CRTE Review

The Certified Red Team Expert (CRTE) is Altered Security’s trial by fire. It validates your ability to compromise a modern, multi-domain Active Directory environment. This isn’t about running scripts; it’s about demonstrating deep, practical knowledge of AD exploitation and lateral movement.

Exam Structure

• Phase 1: The Assault (48 Hours)
  • You are dropped into a fully-patched network with a single user foothold.
  • Your objective is to achieve code execution on five target servers across multiple forests.
  • This is a test of your methodology, persistence, and ability to think on your feet.
• Phase 2: The Debrief (48 Hours)
  • You must deliver a professional-grade report detailing your entire attack path.
  • This includes every command, every vulnerability, and every misconfiguration you exploited.
  • Crucially, you must also provide actionable remediation advice for each finding.

The Arsenal: Essential Skills

Success in the CRTE hinges on your mastery of the following domains:

• Advanced Active Directory Attacks: This is the core of the exam. You must be an expert in:
  • Kerberos Abuse: Kerberoasting, AS-REP Roasting, and all forms of delegation (Unconstrained, Constrained, RBCD).
  • Trust Exploitation: Abusing forest and domain trusts to move laterally across the network.
  • Certificate Services: Exploiting AD CS (Active Directory Certificate Services) for privilege escalation and persistence.
  • Modern AD Features: Abusing features like gMSA, LAPS, and SID-History.
• Evasion and Bypasses: The environment is defended. You will face AV, AMSI, ETW, and application whitelisting. You need to know how to bypass these and operate without being detected.
• Pivoting and Lateral Movement: You will need to move through the network with precision. This includes SQL Server pivoting and abusing trust relationships to jump between domains.

The Proving Grounds: Building Your Skills

Classroom theory is useless without practice. To prepare for the CRTE, you need to live and breathe Active Directory exploitation. I personally used the following to sharpen my skills:

• Private Lab with GOAD: I used the Game of Active Directory (GOAD) to build my own private, vulnerable AD lab. This allowed me to practice techniques repeatedly until they became second nature. It’s an invaluable tool for understanding how these attacks work in a controlled environment.
• Hack The Box Pro Labs: For a more challenging and realistic experience, I used Hack The Box Pro Labs.

Tips & Tricks

• Methodology is Everything: Don’t just run tools randomly. Have a clear, repeatable process for enumeration, exploitation, and post-exploitation.
• Enumerate, Enumerate, Enumerate: The more information you gather, the more attack paths you’ll uncover. BloodHound is essential, but you must also be able to enumerate manually with PowerShell.
• Report as You Go: Don’t leave your report to the last minute. Document your steps, take screenshots, and write down your findings as you progress through the exam. This will save you from a world of pain when the 48-hour assault phase is over.
• Don’t Get Tunnel Vision: If you’re stuck on a particular host or attack path, move on. There are multiple ways to compromise the targets.
• Think Like a Defender: The course material covers detection and defense. Understanding how to defend against these attacks will make you a more effective attacker.
• Toolkit: Here is a toolkit designed to help you succeed in the exam.