We know times are tough right now because of COVID-19 so we are offering a MASSIVE Discount. Stay safe and happy learning!

Global Central Bank: An Enterprise Cyber Range:

Global Central Bank (GCB) is a one-of-a-kind Enterprise Windows and Active Directory Cyber Range. It helps enterprises test capabilities of both their Red and Blue teams in an Enterprise Windows network.

GCB is a true multi-forest environment that mimics a financial institution's network. Teams can test cutting-edge TTPs as GCB is built completely on fully patched Server 2019 machines. It includes abuse or bypass of many recommended defence mechanisms, including LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization and more. User simulation is used to make it a true enterprise network.

It is useful for both Red and Blue teams as very verbose logging is configured across the lab and teams can analyse the logs using the ELK installation in the labs.

GCB enables enterprises to simulate actual adversaries by focusing on goals rather than just getting privileged access to machines. For effective adversary simulation and exciting gamification, the end goal of GCB is to initiate a fake transfer of funds from the target bank.

GCB comes with a video course that covers the concepts required to challenge the lab. All students will be provided with 3 hours of video course material. This will cover important concepts required to begin with the lab.

What will you learn?

GCB is ideal for:

  • Understanding and practicing current and futuristic threats.
  • Any TTP tested in GCB will be usable for years to come as it uses fully patched Server 2019 machines.
  • Sharpen your AD security skills by applying them to a unique multi-forest environment.
  • Understand that getting Domain Admin privileges is just the beginning of Enterprise compromise, even in Active Directory!
  • Testing lateral movement and domain dominance from a beachhead.
  • Abuse or bypass modern Windows features like LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization and more.
  • Analyzing the adversary attack methodology using logs.

The following are the prerequisites for the lab:

  • Basic understanding of red teaming/penetration testing or blue teaming/security administration of an AD environment
  • Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.

Like a real-world red team operation, GCB challenges your understanding of TTPs. With a basic understanding of Enterprise security and the Windows environment, you can crack the lab, although we still expect GCB to be very challenging.

If you are not familiar with how to approach attacking Windows and Active Directory based enterprise environments, you may like to go for our Active Directory Attack-Defense lab.

46 Challenges and >450 Hours of Torture :)


Section 1: Abuse defence mechanisms, exploit modern Windows features, extract secrets

Difficulty Level: High

Estimated Completion Time: 16 hours

Number of challenges: 3

Section Objective: You have to enumerate the target forest for interesting information and use that to get access to a server by abusing a defence mechanism.

Learning Elements:

  • Domain Enumeration
  • Abusing secrets management solution
  • Permissions abuse
  • Local Privilege Escalation
  • Extracting secrets without popular tools

Section 2: Hunt for privileges, replay credentials, pivot across forest trusts

Difficulty Level: High

Estimated Completion Time:  46 hours

Number of challenges: 6

Section Objective:  Cross a forest boundary in this objective! You have to pivot through multiple machines and a forest trust. Extract credentials, replay them, solve Kerberos double hop issue across forest and battle network segmentation!

Learning Elements:

  • Domain Enumeration
  • Pivoting
  • Extracting clear text credentials across forest trust
  • Tackle Kerberos double hop across forest
  • Use administrative tools to elevate privileges

 


Section 3: Enumerate permissions, exploit delegation, abuse enterprise application, utilize network sniffers, abuse user simulation

Difficulty Level: High

Estimated Completion Time:  34 hours

Number of challenges: 4

Section Objective:  Exploit delegation issues in this one and execute lateral movement to access other machines. Using password of an enterprise application retrieved from a third machine, extract multiple clear-text credentials that will be useful later.

Learning Elements:

  • Extracting system secrets
  • Understanding and abusing enterprise applications on the fly.
  • Abuse built-in tools for extracting credentials
  • Exfiltration of information
  • Understand and abuse delegation

 


Section 4: Bypass logon restrictions, lateral movement across forest trust, play with Kerberos tickets

Difficulty Level: Medium

Estimated Completion Time:  16 hours

Number of challenges: 2

Section Objective:  Use credentials extracted earlier to laterally move across forest. But before that, bypass logon restrictions to be able to access machines which have network connectivity across forests.

Learning Elements:

  • Understand logon types and their limitations.
  • Forge and replay Kerberos tickets
  • Enumerate credentials usable across forest

 


Section 5: Bypass AV, tackle Kerberos double-hop, abuse delegation, extract credentials from DC in the other forest, escalate from child to forest root in the other forests

Difficulty Level: High

Estimated Completion Time:  44 hours

Number of challenges: 6

Section Objective: Bypass AV, extract credentials and use the credentials to move across forest. Tackle the Kerberos double-hop issue and delegation to be able to move laterally in the target forest. Escalate privileges in the other forest to domain admin. From DA, escalate to enterprise admin in the root domain of the target forest. All this from a single foothold machine in the target forest, which introduces some super interesting manoeuvres.

Learning Elements:

  • Bypassing AntiVirus
  • Forging Kerberos tickets
  • Tackle Kerberos double hop
  • Understand and abuse delegation for privilege escalation
  • Child to forest root privilege escalation
  • Pivoting across forest trust
  • Enumeration across forest trust

 


Section 6: Enumerate across forest, access documents and emails to collect information, abuse remoting endpoints, modify ACLs, exploit delegation

Difficulty Level: High

Estimated Completion Time:  40 hours

Number of challenges: 5

Section Objective: This objective requires extensive enumeration of the target forest to be able to access machines there. Escalate privileges on one of the machines by modifying ACLs and bypassing application restrictions. Abuse delegation to escalate privileges to domain administrator.

Learning Elements:

  • Abusing PowerShell Remoting endpoints
  • ACL modification for privilege escalation
  • Enumerate and bypass application restrictions
  • Delegation for domain privilege escalation

 


Section 7: Abuse user simulation, craft payloads, bypass AV, bypass privilege restrictions, impersonate users, abuse exchange permissions, modify ACLs, escalate privileges to domain admin

Difficulty Level: High

Estimated Completion Time:  56 hours

Number of challenges: 8

Section Objective: You need to abuse user simulation to get a beachhead in the target forest. Bypass multiple restrictions and countermeasures on that machine to be able to move ahead. Impersonate users, enumerate the target domain from the foothold and abuse the permissions of MS Exchange groups to escalate to forest root.

Learning Elements:

  • Crafting payloads to bypass AV
  • Use previously collected information to abuse user simulation
  • User impersonation
  • Bypassing user privilege restrictions without GUI access
  • Understanding and bypassing MS Exchange group permissions

 


Section 8: Retrieve credentials from process memory dump and replay them, Bypass Windows Defender Application Guard, ASR and CLM to extract credentials, escalate privileges on domain

Difficulty Level: High

Estimated Completion Time:  36 hours

Number of challenges: 2

Section Objective: For this one, you need to extract credentials from a memory dump and replay them to get a foothold in the target forest. The foothold is designed to be very challenging and uses WDAG and ASR rules to block most of the well-known tools. Extract credentials from the foothold and replay them to escalate privileges to DA.  

Learning Elements:

  • Understand the restrictions by WDAC and bypass them.
  • Using NTLM authentication to access domain joined machines.

 

Section 9: Abuse forest trust to hop to a third forest, enumerate privileges from the first hop forest and pivot to the second hop, avoid Kerberos double hop issue, extract secrets

Difficulty Level: High

Estimated Completion Time:  36 hours

Number of challenges: 3

Section Objective:  This objective takes hopping across forest trusts to the next level. You need to compromise a forest and then hop from that forest to a second one. Escalating privileges remains a challenge but the most difficult part is to avoid the Kerberos double hop problem from the first hop forest to the second hop. Also, getting privileges on the second hop forest is going to be very challenging.

Learning Elements:

  • Understanding and abusing special forest trusts
  • Pivoting across multiple forests

 


Section 10: Collect information from various compromised forests, escalate to DA, escalate to forest root

Difficulty Level: High

Estimated Completion Time:  36 hours

Number of challenges: 2

Section Objective: This one is a bit non-conventional. Instead of looking for direct domain enumeration, this objective needs using the already collected information and 'connecting the dots' to be able to compromise the target domain and forest. The commands required are well-known but the information collection is the challenge.

Learning Elements:

  • Using the collected information to design an attack path

 


Section 11: Abuse built-in Windows mechanisms, craft payloads, compromise air-gapped/not-reachable servers

Difficulty Level: High

Estimated Completion Time:  48 hours

Number of challenges: 3

Section Objective: You need to compromise a server in the target forest that is used for a particular Windows mechanism. Using access to this particular server, compromise servers in another forest that is not reachable over the network.

Learning Elements:

  • Understanding abuse of trusted Windows mechanisms
  • Crafting payloads which bypass AV and are trusted by Windows

 


Section 12: Abuse virtual servers, extract credentials from offline domain controllers and extract secrets to initiate the fund transfer

Difficulty Level: High

Estimated Completion Time:  32 hours

Number of challenges: 2

Section Objective: This is the final objective regardless of the path used. To complete the fake fund transfer, you need to extract a secret from an offline domain controller by abusing virtualization.

Learning Elements:

  • Abusing virtualization on Windows
  • Extract credentials from offline domain controllers

 


PentesterAcademy Certified Enterprise Security Specialist (PACES)

To earn the PACES certification, students need to compromise a multi-forest exam lab environment. The 48-hour hands-on exam tests students' ability to apply both attack and defense concepts. Success in the exam depends on the quality of the report submitted after the exam, forests compromised with minimal alerts and forests secured.

Exam Structure

The students get access to a dedicated exam lab which contains multiple Active Directory forests with fully patched Windows Server 2019 machines.

In order to clear the exam, students need to:

  • Compromise multiple forests with a minimal footprint.
  • Secure the forest where they have full access from the beginning.
  • Submit a report that contains details of attacks on target forests and details of security controls/best practices implemented on the 'home' forest.

Certification Benefits

A PACES holder is a specialist in enterprise AD security. They have the ability to identify, exploit, demonstrate and fix security issues in an enterprise.

They have demonstrated the ability to understand and secure the modern enterprise network by executing a silent red team operation starting from a beachhead leading to compromise of multiple forests.

Nikhil Mittal: BlackHat USA Trainer, DEF CON Speaker, Discoverer of Windows Threats

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory security, attack research, defense strategies and post-exploitation research. He has 9+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approaches. He has worked extensively on Active Directory attacks, bypassing detection mechanisms and Offensive PowerShell for red teaming. He is the creator of Kautilya, a toolkit that makes it easy to use HIDs in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like DEF CON, Black Hat, CanSecWest, BruCON, 44CON and more. He blogs at https://www.labofapenetrationtester.com/


Purchase Lab:

For alternate payment methods or enterprise team purchase please use the Contact-Us section

Terms of Purchase and Use:

  • You can start your lab access anytime within 90 days of purchase
  • 3 hours of lab course material videos will be provided
  • One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
  • Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
  • The above lab is a shared environment and certain pre-specified machines will be off-limits
  • If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab