Red Team Lab Objective:

Most enterprise networks today are managed using Windows Active Directory and it is imperative for a security professional to understand the threats to the Windows infrastructure. Our Windows Red Team Lab is designed to provide a platform for security professionals to understand, analyze and practice threats and attacks against a modern Windows network infrastructure.

Our Red Teaming Exercises simulate real world attack-defense scenarios and require you to start with a non-admin user account in the domain and work your way up to enterprise admin of multiple forests. The focus is on exploiting the variety of overlooked domain features and not just software vulnerabilities.

The lab has multiple interesting tasks that are designed and built upon years of the author’s experience of red teaming windows environments. These labs are harder than those the author uses for his BlackHat USA 2018 and BlackHat Europe 2018 trainings. Every lab task is comprised of multiple challenges like active directory enumeration, local and forest privilege escalation, network pivoting, application whitelisting bypass, active user simulation, Kerberos delegation issues, SQL Servers, forest trusts and more! Whether you are a beginner, a seasoned red teamer, or a veteran blue teamer, the lab has something for everyone!

All students will be provided with 3.5 hours of video course material. This will be cover important concepts required to begin with the lab

What will your learn?

The Windows Red Team Lab enables you to:

  • Practice various attacks in a fully patched real world Windows environment with Server 2012, Windows 10 and SQL Server 2017 machines.
  • Understand concepts of well known Windows and Active Directory attacks.
  • Execute and visualize the attack path used by the modern adversaries.
  • Learn to use Windows as an attack platform and using trusted features of the OS like PowerShell and others for attacks.
  • Try scripts, tools and new attacks in a fully functional AD environment.
The following are the prerequisites for the lab:
  • Basic understanding of red teaming/penetration testing or blue teaming/security administration of AD environment
  • Basic familiarity with using PowerShell scripts.
  • Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.

The Windows Red Team Lab like other challenging certifications requires you to learn by exploring. If you understand the basics of how a Windows domain works and have used Powershell scripts for pentesting/red teaming, then you should be right at home. We expect the rest to be researched as the student encounters a roadblock.

Having said that, we do have some background material on Pentester Academy which can be of help, but this is optional: This lab is based on real world scenarios exploited during red teaming exercises by the author. We are confident if you take up this challenge and complete it, you will have the same know-how in Windows domain red teaming as some of the top professionals in the field.

42 Challenges, 60 Flags, >200 Hours of Torture :)

Section 1: Abuse Applications, Impersonate Users, Escalate Privileges

Difficulty Level: High

Estimated Completion Time: 36 hours

Number of challenges: 10

Section Objective: You will need to abuse nested impersonations to escalate privileges on the application level. After executing code on the operating system, escalate privileges on the OS level and capture flags. Hunt for active directory write or modify permissions, abuse the permissions and extract password in clear text for a user.

Learning Elements:

  • Domain Enumeration
  • Single sign-on in Active Directory
  • Privilege escalation in enterprise applications
  • Abusing built-in functionality for code execution
  • Local privileges escalation on Windows
  • Credential Replay
  • Domain privileges abuse
  • Offline brute force attack against domain objects

Section 2:Gain Admin Privileges, Defeat Countermeasures and Restrictions, Hunt for Domain Privileges, Escalate

Difficulty Level: High

Estimated Completion Time:  24 hours

Number of challenges: 4

Section Objective:  You will need to get local admin privileges on a server and then enumerate and defeat the aggressive countermeasures on that server. You may also like to find some flags in the process.

Learning Elements:

  • Domain Enumeration
  • Situation Awareness on foothold machine
  • Extracting credentials from Windows machine
  • Credential Replay
  • Domain privileges abuse


Section 3:Pivot through Machines, Defeat Countermeasures, Abuse Kerberos, Exfiltrate Juicy Data

Difficulty Level: High

Estimated Completion Time:  36 hours

Number of challenges: 5

Section Objective:  You will need to get local admin privileges on a server and then hop subnets and machines to access other machines. Make extensive use of built-in tools and administration mechanisms to replay credentials and impersonate domain users. Abuse Kerberos functionality to land on firewalled machines to access interesting piece of information from databases. Capture flags in the process and credit card numbers from a database.

Learning Elements:

  • Using administration tools to compromise other machines
  • Pivot through machines
  • Kerberos functionality abuse
  • Using administration tools to access data from databases.
  • Search interesting data in databases


Section 4:Pivot through Machines and Forest Trusts, Low Privilege Exploitation of Forests, Capture Flags and Database

Difficulty Level: High

Estimated Completion Time:  12 hours

Number of challenges: 4

Section Objective:  Understand the concept of database links. Use it to get access to a trusted forest and enumerate the domains there. Achieve code execution in the target forest, which is located in an isolated network segment. Extract interesting information from the databases there.

Learning Elements:

  • Trust abuse in databases
  • Pivot through forests
  • Built-in tools for command execution
  • Using administration tools to access data from databases.
  • Search interesting data in databases


Section 5:Enumerate Users and Emails, Create Emails, Custom Payloads, Exploit End-User Machines

Difficulty Level: High

Estimated Completion Time:  24 hours

Number of challenges: 5

Section Objective:  Simulate a real phishing attack. Get a foothold in the target forest and enumerate the domains. Capture flags from multiple machines.

Learning Elements:

  • Create emails with weaponized attachments
  • Craft payloads which provide code execution
  • Utilize available information to chain attacks
  • Bypass countermeasures
  • Find privileges in domain


Section 6:Compromise Applications, Achieve Command Execution, Impersonate Users, Move Laterally, Escalte Privileges

Difficulty Level: High

Estimated Completion Time:  36 hours

Number of challenges: 7

Section Objective: You need to compromise an enterprise application and achieve command execution on the OS. Enumerate the privileges and permissions for the users and move laterally to find a configuration, which allows you to escalate privileges to domain administrator. Capture some interesting flags during the task.

Learning Elements:

  • Abusing functionality of enterprise applications
  • Using architecture specific payloads
  • User Impersonation
  • User hunting for high privileges
  • Dumping system secrets
  • Credential Replay
  • Lateral movement


Section 7:Obtain Domain Privileges, Compromise Forest

Difficulty Level: High

Estimated Completion Time:  8 hours

Number of challenges: 2

Section Objective: Get domain admin privileges on one of the domains and compromise the forest root by escalating privileges. 

Learning Elements:

  • Abuse Kerberos functionality
  • Understand and abuse intra-forest trust
  • Understand and abuse various groups in root domain of forest


Section 8: Compromise a Forest from another Trusted Forest

Difficulty Level: High

Estimated Completion Time:  24 hours

Number of challenges: 5

Section Objective: Get enterprise admins privileges on a forest root and compromise a trusted forest. You have to enumerate both the forests, look for interesting ways to execute code and credential replay to solve this task. 

Learning Elements:

  • Forest enumeration
  • Abuse Kerberos functionality
  • Understand and abuse inter-forest trust
  • Using administrator tools for command execution


Certified Red Teaming Expert

The Certified Red Teaming Expert is a completely hands-on certification. The certification requires students to solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges students to look at the complete infrastructure like a true enterprise network and does not rely only on breaking individual machines. Students will have 48 hours to complete the hands-on certification exam.

A certification holder has the expertise to assess security of an enterprise windows infrastructure having multiple domains and forests by just abusing the functionality and trusts.

Exam Structure

The students are provided access to an individual Windows environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.

To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. The students will need to understand how Windows domains work, as most exploits cannot be used in the target network.

At the end of the exam, students need to submit the detailed solutions to challenges along with practical mitigations.

Certification Benefits

A certificate holder has demonstrated the capability of enumerating and understanding an unknown Windows network and can identify misconfigurations, functionality abuse and trusts abuse. She can use, write and modify PowerShell scripts and can abuse other built-in tools to perform enumeration, local privileges escalation, impersonation, pivoting, whitelisting bypasses, and antivirus evasion as well as identify sensitive data with minimal chances of detection.

Nikhil Mittal: BlackHat USA Trainer, DEF CON Speaker, Discoverer of Windows Threats

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, active directory security, attack research, defense strategies and post exploitation research. He has 9+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approaches. He has worked extensively on Active Directory attacks and bypassing detection mechanisms and Offensive PowerShell for red teaming. He is creator of Kautilya, a toolkit that makes it easy to use HIDs in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like DEF CON, Black Hat, CanSecWest, BruCON, 44CON and more. He blogs at

Selected Conference Talks:

Purchase Lab:

Promotional Launch Pricing

Pay with Paypal:

Select Lab Access
Student Name:
Student Email:
For alternate payment methods or enterprise team purchase please use the Contact-Us section

Terms of Purchase and Use:

  • You can start your lab access anytime within 90 days of purchase
  • 3.5 hours of lab course material videos will be provided
  • One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
  • Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
  • The above lab is a shared environment and certain pre-specified machines will be off-limits
  • If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Please use the form below: