Zero Point Security’s Red Team Ops II (RTO2) Course and Certified Red Team Lead (CRTL) Exam Review
Ethics Disclaimers
First things first, I wish to disclose a few things prior to getting into the review proper. I was unexpectedly given an early preview of the Red Team Operator II course by Zero Point Security after posting my review of their CRTO Certification. I had access to the course until it was released generally. I then purchased the course on the first day it was available because I didn’t want to wait for the lengthy approvals process with my employer. In early December my employer reimbursed me for the course, however. Like the CRTO exam, I took this one twice. The first attempt was in October, and the second attempt ended on December 14th, with certification being administered on the day of publication. As of the date of publishing, I have not received, and am not receiving, compensation for the express purpose of taking this course or exam, or for writing this review, from Zero Point Security, RastaMouse, my employer, or anyone else. The thoughts and opinions expressed herein are mine, and mine alone.
Introduction
The Red Team Operator II (RTO2) course and Certified Red Team Lead (CRTL) Certification is billed as a continuation of the original Red Team Operator (RTO, or RTO1) course and Certified Red Team Operator (CRTO) certification, with a stronger emphasis on OPSEC-safe tactics and additional defense bypass strategies. It aims to build on the knowledge gained in the RTO1 course while throwing more defenses at you, such as WDAC, more aggressive Defender settings, and a custom-built EDR. The course also goes into how to properly set up a C2 infrastructure for your operations, and is still dependent on Cobalt Strike. Personally, the C2 infrastructure and the EDR were the most interesting parts to me, as the C2 build-up was something I was left wondering about after taking RTO1, and EDRs have become a subject of interest of mine as I have been learning about lower-level Windows internals.
Course Notes
The Build Up
The first section of the course covers infrastructure build-up. It discusses how your C2 architecture should be built for an operation and how the architecture is built within the lab. This gives the theory as to why the recommended setup procedures are what they are, and how to implement them. Afterwards it covers how to install and configure Apache to handle the redirection and TLS certificates to enable an HTTPS connection in Cobalt Strike, with some of the idiosyncrasies of handling certificates in Java programs (the teamserver, to be specific). Then there comes a very large section on the various types of .htaccess file rules, and how to implement them. As a former firewall junkie, I found this part to be very intriguing, as the fundamentals of defining .htaccess rules are similar to firewall rules, but with more contextual switching and much more regex. Overall, this section of the course was excellent and I really enjoyed it. Well done.
Basic Malice with WinAPI
This section has a little overlap with some other training I completed this year, specifically the SEKTOR7 Malware Development Essentials and Intermediate courses (okay, not done with Intermediate yet, but I am mostly there). If you are familiar with either of these courses, you will feel at home here. There is a twist, however, because RTO2 not only covers how to manipulate these APIs in C/C++ like the SEKTOR7 courses, but also how to do it in C# and .NET. The programming aspects of this course also focus on the use of Visual Studio as your IDE for development. In discussing the WinAPI, RastaMouse covers some C# concepts such as Platform Invoke (P/Invoke) and Dynamic Invoke (D/Invoke), including their differences and what value they bring to red team operators, how to use them outside the .NET ecosystem, and how they open doors for malice.
There is also a section on process injection where RastaMouse covers some ways to achieve process injection using a variety of WinAPI abuses. This was the section I was probably least interested in going in, due to having gotten some overlapping experience with the SEKTOR7 courses. However, after completing the course I will be taking the time to learn C# and .NET at some point in the future, because it just seems so much easier than doing it all in C++ and C. It would be a very useful tool to have in the belt. I wish the course had better called out which language was being used for each code sample. I had no C# experience coming into this course, so it was sometimes difficult to determine which languages the code samples were using throughout the course, as I do not have an adept eye to tell them apart quite yet.
Dancing Around Defenses
The Defense Evasion section focuses on avoiding getting caught by Defender, some things that can be done to avoid behavioral detections, spoofing to throw off IR teams, and how the implications of using these strategies with Cobalt Strike affect the operation being performed. As with RTO1, RTO2 continues its excellent highlighting of both the attacker’s and the defender’s perspective. RTO2 also continues to show you additional options for defining and handling your Malleable C2 profile, building on the concepts presented in RTO1. The beginning of the Defense Evasion section is mostly focused on spoofing, with some goodies thrown in showing how Cobalt Strike handles its fork-and-run and other post-ex behaviors. Each sub-section in this portion of the course does an excellent job showing how to perform actions in Cobalt Strike, how to implement them with the WinAPI, and what they look like to defenders. If you ever wish to write a C2, or an implant for a C2, this could be invaluable information for code examples on performing these actions.
This section of RTO2 also covers some newer aspects of the Arsenal Kit introduced in Cobalt Strike 4.6, specifically the Sleep Mask kit. I will also note that, at the time of writing, RTO1 now uses Cobalt Strike 4.7, so if you take the newest version of the CRTO certification you will be familiar with the new way the kits work in Cobalt Strike. The Defense Evasion portion of RTO2 is really the bread and butter of how you are meant to perform actions as a hands-on-keyboard operator, and of the actual operation portion of the exam. I thoroughly enjoyed this section of the course. As I continue to learn and work on lower-level Windows internals, learning the WinAPI abuse patterns to accomplish what is demonstrated here is immensely valuable.
A Harder Outer Shell
Next up is the Attack Surface Reduction portion. RTO2 does not cover huge portions of ASR, but it does cover some rules that would affect phishing and lateral movement. It covers enumerating the ASR rules with Group Policy, the Registry, and PowerShell. It then covers a few rules directly and shows what each rule does, and how to bypass the intention of the rule when the ruleset is weak. I don’t have any strong feelings about this section of the course being included. This may be due to my relative inexperience with red teaming, however, as I don’t do it for work. I mostly see it as a nice-to-have, although it is relevant to the exam.
The Bane of My Existence
Ah, WDAC. The crux of the next generation of Windows application control. RTO2 starts off by discussing some differences between AppLocker and WDAC in the way each program is administered by Microsoft, then quickly goes into how to enumerate WDAC, how to abuse misconfigurations utilizing LOLBAS, and how to abuse weak rulesets to skirt around execution rules. This section turned out to be fairly straightforward, but was critical to learn for the exam. The presented material was well demonstrated and described. There isn’t much more to say without spoiling the contents of the chapter.
Custom EDR
My personal favorite highlight. I absolutely love this section of the course. It explains the basic architecture of how EDRs work at the infrastructure, service, and code levels. It then goes on to explain how API hooking works in a few ways, including giving you examples of how to do it yourself and what happens when the EDR detects something malicious, followed by how you can detect which functions the EDR has hooked. Detecting the behaviors of how EDRs work was a highlight, even if it took me a time or two extra to really understand what was going on. Finally, it covers a bypass strategy that integrates syscalls with the Artifact Kit. Syscalls are admittedly still a weak point of mine, but I intend to continue to learn about them as I continue learning about how malware works. The EDR content wraps up with User Defined Reflective Loaders, kernel-level callbacks, and a teaser for the Offensive Driver Development course. Overall this section was one I was incredibly excited to tackle, and I got a lot out of it. It’s a highlight of this course.
Labbing
Like the CRTO labs, the CRTL labs are once again hosted in Snaplabs (now Immersive Labs), managed through Apache Guacamole and run on an EC2 backend. This lab was significantly smaller than the CRTO lab and, because Zero Point Security sells lab time at cost, it ends up being cheaper by £0.50 an hour, at £0.75 an hour as compared to £1.25 an hour. I will note that I have had some more connectivity issues with Guacamole in the CRTL lab than I did in the CRTO lab, but I think that is mostly due to Immersive Labs integrating Snaplabs into the parent company, and not really within Zero Point Security’s domain of control. It was not unusable, but it is something you may want to keep in mind. I also had some initial domain resolution issues immediately upon purchasing the course, but when RastaMouse updated the lab to v0.2 the issues went away. Additionally, like the CRTO labs, you may purchase additional time a la carte, which is a huge benefit of Zero Point Security courses for me. The labs are well done as always. Great job RastaMouse.
Exam
The exam is a similar idea to the CRTO exam, but smaller in scope, and with much more prep needed. The CRTL exam is 5 days with 72 hours of lab time, as opposed to the CRTO at 4 days and 48 hours. In my case, I started with the C2 profile, Artifact Kit, and Resource Kit I used in my CRTO exam, and made adjustments to them as needed throughout the course as I made my way through new content. In doing so, I made my life far easier when it came to preparing for the exam, and I would highly recommend that anyone taking the course do the same. The CRTL exam requires 4/4 flags to pass, as opposed to 6/8 in the CRTO exam. I would consider my exam experience to be mostly good. I have one significant grievance with it, though.
There is a flag in the CRTL exam whose method of discovery is not discussed anywhere in the course. The tool required to discover it is not in the lab either, as of the date of publication. After passing the exam, I contacted other users of the Zero Point Security Discord server who had previously passed the exam, and they were able to confirm that they did not have that tool in their lab either. Personally, I find this incredibly annoying. One of the things I like most about the CRTO exam is that everything on the exam was taught in the course. In this case, one of the flags is not taught in the course. After failing the exam on my first attempt, I followed up with RastaMouse and he said “ideally, you need actual experience between RTO and RTOII”. I expect this to be why the flag is the way it is. If this is the intended design of the course, I think that needs to be more explicitly called out in the marketing of the course. The flag is not obtuse, but I hadn’t ever encountered that scenario before my first CRTL exam attempt, and it killed 3 days of the attempt and burned me out, earning only 1/4 flags. So, how’s the rest of the exam? Difficult but rewarding. I enjoyed the rest of it, despite nearly going crazy during the attempt. It was well done, apart from the gripe with the flag that didn’t get covered in the course.
Final Thoughts
Overall, I thoroughly enjoyed my CRTL experience. The course material was engaging and well thought out. I feel as though I got a lot of value out of the course, and that it was well presented and organized. It builds on the strengths of the CRTO in ways that continue to be beneficial and interesting, showing multiple facets of what it teaches: the how, the why, and the impacts. For £399.99, I like that it is not a large jump up in price, even if it looks to be less content (it really isn’t, with all the exercises). If you took CRTO and continue to have a passion for red teaming, I would say it is worth taking this. I will once again, however, reiterate that the intended progression from RastaMouse is that after obtaining CRTO, you find a red team role before working on CRTL. I suspect that if this is adhered to, you should not find any problems with the materials as presented. Bravo RastaMouse. Another kick ass course. Red Team Ops II may be purchased directly from Zero Point Security here.