Red Team Ops is an online, self-study course that teaches the basic principles, tools and techniques synonymous with red teaming.

Students will first cover the core concepts of adversary simulation, command & control, engagement planning and reporting.

They will then go through each stage of the attack lifecycle - from initial compromise to full domain takeover, data hunting and exfiltration. Students will learn how common "OPSEC failures" can lead to detection by defenders, and how to carry out those attacks in a stealthier way.

Finally, they will learn how to bypass defences such as Windows Defender, AMSI and AppLocker.

Course Curriculum

  1.
  2.
    • Red Team Ops Lab

    • Cobalt Strike

    • Starting the Team Server

    • Starting the Team Server Demo

    • Listener Management

    • Listener Management Demo

    • Generating Payloads

    • Interacting with Beacon

    • Interacting with Beacon Demo

    • Pivot Listeners

    • Pivot Listeners Demo

    • Running as a Service

    • Running as a Service Demo

  3.
    • External Reconnaissance

    • DNS Records

    • Google Dorks

    • Social Media

  4.
    • Initial Compromise

    • Password Spraying

    • Password Spraying Demo

    • Internal Phishing

    • Initial Access Payloads

    • Visual Basic for Applications (VBA) Macros

    • VBA Macro Demo

    • Remote Template Injection

    • Remote Template Injection Demo

    • HTML Smuggling

  5.
    • Host Reconnaissance

    • Processes

    • Seatbelt

    • Screenshots

    • Keylogger

    • Clipboard

    • User Sessions

  6.
    • Host Persistence

    • Task Scheduler

    • Startup Folder

    • Registry AutoRun

    • Hunting for COM Hijacks

  7.
    • Host Privilege Escalation

    • Windows Services

    • Unquoted Service Paths

    • Weak Service Permissions

    • Weak Service Binary Permissions

    • UAC Bypasses

  8.
    • Elevated Host Persistence

    • Windows Services

    • WMI Event Subscriptions

  9.
    • Obtaining Credential Material

    • Beacon + Mimikatz

    • NTLM Hashes

    • Kerberos Encryption Keys

    • Security Account Manager

    • Domain Cached Credentials

    • Extracting Kerberos Tickets

    • DCSync

  10.
    • Password Cracking Tips & Tricks

    • Wordlists

    • Wordlist + Rules

    • Masks

    • Mask Length & Mask Files

    • Combinator

    • Hybrid

    • kwprocessor

  11.
    • Domain Recon

    • PowerView

    • SharpView

    • ADSearch

  12.
    • User Impersonation

    • Pass the Hash

    • Pass the Ticket

    • Overpass the Hash

    • Token Impersonation

    • Token Store

    • Make Token

    • Process Injection

  13.
    • Lateral Movement

    • Windows Remote Management

    • PsExec

    • Windows Management Instrumentation (WMI)

    • The Curious Case of CoInitializeSecurity

    • DCOM

  14.
    • Session Passing

    • Beacon Passing

    • Foreign Listener

    • Spawn & Inject

  15.
    • SOCKS Proxies

    • Linux Tools

    • Proxychains Demo

    • Windows Tools

    • Proxifier Demo

    • Pivoting with Kerberos

    • Browsers

    • Reverse Port Forwards

    • NTLM Relaying

    • NTLM Relaying Demo

  16.
    • Data Protection API

    • Credential Manager

    • Scheduled Task Credentials

  17.
    • Kerberos

    • Kerberoasting

    • ASREP Roasting

    • Unconstrained Delegation

    • Unconstrained Delegation Demo

    • Constrained Delegation

    • Constrained Delegation Demo

    • Alternate Service Name

    • S4U2Self Abuse

    • S4U2Self Demo

    • Resource-Based Constrained Delegation

    • RBCD Demo

    • Shadow Credentials

    • Kerberos Relay Attacks

  18.
    • Active Directory Certificate Services

    • Finding Certificate Authorities

    • Misconfigured Certificate Templates

    • Vulnerable User Template Demo

    • NTLM Relaying to ADCS HTTP Endpoints

    • User & Computer Persistence

  19.
    • Abusing Group Policy

    • Modify Existing GPO

    • Create & Link a GPO

  20.
    • MS SQL Servers

    • MS SQL Impersonation

    • MS SQL Command Execution

    • MS SQL Command Execution Demo

    • MS SQL Lateral Movement

    • MS SQL Lateral Movement Demo

    • MS SQL Privilege Escalation

    • MS SQL Privilege Escalation Demo

  21.
    • Configuration Manager

    • Enumeration

    • Network Access Account Credentials

    • Lateral Movement

  22.
    • Domain Dominance

    • Silver Tickets

    • Golden Tickets

    • Diamond Tickets

    • Forged Certificates

  23.
    • Forest & Domain Trusts

    • Parent/Child

    • One-Way Inbound

    • One-Way Outbound

  24.
    • Local Administrator Password Solution

    • Reading ms-Mcs-AdmPwd

    • Password Expiration Protection

    • LAPS Backdoors

  25.
    • Microsoft Defender Antivirus

    • Artifact Kit

    • Artifact Kit Demo

    • Malleable C2

    • Resource Kit

    • AMSI vs Post-Exploitation

    • Manual AMSI Bypasses

    • Behavioural Detections

    • Command Line Detections

  26.
    • AppLocker

    • Policy Enumeration

    • Writeable Paths

    • Living Off The Land Binaries, Scripts and Libraries

    • PowerShell CLM

    • Beacon DLL

  27.
    • Data Hunting & Exfiltration

    • File Shares

    • Databases

  28.
    • Extending Cobalt Strike

    • Mimikatz Kit

    • Jump & Remote-Exec

    • Beacon Object Files

    • Malleable Command & Control

  29.
    • Enabling Windows Defender

FAQ

  • What prerequisite knowledge do I need?

    Students should have a good working knowledge of Windows and Active Directory environments. Prior penetration testing experience would be a bonus. Familiarity with C, C# and PowerShell would also be advantageous but not essential.

  • Is lab access included with the course?

    No, lab access is sold separately.

  • Does the course include an exam attempt?

    Yes - you get 1 free exam attempt when you purchase the course. The voucher does not have an expiry date.

  • Can I take the exam without buying the course?

    Yes - just pay the fee and schedule the exam from the booking page.

Student Reviews

5 star rating

Beyond Expectations - 5 Stars

Eric Osinski

Zero Point Security's RTO course content went above and beyond my expectations. The course modules are well designed, organized and informative. Additionally, the lab environment acts as a fantastic tool to practice the techniques that you're learning alongside the modules. The fact that the course content is updated frequently and is available indefinitely provides great value to enrollees. Overall, I highly recommend this course to those looking to solidify their foundational knowledge of red team methodology and testing through command and control.

5 star rating

Amazing value course

Konstantin Karabadzhakov

After finishing the OSEP and immediately jumping into the CRTO, I can certainly say I learned even more in regards to enumeration of domains, Active Directory, lateral movement, etc. The addition of Cobalt Strike and touching on Splunk and detections is of incredible value! I can only say I highly recommend the course!

5 star rating

Truly amazing

Jeremiasz Pluta

This course is amazing and should be strongly recommended for anyone that wants to take a step into the world of red teaming. It presents the matters of red teaming in a simple, understandable way. Everyone who's relatively familiar with penetration testing can learn many new techniques and begin to feel confident in the area of red teaming.

5 star rating

Great Intro!

STEPHEN HARUNA

This is a must for every offensive security person.

5 star rating

A must have certificate.

Perry Daniel Junior Ofori

I have gained in two months what it would have taken me a year to learn. The TTP and knowledge in this course is publicly available but having someone structure it as a guide with accompanying labs makes knowledge acquisition faster.

5 star rating

This course is gold

Roberto La Piana

This course is gold if you're ready to get better at Active Directory, and level up your skills. Really quality material, and well explained. I'm already using this knowledge on engagements and I'm just half-way through. Although CobaltStrike heavy, all concepts, commands and tools can be used/applied to scenarios where CobaltStrike is not a thing with very little modification. I do recommend some base knowledge before enrolling, but that goes without saying. Well done ZeroPointSecurity.
