Red Team Lab Objective:

Most enterprise networks today are managed using Windows Active Directory and it is imperative for a security professional to understand the threats to the Windows infrastructure. Our Windows Red Team Lab is designed to provide a platform for security professionals to understand, analyze and practice threats and attacks against a modern Windows network infrastructure.
Our Red Teaming Exercises simulate real world attack-defense scenarios and require you to start with a non-admin user account in the domain and work your way up to enterprise admin of multiple forests. The focus is on exploiting the variety of overlooked domain features and not just software vulnerabilities.
The lab has multiple interesting tasks that are designed and built upon years of the author’s experience of red teaming Windows environments. These labs are harder than those the author uses for his BlackHat USA 2018 and BlackHat Europe 2018 trainings. Every lab task comprises multiple challenges like Active Directory enumeration, local and forest privilege escalation, network pivoting, application whitelisting bypass, active user simulation, Kerberos delegation issues, SQL Servers, forest trusts and more! Whether you are a beginner, a seasoned red teamer, or a veteran blue teamer, the lab has something for everyone!
All students will be provided with 3.5 hours of video course material. This will cover important concepts required to begin with the lab.
What will you learn?

The Windows Red Team Lab enables you to:
- Practice various attacks in a fully patched real world Windows environment with Server 2012, Windows 10 and SQL Server 2017 machines.
- Understand concepts of well known Windows and Active Directory attacks.
- Execute and visualize the attack path used by the modern adversaries.
- Learn to use Windows as an attack platform and to use trusted features of the OS, like PowerShell and others, for attacks.
- Try scripts, tools and new attacks in a fully functional AD environment.
- Basic understanding of red teaming/penetration testing or blue teaming/security administration of an AD environment.
- Basic familiarity with using PowerShell scripts.
- Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.
- WMI Attack-Defense: https://www.pentesteracademy.com/course?id=34
- Abusing SQL Server Trust: https://www.pentesteracademy.com/course?id=35
- Powershell for Pentesters: https://www.pentesteracademy.com/course?id=21
42 Challenges, 60 Flags, >200 Hours of Torture :)
Section 1: Abuse Applications, Impersonate Users, Escalate Privileges
Difficulty Level: High
Estimated Completion Time: 36 hours
Number of challenges: 10
Section Objective: You will need to abuse nested impersonations to escalate privileges on the application level. After executing code on the operating system, escalate privileges on the OS level and capture flags. Hunt for Active Directory write or modify permissions, abuse the permissions and extract a user's password in clear text.
Learning Elements:
- Domain Enumeration
- Single sign-on in Active Directory
- Privilege escalation in enterprise applications
- Abusing built-in functionality for code execution
- Local privilege escalation on Windows
- Credential Replay
- Domain privileges abuse
- Offline brute force attack against domain objects
Section 2: Gain Admin Privileges, Defeat Countermeasures and Restrictions, Hunt for Domain Privileges, Escalate
Difficulty Level: High
Estimated Completion Time: 24 hours
Number of challenges: 4
Section Objective: You will need to get local admin privileges on a server and then enumerate and defeat the aggressive countermeasures on that server. You may also like to find some flags in the process.
Learning Elements:
- Domain Enumeration
- Situational awareness on foothold machine
- Extracting credentials from Windows machine
- Credential Replay
- Domain privileges abuse
Section 3: Pivot through Machines, Defeat Countermeasures, Abuse Kerberos, Exfiltrate Juicy Data
Difficulty Level: High
Estimated Completion Time: 36 hours
Number of challenges: 5
Section Objective: You will need to get local admin privileges on a server and then hop subnets and machines to access other machines. Make extensive use of built-in tools and administration mechanisms to replay credentials and impersonate domain users. Abuse Kerberos functionality to land on firewalled machines to access interesting pieces of information from databases. Capture flags in the process and credit card numbers from a database.
Learning Elements:
- Using administration tools to compromise other machines
- Pivot through machines
- Kerberos functionality abuse
- Using administration tools to access data from databases
- Search for interesting data in databases
Section 4: Pivot through Machines and Forest Trusts, Low Privilege Exploitation of Forests, Capture Flags and Database
Difficulty Level: High
Estimated Completion Time: 12 hours
Number of challenges: 4
Section Objective: Understand the concept of database links. Use it to get access to a trusted forest and enumerate the domains there. Achieve code execution in the target forest, which is located in an isolated network segment. Extract interesting information from the databases there.
Learning Elements:
- Trust abuse in databases
- Pivot through forests
- Built-in tools for command execution
- Using administration tools to access data from databases
- Search for interesting data in databases
Section 5: Enumerate Users and Emails, Create Emails, Custom Payloads, Exploit End-User Machines
Difficulty Level: High
Estimated Completion Time: 24 hours
Number of challenges: 5
Section Objective: Simulate a real phishing attack. Get a foothold in the target forest and enumerate the domains. Capture flags from multiple machines.
Learning Elements:
- Create emails with weaponized attachments
- Craft payloads which provide code execution
- Utilize available information to chain attacks
- Bypass countermeasures
- Find privileges in domain
Section 6: Compromise Applications, Achieve Command Execution, Impersonate Users, Move Laterally, Escalate Privileges
Difficulty Level: High
Estimated Completion Time: 36 hours
Number of challenges: 7
Section Objective: You need to compromise an enterprise application and achieve command execution on the OS. Enumerate the privileges and permissions for the users and move laterally to find a configuration, which allows you to escalate privileges to domain administrator. Capture some interesting flags during the task.
Learning Elements:
- Abusing functionality of enterprise applications
- Using architecture specific payloads
- User Impersonation
- User hunting for high privileges
- Dumping system secrets
- Credential Replay
- Lateral movement
Section 7: Obtain Domain Privileges, Compromise Forest
Difficulty Level: High
Estimated Completion Time: 8 hours
Number of challenges: 2
Section Objective: Get domain admin privileges on one of the domains and compromise the forest root by escalating privileges.
Learning Elements:
- Abuse Kerberos functionality
- Understand and abuse intra-forest trust
- Understand and abuse various groups in root domain of forest
Section 8: Compromise a Forest from another Trusted Forest
Difficulty Level: High
Estimated Completion Time: 24 hours
Number of challenges: 5
Section Objective: Get enterprise admin privileges on a forest root and compromise a trusted forest. You have to enumerate both the forests, look for interesting ways to execute code and replay credentials to solve this task.
Learning Elements:
- Forest enumeration
- Abuse Kerberos functionality
- Understand and abuse inter-forest trust
- Using administrator tools for command execution
Certified Red Teaming Expert

The Certified Red Teaming Expert is a completely hands-on certification. The certification requires students to solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges students to look at the complete infrastructure like a true enterprise network and does not rely only on breaking individual machines. Students will have 48 hours to complete the hands-on certification exam. A certification holder has the expertise to assess the security of an enterprise Windows infrastructure having multiple domains and forests by just abusing the functionality and trusts.
To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.
In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After a total of 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.
Nikhil Mittal: BlackHat USA Trainer, DEF CON Speaker, Discoverer of Windows Threats

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory security, attack research, defense strategies and post exploitation research. He has 11+ years of experience in red teaming.
He specializes in assessing security risks in secure environments that require novel attack vectors and "out of the box" approaches. He has worked extensively on Active Directory attacks, bypassing detection mechanisms and Offensive PowerShell for red teaming. He is the creator of Kautilya, a toolkit that makes it easy to use HIDs in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like DEF CON, Black Hat, CanSecWest, BruCON, 44CON and more. He blogs at https://www.labofapenetrationtester.com/
Selected Conference Talks:
1. Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)
2. AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)
3. PowerShell for Practical Purple Teaming (x33fcon 2017)
4. PowerShell for Practical Purple Teaming (DEF CON 21)
Purchase Lab:

Terms of Purchase and Use:
- You can start your lab access anytime within 90 days of purchase
- 3.5 hours of lab course material videos will be provided
- One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
- Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
- The above lab is a shared environment and certain pre-specified machines will be off-limits
- If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab