Overview

At the start of 2024, one of my primary objectives was to earn the CRTO certification. Having heard great things about the Red Team Ops course by Daniel Duggan (RastaMouse), I was particularly excited about the opportunity to gain hands-on experience with Cobalt Strike a tool I’d never had the chance to use before.

Last weekend, I achieved that goal, and I’d like to share my experiences, insights, and advice for anyone considering this course. The real-world experience with Cobalt Strike was invaluable, especially since the course challenges you to execute all TTPs within Cobalt Strike. The focus on operational security (OPSEC) was another standout feature, as it’s crucial not just to know how to execute attacks, but also to understand the traces you leave behind.

Course Insights

The course covers an extensive amount of material. Daniel Duggan (Rasta) guides you through every stage of an engagement, from configuring Cobalt Strike, managing listeners, and generating payloads, to carrying out the full attack lifecycle. For me, the chance to use Cobalt Strike was a highlight, as it was my first time working with this tool.

After mastering the basics, you delve into external reconnaissance, initial compromise, persistence, privilege escalation, credential dumping, lateral movement, pivoting, and domain dominance. As you can imagine, this is a lot to take in!

Throughout the course, Rasta emphasizes OPSEC, urging students to consider the traces they leave behind during attacks. Understanding how to perform attacks with minimal noise is vital for effective red teaming, and this aspect of the course was particularly valuable.

Lab Experience

The RTO lab is more of a guided experience than a challenge lab. As long as you follow the course, you’ll do well in the labs. It’s not a situation where you’re thrown into the deep end and left to figure things out on your own.

The labs allow you to practice the TTPs covered in the course, with a few instances where you’re encouraged to experiment on your own. I highly recommend taking these opportunities, as they will deepen your understanding and enhance your skills. Plus, you get to use Cobalt Strike even more—always a plus!

The labs are hosted on Snap Labs, which provides access to the machines via RDP through Apache Guacamole. Although it took some getting used to, the setup didn’t detract from the experience. The advantage is that everything is pre-configured, with all the tools you need already available on the attacking machine.

Remember to stop the lab when you’re done to avoid wasting lab time. On my first run through the labs, I focused on internalizing the course content rather than creating cheat sheets. During my second pass, I invested time in refining my notes and frequently used commands, which proved invaluable during the exam.

Challenge the Defender

A key tip: after completing the labs, revert the entire instance and go through it again with Defender enabled. During the first run, Defender and other protections are disabled, allowing you to focus on understanding the TTPs without the added challenge of bypassing defenses. However, for the exam, you’ll need to contend with Defender, so it’s crucial to practice making your payloads and techniques stealthy.

In the labs, I spent a considerable amount of time perfecting my bypasses. The process was intensive, involving repeated runs of Get-MpThreatDetection, but it taught me what could and couldn’t evade detection.

Fine-Tuning Your Profile and Kits

The course also covers techniques for bypassing Defender using Cobalt Strike’s arsenal kit. You’ll learn how to use the Artifact Kit and Resource Kit to customize your executables, DLLs, and scripts to bypass security measures.

Rasta explains how to craft a Malleable C2 profile that minimizes detection, and how to tweak Cobalt Strike’s behavior to remain undetected both in memory and on disk.

I recommend spending plenty of time refining your Malleable C2 profile and kits before re-running the labs with Defender enabled. This will allow you to thoroughly test your configurations and ensure they work as intended.

Make sure to document any changes you make, as you’ll need to replicate them in the exam environment.

Exam Preparation and Experience

Once you feel ready, it’s time to schedule the exam. The exam provides a threat profile outlining the objectives you need to meet. You have 48 hours spread over four days to complete the exam, which is unproctored and flexible. you can start and stop the environment as needed. Just be aware that stopping the environment will cause you to lose beacons.

To pass, you need to submit 6 out of 8 flags in the scoring portal. There’s no reporting requirement; simply submitting the flags is enough to pass. If you reach the required points by 2AM UTC, you’ll receive your badge via email.

I scheduled my exam for 11 AM. Once I began, I quickly configured my team server, uploaded my Malleable C2 profile, and dialed in my kits, thanks to thorough preparation in the labs.

It took me about 13 hours and 45 minutes to get all flags. The exam was fair, and everything needed to pass is covered in the course. While you can’t just copy-paste commands, understanding the TTPs will set you up for success.

The exam environment was stable, and my beacons remained active throughout. However when lateral movement, the beacon takes time to connect to you which was quite frustrating.

Keys to Success

• Practice with Defender enabled: Ensure you can bypass AMSI, memory detections, and on-disk detections.
• Refine your Malleable C2 profile: Ensure everything works as intended.
• Build and test your kits: Verify that your changes successfully bypass detection.
• Update and Recompile Certify Source code to be able to enumerate and abuse misconfigurations in Active Directory Certificate Services a cross domains.
• Take solid notes: Understand each attack, its purpose, and when to use it.
• Finally understand the techniques that are presented in the course dont just focus on the tools. Take time to comperhend them then you must make yourself familiar with the tools and their capabilities.

Conclusion

I thoroughly enjoyed the CRTO course and exam. The hands-on experience with Cobalt Strike, executing all TTPs through it. Cobalt Strike’s capabilities are impressive, and once you’re familiar with it, you’ll appreciate its power.

I highly recommend this course to anyone looking to advance their Active Directory skills and delve into red teaming. CRTO is an excellent next step after completing certifications like OSCP. It’s also perfect for anyone eager to get hands-on with Cobalt Strike, especially since opportunities to work with it outside of actual red team engagements are rare.