Microsoft Windows Security
Please note the knowledge domains and topics outlined here are for guidance only and subject to change.
Understands and can identify the different types of domain trusts, including:
• One-way and two-way trusts
• Explicit and transitive trusts
– Can identify and analyse Service Principal Names
– Can identify and analyse internal browse lists
– Can enumerate accessible Windows shares
– Can identify forests, domains, domain controllers, domain members and workgroups
– Can identify Windows hosts on a target network
Can identify and leverage significant vulnerabilities in common Windows applications for which there is public exploit code available
Understands and can perform common attack vectors for Microsoft Exchange Server
– Can identify and analyse Microsoft Exchange servers
Understands OS lifecycle management
Can perform privilege escalation techniques from a desktop environment
– Understands and can demonstrate techniques to break out of a locked-down Windows desktop or Citrix environment
Understands and can perform common post-exploitation activities, including:
• Obtaining password hashes, both from the local SAM and cached credentials
• Obtaining locally stored clear-text passwords
• Cracking password hashes
• Obtaining patch levels
• Deriving a list of missing security patches
• Reverting to a previous state
• Lateral and horizontal movement
Demonstrate the ability to extract service credentials from LSA secrets
– Understands the difference between “Local Service”, “Network Service” and “Local System”
– Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system or service permissions
– Understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities
– Understands the use of tools and techniques to identify new OS and software vulnerabilities
Understands how passwords are stored and protected and can demonstrate how they can be recovered
– Understands how to avoid causing a denial of service by locking out accounts
– Can demonstrate the recovery of password hashes when given physical access to a Windows host
– Understands Windows password hashing algorithms and their associated security attributes
– Understands the security attributes of the above protocols and technologies
– Understands password policies, including complexity requirements and lock-out
– Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables
– Obtain passwords from Group Policy Preferences
– Exploit shared local administrative accounts by passing-the-hash
– Perform basic SPN/Kerberoasting
– Identify inappropriate accounts or group memberships
– Understands user accounts and can manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin
– Understands Local Security Policy
– Understands Group Policy
– Understands the security weaknesses of shared local administrative accounts
– Understands the difference between local and domain users
– Understands the reliance of Active Directory on DNS and LDAP
– Understands Active Directory structure