Overview
Certified Red Team Operator (CRTO) is a certification opportunity presented by ZeroPointSecurity. The certification ties directly to the Red Team Ops I course offering, which is a fundamental yet thorough introduction to maneuvering through an Active Directory environment and abusing misconfigurations with CobaltStrike and open-source tooling.
The Course
The course does an outstanding job covering the attack lifecycle, the CobaltStrike C2 framework and how to employ it in an engagement, common misconfigurations that can be abused in Active Directory environments, and opsec considerations when performing operations and evading Windows Defender. It is self-paced but offers great support via the course Discord, where RastaMouse (the course developer) and other students discuss course material and help brainstorm through questions and challenges encountered.
Prior to the course, I had completed AlteredSecurity's Attacking and Defending Active Directory course and achieved the CRTP. I completed this a year prior and had a gap in using the course material, so I did have to relearn some of the topics, but it definitely did help to have the previous exposure. Some light coding experience, especially in C# and PowerShell, would be beneficial but isn't a deal breaker if you're dedicated and diligent.
The Lab
Lab time is offered as a subscription through SnapLabs. The lab is a critical part of the course; I highly advise going through all of the course material with Windows Defender disabled (the default setting of the lab), and afterward going through all of the course material and labs with Windows Defender enabled. The lab instructions are pretty clear and if something isn't, the Discord is there to support you.
The Exam
The exam was a fun challenge. In my opinion, if you complete the course material and lab work with Windows Defender enabled and can achieve all of the objectives, you will be ok on the exam. Everything you need for the exam is covered in the course material.
Booking the exam is pretty simple; it is booked through the link here. There are plenty of timeslots available, some even same-day. Once you book your exam, you will immediately be provided with a threat profile that explains the adversary you will be emulating on the engagement along with other details.
As far as the exam experience goes, access to the lab environment starts precisely at the time you booked the exam for. You must find and submit flags to the SnapLabs dashboard and need at least 6 out of the 8 total flags to pass the exam. You are allotted 48 hours across 4 days to complete the exam objectives. You are able to pause the exam environment if needed.
The exam took me longer than I would've preferred, but ultimately I achieved the 6 flags I needed to pass. I started to work towards the 7th, but something went awry and things broke, so I called it good where I was at.
I highly encourage you to pace yourself, take breaks, eat, go for a walk, etc. Have a notepad/paper and pen available to sketch out what you're trying to achieve, it may be helpful. 48 hours is plenty of time to compromise the provided environment pending having prepared appropriately.
Related Reading
"Certified Pre-Owned: Abusing Active Directory Certificate Services" by Will Schroeder and Lee Christensen
"Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory" by Elad Shamir
"Delegating Like a Boss: Abusing Kerberos Delegation in Active Directory" by Kevin Murphy
Comments