Certified Red Team Operator — Review

Chopicalqui
Jul 12, 2020


I completed the Red Team Ops (RTO) certification last week and want to share my experience with the community. In my opinion Daniel Duggan (@_RastaMouse), the creator of the Red Team Ops training, did an amazing job. Thanks and congratulations, Daniel, for this course and certification.

Why RTO?

Below I give some reasons why I think the RTO course is a good starting point for learning how to attack Microsoft Active Directory environments and how to perform red teaming in general. I also think the course provides value to experienced penetration testers and red teamers: it lets you try new techniques and tools in a comprehensive Active Directory environment and improve your existing toolkit and testing procedures.

  • The RTO course provides a comprehensive environment for learning and practically applying the major reconnaissance and abuse techniques against Microsoft Active Directory in a red teaming manner. All these attacks are taught and then executed hands-on in a virtual company environment.
  • Daniel started the RTO training this year, so it is up to date. In addition, the course material is constantly updated and all students have permanent access to the latest available version.¹ Considering that the infosec community publishes new content almost daily, this is an awesome feature and ensures that the RTO course material will remain a reference for my future engagements.
  • The course is based on two C2 frameworks: Covenant (open source) and Cobalt Strike (commercial). I did the training and exam with Covenant and also had the opportunity to test Cobalt Strike in the training environment; the training material was a helpful companion when switching from Covenant to Cobalt Strike. Because Covenant is open source, you can dig into its source code and gain a much better understanding of how C2 frameworks work internally.
  • RTO has an amazing community, which meets and exchanges experiences in RTO’s Slack channel. Daniel is constantly present there and gives feedback to his students.

The RTO Course

The RTO course starts with a general introduction to red teaming, C2 frameworks, and the attack kill chain. It then describes in detail how to efficiently set up your red teaming environment² (one Microsoft Windows VM and one Kali Linux VM), among other things by providing Boxstarter and Bash scripts.

Afterwards, the course guides you through the phases of the attack kill chain, beginning with external reconnaissance and initial compromise. These phases are already hands-on and form your first assignment, in which you have to phish your way into the lab environment. As with all RTO assignments, you complete it by finding and submitting a flag.

After gaining access, you operate in a comprehensive Microsoft Active Directory environment consisting of several domains. In this environment, the RTO course teaches host and domain reconnaissance, persistence, and lateral movement, as well as how to abuse Kerberos functionality (e.g., Kerberoasting or constrained delegation), DPAPI, LAPS, domain trusts, and Microsoft SQL Server, and how to deal with AppLocker, Defender, etc., using state-of-the-art open source tools (e.g., Seatbelt, BloodHound, Rubeus, Mimikatz).

Although not required by the RTO course (and certainly not required in red teaming in general), I tried to compromise each target system in the lab environment OSCP-style (i.e., obtaining an interactive beacon on every target system), to make sure that I can fully leverage the presented abuse techniques in combination with lateral movement should I ever have to.

The RTO Exam

Like the Offensive Security certifications, the RTO exam is a practical exam in which you have to collect at least three out of four flags to prove that you have reached a certain level of privileges within the exam environment.³

The RTO course does a great job of preparing you for the exam, so make sure you understand all the tools and techniques it teaches. As in any penetration testing or red teaming engagement, think about what you can prepare in advance (e.g., processes, tooling). The RTO exam is a great opportunity to test your knowledge and experience as well as your established processes and techniques.

If you are well prepared, the RTO exam will be a lot of fun, and you will certainly complete it within the 24 hours with enough sleep in between.

¹ While I was working on the RTO course, the course material was updated several times (e.g., the Cobalt Strike content was added).
² It is worth mentioning that, apart from a computer capable of running two VMs, an Internet connection, and free time, you do not need anything else for this course (e.g., no software licenses).
³ In contrast to the Offensive Security certifications, you do not have to submit a final report — the submitted flags are enough.
