab is a shared environment and certain pre-specified machines will be off-limits

If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

30 DAYS
LAB EXTENSION
+
ONE COMPLEMENTARY EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

EXAM
REATTEMPT