# Red Team Development and Operations

![rw-book-cover](https://m.media-amazon.com/images/I/81e+zNAsQ+L._SY160.jpg)

## Metadata

- Author: [[Joe Vest, James Tubberville]]
- Full Title: Red Team Development and Operations
- Category: #books

## Highlights

- "We have too many logs and alerts to respond!" or "We are just trying to keep up with ticket volume!"? Why do organizations log what they log? Compliance? In case they are needed? Vendor's advice? Organizations are still missing a key piece to all threats: understanding their actions and TTPs. ([Location 229](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=229))
- Although these systems are highly functional and capable, the ideas, concepts, and thoughts can sometimes be "boxed in," leading to incorrect assumptions about how a system honestly operates. People build systems, and people make assumptions about capability, functionality, and security. These assumptions lead to flaws of which a threat may take advantage. ([Location 302](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=302))
  - Note: Abstraction misses details of reality
- Red Teams rarely, if ever, run standard vulnerability assessment tools. These tools are loud and generate more traffic than a Red Team engagement is willing to accept. If a vulnerability assessment tool MUST be used, there should be a question asked as to the type of security assessment being conducted, or they should be run with high focus from a "burned" attack location. Vulnerability assessments are still a critical component of a security program but are quite different in scope and goals from a red team engagement. ([Location 422](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=422))
- penetration test can look and feel very similar to a Red Team engagement, and in many cases, use the same tools. These similarities should not cause anyone to confuse the two.
  Penetration tests focus on exploiting weaknesses to determine business risk. ([Location 433](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=433))
- Red Teaming is the process of using Tactics, Techniques, and Procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of the people, processes, and technology used to defend an environment. ([Location 528](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=528))
- For instance, it can be common to use GSA rates x 1.25. This has been a successful method to provide operators a good rate to cover lodging, meals, and incidentals. ([Location 598](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=598))
- Tactics are the tactical goals a threat may use during an operation. Techniques describe the actions threats take to achieve their objectives. Procedures are the technical steps required to perform an action. ([Location 958](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=958))
- Remember, a Red Team engagement is not an all-out hack fest. In many cases, a Red Team is helping personnel understand how a specific threat impacts an organization. ([Location 1012](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1012))
- simplify, Red Teams explore the "threat story." A scenario provides the script for that story and drives how a Red Team emulates a threat. A Red Team uses the plot to shape their actions and develop their TTPs. All of these aspects combined create a comprehensive threat scenario. ([Location 1157](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1157))
- `YYYYMMDD_HHMM_IP_Description` format. ([Location 1789](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1789))
- outbound sources: Maintain at least two outbound sources for C2 redundancy; however, use only one for operations (considered an interactive tier).
  The second (a long- or short-haul tier) is dormant or extremely slow and used as a backup if/when the primary is discovered. ([Location 1949](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1949))
- Do not execute from non-executable locations ([Location 1980](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1980))
- Do not use binaries for initial capabilities. As a general rule, do not drop binaries on the system. First, use built-in commands to achieve your goals. This is not always possible, and binaries may be required; however, binaries must be vetted, obfuscated, and tested against detection before use.
  - Ensure all other "Do's and Don'ts" are met for all binaries
  - Consult a senior operator before dropping any binary ([Location 1987](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1987))
- Do not download restricted datasets ([Location 1995](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=1995))
- Once exploitation occurs, backdoors or other means of access should be established. ([Location 2016](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2016))
- A Red Team operator successfully uses the exploit from a burnable IP space. The exploit results in remote command execution of the target webserver. Instead of using the exploit repeatedly to issue commands, a web shell is deployed. ([Location 2018](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2018))
- It is important to remember that a Red Team engagement is not a comprehensive view of a target's vulnerabilities.
  ([Location 2026](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2026))
- Popular places to find exploits:
  - Metasploit: www.metasploit.com – public exploits and zero days
  - ExploitHub: www.exploithub.com – commercial exploit clearinghouse for nonzero days
  - Exploit DB: www.exploit-db.com – repository of exploits maintained by Offensive Security
  - Other exploit clearing houses ([Location 2029](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2029))
- Exploits can be rare, costly, and ephemeral. When they work, they are great, but most exploits have a short lifetime. ([Location 2050](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2050))
- Security has increased over the years, and the number of traditional memory corruption exploits has dropped significantly. This has driven threats to search for alternate means of gaining access to a target. Web applications are excellent targets for exploitation and remote code execution. ([Location 2053](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2053))
- In cases where phishing is risky, consider white carding. A solid strategy is to send a phishing email to a trusted insider. That person will click links or provide information as directed by the phish. ([Location 2097](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2097))
- Red Teams do not commonly use vulnerability scanners. These tools generally tend to be loud and to generate a tremendous amount of traffic. Vulnerability identification by a Red Team focuses on OSINT, low and slow enumeration, intelligent guessing, or other non-intrusive methods. ([Location 2127](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2127))
- Using a focused scan would minimize exposure. They could also manually extract version information from the web application.
  In any case, caution should be taken before running a vulnerability scanner to reduce exposure. If more intrusive scanning is needed, performing the scan from a burnable source that is dedicated to louder activities would protect more sensitive sources from being exposed. ([Location 2132](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2132))
- Does the risk of exposure from running a generally loud tool outweigh the potential knowledge learned?
  - Are there other ways to identify a vulnerability without using the automated scanner?
  - Will exploitation of a vulnerability provide a path that is beneficial to a Red Team's goal? (Remember that vulnerability identification is typically not a Red Team engagement goal.) ([Location 2137](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2137))
- `-sT`
  - This forces Nmap to perform a full connect scan. Nmap's default is `-sS`, or a stealth scan. A full scan completes the full TCP handshake (SYN, SYN/ACK, ACK) and sends a RST to gracefully tear down the connection. A `-sS` scan sends only SYN and waits for a response or timeout. A full connection is not established. Although the term stealth is used, this behavior can indicate a scan is being run against a target. In general, full connect scans produce fewer triggers through network security devices. This is especially true when they are executed very slowly.
  ([Location 2163](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2163))
- `~/.msf4/msfconsole.rc`:

  ```
  spool /root/.msf4/spool.log
  setg ConsoleLogging true
  setg verbose true
  setg LogLevel 5
  setg SessionLogging true
  setg TimestampOutput true
  setg PromptTimeFormat %Y%m%d.%H%M%S%z
  setg PROMPT %T S:%S J:%J
  setg ExitOnSession false
  setg DisableCourtesyShell true
  load sounds #optional
  ```

  ([Location 2237](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2237))
- In terms of where the Metasploit framework fits in Red Teaming, it is useful in providing a library of exploits, but is generally not appropriate for command and control. ([Location 2247](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2247))
- Red Team Infrastructure Wiki – https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki ([Location 2333](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2333))
- ACLs or other protections should be put in place to allow access only from Red Team Operators. A responsible Red Team should not allow C2 control outside designated Red Team IPs/Segments. Even "hacker" software is not safe. ([Location 2389](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2389))
- C2 Infrastructure Rules
  - C2 servers do not directly communicate with targets
  - Targets and C2 servers communicate through a redirector
  - Tiers should be used for their intended purposes
    - Tier 1 – Low and slow, intended for long-term persistence
    - Tier 2 – Mid-speed communications, designed to reestablish interactive C2
    - Tier 3 – An interactive tier designed to perform everyday commands near real time or as operationally required
  - New C2 must remain at the same tier or lower (never higher): ([Location 2451](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2451))
- LEGEND: This diagram can help illustrate the tiers and the relationships of how to share information between each.
  ([Location 2469](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2469))
- Typical C2 Design for Emulating a Threat Designed to Stimulate Blue (Exercises)
  - One or two C2 servers. All tiers are used for interaction with the target
  - Redirectors are not in use
  - IP addresses are used instead of domain names
  - The target and C2 directly communicate
  - The use of common protocols on standard or nonstandard ports (HTTP, HTTPS)
  - Communications may or may not be encrypted ([Location 2489](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2489))
- It is desired to have all exploits, toolkits, and persistence mechanisms have self-destruct code baked in, both time-based, to prevent execution outside the engagement window, and target-based, to prevent exploitation outside the target environment. ([Location 2555](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2555))
- The executive outbrief should focus on the big picture of the event and is best portrayed as a chronological story of critical steps and observations. The story and actions will become the attack narrative in the final report. At this point, the final report and analysis are not complete, but management is looking for quick answers. If obvious issues were identified, they could be highlighted in the brief. It should be pointed out that the final report may contain observations that will not be discovered until all information has been analyzed. ([Location 2637](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2637))
- Most executive suites and senior managers aren't as interested in the technical details of the engagement. They are more commonly interested in the impacts to business functions, production, and reputation. Attempt to correlate each major action or milestone to the business aspects impacted.
  If possible, estimating total costs (including lost revenue, time, remediation, capability, etc.) facilitates executive understanding of the impacts and reinforces interaction. ([Location 2643](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2643))
- Questions to Defuse Hostile Response to Red Team Activity ([Location 2720](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=2720))
- Don't forget to visit the companion website, http://redteam.guide for additional information, Red Team templates, and other guides. ([Location 3115](https://readwise.io/to_kindle?action=open&asin=B0842BMMCC&location=3115))
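The `-sT` versus `-sS` highlight (Location 2163) describes the two handshake shapes from the scanner's side. The classifier below is an added example, not code from the book or its authors, that shows the same distinction from the defender's side: it reads a constructed packet log (the line format and the `10.0.0.x` addresses are my own, not a real capture), groups packets into flows, and labels each flow as `half_open` (SYN, SYN/ACK, then RST with no ACK, the `-sS` footprint), `full_connect` (handshake completed, then torn down), `closed` (server answered the SYN with RST) or `no_response`. It then rolls the verdicts up per source so a monitoring rule can flag hosts that leave many half-open flows behind, which is why the highlight says a "stealth" scan is in practice the easier one to spot.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): one TCP control packet per line,
# "<time> <src>:<sport> > <dst>:<dport> <flags>" using tcpdump-style letters
# (S = SYN, S. = SYN/ACK, . = ACK, R = RST, F = FIN). Flows from 10.0.0.5 show the
# half-open SYN / SYN-ACK / RST pattern; the flow from 10.0.0.7 is a completed
# handshake that is then torn down, which is what a full connect scan leaves.
SAMPLE_LOG = """\
1.000 10.0.0.5:40001 > 10.0.0.20:22 S
1.001 10.0.0.20:22 > 10.0.0.5:40001 S.
1.002 10.0.0.5:40001 > 10.0.0.20:22 R
1.010 10.0.0.5:40002 > 10.0.0.20:80 S
1.011 10.0.0.20:80 > 10.0.0.5:40002 S.
1.012 10.0.0.5:40002 > 10.0.0.20:80 R
1.020 10.0.0.5:40003 > 10.0.0.20:443 S
1.021 10.0.0.20:443 > 10.0.0.5:40003 R
1.030 10.0.0.5:40004 > 10.0.0.20:8080 S
2.000 10.0.0.7:50001 > 10.0.0.20:22 S
2.001 10.0.0.20:22 > 10.0.0.7:50001 S.
2.002 10.0.0.7:50001 > 10.0.0.20:22 .
2.003 10.0.0.7:50001 > 10.0.0.20:22 R
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+(\S+)$")


def parse_log(text):
    """Return packets as (time, src, sport, dst, dport, flags) tuples sorted by time."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        t, src, sport, dst, dport, flags = m.groups()
        packets.append((float(t), src, int(sport), dst, int(dport), flags))
    return sorted(packets)


def classify_flow(packets):
    """Label one time-ordered flow by how far its TCP handshake got."""
    first = packets[0]
    if first[5] != "S":
        return "unknown"            # flow did not begin with a bare SYN
    client, server = first[1], first[3]
    saw_synack = server_rst = client_completed = False
    for _, src, _, _, _, flags in packets[1:]:
        if src == server:
            if flags == "S.":
                saw_synack = True
            elif "R" in flags:
                server_rst = True
        elif src == client and saw_synack and "R" not in flags and "S" not in flags:
            client_completed = True  # ACK (or FIN/data) after SYN-ACK: handshake finished
    if not saw_synack:
        return "closed" if server_rst else "no_response"
    return "full_connect" if client_completed else "half_open"


def classify_log(text):
    """Map (client_ip, client_port, server_ip, server_port) to a flow verdict."""
    flows = defaultdict(list)
    for pkt in parse_log(text):
        _, src, sport, dst, dport, _ = pkt
        flows[tuple(sorted([(src, sport), (dst, dport)]))].append(pkt)  # direction-agnostic key
    verdicts = {}
    for pkts in flows.values():
        first = pkts[0]             # earliest packet, i.e. the client's SYN
        verdicts[(first[1], first[2], first[3], first[4])] = classify_flow(pkts)
    return verdicts


def summarize_sources(text):
    """Per source IP: how many flows fell into each class and which ports were touched."""
    summary = defaultdict(lambda: {"ports": set(), "half_open": 0, "full_connect": 0,
                                   "closed": 0, "no_response": 0, "unknown": 0})
    for (client, _, _, dport), verdict in classify_log(text).items():
        summary[client]["ports"].add(dport)
        summary[client][verdict] += 1
    return dict(summary)


def suspicious_sources(text, min_half_open=2):
    """Sources that left at least min_half_open half-open flows. The threshold is an
    assumption sized for this toy sample; tune it against the network's baseline."""
    return sorted(ip for ip, s in summarize_sources(text).items()
                  if s["half_open"] >= min_half_open)


if __name__ == "__main__":
    for ip, s in summarize_sources(SAMPLE_LOG).items():
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Note that the `full_connect` flow from `10.0.0.7` is indistinguishable, at the flag level, from a short legitimate session, which is exactly the highlight's point: a slow full connect scan hides among normal traffic, while a half-open flow answered with RST instead of ACK has no benign explanation and is a clean detection signal.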
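The C2 Infrastructure Rules highlight (Location 2451) and the ACL highlight (Location 2389) are checkable properties of a deployment, so here is an added example, not code from the book or its authors, that validates a declared layout against three of them: no direct C2-to-target link, every target reaches C2 only via a redirector that actually forwards to one, and the C2 admin ACL is confined to operator networks (an ACL of `0.0.0.0/0` is the "hacker software is not safe" failure the authors warn about). The `Node`/`Infra` model, node names and the `203.0.113.0/24` operator range are my assumptions for the example; the tier rule is left out because the highlight ends before the book's list of which tier may spawn which.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Node:
    name: str
    role: str                                       # "c2", "redirector" or "target"
    admin_acl: list = field(default_factory=list)   # CIDRs allowed to reach a C2's admin port


@dataclass
class Infra:
    nodes: dict          # name -> Node
    links: set           # (src, dst) pairs of node names that exchange traffic
    operator_nets: list  # CIDRs the Red Team operators work from


def check_c2_rules(infra):
    """Return a list of rule violations; an empty list means the layout passes."""
    nodes, violations = infra.nodes, []
    op_nets = [ip_network(n) for n in infra.operator_nets]

    # Rule: C2 servers do not directly communicate with targets (either direction).
    for src, dst in sorted(infra.links):
        if {nodes[src].role, nodes[dst].role} == {"c2", "target"}:
            violations.append(f"direct C2/target link: {src} -> {dst}")

    # Rule: targets and C2 communicate through a redirector. Every target must talk
    # to at least one redirector, and that redirector must forward on to a C2.
    for name in sorted(nodes):
        if nodes[name].role != "target":
            continue
        redirectors = [d for s, d in infra.links if s == name and nodes[d].role == "redirector"]
        if not redirectors:
            violations.append(f"target {name} has no redirector path")
        for rd in redirectors:
            if not any(s == rd and nodes[d].role == "c2" for s, d in infra.links):
                violations.append(f"redirector {rd} forwards to no C2")

    # Rule: C2 control only from designated Red Team IPs/segments. Each ACL entry
    # must sit inside some operator network; a missing ACL is itself a finding.
    for name in sorted(nodes):
        node = nodes[name]
        if node.role != "c2":
            continue
        if not node.admin_acl:
            violations.append(f"C2 {name} has no admin ACL")
        for cidr in node.admin_acl:
            net = ip_network(cidr)
            inside = any(net.subnet_of(op) for op in op_nets if op.version == net.version)
            if not inside:
                violations.append(f"C2 {name} admin ACL {cidr} is outside operator networks")
    return violations


def layout_exercise_style():
    """Constructed layout matching the 'stimulate Blue' design: target talks to C2
    directly, no redirector, and the admin port open to the world."""
    return Infra(
        nodes={"c2-1": Node("c2-1", "c2", admin_acl=["0.0.0.0/0"]),
               "target-a": Node("target-a", "target")},
        links={("target-a", "c2-1")},
        operator_nets=["203.0.113.0/24"],
    )


def layout_rules_compliant():
    """Constructed layout that follows the rules: target -> redirector -> C2, with the
    C2 admin ACL limited to the operator range."""
    return Infra(
        nodes={"c2-1": Node("c2-1", "c2", admin_acl=["203.0.113.0/24"]),
               "rd-1": Node("rd-1", "redirector"),
               "target-a": Node("target-a", "target")},
        links={("target-a", "rd-1"), ("rd-1", "c2-1")},
        operator_nets=["203.0.113.0/24"],
    )


if __name__ == "__main__":
    for label, infra in (("exercise-style", layout_exercise_style()),
                         ("compliant", layout_rules_compliant())):
        print(label, check_c2_rules(infra) or "OK")
```

The first layout is deliberately the "Typical C2 Design ... Designed to Stimulate Blue" shape from Location 2489, which is fine for an exercise whose goal is to be seen; the checker makes explicit that it fails every rule a threat-emulation engagement would impose.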
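The self-destruct highlight (Location 2555) asks for two guards in every tool: a time-based one tied to the engagement window and a target-based one tied to the authorized environment. The function below is an added example, not code from the book or its authors, of such a pre-execution gate. It refuses naive datetimes (a window written in local time silently shifts when a tool runs on a host in another zone), treats the window as half-open so the end instant is already outside it, and matches the observed host against an authorized-domain list by exact label boundary so `notcorp.example` is not accepted for `corp.example`. The domain names and dates are constructed for the example.

```python
from datetime import datetime, timedelta, timezone


def _require_aware(name, dt):
    """Reject naive datetimes: a naive window is ambiguous once a tool runs elsewhere."""
    if dt.tzinfo is None or dt.tzinfo.utcoffset(dt) is None:
        raise ValueError(f"{name} must be timezone-aware")


def _normalize_domain(d):
    return d.strip().lower().rstrip(".")


def in_authorized_environment(observed_domain, authorized_domains):
    """True if observed_domain equals, or is a subdomain of, an authorized domain.
    Matching is done on label boundaries, so a prefix like 'notcorp' does not match."""
    host = _normalize_domain(observed_domain)
    for auth in map(_normalize_domain, authorized_domains):
        if host == auth or host.endswith("." + auth):
            return True
    return False


def execution_allowed(now, window_start, window_end, observed_domain, authorized_domains):
    """Return (allowed, reason). Both guards must pass; the time guard is checked
    first so an expired tool never evaluates the target guard at all."""
    for name, dt in (("now", now), ("window_start", window_start), ("window_end", window_end)):
        _require_aware(name, dt)
    if window_end <= window_start:
        raise ValueError("window_end must be after window_start")
    if not (window_start <= now < window_end):       # half-open: the end instant is out
        return False, "outside engagement window"
    if not in_authorized_environment(observed_domain, authorized_domains):
        return False, "host is not in the authorized target environment"
    return True, "ok"


# Constructed engagement parameters for the example (not a real engagement).
WINDOW_START = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(days=10)
AUTHORIZED = ["corp.example"]


if __name__ == "__main__":
    checks = [
        (WINDOW_START + timedelta(days=1), "ws01.corp.example"),
        (WINDOW_START + timedelta(days=1), "ws01.notcorp.example"),
        (WINDOW_END, "ws01.corp.example"),
    ]
    for when, host in checks:
        print(when.isoformat(), host, execution_allowed(when, WINDOW_START, WINDOW_END, host, AUTHORIZED))
```

In a real tool the `now` value comes from the clock and `observed_domain` from the host's own configuration, and on a `False` result the tool exits without doing anything else; the guard is there to stop the kit from running against anything the engagement did not authorize.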