Context
The recent release of the Red Team OPS II course by Zero-point Security caught my attention on Twitter in August. Since the Red Team Ops I course was, in my opinion, very good content, I decided to buy the RTO II bundle and give it a go.
Course
The course description and syllabus can be found on Zero-point Security website. Zero-point Security makes it clear this is a deeper dive into red teaming and I can only agree. While taking the RTO I course is not mandatory, I would advise to do so if you are unexperienced with red team subjects. Though, for those feeling confident in only taking RTO II, I would say you will gain interesting insight even if you are familiar with red teaming.
Cost is 425 pounds (roughly 490 euros) for the course + 40 hours lab access. As for RTO I, the course is a rolling-release you acquire for life. You then get updates whenever Zero-point Security decides to publish them.
Content is divided into small text-and-screenshots sections on Zero-point’s website. You can see how far you are into it at the top and divide your work easily. It also includes videos.
The lab consist in a small virtual Active Directory environment with workstations for the different parts of the content. You access it via Guacamole on any recent browser, it allows to work from different machines. Different exercises are to be completed using Cobalt Strike.
I had a few issues with the lab, including slow connection to the workstations. This happened only on a particular day, so I wonder if snaplabs (the lab provider) was not under the water. Apart from that, I completed the course and the lab in 30 hours of work, taking my time so 40 hours of lab time does not seem too short.
The course focuses on both red team (more) advanced tactics and evading systems' defences. The parts I find relevant are the following:
- Bypassing up-to-date AVs such as Microsoft Defender on patched Windows systems.
- Bypassing WDAC, ASR and other “modern” defences that can be seen on red team assessments an pentests as of today.
- Bypassing EDR that are “simple” compared to Crowdstrike or other commercial products helps reducing the learning curve.
- Windows API programming is explained clearly, without fuss.
- Introduction to drivers on Windows
For most exercises, you have to code your own tools using different bypass techniques (e.g. for shell injection). You spend quite some time in Microsoft Visual Studio. Note that the code used for the exercises is given. That is, you can correct your own attempt with it once exercises are done.
I appreciated the OPPSEC notes of Duggan all course long. It is obvious that code has been tested in real-assessment conditions and his input is valuable.
Exam
The exam is a 72 hours practical CTF spread on 5 calendar days. The goal is to gather and submit four flags on a virtual environment. You have to score 4/4 to pass. This is more demanding than RTO I where 6/8 flags were needed (not sure if this has changed or not).
I think it is realistic. Some parts are “made easier”, but only because the exam is time-limited in my opinion.
It took me approximately 50 hours to complete, spread on four days, and it was a struggle. As what seems usual for me now, I got stuck for a full day on the wrong path. I finally found the last flag, validated it and passed the exam.
A word of caution here, I think that not everything this exam requires is explained in the RTO II course. So if you are planning to take it without taking RTO I, be sure to know whatever it contains in its syllabus. It also includes some parts that require creativity.
Conclusion
Pros:
- cost is correct
- up-to-date quality content and evasion techniques
- course works on any recent browser, you can study anywhere
- insight “from the field” on red team operations
Cons:
- limited lab time
- lab and exam are in hermetic environments where external tools cannot be used
- no HR will know what this is, probably only technical people in the field
I definitely recommend the course to anyone interested in taking a deeper dive into red team operations. Content from Zero-point Security is very good.
Next step for may be taking the driver developement course ;)… to be continued.