I finally earned the CRTO badge, and I want to give some feedback that I did not see anywhere else (Forgive me if I am wrong).

TL;DR

  • Throughout the course I felt a bit confused about its structure and how it would align with the “attack life cycle” I have in mind.
  • Start from C2 setup and MS Defender bypass, then do the rest of the course.
  • I did not enjoy the course itself very much, but I loved the exam. It’s been a love and hate relationship.

Course material

It’s probably just me not fully understanding the course’s proposition, but I found it confusing and, at times, merely a cheatsheet of commands to execute.

Structure

Perhaps it’s because the organization of the modules doesn’t follow a clear structure. For example, reconnaissance techniques are scattered throughout the course instead of being grouped into a single section. Specifically, for the reconnaissance part, there are explicit modules like Host Reconnaissance and Domain Reconnaissance, but they don’t cover all the reconnaissance activities that should be performed. In fact, these sections exclude fundamental reconnaissance tasks necessary to exploit potential misconfigurations in Active Directory. These are instead covered in dedicated sections like MSSQL Server, ADCS, or LAPS.

This type of structure is not necessarily a negative aspect, but personally, it caused me some confusion, as I am used to grouping topics around a common theme.

Actual content

Cheatsheet vs methodology

Some sections, like those mentioned above, provide a list of commands rather than offering an enumeration methodology. This is the aspect I liked the least. Fortunately, not all sections are like this. The Defender bypass section is a good example. In this section, the topics are fairly well divided based on the ‘lifecycle’ of the beacon (On-disk, In-memory, Behavioral), and a sort of methodology is provided to make the beacons at least partially undetectable by Defender.

Step-by-step approach or not?

Another choice I didn’t quite understand was the duality in the level of support provided in the materials. There are several sections where the student is guided step-by-step, while in others certain aspects are taken for granted. This duality confused me because I expected a single approach to be adopted throughout. As a result, I initially followed one study method but had to adjust it as the course progressed.

This last point might be due to the fact that the theoretical course is essentially a walkthrough of the lab, with some theoretical insights added. I imagine that the foundation of this walkthrough was created almost in one go. This likely led to certain things being taken for granted because they were activities performed sequentially during the walkthrough itself. However, when repeated by a third party (the student), who wasn’t in the flow of the practical activity, they end up being less clear.

All things considered, the course allows you to create a comprehensive cheatsheet, and the content is still high quality. The explanations are not overly demanding, although in some cases they might be a bit too brief. The course includes mini challenges in the lab where students need to apply what they’ve learned. These are among the most important sections because they act as black box experiences compared to the rest of the lab, which is fully explained. That said, it’s still far from the infamous Try Harder approach of OffSec, which to be honest I like (Unpopular opinion, I know).

Lab

The lab environment is among the best I’ve ever experienced. It’s probably the result of a combination of Immersive Labs and Rastamouse’s efforts, providing students with an environment that’s practically ready to use and incredibly easy to manage.

Course consumption and exam preparation

If I were to retake the course from the beginning, I would start with two key points:

  • Configuring the C2.
  • Bypassing MS Defender.

For those who already have some basic offensive security knowledge (in my opinion, VulnLab, HackTheBox, or TryHackMe are sufficient), I would recommend starting with the modules that explain how the C2 works and how to bypass MS Defender. Afterward, you can focus on the rest of the course. This is because the mentioned sections are relatively easy to understand and are fundamental for grasping how the beacon operates on the system and for success in the exam. Once these are completed and practiced in the lab, proceed with the rest of the content following the suggested order.

Exam experience

TL;DR -> Outstanding exam.

If someone has understood the course concepts, verified the various bypasses, and completed the entire lab (whether following the course or not), the exam will be a success. There are no tricky surprises; it’s quite straightforward and its sole purpose is to validate the knowledge gained during the course. It was truly enjoyable and not stressful at all.


Suggestion

  • As always, enumeration is the key. If you enumerate well, you will already know the attack path to follow.
  • At each step, do a SITREP.
  • Take breaks; as a true Italian, I followed the Pomodoro technique.
  • If you’re stuck, take a break. When you return, review the last steps you took, analyze your situation, and compare notes with the course.
  • Everything you need in terms of tools is already available on the exam machines.
  • The exam is just another learning session. Don’t make it stressful, but approach it with a positive mindset. Whether you pass or not doesn’t matter much; what counts is how much you can learn from this opportunity.

Conclusion

Probably, all the aspects I didn’t like are mainly due to the fact that the course is aimed at an audience with relatively little experience. I’m by no means an expert, but having some prior experience, I already have a fairly defined modus operandi that aligns more with real-world red teaming and incident response contexts. Still, it’s a course worth taking. Go for it, and have fun.