They say the richest person is not the one who has the most, but the one who shares the most. The thing is, I’m not rich, but I like to share. That’s why today I’m here to give a short (but honest) review of CRTO II, also known as Certified Red Team Lead (CRTL).

The course is the continuation of the well-known CRTO, with evasion as its focus. That is, you carry out the same kind of attacks you did in CRTO, but against hosts running Elastic’s EDR alongside Windows Defender.
To do this, the course equips you with the following knowledge:
- C2 Infrastructure
- Windows APIs
- Process Injection
- Defence Evasion
- Attack Surface Reduction (ASR)
- Windows Defender Application Control (WDAC)
- Protected Processes
- EDR Evasion
As you progress through the course, you learn evasion techniques that, above all, are applied in Cobalt Strike: through its Malleable C2 profile and the Arsenal Kit (sleep mask, thread stack spoofing) or through Beacon’s own commands (PPID spoofing), among others.
Honestly, the course gives you a very good foundation on more advanced evasion techniques on which you have to continue building knowledge on your own. Don’t expect to bypass Kaspersky’s EDR just like that after taking this course.
Is it necessary to have CRTO before doing CRTL?
In short, yes, unless you already have vast knowledge of AD exploitation. As I said before, CRTL is the continuation of CRTO, so the attacks are very similar but with more defensive controls (EDR) in the way.
Additionally, CRTO will allow you to understand the basics of Cobalt Strike, which is essential to be able to tackle CRTL.
Labs VS Exam
The labs are a faithful copy of the exam. This is not OffSec asking you for things you haven’t seen during the course. If you’ve managed to do well in the labs, then rest easy. Additionally, the exam lasts 96 hours, so you have 12 hours a day for 8 days to capture 5 of the 6 flags needed to pass.
Additional Resources
To make your payloads as hard as possible for EDR/AV to detect, I recommend you check out the following resources:
- Defining Cobalt Strike Reflective Loader
- magic_mz_x86 and magic_mz_x64
- PE and Memory Indicators
- Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
- An Introduction into Sleep Obfuscation
- GregsBestFriend - Tool designed to bypass AV/EDR systems
- Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion
- Cobalt Strike and YARA: Can I Have Your Signature?
- Advanced Module Stomping & Heap/Stack Encryption
- Memory Encryption/Decryption with SystemFunction033
- sRDI - Shellcode Reflective DLL Injection
Conclusion
To summarize and in my personal opinion, I can say that it’s one of the best certifications I’ve done. Additionally, its price is very affordable (€500 in total) compared to the knowledge you gain. If you’ve always wanted to be a hacker but the AV prevents you, CRTL will be very helpful.
Farewell
Alright, see you later.