Daniel Pramatarov

Daniel Pramatarov

Red/Blue Teamer & Malware Developer

CESP ADCS Reveiw

3 minute read

The Course Content

In short summary, the course covers a wide range of topics, including:

  • AD CS Enumeration
  • Stealing Certificates using Windows Crypto APIs, DPAPI, User store, Machine store and disk. -> THEFTx Attacks
  • Domain Privilege Escalation by abusing settings and misconfigurations -> ESCx Attacks
  • Machine and User Persistence by requesting and renewing certificates -> PERSTISTx Attacks
  • Domain Persistence using Forged certificates, Stolen Trusted Root certificates and more. -> DPERSTISTx Attacks
  • Bypassing CBA Patch and abusing some of the ESCx with enforced CBA in environment
  • Abusing VPN with Certificate-based authentication to pivot to different networks.
  • Pivoting to Azure by abusing Azure AD CBA.

Full information about pricing and carriculum of the course could be found HERE

Course Features:

  • Detailed explanations and materials provided.
  • Access to videos and course materials upon purchase.
  • Exploitation paths demonstrated from both Windows and Linux environments.

Target Audience:

  • Red Teamers or Penetration Testers: To expand their arsenal of tools and techniques.
  • Blue Teamers: To understand attack methodologies, remediation strategies, and detection methods.

Prerequisites:

  • To be comfortable with the course material, you should have an understanding of how Active Directory, Kerberos works, as well as knowledge of attacks such as Delegations, Pass-the-Hash (PtH), Silver/Golden Ticket, DCSync, Lateral Movement, ACL enumeration, and others. In other words, if you have a level of knowledge equivalent to CRTP, it’s more than enough

The Lab

The whole course is based on “Assume Breach” scenario. You are given and Credentials to a Windows machine that is connected to the AD environment and also you have installed WSL to try the attacks from Linux environemtn, also you have a option to use a VPN to connnect to the lab.

The lab is impressively stable, considering it is a shared environment among all students. There is a section that includes a Capture The Flag (CTF) challenges, where you must find and answer 40 questions related to the objectives. These questions run parallel to the videos and lab manual.Furthermore, there is a webpage where you can enter the flags you discover during the CTF challenge.

What surprised me was the scale of the lab, which was quite large. Combined with the objectives, it resembles mini scenarios that you might encounter in real-world environments.

Description of the image

There are three forests to explore, each with different misconfigurations and various entry points. Additionally, there is one Azure instance connected to the environment.

In short summary, I found the lab to be amazing.

My advice to prepare for the exam is to try to understand each of the topics and replicate them in the lab. And you should be well-prepared for the exam.

The Exam

The exam is much smaller in scale compared to the lab, consisting of four machines that need to be compromised.

You will be given 24 hours to compromise the network, followed by an additional 24 hours to write a report. Everything you need to pass the exam, including tools, will be provided.

Once you submit the exam report, you will receive results from Altered Security within 7 business days (excluding Saturday and Sunday).

With successful compromise of all machines and a well-written report, you should receive certification.

CESP - ADCS CERT