
Red Team Operations Workflow

Advanced adversary simulation exercises to test detection and response capabilities.

Overview

Duration: 2-4 weeks
Difficulty: Advanced
Prerequisites: Authorization, experienced team, comprehensive planning

What is Red Teaming?

Red teaming simulates real-world adversary tactics, techniques, and procedures (TTPs) to test an organization's detection and response capabilities.

Differences from Penetration Testing:

| Aspect | Penetration Test | Red Team |
|---|---|---|
| Goal | Find vulnerabilities | Test detection/response |
| Scope | Defined targets | Broad, realistic |
| Stealth | Not required | Essential |
| Duration | Days to weeks | Weeks to months |
| Approach | Comprehensive | Targeted, realistic |
| Blue Team | Usually aware | Usually unaware |

Red Team Phases

graph LR
    A[Planning] --> B[Reconnaissance]
    B --> C[Initial Access]
    C --> D[Persistence]
    D --> E[Privilege Escalation]
    E --> F[Lateral Movement]
    F --> G[Objective Achievement]
    G --> H[Exfiltration]
    H --> I[Cleanup & Report]

Phase 1: Planning & Preparation

1.1 Define Objectives

Common Objectives:

- Access specific data (crown jewels)
- Compromise specific systems
- Test detection capabilities
- Evaluate response procedures
- Assess security controls

1.2 Rules of Engagement

Critical Elements:

- Authorized scope
- Prohibited actions
- Emergency contacts
- Communication protocols
- Deconfliction procedures

Example ROE:

## Rules of Engagement

### Authorized
- Social engineering (email only)
- Network exploitation
- Physical access attempts
- Data exfiltration (test data only)

### Prohibited
- Destructive actions
- Actual data exfiltration
- Third-party attacks
- Denial of service

### Emergency Stop
Contact: [Name] at [Phone]
Code Word: "RED STOP"

1.3 Team Structure

Red Team Roles:

- Team Lead: Overall coordination
- Operators: Execute attacks
- Support: Infrastructure, tools
- OPSEC: Maintain stealth

White Cell (Coordination):

- Oversee exercise
- Manage deconfliction
- Handle emergencies
- Coordinate reporting

Blue Team (Defense):

- Usually unaware of exercise
- Detect and respond normally
- Document actions

Phase 2: Reconnaissance

2.1 Passive Reconnaissance

OSINT Gathering:

# Passive subdomain enumeration
aphids-cli \
  --api-key $API_KEY \
  --runbook osint-passive \
  --target-domain target.com \
  --engagement red-team-2024

Information to Gather:

- Employee names and emails
- Technology stack
- Third-party services
- Physical locations
- Organizational structure
- Recent news/changes

Sources:

- LinkedIn
- Job postings
- Social media
- Public documents
- Certificate transparency
- Shodan/Censys

2.2 Active Reconnaissance

Controlled Active Recon:

# Careful, stealthy scanning
aphids-cli \
  --api-key $API_KEY \
  --runbook red-team-recon \
  --target-domain target.com \
  --stealth-mode high

Stealth Techniques:

- Slow scanning (avoid IDS)
- Distributed sources
- Legitimate-looking traffic
- Off-peak hours
- Blend with normal traffic

2.3 Target Selection

Identify Attack Vectors:

- Vulnerable web applications
- Exposed services
- Weak authentication
- Social engineering targets
- Physical access points
- Supply chain weaknesses

Phase 3: Initial Access

3.1 Attack Vectors

Common Vectors:

- Phishing: Spear phishing emails
- Web Exploits: Application vulnerabilities
- Exposed Services: RDP, SSH, VPN
- Physical: Tailgating, USB drops
- Supply Chain: Third-party compromise

3.2 Phishing Campaign

Execution:

1. Create convincing pretext
2. Set up infrastructure
3. Send emails
4. Monitor for clicks
5. Capture credentials
6. Establish access

OPSEC Considerations:

- Use realistic domains
- Proper email headers
- Legitimate-looking content
- Track carefully
- Clean up artifacts

3.3 Web Application Exploitation

Identify Vulnerabilities:

# Targeted vulnerability scanning
aphids-cli \
  --api-key $API_KEY \
  --runbook web-exploit-recon \
  --target-url https://target.com/app

Exploitation:

- SQL injection for database access
- RCE for shell access
- File upload for persistence
- Authentication bypass

Phase 4: Persistence

4.1 Establish Persistence

Techniques:

- Backdoor accounts
- Scheduled tasks
- Service modifications
- Web shells
- Registry modifications
- Startup items

Example:

# Create backdoor user (if authorized)
# Document all actions for cleanup
# Use realistic names
# Maintain OPSEC

4.2 Command & Control

C2 Infrastructure:

- Redirectors
- Domain fronting
- Encrypted channels
- Legitimate services (Slack, Discord)

OPSEC:

- Blend with normal traffic
- Use HTTPS
- Irregular beaconing
- Domain reputation

Phase 5: Privilege Escalation

5.1 Local Privilege Escalation

Techniques:

- Kernel exploits
- SUID binaries
- Sudo misconfigurations
- Service exploits
- Token manipulation

Enumeration:

# Enumerate privilege escalation vectors
# Check for:
# - Weak permissions
# - Unpatched systems
# - Misconfigured services
# - Stored credentials

5.2 Domain Privilege Escalation

Active Directory Attacks:

- Kerberoasting
- AS-REP roasting
- Pass-the-hash
- Golden ticket
- Silver ticket
- DCSync
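As an added example (not from this page or its tooling), the detection side of the first technique in the list above: Kerberoasting shows up in domain controller Security logs as one account requesting RC4-encrypted service tickets (Event ID 4769, TicketEncryptionType 0x17) for many SPN accounts in a short burst. The event shape is simplified and the sample events, window and threshold are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11/0x12

def ev(ts, user, svc, enc):
    """Build a simplified 4769 (service ticket requested) event. Real events carry
    more fields and the realm suffix on TargetUserName; these are constructed."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": enc}

# Constructed sample: jdoe pulls RC4 tickets for three SPN accounts within seconds,
# asmith requests AES tickets, bjones spreads RC4 requests over hours.
SAMPLE_EVENTS = [
    ev("2024-03-01T09:00:01", "jdoe", "svc_sql", "0x17"),
    ev("2024-03-01T09:00:02", "jdoe", "svc_http", "0x17"),
    ev("2024-03-01T09:00:02", "jdoe", "svc_backup", "0x17"),
    ev("2024-03-01T09:00:03", "jdoe", "WS01$", "0x17"),
    ev("2024-03-01T09:05:00", "asmith", "svc_http", "0x12"),
    ev("2024-03-01T09:05:30", "asmith", "svc_sql", "0x12"),
    ev("2024-03-01T09:06:00", "asmith", "svc_backup", "0x12"),
    ev("2024-03-01T09:00:00", "bjones", "svc_sql", "0x17"),
    ev("2024-03-01T11:00:00", "bjones", "svc_http", "0x17"),
    ev("2024-03-01T11:00:05", "bjones", "svc_backup", "0x17"),
]

def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {user: [spn accounts]} for users that requested RC4 service tickets
    for at least min_spns distinct accounts inside one window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT handling and machine accounts are routine noise
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), svc))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window anchored at each request
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                findings[user] = sorted(spns)
                break
    return findings
```

A purple team can use exactly this loop: the red team runs the technique, the blue team checks whether the rule fires, and the threshold is tuned against the environment's normal RC4 ticket volume.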

Lateral Movement Prep:

- Enumerate domain
- Identify high-value targets
- Map trust relationships
- Find admin accounts

Phase 6: Lateral Movement

6.1 Network Enumeration

Internal Reconnaissance:

# From compromised host
# Enumerate network
# Identify targets
# Map relationships
# Find paths to objectives

Information to Gather:

- Network topology
- Active hosts
- Running services
- Domain structure
- File shares
- Databases

6.2 Lateral Movement Techniques

Methods:

- PSExec: Remote execution
- WMI: Windows Management
- RDP: Remote desktop
- SSH: Secure shell
- Pass-the-Hash: Credential reuse
- Overpass-the-Hash: Kerberos tickets

OPSEC:

- Use legitimate tools
- Avoid detection signatures
- Clean up logs
- Maintain stealth

6.3 Credential Harvesting

Sources:

- Memory dumps
- Registry
- Configuration files
- Browser saved passwords
- Network shares
- Database connections

Tools (if authorized):

- Mimikatz
- LaZagne
- Custom scripts

Phase 7: Objective Achievement

7.1 Crown Jewels Access

Locate Objectives:

- Customer databases
- Intellectual property
- Financial data
- Authentication systems
- Backup systems

Access Methods:

- Direct database access
- File share access
- Application access
- Backup access

7.2 Data Staging

Prepare for Exfiltration:

1. Locate target data
2. Compress and encrypt
3. Stage in accessible location
4. Prepare exfiltration method
5. DO NOT actually exfiltrate real data

7.3 Proof of Concept

Demonstrate Access:

- Screenshot of database query
- Hash of sensitive file
- List of accessible systems
- Evidence of access
- Never exfiltrate real data

Phase 8: Simulated Exfiltration

8.1 Exfiltration Methods

Techniques:

- DNS Tunneling: Data in DNS queries
- HTTPS: Encrypted web traffic
- Cloud Storage: Upload to external service
- Email: Attach to outbound email
- Physical: USB, printed documents

OPSEC:

- Blend with normal traffic
- Use encryption
- Slow and steady
- Avoid detection
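As an added example (not code from this page or its tooling), the resolver-log check a blue team can use to catch the first technique above: DNS tunnelling encodes data into query names, so one client sends many distinct, long, high-entropy subdomains under a single domain. The log lines are constructed (the tunnel-test.net labels are hex permutations, so each has maximal entropy), and the naive last-two-labels domain split and the thresholds are assumptions, not values from the page:

```python
import math
from collections import defaultdict

# Constructed resolver-log excerpt, "client qname" (not real traffic). The
# tunnel-test.net labels are built as hex permutations so each is maximally random.
SAMPLE_QUERIES = """\
10.0.0.9 www.example.org
10.0.0.9 mail.example.org
10.0.0.9 cdn.example.org
10.0.0.9 www.example.org
10.0.0.4 0123456789abcdef.fedcba9876543210.tunnel-test.net
10.0.0.4 13579bdf02468ace.ace02468bdf13579.tunnel-test.net
10.0.0.4 02468ace13579bdf.fdb97531eca86420.tunnel-test.net
10.0.0.4 159d26ae37bf048c.c840fb73ea62d951.tunnel-test.net
10.0.0.4 048c159d26ae37bf.fb73ea62d951c840.tunnel-test.net
10.0.0.4 37bf26ae159d048c.c840d951ea62fb73.tunnel-test.net
"""

def shannon_entropy(s):
    """Bits per character; hex-encoded payloads approach 4.0, real words sit near 2-3."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_name(qname):
    """Split into (subdomain, registered domain) with a naive last-two-labels rule;
    a real deployment would use the public suffix list (assumption, not on the page)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(log, min_unique=5, min_len=30, min_entropy=3.5):
    """Flag (client, domain) pairs with many distinct, long, high-entropy subdomains:
    the signature of data encoded into query names rather than normal name lookups."""
    subs_by_pair = defaultdict(set)
    for line in log.splitlines():
        client, qname = line.split()
        sub, base = split_name(qname)
        subs_by_pair[(client, base)].add(sub)
    hits = []
    for (client, base), subs in subs_by_pair.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            hits.append((client, base, len(subs), round(avg_len, 1), round(avg_ent, 2)))
    return hits
```

CDN and anti-virus update domains also produce long hashed labels, so an allow-list of known services is needed before alerting on hits.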

8.2 Test Data Only

Critical

NEVER exfiltrate real customer or sensitive data!

Use:

- Test data only
- Dummy files
- Hashes of real files
- Screenshots as proof
- File listings

Phase 9: Cleanup & Reporting

9.1 Cleanup

Remove All Artifacts:

- [ ] Backdoor accounts
- [ ] Scheduled tasks
- [ ] Modified files
- [ ] Web shells
- [ ] Registry changes
- [ ] Logs (if modified)
- [ ] Uploaded files
- [ ] C2 infrastructure

Verification:

- Document all changes made
- Verify all removed
- Restore original state
- Confirm with blue team
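As an added example (not part of this page), one way to make the "verify all removed" step mechanical: reconcile a pre-engagement baseline snapshot, the red team's own action log of changes, and a post-cleanup snapshot, so documented artifacts that survived cleanup, undocumented drift, and baseline items that went missing each surface separately. The snapshot shape and all host values are constructed; a real baseline would be collected per host before the first access attempt:

```python
# Constructed snapshots (not from a real host): each maps an artifact class to the
# set of items observed, e.g. local accounts, scheduled tasks, files in the web root.
BASELINE = {
    "accounts": {"root", "backup", "www-data"},
    "scheduled_tasks": {"logrotate", "apt-daily"},
    "webroot_files": {"index.php", "login.php"},
}
# Everything the red team documented creating or modifying during the exercise.
ACTION_LOG = {
    "accounts": {"svc-monitor"},
    "scheduled_tasks": {"sys-health-check"},
    "webroot_files": {"cache.php"},
}
# Snapshot taken after the team's cleanup pass.
POST_CLEANUP = {
    "accounts": {"root", "www-data", "svc-monitor"},
    "scheduled_tasks": {"logrotate", "apt-daily"},
    "webroot_files": {"index.php", "login.php", "cache.php", "debug.php"},
}

def reconcile(baseline, action_log, post):
    """Per artifact class, report: documented artifacts still present (cleanup missed),
    undocumented drift (present now, absent from both baseline and log: an undocumented
    red-team change or a blue-team response action to confirm), and baseline items
    that are now gone (possible collateral damage from the exercise or the cleanup)."""
    report = {}
    for cls in set(baseline) | set(action_log) | set(post):
        base = baseline.get(cls, set())
        logged = action_log.get(cls, set())
        now = post.get(cls, set())
        report[cls] = {
            "not_removed": sorted(logged & now),
            "undocumented": sorted(now - base - logged),
            "missing_from_baseline": sorted(base - now),
        }
    return report

def cleanup_is_clean(report):
    """True only when every class has nothing left to explain."""
    return all(not items for findings in report.values() for items in findings.values())
```

Run the reconciliation on every host the action log mentions, and walk the "undocumented" list with the blue team during the hot wash before signing off the cleanup.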

9.2 Debrief

Hot Wash (Immediate):

- What worked
- What was detected
- What failed
- Lessons learned
- Blue team feedback

Formal Debrief:

- Full timeline
- TTPs used
- Detection points
- Response actions
- Recommendations

9.3 Reporting

Red Team Report Sections:

1. Executive Summary
   - Objectives achieved
   - Key findings
   - Overall assessment
   - Recommendations

2. Methodology
   - Attack path
   - TTPs used
   - Tools employed
   - Timeline

3. Detailed Findings
   - Each compromise step
   - Evidence
   - Detection/evasion
   - Impact

4. Blue Team Performance
   - What was detected
   - Response actions
   - Response time
   - Effectiveness

5. Recommendations
   - Security improvements
   - Detection enhancements
   - Response procedures
   - Training needs

Purple Team Integration

What is Purple Teaming?

Collaborative approach where red and blue teams work together to improve defenses.

Benefits:

- Immediate feedback
- Faster improvement
- Better understanding
- Shared knowledge

Purple Team Process

graph LR
    A[Red: Execute Attack] --> B[Blue: Attempt Detection]
    B --> C[Discuss Results]
    C --> D[Improve Detection]
    D --> E[Red: Retry Attack]
    E --> B

Workflow:

1. Red team executes technique
2. Blue team attempts detection
3. Teams discuss results
4. Blue team improves detection
5. Red team validates improvement
6. Repeat for next technique

Best Practices

Planning

Clear Objectives: Know what you're testing
Detailed ROE: Document everything
Emergency Procedures: Plan for issues
Deconfliction: Coordinate with white cell
Legal Review: Ensure proper authorization

Execution

Maintain OPSEC: Stay stealthy
Document Everything: Detailed notes
Realistic TTPs: Mimic real adversaries
Safety First: Don't cause damage
Communication: Regular white cell updates

Reporting

Actionable Findings: Practical recommendations
Evidence: Screenshots, logs, artifacts
Timeline: Detailed attack path
Blue Team Feedback: Their perspective
Improvement Focus: How to get better

Common Pitfalls

Scope Creep: Drifting outside authorized bounds
Too Aggressive: Causing damage
Poor OPSEC: Getting caught early
Inadequate Cleanup: Leaving artifacts
Weak Reporting: Not actionable
No Follow-up: Not implementing fixes

Checklist

Pre-Engagement

  • Objectives defined
  • ROE documented and signed
  • Team assembled
  • Tools prepared
  • Infrastructure set up
  • Emergency procedures established
  • Legal review completed

During Engagement

  • Maintain detailed notes
  • Regular white cell updates
  • OPSEC maintained
  • Safety protocols followed
  • Evidence collected
  • Deconfliction as needed

Post-Engagement

  • All artifacts removed
  • Cleanup verified
  • Hot wash completed
  • Report drafted
  • Formal debrief conducted
  • Recommendations provided
  • Follow-up planned
