Exam Guide/Tips - Points

[ ] Check official exam guide : https://training.zeropointsecurity.co.uk/pages/red-team-ops-exam
[ ] Check out the Cobalt Strike Training Material - https://www.cobaltstrike.com/training/ or https://youtube.com/playlist?list=PLcjpg2ik7YT6H5l9Jx-1ooRYpfvznAInJ
[ ] Check out the GOAD Lab Environment - https://github.com/Orange-Cyberdefense/GOAD
[ ] Use Guacamole Instance on Edge Browser.
[ ] If you Wants to use Firefox , Enable Firefox Async Clipboard - https://sudoedit.com/firefox-async-clipboard/
[ ] For Persistence on machines
- Dump Local Admin Credentials (Passwords and Hash) , then Perform PTH, OPTH and Use Make_token to get shell.
- Add a Windows Service for Persistence with SYSTEM Access by Dropping a binary to disk.
- Add a SMB Beacon to Scheduled Tasks, Registry , or StartupFolder for Autorun.
- Add a DNS Beacon to Scheduled Tasks, Registry , or StartupFolder for Autorun.
- Use this Aggressor Script to make life easy - https://github.com/Peco602/cobaltstrike-aggressor-scripts/tree/main/persistence-sharpersist
[ ] There is no password/hash cracking in exam, So attacks such as Kerberoasting, ASRepRoasting and Domain Cached Credentials probably won’t be in exam environment, but they are present in Lab Env.
[ ] Make Sure to Atleast once Solve complete Lab with AV and APPLocker enabled.
[ ] Do not skip the extra mile challenge in lab (Applocker and Outbound Forest).
[ ] Make sure to enable AV and Force Windows Defender GPO to all the Computers and Across all domain and Forests and if not works manually enable Windows Defender on each and Every Machine.
[ ] If your beacon is not calling back home , then check below few things
- [ ] If powershell execute cradle or binary reverse shell is not working then,
  - Check if host can connect back to the teamserver
  - Check if the target powershell is not running in Contrained Language Mode.
  - Check for Applocker if enabled or not, if enabled then probably use a Binary or jump with psexec (Coz it uploads the binary to c:\Windows folder)
  - Also for Applocker, if we are not able to get the beacon , Then try using LOLBAS to execute the beacon code.

Tips from CRTO Review Blogs

Troubleshooting CRTO issues : https://tripla.dk/2021/01/31/crto-troubleshooting-notes-updates-in-progress/
By NoSecurity

Tips from Twitter and Discord

By @RastaMouse and others on discord