Hello! 👋 Almost a couple of weeks before writing this, I passed the Certified Red Team Professional (CRTP) certification by Altered Security, and this is my review of the course and exam material.

The Course

Altered Security published the course and lab environment called Attacking and Defending Active Directory. As the name suggests, the course covers various attack vectors within Active Directory and covers remediation strategies for the vulnerabilities discussed. Once you purchase the course, you will need to wait about a day to gain access to the lab environment, as support will reach out to you and ask when you would like to start the lab time.

Purchase Options

Altered Security offers a 30/60/90-day lab period, with the prices going for $249, $379, and $499 USD, respectively. I signed up for the 60-day lab time, which is more than enough time to take the exam, but I had admittedly dragged my feet throughout the study process 🙃. Thirty days is plenty of lab time to take the exam if you are pragmatic with your time management, as the videos is approximately 14 hours long at the time I took the course.

Material and Lab Access

I love that this course is taught from a unique angle, as you are tasked to attack the environment from the context of a Windows environment, as many popular courses (e.g., OSCP) instruct you to attack the environment via Kali Linux. The course demonstrates how you can use PowerShell to enumerate and attack the lab environment, in addition to somewhat living off the land using applications native to Windows. As a heads-up, you do need to perform some basic antivirus evasion and AMSI bypasses during the course and exam; however, this isn’t as daunting as it seems for the purposes of the lab and passing the exam.

The course material focuses on testing a patched AD environment, so you cannot rely on exploiting published CVEs to complete the lab and exam. This deviates from other courses such as OSCP, so you need to understand the fundamentals of AD to successfully complete the material.

At a high level, the course covers the following concepts below (with some anecdotes): You can find the full syllabus at the What will you learn? tab: https://www.alteredsecurity.com/adlab

• Enumeration
  • Use PowerShell to enumerate the target domain via PowerView and Active Directory module.
  • Use BloodHound to map the domain. - This is great for spotting any gaps in coverage from your enumeration phase, and it will also provide reference links for exploiting identified misconfigurations.
  • Discover ACLs, interesting group policies, and directional trusts between forests.
  • Identify users, groups, group memberships, computers, properties, etc.
• Local Privilege Escalation
  • Identify local administrator access across different computers with credentials you already have.
• Domain Privilege Escalation
  • Extract credentials from high-value targets (e.g., Domain Administrators) and replaying their credentials.
  • Abusing the Kerberos protocol (e.g., Kerberoasting).
  • Abuse unconstrained delegation, constrained delegation, and resource-based constrained delegation (RBCD).
• Domain Persistence and Dominance
  • Ticket forgery (e.g., Golden and Silver tickets).
  • Modify host security descriptors of the DC for command execution.
• Cross-Trust Attacks
  • Elevate privileges from a domain administrator to an enterprise administrator on the forest root. - Probably my favorite part of the course.
• Defenses
  • Implement changes to the AD domain to avoid the covered attack vectors (e.g., implementing LAPS, credential guard, auditing ACLs, following the principle of least privilege).

After signing up for the course via Google SSO, you will receive access to a lab portal, containing links to the course materials (videos and PDF lab walk through) to Google Drive and OneDrive. You can download the contents and save it for offline use. Additionally, you will be provided VPN access to RDP into your attacking machine, which already contains the tools necessary for you to complete the course. However, I used my browser to interface with the attacking machine the whole time, as it supports Apache Guacamole as well (though copying and pasting can become tricky at times).