Introduction

In the interest of expanding the contents of this journal I wanted to write about my experience with the new CRTO course and exam[1]. Given that you can no longer buy the “old” course, and that I did not do the “old” one, I will not and cannot compare the two.

I started the CRTO course immediately after passing the HTB CPTS exam, as a means to procrastinate and, well, learn about more interesting topics. As said above, I went into the course with the knowledge from CPTS, some 100+ HTB box completions and detection/attacker knowledge from my Blue Team job.

This course provides you with the knowledge and skills necessary to excel in performing adversary simulation and emulation exercises with Cobalt Strike.

Since the exact content of the course is detailed extensively on the ZPS website I won’t go into details about each section. Suffice to say you will get exactly what is stated in the course table of contents. On top of this you will obviously get hands-on experience with Cobalt Strike, be exposed to lots of different tools/techniques and a slight bit of programming. And of course one of the keys to not being detected: OPSEC.

Reflections

So in the end it took me almost exactly two weeks to complete the course; the LMS tells me I spent 42 hours on the course (including? the ~6 hour exam). That feels about right considering I could only work on the materials in the evenings and on the weekends, while not completely no-lifing it.

The very first aspect that I loved was the opportunity to get hands-on with Cobalt Strike. Most of the time before this I used almost exclusively Sliver and only saw Cobalt Strike in reports. So both the blue and red teamer within me were quite happy to play around with it, both to see how it behaves, where it could be detected and how it feels as an operator. From my time with it these were some of my favorite features:

  • Built-in report generation with MITRE ATT&CK mapping
  • General malleability (Artifact/Resource Kit and C2 profiles)
  • Comfortably using PTT and impersonating users without injecting into lots of processes (looking at the missing steal_token for Sliver, which I will miss dearly)
  • No need for "\"advanced 'quoting' techniques\"" (passing arguments to Mimikatz, commands and .NET assemblies can be convoluted in Sliver)
  • Robustness: never had any issues with longer-running or maybe erroneous commands killing my Beacon

Regarding the contents of the course I’d be hard pressed to name a favorite section, since all of them taught me something (some more, some less). But I’d say personally I got the most value from the Kerberos and Forest & Domain Trusts sections, since these were topics that I had partially used in the past but not fully understood. So going through all the delegation and trust attacks in their own labs was very welcome, especially since multi-domain environments are quite rare on HTB (leaving me with little practice) and I had not set up something like a LUDUS host yet.

Another part was the more manual enumeration process during Discovery of Active Directory using BOFHound for an initial lay of the land, showing in the lab that you don’t always have to run SharpHound to get moving in a Domain.

Lastly I want to mention the OPSEC considerations that the course teaches you, which range from somewhat obvious (if you have Blue Team experience) to, I’d say, very intriguing even if you have some experience. I was told there were some more in the “old” course, but I guess we will never know.

All in all the course was a really great experience and I’d say it contains valuable information for almost anyone (no matter previous experience). The course is well worth its price, most definitely a steal. And combined with CPTS this really made me somewhat addicted to multi-machine labs. It also left me with knowledge for potential threat detection use cases and how some of the more basic ones can be effortlessly circumvented with the knowledge from the course.

Recommendations

  • This one should be a no-brainer, but take notes. Most of my more technical notes came from the labs, since they provide you with a full workflow to perform certain actions. By mimicking this style from the labs I ended up with all the necessary commands/tidbits from preparing through executing and cleaning up an attack.
  • While some OPSEC considerations are very clearly highlighted in the course material, I’d recommend keeping that thought in mind and looking out for more indirect mentions (well, and your own ideas). Also (while being mindful of lab time) use the access to the lab machines to look at the local Windows / Sysmon event logs to see what events you are producing. Some labs have an Elastic instance, which makes this a lot more comfy.
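As an added illustration of the second recommendation (my own example, not part of the course material or the original post), this PowerShell snippet pulls the Sysmon events a lab host recorded in the last few minutes and summarises them per event ID and process, so an operator can see what footprint a given action left. The log name is Sysmon's default; the lookback window and the grouping are assumptions chosen for readability.

```powershell
# Added example: review what the local Sysmon log captured during a lab action.
# Assumes Sysmon is installed with its default operational log name and that
# the shell is elevated enough to read it.
$Since = (Get-Date).AddMinutes(-10)   # assumed lookback window

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Host "No Sysmon events since $Since (is Sysmon running / are you elevated?)"
    return
}

# Count by event ID first: 1 = process create, 3 = network connect,
# 8 = CreateRemoteThread, 10 = process access, 11 = file create.
$Events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize

# Then show process-creation events with the command line that triggered them,
# which is usually the most telling artefact of a Beacon action.
$Events | Where-Object Id -eq 1 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        ParentImage = $d['ParentImage']
        Image       = $d['Image']
        CommandLine = $d['CommandLine']
    }
} | Format-Table -AutoSize -Wrap
```

Running this right after a lab step (for example a lateral-movement or token-manipulation command) shows which event types it produced and under which parent process, which is a good basis for the notes on what a detection engineer would see.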

Footnotes

  1. https://www.zeropointsecurity.co.uk/blog/new-site-launch