Introduction to Red Teaming
In this short blog post, I will walk you through the basic concepts of Red Teaming. This is the first post in a series, I will explain here what Red Teaming is, how a Red Team operates, what will be covered in the upcoming blog posts of the series, and the prerequisites needed to follow along.
RED TEAM PATH
Lorenzo Meacci
1/18/2025, 3 min read


What is Red Teaming?
The term "Red Teaming" has various definitions, but the simplest is: Red Teaming is the process of simulating a non-destructive cyberattack to test an organization's security measures.
A Red Team typically consists of two or more ethical hackers who possess the skills and tools of criminal hackers but operate under a strict ethical framework. These professionals are hired and paid to conduct these operations legitimately and responsibly. The primary objective of a Red Team exercise is to demonstrate the potential damage an adversary group could inflict on an organization. This helps identify and mitigate vulnerabilities, improving the organization's overall security posture.
Red teamers employ a wide range of hacking methodologies, threat emulation tools, and advanced tactics to simulate sophisticated attackers, including Advanced Persistent Threats (APTs). This realistic approach allows organizations to prepare for and defend against real-world threats effectively.
Pentesting vs Red Teaming
The differences are numerous, but the most important one is this: penetration testing engagements focus on identifying as many vulnerabilities as possible within a defined scope, whereas Red Team exercises have a specific objective that must be achieved using any method (as long as it does not violate local laws or exceed the defined scope).
The Importance of OPSEC
Operational Security (OPSEC) in information security refers to how "noisy" our actions are and how easily defenders can detect and/or block them. During Red Team exercises, in 99.9% of cases, a blue team will be on the other side of the wire (otherwise, the red team exercise would be ineffective), actively trying to detect and prevent us from entering the network. This is why understanding our actions and the traces we leave behind is crucial. Using a random network scanning tool from GitHub and running it on the network is not OPSEC and will most likely result in us being detected.
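To make the OPSEC point concrete from the blue team's side, here is an added example that is not part of the original post: a toy scan detector of the kind a defender could run over flow or firewall logs. It does not need a signature for any particular tool; it only flags a source address that touches many distinct ports on one host, or the same port on many hosts, within a short window. The log format, the sample lines, and the thresholds are all constructed for this demonstration.

```python
"""
Added example (not from the original post): a minimal "noisy scan" detector.

Why it exists: a randomly chosen scanner pulled from GitHub tends to hit many
ports or hosts in seconds. A blue team does not have to recognise the tool;
a plain threshold rule on connection logs is enough to raise an alert.

Assumed (constructed) log format, one connection per line:
    <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5):
    """Return a sorted list of alerts found in the given log lines.

    Two simple rules, both keyed on the source address and evaluated over a
    sliding window of `window_seconds`:
      - ("vertical_scan", src, dst):   >= port_threshold distinct ports on ONE host
      - ("horizontal_scan", src, port): >= host_threshold distinct hosts on ONE port
    Thresholds are illustrative; a real deployment tunes them to the network.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    window = timedelta(seconds=window_seconds)
    alerts = set()
    for i, (ts, src, _dst, _port) in enumerate(events):
        ports_by_dst = defaultdict(set)  # dst -> set of ports seen from src
        dsts_by_port = defaultdict(set)  # port -> set of dsts seen from src
        # Quadratic re-scan of the window: fine for a demo, not for production.
        for ts2, src2, dst2, port2 in events[: i + 1]:
            if src2 != src or ts - ts2 > window:
                continue
            ports_by_dst[dst2].add(port2)
            dsts_by_port[port2].add(dst2)
        for dst, ports in ports_by_dst.items():
            if len(ports) >= port_threshold:
                alerts.add(("vertical_scan", src, dst))
        for port, dsts in dsts_by_port.items():
            if len(dsts) >= host_threshold:
                alerts.add(("horizontal_scan", src, port))
    return sorted(alerts)


# Constructed sample log: one noisy port scan, some ordinary workstation
# traffic, one SMB sweep across a subnet, and a malformed line to be skipped.
SAMPLE_LOG = [
    # 10.0.0.5 hits 12 ports on 10.0.0.20 within 12 seconds (vertical scan)
    *[f"2025-01-18T10:00:{i:02d} 10.0.0.5 -> 10.0.0.20:{p}"
      for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])],
    # 10.0.0.7 behaves like a normal workstation: a few services, a few seconds apart
    "2025-01-18T10:01:00 10.0.0.7 -> 10.0.0.20:445",
    "2025-01-18T10:01:05 10.0.0.7 -> 10.0.0.21:443",
    "2025-01-18T10:01:10 10.0.0.7 -> 10.0.0.20:389",
    # 10.0.0.9 probes port 445 on six hosts within six seconds (horizontal scan)
    *[f"2025-01-18T10:02:{i:02d} 10.0.0.9 -> 10.0.0.{30 + i}:445" for i in range(6)],
    "this line is not a flow record and is ignored by the parser",
]


def run_demo():
    """Run the detector over the constructed sample log and return the alerts."""
    return detect_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The workstation traffic never crosses either threshold, while both the port scan and the SMB sweep are flagged within seconds, which is the whole point of the paragraph above: what gets a red teamer caught is rarely the tool's name, it is the volume and shape of the traffic it produces.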
What are the prerequisites to follow this series?
I believe having a general understanding of what Red Teaming is or basic practical knowledge of penetration testing is essential to fully grasp the content. However, all of this information is accessible to everyone, so feel free to explore and enjoy the material as you wish. I plan to cover the following topics:
C2 Infrastructure:
This section covers the essentials of setting up and securing a Command and Control (C2) infrastructure, with a focus on Havoc C2. Key topics include the purpose of C2 in Red Team operations, security considerations, and setting up a fully functional C2 infrastructure on AWS.
Havoc C2:
This section explores the Havoc C2 framework, detailing how it functions, installation processes, the configuration and most importantly how to use it.
Initial Access:
This section focuses on techniques used to gain initial access to a target system. It covers both remote and physical access methods, such as HTML smuggling, VBA macros, password spraying and hardware-based attacks like Bash bunny and Rubber Ducky.
AD ATTACKS I → Initial Access (Assumed Breach): GOAD the OPSEC way
This part covers Active Directory (AD) attacks used to escalate access within a compromised network. Topics include local privilege escalation, domain enumeration, and Kerberos-based attacks such as ASREP Roasting and Kerberoasting.
AD ATTACKS II → AD Lateral Movement and Privilege Escalation: GOAD the OPSEC way
In this section, I will cover advanced techniques for lateral movement and privilege escalation within Active Directory environments. Key methods include user impersonation, Kerberos delegation attacks, ACL/DACL abuse, ADCS exploitation, MSSQL server attacks, domain compromise, AD trust attacks, and NTLM relay attacks.
Defense Evasion I:
This section covers evasion techniques used to avoid detection by defensive tools such as AV and endpoint protection. Topics include how AV products work, what triggers them, the Windows API, and techniques like obfuscation and encryption.
Defense Evasion II:
This part dives into advanced evasion methods, such as bypassing application blacklisting, memory patching, and evading EDR solutions (e.g., Elastic).
I will leave references in every section so that readers can do their own research and go deeper into the topics covered. This is my biggest project, and producing it the way I want will take some time. I will post every new release on my LinkedIn and on the community Discord server, so don't miss it!
I GOT STUCK WHAT DO I DOOOOO????
If you ever get stuck on something related or unrelated to the path, I highly encourage you to join our community. I can provide direct support there, or you can contact me on LinkedIn.
Support me
If you like the path and want to support me, it would mean the world to me!