Note: This review is based on the pre-Elastic EDR version of the Red Team Ops II course, and there have been some rather comprehensive changes since then.
About the Course
Red Team Ops II (RTO2) is the follow-up course to Red Team Ops (RTO) by Zero-Point Security and builds on the foundational skills acquired during RTO. The course does require some familiarity with C++ and/or C# and also assumes that the course-taker has some experience with penetration testing or red teaming.
The course goes deeper into operational security (OPSEC), EDR evasion, and bypassing defenses such as Attack Surface Reduction (ASR), and Windows Defender Application Control (WDAC).
Course Timeline
Course Purchased: Feb 14th, 2023
Lab Access Purchased: April 6th, 2023
– It was at this point I started studying the material thoroughly. Previously I had only lightly reviewed the material in the course.
Exam Start: April 28th, 2023
Exam End: April 30th 2023
The Course
The course for RTO2 consists of fewer sections than its predecessor, but the material is in my opinion much denser, and took me roughly twice the time that RTO took. This is partially because the material is a lot more “learn as you go”, with programming problems and learning about Windows API, but it also holds your hand much less than RTO and expects you to do a decent amount of research on your own.
For me, the biggest struggles were firstly that I only knew some basic C# at the time and barely any C++, so I struggled a bit with converting code and API calls from C++ to C#. Secondly, I struggled a fair bit with re-formatting my injector to work with GadgetToJScript, due to issues with debugging.
The course as a whole is well laid out and does a good job of explaining a lot of things, but as previously, it does expect you to research things by yourself. So if you expect everything to be handed to you on a silver platter, you will be sorely disappointed. But if you take the time to read, research, and try to understand what everything you’re doing does, it can potentially serve as a good base for doing your own research in the future.
The Exam
The exam itself was, just like in the first course, great fun, and a big challenge. For this one, it had four (4) flags when I did it, with I believe a 74-hour window, and you had to get all of them to pass. I did have an exam bug that caused some issues, but ZPS Support (a.k.a. RastaMouse) helped me sort it out quickly, despite him being on vacation.
The exam now has changed and consists of six (6) flags, where you need five (5) to pass. The exam is now 96 hours within an eight (8) hour window, and you can stop the VMs when you need to preserve time. This is especially useful when you need to go to sleep, or if something comes up during the day that takes you away from the exam for an extended time (such as work or social obligations). Worth noting is when you stop the exam environment, it is NOT frozen or a snapshot, but as actual machines. As such, if you have not properly set up persistence, you will lose your beacons as the machines power off.
The Verdict
As with the previous RTO course, I can’t recommend it enough. For me it was an amazing experience, and gave me a newfound interest in malware development and, with some guidance from RastaMouse and the community, made me want to embark on doing my own research in the field.
As previously stated, the course has been updated since I did it, and both the lab and exam now include actual EDR (Elastic EDR), making it both much harder, but also a much more rewarding experience. So if you are interested in expanding your red teaming and malware development skills, I’d recommend giving Red Team Ops II a try!