A CRTL Review

A few months ago (August 18 to be precise), @Rastamouse's Zero-Point Security released the course Red Team Ops II, or RTO-2 for short:

RTO-2 is meant to be a follow-up to the RTO course, focusing on advanced OPSEC tactics, including bypassing modern enterprise Windows endpoint controls. This means that RTO-2 is an advanced course, and it's recommended to have taken and passed at least the RTO exam to try this course and the associated certification.

Early this year, I took and completed the RTO course and associated CRTO exam, after which I gave a talk (in Spanish) on how to pass it.

RTO focused on how to perform Red Team operations on a multi-forest AD environment using Cobalt Strike.

OPSEC (Operations Security) notes and tips are given throughout the course but the main focus is not that. RTO-2 was born to compliment RTO on the OPSEC realm.

Currently, the RTO-2 course is divided into seven chapters:

The chapter C2 Infrastructure presents a way to have a versatile, resilient and secure C2 architecture, including the use of redirectors, custom Apache redirect rules to avoid detection of the C2 infrastructure, SSL certificates for Beacon and strategies for beaconing failover. This is very useful for real engagements on mature corporate environments and, thus, something a Red Team operator should be aware of.

The chapters Windows APIs and Process Injection are both heavily focused on offensive tooling development. First, there's an overview of commonly used Windows APIs used for offensive purposes, how to call those functions from C++ and how to make use of unmanaged APIs from managed languages like C# and VBA by the use of P/Invoke and D/Invoke. Then, in the Process Injection chapter, those capabilities are used to inject code into processes using a wide range of techniques, from injecting arbitrary code into the current process to injecting code into a remote process or using undocumented functions on ntdll.dll to create a new executable section on a running process and inject the shellcode in it, and even creating a new suspended benign process, queuing an Asynchronous Procedure Call with the desired shellcode and dispatching it on a new thread. They are a couple of fun chapters.

The chapter Defense Evasion explains capabilities used for endpoint controls to detect anomalous behavior and the way to bypass them. Cobalt Strike provides some interesting OPSEC features out of the box, like PPID spoofing, command line spoofing, avoiding RWX sections, at-rest Beacon memory encryption and thread stack spoofing. There is also mention of what is and how to bypass Event Tracing for Windows (ETW), which is a Windows mechanism that is used to give EDRs feedback on events dispatched from user-mode, without the need of API hooking.

The next chapter describes Attack Surface Reduction, which is composed of a set of rules that can be enforced by a GPO to prevent common techniques used by attackers. The rules include blocking API calls from Office macros, creating child processes from Office applications, blocking processes originating from PSExec and WMI, and blocking credential stealing from the LSASS process (which is a complement to mitigations like PPL and Credential Guard). Those rules can be used together, providing a defense-in-depth protection. However, they are based mainly on blacklists and the chapter describes ways to bypass some of them.

Then comes the chapter Windows Defender Application Control or WDAC, which is about the protection that allows for the specification of what applications can be run on a machine, based on things like its path, digital signature and file hash. As this is a security boundary, WDAC bypasses are actually fixed by Microsoft. However, misconfigurations can allow an attacker to circumvent the control to gain further access to the machine. So, this chapter teaches us a way to find common scenarios which can be abused.

And finally, the chapter EDR evasion provides an overview of how modern EDRs work and some bypasses, including API unhooking, indirect syscalls and unregistering kernel callbacks. A fun chapter that even includes kernel-mode exploits to bypass EDR controls.

The RTO-2 course comes with a companion lab in Cyber Ranges (formerly Snaplabs) that can be accessed for up to 40 hours. In the lab, you can practice everything that's presented in the written material. It's composed of several machines with different configurations:

After I was enrolled in RTO-2, it took me about three weeks to complete the material twice (yes, twice) because there were a lot of new concepts for me to digest.

For the exam, you are given 72 hours or five days (whatever happens first) to obtain four flags on a given set of machines in an AD environment. Unlike CRTO (in which you need 6 out of 8 flags to pass), you must collect all the flags to pass this exam.

I've taken several certifications to date related to Red Teaming, including eCPTXv2, CRTE, CRTP, CRTO, PNPT and OSCP. Most of them are focused on exploiting misconfigurations and vulnerabilities, some of them in realistic AD environments. As RTO-2 is heavily focused on defense evasion, the certifications that come closer to it are eCPTXv2 and CRTE, the former includes some of the contents found in RTO-2 like evasions on ETW, EDRs and things like syscall unhooking and stealth Office macros.

Attack Surface Reduction and Windows Defender Application Control are the chapters that were new to me.

The exam is fun (s/fun/HARD AS HELL/g), but I think that the 72 hours/five days given are enough to go through all the stages: from rage, sadness and stress to, finally, joy.