Red Team Ops 2 Review

After completing the RTO I course at the start of the year, I felt it was time for another course. I was curious to see what the RTO II had to offer. I enjoyed the RTO I course and was keen to see what part 2 had to offer, in addition to getting some more hands-on practice with Cobalt Strike.

As Zero-Point Security states, this is a continuation of, and not a replacement for, RTO I.

First Impression

The course may seem a bit intimidating at first; there is quite a bit of focus on custom code and EDR evasion. With the course’s focus on research and more of a “self-discovery” style of delivery than RTO I, it may be a bit more challenging if you’re not fully comfortable with penetration testing and the content of RTO I. RTO I was quite gentle and showed exactly how/what to do. In addition, it would have been nice to have some videos on the more advanced concepts. That said, the course is well structured and helps you enhance your testing methodology. It equips you with the tools to do your own research and find solutions to the challenges.

Labs

The labs are a bit more free-form than RTO I. You are provided access to the lab with several machines with varying degrees of mitigations applied. You are free to experiment with your bypasses and get your beacon to stay alive. The labs were responsive and I had no significant lag or issues, apart from the occasional weird copy/paste error in Guacamole. I would suggest taking good notes during your lab time and understanding how each mitigation works and how it can be bypassed. Also understand what the options in your C2 profile do and what effect they can have on your beacon payloads. I found this to be quite helpful in getting an initial profile that I could then tweak to my needs.

https://github.com/Tylous/SourcePoint

Exam

After about 28 days of working through the course and getting my beacons past the Elastic YARA rules, I decided to start the exam. For the exam, you have 96 hours or 8 days, whichever elapses first, with an option to pause the exam time. To pass, you need 5/6 flags. Compared to the RTO I exam, the RTO II exam is primarily focused on bypassing EDR and monitoring; you are expected to be familiar with the techniques and attacks of RTO I. The exam can feel a bit frustrating at times, but take breaks, think clearly, and examine what is at your disposal. I completed the exam in around 42 hours with 5/6 flags. Overall, if you have a firm grasp of the attacks in RTO I and the evasion of RTO II, you should be fine.

Final Thoughts

I really enjoy the training from Zero-Point Security, and for the price, I feel the courses are worth it. Some people may find it a bit out of their comfort zone to be forced to work with limited tools and to use Cobalt Strike. But I find this to be a strength of both RTO I and RTO II. It forces you to work in a potentially different way than you’re used to, thus helping build the mindset that there are different ways to achieve the same goal. If you have never been exposed to Cobalt Strike, it is also an excellent way to get acquainted with a nice C2 framework, which you may not normally have access to. The techniques learned in the course can be applied to real-world testing and will help build a solid foundation on which to improve your skills.