Good afternoon everyone. As you well know, my posts are direct, concise but informative. (Almost) nobody cares about an introduction that looks like the Bible talking about what I had for lunch today.

Today we’re going to talk about the Certified Red Team Operator (A.K.A CRTO). Without a doubt, one of the most recognized Red Teaming certifications in the sector.

What is it about?

According to the official syllabus, these are the topics that will be covered during the course:

  • Command & Control
  • External Reconnaissance
  • Initial Compromise
  • Host Reconnaissance
  • Host Persistence
  • Host Privilege Escalation
  • Initial Compromise (Reprised)
  • Credential Theft
  • Password Cracking Tips & Tricks
  • Domain Reconnaissance
  • User Impersonation
  • Lateral Movement
  • Session Passing
  • Data Protection API
  • Kerberos
  • Pivoting
  • Active Directory Certificate Services
  • Group Policy
  • MS SQL Servers
  • Microsoft Configuration Manager
  • Domain Dominance
  • Forest & Domain Trusts
  • Local Administrator Password Solution
  • Microsoft Defender Antivirus
  • Application Whitelisting
  • Data Hunting & Exfiltration
  • Extending Cobalt Strike

Complete CRTO course syllabus

But don’t worry, Uncle Victor is here to simplify it for you: The most important thing is that you’re going to learn to use Cobalt Strike in a basic way while diving into the world of Active Directory, establishing persistence, MSSQL attacks, Windows credentials, and antivirus evasion (thanks to different options built into Cobalt Strike).

One of the things I’ve definitely loved about this course is that it’s very well structured. The content is taught gradually. This isn’t OffSec that tells you 1+1 = 2 in chapter 1 and then asks you what Mary’s dad’s name is if she’s 12 years old and wearing a red dress. This way, you’ll be able to apply the contents/concepts you’ve learned previously.

Practical Part

The labs are a faithful copy of the theory. Everything you need to know is in the course material. On the other hand, they are labs integrated into the browser (using Guacamole), so their stability and fluidity isn’t the best. Don’t hesitate to put everything you learn into practice, seriously. You’re going to need it.

One very good thing about this course (the next one a little less, the CRTL) is that the labs are a faithful copy of the theoretical material. You’re going to have to start from scratch, setting up Cobalt Strike configuration, its profile, configuring it, etc. Additionally, you’re going to have direct access to all the lab machines (including the attacker’s, obviously) where you’ll be able to do whatever you want, such as modifying X policy or Y permission. Once you have everything configured, it’s time to exploit! Be prepared, because you’re going to learn to abuse Kerberos (and its delegations), SQL servers, domain trusts and much, much more! Without a doubt, it’s a super practical and complete experience if you haven’t fought much with Active Directory before.

That said, it’s worth noting that the lab is not included and must be paid for by the hour, this wasn’t always the case and may change, so I’ll leave you the official Red Team Ops lab extension link where you’ll always have it updated.

Is it worth it?

Short and Clear: Yes. If you’re interested in red teaming and Active Directory, for approximately 500€ you’re going to learn a TON of things that are VERY APPLICABLE IN REAL LIFE. Later, if you want to continue delving into the subject, you have the continuation of the CRTO: The CRTL. In short, there you’ll learn advanced EDR and Cobalt Strike evasion techniques.

Exam

For obvious reasons I can’t talk about explicit topics from the official Red Team Ops exam. But what I can tell you is that EVERYTHING YOU NEED TO PASS IT IS IN THE COURSE. They won’t ask you anything they haven’t taught you before. Additionally, you have 48 hours spread over 4 days to get 6/8 necessary flags, so there’s plenty of time.

My personal recommendation is that as soon as you start the exam, take your time to make sure 100% of your techniques to evade Defender work.

Recommendations for the certification

Put everything you learn into practice. Don’t fall into tutorial hell (just watching theory without applying practice). If you don’t understand something, always ask people on the Zero-Point Security Discord server (or even better, the Deep Hacking Discord server).

Personally, what I do is read the entire course and take notes on ABSOLUTELY EVERYTHING (I almost copy the course content but in my own words and in Spanish). Then, I start again but doing the practical part while perfecting the notes I take. When I have the notes ready, I separate them by categories. For example: Kerberos, AV evasion, SQL Attacks, Persistence, etc.

If you have little time, you can activate the antivirus as soon as you start the lab (by default it’s disabled), so you practice not only the attacks you do but also evasion techniques and acquire that OPSEC mindset that’s talked about so much.

Once you feel comfortable in the labs and understand everything you do, you’ll be ready for the exam.

And that’s basically everything I have to say about the CRTO. In summary, a highly recommended certification if you’re interested in red teaming and Active Directory.

Share on X Share on LinkedIn Share on Telegram
Comment on Discord Visit the author page