Background

After completing OSWE on early October 2020, I was looking for some challenge to keep my motivation high. I came across Zero Point Security - Red Team Ops course from searching for any "Red Team" course as preparation for the new Offensive Security course (ETBD - OSEP) that was planned to be released on mid of November. Looking at the website https://courses.zeropointsecurity.co.uk/courses/red-team-ops, I found it interesting as it's not only cover specific attack on red teaming, but also cover the overall red team operation process and the usage of C2 frameworks. I think this could be a good introduction for me into the Red Team.

On 7th October 2020, I signed up for 60 days lab including the exam. The course cost at that time was £599 and it started on 16th October 2020. The course material does not provide any PDF file and videos, instead student will be given access to the web-based material using the Canvas that will contains the text and videos. Students will have lifetime access to the course material and it will be regularly updated by ZPS.



Course and Lab

At that time, the course has around 26 modules started from Introduction of Red Team engagement until Bypassing the AppLocker. The course material will cover following things:

1. Introduction to Red Teaming
2. External Recon
Perform information gathering against the target to gain the necessary information to compromise the target

3. Initial Compromise
Perform password spraying and any social engineering attack using C2 framework (Covenant and Cobalt Strike) to obtain the initial access

4. Host Reconnainsance
Perform situational awareness, portscanner, interacting with grunt/beacon to understand more the environment

5. Persistence
Techniques to maintains the access such as Startup folders, scheduler tasks, and registry autoruns

6. Local Privilege Esclation
Techniques to elevate privileges

7. Domain Recon
Gathering information on the target domain

8. Credential & User Impersonation
Retrieving passwords and impersonate another user in the domain

9. Password Cracking
10. Lateral Movement
Techniques to move laterally to another system

11. Active Diretory Exploitation
Expoiting come misconfiguration on the AD such as Kerberoasting, Asreproasting, GPO abuse, MSSQL, etc.

12. Evasion
Bypassing AMSI and AppLocker


Upon completing each module, the badge will be rewarded to the students.



Personal opinion about the course, it does not really explain in the details about the background of the attacks or misconfiguration. It more into showing the most common attack on red teaming engagement lifecycle and how to perform the attacks using the C2 frameworks. The course will be using two C2 Framework as example: Covenant and Cobalt-Strike. As I didn't have the Cobalt-Strike's license, I am using the Covenant C2. Overall the Covenant C2 is good and easy to use, except for the SMB Grunt that at that time has some bug and instable.

The lab itself is shared among the students and each reset require the vote from the students. The support for the course is performed through the slack channel in where rastamouse and others members will help to answer the questions from the students.



Exam

I finished the course material on 3th Nov and scheduled my exam for 7th Nov. On the exam day, an email containing the VPN key and exam objective will provided. The exam is 48 hours long and does not required the student to write any report, instead each objective will have a flag to be retrieved and then submitted on the Canvas. I found the exam was quite fun and relaxing as we don't need to put much attention on screenshot/documenting the step since no report is required. This make me able to just focus on exploiting the machines. The exam result itself will come out instantly after submitting the flag.





Conclusion

I think this course is good introduction to red teaming and will give the student the overview of red teaming engagement starting from how to perform social engineering attack until domain dominance. It also covers the usage of C2 framework that usually use by the red team operators during the engagements. Students will need to do their own research to understand more about the attack, misconfiguration, or vulnerability as it does not cover in details in this course.