A few months ago I passed the Certified Red Team Operator (CRTO) exam with full points (barely). The purpose of this post is to document my thoughts and experience from this journey in retrospect to help others gauge their readiness.

What is the CRTO?

Red Team Ops is the flagship red teaming course from Zero Point Security. The Certified Red Team Operator (CRTO) is the certification earned upon successfully passing the associated 48-hour practical exam, taken within a 4-day testing window.

The RTO course is focused on learning and applying the fundamental skillsets and techniques commonly used in red teaming. It is widely considered to be the de facto red team course/certification for learning the foundations of this security niche. Before diving further, here is some context to better understand what “red teaming” actually means (from my experience).

What is “Red Teaming”…?

…And how does it compare to penetration testing?

This term gets tossed around the industry quite a bit and it’s relatively easy to go down a rabbit hole when researching semantics. Most online sources credit its origins to military “war games” with some stating as far back as the early 19th century. The US Department of Defense gave it some traction when the decision was made to implement “red teaming activities” across the different military branches. One DoD report way back from 2003 provides some interesting context into red teaming as it was understood 20+ years ago: The Role and Status of DoD Red Teaming Activities.

In the most basic sense, a “red team” serves as the devil’s advocate against a “blue team”, i.e. the entity being tested or assessed. The goal of these exercises is to simulate various adversarial threats and attack scenarios to assess and improve the security posture and response capabilities of the blue team. Applying these concepts to the security industry today can raise some questions as red teaming has some overlap with traditional penetration testing. My current understanding is as follows:

Penetration Testing or “pentesting” involves practical security testing to discover and validate system vulnerabilities with the goal of determining true business risk. Pentesting is typically performed in a limited, time-boxed engagement (usually 1-3 weeks) against a controlled environment, and adheres to a strict scope and rules of engagement. Pentesting aims to find as many vulnerabilities as possible within the given timeframe/scope and is typically overt (and noisy). The primary deliverable of a pentest is the final report including but not limited to: testing methodology, findings (tailored by business risk), and recommended remediations.

Red Teaming takes an (arguably) deeper and more holistic approach, with a greater focus towards assessing the detection and response capabilities of the target (i.e. Blue Team). Depending on the testing narrative, the red team may emulate the tactics, techniques, and procedures (TTPs) of a real-world adversary such as an Advanced Persistent Threat (APT) or other high profile, nation-state threat actor. Compared to pentesting, red team “engagements” are typically much longer, sometimes spanning multiple months and vary based on the attack narrative or scenario, such as phishing a user, compromising a specific server, exfiltrating test data, or gaining domain admin privileges.

In contrast to pentesting, red teaming strives to be more covert with an increased effort to maintain strong operational security (OPSEC) to avoid detection and alarms during the engagement. Additionally, there is often a strong emphasis on post-exploitation activities, such as persistence, privilege escalation, lateral movement, and domain dominance (most commonly in Active Directory environments). The starting point for the engagement could be from an external, unauthenticated perspective or an internal, authenticated one. The latter can also be considered an “assumed breach” perspective where the red team starts with basic user access and goes from there - attempting to elevate privileges and pivot throughout the environment. As these covert Red Team engagements are typically “low and slow” in practice, it’s common to leverage a command and control (C2) framework as a means of maintaining extended and covert access.

What’s so special about command and control (C2)?

Deeper into the rabbit hole we go… It could be argued that the bulk of a Red Team engagement is in the “post-exploitation” stage of a typical attack lifecycle. One cybersecurity firm, Mandiant, has a great example with their Targeted Attack Lifecycle that breaks this concept down further. The post-exploitation stage is commonly conducted using a C2 framework, and there are many of them out there with different strengths and weaknesses. However, most of them share a common trait in that they leverage a small piece of software (malware) called an “agent”. These agents are implanted on a target machine and communicate with the C2 server (sometimes called a “team server”) over a covert or encrypted channel. Using these C2 frameworks, a red team can collaborate via the team server and control any number of agents by sending commands over the encrypted channels. In some frameworks, these agents and their communication methods can take many forms, with the ability to mimic real adversarial threats or legitimate web services (like music streaming apps).
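To show the same agent/team-server traffic from the blue team side, here is an added example (not from the post or the RTO course) that scores constructed proxy log lines for the regular “check-in” cadence an implanted agent produces even when it hides behind a lookalike of a legitimate web service. The log format, hostnames and thresholds are assumptions for the illustration.

```python
"""Beaconing heuristic over constructed web-proxy logs.

An agent that polls its team server on a fixed sleep (plus a little jitter)
leaves an unusually regular request cadence per (source, destination) pair.
A low coefficient of variation (stdev / mean) of the inter-request gaps is
the signal; ordinary browsing is bursty and scores high.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<ISO timestamp> <source IP> <destination host> <HTTP status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$")

# Constructed sample: 10.0.0.5 checks in roughly every 60s with small jitter
# against a host posing as a music CDN; 10.0.0.7 is a user reading the news.
SAMPLE_LOGS = """\
2023-06-01T08:00:00 10.0.0.5 cdn-music.example.net 200
2023-06-01T08:01:00 10.0.0.5 cdn-music.example.net 200
2023-06-01T08:02:03 10.0.0.5 cdn-music.example.net 200
2023-06-01T08:02:58 10.0.0.5 cdn-music.example.net 200
2023-06-01T08:04:01 10.0.0.5 cdn-music.example.net 200
2023-06-01T08:05:00 10.0.0.5 cdn-music.example.net 200
2023-06-01T08:00:12 10.0.0.7 news.example.org 200
2023-06-01T08:00:14 10.0.0.7 news.example.org 200
2023-06-01T08:03:40 10.0.0.7 news.example.org 304
2023-06-01T08:09:05 10.0.0.7 news.example.org 200
2023-06-01T08:21:50 10.0.0.7 news.example.org 200
2023-06-01T08:22:01 10.0.0.7 news.example.org 200
"""


def parse_logs(text):
    """Group request timestamps by (source, destination); malformed lines are skipped."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        series[(m.group("src"), m.group("dst"))].append(datetime.fromisoformat(m.group("ts")))
    return series


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None if too few gaps."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_requests=6, max_cv=0.2):
    """Flag (src, dst) pairs whose request cadence is suspiciously regular."""
    hits = []
    for (src, dst), times in parse_logs(text).items():
        if len(times) < min_requests:
            continue  # too little traffic to judge periodicity
        stats = interval_stats(times)
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOGS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"~{hit['mean_interval_s']}s apart, cv={hit['cv']}")
```

Real detections layer more signals on top of this (request sizes, URI variety, destination reputation), because a large jitter setting or a long sleep stretches the cadence until a single threshold stops separating it from normal traffic.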

TL;DR: Given the increased complexity and planning efforts to orchestrate, red teaming is generally considered a step above in “security assessment maturity” when compared to traditional penetration testing.

Important Prerequisites Before Registering

The CRTO is a fundamental, “beginner” red teaming course. However, it is generally considered an intermediate-level cybersecurity course overall, as the offensive security niche is more advanced in and of itself. The Zero Point Security course page calls out the following brief prerequisites:

  • Experience with Windows and Active Directory environments
  • Prior penetration testing experience
  • Familiarity with C, C# and PowerShell

I found these to hold true when going through the course and exam. Here are some additional recommendations from my experience:

  • Consider taking the PEN-200 | Offensive Security Certified Professional (OSCP) course/exam first if you’re new to penetration testing or offensive security in general. This course/exam provides an excellent foundation across the broader scope of pentesting. The OSCP has changed a bit since I went through the course in 2019, but the updated course syllabus and exam now have a significant Active Directory component, which can be very beneficial to CRTO studies. Speaking of…

  • Review your Active Directory and Kerberos knowledge. Period. Full stop. Seriously though, Active Directory and Kerberos are practically ubiquitous in red team engagements, as these technologies are used in the majority of government and corporate environments (thanks Microsoft…). In fact, an article from 2020 claimed that 90% of Fortune 1000 companies use Active Directory. As such, it is extremely important to be comfortable with, or at least familiar with, these two monster topics. As seen in the RTO course syllabus, the Kerberos module is the largest, and for good reason: it can be a nightmare to understand.

  • Get familiar with C2 tooling such as Cobalt Strike, because it’s used every step of the way in the RTO course. As previously mentioned, command and control (C2) frameworks are commonly used in red team engagements as they provide a methodical approach to maintaining extended and covert access. Cobalt Strike is a popular commercial C2 framework that is considered a de facto standard for red team operations and adversary simulations. It is used exclusively in the RTO course (as of June 2023) and is a fantastic tool that implements the powerful “Beacon” agent and employs Team Servers for beacon management (command and control). Cobalt Strike was initially created (and solely maintained, to my knowledge) by Raphael Mudge of Strategic Cyber, LLC in 2012. The software was acquired by HelpSystems (which later became Fortra) in 2020. Given this long-standing development, most of the available training, blog posts and documentation come from Raphael Mudge himself. I would recommend the following resources to get familiar with Cobalt Strike and dig deeper:

    • Cobalt Strike Introduction and Demo (40 min video) - This is the official intro/demo from Fortra. It’s not Raphael Mudge, but it showcases Cobalt Strike in its modern form and interface. Great for the basics and learning the capabilities of the framework.
    • Red Team Operations - Training Course (9-part video series, ~11 hours) - Not to be confused with the RTO course, this training series was created by Raphael Mudge in 2015 and is a fantastic deep dive into the framework’s capabilities, showcasing practical (and very technical) examples of adversarial threat emulation. The only downside is its age, but many of the tactics and techniques still apply today; they may just use a slightly different syntax or interface.
    • Cobalt Strike User Guide - Definitely not “light reading” by any means but a good reference nonetheless.
    • Archived blog posts from Raphael
    • HackTricks - Cobalt Strike

Fun fact: Cobalt Strike originally grew out of Armitage, a precursor tool that was initially built as a front-end interface for the popular Metasploit Framework. Armitage is still maintained today and is built into the Kali Linux pentesting distro.

What’s Included in the RTO Course?

As seen on the course page, the curriculum is very robust and includes a plethora of foundational red team material, covering the full attack lifecycle: “from initial compromise to full domain takeover, data hunting and exfiltration”. There is also significant consideration given to operational security (OPSEC) throughout the course, which is a nice supplement: it shows the Indicators of Compromise (IoCs) and general “noise” each attack produces through a defensive (blue team) lens.

The course content is hosted online within an Immersive Labs (formerly Snap Labs) environment. This was a nice alternative to the typical PDF + video file format that you see from other certification vendors. The majority of the RTO content is text and picture based with some modules having video demos to supplement. There’s also a student forum as well as a Discord channel with regular chatter.

Additionally, there is an RTO lab environment, also hosted through Immersive Labs, to follow along with the course content. Although it’s a separate subscription, I found it to be an excellent value and a critical piece for getting the most out of the course. The lab is accessed in the browser via the modern web magic of Apache Guacamole, so there’s no fiddling with VPNs, VMs and the like. In my opinion, the best part of the lab is that it includes a fully licensed version of Cobalt Strike and a complex Active Directory lab to tinker with as you work through the course.

Lastly, the course provides one included exam attempt.

A few awesome things about the way this course is provided:

  1. You get lifetime access to the course content in addition to the support channels.
  2. The course content is updated periodically.
  3. You can log in and view the course on a mobile device.
  4. The lab is fully set up and accessible through a web browser.

What’s Required to Pass the CRTO Exam?

As described on the exam page, the CRTO exam is a practical 48-hour challenge conducted over a 4-day testing window. The exam is conducted through the Immersive Labs environment and is very similar to the course lab. The style of the exam is “capture-the-flag” (CTF): students must find 6 of 8 flags throughout the exam environment to pass. The exam follows an “assume breach” methodology and requires the configuration of an adversarial “threat profile” to mimic a given set of TTPs. The methodology closely follows what is taught throughout the course, including initial (low-level) access, persistence, privilege escalation and lateral movement. There are also some OPSEC considerations!

One nice thing about this exam format is there are no formal reporting requirements and no video proctoring, so you don’t need to IM your proctor every time you need to use the restroom. 😆

The Journey Begins

I started the course at the beginning of January 2023 and purchased 40 hours of lab time (conducted through the Immersive Labs/Snap Labs environment). I studied for about 2-3 hours daily over the course of about 6 weeks. My general workflow was:

  1. Read the module content.
  2. Watch any included videos.
  3. Take notes with Obsidian (great tool btw!).
  4. Do the lab exercise.
  5. Check references and external resources.
  6. Take more notes!

Overall, the course did a great job of introducing new concepts in a logical fashion following the various “stages” of a typical attack lifecycle. Per the course curriculum, you start with the initial Cobalt Strike (C2) setup, where you configure various Beacon agent listeners (for command and control) and learn about how they communicate on a target network. Then you move to external recon and initial compromise, which teaches some open-source intelligence gathering (OSINT) methods along with some modern phishing techniques to gain initial (user) access into the target environment.

The course then moves into a heavy post-exploitation focus, starting with host reconnaissance, persistence, and privilege escalation. This is where the Windows and Active Directory familiarity comes in, as the techniques taught in this course leverage vulnerabilities and misconfigurations in these environments. From there, the course goes into specific attack techniques to pivot and move laterally throughout the target network. Kerberos comes into play here with the various types of delegation (unconstrained, constrained, resource-based constrained). This was a very heavy module; that one took a while to get through. There are also a few modules on extracting trust material (domain credentials and the like) from various Active Directory components and “features”. 😄

The course ends with a few modules focusing on domain dominance, showcasing techniques to leverage your elevated domain access throughout the environment, gain domain persistence, and pivot to external trusted domains within another forest. This is where you dig deeper into Kerberos and learn about the magic of golden tickets and the like. There are also a few modules that discuss various antivirus and application whitelisting bypasses and evasion techniques.

I especially enjoyed working through the Cobalt Strike methodology, the persistence techniques, and all the evasion tricks with malleable C2 and A/V bypasses.

After about 6-7 weeks of studying the course content and going through the motions of refining notes and methodology, I scheduled the exam…

CRTO Exam

The exam was an incredible experience overall. Compared to an OffSec exam (OSCP, OSWE, etc.), which feels like a sprint, the CRTO exam felt like a marathon. You’re given 48 hours of exam runtime spread across a 4-day testing window. This is a generous amount of time given the task requirement of capturing 6 of 8 flags, but time management is still very important. As previously mentioned, the exam is conducted within the Immersive Labs (Snap Labs) environment. Since there are no proctoring requirements, scheduling was very flexible with practically no wait time. Looking at the exam booking page today, you can schedule the exam on the same day, as early as two hours out.

It’s now been a few months since I was knee deep in the exam, and it’s giving me a headache looking at my notes… 😆 So I won’t attempt to walk you through a comprehensive play-by-play (while avoiding sensitive exam details). As an alternative, here are some daily highlights from my exam experience:

Day 1

Starting at 8:00AM sharp, the first day went relatively smoothly. Given the provided threat profile, I set up my attacking environment with Cobalt Strike, closely following my course notes. Although I had a little trial and error while I was getting my feet wet, the first few flags weren’t too bad which was a nice confidence boost. I finished out the day around midnight with 4 flags down. It was a long day but off to a good start. Now only 2 flags away from passing…

Day 2

Progress started to slow down (and backpedal) a bit on day 2. Eager to start the day off strong, I logged into the exam environment only to find that my prior access (which I had established on day 1) had ceased to exist…??? This was nerve-wracking and cut my confidence level a bit. “What was I doing wrong?” was the theme of the morning, which put me in a frazzled state. I later discovered where my oversight was and essentially had to re-establish all my access from the day prior… 😑 Around mid-day, I grabbed flags #5 and #6, securing my passing score… Woohoo!! But of course I couldn’t stop there, still more to do… This is when my brain started yelling at me.

Day 3

No flags on Day 3. This day was a grind of desperation towards flag #7. But I refused to quit, so I kept digging… for the rest of the day… to no avail. 😖

Day 4++

Pandemonium. I was now very exhausted after working in hyper-focus mode for the past 72 hours. This was the last full exam day, but still no flag #7… what am I missing? I kept grinding away… Later that day, now nearing the end of the exam, I finally got a spark and started gaining some traction in the right direction. After exhausting all other options, I took a (mental) step back and started connecting the dots in my head. I think I figured it out. At that point, I had a feasible solution to the seemingly insurmountable problem I was encountering. As I began to implement my solution that evening around 6:30PM, my exam environment breaks… 😟😟😟

Crap. Well that’s an unfortunate time for an outage. There I was, heads down and finally coming up with a solution and my exam is scheduled to end the next morning at 8:00AM. This was a major bummer since I was on a roll towards flag #7 but couldn’t progress any further. I accepted my fate and went to sleep.

I later learned that there was a widespread environment outage due to infrastructure or service issues on the Immersive Labs side. Thankfully, this was resolved with great follow-up support from Daniel Duggan himself at Zero-Point Security.

Several hours later, I received notice (in the middle of the night while I was sleeping) that the exam environment was back up. Only problem was I saw the email once I awoke the next morning with about 40 minutes left on the exam clock… 😬 I already had 6/8 flags at this point which was enough to pass but since I technically had extra exam runtime and the motivation to keep going, I had to go for it…

Thankfully, after bashing my head against the wall the previous day in relentless pursuit of flag #7, I finally found it, but it was right at 7:59AM, one minute before my exam ended. I was super excited BUT I couldn’t submit it in time. What’s worse is that at that point, I was 95% sure I knew the route to flag #8 thanks to all the recon going after #7, but I needed #7 to advance… However, I reached out to Daniel and asked if I could submit the flag given I had additional exam runtime (and since there was the outage). He was quick to respond and, thankfully, let me submit flag #7. Even better, he let me use some additional exam time to go for #8! Sure enough, I secured #8, the final flag, about 20 minutes later and got that submitted for full points!

CRTO Achievement Unlocked! 😎

[Image: Certified Red Team Operator (CRTO) badge]

Course Takeaways

  • Subscribe to the Red Team Ops Lab. I’d consider this an imperative supplement to the course unless you are a seasoned expert. The lab environment is configured to follow the course content all the way through. It’s also relatively inexpensive ($45+) given its value to the course.
  • Manage your lab time wisely. As of the time of this post (June 2023), the subscription model for the lab has changed for the better, so it’s not as much of an issue now. The old model provided monthly chunks of lab time, but it was only 40 hours that wouldn’t reset until the following month. So if you used the 40 hours within the first couple of weeks, you’d have to wait another couple of weeks to get more hours due to how the subscription was billed. This impacted my learning schedule, as I would leave the lab running while going through the course content; however, there were sections where the lab wasn’t needed, so I either felt rushed to get through the lab or that time was wasted. With the current subscription model, the lab time is split into run times that are capped at 120hr/30-day, 250hr/180-day, and 365hr/500-day.
  • Go through the course content a few times. There’s a lot to absorb, and although the content is presented in a well-structured manner, it took me a couple of times before I started connecting some dots in my head. Take the opportunity to tinker with Cobalt Strike a bit if you subscribed to the lab, to solidify the methodology. Each time I went through the lab content, I refined my notes until I felt the methodology was strong and concise. Speaking of notes…
  • Make sure you have a solid note-taking system! I’ve used CherryTree extensively in the past, but switched to Obsidian last year mainly due to the simple file structure and markdown formatting, not to mention the awesome GUI. Obsidian worked great for this course and I would highly recommend it if you don’t currently have a go-to. Whatever your tool of choice is, make sure you’re comfortable with it so it can function as your “second brain”!

Exam Takeaways

  • Pace yourself, don’t rush. As previously mentioned, I’d consider the CRTO more of a marathon than a sprint. The time provided is generous: 48 hours of exam lab time spread across 4 days. Manage your time wisely by taking breaks and taking care of your mental and physical wellbeing. If you’re running up against a wall, step away and go take a walk. Scientific research shows this will help your mental acuity, stress levels, and overall mood.
  • Follow the course methodology. “Use the course, Luke.” Seriously though, the course content provides everything you need to pass the exam. Be logical in your attack path and don’t put the cart before the horse. 😄
  • Be mindful of your OPSEC. If I had paid more attention to this at the beginning of the exam, I would have saved myself some time and brain cycles. The course discusses these OPSEC considerations throughout, and there are even a few modules dedicated to foundational security controls and their applicable bypasses. Considering that modern environments often implement these controls by default, it’s very important to familiarize yourself with the proper evasion techniques to avoid low-hanging-fruit alarms caused by attacker OPSEC failures.

Conclusion

Overall, this was an amazing experience from Zero-Point Security. The content was awesome and the exam was challenging. I absolutely recommend this course for security enthusiasts interested in red teaming. Looking forward to taking more courses with Zero-Point Security. Red Team Ops II is certainly on the bucket list for the future. 😎