RTO II is a continuation (not a replacement) of Red Team Ops and aims to build on its foundation. The primary focus of this course is to provide more advanced OPSEC tactics and defence bypass strategies.

Students will:

Learn how to build secure and resilient on-premise C2 infrastructure, using public cloud redirectors and HTTPS.

Go deeper into C++ and C# programming with Windows APIs, leading into writing custom tooling for a variety of offensive actions including process injection, PPID spoofing, and command line spoofing.

Learn how to clean up memory indicators of Cobalt Strike's Beacon, and leverage in-memory obfuscation to bypass some memory scanning techniques.

Employ strategies for enumerating, identifying, and exploiting weaknesses in Attack Surface Reduction and Windows Defender Application Control technologies.

Bypass AV and EDR agents by circumventing ETW, userland hooking, and kernel callbacks.

Course Curriculum

  1. 2
    • Defence in Depth

    • Infrastructure Design

    • Apache Installation

    • SSL Certificates

    • Beacon Certificates

    • SSH Tunnel

    • Enabling Apache Redirection

    • User Agent Rules

    • Cookie Rules

    • URI & Query Rules

    • Beacon Staging

    • Redirecting DNS

    • Payload Guardrails

    • External C2

  2. 3
    • WinAPI

    • MessageBox in C++

    • CreateProcess in C++

    • P/Invoke

    • MessageBox in C#

    • Type Marshalling

    • CreateProcess in C#

    • Error Handling

    • NT APIs

    • Ordinals

    • MessageBox in VBA

    • CreateProcess in VBA

    • D/Invoke

    • D/Invoke & Ordinals

    • D/Invoke API Hashing

  3. 4
    • Process Injection

    • Downloading Files in C++

    • Downloading Files in C#

    • Function Delegate C++

    • Function Delegate C#

    • CreateThread C++

    • CreateThread C#

    • CreateRemoteThread

    • QueueUserAPC

    • NtMapViewOfSection

  4. 5
    • Post-Exploitation Behaviours & Memory Indicators

    • Memory Permissions & Cleanup

    • BOF Memory Allocations

    • Fork and Run Memory Allocations

    • SpawnTo

    • Process Inject Kit

    • PPID Spoofing

    • Command Line Argument Spoofing

    • SMB Named Pipes Names

    • Event Tracing for Windows

    • Inline (.NET) Execution

    • Tool Signatures

  5. 6
    • Attack Surface Reduction

    • Enumerating Enabled Rules

    • MS Office Rules

    • Reversing ASR Exclusions

    • GadgetToJScript

    • Process Creations from PSExec & WMI

    • Credential Stealing from LSASS

  6. 7
    • Windows Defender Application Control

    • Living Off The Land Binaries, Scripts and Libraries

    • Wildcard FilePaths

    • FileName

    • Trusted Signers

  7. 8
    • Protected Processes

    • Bypassing DSE

    • Dumping LSASS

  8. 9
    • Endpoint Detection and Response

    • Detecting the Bad

    • Hook Bypass Strategy

    • Process Mitigation Policy

    • D/Invoke Manual Mapping

    • Syscalls

    • Direct vs Indirect Syscalls

    • Syscalls in Cobalt Strike

    • Network Connections

    • Image Load Events

    • Thread Stack Spoofing

    • Sleep Mask Kit

    • Testing with YARA

    • User-Defined Reflective Loader

    • Kernel Callbacks


  • What prerequisite knowledge do I need?

    Students should be comfortable writing C++ and C#.

  • Should I complete RTO before attempting RTO II?

    Although not mandatory, it is recommended. You'll probably be fine if you're already familiar with everything covered in the RTO curriculum.

  • Is lab access included with the course?

    No, lab access is sold separately.

  • Does the course include an exam attempt?

    Yes - you get 1 free exam attempt when you purchase the course. The voucher does not have an expiry date.

  • Can I take the exam without buying the course?

    Yes - just pay the fee and schedule the exam from the booking page.

Student Reviews

5 star rating

Excellent as always

Federico Lagrasta

The course is great and full of useful information from a well-known veteran ;)

5 star rating


Hassan AlMusajjen

Really amazing course well done (Y)

5 star rating


D. G.

Excellent highly recommend for learning latest adversary tradecraft.

5 star rating

Best Course avai

Mike Miles



5 star rating


Vasileios Chantzaras

Great context flow!
