Attacking and Defending Active Directory — Review
Due to my growing interest with Active Directory security, I began my journey to get experience and better understand how it works. There are very few trainings out there that provides Active Directory security training that is accompanied by a lab, and one of those few is Pentester Academy. You can learn more about their courses and training on their website.
I recently enrolled in the Attacking and Defending Active Directory Lab, which was the easiest red team lab they offer. They have 2 more red team AD labs, “Advanced Red Team Labs” and “Global Central Bank: Enterprise Cyber Range”. Technically, the labs gets harder as the security controls are more stringent and the environment gets larger(more domains and forests). Lab access can be 30,60, or 90 days.
I did not enroll in this lab with zero AD knowledge. I previously completed the Offshore lab from Hack the Box, which I believe was an awesome experience albeit the side CTF challenges. I was looking for a structured training which earns you a certification if you pass a hands-on exam, something I can afford(since I’m paying for this on my own), and something that can polish my methodology when doing assessments. That being said, I already have experience in doing some of the techniques discussed here in the lab, but not all of it.
Course and Lab
After paying for the lab access, you will get access to the materials. This includes the videos, slides, cheat sheet in solving the learning objectives in the labs, and other materials that would be helpful in your journey. Check out the “What will you learn” tab in their website for more details of the contents. You can access the lab environment either thru the browser or thru a VPN which you have to RDP to a Windows machine. You will start with a domain-joined computer and would need to work your way into compromising the domains and forests in the lab. The lab was always accessible, and you can continue your progress either using the VPN or the browser. Utilize the labs! Experiment on it especially if you do not have much experience dealing with an Active Directory environment. Focus on understanding how Active Directory works. I suggest that you compliment the course(yes, more studying!) by reading on how Kerberos works, as this plays a major role in securing Active Directory networks.
Also, the support team(which you can reach out via email) are very impressive. Their response is simple and straight forward and usually the response time is very minimal.
I then decided to book my exam on the day my lab time expires. Make sure to book your exams early as during my time, the exam slots for the whole month was full(most likely due to COVID). My lab time ended and I was not able to complete all the learning objectives because I felt lazy and was demotivated.
The exam is completely hands-on. You will be given 24 hours to solve the machines, and another 24 hours to write your report which should demonstrated how you solved the machines. This should include the commands and the screenshots. Reports with mitigations and recommendations receive a higher score, but this is not a requirement. Around 30 minutes before your exam, you will be given the information needed to access the exam environment. According to their site:
The students are provided access to an individual Windows environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.
To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. The students will need to understand how Windows domains work, as most exploits cannot be used in the target network.
At the end of the exam, students need to submit the detailed solutions to challenges along with practical mitigations.
I scheduled my exam to start at 6pm on a weekend. I enumerated rigorously and took notes of all the information I was able to gather. It took me quite a while to get going as I was missing a “step” to complete the path. I felt frustrated because I just need this part and things would get easier. I stayed calm since I was able to construct the path in my head(and my notes!). After I identified the missing “step”, I hit the bed knowing that I already know what to do to solve all the machines. By the next day, I woke up around 7am and started working on the exam. At around 3pm in the afternoon, I was able to solve all the target machines and submit my 43-page report. After almost a day, I received an email confirming that I successfully cleared the exam! It was satisfying that I passed the exam with enough sleep! Knowing myself, I could have easily pulled out an all-nighter to complete the exam. I’m glad I stuck with my mantra for the exam: Treat it like a normal day. Get enough sleep.
If you are interested into learning Active Directory security(even if you have no background on AD), this is one of the best courses out there. I would not say that this course is for someone who has no security background though, as there are concepts and exercises here that has a steep learning curve, but can easily be reduced if you take a much longer lab time. If you have no background, I think taking a 60 day or 90 day lab would give you ample time to catch up. Also, even if you are a blue teamer, you will still appreciate this course as it also provides mitigations and detection. I might take the Advanced Windows Red Team Lab really soon(who knows) to gain be a CRTE(Certified Red Team Expert), but we’ll see! Thank you Pentester Academy and Nikhil Mittal for the course!