Red Team Ops exam review

Intro

In the fast-paced world of cybersecurity, professionals must constantly outpace threats. The Red Team Ops (RTO) certification sits at the advanced end of offensive security training.

Having just completed this rigorous certification, I’m excited to share my in-depth review of the course and my personal experiences.

Understanding the Red Team Ops Exam

The RTO exam is a rigorous practical engagement with 48 hours of lab time that must be used within a 4-day window, and it simulates a real-world red team operation. Designed to test candidates on a multitude of skills, including adversary simulation, command and control techniques, engagement planning, and time management, the exam demands not only technical expertise but also strategic thinking and adaptability.

Preparation with RastaMouse’s Red Team Ops Course

My journey to RTO success began with Daniel Duggan’s (RastaMouse) Red Team Ops course. This immersive learning experience provided a solid foundation in offensive security operations, with a key focus on mastering Cobalt Strike, a versatile tool for command and control in red team engagements. The course’s emphasis on hands-on experience and practical exercises proved invaluable in preparing for the challenges ahead.

Course Highlights

The Red Team Ops course comprises 27 comprehensive chapters, each meticulously crafted to delve deep into various offensive security techniques. From initial compromise strategies to Active Directory exploitation and bypassing antivirus measures, the course covers a wide array of topics essential for success in the RTO exam.

Key highlights of the Red Team Ops course include:

  • OPSEC (Operational Security): A critical aspect of red teaming, OPSEC is what keeps the operator undetected while executing their strategy. The course emphasizes the importance of considering operational security at every stage of an engagement.
  • Cobalt Strike Mastery: With Cobalt Strike as the primary command and control tool, students gain hands-on experience in leveraging its capabilities to orchestrate sophisticated attacks and maintain stealthy persistence within target environments. I had never used Cobalt Strike before, so it was a very exciting experience for me, from setting it up to running all the TTPs through it, and also learning how to customize it in order to bypass Microsoft Defender. I really enjoyed running the entire attack life-cycle through CS, and also the nice graph it displays with all the machines you have compromised.
  • Active Directory Exploitation: Delving into the intricacies of Active Directory, the course equips students with the knowledge and skills needed to navigate and exploit AD environments effectively.
  • Bypassing Antivirus Measures: In a landscape where adversaries constantly evolve their tactics, understanding how to bypass antivirus defenses is paramount. The course provides insights into basic techniques for evading detection and executing payloads successfully.

Red Team Ops Course Lab Experience

The practical component of the course, facilitated through a meticulously designed lab environment, offers students the opportunity to apply theoretical knowledge in a hands-on setting. With multiple Windows hosts across different AD forests, the lab provides a realistic simulation of red teaming scenarios, allowing students to hone their skills and experiment with various techniques.

Something very important to mention here: you will first go through the labs with Microsoft Defender disabled. Once you finish the labs, you MUST enable Microsoft Defender and go through them again. I can't emphasize this enough; this step is very important in order to pass the exam. It's more than 50% of the exam preparation process, because it will teach you what gets detected and give you valuable experience in bypassing Defender. ThreatCheck, Ghidra and Get-MpThreatDetection will be your friends.

Support and Community

Throughout my journey, the support network provided by Daniel himself, the active Discord community, and the comprehensive forums on the learning management system proved instrumental. Whether seeking clarification on course content or troubleshooting technical challenges, the community’s collective expertise and willingness to assist were invaluable resources.

My Red Team Ops Exam Experience

Entering the CRTO exam, I was prepared for a difficult test of my capabilities. Over the course of 48 intense hours, I navigated through a series of challenges designed to push me to my limits. From initial examination to stealthy infiltration and exfiltration of sensitive data, every moment demanded focus, creativity and resilience.

My personal experience with the exam was a testament to the breadth and depth of knowledge gained through the Red Team Ops course. While some flags were relatively straightforward to capture, others required innovative thinking and strategic planning. Despite encountering obstacles along the way, the satisfaction of overcoming each challenge reaffirmed my passion for offensive security and the pursuit of excellence in this field.

Make sure to turn off the machines when you are not working on them. The way I did it was basically to work on the exam from 9am to 9pm and then turn everything off. Yes, I needed a few days to pass the exam; it is not on the easy side of things, at least it wasn't for me. In the morning I had to re-hack all the machines I had compromised on the previous day(s), so make sure you set up persistence properly. This will be very helpful and it will save you a lot of time.

RTO tips – AV Evasion

Start by focusing on AV evasion; you will definitely need it during the exam. You need a good understanding of how signature-based detection works and what gets detected, basic familiarity with Ghidra, and basic knowledge of C so that you can adapt Cobalt Strike's artifacts until Microsoft Defender no longer flags them. As a matter of fact, this should be how you start the exam: before anything else, make sure all of your payloads (executables, DLLs, raw shellcode and service binaries) are not detected by AV. Don't forget about PowerShell scripts, you'll need those too😉 Also make sure you prepare your Malleable C2 profile beforehand. The profile I used in the labs is the same profile I used in the exam, nothing extra.
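The ThreatCheck-style workflow behind both the "go through the labs again with Defender enabled" advice and the AV evasion tip above is easy to reproduce yourself. The following Python script is an added example, not code from the course or from ThreatCheck: it bisects a payload by scanning progressively shorter prefixes until it finds the smallest prefix Defender still flags, then dumps the bytes just before that offset, which is where the signatured content ends. The `defender_is_flagged` function shells out to MpCmdRun.exe; the path and the assumption that a detection is reported as exit code 2 are mine, so check them on your own VM. When run without arguments it uses a constructed sample and a fake scanner that matches a fixed byte string, so the bisection itself can be tried offline.

```python
import os
import subprocess
import sys
import tempfile
from typing import Callable, Optional

# Assumed default location of the Defender command-line scanner.
MPCMDRUN = r"C:\Program Files\Windows Defender\MpCmdRun.exe"


def defender_is_flagged(blob: bytes, mpcmdrun: str = MPCMDRUN) -> bool:
    """Write blob to a temp file and ask Defender to scan just that file.

    Assumption (verify on your own box): MpCmdRun exits with 2 when it
    finds a threat and 0 when the file is clean. Run this from a directory
    excluded from real-time protection, otherwise RTP may quarantine the
    slice before MpCmdRun scans it.
    """
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(blob)
        path = tmp.name
    try:
        proc = subprocess.run(
            [mpcmdrun, "-Scan", "-ScanType", "3", "-File", path, "-DisableRemediation"],
            capture_output=True, text=True, timeout=120,
        )
        return proc.returncode == 2
    finally:
        if os.path.exists(path):
            os.unlink(path)


def find_flagged_prefix(data: bytes, is_flagged: Callable[[bytes], bool]) -> Optional[int]:
    """Return the smallest prefix length of data that the scanner still flags,
    or None if the whole file is clean.

    Binary search keeps the invariant: data[:lo] is clean, data[:hi] is flagged.
    The last byte of the (first) static signature sits just before the result.
    """
    if not is_flagged(data):
        return None
    lo, hi = 0, len(data)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def hexdump_before(data: bytes, end: int, width: int = 32) -> str:
    """One-line hex + ASCII view of the `width` bytes ending at offset `end`."""
    start = max(0, end - width)
    chunk = data[start:end]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {hexpart}  {ascii_part}"


# Constructed stand-in for Defender, used when no file is given: it "detects"
# any blob containing FAKE_SIGNATURE, buried here after 1000 filler bytes.
FAKE_SIGNATURE = b"EVILSIG"
SAMPLE = b"A" * 1000 + FAKE_SIGNATURE + b"B" * 500


def fake_is_flagged(blob: bytes) -> bool:
    return FAKE_SIGNATURE in blob


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        scanner = defender_is_flagged
    else:
        data, scanner = SAMPLE, fake_is_flagged
    offset = find_flagged_prefix(data, scanner)
    if offset is None:
        print("no detection")
    else:
        print(f"signature ends at offset 0x{offset:x}")
        print(hexdump_before(data, offset))
```

Bisection only finds static signatures: a truncated PE no longer runs in Defender's emulator, so behavioural or emulation-based detections will not show up this way. After you change the bytes at the reported offset, re-run the script on the rebuilt artifact, because a file often carries more than one signature, and confirm the result with Get-MpThreatDetection on the target before you rely on it in the exam.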

RTO tips – Backup

Another important tip, which I learned the hard way: make a backup of the Cobalt Strike folders before you modify them. I once messed something up while trying to bypass AV and wasn't getting any shells back; I had broken the payloads. I had to revert the machine and start from scratch. On the same note, after you make changes to the .c source, test your payloads on your local machine first to make sure you still get a shell back. Once AV is bypassed, go ahead and start hacking machines; it's a pretty standard pentest from that point on.

OPSEC

Check out all the OPSEC advice in the RTO course; you will need it. I also recommend reading the additional OPSEC advice in the Cobalt Strike documentation. Prepare your CS profile beforehand; you don't want to waste time during the exam reinventing the wheel. What's in the course is in the exam as well. Prepare a cheatsheet of the most common commands; it will save you a lot of time. You don't want to struggle through the exam searching for commands in the course material like I did🙂 Always try alternative methods for doing the same thing (e.g. lateral movement). On occasion you may have to google a Windows API error code to understand what the issue is, so be prepared for that as well.

Some other random tips

  • Use both DNS and HTTP listeners for your egress beacons
  • Use both SMB and TCP listeners for peer-to-peer beacons inside the network
  • Use service payloads where needed
  • Pay attention to when your payloads use the system proxy and when they do not

Red Team Ops Exam – Conclusion

I highly recommend doing this course and taking the exam if you're interested in red teaming. The content is very well structured and the price is very affordable. The way I see it, it's like a Burp license: great value for money. I bought this together with the Red Team Lead course (write-up soon) last December and it was a great idea. Highly recommended!

Red Team Ops badge