This entry summarizes my experience obtaining the CRTO. At the end I give some tips and tricks in case you want to go through the course yourself.
Overview
Certified Red Team Operator (CRTO) is an entry-level red team operator course built entirely around Cobalt Strike. Officially, the creator describes it with the following words:
Holders of the CRTO have the knowledge and skills necessary to perform adversary simulation and emulation exercises with Cobalt Strike. They can carry out every stage of an engagement from initial access to acting on the objective and reporting.
The course was created by RastaMouse (Daniel Duggan), a handle well known in the offensive security space. He is also the creator of the RastaLabs Pro Lab on Hack The Box.
Who is it for?
In my opinion the course is very well suited for anyone who wants to extend their knowledge in the domain of red teaming and is interested in getting hands-on experience with Cobalt Strike. As the latter is quite an expensive tool, which newcomers normally cannot get their hands on, this is a unique opportunity to do so. The knowledge gained is naturally tied to Cobalt Strike, but because it teaches how the tool works, the course is also valuable for defenders.
Prerequisites
There are no official prerequisites for this course. But I recommend being “fluent” with Active Directory, especially on the Kerberos (Rubeus) side. There is also some C# coding and code adjustment in the course, so basic code reading ability is a must. The course builds on prior offensive security experience such as CPTS or OSCP.
Review
The course itself has 20 sections, almost every one with one or more short practical labs. The sections are well structured and follow the cyber kill chain. The overall course is quite short and doable in 40 hours (the official estimate is only 20 hours, which isn’t realistic in my opinion). There were sections that I think could use an overhaul:
- Law & Compliance - It only covers UK law and feels completely off for such a technical course.
- Defence Evasion - As the exam heavily focuses on being OPSEC safe, like utilizing AV evasion and avoiding monitored processes like LSASS, this section was definitely a bit short-handed.
To pass the exam, a participant needs to gain access to a specified machine and drop a text file as proof. This machine is only reachable via a specific path, through a chain of exploitation across multiple machines. The exploitation types are limited to the methods taught in the course. Achieving the operational goal is worth 50 points; to pass, you need at least another 35 points, for a total of 85 out of 100. The remaining 50 points are assessed based on OPSEC and are only viewable after completing the exam. The environment is heavily monitored by an ELK stack logging instance. These criteria are monitored:
- Blocked code execution by security controls like Defender and AppLocker.
- Outbound network connections from unusual processes.
- Default Cobalt Strike indicators including named pipe names and process injection techniques.
- Suspicious lateral movement indicators.
- Suspicious handles to LSASS.
- Disabling security controls like Defender and the Windows firewall.
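To make the monitored criteria concrete from the blue-team side, here is an added example (my own code, not part of the original post or of the course material) that runs simple detection logic for four of the listed indicators over constructed Sysmon-style events: outbound connections from rundll32.exe, read handles to lsass.exe from unexpected processes, default Cobalt Strike and PsExec named pipes, and command lines that switch off Defender or the firewall. The event field names, the LSASS allowlist and the processes added next to rundll32.exe in the unusual-network set are assumptions for the example; the Sysmon event IDs and the default pipe name patterns are real.

```python
"""Toy OPSEC-indicator detector over Sysmon-style events (added example).

Event shape is a simplified, assumed dict form of Sysmon events; the event IDs
are the real Sysmon IDs (1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess,
17 PipeCreated).
"""
import re
from collections import Counter
from dataclasses import dataclass

PROCESS_CREATE = 1
NETWORK_CONNECT = 3
PROCESS_ACCESS = 10
PIPE_CREATED = 17

# Processes that should not open outbound sockets. rundll32.exe is the one the
# post names; the other two are added as an assumption for the example.
UNUSUAL_NETWORK_INITIATORS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Windows PROCESS_VM_READ right: needed to read credential material out of LSASS.
PROCESS_VM_READ = 0x0010

# Source images that legitimately touch LSASS (assumed allowlist; tune per estate).
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Default pipe names: Cobalt Strike's stock SMB/post-ex pipes and PsExec's service pipe.
SUSPICIOUS_PIPE_PATTERNS = [
    re.compile(r"^\\msse-\d+-server$", re.I),
    re.compile(r"^\\msagent_[0-9a-f]+$", re.I),
    re.compile(r"^\\postex_[0-9a-f]+$", re.I),
    re.compile(r"^\\psexesvc", re.I),
]

# Command lines that disable security controls outright.
CONTROL_DISABLE_PATTERNS = [
    re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I),
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe", "dest_ip": "10.10.5.7", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_ip": "93.184.216.34", "dest_port": 443},
    {"id": 10, "source_image": r"C:\Users\bob\AppData\Local\Temp\beacon.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"id": 17, "image": r"C:\Windows\System32\svchost.exe", "pipe_name": r"\MSSE-1234-server"},
    {"id": 17, "image": r"C:\Windows\PSEXESVC.exe", "pipe_name": r"\PSEXESVC"},
    {"id": 17, "image": r"C:\Program Files\Google\Chrome\chrome.exe", "pipe_name": r"\mojo.5012.8.1234"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"id": 1, "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami /all"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per event that matches a monitored criterion."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == NETWORK_CONNECT and basename(ev["image"]) in UNUSUAL_NETWORK_INITIATORS:
            findings.append(Finding("unusual-network-process",
                                    f"{basename(ev['image'])} -> {ev['dest_ip']}:{ev['dest_port']}"))
        elif eid == PROCESS_ACCESS and basename(ev["target_image"]) == "lsass.exe":
            src = basename(ev["source_image"])
            mask = int(ev["granted_access"], 16)
            # Only a read-capable handle from an unexpected process is interesting.
            if mask & PROCESS_VM_READ and src not in LSASS_ALLOWED_SOURCES:
                findings.append(Finding("lsass-handle", f"{src} opened lsass.exe with {ev['granted_access']}"))
        elif eid == PIPE_CREATED:
            if any(p.match(ev["pipe_name"]) for p in SUSPICIOUS_PIPE_PATTERNS):
                findings.append(Finding("default-pipe-name", ev["pipe_name"]))
        elif eid == PROCESS_CREATE:
            if any(p.search(ev["command_line"]) for p in CONTROL_DISABLE_PATTERNS):
                findings.append(Finding("security-control-disabled", ev["command_line"]))
    return findings


def summarize(findings):
    """Count findings per rule, roughly how the exam's OPSEC score is tallied."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(hits))
```

The allowlist and the extra process names are the knobs a real deployment would tune; the point is that each criterion on the list above maps to a single, cheap telemetry check, which is why a default Beacon configuration scores so badly in the exam.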
In other words, you can only lose 15 OPSEC points and still pass the exam. I successfully passed the CRTO exam on my first attempt in August 2025 with exactly 85 points. I had some problems with Defender detecting the binary I used for lateral movement, which led to my point deduction. Time-wise, you have 48 hours to complete the exam. This time frame is plenty in my opinion. I completed the exam in 6 hours (preparation not included).
In addition, you have unlimited exam attempts and lifetime access to the course material (including updates).
I liked the exam very much, as I found it a great opportunity to test your evasion skills. Your actions in the environment really matter, and you can very easily fail the exam by triggering too many OPSEC criteria. In addition, no report is needed and the exam result is immediate upon submission.
Overall I learned a lot in the course and can recommend it to anyone working in the cyber security field (pentester, SOC, DFIR, etc.). Price/performance-wise it will not match CPTS or any other Hack The Box cert, but my guess is that Cobalt Strike licenses are quite expensive, and Zero-Point Security is really a small team.
Tips & Tricks
- Make good notes on the course material, they will come in handy.
- Get used to Cobalt Strike and its syntax. It is the main tool you will use for the exam. You’re limited to the tools they give you (no full-fledged Kali Linux, no internet connection to side-load other tools). Theoretically there is a possibility to copy in some simple scripts via the clipboard, but it is not necessary.
- If you get stuck, just look up the sections again, as only taught techniques are needed to proceed.
- To get all OPSEC points:
  - Know your technique to bypass AppLocker that does not use rundll32.exe, as that would show up as a suspicious outbound network connection.
  - Have your fully prepared Malleable C2 profile ready, which changes the common indicators.
  - For lateral movement avoid psexec, use scshell64.
  - To avoid LSASS process handles, don’t use:
    - mimikatz sekurlsa::logonpasswords
    - mimikatz sekurlsa::ekeys
    - Any Pass-The-Hash technique
  - You mainly need Rubeus for credential stuff.
- Pro Tip: It is not allowed to disable Defender or the Windows Firewall, but no one said you can’t add exclusions or add single firewall rules :).

