Zero-Point Security's Certified Red Team Operator (CRTO) Review

Zero-Point Security's Certified Red Team Operator (CRTO) Review

ยท

7 min read

Red Team Ops is a course that teaches the basic principles, tools and techniques, that are synonymous with red teaming. Students will first cover the core concepts of adversary simulation, command & control, and how to plan an engagement. They will then learn about each stage of the attack lifecycle from initial compromise to full domain takeover, data hunting, and data exfiltration.

Background

I enrolled into Zero-Point Security's Red Team Operator course about 2 months and cleared the exam with 8/8 flags on the 13th of October. Throughout the year, I've been experimenting and playing around with Active Directory Exploitation and Opensource C2 Frameworks in my lab.

Both Zero-Point's CRTO and Pentester Academy's CRTP have been on my radar for a while now. Looking into the outline of these courses, I realized that RTO focuses more on the entire attack lifecycle from the initial compromise to full domain take over. That was what pushed me over the fence to pursue this course.


The Course

The course alone costs ยฃ365.00. There is also an option which gets you 40 hours of lab time with the course which costs ยฃ399.00. Zero Point Security also recently added an option which allows students to split the payment up into 4 smaller payments.


Course Content

The course contains 27 comprehensive chapters. Each chapter goes in-depth with well documented explanations, commands and screenshots to back them up. The content was fairly easy to absorb given that I was actively trying the TTPs in the course lab which I'll talk about in the next section.

Whenever I felt lost with any of the chapters, there were a fleet of videos which I could refer to that demoed the attacks taught in the course. However, I do have to preface this by saying that not all chapters and sections have their own video. I heavily enjoyed the red teaming techniques & concepts that this course brought across. Here are some of my favorite sections this course had to offer.

OPSEC

One thing I really appreciated was that the course didn't just teach you how to throw tools and techniques at the target. It placed emphasize on performing attacks with opsec in mind which I haven't seen before. Educates you on what a red teamer has to have in mind when conducting engagements.

Initial Compromise

I've gone through a number of Initial Access modules of other organizations. However, what stood out to me in RTO was that the course teaches you how you can build a detection system with the help of Kibana. This was my first time doing that and noticing what the blue teamers actually see.

Active Directory Exploitation

This Course taught quite a number of AD Attacks. From credential/User impersonation to Kerberos attacks to Domain Dominance Techniques & Persistence, this course covered it all. The learning was also extremely hands on. I was able to execute each, and every attack taught in the course, in the lab.

Cobalt Strike

Prior to this I've heard some great things about Cobalt Strike, but I've only ever used Free & Opensource ones. Although this course teaches Session Passing in between C2s, it uses Cobalt Strike as its primary C2. The course also provides you with a valid copy of Cobalt Strike to play around in the lab with no extra charges on top of your lab cost. I've also been wanting to learn Cobalt for a while now. This course killed 2 birds with one stone :)

Bypassing Antivirus

The course also covers some basics of bypassing an active antivirus on a target host. This chapter ties in well with the use of cobalt strike to generate payloads and using them in action. Students will not be able to bypass an up-to-date AV as this is just an intro to the topic. However, the concept taught is still extremely valid. If you're interested in dealing with EDRs, check out CRTO II.


Course Lab

I was very contempt with what I got for the price I had paid. The lab consists of a couple Windows hosts in a few AD Forests. As you go along with the course, you'll pick up techniques to own all Forests.

Backend

As someone who runs their own home lab, I'm naturally someone who's extremely interested in infra. I was impressed on how Zero-Point Security had set the lab up. The lab is deployed on AWS with the help of Snap Labs. Students are required to create a snaplabs account to redeem the lab.

There's also an admin box which runs Apache's Guacamole (same solution that I use ๐Ÿ˜„) to facilitate the remote desktop connection via a web browser. Yeap, you can only access the labs via the web RDP. I was initially pretty upset with this as the latency was extremely bad (I'm based in SG). However, I learnt that this was a requirement to have a valid copy of Cobalt Strike for us to play around with in the lab.

Content

The machines and setup of the lab were more than enough to learn and practice the TTPs taught throughout the course. I didn't find anything lacking and there were sufficient hosts, forests to conduct tests on.

I was given 40 hours of lab time with the default package. I ended up using about 35.5 hours for my practice. However, if you require more lab time you are able to purchase it here for ยฃ1.25 a month.

Support

Support is provided thru 3 main channels.

  • Rasta himself via support mail & Discord

  • Active community on discord

  • Community forums on the LMS

The community is extremely helpful in most of the cases. The discord server also acts as an archive of all issues other students have faced. It has helped me countless times and couldn't be more thankful for it!


The Exam

The CRTO Certification exam is a 48 hour-long practical engagement which sets out to simulate a realistic red team engagement which tests students on adversary simulation, command & control, engagement planning and time management. Students are required to collect 6 out of the 8 flags in the environment to pass the exam.

The exam absolutely picks your brain on all the content that was taught through the course. It's not a direct paste of the course lab and requires you to think out of the box and chain multiple TTPs in order to gain access to the machines. The exam's 40 hours can be spread over 4 days. This is to give u ample time to relax, refresh and get some quality sleep.

My Exam Experience

My personal experience with the exam was mostly positive! I used up about 32 out of the 48 hours for the exam. I was able to rake up 6 flags to secure the pass in about 6 hours. However, I hit a mental block after that. I tried various methods and followed false leads to get the last 2 flags. But nothing was working. After taking a mini break I was able to secure the 7th flag 4 hours after the 6th.

The last flag however, had me going crazy. I was trying all sorts of attacks to get to it. At a point I even started thinking if there was a technical issue and reached out to the creator who confirmed that there were no such issues. There was a point in the exam where I started throwing ZeroLogon at the DCs ๐Ÿ˜…. I ended up logging off for the night, went to work the next day, had dinner with friends and restarted the exam environment the following night. After about a good 7 hours and trying almost all attacks, something struck me, and I got to the final flag. Was a solid journey IMO! Worth the pain.


Improvements

Overall, I'm really happy with what I got from this course. I learn a ton and it didn't break the bank. Rasta also recently upgraded the cobalt strike deployed in the lab to the latest version and reworked some of the sections which includes new screenshots and demo videos!

The only suggestion I have is to expand the AWS region. Let the students choose the region closest to them to enable the best learning experience! Other than that, that's it from me! Highly recommended course ๐Ÿ˜

ย