CRTO (Certified Red Team Operator)
Recently I completed the Certified Red Team Operator certification by Zero-Point Security. Overall, my experience with this certification was simply “awesome”, and I would recommend it to anyone willing to up their game when it comes to red teaming techniques in Windows environments.
To give a little background, I am not a red teamer; I mostly do application security testing and some web security research, so most of the material presented was new to me.
The certification consists of two parts: the course with labs, and the exam. You must capture all of the flags in the labs and at least 3 of the 4 flags in the exam to earn the certification.
The course
C2 Framework
When it comes to doing the course, you are given a choice between Cobalt Strike and Covenant (obviously you can also pick a different C2 framework, but then it will be harder to follow the course materials). The choice between these two is clear: if you can get your hands on Cobalt Strike, use that. There is no doubt that Cobalt Strike is more stable and more advanced for red teaming than Covenant. To be fair, Covenant is a really cool framework with a bunch of really cool features, but its instability is insane: it just randomly kept dying or hanging, and the Covenant database was wiped 10+ times during the course, which made all the existing shells useless. I always had to keep a spare shell in Metasploit just to have a way back in when I had to restart Covenant.
Recently Zero-Point Security forked Covenant and now maintain their own repository, which is much more stable when it comes to SMB pipes; however, don’t expect it to be perfect.
https://github.com/ZeroPointSecurity/Covenant/tree/master
Materials
The course materials themselves were top-notch; all the techniques were up to date and explained in a well-organized manner. If something wasn’t clear, which was rare, then the amazing Slack channel always helped. I must give massive props for the support during the course; it’s on another level compared to other certifications such as OSCP.
The exam
The exam itself is 48 hours and should be of medium difficulty if you have completed the lab, which you must do anyway to earn the certification. It can easily be completed on the first day, in under 12 hours with normal breaks. Overall, all the techniques employed in the labs were crammed into the exam in a different order, so there were no “surprises” in the form of out-of-scope items that you are suddenly presented with. Obviously it wasn’t 1:1; there were items written in the course materials that didn’t need to be done in the labs, so when doing the course, read it thoroughly and make sure you understand everything.
Summary
As I already summed up at the start, I would recommend this course to anyone in a heartbeat, and it felt really awesome to learn how to properly use all of the attack techniques.