These are my personal opinions based on my background and training experience.
This course is online.
The course materials included videos, course slides, course slide notes, attack path diagrams, and access to a shared lab environment.
The class is single user with a shared lab environment.
The lab environment is shared with other students, and some, pre-specified, machines will be off-limits.
*NOTE* If you want a dedicated lab just for yourself, please use their form on the "Contact" tab to request more information.
At the time of this review, the course prices were listed as follows (check the website for actual prices!):
30 Days $249.00 USD
60 Days $379.00 USD
90 Days $499.00 USD
30 Days Lab Extension $199.00 USD
Exam Reattempt $99.00 USD
Certificate Renewal - Only For Existing CESP - ADCS Certified Students
30 Days Lab Access for Cert Renewal $149.00 USD
Additional Renewal Exam $29.00 USD
I had started learning about Active Directory Certificate Services from a variety of places, and when this course was announced, and knowing that Altered Security's training in the past has always been top notch, I signed up.
This course will teach you various operations against a modern AD CS environment from a Windows or Linux standpoint, and also how to defend against those techniques.
The initial landing page has a Lab Details tab with lab subscription information such as Subscription Start Date, Subscription End Date, Exam Attempt Last Date, and Region for the lab. It also has a blurb describing the lab:
"This is a beginner friendly lab that helps you in getting started with Attacking and Defending AD Certificate Services. The lab contains updated Server 2022 and Linux machines with an enterprise-like AD CS setup. Learn to execute a Red Team operation or Penetration Test against a modern AD CS environment."
The Certification Exam tab has information regarding the actual CESP - ADCS exam. There is an 'Overview' and a 'Note' section with information that you need before starting the exam.
The Flag Verification tab has a list of 'Sr.No', 'Learning Objective', 'Machine', 'Flag', 'Value' (which you fill in with the flag value) and 'Action' which shows Verified in green when the correct flag is submitted.
The Lab Materials tab has three pages (Access Lab Material, Walkthrough Videos, and Course Videos).
1) The Access Lab Material page has a section 'ADCS Attacks for Red & Blue Teams' with two PDFs; a section 'Diagrams' with 12 image files in PNG format; a section 'LabManual' with a PDF; a section 'Tools' with a ZIP and a text file containing the password needed to extract the ZIP file; a section 'ChangeLog' with a text file; and finally, a section 'ConnectingToTheLab' with a PDF and three video files.
2) The Walkthrough Videos page had a section "Walkthrough Video Library" with 20 videos.
3) The Course Videos page had a section "Course Video Library" with 60 videos.
The How to use Discord tab has information on accessing the Altered Security Discord server, and how to add the ADCS role to your Discord account for the server.
The FAQs tab has a list of frequently asked questions and answers to those questions for both the "Practice Lab" and the "Exam Lab".
The course has 25 Modules (covered in the Course Video Library and the ADCS Attacks for Red & Blue Teams PDFs) and 20 learning objectives (covered in the Walkthrough Videos, the LabManual PDF and also the Attack Path Diagrams).
In this section, you will find two PDFs containing the course content. One is just the slides and the other is slides with notes (reference materials for topics covered in the slides). You will see each of these in action during the course videos.
The Diagrams section contains images in PNG format that give a visual representation of the attack paths covered in the learning objectives. For example: 'LO-16.png' covers learning objective 16, and 'LO-1-2.png' covers learning objectives 1 and 2, while 'LO-3-4-7-8-9-10.png' covers learning objectives 3, 4, 7, 8, 9 and 10. These are helpful in showing the path the attack(s) follow. They are also brought into the course videos and explained after the learning objective(s) are completed.
The LabManual section has the LabManual PDF containing over 200 pages of text, code blocks and images. It gives you each learning objective and then steps you through accomplishing these objectives from both Windows and Linux. I used the lab manual a lot while going through the labs and have it as a reference in case I need it.
Tools.zip is a password-protected ZIP file that contains all the tools needed for the course; the password is in ToolsPassword.txt, which is included in this section.
The Changelog shows updates made to the materials. When I looked at the Changelog, I noticed that updates had been made to a video during the previous month. Since the course is being updated from time to time, this is how you can keep track of changes. Why does this matter? One of the questions in the FAQ section, as well as the answer is: Q: "How long do I have access to the course material?" A: "You can access the course material from the portal even after your lab subscription expires! This includes the future course updates." If you come back to the course content after some time has passed, use the changelog to see what has been updated.
The connecting to the lab section has a PDF that covers connecting with OpenVPN or a web browser. The videos do not have audio, but they do have text documents in the video which show the steps to get connected using OpenVPN, for both Windows and Linux, and then they show how to accomplish the outlined steps, as well as how to access the lab via a web browser. Getting connected was super easy for me and I don't know if I read the PDF or even viewed those videos until I started writing this review.
There are 20 videos in this section with each video covering one of the 20 learning objectives. These videos don't have audio, but what they do have is a text document displayed at the start with the commands that will be run during the video (unfortunately the text document is not fully displayed at the start of the video but you will see it all as the video progresses). So if you want to watch a step-by-step walkthrough of each learning objective, or check your command against the command run in the video, this is a good resource to rely on. However, the course videos do a walkthrough, with audio, of the learning objectives as well.
I guess you could always take the LabManual, copy and paste from it, and make your own text files with all the commands if you want them in a handy dandy cheat sheet for later review. Or leverage A.I. if you must.
The first video is a course introduction, followed by a lab portal video which goes over stuff I covered above but with visuals and better explanations. The remaining videos alternate between the modules (slide focused) and the learning objectives (demonstration focused).
I started to try and write a blurb for each of the videos, but there are 60 course videos totaling over 11 hours of training content, so I opted to skip individual blurbs. The videos range from the shortest video, at 2 minutes and 8 seconds, to the longest video, at 33 minutes and 9 seconds. Some of the information in the videos might be more of a review (like enumerating Active Directory ACLs and stuff like that) if you have taken other Altered Security classes, but it is mostly new content related to AD CS.
The module videos cover the information you need to know for the AD CS attacks, while the learning objective videos are demonstrations with a few of the demonstration videos showing the attacks from both the Windows and the Linux attack perspective. I really like the way the Windows Subsystem for Linux (WSL) is used in this course, and I think I finally need to set up my personal computer to use WSL. The only thing I dread is configuring so many Python venvs for all the tools, but once that is done the system appears pretty solid.
There is so much information packed into this entire course. Less than two years later, as I am going back through the materials a second time, I am seeing things that I had totally forgotten about. Did I mention that in the FAQ section one of the answers was: "You can access the course material from the portal even after your lab subscription expires! This includes the future course updates." Yes, I believe I did, but it was totally worth mentioning again!
One thing I appreciated while going through these videos is that there is mention of tradecraft issues (like when he mentioned using Certipy to configure ESC4 and how it doesn't allow you to specify a user and so it configures it for all domain users and thus downgrades the security of the target environment). There is also some discussion of cleanup after running some commands, and I think it is very important to cover things like this, as many people don't understand the changes certain tools make and how to undo those changes once an assessment is over.
The Defense videos are mainly text slide based mixed with some images and a few demonstrations. They go through how to configure your network to defend against the attacks covered in the course materials and to detect them through logging.
A few things worth mentioning for this section: you see a lot of the same commands over and over (that's the nature of this whole certificate-based stuff), which helps you remember them, but some of the commands are also very similar but not the same, which can be slightly confusing, so take your time and go through it slowly if you need to.
I did not watch the walkthrough videos, but I did open each of them and click forward through them. I did watch the course videos, but I actually used the speed up feature to play them at a faster speed.
And while this class did give me a good understanding of AD CS, it was only when I tried to build out my own lab to test a few things, that some of the information clicked in my brain.
To be honest, I took the exam in November of 2023. I had gotten about halfway through the materials, woke up one day and saw I had a little time left to complete the free certification exam attempt, and said "YOLO!". Luckily it worked out for me.
I don't remember much about the exam, but I do remember that I thought it was very straightforward and fair. You do have to write a report, but you have 24 hours for the exam, and they will tell you on the exam page how many hours you have after your exam expires to submit your report.
A link to my Altered Security's Certified Enterprise Security Professional – AD CS (CESP – ADCS) certificate, which I got several days after submitting the exam report and passing the exam.