Certified Red Team Lead (CRTL) Review
Review of the Red Team Ops II course and CRTL exam from Zero-Point Security.
Disclaimer: Please consider this article a point-in-time review. Zero-Point Security will always be updating this course and I will not be updating or amending this post in parallel. For the latest information about the course and exam, please see the official Zero-Point Security website.
After a great experience completing the Red Team Ops (RTO) course and Certified Red Team Operator (CRTO) certification last year, I jumped at the opportunity when Rasta Mouse recently announced the release of its “big brother” course, Red Team Ops II (RTO2) and the accompanying Certified Red Team Lead (CRTL) certification.
I enrolled in the course in November and studied the material over 3 months in preparation for the 72-hour practical exam. This week, I passed the exam, and I thought it would be valuable to share a summary of my experience and thoughts.
TL;DR - The exam was difficult but rewarding. Having lifetime access to the course material (with updates) makes this course a no-brainer for any red teamer.
Material and Content
The course is considered a direct follow-up to RTO, focusing on evading modern security defences using various strategies. Whilst RTO teaches how to execute common AD attacks with Cobalt Strike, RTO2 teaches you how to perform successful attacks in hardened network environments, going up against modern EDR solutions and blue teams. This course does not cover AD attacks, C2 principles or general Cobalt Strike ops, as this knowledge is assumed. Does this mean CRTO is a prerequisite for CRTL? Not necessarily, but ZPS suggests that all students should be comfortable with every module covered in CRTO at the very least.
There are currently seven modules: C2 Infrastructure, Windows APIs, Process Injection, Defence Evasion, Attack Surface Reduction (ASR), Windows Defender Application Control (WDAC) and EDR Evasion. In my opinion, the best modules are Defence Evasion and EDR Evasion, which is where this course shines. I did find that some modules lack in-depth explanations, resembling more of a "do this" approach rather than delving into "why it works". Considering the course has a very strong and clear emphasis on self-driven research (very much unlike RTO, which is far more spoon-fed), I think this is reasonable, especially given the price.
In my eyes, there are very few places where you can find this level of information while simultaneously practising with Cobalt Strike from your browser. Plus, like all Zero-Point courses, you receive lifetime access to the material even after updates have been made.
Lab Environment
The lab setup consists of a small Windows Active Directory domain featuring workstations, various servers, and a domain controller. It also provides multiple C2 redirector servers alongside “attacker-linux” and “attacker-windows” virtual machines. There are plenty of machines available for completing all the exercises and practising evasion techniques whilst you progress through the material.
Another way the course differs from RTO is that the content doesn't really follow the lab environment step by step. The lab is primarily for practising specific exercises or teachings from the material rather than following a narrative. While it still includes tasks like "do this on machine X to reach machine Y", it offers more freedom for tinkering rather than solely focusing on completing tasks.
Most of your time will be spent on the attacker-windows host, where you'll have access to Visual Studio, various tools, and your Cobalt Strike client. This attacker machine is equipped with everything you need since tools cannot be copied in or out of the lab environment (just like RTO, using Guacamole).
Exam
The course fee includes an exam attempt that you can schedule ad-hoc, which is great. The exam requires students to collect all flags (unlike CRTO, which is 6/8) within the allotted 72 hours to pass. The exam environment is made "available" for 5 days and it's up to the student to start/stop the exam environment within that time. I think that 72 hours is very reasonable considering what the exam entails.
That being said, it's fair to say that the exam is very difficult. I found it far more difficult than I was expecting - primarily because it had some "surprises" in there that I didn't see coming. The main difference between the CRTO exam and the CRTL exam is that everything needed to pass CRTO was in the material. With CRTL, this was not the case, and getting through it requires some real-world experience. I think relying solely on the content from RTO2 simply isn't enough to achieve a passing score - it requires some extra effort.
The exam does, however, do a great job of solidifying what was taught in the course and applying those skills under pressure. It took me ~30 hours of run-time before I had the final flag. Again, it’s a very difficult exam experience and I expect it'll stay this way as the course matures and updates over time.
One of the great things about Zero-Point Security exams is that you pretty much know when you've passed because it’s entirely flag-based. If you get all the flags, you pass. You do have to wait for the SnapLabs "event" to finish for the badge to arrive via email. I received mine about 30 minutes before the event officially ended.
Conclusion
To any current or future students, I strongly advise completing all exercises within the lab environment and making notes from the course material. I also found it beneficial to revisit some of the content in RTO, which had been updated since I took the CRTO exam. I'd also suggest taking full advantage of the lab setup, especially to practise setting up your Artifact Kit, SleepMask Kit, C2 profile, and redirectors multiple times.
It’s also worth checking out the following YouTube playlists created by Raphael Mudge, the original creator of Cobalt Strike. I found these helped solidify some of the teachings in various modules, even though they’re quite old at this point. Fair warning, he does talk very slowly in these videos - watching at 2x speed worked fine for me!
My personal experience with RTO2 and the CRTL exam has been fantastic. I think the only drawbacks of the course are the lack of support at times (as ZPS is a one-man operation, after all) and that the content sometimes feels quite dry in the way it's presented (in comparison to OffSec, for example). That said, the course has really boosted my confidence in operating in security-aware networks and I've already implemented several techniques in some of my internal tools. A solid 8/10!