Course Overview
The Certified Red Team Operator (CRTO) course covers the fundamental principles of red teaming, including OPSEC, C2 infrastructure, and adversary simulation. You will learn to use Cobalt Strike and other tools to execute realistic attacks in a controlled environment.
Course Syllabus
A comprehensive curriculum covering every stage of the attack lifecycle:
C2 & Infrastructure
Cobalt Strike, Listener Management, Payload Generation, Reviewing Logs.
Initial Compromise
Phishing, Password Spraying, VBA Macros, HTML Smuggling, and more.
Host Relevance
Enumeration, Keylogging, Screen Capture, Persistence, and Privilege Escalation.
Lateral Movement
WinRM, WMI, DCOM, Pass the Hash/Ticket, and SSH Pivoting.
Active Directory Attacks
Kerberoasting, ASREP Roasting, Delegation Attacks, ADCS Abuse, and Golden Tickets.
Defense Evasion
AppLocker Bypass, AMSI Bypass, Defender Evasion, and Malleable C2.
Detailed Modules
- 1. Getting Started: OPSEC, Attack Lifecycle, Engagement Planning.
- 2. Command & Control: Cobalt Strike, Listeners, Payloads, Pivoting.
- 3. External Reconnaissance: DNS Records, Social Media, Google Dorks.
- 4. Initial Compromise: Password Spraying, Phishing, VBA Macros.
- 5. Host Reconnaissance: Seatbelt, Screenshots, Keylogger, Clipboard.
- 6. Host Persistence: Task Scheduler, Registry AutoRun, COM Hijacks.
- 7. Credential Theft: Mimikatz, SAM, DCSync, Kerberos Tickets.
- 8. Password Cracking: Wordlists, Rules, Masks.
- 9. Domain Reconnaissance: PowerView, SharpView, ADSearch.
- 10. User Impersonation: Pass the Hash, Overpass the Hash, Token Manipulation.
- 11. Lateral Movement: WinRM, WMI, DCOM, PsExec.
- 12. Session Passing: Beacon Passing, Foreign Listeners.
- 13. Data Protection API: Credential Manager, Vaults.
- 14. Kerberos Attacks: Kerberoasting, ASREP Roasting, Delegation, Shadow Credentials.
- 15. Pivoting: SOCKS Proxies, NTLM Relaying, Reverse Port Forwards.
- 16. AD Certificate Services: Misconfigured Templates, NTLM Relaying to ADCS.
- 17. Group Policy: Abusing GPO, Modifying/Creating GPOs.
- 18. MS SQL Servers: Impersonation, Command Execution, Lateral Movement.
- 19. MS Configuration Manager: Network Access Accounts, Lateral Movement.
- 20. Domain Dominance: Golden/Silver/Diamond Tickets.
- 21. Forest & Domain Trusts: Parent/Child, One-Way Trusts.
- 22. LAPS: Reading Passwords, Backdoors.
- 23. Microsoft Defender: Artifact Kit, Resource Kit, AMSI Bypass.
- 24. Application Whitelisting: AppLocker, PowerShell CLM, DLL Bypasses.
- 25. Data Exfiltration: File Shares, Databases.
- 26. Extending Cobalt Strike: BOFs, Aggressor Scripts.
Exam Preparation
48-Hour Exam
The exam is a 48-hour practical assessment in a dedicated exam environment.
Flag Capture
Capture flags from various target systems to pass the exam.