Certified Red Team Operator (CRTO) Review

Ibad Altaf
Apr 25, 2023

In my previous post, I stated that I’m interested in doing ZeroPointSecurity’s “Certified Red Team Ops” (CRTO) certification after completing “Certified Red Team Professional” (CRTP) in February. So that’s what I did and enrolled for CRTO.

CRTO Course

The CRTO course is all about looking for misconfigurations in an AD environment. Various courses teach you about AD misconfigurations and how to exploit them, but what RastaMouse’s (the author of CRTO) course does differently is that you have to do it through a C2 server, and they provide you with a licensed version of Cobalt Strike.

Cobalt Strike is a corporate-level C2 tool which allows you to conduct your red teaming activity efficiently.

The course curriculum teaches how to use the C2 server; emulating threat actors, OSINT, phishing, privilege escalation, persistence techniques, and Active Directory exploitation through misconfiguration. It also teaches various evasion techniques for on-disk payloads, in-memory and behavioural detections.

The course is well put together, with heavy reading material and several videos. It explains the methodology and the actual working of each misconfiguration instead of just listing the steps to exploit it, which is neat. The course also focuses on operational security (opsec) techniques to stay undetected or to blend in with normal traffic.

CRTO Lab

The lab consists of Windows Server 2022 machines with Defender enabled and Application Whitelisting. The lab consists of 4 domains for you to play around with. The lab complements the course material perfectly with all the attacks working perfectly. The lab isn’t supposed to be a challenge lab, but RastaMouse does give a challenge in the midst of the course for us to do (not mandatory to do but recommended).

Another neat feature of the lab is that you get a centralized server using Kibana to gather the logs of your activity so that you can view and see if you’re getting detected.

The lab can only be accessed through a Guacamole session (no VPNs). The labs sometimes do have issues (could have been just for me) when you start them initially, but after you reboot them a couple of times, they work flawlessly.

CRTO Exam

The exam was fun and challenging at the same time. There were points where I was scratching my head but after figuring it out, it felt pretty easy.

You have to get 6/8 flags to clear the exam. From setting up the C2 server to getting 8 flags, it took me a little over a day’s worth of “exam lab time”. The exam experience was pretty stunning and as I said fun and challenging. It felt like I was in a real engagement.

Conclusion

The CRTO course has changed the way I used to do Red Teaming assessments. I have learnt that patience and keeping your Beacons alive are highly important. Another thing that I have learnt, which I felt is very important, is not to trust the output (errors). Sometimes you need to analyse the output on your own. The course content was beyond my expectations. My plan was to go for OSCP right after CRTO. However, now I’m more inclined towards doing CRTO II first, which teaches advanced OPSEC tactics and techniques for bypassing AV and EDR agents.

Ibad Altaf

Penetration tester and a red teamer. Love to learn techniques to bypass various security solutions. Find me at linkedin.com/in/ibad-altaf