CSTL Microsoft Windows

The following sections set out the knowledge depth required for a successful pass of the CSTL exam.

You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.

  • Can identify Windows hosts on a target network.
  • Can identify forests, domains, domain controllers, domain members and work groups.
  • Can enumerate accessible Windows shares.
  • Can identify and analyse internal browse lists.
  • Can identify and analyse Service Principal Names.
  • Understands and can identify the different types of domain trusts, including:

    • One-way and two-way trusts
    • Explicit and transitive trusts

  • Can perform user and group enumeration on target systems and domains, using protocols including:

    • NetBIOS
    • LDAP
    • SNMP

  • Can obtain other information, such as password policies.
  • Can perform analysis of an AD (Global Catalogue, Master Browser and FSMO).
  • Can perform SID enumeration and RID cycling.

  • Understands Active Directory structure.
  • Understands the reliance of Active Directory on DNS and LDAP.
  • Understands the difference between local and domain users.
  • Understands the security weaknesses of shared local administrative accounts.
  • Understands Group Policy.
  • Understands Local Security Policy.
  • Understands user accounts and can manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin.
  • Can demonstrate the recovery of password hashes when given physical access to a Windows host.
  • Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables.
  • Can identify inappropriate accounts or group memberships.
  • Can perform basic SPN enumeration and Kerberoasting.
  • Can exploit shared local administrative accounts by passing the hash.
  • Can obtain passwords from Group Policy Preferences.
  • Can perform more advanced Kerberos attacks (golden tickets, silver tickets, etc.).
  • Can identify inappropriate or dangerous Group Policies or permissions.
  • Understands Active Directory roles (Global Catalogue, Master Browser, FSMO).
  • Understands password policies, including complexity requirements and lock-out.
  • Understands how to avoid causing a denial-of-service by locking-out accounts.
  • Understands the security attributes of the above protocols and technologies.
  • Understands Windows password hashing algorithms and their associated security attributes.
  • Understands how passwords are stored and protected and can demonstrate how they can be recovered.

  • Understands the use of tools and techniques to identify new OS and software vulnerabilities.
  • Understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities.
  • Understands the techniques used to develop exploit code for existing and new vulnerabilities.
  • Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system or service permissions.
  • Understands the difference between "Local Service", "Network Service" and "Local System".
  • Can demonstrate the ability to extract service credentials from LSA secrets.

  • Understands and can perform common post-exploitation activities, including:

    • Obtaining password hashes, both from the local SAM and cached credentials
    • Obtaining locally stored clear-text passwords
    • Cracking password hashes
    • Obtaining patch levels
    • Deriving a list of missing security patches
    • Reverting to a previous state
    • Lateral and horizontal movement

  • Understands and can demonstrate techniques to break out of a locked-down Windows desktop or Citrix environment.
  • Can perform privilege escalation techniques from a desktop environment.

  • Understands OS lifecycle management.
  • Understands patching in air-gapped environments.
  • Understands common Windows patch management strategies, including:

    • SMS
    • SUS
    • WSUS

  • Can identify and analyse Microsoft Exchange servers.
  • Understands and can perform common attack vectors for Microsoft Exchange Server.

  • Can identify and leverage significant vulnerabilities in common Windows applications for which there is public exploit code available.