Roy Stultiens

Cloud security enthousiast and everything else that comes to mind

2 minute read

cartp certificate

Last week I passed my CARTP exam.
In this blogpost I’ll share my view on the course and the exam.

The Course

The course, “Attacking and Defending Azure AD Cloud: Beginner’s Edition” included 4 live sessions ranging from 3.5 to 4 hours, lab access and one exam attempt.

The live sessions were hosted by Nikhil Mittal. He took all the time to elaborate and answer questions outside of the course content. Most (if not all) live sessions took longer then the planned 3 hours. Since all sessions were recorded, this was not an issue for the people struggling to keep their minds focussed.

Content wise the course advertises to cover the following topics:

  • Azure services discovery
  • Initial Access Attacks (Enterprise Apps, App Services, Logical Apps, Function Apps, Unsecured Storage, Phishing, Consent Grant Attacks)
  • Authenticated Enumeration (Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates etc)
  • Privilege Escalation (RBAC roles, Azure AD Roles, Across subscriptions)
  • Lateral Movement (Pass-the-PRT, Pass-the-Certificate, Across Tenant, cloud to on-prem, on-prem to cloud)
  • Persistence techniques (Hybrid Identity, Golden SAML, Service Principals, Dynamic Groups)
  • Data Mining
  • Defenses

All of these were actually covered, with in-depth theoretical information and a practical assignment, either in the labs or performed live by Nikhil. Talking about the lab, it was really well developed. You get access to a cloud VM and an Azure tenant, in which you have to perform several ‘challenges’. All of these were techniques learned in the course, such as an illicent grant attack by phishing a (fake) user of the target tenant. Expect some of these techniques to show up in separate posts ;).

One thing to note about this is that the lab time could not be extended, except for repurchasing the course. So make sure you finish your challenges and play with it before the time ends.

The Exam

Without spoiling any information about the exam, I can say it was a good and fun experience. The exam was 24 hours access time and 48 hours reporting time. To pass the exam, you had to apply the techniques tought in the course to ‘hack’ into an Azure tenant, escalate privileges and pivot to fetch a ‘final flag’.

The time was plenty, I completed the exam within 4 hours and finished reporting in the same day. There are rabbit holes that you can go into, but most of the time ‘the next step’ was quite obvious if you followed the course well.

Final Thoughts

In my opinion, Certified Az Red Team Professional course and exam was well worth the money. The teacher was very knowledgable and responded to all questions in the Discord channel (also outside class hours). Content wise it went really in-depth and offers true insights in how Azure (AD) works, which common misconfigurations occur and how they can be abused.

I would recommend this for sure, but note that some knowledge about Azure will help you in following the course.

You May Also Enjoy

Kubernetes Attack Surface

less than 1 minute read

This is a short (and incomplete) overview of the attack surface for a Kubernetes cluster.

Cloud Security - Azure Fundamentals

5 minute read

You want to get started in cloud security, but don’t know how? In this post I’ll give you some pointers on where to start and what to keep in mind.