Certified Red Team Lead (CRTL) Review
It has been a long break since my last certification, which was the OSCP back in February 2024. I had heard great things about the CRTO 2 course provided by ZeropointSecurity. I purchased it last year, but quickly realised the gaps in my knowledge, which is why I started working on different certifications and then studied one of THE best malware development courses, Maldev Academy. After finishing that academy, I came back to CRTO 2 and absolutely loved it.
Course
The course itself covers an OPSEC-focused approach to setting up your C2 infrastructure: deploying multiple redirectors for HTTP and DNS traffic, and configuring them to relay traffic between the client’s network and our attacking infrastructure. The course also covers how to prevent our payload from executing in unintended environments by using Guardrails.
Once the infrastructure is set up, the course goes into detail on the Windows APIs and the native NT APIs, the pros and cons of each, and various process injection techniques, their differences, and their effects on process memory.
The course then moves on to the intricate details of bypassing various security controls: spoofing the PPID and command-line arguments, using inline execution instead of fork-and-run, and modifying various tools to evade both signature-based and behaviour-based detections.
After this, the course discusses security controls such as WDAC, ASR rules, and Protected Processes, and how to bypass them through custom tooling, researching the security solution in question, and finding loopholes, misconfigurations, and exclusions.
Lastly, my favourite section was the one on EDR evasion. I had so much fun with it because it requires a lot of research into the EDR itself: reading its YARA rules, blogs, articles, and whitepapers, and coming up with your own methods to bypass its detections. As an example, I had trouble performing lateral movement without triggering EDR detections, so I researched and worked out a different approach, which I have written a blog post about. You can read it here: Bypassing Elastic EDR to Perform Lateral Movement
Exam
The exam itself was a rollercoaster, because unlike the lab, you can’t see which detections you are triggering. So I had to research each hurdle I hit and then make changes to my custom tool to get past those hurdles and detections. For whatever reason, I chose to take the exam on a Sunday, which meant I couldn’t work on it the next morning because of work, so it took me almost 2 days to get all 6 flags.
Some Tips for the Exam
- Test your custom loaders, configurations, and C2 Malleable profile in the lab environment.
- Read whitepapers and blogs by professional Red Teams on various techniques and bypasses.
- Read the manual by Fortra on Cobalt Strike.
- Join the course’s Discord channel; being in a group with other Red Teamers expands your knowledge in ways you can’t imagine.