How to Attack Active Directory: Which Training is For You?
While many companies are moving to the cloud, it's still common to find Active Directory (AD) deployed locally in Windows environments. During internal network pen tests, I was pretty comfortable with lateral movement and privilege escalation (via missing patches or LLMNR/NBT-NS/IPv6, open network shares, etc.) but felt lacking in how I could leverage attacks against AD to provide more impact during the assessment. In my journey to get better at attacking AD, I was able to enroll in different free and paid courses. This blog post will provide you with an overview of the four I found to be most beneficial personally.
Certified Red Team Operator (CRTO) - Zero Point Security
The CRTO is a Red Team-specific training course designed to teach the student how to gain initial access to internal Active Directory systems and pivot to a complete compromise of the internal network infrastructure. This is done through Cobalt Strike, making it unique among the other courses here in that the student uses one of the most widely used Command and Control (C2) frameworks in the industry. As of the time of writing, it is likewise the only way to practice with Cobalt Strike outside of a professional license in the workplace, making CRTO an excellent choice for aspiring red teamers and penetration testers alike.
Course Highlights:
- Content Delivery: The course primarily uses text-based guides supplemented by videos for more complex attacks. This format allows students to take extensive notes and replicate attacks in the provided lab environment.
- Lab Environment: CRTO includes labs that start out simple and increase in complexity, including challenges requiring C# scripting for custom tool modifications. The labs simulate real-world scenarios and include operational security considerations to avoid triggering alerts.
- Cobalt Strike Focus: This course uniquely uses Cobalt Strike as the primary attack platform, making it highly applicable to actual engagements where a C2 framework is utilized.
Certified Red Team Professional (CRTP) - Altered Security
Another Red Team-focused course, CRTP takes a more manual approach to testing so that the student gains a firm grasp of what is being accomplished at each stage of an attack path, from initial access to total compromise of the domain. This is an excellent course for those who want to delve into the granular detail behind each specific Active Directory attack, but it might not be the first choice for newcomers to the field.
Course Highlights:
- PowerShell Emphasis: Unlike other courses, CRTP focuses heavily on using PowerShell for conducting attacks within the AD environment. This emphasis makes it especially useful in scenarios where a penetration tester might only have console access to initiate their attack path.
- Real-World Scenarios: The course covers relevant AD attacks, including Kerberos abuse and lateral movement through ACL modification. It prepares students for real-world applications by considering evasive techniques that are essential in professional settings.
Practical Ethical Hacking (PEH) - TCM Academy
PEH is the flagship course from TCM Academy and has had multiple additions over the years since it was first released to keep it relevant. Though the course offers much more than Active Directory training, a large chunk of it is dedicated to AD network attacks, from initial access to domain compromise. This is an especially great course for beginners in the field.
Course Highlights:
- Comprehensive Introduction: PEH is an introductory course that covers not just Active Directory but also buffer overflow attacks and basic web application hacking. It provides a solid foundation for understanding AD's architecture, making it suitable for beginners.
- DIY Lab Setup: Students are guided to set up their own lab environment using the provided instructions, which helps in gaining hands-on experience with AD configurations from an administrator's perspective.
- Interactive Learning: The course is video-based, and students apply the knowledge gained through videos in their self-created labs, enhancing practical skills.
OffSec Certified Professional (OSCP) - OffSec
OffSec (formerly Offensive Security) offers Active Directory training as a subset of the main training material for OSCP. It presents the same introductory AD attack vectors as most of the previously mentioned courses, but in general it does not go as deep into each attack. The depth of this course's AD material is closest to the PEH course in that it covers the absolute basics. That said, OffSec continues to update the course, and the newer content focuses more closely on real-world attacks than the absolute basics seen in earlier versions of the material.
Course Highlights:
- Active Directory Coverage: OSCP includes Active Directory as a subset of its broader content, focusing on real-world attack scenarios. The material is regularly updated to stay current with evolving AD threats and penetration testing standards.
- Flexible Lab Environment: The lab environment is extensive, allowing students to apply knowledge in variable contexts without direct guidance. This flexibility encourages deeper understanding and problem-solving skills.
- Versatility: Being part of a broader certification, OSCP offers more than just AD training, covering various penetration testing domains, making it a comprehensive choice for those looking to broaden their skill set across different areas of cybersecurity.
Which Will You Choose?
As you can see, each of these courses has its unique approach and focus within the realm of AD attacks. Depending on your prior knowledge, specific interests, and learning style preferences, you can choose a course that best suits your career goals in penetration testing. Regardless of your choice, each course offers valuable insights into penetration testing with Active Directory, preparing you for real-world engagements.
If your organization is looking to have a penetration test performed, take the first step and complete our short scoping questionnaire! Expect us to be in touch within 24 hours to set up an initial call.
About Ryan Warren
Ryan Warren is a Senior Penetration Tester with Schellman in the Little Rock, AR area, where he performs several offensive security assessments including internal/external network testing, social engineering, and web application tests. Prior to joining Schellman in 2022, Ryan worked in city government as an Information Security Coordinator, which included vulnerability management and incident response.