Course Reviewed
Format:
This course is online.
Materials:
The course materials include access to the Red Team Ops course material online (which provides the training mainly in text/graphics with some video content), and access to Snap Labs.
Class size:
The class size is just for you.
Environment
The lab environment is for the student only and is not shared.
Estimated cost:
At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)
40 hour lab bundle and course for £399.00
About the Course:
Red Team Ops is an online course that teaches the basic principals, tools and techniques, that are synonymous with red teaming.
My motivation:
It is a red team training class and it has Cobalt Strike 4.5. I just wanted to see what the course was like.
My Review:
Registration was easy. I went to their webpage and selected the Buy button next to Course and Lab. Then I went through normal registration stuff, and got access to the course materials.
I started reading the first part of the material, and then when I had some free time, I logged in to Snap Labs and started the environment and went back and started stepping through the stuff I had already covered.
I think I must have chosen the wrong day to start because I had a number of disconnects to the Snap Labs environment. A minor pain, but nothing too horrible. I had no other issues at the time of my disconnects, so I am guessing just luck of the draw on a Sunday afternoon.
Stepping through the course work was pretty easy in the beginning. I did have some issues with the licenses on Office, and followed the information Zero-Point Security provided. It seemed fine until I had to change boxes and could not finish a step due to Office not being registered and the rearm steps required elevated privileges. I didn't bother to finish that step, but I noticed on the info they provided, I had a way to get an elevated window to rearm if I had really wanted to. Kind of sorta wished that was spelled out a little better on the lab information sheet, but it was super simple to figure out, and if you want to go through that part of the process... see if you can figure it out and rearm the license. It will be good practice.
The Red Team Ops course begins with a course introduction, and then an overview of command and control (and needed Cobalt Strike information.)
This is followed by a quick section on external reconnaissance and then a section on initial compromise. Next up is a section on doing some reconnaissance on the host machine that you land on, followed by common host persistence methods.
The host privilege escalation and domain reconnaissance sections are pretty detailed and provide good information on common privilege escalation techniques and general information gathering for the domain you are on.
Next there are sections for lateral movement, credentials, password cracking, session passing, and pivoting. This is followed by a small section on data protection API, then Kerberos, Active Directory Certificate Services, group policy, and DACLs.
Some good information on MS SQL Servers is next, followed by domain dominance, forest and domain trust information, LAPS, bypassing defences (antivirus, applocker, etc), data hunting and exfiltration and finally post-engagement reporting and a section on extending Cobalt Strike.
You can see the outline at the above link, and there are a couple of free previews on the page.
So my thoughts on the class. It was good. It covered a fair amount of material and the lab seemed to be a good size for learning and practicing. The only class similar to this one was RTAC and the classes aren't really the same. This class covered a variety of open source tools and provided a good overview of AD domain enumeration.
Misc:
I think this course is very good for people who need an introduction to Cobalt Strike and general use of it in a Microsoft Windows Environment.
The Exam:
WOW!!!! That was pretty cool. I woke the morning of the test feeling horrible (tired and just not 100% and very blah, plus nervous because I realized how unprepared I thought I was). I should have actually prepared for the exam, but I didn't. So I grabbed a cup of coffee and started.
You are given a PDF of a threat profile you are to emulate when you book the test, so I had looked it over and was prepared to do that. So when the test started, I began setting up to emulate the threat. One hour later I had my first beacon. Two hours later the whole environment was reset and I started over and had my second first beacon. My first profile's beacon evaded AV and called home, but it would not return any data when I ran commands, and only the PowerShell was AV evading, so I just blew it away and started over. Also, I didn't see the compiled binaries on the system until after I compiled a project, and when I ran the binary I compiled it failed. I then noticed the other compiled binaries and when I rebooted, they all ran fine.
Once the setup was complete, it was pretty nice, but then I noticed I didn't have any flags and I had taken my second box. I did a quick scan of the ZeroPoint Security Discord and found that it was common if the environment was reset. Easy fix. Reboot the AdminBox. Speaking of which, I had four boxes listed on my start screen. An Attack Windows, an Attack Kali, the entry point machine, and the AdminBox. All boxes, EXCEPT the AdminBox, had a way to connect to the console.
Twelve hours into the exam and I was feeling somewhat better physically. The latest HTB machine had released, and I had a quick break to work with the team I am on and then it was back to the exam. By about fourteen hours in, I had 7 of the 8 flags, and I decided to call it a night.
Day two. Woke up feeling ok, but not great. Jumped in the lab. Everything was stopped. Oops. So I had to start the lab and setup my team server (the profile was still there) and then rehost my payloads (which were also still there). The course materials tells you how to make this part easy, but I didn't not make life easy on myself... don't make the same mistake I did. So I spent a while setting up everthing and connecting back. Payloads and stuff on boxes were still there and all the hash dumps were still valid, so it was super easy to get back to where I left off.
Final flag. I must have tried a bazillion things and nothing worked. I had done some research the night before on some things I saw and I looked over my notes. Nothing came to mind. So I went to the course material and began looking harder. And there it was. Flag 8. And I was kind of sad the lab ended.
So let me give you some advice. When you take the course, pay attention. Practice and learn from the materials. When you go to take the test, use the materials to refresh your mind. Use the materials to verify commands. And keep a notepad somewhere....in the lab or on your home computer or something. When/if the lab pauses on you, or you pause it, those notes will come in handy.
But if you forget to take notes... don't forget your Cobalt Strike logs. I had to look up a few commands that I didn't write down, and it helped me to find what I had hosted as what name and what payload. Super easy way to get the exact commands that worked and not go trying stuff again. One last thing. When I was taking the exam, every box had a flag on it. If you don't see the flags after a beacon or two, you might want to do what I did and reboot the AdminBox.
For now, the CoC:
My two cents:
I wasn't that impressed with Snap Labs for the labs (but I was super impressed with them during the exam...super impressed!) I guess my expectations were pretty high for the lab. That isn't to say Snap Labs is bad or anything, just that it wasn't what I expected. I am hoping that they do really well and get bigger and much better as time goes on (and it seems they have gotten bigger and better since I wrote the review). Also, I really can't wait for Red Team Ops II to be released as I am looking forward to that course (It was released! I signed up for the exam and the next day I signed up for RTOII). Over all, RastaMouse and SnapLabs did a fantastic job.