Certified Red Team Lead (CRTL)

Post Created: 10 May, 2023

Background

After experiencing the amazing Red Team Ops I course firsthand, I decided to push my boundaries and attempt Red Team Ops II several months after its release. As an undergraduate student who had essentially 0 experience in Red Teaming, CRTL felt like a final boss to conquer, so here's my personal take on the course & exam that nobody asks for.

Disclaimer

Please take this review with a grain of salt as it concludes my personal thought on the course combined with some clown fiesta shit-posting. If you're looking for some serious review on RTO 2, here are some good resources:

• A CRTL Review - Andres Roldan

• Red Team Ops 2 Review - Sunggwan Choi

• A quick review of my CRTL journey - ferreirasc

• Zero Point Security’s Red Team Ops II (RTO2) Course and Certified Red Team Lead (CRTL) Exam Review - TheAssHat

Course

No Babysit 👍

One thing that I like the most from the previous course is the clarity in explaining advanced and complex concepts. As opposed to the previous course, RastaMouse does not babysit you as much this time around, providing just enough information (in a good way) for you to continue exploring on your own.

This approach is effective for me, because it forces you to seek for help from external resources. This can come in the form of blog posts or engaging with peeps from the discord community to debug and troubleshoot certain problems like compatibility of HTTPS download cradle in your dropper.

Big shoutout to Yizhigou#1664 and The_Asshat#0001 for their active involvement in the discord channel!

No Perfect Solution 👍

As the course is heavily revolved around custom offensive development & evasion, you will soon realize that there is no "ideal" way to achieve your goals. You will often find old solutions that once worked behaving outside of your expectations especially when it comes to behavioral detection. Mix-and-match combined with a little creativity and brain cells is often the way you want to do things.

Lab

Horrendous Latency 😡

Personally, I did not spend much time in the lab due to the latency between interactions with Guacamole Lab, and mainly because it's unnecessary to do so. Besides C2 Infrastructure, ASR and WDAC, you are better off setting up your own cracked Cobalt Strike and Windows VM for development and testing purposes. I also find that a fully updated Windows Defender on Windows 11 is able to detect some of my tooling more efficiently, which helps to improve the way I implement them.

Exam

Having slept just under 5 hours, I booked the exam and hope to clear it within 2 days. As easy as it sounds, I spent the first 2 days staring at my Cobalt Strike client with 0 beacons 🤡. During my second night of sleeping, I recalled what TheAssHat wrote in his CRTL review and realized I was over-complicating things.

Indeed, having something that wasn't taught in the course, will require thinking outside the box. Once you are through this part that deprives you of sleep, the remaining flags can be captured even when you're high on meth.

Tips 🤓

• Read all old discord conversations in the red-team-ops-ii channel

• Be comfortable with coding in .NET

• Don't over complicate things

• Gitgud

What's Next?

Honestly speaking, I think that RTO 2 is a good stepping stone that opens up a lot of doors for future learning, especially in Offensive Development. In my opinion, if you are uninterested in learning things outside of RTO 2's curriculum after passing the exam, or you just want to have the certification badge on your portfolio, you are better off saving your money for Happy Meals. Based on quick maths, this will allow you to buy £399/3.29 = 121 Happy Meals in the UK, which is a fat W if you ask me.

Based on the foundation that has been set, here are some examples that I can think of, for those who would like to continue learning red team tradecrafts beyond RTO 2:

• Process Injection: Threadless Injection

• EDR Evasion: Indirect Syscall

• AMSI/ETW: Offset Patching & Provider Patching

• Protected Process Light (PPL): PPLMedic, PPLFault

• Done With User-land: Move to kernel maybe??

With that being said, I am hoping to see RastaMouse's unique approach to teaching User Defined Reflective Loader (UDRL) development, perhaps in RTO 3? or on a separate course.

Last Words (my personal take, no roast plz)

As a final piece of advice, Red Team Ops II is arguably the most ideal & affordable training you can get for personal growth and skill development in the field of Red Teaming.

However, the sad reality is that not many companies, in fact 0, that I have come across will recognize this masterpiece due to the lack of exposure in the job market. Even interviewers from companies that provide so-called "Red Teaming" services do not know about the existence of Zero-Point Security & RTO (yikes).

If you're looking to land a job with this certificate, I sadly announce that you will end up just like me in an endless loop of insanity. But I have to say though, credit where credit's due, it did help me to land an interview on a Red Team job, at McDonald's.