Ti Kallisti



Certified Red Team Operator (CRTO)

In June 2023, I completed the Certified Red Team Operator (CRTO) exam. I learned a lot about Active Directory exploitation and about how Command & Control (C2) frameworks work. I also learned a bit about bypassing defense mechanisms and evading detection. This is my (mostly spoiler-free) review of the course and the exam.

The Course

The course contained everything an aspiring Red Teamer would want to know: from basic organizational matters and scoping, through the fundamentals of C2 (mostly Cobalt Strike), to bypassing Windows Defender and maintaining good OpSec. And on top of that, basically all Active Directory exploits known to our species - an exaggeration, to be sure, but an apt one. The amount of offensive Active Directory knowledge contained in this course is just astounding.
However, a brief warning: basic knowledge of networking, Windows systems and Active Directory is required to understand the concepts presented in the CRTO. But, to be honest, since there is no time limit on the course material, anyone can just dive in and - should they find something they don't understand - browse the web for it, read up on it and come back later. The course is a good indicator of where to look and what to look for.

My personal highlight, however, was the way the information was presented. Instead of hundreds or thousands of pages in a PDF file, the course was presented on brief HTML pages that, if printed out, would probably not span more than two pages per chapter. The information was concise, on point and - in its own way - complete. For every topic, links and keywords were provided to easily dive deeper into any chosen topic. In addition, the course contained several videos, displaying and explaining exploits or attack techniques.
In summary, the presentation felt as if it had been made specifically to cater to the way my brain handles information. Rather refreshing after lots of bureaucracy and formality in other courses.

The course material itself comes with lifetime access. From time to time, I still use it as a resource during real engagements.

The Lab

The course lab access is purchased separately. For me, personally, the option of 120 hours over 60 days was perfect - but mileage may vary. Additional lab time can be bought at any time and is well worth its price.

The lab was huge. A whole forest of Active Directory domains, each coming with several servers, each of which requires different attack techniques to 0wn. Apart from a well-designed hands-on experience to deepen and put into practice the knowledge contained in the course material, the lab also serves as a huge playground for Active Directory hacking. There are even some servers that don't have any vulnerabilities discussed in the course material, providing an extra challenge for those willing to go the extra mile and forcing hackers to think outside of the box. But - not to worry - these additional servers and the attack techniques required to 0wn them are not necessary to pass the exam. In other words, understanding the course material and successfully applying it in the course lab is enough to be sufficiently prepared for the exam.

The Exam

The exam lab came with 48 hours of access - which could be paused. That way, the exam could be spread out over 5 days in total, if required (the maximum exam duration).

The lab consisted of 8 systems and just as many flags - however, only 6 of these flags were required to pass. No report writing needed, that is not part of the scope of this certification. The flags require almost all of the knowledge provided in the course material - and more. It took me around 7 hours to get the 6 flags required to pass. The rest of the exam lab access time I spent on flag 7, which was a real challenge for me, especially since I skipped over the part of the preparation required for the flag - that's Karma for you.
Overall, the exam was super fun. Better than any CTF I had ever played before.

The Conclusion

What can I say? The content, its presentation, the course lab, the exam...
I think there are few certifications that can compete with the CRTO. And I am of the personal and professional opinion that anyone who has acquired this certification is prepared to start as an Active Directory pentester, or even to take a first step into professional Red Teaming. It's just that comprehensive.
And all of that for a fraction of the price of most other certifications.
So, without hesitation, I wholeheartedly recommend this certification to any aspiring Red Teamer or Penetration Tester.