• Red Team Tactics

    Learn how to plan and conduct red team assessments using modern techniques.

  • Cobalt Strike

    Leverage the industry-leading adversary simulation software, Cobalt Strike.

  • Private Lab

    Access to your own lab with controls to start, stop and revert VMs at any time.

Red Team Ops is an online course that teaches the basic principles, tools and techniques, that are synonymous with red teaming.

Students will first cover the core concepts of adversary simulation, command & control, and how to plan an engagement.  They will then learn about each stage of the attack lifecycle from initial compromise to full domain takeover, data hunting, and data exfiltration.  Students will also take various OPSEC concerns into account and learn how to bypass defences such as Windows Defender, AMSI and AppLocker.  Finally, they will cover reporting and post-engagement activities.

Students have the option to purchase the course by itself or with lab access.  A free exam attempt is included with each option.

Course Curriculum

  1. 1
  2. 2
    • Command & Control

    • Red Team Ops Lab

    • Cobalt Strike

    • Starting the Team Server

    • Listener Management

    • Generating Payloads

    • Interacting with Beacon

    • Miscellany Tips & Tricks

    • Cobalt Strike Demo

  3. 3
    • External Reconnaissance

    • DNS Records

    • Social Media

  4. 4
    • Initial Compromise

    • Password Spraying

    • Internal Phishing

    • HTML Application (HTA)

    • Visual Basic for Applications (VBA) Macro's

    • Parent-Child Relationships

    • Building Alerts in Kibana

    • Initial Compromise Demo

  5. 5
    • Host Reconnaissance

    • Seatbelt

    • Screenshots

    • Keylogger

  6. 6
    • Host Persistence

    • Task Scheduler

    • Startup Folder

    • Registry AutoRun

    • COM Hijacking

    • Hunting for COM Hijacks

  7. 7
    • Host Privilege Escalation

    • Web Proxies

    • Peer-to-Peer Listeners

    • Peer-to-Peer Listener Demo

    • Windows Services

    • Unquoted Service Paths

    • Unquoted Service Path Demo

    • Weak Service Permissions

    • Weak Service Permission Demo

    • Weak Service Binary Permissions

    • Weak Service Binary Permission Demo

    • Always Install Elevated

    • Always Install Elevated Demo

    • UAC Bypasses

    • UAC Bypass Demo

  8. 8
    • Domain Reconnaissance

    • PowerView

    • Get-Domain

    • Get-DomainController

    • Get-ForestDomain

    • Get-DomainPolicyData

    • Get-DomainUser

    • Get-DomainComputer

    • Get-DomainOU

    • Get-DomainGroup

    • Get-DomainGroupMember

    • Get-DomainGPO

    • Get-DomainGPOLocalGroup

    • Get-DomainGPOUserLocalGroupMapping

    • Find-DomainUserLocation

    • Get-NetSession

    • Get-DomainTrust

    • SharpView

    • ADSearch

    • BloodHound

  9. 9
    • Lateral Movement

    • PowerShell Remoting

    • PsExec

    • Windows Management Instrumentation (WMI)

    • The Curious Case of CoInitializeSecurity

    • DCOM

  10. 10
    • Credentials & User Impersonation

    • LogonPasswords

    • eKeys

    • Security Account Manager

    • Domain Cached Credentials

    • Make Token

    • Process Injection

    • Token Impersonation

    • SpawnAs

    • Pass the Hash

    • Overpass the Hash

    • Extracting Kerberos Tickets

  11. 11
    • Password Cracking Tips & Tricks

    • Wordlists

    • Wordlist + Rules

    • Masks

    • Mask Length & Mask Files

    • Combinator

    • Hybrid

    • kwprocessor

  12. 12
    • Session Passing

    • Session Passing Demo

  13. 13
    • SOCKS Proxies

    • Windows Apps

    • Browsers

    • Metasploit

    • SOCKS Proxy Demo

    • Reverse Port Forwards

    • NTLM Relaying

    • NTLM Relaying Demo

  14. 14
    • Data Protection API

    • Credential Manager

    • Google Chrome

    • Credential Manager Demo

  15. 15
    • Kerberos

    • Kerberoasting

    • AS-REP Roasting

    • Unconstrained Delegation

    • Unconstrained Delegation Demo

    • The "Printer Bug"

    • Printer Bug Demo

    • Constrained Delegation

    • Constrained Delegation Demo

    • Alternate Service Name

    • Alternate Service Name Demo

    • S4U2self Abuse

    • S4U2self Demo

    • Linux Credential Cache

    • Linux Credential Cache Demo

  16. 16
    • Active Directory Certificate Services

    • Finding Certificate Authorities

    • Misconfigured Certificate Templates

    • Vulnerable User Template Demo

    • NTLM Relaying to ADCS HTTP Endpoints

    • ADCS NTLM Relay Demo

    • User & Computer Persistence

    • AD CS Auditing

  17. 17
    • Group Policy

    • Pivot Listeners

    • Pivot Listener Demo

    • Remote Server Administration Tools (RSAT)

    • RSAT Demo

    • SharpGPOAbuse

    • SharpGPOAbuse Demo

  18. 18
    • Discretionary Access Control Lists

    • Reset User Password

    • Targeted Kerberoasting

    • Targeted ASREPRoasting

    • Modify Domain Group Membership

  19. 19
    • MS SQL Servers

    • MS SQL NetNTLM Capture

    • MS SQL Command Execution

    • MS SQL Command Exec Demo

    • MS SQL Lateral Movement

    • MS SQL Lateral Movement Demo

    • MS SQL Privilege Escalation

    • MS SQL Privilege Escalation Demo

  20. 20
    • Domain Dominance

    • DCSync Backdoor

    • AdminSDHolder Backdoor

    • Remote Registry Backdoor

    • Skeleton Key

    • Silver Tickets

    • Golden Tickets

    • Forged Certificates

  21. 21
    • Forest & Domain Trusts

    • Parent/Child

    • One-Way (Inbound)

    • One-Way (Outbound)

    • Outbound Trust Demo

  22. 22
    • Local Administrator Password Solution

    • LAPS Persistence

    • LAPS Backdoors

  23. 23
    • Bypassing Antivirus

    • Artifact Kit

    • Artifact Kit Demo

    • Resource Kit

    • Resource Kit Demo

    • AmsiScanBuffer

    • Exclusions

    • AppLocker

    • AppLocker Rule Bypasses

    • PowerShell Constrained Language Mode

  24. 24
    • Data Hunting & Exfiltration

    • File Shares

    • Internal Web Apps

    • Databases

  25. 25
    • Post-Engagement & Reporting

    • Attack Narrative

    • Recommendations

    • Indicators of Compromise

  26. 26
    • Extending Cobalt Strike

    • Elevate Kit

    • Jump & Remote-Exec

    • Beacon Object Files

    • Malleable Command & Control

Student Reviews

5 star rating

Amazing value course

Konstantin Karabadzhakov

After finishing the OSEP and immediately jumping into the CRTO, I can certainly say I learned even more in regards to enumeration of domains, active director...

Read More

After finishing the OSEP and immediately jumping into the CRTO, I can certainly say I learned even more in regards to enumeration of domains, active directory, lateral movement, etc. The addition of cobalt strike and touching on Splunk and detections is of incredible value ! I can only say I highly recommend to course !

Read Less
5 star rating

Truly amazing

Jeremiasz Pluta

This course is amazing and should be strongly recommended for anyone, that wants to take a step into the world of red teaming. It presents the matters of red...

Read More

This course is amazing and should be strongly recommended for anyone, that wants to take a step into the world of red teaming. It presents the matters of red teaming in simple, understanding way. Everyone who's relatively familiar with penetration testing can learn many new techniques and begin to feel confident in area of red teaming.

Read Less
5 star rating

Great Intro!

STEPHEN HARUNA

This is a must for every offensive security person.

This is a must for every offensive security person.

Read Less
5 star rating

A must have certificate.

Perry Daniel Junior Ofori

I have gained in two months what it would have taken me a year to learn. The TTP and knowledge in this course is publicly available but having having someone...

Read More

I have gained in two months what it would have taken me a year to learn. The TTP and knowledge in this course is publicly available but having having someone structure it as a guide with accompanying labs makes knowledge acquisition faster.

Read Less
5 star rating

This course is gold

Roberto La Piana

This course is gold if you're ready to get better at Active Directory, and level up your skills. Really quality material, and well explained. I'm already usi...

Read More

This course is gold if you're ready to get better at Active Directory, and level up your skills. Really quality material, and well explained. I'm already using this knowledge on engagements and I'm just half-way through. Although CobaltStrike heavy, all concepts, commands and tools can be used/applied to scenarios where CobltStrike is not a thing with very little modification. I do recommend some base knowledge before enrolling, but that goes without saying. Well done ZeroPointSecurity

Read Less

Purchase Options

Purchase the course only or with a 40-hour lab bundle.