Certified Red Team Operator (CRTO) in 2024 — My review & tips
Yesterday I successfully passed the CRTO exam. Today I received the above badge in my email. I want to document my whole experience with the certification — the course and the exam — and share my tips with you if you’re looking to go after this.
Background
Around a month ago, owing to some unfortunate interviews, I decided to go after certifications. This is not my first cert, but it’s been a while. I classify certs into two categories — “for skills” and “for HR” (a few certs are both, including this one). The former gives you knowledge; the latter shows it to HR. So far I only had a few of the former, none of the latter.
The “Certified Red Team Operator” is a red-teaming certification offered by Zero-Point Security. This certification optionally comes with a course, and a lab hosted by Immersive Labs. I purchased the “Course + 60 Days Lab” (80 hours) option, which includes an exam attempt voucher. The course is NOT mandatory; you can purchase just an exam voucher too.
Course Content & Quality
Above is the table of contents of the course offered. The material is hosted on Zero-Point Security’s training website. It took me 3 weeks to go through it all from start to finish.
The course takes you all the way from recon to post-exploitation of “Cyberbotic” — a fictional company and their Active Directory environment. Along the way you learn to use Cobalt Strike from a beginner’s perspective. The course also shows you OPSEC considerations for certain TTPs — what noise you make and footprints you leave behind after certain attacks. It’s useful to look at it from a defender’s perspective.
The list of areas that the course touches on is definitely comprehensive. However, certain individual modules and sections felt lacking in depth, and I certainly would have enjoyed reading more. But then again, the course is not designed for someone new to all this; you’re expected to have some experience before you take this up.
Throughout the engagement you’re to use Cobalt Strike — a C2 framework. The course does a fantastic job of introducing CS. It shows you the whole “infrastructure” that CS requires, and how you can configure and set it up. You’re taught about setting up listeners and beacon payloads, and how to interact with the beacons to achieve your goals. Towards the end, you’re taught about malleable C2 profiles, and the Arsenal Kit’s artifact kit, resource kit and mimikatz kit. This is in conjunction with the course’s Defender Evasion part.
In the Defender Evasion parts, you’re taught how to bypass Windows Defender and AMSI, and execute the tools you want without getting booted off the target. You use tools to check whether Defender and AMSI catch your beacon payloads, and keep modifying them until they don’t. The Arsenal Kit is taught for this. Once done, you’re to go through all the TTPs again, to check whether you can indeed do it all without getting detected. This is because Defender was disabled in the entire environment all along (for easier learning).
With the course, you start off with a low-privileged access in Cyberbotic (a fictional company), and work your way up to move laterally everywhere, get domain dominance, and hunt for data.
Lab Quality
If you purchase the “Course + X days lab” option, you get access to the accompanying lab — the same one used in the course content I described above. You can follow along with the course directly in it. I got v2.4.4 of the lab.
The lab is hosted on Immersive Labs, and you get Guacamole access to each individual host in the environment. Guacamole offers an “in-browser” remote-desktop connection.
On your Attacker machines, you get Cobalt Strike’s teamserver and client installed. You get all the tools necessary for the TTPs too. You also get access to a PowerDNS instance that works for your entire lab, and a Kibana instance to see your TTP’s IOCs live.
All the victim machines are individually accessible too, if you need to set them up before certain attacks. They all run Beats agents that collect and feed telemetry to the Kibana instance.
The whole lab comes with an overall snapshot and individual snapshots for all hosts, and you can revert to them at any time. Bear in mind that you get limited hours with the lab, so take care to stop the lab once you’re done.
The lab was mostly stable, though the latency really tested my patience. I had certain issues with the lab at one point — first, the machines were stuck in a “Storing” state and would not turn off for 48 hours, and secondly, they would fail to revert to the base snapshot. Thankfully, this did not consume my lab hours. However, I’m certainly not happy with how (scarcely) Immersive Labs support responded to the whole situation.
Support from Zero-Point Security
Zero-Point Security has a Discord server, and there’s a dedicated channel for CRTO students. Daniel Duggan (aka rastamouse, the course author) is always active there, and answers students whenever he can.
During the whole issue with Immersive Labs, Zero-Point Security kept in touch with them as best as they could, and their persistent communication is probably what made Immersive actually look into the issue and fix it.
Exam experience
The exam gives you 48 hours of lab time that you can spend over a 4-day window. This is the environment where you are to emulate a red-teaming scenario and compromise it. Like the course lab, it is hosted on Immersive, and is just as accessible and stable.
The exam is CTF-ish. There are a total of 8 flags, one on each individual host. You only need 6 flags to pass. And no, there’s no report writing involved.
The environment is very similar to the course’s lab. Windows Defender is enabled on all your targets. The course material is all you need to know to compromise and move across the hosts.
I started my exam at 1 pm, and it was almost midnight when I got my 6th flag. In between I took breaks. Initially I had planned to go for the 7th and 8th flags the next day, but I woke up to the email with the CRTO badge, and did not want to proceed further.
My preparation (& my tips for you)
- Take extensive notes while going through the course. The notes must be separated by TTPs, and searchable by keywords. Include any tool that the attacks need, and sample commands. This is advice not just for CRTO, but for any course. I have an ever-growing repository from doing this. When I need to look up something, it’s the first place I go to.
- A few areas in the course felt lacking, so I set out to do additional research on them to learn more — blogs, official docs, tweets, anything I could find. And yes, I added my findings to my notes too. To understand an attack, you must first understand the underlying services involved. Prior experience definitely helps.
- In the end, the course recommends going through the course lab again, but this time with Defender enabled. Definitely do that. Play around with it, and see what gets detected and why. During the exam, spend the first hour or two configuring and testing your Arsenal Kit; otherwise you will keep getting flagged and booted off all your targets. Make sure your beacons work by running them on the Attacker host first, with Defender enabled. Try executing .NET assemblies and PowerShell scripts with the local test beacon. If it works on Attacker, there’s a good chance it will work on your targets too.
Overall
Overall, this was a welcome and fun challenge for me. The course and the lab adequately helped me with the exam. It helped me revise and expand upon Active Directory concepts.
After this, I plan to move on to other certs. I wanna keep the flow.