CRTO Certification Review

Certified Red Team Operator

Updated 12/06/21 

Recently I had the opportunity to enroll into the CRTO course by RastaMouse at ZeroPointSecurity. This course focuses on red team engagements in multiple forest active directory environments with the goal of teaching the basic principles of operating under specific TTPs to emulate an attack scenario to full domain compromises. The full site description can be found below:

Red Team Ops is an online course that teaches the basic principles, tools and techniques that are synonymous with red teaming.
Students will first cover the core concepts of adversary simulation, command & control, and how to plan for an engagement. They will then learn about each stage of the attack lifecycle from initial compromise, to full domain takeover, data hunting, and exfiltration. Students will also take various OPSEC concerns into account and learn how to bypass defences such as Windows Defender, AMSI and AppLocker. Finally, they will cover reporting and post-engagement activities.

Read more here: https://www.zeropointsecurity.co.uk/red-team-ops/overview

I bought the course in early November with plans to schedule my exam for right before the December holidays. I ended up scheduling for December 1st and successfully passed, with results coming back on the 5th. This is the updated version compared to the old CRTO format that used Covenant/CS as the supported C2 platforms. The latest version uses SnapLabs for hosting both the lab environment and the exam. The designated C2 is a licensed Cobalt Strike instance running via Kali, plus a Windows development/attacking box for C# tooling and various offensive/admin Windows utilities. The course material is hosted via Canvas.

I will begin with my opinion that this is not targeted at beginners in the industry or in penetration testing. You're going to want a solid foundation in networking basics, general coding skills (able to read and understand what's going on in C# and scripts), and some experience performing basic penetration testing operations. Having experience with Active Directory, C# tooling via Visual Studio, and the Windows OS will be very helpful during this course. The course will require experience with AV and security control bypasses in some cases, but it provides a decent module on working with Cobalt Strike to accomplish that if you don't have much experience in the area.

Lab

The labs are hosted via SnapLabs, a web-based platform that integrates with AWS to create, modify, and deploy template labs for use in cybersecurity training. It's very easy to use and really helps avoid a lot of the trouble of downloading massive amounts of VMs or building the lab yourself. You're given an event tied to your account that allows you to access the RTO lab. The key thing to note here is that you need to buy runtime for the course. It comes with 1 free hour, but you will definitely need more time than that. In total, I purchased around 21 hours of lab time, which was less than $30 USD. You have the ability to start and stop the lab at any time to conserve runtime. Snapshot functionality is also there for the entire deployment or individual machines. You're given credentials to be used during the lab to help facilitate certain scenarios, and you can log in to any system via the SnapLabs web portal. As previously mentioned, the course material is hosted via Thinkific (EDIT) with a mixture of module-based markdown pages and supplementary videos.

Update 2/27/2022 - Course Content is now hosted via Thinkific on https://courses.zeropointsecurity.co.uk/

The course is streamlined to work from the start of the engagement to the finish, with some supplementary modules for topics that span various stages or setup. The start of the material goes quickly into red team theory and the operator's role, OPSEC considerations, scope, rules of engagement, etc.

From there we go into external recon via OSINT sources and more directed attacks against online services, with Exchange being the target in the course. Next comes building malicious payloads for phishing attacks and hosting files via Cobalt Strike to gain initial access from our "user", which is us using the login for a workstation to act as the low-privilege user who is phished. This is where we start building out our host enumeration tools, discovering where we are in the network, and getting higher access. The course goes over various tools and techniques for finding persistence possibilities and privilege escalation, then moves to domain enumeration with tools like BloodHound, PowerShell, and ADSearch. You'll learn how to use Cobalt Strike to build payloads, get beacons, pivot in the network to create beacon chains, use proxies, and modify it to bypass AV solutions. After extensive domain enumeration, you learn how to exploit various common configuration issues, or intended features found in production domains, to move laterally from system to system and user to user. The enumeration portion of this course is extremely important: if you are unable to identify the possible issues or routes, you will most likely not pass come exam time. One of the biggest strengths of this course is its coverage of working with multiple domains, learning how domain trusts work, and abusing certain scenarios to jump across more restrictive trusts. Overall the course material in Canvas lines up well for the most part with working in the lab. Some sections are very well done and match verbatim what you see in the lab. Some are more vague, and usually the sectional videos help clear that up if they are available. The lab provides everything you need to pass the exam, and you are restricted to using only what's provided on the attack machines, since these systems are isolated from reaching the internet.
Thankfully RastaMouse has provided everything needed in the builds. I spent about 3 weeks in the labs before deciding I was ready to test. I also made sure to add some holiday spirit into my studies!


Trying to find all the flags for my Cobalt Strike Christmas tree.

Exam

You are free to schedule the exam right after buying the course. There is no limit on retakes, but they are charged at £99.00, which is around $131. You are provided a voucher for the exam if you buy the full course package. The exam is allocated 48 runtime hours within 4 days of access from the start of the exam booking date. I began my exam on December 1st and received my graded score on the 5th after it ended. You can stop, start, and reset the exam the same way as the labs. You are not provided with web access to the exam machines, for obvious reasons, except for the initial compromise vector. Scoring is based on flags in the environment, with a total of 8 possible flags. To pass, you must get 6/8 flags submitted in SnapLabs. In comparison to the lab environment, you will not find anything not covered in the course material at some point, but it will not be streamlined like the lab. Each exam will have its own specific paths that you will have to figure out with proper enumeration and an understanding of how to work in the environment. My exam had me hitting a few walls of frustration trying to find the correct paths, but I eventually prevailed with 7 out of 8 possible points after about 36 hours of my exam time used. The exam difficulty really comes down to your attention to detail and having a solid methodology to help avoid making avoidable mistakes. Anyone who has extensive pentesting/red team experience will most likely not find this exam difficult, but I would not recommend it as a first exam for a newcomer. There is quite a bit of assumed knowledge that really helps to speed up the process when working in the environment. One of the huge benefits of this exam is that it is not webcam proctored, and the ability to manage lab runtime takes a lot of the crunch-time stress away for people who have issues with exam-based testing.

Overall Course Conclusion

Overall I found the course to be fantastic in terms of quality of information, experience gained, and takeaways compared to its price point. Below is a quick list of my pros/cons:

Pros

  • Affordable! The quality of content combined with the ease of use of the lab environment makes this one of the most worthwhile courses IMHO.
  • Packed with amazing information from one of the industry's rockstars, who is well known for content like RastaLabs on HTB.
  • Easy to read/copy course material with video demos for a majority of the modules.
  • Plenty of allocated course time and exam time to reduce anxiety for test takers.
  • The ability to work with Cobalt Strike, which is one of the most well known and used threat emulation platforms by both legitimate teams and malicious actors.
  • Access to the community of fellow students and RastaMouse himself, where you can continue to learn, ask questions, etc.
  • The information provided is useful not only to aspiring red team operators, but also to blue teams, for the ability to work with certain attacks and view the TTPs around them.
  • Rolling course, with updates for new content being provided.

Cons

  • The certification is very early stage in comparison to other well-known certifications like OSEP, eCPTX or CRTE. Someone in the industry may know of this certification and its quality, but it will not carry the same weight that a SANS or OffSec certification brings to most HR processes.
  • Some modules are explained at a general level, but don't apply directly to the lab context for that module. This is usually resolved by the demo videos that show the needed changes or explanations, but it would be nice to see some of the topics fleshed out a little more and more emphasis on the enumeration and being able to piece together the puzzle.
  • Some portions of the enumeration sections are shown using specific tools, but they may not be provided in the actual exam, which then requires you to adapt to using what is provided. This can be considered a pro to some, but may be a barrier to others when it comes to efficient enumeration.

I highly recommend this course for anyone looking to get a solid grasp on red team operations for an amazing price currently. As this course continues to mature, I predict it will become one of the more recommended and standard courses on the market. I'd be excited to see what improvements and additions get added over time. Feel free to hit me up with any questions (not exam content related)!

Till next time, farewell and happy hacking!