Certified Red Team Operator (CRTO) Review
Introduction
Certified Red Team Operator (CRTO) is a penetration testing/red teaming certification and course that teaches the basic red team principles, tools and techniques, entirely through the Cobalt Strike command and control (C2) framework.
In this review, I take the time to talk about my experience with this certification, the pros, and cons of enrolling in the course, my thoughts after taking and passing the exam, and a few tips and tricks.
Pros
- At about $450 USD, it provides great value at an affordable price.
- When it comes to performing attacks using a C2, this is definitely one of the best and most comprehensive courses out there.
- The forum and Discord channel were always very quick to reply and super helpful with any technical issue I had during the course.
- The course is provided by Zero Point Security, which is well known in the industry for creating exceptional training resources and labs.
- For almost every technique and attack used throughout the course, a corresponding detection and mitigation/remediation strategy is provided.
- The course sometimes gets updated with new attacks and techniques, which I was pleasantly surprised about.
Cons
- This certification probably won’t look as shiny as something from OffSec on your resume, despite the great material and value provided.
- Some of the techniques taught throughout the course won’t always work in the lab environment or during the exam.
- Guacamole is the only way to access the lab and exam resources, meaning that transferring files and tools to your VM will be quite difficult.
- The lab time is limited in the total number of hours that it can be run for (40/80/120 hours for the 30/60/90-day options respectively), meaning that if you forget to turn off your lab while taking a break, you will still be using lab time.
- The exam environment felt a little empty, and not very realistic, which made finding the intended attack path a little too easy and straightforward.
Background
I decided to take on this course after having completed a bunch of other Active Directory and red teaming-related certifications, as I became more interested in red team engagements.
While I was very familiar with Active Directory attacks and techniques, as I had been doing internal tests for a while, what I lacked was proficiency with a C2 framework such as Cobalt Strike and performing certain attacks in a more stealthy way.
I also heard a lot of great feedback from friends and colleagues who had taken this course before and recommended it to me, so this was a no-brainer for me.
Before enrolling I would recommend having a good knowledge of Active Directory/Windows attacks and tools as well as basic PowerShell and C#, in order to be able to understand all of the concepts taught throughout the course. Experience using C2 frameworks would also come in handy for this course.
The Course
The course provides text content and videos to follow along. It starts with setting up Cobalt Strike and then goes through various enumeration, exploitation, lateral movement, privilege escalation, persistence and evasion techniques that can be used in an Active Directory environment, all using a C2. The material is very easy to follow, and all of the commands and techniques are very well explained by the instructor, detailing how they work under the hood as opposed to just showcasing them.
The following are some of the areas covered by the course:
- Command & Control Setup
- External Reconnaissance
- Initial Compromise
- Host Reconnaissance & Privilege Escalation
- Host Persistence
- Host Privilege Escalation
- Credential Theft & User Impersonation
- Domain Reconnaissance
- Lateral Movement
- Kerberos Attacks
- Pivoting
- Active Directory Certificate Services
- Group Policy
- MS SQL Servers
- Microsoft Configuration Manager
- Forest & Domain Trusts
- Local Administrator Password Solution (LAPS)
- Defender Antivirus & Applocker
- Data Hunting & Exfiltration
- Extending Cobalt Strike
The course was extremely hands-on, and it demonstrated attacks using different tools. From my experience, pretty much all of the attacks could be run in the lab without any major issues, and support was always available for any questions.
I thoroughly enjoyed the course material and learning about all the functionality offered by Cobalt Strike. I was seriously impressed by how powerful it is and how easy it is to configure to simulate various APTs, evade detection and move laterally within a domain with ease. Pretty much all the attacks showcased in the course are applicable to real-world penetration testing that I have experienced in actual engagements.
During red team engagements you are meant to be evading detection and generating as little noise as possible, so the course doesn’t leverage any automated enumeration tooling such as BloodHound and instead focuses on manual enumeration using PowerView and built-in Windows binaries. While this approach can seem easy in a lab-like environment, it’s going to be very time-consuming in a more realistic domain with hundreds or thousands of objects.
What I also liked about the course is that it focused a lot on running attacks from a Windows environment, unlike more traditional internal tests that may be conducted from an attacking Linux machine using Python-based tooling such as Impacket, CrackMapExec or Certipy. This is often going to be the case in red team engagements, where access is provided through a compromised workstation.
While all the attacks are demonstrated with AV turned off, in the exam you will be expected to perform them with Defender and AppLocker enabled. Thankfully, towards the end the course covers various evasion techniques that can be used to get around Microsoft defensive tooling such as Defender, AppLocker and AMSI.
I recommend performing all the techniques shown in the course with AV turned on prior to the exam, as this will better simulate that environment. I personally did not find any issues with the evasion techniques demonstrated in the course and I was able to use them to get around detection.
The Exam
The exam environment is composed of several Active Directory domains, with an assumed-compromise approach, meaning that it starts with low-privileged user access on a workstation, similar to how a red team engagement would occur.
There are eight flags in total throughout the environment, and six are required in order to pass. Luckily, no report writing is required; submitting the flags will suffice.
The exam lasts four days, and students have 48 hours of lab time to complete all of the objectives. A few days before the exam I had written down the steps to set up Cobalt Strike and my payloads in a way that would easily bypass Defender.
I started my exam on the 23rd of December 2024 at about 10am Sydney time, and within half an hour or so I had my C2 environment and payloads/listeners set up. I then started enumerating the domain and quickly had my first flag.
I lost quite a bit of time due to the AppLocker bypass technique I was using not working as expected, so I ended up using a different one from the course. I was able to move from one system to another fairly quickly without any major blockers, and by about 3:30pm I had the six flags required to pass.
While I probably should have called it a day, I decided I wanted to continue and get the last two flags. I was stuck for almost three hours trying to exploit something, when I realised it was probably due to the tool I was using. I ended up using a different tool which worked and I was able to get my fifth flag.
However, I once again got stuck, due to me not fully understanding how impersonation through pass-the-hash worked, and my tool kept running in the wrong context. After a few more hours of troubleshooting I changed my approach, which finally got me the final flag. At about 11pm I was done and ready for bed.
The exam was overall very straightforward, while still being fair. I feel that as long as you are familiar with the techniques shown in the course you shouldn’t have any trouble passing it within a day or two. Just make sure to do lots of prep beforehand to save on time and stress during the exam.
Make sure you are keeping notes of your enumeration and exploitation steps so you can go back to them if you get stuck or if you lose access and need to quickly work your way back. Saving the commands you used will also speed up this process.
Ensure you know how to run the same attack in a couple of different ways in case some of the tools are not working as expected during your exam.
After a night of well deserved sleep, I woke up to this email:
Conclusion
Overall this was an extremely good course. While it didn’t necessarily teach me many new techniques or attacks, I learned the ins and outs of Cobalt Strike and how to perform all the classic AD attacks through it in a stealthier way. I am sure that even seasoned pentesters would get a lot of useful information out of this course.
If you would like to learn or expand your knowledge on Red Teaming, especially through a cutting-edge C2 framework, this course is definitely for you.