Red Team Operator 2 Review

Red Team Operator 2 is the continuation of the educational content and certifications from RastaMouse at Zero Point Security. This builds upon RTO 1 foundations and ramps up the difficulty by throwing AV and EDR into the mix. The goal is to educate users on common and modern tactics to evade defenses while using Cobalt Strike, a commercial Command n Control software from Help Systems.

RTO II is a continuation (not a replacement) of Red Team Ops and aims to build on its foundation.  The primary focus of this course is to provide more advanced OPSEC tactics and defence bypass strategies.

Students will:

• Learn how to build secure and resilient on-premise C2 infrastructure, using public cloud redirectors and HTTPS.
• Go deeper into C++ and C# programming with Windows APIs, leading into writing custom tooling for a variety of offensive actions including process injection, PPID spoofing, and command line spoofing.
• Learn how to clean up memory indicators of Cobalt Strike's Beacon, and leverage in-memory obfuscation to bypass some memory scanning techniques.
• Employ strategies for enumerating, identifying, and exploiting weaknesses in Attack Surface Reduction and Windows Defender Application Control technologies.
• Bypass AV and EDR agents by circumventing ETW, userland hooking, and kernel callbacks.

As I have already taken a majority of the Sektor classes around malware development, the C++ and Windows API content was familiar to me. The introduction of C# content and working with various tools to use this language as well was a great inclusion and will be added to the list of languages to learn. This follows the previous RTO as the designated C2 is a licensed Cobalt Strike instance running via Ubuntu and a development attacking windows box for C# tooling and various offensive/admin windows utilities. The course material is now hosted at https://training.zeropointsecurity.co.uk/. New additions include linux hosts to act as redirectors for C2 traffic as boxes are now firewalled off directly from the teamserver. You will have to be able to setup properly configured beacons and redirectors to achieve successful callbacks. No worries, as this is gone over pretty well and straight forward in the course. The lab is also hosted via Snaplabs as before.

Getting Started:

Pretty self explanatory, basic information about the course, how to use the lab, etc.

C2 Infrastructure:

Learn how to configure Apache redirectors and beacons. This module also covers SSL certificates and keystores for signing generated payloads within cobalt strike. You'll also learn how to modify C2 profiles and some cool tricks to keep your teamserver safe from prying eyes.  

Windows API:

Module goes over the basic windows API and how to write skeleton code to achevie simple objects first such as a MessageBox, then moving into some more useful tactics around calling use API functions from C++ and C#. You'll also be introduced to use tools like D/Invoke and how to use Ordinals versus API function names.

Process Injection:

Pretty much a continuation of the previous module, except it's all about process injection using various different API functions with skeleton code provided to give you a working sample to build from. Points are given around the OPSEC of each one and why you may use one technique over another depending on the situation.  

Defence Evasion:

Exactly as it sounds, this module goes into all things evasive while working with Cobalt Strike. This goes over what happens behind the scenes with various CS functions such as Spawnto, ppid, and pipes. You'll also learn about the Sleep Mask kit, bypassing things such as ETW (Event Tracing for Windows), and memory protections.

Attack Surface Reduction

This module goes into various aspects of ASR (Attack Surface Reduction), a security rule system enforced by Windows Defender that allows various rules to be enabled that restrict common attack signatures. A sample of these are:

• Block abuse of exploited vulnerable signed drivers
• Block Adobe Reader from creating child processes
• Block all Office applications from creating child processes
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Block executable content from email client and webmail
• Further reading - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide

You'll learn how to identify and bypass some of these rules.

Windows Defender Application Control (WDAC)

This module goes into WDAC, a windows policy tool that can control drivers and applications being executed on a host. You will learn how to find these policies, parse them, and read them in order to identify possible weaknesses in the policy. This may include things like exploiting custom applications, trusted code signers or applications (LOLBAS), and weak application permissions.

EDR Evasion

The final module goes into detail around EDR's and how they work. You'll go into how they hook applications, detecting the hooks and some bypass strategies. You'll segway into working with direct Syscalls and implementing them into your Cobalt Strike arsenal and custom code templates. Finally this ends with a tease into driver enforcement/exploitation and learning about User Defined Reflective Loaders.

Exam

You are free to schedule the exam right after buying the course. There is no limit on retakes but they are charged at £99.00 which is around $131. You are provided a voucher for the exam if you buy the full course package. The exam is allocated 72 runtime hours with 5 days of access from the start of the exam booking date. You are not provided with web access to the exam machines for obvious reasons except the initial compromise vector. Scoring is based on flags in the environment, with a total of 4 possible flags. To pass, you must get all 4 flags submitted in SnapLabs. I initially began my exam on October first, but due to some initial lab and life trouble and a death in the family, I did not complete my exam. I plan on returning to this in the near feature. Completion of this exam rewards the Red Team Lead badge and certification.

Booking:

Red Team Ops II Exam

Zero-Point Security

Overall Course Conclusion

Overall I found the course to be fantastic in terms of quality of information, experience gained, and takeaways compared to its price point. Below is a quick list of my pros/cons:

Pros

• Affordable! Just as with RTO 1, the quality of content with the ease of use of the lab environment makes this one of the most worth while courses IMHO.
• Easy to read/copy course material with demos for some of the modules.
• Plenty of allocated course time and exam time to reduce anxiety for test takers
• The ability to work with Cobalt Strike, which is one of the most well known and used threat emulation platforms by both legitimate teams and malicious actors.
• The information provided is useful not only to aspiring red team operators/leads, but blue teams for the ability to work with how attackers build and use evasive TTPs.

Cons

• The certification is very early stage in comparison to other well known certifications like OSEP, eCPTX or CRTE. Someone in the industry may know of this certification and its quality, but it will not carry the same weight as a SANs or Offsec certification will bring to most HR processes.
• If you have very little experience in Visual Studio, writing code and compiling code, or are not brushed up on material from RTO 1, you may find some issues that are not covered in the course material.
• Unlike RTO1, there are very few video demo's in this course which may be an issue for some. To be fair, the ones are available are for the important modules you'd want them for.
• While there is plenty covered here, some of it is exclusive to CS. If you use another platform, you will have to adapt or find alternative strategies for some of the in house provided functionality.
• The exam has a few "gotchas" in terms of needing to think outside the box. You will most likely not be able to follow course notes word for word and pass, at least in my experience I did not. Best advice is keep good notes and don't be afraid to reboot the lab if something looks like its setup for a certain attack path, and the key you need is not there. While this is a templated exam environment, glitches in the Matrix do happen!

I highly recommend this course for any looking to get a solid grasp on red team evasion tactics and learning techniques to improve the usability of Cobalt Strike in an evasive manner.