CRTO - Certified Red Team Operator
Certified Red Team Operator (CRTO) by Zero-Point Security
Last updated
The Certified Red Team Operator (CRTO) is a red-team certification offered by Zero-Point Security that covers the core concepts of adversary simulation, command & control (C2), engagement planning and reporting.
Unlike most other red teaming & pentesting certifications, the CRTO goes through each stage of the attack life cycle, from initial compromise to domain takeover, data hunting and exfiltration.
I passed the CRTO exam last weekend with 6 out of 8 flags! The exam was really interesting and fun, so I wanted to share my experience with the course and potentially offer some advice and guidance to those who are considering buying the course / taking the exam.
I am currently a second-year student at Singapore Polytechnic doing a Diploma in Cybersecurity & Digital Forensics, however the CRTO was far outside the syllabus of the course I was pursuing.
Prior to CRTO, I had a little bit of experience with pentesting (eJPTv2) and some malware development research but nothing directly related to red-teaming.
I strongly recommend familiarizing yourself with Kerberos as a large portion of the course involves really complex techniques for exploiting the protocol. Personally, I found this article really useful.
I purchased the course for £310.25 (15% discount) but the original price is £365.00.
And 30 days of lab access for £36.00.
This added up to £346.25 or S$575.33, which is a lot more affordable than some other certifications.
As mentioned above, the course covers the entire attack life cycle from initial access via phishing to compromising domain admins & pivoting between cross-domain trusts.
The course curriculum currently contains 29 modules, some of which include: Initial Compromise, Host Privilege Escalation, Credential Theft, User Impersonation, Lateral Movement etc.
An exhaustive list can be found at their official page here.
The labs are meant to be complemented with the course; however, the course materials are not a direct walkthrough of the lab. Instead you are expected to infer from the material what the next step is.
However, usually at the start of each new section, the materials do show you what users / domains should have been compromised in the previous section so you shouldn't find yourself lost because you missed out on a user.
The course primarily uses Cobalt Strike as its C2, and the labs have their own toolsets preinstalled that can be used with Cobalt Strike via execute-assembly.
You will not need any tools that are not already preinstalled!
The course recommends that the student finishes the lab twice: the first run with Windows Defender disabled and another with it enabled.
My first run of the labs went really smoothly, my beacons were stable (take note of this) and the commands worked exactly as they should- it was almost perfect.
After having such a smooth run with the labs, I decided that the second run with Windows Defender was unnecessary. I mean, how bad could Windows Defender possibly be, right...?
Disclaimer: All materials required for Windows Defender evasion are scattered throughout the course. If you diligently follow the course and respect the OPSEC concerns, you should get through your AV-enabled run smoothly.
As I don't want to spoil the exam scenario too much for potential CRTO takers, I will only very briefly talk about my struggles with Windows Defender during the exam.
A lot of the commands in the course will not work with Windows Defender enabled: not only will they not work properly, the beacon session will die... This meant that every time I ran a command that Windows Defender didn't like, I would have to restart my entire exploit chain, as the beacon I dropped to disk would be flagged and deleted...
Needless to say, the exam was a... learning experience...
I just wanted to very quickly mention that there is only one person from Zero-Point Security managing support, and that is Daniel Duggan aka Rastamouse. Personally, I didn't need to contact him during the course preparation time, but it is important to note that Rasta is a human being and takes weekends off, so you should try your best not to book your exam on a weekend.
I thought I had an issue during the exam and tried to contact him on a Saturday but didn't get a reply; I ended up fixing the issue on my own after rabbit-holing for a while.
Aside from Windows Defender trolling me, the rest of the exam was extremely fun and not guessy at all.
I started the exam at 6pm and only got the first flag roughly ~1 hour later due to the above reasons; the rest of the exam was relatively simple.
I got 4 flags and shut off the lab at 1 am (roughly ~7 hours since the start of the exam). I woke up the next day and got the last 2 flags in an hour and shut off the exam lab and went back to sleep.
In total, the exam took me ~8 hours.
It was my goal to spend my semester break grinding out CRTO, and I'm really glad that my efforts have paid off!
I spent 2 hours a day reading through the course materials and it took me about 2 weeks. Then, I bought 30 days of lab time and here the grind started.
I wasn't very diligent about doing the labs every day, but I would spend about 6-8 hours per session each week, finishing 6 modules in one sitting. I found this the most convenient for me as I wanted to minimize the number of times I had to restart the labs.
In total, I used up about ~20 hours of lab time before finishing the course.