I’ve recently attempted and attained the eCPTXv2 certification which is aimed at experienced penetration testers whom want to specialize in the area of infrastructure security. In this review I’ll go through the end-to-end process, looking at the course materials, the labs, the exam and concluding with my personal opinions of the course. The course comes with course notes, videos and lab access as well as an exam attempt (there is a retake attempt in case you did not manage to clear it the first time).

Course materials

eCPTXv2 is a refreshed version of the older version of the course with the same name, and the biggest update is the inclusion of much more depth for the Active Directory exploitation portion section. There are much more details in this area which takes students from the basics of the AD services, traditional approach to enumeration and ramps it up all the way to modern exploitation techniques. There are also multiple AD labs where students can practice the TTPs (Tactics, Techniques and Procedures) which are covered in the course itself.

Syllabus

The [new] official website lists the following areas of competencies:

• Advanced Penetration Testing Processes and Methodologies
• Advanced Exploitation using Metasploit and Empire
• Network/traffic manipulation
• Pivoting
• Advanced Lateral Movement (WMI, PS Remoting, DCOM, etc.)
• Advanced Active Directory Information Gathering, Enumeration and Reconnaissance
• Custom Attack Vector Development
• Deep knowledge of Active Directory and Windows internals
• Knowledge of Windows authentication weaknesses
• Web application Manual exploitation
• Stealthy Scanning and Profiling the target
• Advanced Persistence / Backdooring
• Privilege escalation

The course notes are very detailed for each section, taking students from the very basics of a particular piece of technology, the ways in which misconfigurations can occur and finally, how to leverage this misconfigurations for abuse. I do feel that this course excels in the courseware and for the price that one pays for it (I bought it before INE’s acquisition of eLearnSecurity so the full package costs about $1,169 USD for full version with a free upgrade to the elite version), there are very little courses out there that can deliver on the listed areas of competencies.

It is highly recommended that students should go through the notes multiple times purely due to the sheer volume of the content inside (almost all the course notes provided have ~700 pages each). Personally, I’ve gone through the course notes multiple times and divided it up into chunks so that I do not get burned out easily. This coupled with your own research should help students to understand the fundamental concepts and get a firm grasp of the TTPs taught inside the course.

Unfortunately, the videos included inside the course package did little to reinforce the concepts taught in the course notes as they seem to be showcasing more advanced techniques which are not covered in the notes. Although they are still pretty interesting and useful to a certain extent, it is completely fine not to go too deep into the videos (unless it’s your own interest) in order to advance in the course.

The Labs

My most favourite part about the labs are huge AD domains which have varying levels of difficulty, with the first lab being a guided one that teaches users to setup a C2, getting a foothold all the way to owning the entire domain as well as its trusting/trusted domains. Once user is comfortable with the first lab, there are also multiple other AD labs that user should attempt to compromise via multiple paths.

There are also other labs included which should help students to be more familiar with developing custom exploits that evade AV/EDR for initial access, persisting on machines via malicious updates pushed through WSUS and web application attacks that could lead to exfiltration of critical information.

Initially, I was using the eLearnSecurity’s native platform to do the lab - however, after the INE takeover, all current users are provided with an option to migrate to the INE platform. Stability wise the eLearnSecurity native platform seems to be better as I did not face any intermittent connection issues. However, when I migrated over to the INE platform, there seem to be random disconnections when there is user inactivity for a certain period of time (about 30 minutes in my case), which can be frustrating if user has to maintain active connections to all the internal networks that they have managed to compromise. Hopefully INE does improve on this by handling session timeouts better just to save that bit of frustration.

The Exam

Once user presses the “Start Certification” button, there will be a letter of engagement which details the items in-scope and the conditions necessary to obtain the eCPTXv2 certification. I won’t be going too deep into the details but if you have digested the course notes and videos as well as done the lab multiple times, there shouldn’t be any issue in attaining the certification. It is important to instil the mindset of a security consultant whose goal is to find as many misconfigurations in the environment as possible, instead of a red teamer whose goal is to purely attain DA.

Personal advice from me to you:

• You will (most likely) hit roadblocks, remember that you have 48 hours so take a break if you feel too overwhelmed, get some fresh air/good sleep and then come back with a fresh mind. It’s a marathon, not a sprint.
• Screenshots, screenshots and screenshots. Even if you have hit the exam objectives, your report is the only end product that the grading team receives. Ensure that you have taken a screenshot of every piece of information (flags, hostnames, Bloodhound data etc.) and note down all the commands that you have used. My tip is to start doing a rough report when attempting the exam - you will be too drained to start on the reporting component after the exam.
• Treat the exam as a real-life penetration testing engagement and try to find all possible avenues of exploitation. This will not only help you attain the exam objectives but also will make you a better security consultant.

During my attempts, I have tried to stick to a schedule of working on a task for a couple of hours and then force myself to take a break so that I will not feel burned out - even so, there were times when I got sucked into an objective for too long that I start to feel exhausted. My key advice is to force yourself to take breaks regularly, drink plenty of water, have light meals and go for a walk to get some fresh air. Don’t forget to get some sleep too - 6 to 7 hours of good quality shut-eye does wonders to your body by clearing your head and replenishing your energy.

After about 3 weeks from submitting the final report (the report grading takes anywhere from 1 to 30 business days as per the eLearnSecurity team), I finally received the news that I have cleared the examination.

My Opinions

This course is pretty fulfilling and I’d rank it as one of the best Active Directory penetration testing courses that I’ve taken. As I have cleared other Active Directory based certifications (CRTE, OSEP, CRTO), I can grasp the AD concepts pretty well even though the exam still turned out to be pretty challenging. I would rate this course on par with OSEP in terms of quality as well as difficulty and would recommend it to any aspiring red teamer.

Pros

• The course covers every part of a red teaming engagement from initial access, gaining persistence, moving laterally and owning the domain.
• The additional AD labs made it pretty worth purchasing since most avenues of misconfigurations are covered.
• The coverage of each area of competency is detailed, with real updated TTPs.
• The exam was pretty challenging - even though the course covers all the necessary information to pass, user still needs to think out of the box.

Cons

• Possibly lab environment instability with random timeouts and intermittent connectivity issues. It’s not uncommon to take a short break and come back to realize all my beacons are dead because the VPN connection went down. This can be frustrating due to the amount of pivoting required for internal network access.
• Exam support - there is no chat hotline that one can rely on when technical issues arise during the exam (or during lab access for that matter). If there are any issues, one has to rely on the good old email support which might not be that responsive. Even though the exam environment is pretty stable for me, adding a 24/7 support will greatly benefit students should they need one.

References

The following blogs and certifications came in handy during my pursuit of the eCPTXv2 certification:

Certifications

Offensive Security Experienced Penetration Tester

Certified Red Team Operator

Certified Red Team Expert

Certified Red Team Professional

Blogs

Sean Metcalf’s blog

Will Harmjoy’s blog

Nikhil Mittal’s blog

Gentil Kiwi’s blog

I had loads of fun going through the courseware, doing the labs and felt massive satisfaction attempting the exam - even if you didn’t manage to clear it the first round, try to work on your weaknesses and your shortcomings. Afterall, nothing good comes easy, so good luck on your journey!