Red Team Ops II exam review

In today’s ever-evolving cybersecurity landscape, staying ahead of the curve is important. That’s where certifications like the Red Team Ops II exam (also known as Red Team Lead, or RTO II) come into play.

Having just completed this rigorous certification, I’m thrilled to provide you with an insider’s look at the course and my journey through it.

What is the RTO II Exam?

First things first, let’s talk about what the RTO II exam is all about. The Red Team Ops II certification (RTO II, or RTL for Red Team Lead) is the continuation of the Red Team Ops (RTO) course. It’s designed to take your red teaming skills to the next level by focusing on advanced evasion tactics and defense bypass strategies against modern EDR agents.

Preparing for the Exam

Before diving into the exam, I made sure to revisit the foundational knowledge from RTO. Understanding the core concepts from the previous course was crucial for grasping the more advanced techniques covered in the RTL exam.

The course is structured to provide a balance between theoretical understanding and hands-on practice. It includes lab exercises hosted in Snaplabs, which offer a simulated environment for practical learning. The course emphasizes self-research and experimentation, encouraging students to explore beyond the provided material.

Course Structure and Content

The RTL course covers a wide range of topics, including infrastructure build-up, offensive tradecraft built on the Windows API, defense evasion strategies, Attack Surface Reduction (ASR) rules, Windows Defender Application Control (WDAC), and custom Endpoint Detection and Response (EDR) evasion techniques.

Each topic is presented in a clear and concise manner, making it easy to understand and apply in real-world scenarios.

Hands-On Practice

One of the best parts of the RTL course was the hands-on practice. The lab exercises provided a simulated environment where I could put my newfound knowledge to the test. From setting up C2 infrastructure to bypassing advanced security controls, the practical exercises were invaluable in reinforcing key concepts.

RTO II Exam Experience

Now, let’s talk about the exam itself. Spread over a 72-hour period, the exam consisted of practical challenges that required me to apply the skills learned throughout the course. From collecting flags to demonstrating proficiency in red teaming tactics, the exam was a true test of my abilities.

Tips for Success

If you’re considering taking the RTL exam, here are a few tips to help you succeed:

  • Review all my tips for RTO: everything from the RTO exam applies here as well, because you still have to bypass Microsoft Defender.
  • Review the Course Material: Make sure to revisit the course material and understand the core concepts thoroughly.
  • Practice, Practice, Practice: Hands-on practice is key to success. Take advantage of the lab exercises to reinforce your skills.
  • Stay Calm and Focused: The exam may be challenging, but staying calm and focused will help you tackle each task with confidence.
  • Don’t Forget to Take Breaks: Remember to take breaks and recharge when needed. A clear mind is essential for problem-solving.

RTO II Practical Tips

The first thing you should focus on is ensuring your Cobalt Strike payload can completely bypass AV and EDR. You should test with YARA both the file on disk and the memory of the running process, to make sure your payloads are clean in both places. The course offers plenty of examples on how to customize the CS beacon to bypass signatures.
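As an added example (this is not code from the original post or from the course), here is a PowerShell harness for that check: it runs YARA against the artifact on disk, runs YARA against the memory of a process that is already running the beacon, and finishes with a Microsoft Defender on-demand scan of the file. It assumes the official yara64.exe is on PATH, that a directory of .yar rule files (for instance public Cobalt Strike rules) exists, and that the process ID belongs to a process the beacon was started in or injected into; the script name and parameter names are my own.

```powershell
<#
Added example, not code from the original post or from the course.
Assumptions (none of these come from the page):
  - yara64.exe (the official YARA release binary) is on PATH.
  - $RulesDir contains one or more .yar/.yara files, e.g. public Cobalt Strike rules.
  - $ProcessId is a process the beacon has already been started in or injected into.
Run it from an elevated prompt: scanning another process's memory requires the
SeDebugPrivilege an administrator token carries.
#>
param(
    [Parameter(Mandatory)] [string] $Artifact,   # payload on disk, e.g. .\beacon.bin
    [int]    $ProcessId = 0,                     # 0 skips the in-memory scan
    [string] $RulesDir  = '.\rules'
)

$ruleFiles = Get-ChildItem -Path $RulesDir -Recurse -Include '*.yar', '*.yara' |
             ForEach-Object { $_.FullName }
if (-not $ruleFiles) { throw "No YARA rule files found under $RulesDir" }

function Invoke-YaraScan {
    param([string[]] $Rules, [string] $Target, [string] $Label)
    # yara's last positional argument is the target: a file, a directory or a PID.
    # -s prints every matched string with its offset, which tells you exactly
    # which bytes to change in the Malleable C2 profile or the artifact kit.
    $out = & yara64.exe -s @Rules $Target 2>&1
    # yara exits 0 whether or not anything matched; non-zero means the scan itself failed.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "[$Label] yara error: $out"
        return $false
    }
    if ($out) {
        Write-Host "[$Label] MATCHED:"
        $out | ForEach-Object { Write-Host "    $_" }
        return $false
    }
    Write-Host "[$Label] no YARA matches"
    return $true
}

# 1. The artifact as it sits on disk.
$diskClean = Invoke-YaraScan -Rules $ruleFiles -Target $Artifact -Label 'disk'

# 2. The beacon as it looks once it is running: reflectively loaded code and
#    decrypted config live in memory, so a clean file on disk proves little.
$memClean = $true
if ($ProcessId -gt 0) {
    if (-not (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)) {
        throw "No process with PID $ProcessId"
    }
    $memClean = Invoke-YaraScan -Rules $ruleFiles -Target "$ProcessId" -Label "memory of PID $ProcessId"
}

# 3. Defender on-demand scan of the file. -ScanType 3 is a custom scan of the given
#    path; -DisableRemediation reports detections without quarantining the sample.
#    If real-time protection is on, Defender may already have removed the file
#    before this point; that is itself a result worth noting.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$mpOut    = & $mpCmdRun -Scan -ScanType 3 -File (Resolve-Path $Artifact).Path -DisableRemediation 2>&1
$defClean = ($LASTEXITCODE -eq 0)   # 0 means nothing was found; read the output for anything else
Write-Host "[defender] $($mpOut | Select-Object -Last 1)"

[pscustomobject]@{
    Artifact      = $Artifact
    YaraDisk      = $diskClean
    YaraMemory    = $memClean
    DefenderClean = $defClean
}
```

Usage from an elevated prompt, with the beacon already running in PID 4321: `.\Test-Artifact.ps1 -Artifact .\beacon.bin -ProcessId 4321 -RulesDir .\rules`. Treat a clean on-disk result with in-memory matches as the normal case to expect early on: the static file is the easy half, and the memory scan is the one that tells you whether the Malleable C2 and in-memory evasion settings are actually doing their job.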

The “EDR Evasion” chapter is great, as it concisely summarizes all the basic techniques you need to know to bypass common detections implemented by EDR agents, such as hooking, image load events, suspicious call stacks, etc.

Once you’ve managed to customize your agent in the labs so that it flies under the radar, you should have no problem in the exam. At that point, it becomes essentially a standard network pentest.

More references on Cobalt Strike OPSEC will be provided at the end of this article. You should study them and become very familiar with them.

Conclusion

In conclusion, the Red Team Lead (RTO II) exam was an enriching experience that pushed me to expand my red teaming skills. From mastering advanced evasion tactics to overcoming complex challenges, the journey was both rewarding and fulfilling.

References

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_pe-memory-indicators.htm

https://www.cobaltstrike.com/blog/cobalt-strike-and-yara-can-i-have-your-signature

Red Team Lead (RTO II) badge
