Introduction to Certified Red Team Professional (CRTP)

CRTP is a beginner-to-intermediate level certification designed to assess real-world red teaming skills in Windows AD environments. Unlike certifications that focus on CVEs or publicly known exploits, CRTP emphasizes abusing legitimate AD features and misconfigurations, offering a realistic simulation of internal threat actor tactics.

The exam is 100% hands-on, taken in a controlled lab, and tests one’s ability to enumerate, pivot, escalate privileges, persist, and avoid detection across a fully patched Windows domain.

CRTP Study Notes

The CRTP Study Notes & Guide is a compilation of study notes for the Certified Red Team Professional (CRTP) certification. It provides practical strategies, tools, and step-by-step procedures to penetrate and manipulate Active Directory (AD) environments, focusing on real-world tactics over theoretical vulnerabilities.


Table of Contents

  • About CRTP
  • Exam Strategy
  • Writing the Final Report
  • Other Exam Preparation Tips
  • Key Areas to Focus On:
  • Methodology
  • Initial Access; Starting Point
  • Reconnaissance:
  • Local Privilege Escalation
  • Enumeration
  • Persistence Techniques:
  • Compromised Machines Checklists
  • PowerShell
  • Windows Pentesting
  • AD Pentesting
  • Security

Page count: 138

Format: PDF

Note: This product is not eligible for a refund.

If you have concerns regarding the product, kindly contact consultation@motasem-notes.net, describe your issue, and explain why you should be eligible for a refund.

How to buy the CRTP Study Notes?

You can buy the book directly by clicking on the button below

After you buy the book, you will be able to download the PDF book.

Who Should Take CRTP?

CRTP is ideal for:

  • Individuals preparing for more advanced certifications like CRTE or OSEP
  • Red teamers and penetration testers new to Active Directory security
  • Blue teamers and SOC analysts seeking to understand attacker techniques
  • Security professionals aiming to build foundational AD attack and defense skills

CRTP Prerequisites

A basic understanding of Active Directory and the ability to use Windows command-line tools are recommended. The course is designed to be beginner-friendly, providing all necessary tools and guidance.

CRTP Course Material

Upon enrolling in the course, candidates receive access to Altered Security’s CRTP lab. This virtual lab offers:

  • An environment that mimics a corporate IT setup, useful for real-world red teamers
  • A domain with multiple machines (DC, Windows 10, Windows Server)
  • Tools pre-installed (BloodHound, PowerView, CrackMapExec, Mimikatz)
  • No internet access, to encourage command-line and offline capabilities

The CRTP course is delivered through a 14-hour video series supplemented with a structured lab guide. Unlike many high-level theoretical certifications, CRTP takes a step-by-step, walkthrough-style approach. Each video shows a complete attack method followed by opportunities for students to replicate the attack in a guided lab environment.

The learning flow is linear and methodical, ideal for those new to Active Directory (AD) exploitation. Videos are well-paced, and every concept is tied to a hands-on lab segment, which solidifies both understanding and retention.

A recurring theme in CRTP is comprehensive enumeration. Success in the exam hinges on how well you understand the environment before launching attacks.

Essential enumeration actions include:

  • Identifying all Domain Controllers using tools like nltest and PowerView
  • Dumping all user and group information
  • Analyzing trust relationships and session info
  • Scanning for misconfigurations like unconstrained delegation or Kerberoastable accounts

To pivot across machines and escalate privileges, several red team techniques are necessary:

  • Using credential dumping tools like Mimikatz to extract NTLM hashes
  • Abusing SMB signing misconfigurations
  • Exploiting privilege delegation or using the “net session” trick
  • Gaining RDP access to privileged machines
  • Using tools like Rubeus for Kerberoasting and ticket manipulation

Privilege escalation might occur both locally (via services) and at the domain level (via ACL abuse).

The exam is designed to mimic a fully patched and monitored Windows environment, so candidates must be able to bypass:

  • Windows Defender
  • AMSI (Antimalware Scan Interface)
  • ScriptBlock Logging

I would emphasize using:

  • Invoke-Obfuscation to evade signature detection
  • AMSI bypass techniques such as patching in-memory DLLs
  • Manual payload crafting to avoid common command indicators

Practicing these bypasses in the lab is essential because automated tools often get flagged.

Persistence methods help maintain access even after a reboot or logout. Required CRTP skills include:

  • DCShadow attacks for backdooring domain replication
  • Skeleton Key attacks to allow logins using a master password
  • Golden Ticket attacks using forged Kerberos tickets
  • DSRM (Directory Services Restore Mode) abuse

These actions demonstrate advanced knowledge and help in solidifying post-exploitation control.

CRTP Labs

Students get access to a lab network comprising a multi-domain AD environment with realistic targets. The lab environment is the same as that used in the exam, offering continuity and confidence.

The lab emphasizes PowerShell-based AD attacks, deviating from the more common Kali Linux-centric approaches in red teaming. Tools such as PowerView, SharpHound, BloodHound, and Mimikatz are demonstrated, but students are encouraged to install and configure them manually during the exam, mimicking real-world conditions.

CRTP Exam

The exam is a 24-hour hands-on assessment in a fully patched enterprise AD environment with multiple domains and forests. Candidates must gain OS-level command execution on five target servers, starting from a foothold machine, by exploiting AD features and misconfigurations.

CRTP Cost

On-Demand Course: $249 for 30 days of lab access, lifetime course material access, and one certification exam attempt.

Instructor-Led Bootcamp: $299 for a 4-week bootcamp with 30 days of lab access.

Extended lab access options are also available:

  • 60 days: $379
  • 90 days: $499

CRTP Exam Tips & Preparation Strategies

Preparation time varies based on experience:

  • Beginner (No prior experience): 3 months
  • Intermediate (Some red team/enterprise security experience): 2 months
  • Expert (Extensive red team/enterprise security experience): 1 month

What’s the difference between On-Demand and Bootcamp options?

  • On-Demand: Self-paced learning with access to course materials and labs.
  • Bootcamp: Instructor-led sessions over four weekends, including live interactions, group learning, and networking opportunities.

Does the CRTP certificate expire?

Yes, the CRTP certificate is valid for three years. Renewal is free before expiry and involves an 8-hour hands-on exam. Alternatively, completing the CRTE certification extends CRTP by three years, and completing the CRTM certification extends it by six years.

What happens if I fail the exam?

If you do not pass the exam, you can retake it for a fee of $99. There is a one-month cooldown period before retaking the exam. After three attempts, a six-month cooldown period applies.

CRTP Certification Review & Recognition

CRTP is built on a “learn-by-hacking” philosophy, beginning from an assumed breach and progressing through the post-exploitation lifecycle in an AD setup. Its main objectives are to:

  • Teach enumeration and abuse of AD components using native tools
  • Develop capabilities to conduct privilege escalation, lateral movement, and persistence
  • Emphasize stealth and real-world operational techniques

The course structure includes:

  • A cloud-based Active Directory lab environment with multiple machines simulating enterprise setups
  • Lecture recordings by Nikhil Mittal (renowned AD security expert)
  • PDF slide decks and handouts

The labs are central to the learning process, replicating real-world red team scenarios such as:

  • Local Privilege Escalation
  • Credential dumping and Pass-the-Hash
  • Kerberoasting and AS-REP Roasting
  • Exploiting ACLs and misconfigurations in GPOs and LAPS
  • Using PowerView and SharpHound for enumeration

These labs are hands-on and do not include pre-installed tools, forcing candidates to practice tool management, such as uploading scripts via SMB shares, Python HTTP servers, and WinRM.

A key takeaway is repetition and documentation: students are urged to repeat exercises and take detailed notes that will serve as their personalized cheat sheet during the exam.

The CRTP is not beginner-friendly, but it is incredibly valuable for those with foundational AD knowledge.

Completing CRTP:

  • Demonstrates hands-on capability in Active Directory red teaming
  • Adds weight to resumes for roles like Red Teamer, Penetration Tester, or Security Analyst
  • Serves as a gateway to more advanced certs like CRTE (Red Team Expert) or OSCP/OSCE

Many employers now list CRTP as a preferred qualification for red team roles due to its focus and lab-based learning.
