SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How to Attack Active Directory: Which Training is For You?

Penetration Testing

While many companies are moving to the cloud, it's still common to find Active Directory (AD) deployed locally in Windows environments.  During internal network pen tests, I was pretty comfortable with lateral movement and privilege escalation (via missing patches or LLMNR/NBT-NS/IPv6, open network shares, etc.) but felt lacking in how I could leverage attacks against AD to provide more impact during the assessment.  In my journey to get better at attacking AD, I was able to enroll in different free and paid courses. This blog post will provide you with an overview of the four I found to be most beneficial personally.

Certified Red Team Operator (CRTO) - Zero Point Security 

The CRTO is a Red Team specific training course designed to teach the student how to gain initial access to internal Active Directory systems and pivot to a complete compromise of the internal network infrastructure. This is done through Cobalt Strike, making it unique among the other courses here in that the student uses one of the most utilized Command and Control (C2) frameworks in the industry. As of the time of writing, it’s likewise the only way to practice with Cobalt Strike outside of a professional license in the workplace, making CRTO an excellent choice for aspiring red-teamers and penetration testers alike. 

Course Highlights: 

  • Content Delivery: The course primarily uses text-based guides supplemented by videos for more complex attacks. This format allows students to take extensive notes and replicate attacks in the provided lab environment. 
  • Lab Environment: CRTO includes labs that start out simple and increase in complexity, including challenges requiring C# scripting for custom tool modifications. The labs simulate real-world scenarios and include operational security considerations to avoid triggering alerts. 
  • Cobalt Strike Focus: This course uniquely uses Cobalt Strike as the primary attack platform, making it highly applicable to actual engagements where a C2 framework is utilized. 

 

Certified Red Team Professional (CRTP) - Altered Security 

Another Red Team focused course, CRTP aims for a more manual approach to testing so that the student gains a firm grasp of what is being accomplished through each stage of an attack path, from initial access to total compromise of the domain. This is an excellent course for those who want to delve into the granularity behind each specific Active Directory attack, but might not be the first choice for newcomers to the field. 

Course Highlights: 

  • PowerShell Emphasis: Unlike other courses, CRTP focuses heavily on using PowerShell for conducting attacks within the AD environment. This emphasis makes it especially useful in scenarios where a penetration tester might only have console access to initiate their attack path. 
  • Real-World Scenarios: The course covers relevant AD attacks, including Kerberos abuse and lateral movement through ACL modification. It prepares students for real-world applications by considering evasive techniques that are essential in professional settings. 

 

Practical Ethical Hacking (PEH) - TCM Academy 

PEH is the flagship course from TCM Academy and has had multiple additions over the years since it was first released to keep it relevant. Though the course offers much more than Active Directory training, a large chunk of it is dedicated to AD network attacks, from initial access to domain compromise. This is an especially great course for beginners in the field. 

Course Highlights: 

  • Comprehensive Introduction: PEH is an introductory course that covers not just Active Directory but also buffer overflow attacks and basic web application hacking. It provides a solid foundation for understanding AD's architecture, making it suitable for beginners. 
  • DIY Lab Setup: Students are guided to set up their own lab environment using the provided instructions, which helps in gaining hands-on experience with AD configurations from an administrator's perspective. 
  • Interactive Learning: The course is video-based, and students apply the knowledge gained through videos in their self-created labs, enhancing practical skills. 

 

OffSec Certified Professional (OSCP) - OffSec 

OffSec (formally Offensive Security) offers Active Directory training as a subset of the main training material for OSCP. It presents the same introductory AD attack vectors as in most of the previously mentioned courses, but in general doesn’t go as deep into each attack. The depth of this course’s AD vector is closest to the PEH course in that it covers the absolute basics. That said, Offensive Security continues to provide updates to the course, and the newer content focuses more closely on real-world attacks than the absolute basics seen on earlier versions of the content. 

Course Highlights: 

  • Active Directory Coverage: OSCP includes Active Directory as a subset of its broader content, focusing on real-world attack scenarios. It regularly updates to stay current with evolving AD threats and penetration testing standards. 
  • Flexible Lab Environment: The lab environment is extensive, allowing students to apply knowledge in variable contexts without direct guidance. This flexibility encourages deeper understanding and problem-solving skills. 
  • Versatility: Being part of a broader certification, OSCP offers more than just AD training, covering various penetration testing domains, making it a comprehensive choice for those looking to broaden their skill set across different areas of cybersecurity. 

 

Which Will You Choose?

As you can see, each of these courses has its unique approach and focus within the realm of AD attacks. Depending on your prior knowledge, specific interests, and learning style preferences, you can choose a course that best suits your career goals in penetration testing. Regardless of your choice, each course offers valuable insights into penetration testing with Active Directory, preparing you for real-world engagements. 

If your organization is looking to have a penetration test performed, take the first step and complete our short scoping questionnaire! Expect us to be in touch within 24 hours to setup an initial call.

About Ryan Warren

Ryan Warren is a Senior Penetration Tester with Schellman in the Little Rock, AR area, where he performs several offensive security assessments including internal/external network testing, social engineering, and web application tests. Prior to joining Schellman in 2022, Ryan worked in city government as an Information Security Coordinator, which included vulnerability management and incident response.