The Advanced Red Team Operators course is an advanced-to-expert level simulated lab environment
hosted in Azure and AWS, designed for experienced students to gain practical experience in
advanced red team operations using Cobalt Strike. Over the course of three days, students will learn
how to build infrastructure to simulate a real-life red team operation using Cobalt Strike, a powerful
tool for executing red team operations. The course includes topics such as redirectors, C2 channels,
vulnerability identification, network enumeration, process injection, and privilege escalation. With
Terraform scripts provided to set up the lab environment and a simulated real-life attack path to
navigate, the Advanced Red Team Operators course is essential for experienced professionals
seeking to hone their advanced red team operations skills using Cobalt Strike.
Who Should Attend?
This course is intended for advanced students with a strong understanding of the fundamentals of
cybersecurity, experience with penetration testing, and experience in executing red team operations.
It is designed for individuals who want to take their red team skills to the next level and challenge
themselves with practical experience in advanced red team operations using Cobalt Strike. Current
red team operators will thrive here and have the opportunity to expand their skill set and learn new
techniques to stay ahead of the curve.
Key Learning Objectives
Learn how to set up and configure Cobalt Strike with Docker
Understand C2 channels and learn how to build HTTPS redirectors using Apache mod_rewrite
Gain practical experience in Azure configurations and setup
Learn how to use AWS Lambda with Python
Utilize GCP and Azure CDNs for custom traffic redirection
Learn how to protect your infrastructure and team server
Develop expertise in process injection and payload development
Learn how to perform attack path enumeration and execution for red team operations.
Students should have experience in advanced cybersecurity fundamentals and a strong
understanding of penetration testing and execution of red team operations. However, this course is
designed to challenge you across areas that you may not be comfortable with, and that is the point. A
willingness to learn and not give up is essential. Students should also be familiar with Cobalt Strike
and have a working knowledge of AWS and Azure cloud platforms, GCP, Docker, Apache web server
configurations, HTTPS redirectors using Apache mod_rewrite, shellcode development for bypassing
AV/EDR, and advanced network design for red team operations. Comfort with Terraform is also
expected for deploying necessary infrastructure.
Students will be given multiple Terraform scripts to spin up their own lab environment in AWS/Azure
that consists of the following:
Ubuntu Cobalt Strike Team Server
Ubuntu Cobalt Strike Redirector Server
Windows 10 Development Machine
Windows Server 2019 (Domain Controller)
Windows Server 2019 (PKI Server)
Windows Server 2019 (Application Server)
Windows Server 2019 (SQL Server)
Students must have an active AWS admin account with programmatic access.
Students must have an active Azure admin account.
Students must have a GCP admin account.
Students must be able to run Terraform from local laptops.
Introduction to the course and lab environment setup
Setting up Cobalt Strike with Docker
Understanding C2 channels and HTTPS redirectors using Apache mod_rewrite
Building infrastructure in Azure and AWS to protect the Cobalt Strike team server
Utilizing AWS Lambda with Python for custom traffic redirection
Using GCP and Azure CDNs for custom traffic redirection
Protecting your infrastructure and team server
Process injection techniques and payload development for gaining a foothold on a simulated
Hiding shellcode for bypassing AV/EDR
Footholds in 2023
Terraform setup and configuration for a simulated Active Directory environment in AWS
Breaching a simulated Active Directory environment and overcoming challenges using real-life
examples from 2022 and 2023 engagements
Attack path enumeration and execution for red team operations
Note: The syllabus provided is intended to be a general outline of the course content
and does not reflect the true nature of the course guide or starting and ending points. This course is
hyper-current and changes are always made at the last minute to ensure that students receive the
most up-to-date and relevant content possible. As a result, the syllabus is subject to change, and
course content may be modified based on student skill level, course progression, and other factors.
team lead. He has led long‐term red team engagements in highly complex Fortune 500
companies. He has also worked with Microsoft to increase kernel security for the Windows
10 operating system. John has led training at BlackHat, DerbyCon, and Wild West Hackin’
Fest. John has the following certifications: OSCP, OSCE, CRTP (Certified Red Team
Professional), CRTE (Certified Red Team Expert), and SLAE (Assembly Language and
Shellcoding). John enjoys spending time with his family, working on his maple syrup farm,
and running long distances.