Certified Red Team Operator (CRTO)
There is a huge list of topics that you will be guided through, like:
- Command & Control w. Cobalt Strike
- Initial Compromise
- Domain Reconnaince
- Credential Theft
- Pivoting via. SOCKS proxies, NTML Relaying, etc.
- Different techniques for Kerberos Abuse
- Custom C2-profiling via. malleable profiles
- In-memory & On-Disk evasion of Microsoft Defender
A complete list can be found on the course link above.
The course material is heavily focused on the provided lab environment, where you have a fully functional Microsoft Enterprise Environment that you have to compromise and move laterally through.
The C2 framework that is taught in this course is the famous Cobalt Strike (newest version), and as I’m aware the CRTO is the only course that gives access to training on this tool (which is a huge plus).
Throughout the course material, you will learn OPSEC considerations, so you know what each command is doing, and what impact it has on the compromised system - this is super important on a Red Team Assessment. There is connected an Elastic collector on each host, so all logs will be shipped to an Elastic instance - to which you are also provided access. This emphasizes that you can see what artifacts are left on the host when you are compromising it.
An example of this is when you get taught how to bypass Microsoft Defender via artifact kits and resource kits to sneak through on-disk, in-memory & behavioral detections.
The exam is based upon an assumed breach assignment, where you will have to emulate a threat actor. You will have to utilize everything that you learned, like configuring a custom C2-malleable profile for evasion. I can’t disclose too much about the exam, as I want you to have the same experience with the exam as I did.
I can say though, that this has been by far, the most fun and challenging (in a good way) exam that I’ve tried. It touches on aspects that can be frustrating to encounter, but it is bearable after several hours of staring into the same Cobalt Strike Terminal.
The exam is not proctored, which means that you have access to all external resources (like in a real assessment), and is covered over 4 days, or 48 hours of lab time. This will make the exam much more enjoyable, as you don’t have a person looking at your screen/you for 24 hours (like you do in e.g. OSCP, or other certs from OffSec.)
The lab environment provided for the exam is similar to the one in the course material, and you will have to submit 6/8 flags in order to pass.
I can only say good things about this course. I highly recommend this course to someone who wants to understand the different attack methods underlying an Assumed Breach assessment. This course is also good for consultants working with detection engineering, as different artifacts is being taught.
However, you will need to have some knowledge about basic Active Directory, Networking, and the kill chain in order to benefit the most from this.
I would say, that this exam is the most realistic and close to a real assessment you would get as an offensive consultant, compared to the certifications I’ve done and heard of.