• Can perform user and group enumeration on target systems and domains, using protocols including:

  • NetBIOS • LDAP • SNMP

• Can obtain other information, such as password policies.
• Can perform analysis of an AD (Global catalogue, Master Browser and FSMO).
• Can perform SID enumeration and RID cycling.

• Understands Active Directory structure.
• Understands the reliance of Active Directory on DNS and LDAP.
• Understand difference between local and domain users.
• Understand the security weaknesses of shared local administrative accounts.
• Understands Group Policy.
• Understands Local Security Policy.
• Understands user accounts and can manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin.
• Can demonstrate the recovery of password hashes when given physical access to a Windows host.
• Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables.
• Identify inappropriate accounts or group memberships.
• Perform basic SPN/kerberoasting.
• Exploit shared local administrative accounts by passing-the-hash.
• Obtain passwords from Group Policy Preferences.
• Perform more advanced Kerberos attacks (golden/silver tickets/etc).
• Identify inappropriate or dangerous Group Policies or permissions.
• Understands Active Directory roles (Global Catalogue, Master Browser, FSMO).

• Understands password policies, including complexity requirements and lock-out.
• Understands how to avoid causing a denial-of-service by locking-out accounts.
• Understands the security attributes of the above protocols and technologies.
• Understands Windows password hashing algorithms and their associated security attributes.
• Understands how passwords are stored and protected and can demonstrate how they can be recovered.
• Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables.
• Can demonstrate the recovery of password hashes when given physical access to a Windows host.

• Understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities.
• Understands the use of tools and techniques to identify new OS and software vulnerabilities.
• Understands the techniques used to develop exploit code for existing and new vulnerabilities.
• Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system or service permissions.
• Understand the difference between "Local Service", "Network Service" and "Local System".
• Demonstrate the ability to extract service credentials from LSA secrets.

• Understands and can perform common post exploitation activities, including:

• Obtaining password hashes, both from the local SAM and cached credentials

• Obtaining locally stored clear-text passwords

• Cracking password hashes

• Obtaining patch levels

• Deriving a list of missing security patches

• Reverting to a previous state

• Lateral and horizontal movement

• Understands and can demonstrate techniques to break out of a locked down Windows desktop or Citrix environment.
• Can perform privilege escalation techniques from a desktop environment.

• Can identify and analyse Microsoft Exchange servers.
• Understands and can perform common attack vectors for Microsoft Exchange Server.

• Can identify and leverage significant vulnerabilities in common windows applicationsfor which there is public exploit code available.