Certified Red Team Professional (CRTP), 9 GB, 2025



Certified Red Team Professional Lab Objective:

The importance of Active Directory in an enterprise cannot be stressed enough. Used by more than 90% of Fortune 1000 companies, the all-pervasive AD is the focal point for adversaries. Still, when it comes to AD security, there is a large knowledge gap that security professionals and administrators struggle to fill. Over the years, we have taught numerous professionals in real-world trainings on AD security and have consistently found a lack of quality material and, especially, a dearth of practice labs where one can practice AD attacks in a controlled environment.

Attacking and Defending Active Directory (Certified Red Team Professional) Lab is designed to provide a platform for security professionals to understand, analyze and practice threats and attacks in a modern Active Directory environment. The lab is beginner-friendly and comes with a complete video course and lab manual. The course and the lab are based on our years of experience making and breaking Windows and AD environments and teaching security professionals.


The lab is tightly integrated with the course and is designed as a practice lab rather than a challenge lab. We cover topics like AD enumeration, trusts mapping, domain privilege escalation, domain persistence, Kerberos based attacks (Golden ticket, Silver ticket and more), ACL issues, SQL server trusts, Defenses and bypasses of defenses.

What's Included


  • Access to a lab environment (One/Two/Three months) with updated Server 2022 machines. Lab can be accessed using a web browser or VPN.
  • A ready to use student VM in the cloud that has all the tools and Sliver C2 pre-installed.
  • Lifetime access to all the learning material (including course updates).
  • 14+ hours of video course with English captions.
  • Course slides.
  • Two lab manuals. One for solving the lab using standalone tools. Second for solving the labs using C2.
  • Walk-through videos.
  • One exam attempt for the Certified Red Team Professional (CRTP) certification.
  • Support on email and Discord.

What will you Learn?


The Attacking and Defending Active Directory Lab enables you to:

  • Practice various attacks in a fully patched, realistic Windows environment with Server 2022 and SQL Server 2017 machines.
  • Work across multiple domains and forests to understand and practice cross-trust attacks.
  • Learn and understand the concepts behind well-known Windows and Active Directory attacks.
  • Learn to use Windows as an attack platform, using trusted features of the OS like .NET, PowerShell and others for attacks.
  • Bypass defenses like Windows Defender, Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI).


Prerequisites for the course


  • Basic understanding of Active Directory.
  • Ability to use command line tools on Windows.


Course Content

23 Learning Objectives, 59 Tasks, >120 Hours of Torture


I. Active Directory Enumeration

  • Use scripts, built-in tools and Active Directory module to enumerate the target domain.
  • Understand and practice how useful information like users, groups, group memberships, computers and user properties is available from the domain controller to even a normal domain user.
  • Understand and enumerate intra-forest and inter-forest trusts. Practice how to extract information from the trusts.
  • Enumerate Group policies.
  • Enumerate ACLs and learn to find out interesting rights on ACLs in the target domain to carry out attacks.
  • Learn to use BloodHound and understand its applications in a red team operation.
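The enumeration above, as an added example that is not part of the course material or its lab manual. It uses only the RSAT ActiveDirectory module and runs as an ordinary domain user: domain and trust properties, the delegation and SPN settings a normal user can read, and an ACL pass over Domain Admins and the domain head that reports take-over rights and the two replication extended rights that together allow DCSync. The list of "expected" principals filtered out as noise and the helper name are assumptions for illustration.

```powershell
# Added example, not part of the course material. Assumes the RSAT
# ActiveDirectory module is installed and the session runs as an ordinary
# domain user; everything below is readable without admin rights by default.
Import-Module ActiveDirectory

# Domain basics and trusts. Direction, transitivity and the SID filtering /
# selective authentication flags decide which cross-trust attacks are viable.
$Domain = Get-ADDomain
'Domain {0} (SID {1}); DCs: {2}' -f $Domain.DNSRoot, $Domain.DomainSID, ($Domain.ReplicaDirectoryServers -join ', ')
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest, SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# Accounts with SPNs (Kerberoast targets), hosts with unconstrained delegation
# and principals with constrained delegation configured.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, AdminCount |
    Select-Object SamAccountName, AdminCount, @{ n = 'SPN'; e = { $_.ServicePrincipalName -join ';' } }
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' | Select-Object Name, DNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }

# ACL review. Control rights that let a principal take over an object, plus the
# two replication extended rights that together allow DCSync when held on the
# domain head. Principals expected to hold them are filtered out as noise
# (the filter list is an assumption; extend it for your environment).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$Expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain|Enterprise) Admins|.+\\(Enterprise )?Domain Controllers)$'

function Get-InterestingAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $Expected) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $hit = $null
        if ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') { $hit = $rights }
        elseif ($rights -match 'ExtendedRight') {
            $guid = $ace.ObjectType.ToString()
            if ($ReplRights.ContainsKey($guid)) { $hit = $ReplRights[$guid] }
            elseif ($guid -eq '00000000-0000-0000-0000-000000000000') { $hit = 'ExtendedRight (all)' }
        }
        if ($hit) {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $ace.IdentityReference.Value; Right = $hit; Inherited = $ace.IsInherited }
        }
    }
}

# Who can take over Domain Admins, and who holds DCSync rights on the domain head?
Get-InterestingAce -DistinguishedName (Get-ADGroup 'Domain Admins').DistinguishedName
Get-InterestingAce -DistinguishedName $Domain.DistinguishedName | Format-Table -AutoSize
```

Every call here is a plain LDAP read, which is why the course stresses that a normal user sees all of it. A null ObjectType GUID on an ExtendedRight ACE means all extended rights, which includes both replication rights, so it is reported rather than skipped.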

II. Offensive PowerShell Tradecraft

  • Learn how PowerShell tools can still be used for enumeration.
  • Learn to modify existing tools to bypass Windows Defender.
  • Bypass PowerShell security controls and enhanced logging like System Wide Transcription, Anti Malware Scan Interface (AMSI), Script Block Logging and Constrained Language Mode (CLM).

III. Offensive .NET Tradecraft

  • Learn how to modify and use .NET tools to bypass Windows Defender and Microsoft Defender for Endpoint (MDE).
  • Learn to use .NET Loaders that can run assemblies in-memory.

IV. Local Privilege Escalation

  • Learn and practice different local privilege escalation techniques on a Windows machine.
  • Hunt for local admin privileges on machines in the target domain using multiple methods.
  • Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines.

V. Domain Privilege Escalation

  • Learn to find credentials and sessions of high-privilege domain accounts like Domain Administrators, extract their credentials and then use credential replay attacks to escalate privileges, all while using only built-in protocols for pivoting.
  • Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level.
  • Understand the classic Kerberoast and its variants to escalate privileges.
  • Enumerate the domain for objects with unconstrained delegation and abuse it to escalate privileges.
  • Find domain objects with constrained delegation enabled. Understand and execute the attacks against such objects to escalate privileges to a single service on a machine and to the domain administrator using alternate tickets.
  • Learn how to abuse privileges of Protected Groups to escalate privileges.


VI. Domain Persistence and Dominance

  • Abuse Kerberos functionality to persist with DA privileges. Forge tickets to execute attacks like Golden ticket, Silver ticket and Diamond ticket to persist.
  • Subvert the authentication on the domain level with Skeleton key and custom SSP.
  • Abuse the DC's Directory Services Restore Mode (safe mode) Administrator account for persistence.
  • Abuse the protection mechanism like AdminSDHolder for persistence.
  • Abuse minimal rights required for attacks like DCSync by modifying ACLs of domain objects.
  • Learn to modify the host security descriptors of the domain controller to persist and execute commands without needing DA privileges.


VII. Cross Trust Attacks

  • Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admin on the forest root by abusing Trust keys and krbtgt account.
  • Execute inter-forest trust attacks to access resources across a forest trust.
  • Abuse SQL Server database links to achieve code execution across forest by just using the databases.


VIII. Abusing AD CS

  • Learn about Active Directory Certificate Services and execute some of the most popular attacks.
  • Execute attacks across Domain trusts to escalate privileges to Enterprise Admins.


IX. Defenses and bypass – MDE EDR

  • Learn about Microsoft’s EDR – Microsoft Defender for Endpoint.
  • Understand the telemetry and components used by MDE for detection.
  • Execute an entire chain of attacks across forest trust without triggering any alert by MDE.
  • Use the Microsoft 365 Defender portal to verify the MDE bypass.


X. Defenses and bypass – MDI

  • Learn about Microsoft Defender for Identity (MDI).
  • Understand how MDI relies on anomaly detection to spot an attack.
  • Bypass various MDI detections throughout the course.


XI. Defenses and bypass – Architecture and Work Culture Changes

  • Learn briefly about the architecture and work-culture changes required in an organization to avoid the discussed attacks. We discuss temporal group membership, ACL auditing, LAPS, SID filtering, selective authentication, Credential Guard, Device Guard, the Protected Users group, PAWs, tiered administration and ESAE (Red Forest).


XII. Defenses – Monitoring

  • Learn about useful events logged when the discussed attacks are executed.
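Two of the events this section refers to, worked as an added example (not course material): Security event 4769 for Kerberoast and 4662 for DCSync. The script flattens an event's XML into fields, classifies it, runs once over a constructed sample 4769 and then sweeps the live Security log. The sample values (user, SPN, IP, domain name) are made up, and the function names are assumptions.

```powershell
# Added example, not part of the course material. Reads the Security log of the
# DC it runs on (add -ComputerName for a remote DC). Assumes the "Audit Kerberos
# Service Ticket Operations" and "Audit Directory Service Access" subcategories
# are enabled; otherwise 4769 / 4662 are never written. The sample event at the
# end is constructed for illustration.
$ReplGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

# Flatten an event's <EventData><Data Name="..."> fields into one object.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)][xml]$Xml)
    $id = $Xml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # legacy events carry a Qualifiers attribute
    $o = [ordered]@{ Id = [int]$id; Time = $Xml.Event.System.TimeCreated.SystemTime }
    foreach ($d in $Xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

# Classify one flattened event; returns nothing for benign events.
function Get-AttackIndicator {
    param([Parameter(Mandatory)]$E)
    switch ($E.Id) {
        4769 {
            # Successful TGS request with RC4 (0x17) for a user service account. Modern
            # clients ask for AES, so RC4 to a non-machine, non-krbtgt SPN is the
            # classic Kerberoast footprint (tools that request AES will not show here).
            if ($E.Status -eq '0x0' -and $E.TicketEncryptionType -eq '0x17' -and
                $E.ServiceName -notmatch '\$$' -and $E.ServiceName -ne 'krbtgt') {
                [pscustomobject]@{ Time = $E.Time; Indicator = 'Kerberoast'; Who = $E.TargetUserName; From = $E.IpAddress; What = $E.ServiceName }
            }
        }
        4662 {
            # Replication extended rights exercised by something other than a DC
            # computer account: the DCSync footprint.
            if ($E.Properties -match $ReplGuids -and $E.SubjectUserName -notmatch '\$$') {
                $used = ([regex]::Matches($E.Properties, $ReplGuids) | ForEach-Object { $_.Value }) -join ','
                [pscustomobject]@{ Time = $E.Time; Indicator = 'DCSync'; Who = "$($E.SubjectDomainName)\$($E.SubjectUserName)"; From = ''; What = $used }
            }
        }
    }
}

# Constructed sample 4769, the shape a Kerberoast request leaves behind.
$Sample4769 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2025-01-10T09:12:33.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">studentuser@CORP.LOCAL</Data>
    <Data Name="ServiceName">svcadmin</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.0.0.5</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@
Get-AttackIndicator (ConvertFrom-EventXml ([xml]$Sample4769))   # yields one 'Kerberoast' row

# Live sweep of the last 24 hours.
$Start = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769, 4662; StartTime = $Start } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AttackIndicator (ConvertFrom-EventXml ([xml]$_.ToXml())) } |
    Format-Table -AutoSize
```

Baseline before alerting on either: some legacy applications still request RC4 tickets, and DCs replicate constantly, which is why the DCSync check drops subjects ending in `$`. A Kerberoast run that asks for AES tickets, or a DCSync performed from a compromised DC computer account, passes both checks, so treat them as the cheap first layer, not the whole detection.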


XIII. Defenses and Bypass – Deception

  • Understand how deception can be effectively deployed as a defense mechanism in AD.
  • Deploy decoy user objects that have interesting properties set, hold ACL rights over other users and appear to have high-privilege access in the domain, along with the available protections.
  • Deploy computer objects and group objects to deceive an adversary.
  • Learn how adversaries can identify decoy objects and how defenders can avoid having their decoys detected.
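A decoy user built along the lines of the bullets above, as an added example that is not part of the course or any of its tooling. It creates a Kerberoastable-looking account with tempting attributes, gives it an ACL edge over another account so it shows up in graph tooling, and then sets a SACL so that any LDAP read of the decoy produces Security event 4662 on the DC. The OU, account names and SPN host are assumptions for illustration.

```powershell
# Added example, not part of the course material. Run as a domain admin from a
# host with the RSAT ActiveDirectory module. The OU, decoy name, SPN host and the
# low-value account used for the ACL edge are assumptions; pick values that
# blend into your own naming conventions.
Import-Module ActiveDirectory
$Domain = Get-ADDomain
$OU     = "OU=Service Accounts,$($Domain.DistinguishedName)"   # assumed to exist
$Name   = 'svc-backup-legacy'

# Random 32-character password that nobody records; the account is bait, never used.
$pw = ConvertTo-SecureString (-join ((1..32) | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })) -AsPlainText -Force

# Properties that make the decoy look worth attacking: an SPN (Kerberoastable),
# RC4-only encryption, a tempting description, and adminCount=1 so it surfaces
# in "privileged account" enumeration although it is in no privileged group.
New-ADUser -Name $Name -SamAccountName $Name -Path $OU -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -Description 'Legacy backup service - do not disable' `
    -ServicePrincipalNames "MSSQLSvc/bkp01.$($Domain.DNSRoot):1433" `
    -OtherAttributes @{ adminCount = 1; 'msDS-SupportedEncryptionTypes' = 4 }

# An ACL right BloodHound will draw as an edge (WriteDacl over another account).
# It is only usable by whoever holds the decoy's password, which nobody does.
$edgeTarget = Get-ADUser 'svc-report'            # assumed existing low-value account
$decoySid   = (Get-ADUser $Name).SID
$acl = Get-Acl -Path "AD:\$($edgeTarget.DistinguishedName)"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $decoySid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AccessControlType]::Allow)))
Set-Acl -Path "AD:\$($edgeTarget.DistinguishedName)" -AclObject $acl

# The tripwire: audit every read of the decoy's attributes by Everyone. Plain
# LDAP enumeration touching this object then logs Security event 4662 on the DC
# (needs "Audit Directory Service Access" enabled for Success on the DCs).
$dn  = (Get-ADUser $Name).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn" -Audit
$acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',        # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ReadControl',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')))
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Confirm the SACL landed.
(Get-Acl -Path "AD:\$dn" -Audit).Audit | Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags -AutoSize
```

Expect noise from the DCs themselves, backup agents and AV that read every object; filter those subjects out of the resulting 4662 events rather than narrowing the SACL. The last bullet of the section is the other half of the problem: a decoy created yesterday with logonCount 0 and no lastLogon stands out to an attacker who checks those attributes, so a real deployment also has to make the decoy look used, which this example does not do.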


Certification

Certified Red Team Professional (CRTP)
The Certified Red Team Professional is a completely hands-on certification. To be certified, a student must solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges a student to compromise Active Directory by abusing features and functionalities without relying on patchable exploits. Students will have 24 hours for the hands-on certification exam.



A certification holder has the skills to understand and assess security of an Active Directory environment.



Changelog
19 January 2025
- Added back the slides on Loader.exe in the Offensive .NET section of the slides.
- Fixed a typo in Learning Objective - 5 of the slides and lab manual.

17 January 2025
- Updated Lab Diagram, Attack Paths Diagram and minor corrections to trust diagrams.
- Updated Slides and Slide Notes to include updated diagrams.

10 January 2025
- MAJOR UPDATE - Updated slides, lab manual, Tools.zip and walkthrough videos.
- You can now see both MDE and MDI alerts in dashboard that is accessible using lab portal.

1 October 2024
- Updated Tools.zip to include updated AMSI bypass.
- Updated AMSI bypass in the lab manual.

5 September 2024
- Added videos on how to connect to the lab. Check out the 'ConnectingToTheLab' directory.

29 July 2024
Changes to the Sliver Lab Manual
- Replaced C:\AD\Tools with C:\AD\Tools\Sliver across all the Learning Objectives.

4 July 2024
Lab Manual Changes
- Fixed missing 'Get-DomainGroupMember -Identity "Domain Admins"' command in Learning Objective - 1
- Fixed minor typos.

31 May 2024
- Modified the Offensive .NET slides to include new obfuscation tools.
- Modified tool paths in the Sliver lab manual.
- Updated Tools.zip

20 May 2024
Changes to the Sliver Lab Manual
- Added Learning Objective 23
- Fixed winrm extension issues

15 April 2024
Changes to the Lab Manual
- Updated AMSI bypass in the lab manual.
- Included the method to create Invoke-PowerShellTCPEx in Learning Objective - 22
- Added the missing 'netsh' command in Learning Objective - 7
- Fixed a typo for 'echo %Pwn%' in Learning Objective - 18

27 February 2024
- Fixed typos in the lab manual - Pages 80, 82 and 105.

19 February 2024

- Added Sliver C2 Lab Manual
- Removed Covenant C2 Lab Manual
- Updated Tools.zip

2 February 2024

Changes in the lab manual
- Added a missing screenshot of BloodHound CE in Learning Objective - 6
- OPSEC changes to all Rubeus and SafetyKatz commands.

19 January 2024
Changes in the Slides
- Added golden ticket forging using Rubeus
- Added silver ticket forging using Rubeus
- Modified Learning Objective 9 that now includes forging silver ticket for HTTP.
- Modified Learning Objectives 8,18,19 and 20 to include ticket forging using Rubeus.

Changes in the lab Manual
- Modified Learning Objectives 8,9,18,19 and 20 to include ticket forging using Rubeus.

- Updated walkthrough videos of Learning Objectives 8,18,19 and 20 to include ticket forging using Rubeus.

20 November 2023

Changes in the Lab Manual
- Made changes to Learning Objective 23. We are now saving the memory dump directly to the studentVM file share.

13 November 2023

Changes in Slides
- Removed command from AD CS section for listing Certificate templates.
- Updated slides on Bypassing AV Signatures for Invoke-Mimikatz
- Added a section on MDE and a new Learning Objective 23

Changes in Lab Manual
- Added Learning Objective 23

- Updated walkthrough video for Learning Objective 6 to include BloodHound CE

