
CSTL Microsoft Windows
Please click on the following tabs to reveal the knowledge depth required for a successful pass of the CSTL exam.
You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.
- Can identify Windows hosts on a target network.
- Can identify forests, domains, domain controllers, domain members and workgroups.
- Can enumerate accessible Windows shares.
- Can identify and analyse internal browse lists.
- Can identify and analyse Service Principal Names.
- Understands and can identify the different types of domain trusts, including:
• One-way and two-way trusts
• Explicit and transitive trusts
- Can perform user and group enumeration on target systems and domains, using protocols including:
• NetBIOS
• LDAP
• SNMP
- Can obtain other information, such as password policies.
- Can perform analysis of an AD (Global catalogue, Master Browser and FSMO).
- Can perform SID enumeration and RID cycling.
- Understands Active Directory structure.
- Understands the reliance of Active Directory on DNS and LDAP.
- Understands the difference between local and domain users.
- Understands the security weaknesses of shared local administrative accounts.
- Understands Group Policy.
- Understands Local Security Policy.
- Understands user accounts and can manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin.
- Can demonstrate the recovery of password hashes when given physical access to a Windows host.
- Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables.
- Identify inappropriate accounts or group memberships.
- Perform basic SPN/kerberoasting.
- Exploit shared local administrative accounts by passing-the-hash.
- Obtain passwords from Group Policy Preferences.
- Perform more advanced Kerberos attacks (golden tickets, silver tickets, etc.).
- Identify inappropriate or dangerous Group Policies or permissions.
- Understands Active Directory roles (Global Catalogue, Master Browser, FSMO).
- Understands password policies, including complexity requirements and lock-out.
- Understands how to avoid causing a denial-of-service by locking-out accounts.
- Understands the security attributes of the above protocols and technologies.
- Understands Windows password hashing algorithms and their associated security attributes.
- Understands how passwords are stored and protected and can demonstrate how they can be recovered.
- Understands the use of tools and techniques to identify new OS and software vulnerabilities.
- Understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities.
- Understands the techniques used to develop exploit code for existing and new vulnerabilities.
- Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system or service permissions.
- Understands the difference between "Local Service", "Network Service" and "Local System".
- Demonstrate the ability to extract service credentials from LSA secrets.
- Understands and can perform common post exploitation activities, including:
• Obtaining password hashes, both from the local SAM and cached credentials
• Obtaining locally stored clear-text passwords
• Cracking password hashes
• Obtaining patch levels
• Deriving a list of missing security patches
• Reverting to a previous state
• Lateral and horizontal movement
- Understands and can demonstrate techniques to break out of a locked down Windows desktop or Citrix environment.
- Can perform privilege escalation techniques from a desktop environment.
- Understands OS lifecycle management.
- Understands patching in air-gapped environments.
- Understands common Windows patch management strategies, including:
• SMS
• SUS
• WSUS
- Can identify and analyse Microsoft Exchange servers.
- Understands and can perform common attack vectors for Microsoft Exchange Server.
- Can identify and leverage significant vulnerabilities in common Windows applications for which there is public exploit code available.