An RTO2 Review

A great (and cheap) cert from ZeroPoint Security

Posted on November 7, 2024

This is my review of the CRTL training from ZeroPoint Security, and incidentally, of the Elastic EDR, which is the solution used in the course and its lab. The CRTL (or RTO2) is a fairly new certification following-up on RTO which has been around for a much longer time and has established itself as a kind of standard for Red Teamers.

I will assume you are familiar with the RTO course.

The Syllabus

Although this is not its main focus, the course covers the basics of malware development. Interestingly, these are covered both in C and C#, which is a great way of letting you pick one way that you may feel more comfortable with, while upskilling on the other language at the same time. The malware development chapters are fairly basic though, and the real purpose of the course is the next topic: evasion.

While RTO covers a wide range of red teaming techniques performed via Cobalt Strike, the RTO2 mostly focuses on EDR evasion and what will get you caught. This reflects the evolution of the field, since more and more resources are now dedicated to being able to run a beacon and keep it undetected.

Cobalt Strike is a complex beast made of various elements and features, which all have their own IOCs and footprints. Running it “as is” without any understanding of how a beacon is started, staged in memory, etc, is a sure way of getting caught during an engagement. The course does a good job at demonstrating those IOCs in real-time (usually picked up by the Elastic EDR), before showing how Cobalt Strike malleable profile options or BOFs would (partially) address those. Techniques such as Sleepmask, Callstack spoofing, BOFs, etc, are also demonstrated with Cobalt Strike.

This culminates with the chapter showcasing the User-Defined Reflective Loader (UDRL), which is a fairly new feature of Cobalt Strike giving you the reins as to how you are going to stage the beacon yourself. This is quite complex and the course could have been a bit deeper on this and on the topic of Reflective Loading in general, as it is central and sometimes misunderstood. Unlike for other courses (OSCP/OSEP/OSED) which have a different philosophy, you will not be taken through all the intricacies of the theory, all the way up to the actual cases, in a bottom-up approach, but rather the opposite: see something in practice, then check the theory yourself.

Aside from EDR evasion and Cobalt Strike, certain defensive mechanisms used in Windows are also covered, such as Attack Surface Reduction or Windows Defender Application Control.

Praising the Elastic EDR

Spending time in the lab trying out techniques and payloads will no doubt make you very intimate with the Elastic EDR and its popups telling you that you have been busted.

While some of Elastic’s rules are open-source, many of its detections are not and will leave you scratching your head as to how something was detected. The set of Elastic rules is incredibly long, see for yourself on their repo. The diversity of rules will make you well-aware of the thousands of ways of getting caught and make you think hard about every single step you are taking when allocating memory, communicating over network, calling APIs, creating processes, etc… I thought that finding bypasses would be trivial but was surprised to be challenged that much.

The team at Elastic has been producing top-notch research on malware analysis and indicators lately, so it is safe to assume that a lot of the logic implemented in this EDR will somehow have been replicated at least partially in many other products.

The Exam

I found the exam to be on par with the course in terms of difficulty. The main difference is that the EDR will be silently killing your activities, which means that you will not be able to tell if your payload was detected or if is simply failed in some way. It is still easier than in a real-life engagement, since at least there is no SOC to hunt you down while you are trying to grab the required (4 out of 6 when I went for it) !

A very strong advice would be to come prepared, and, similarly to a real-life engagement, have techniques and payloads already tested and ready to go. If I had 6 hours to chop down a tree, I’d spend the first 4 hours testing my payloads…

What Next ?

If you are in the Red Team space and would like some practice against an EDR, go for it. On the market, this course is very well-priced and has a unique offer. You will get more value out of it if you are a Cobalt Strike user, although most of the principles and considerations would also apply to other C2 frameworks. But the course is Cobalt Strike centric.

This aspect leads my to my last observation. Cobalt Strike is now becoming more customizable at every release, and bringing in significant changes to how it functions. I alluded to the UDRL. More recent releases (end of 2024 at time of writing) build up on this with Beacon User Data, or BeaconGate, which will gradually make the course less relevant with an up-to-date usage of Cobalt Strike. This is a reality that affects all courses and training: things move fast in the offensive security field and techniques which are “advanced” at a given time quickly become fairly standard.

Share: X (Twitter)