I’m not sponsored by ZeroPointSecurity nor have I received anything from them. This is just my personal review on the Red Team Ops course and exam.
I recently finished the RTO course and passed the exam. This was my second try - I first enrolled back when I was still in school, and had to drop it because I had too much on my plate (job hunting/interview, graduation, projects, CPTC, part-time job, school courses, etc.). When I saw HuskyHack’s review and the newly updated 2021 version of the course, I decided to give it another go. Since I learned so much from the course and had a great time, I decided to share my review of the course. Hope this review helps someone to make their decisions.
ZeroPointSecurity (ZPS)’s Red Team Ops (RTO) “is an online course that teaches basic principles, tools, and techniques” related to red teaming. This description from the course overview webpage really sums up the course well. You’ll learn the TTPs while focusing on the operations side of red teaming, with a sprinkle of research / tool modification on the side. Overall, RTO is a great course for beginners to get introduced to red teaming.
Basic information including the course syllabus, pricing, FAQ, and the lab information is all summarized on the course website. I won’t reiterate it in this post - you can take a look for yourself. Instead, I’ll focus on sharing my experience: what kind of experience I had when I first enrolled, what I liked, what I disliked, and what I learned.
Course Description: https://www.zeropointsecurity.co.uk/red-team-ops/overview
I believe it’s crucial to provide a reviewer’s background because their experience and opinion on a course/certification is strongly influenced by their personal background.
I consider myself an average joe in infosec. I started learning computer science, programming, and security during my college years. I’m not a rockstar who started coding at the age of 8 and gave DEF CON talks at the age of 17. At the same time, I’m not a complete beginner (just a beginner) in offensive security. I graduated from college a couple of months ago, and I just started my first job as a penetration tester.
Pros & Cons
Pros:
- Instructional Style - Clear and Concise
- Topics covered are up-to-date and relevant
- Private lab environment; the Snaplabs platform is very fast, stable, and efficient
- Access to CobaltStrike
- OPSEC considerations and detection guide with in-lab Splunk
- Great pricing (imo)
- Web access with Guacamole (can be a pro/con)
Cons:
- Web access with Guacamole (can be a pro/con)
- No access to your own box or the internet means less tool customization, and bring-your-own-tool is impossible (understandable because of CobaltStrike licensing issues)
- Focus on the operational side of Red Teaming
Instructional Design - Clear & Concise
As mentioned in Husky’s review, this part is also my favorite part of the course. The entire learning experience during the course is logical, clear, and concise. This results in a more efficient and more effective learning experience for the student.
The course is divided into multiple sections, which are then further divided into individual TTPs. Each TTP follows a format of: Explanation of the TTP → Show how the TTP is executed → You follow the TTP inside the lab. With some TTPs, this 3-step process is extended to include: OPSEC considerations → Hunt your own IoCs through Splunk.
This was one of the most straightforward learning experiences I’ve ever had. All of the information is there, the TTPs and tools work perfectly, and you can practice all you want in your private lab. This type of teaching is not for everyone; some people prefer the struggle while learning new things. While I understand this, I think RTO’s clear & concise teaching style fits better for the main target audience of the course - beginners in red teaming.
There are times when these clear and concise instructions seem too concise. In that case, you can always proactively research on your own using the keywords from the instructions. If you are too stuck, make sure to make use of the Discord channel - the community is nice.
Snaplabs - The Good
RTO uses a platform called Snaplabs for the lab environment. Snaplabs spins up a private lab environment for each student. This means that you will have a full lab - target domains, an attacker Kali machine, CobaltStrike, and various open-source tools up and ready for you, and just for you.
Turning the entire lab on/off can be done within 5~10 minutes. You have full control over each box, like console access, rebooting, and reverting individual boxes. If something really went wrong or if you want to practice all over again, you can revert the entire lab environment as well.
Not only is this extremely comfortable, but it is also effective for learning some TTPs. For example, Constrained Delegation, Extracting Kerberos Tickets, and Outbound Trust RDPInception (RDP drive sharing) require some kind of user interaction. While user simulation can be done through PowerShell scripts or other means, these are prone to errors and might not be repeatable. Instead, you can simply hop on any box with prepared user accounts and set up the attack scenario yourself. Messed up? No worries - reboot the individual box in 1 minute and try again. After all, you have control over the environment.
Personally I hadn’t even heard of Snaplabs before, but I was very impressed with the platform.
SnapLabs - The Sad
At the time of writing, RTO’s Snaplabs environment is configured to be accessed only from a web browser through Apache Guacamole - a remote desktop gateway. This can be a pro or a con. The fact that there will be no VPN issues can be appealing to some students. Others will not be a huge fan of the janky web browser remote desktop experience. Personally I was not a huge fan, but I just got used to it in the end.
The lab environment also does not allow any outbound traffic. This means that you can’t bring your own tools. Visual Studio is available, but modifying existing tools or developing your own tool is difficult without access to the internet (git clone, libraries, NuGet packages, etc.). Personally I wanted to use some BOFs because I heard professional red teamers develop these for advanced CobaltStrike usage. However, this was not possible.
Edit (10/14): Rastamouse mentioned (Discord/Twitter) that there is a plan to allow bring-your-own-tool in the future. Can’t wait for the change!
That being said, the Guacamole access and the lack of internet access are understandable considering the CobaltStrike licensing issue.
The lab has a minimalistic design that consists of 14 boxes spread across 4 domains. Every box has its purpose in the lab, and all of the boxes are vulnerable to one or more TTPs. It’s not a humongous lab with 50~60 boxes, and I think I prefer this approach since it’s better for learning the TTPs. It’s not about the number of boxes, it’s about how they are (mis)configured and what kind of TTP you can use against them.
One of the highlights of the lab is the access to CobaltStrike. Don’t get me wrong, a tool is a tool and a C2 is a C2. Just because you have used CobaltStrike through a course doesn’t mean you are suddenly a red teamer. Nor does having access to CobaltStrike suddenly make you an elite haxxor.
That being said, it is still pretty freaking cool to use one of the industry standard(?) C2 frameworks. Every TTP and piece of material in the course is done through CS. There are even some modules that cover modification of CS for detection bypass. You won’t be developing BOFs and doing all the fancy stuff, but the course covers all the basics of CS.
Operational vs. Development/Research
I’m not a red teamer, but I’m aware there are two sides to red teaming. The operational side executes the client engagement as an operator. The development side covers developing internal tools, payloads, automation, and infrastructure. Ideally you want to be proficient on both sides in order to get into red teaming.
RTO, as it states in the course description, focuses heavily on the operational side of red teaming. This is obvious if you think about the target audience of the course. You can’t really expect beginners to start writing custom C/assembly payloads that bypass EDRs or reverse engineering operating system components. Those are not the purpose of this course.
That being said, Rastamouse is a magician. So maybe, just maybe, he might be preparing another advanced course focusing on development, evasion, and stealth. Only time will tell.
There’s really not that much to say about the exam. It’s very straightforward, and all of the TTPs you need for the exam are straight from the course materials. However, if you focused on just following the course materials module by module, you might feel lost when you first start the exam. I would highly recommend going through the course materials, taking a 1~2 week break to reset your brain, and then re-doing all the labs on your own.
Another thing to note is that you might, or might not, have all the tools that you were using during the course. Make sure you have alternatives instead of depending too much on a specific set of tools.
The exam lasts for 48 hours over 4 days. In case you need a break or need to be AFK, you can stop the exam environment just like your lab. Just beware, every machine will be turned off - so prepare your persistence! Personally, I was able to pass the exam within the first 12 hours. I decided to push further to get all the flags, but hit a hard wall. After 8 hours (or maybe more, I was slowly going crazy) of enumeration, I decided to call it a day and went to do other work/side projects. I’m not happy/satisfied with my performance at all - so, back to the labs!
RTO is overall a great course to learn the basics of red team operations while using real-world tools and TTPs. Whether you are an experienced pentester looking for some guidance to pivot into red teaming, or a beginner looking to upskill your AD pwning skills, you will learn a lot from the course. With great instructional design, a private lab, CS licensing, up-to-date TTPs and nice pricing, I highly recommend the course to others.