RTO II is a continuation (not a replacement) of Red Team Ops and aims to build on its foundation. The primary focus of this course is to provide more advanced OPSEC tactics and defence bypass strategies.

Students will:

Learn how to build secure and resilient on-premise C2 infrastructure, using public cloud redirectors and HTTPS.

Go deeper into C++ and C# programming with Windows APIs, leading into writing custom tooling for a variety of offensive actions including process injection, PPID spoofing, and command line spoofing.

Learn how to clean up memory indicators of Cobalt Strike's Beacon, and leverage in-memory obfuscation to bypass some memory scanning techniques.

Employ strategies for enumerating, identifying, and exploiting weaknesses in Attack Surface Reduction and Windows Defender Application Control technologies.

Bypass AV and EDR agents by circumventing ETW, userland hooking, and kernel callbacks.

Course Curriculum

    1. Defence in Depth

    2. Infrastructure Design

    3. Apache Installation

    4. SSL Certificates

    5. Beacon Certificates

    6. SSH Tunnel

    7. Enabling Apache Redirection

    8. User Agent Rules

    9. Cookie Rules

    10. URI & Query Rules

    11. Beacon Staging

    12. Redirecting DNS

    13. Payload Guardrails

    14. External C2

    1. WinAPI

    2. MessageBox in C++

    3. CreateProcess in C++

    4. P/Invoke

    5. MessageBox in C#

    6. Type Marshalling

    7. CreateProcess in C#

    8. Error Handling

    9. NT APIs

    10. Ordinals

    11. MessageBox in VBA

    12. CreateProcess in VBA

    13. D/Invoke

    14. D/Invoke & Ordinals

    15. D/Invoke API Hashing

    1. Process Injection

    2. Downloading Files in C++

    3. Downloading Files in C#

    4. Function Delegate C++

    5. Function Delegate C#

    6. CreateThread C++

    7. CreateThread C#

    8. CreateRemoteThread

    9. QueueUserAPC

    10. NtMapViewOfSection

    1. Post-Exploitation Behaviours & Memory Indicators

    2. Memory Permissions & Cleanup

    3. BOF Memory Allocations

    4. Fork and Run Memory Allocations

    5. SpawnTo

    6. Process Inject Kit

    7. PPID Spoofing

    8. Command Line Argument Spoofing

    9. SMB Named Pipes Names

    10. Event Tracing for Windows

    11. Inline (.NET) Execution

    12. Tool Signatures

    1. Attack Surface Reduction

    2. Enumerating Enabled Rules

    3. MS Office Rules

    4. Reversing ASR Exclusions

    5. GadgetToJScript

    6. Process Creations from PSExec & WMI

    7. Credential Stealing from LSASS

About this course

  • £399.00
  • 84 lessons

FAQ

  • What prerequisite knowledge do I need?

    It's recommended that students complete Red Team Ops I before attempting this course.

  • Is lab access included with the course?

    You can purchase lab time with the course - see the pricing options below.

  • Does the lab have usage limits?

    Yes, you are limited in the total number of hours that you can run the lab for. These are 40/80/120 hours for the 30/60/90 day options respectively.

  • What if I don't use all the hours?

    As a rule of thumb, any unused hours are lost. Cases that involve 'damnum fatale' are assessed on a case-by-case basis.

  • What if I hit the usage cap before my lab expires?

    Contact [email protected] to discuss your options.

  • Can I choose my lab start time?

    No, lab access starts at the time of purchase.

  • I left my lab running, can I have my hours back?

    Managing your runtime is your responsibility and we cannot reimburse you for hours lost by forgetting to shut the lab down.

  • Does the course include an exam attempt?

    Yes - you get 1 free exam attempt when you purchase the course. The voucher does not have an expiry date.

  • Can I take the exam without buying the course?

    Yes - just pay the fee and schedule the exam from the booking page.

Student Reviews

5 star rating

Excellent as always

Federico Lagrasta

The course is great and full of useful information from a well-known veteran ;)
5 star rating

H4554n

Hassan AlMusajjen

Really amazing course well done (Y)
5 star rating

Excellent

D. G.

Excellent highly recommend for learning latest adversary tradecraft.
5 star rating

Best Course avai

Michael Miles

Superb!
5 star rating

RTO II

Vasileios Chantzaras

Great context flow!

Price Options

Purchase the course by itself or with included lab time. Each option comes with a free exam attempt.