
RED TEAM OPERATIONS
Ignite Technologies
www.hackingarticles.in
Where we are today !!

Red Team & its Methodologies

Working Of Red Teamers

Red Team v/s VAPT v/s Blue Team

MITRE ATT&CK

Red Team Kill Chain

Advanced Persistent Threat (APT)

Course Overview

What is Red Team ??

A Red Team is a group of highly skilled pentesters that are summoned by an organization to test its defenses and improve their effectiveness.

Basically, it is the way of utilizing strategies, systems, and methodology to simulate real-world scenarios so as to prepare and measure the security defenses of the organization.

Engagement Rules for a Red Team Operation

Red Teams are given opportunities to touch and manipulate the target's network in a way that is typically done by real threats. Thereby, they sometimes position themselves to do serious damage or embarrassment to an organization.
Therefore, before starting a Red Team Operation, the Red Teamers and the client are bound by a document setting out Rules of Engagement (RoE) that must be signed by both parties, so that expectations are clear at both ends.
The RoE is a document that contains the following sub-sections:

Project Specific Scope - Contains the list of servers, routers, IP ranges, and other hardware devices.

Allowable Testing Environment - Which of the organization’s sectors are allowed to be tested.

Calendar Outline - A schedule of which month the testing will start and when it will end.

Preferable Time - At what time the traffic on the servers is lowest.

How to proceed if found vulnerable - Should the team stop and notify, or should it proceed with persistence and privilege escalation.

When to update ?? - Whether the vulnerabilities should be reported on a daily basis or collectively in the final report.

How to handle client data?

Restricted Modules - Which systems are not allowed to be tested, or which tools should not be used.

Declaration - All tests would be carried out in a safe environment such that the testing servers would not crash, but there is still a chance that a test leads to some server instability. Thereby the tester is not responsible for such mishaps.
Working of Red Teamers !!

1. Reconnaissance: collect the best information possible about the target.
2. Determine the attacking environment and select the tools.
3. Build the way to exploit it.
4. Exploit the victim for remote access with the malicious intent!
5. Follow-up report making!!

Red Team tactics consist of full-scope, multi-layered, diverse attacks that simulate real-world attacks in order to measure the effectiveness of the security controls that are applied.
Red Team Methodology

Red Team v/s VAPT

Red Team

Red Team includes tactics, techniques and procedures (TTPs) used by adversaries. A Red Team is an in-house testing team that accesses and evaluates multiple areas of security through a multi-layered approach. Therefore, it follows the concept of “defense in depth”.
Here they present real-world attack scenarios and hard facts in an attempt to improve the company’s response.
The goal of the Red Team is not to find as many vulnerabilities as possible but to test the detection and response capabilities of the infrastructure.

VAPT

Penetration Testing is used to monitor, control and identify vulnerabilities in order to secure the organization. Whereas the Vulnerability Assessment is the process of analyzing the system in order to focus on finding vulnerabilities and prioritizing them by risk.
Basically, VAPT is testing the security of an organization’s infrastructure in order to find and patch vulnerabilities in a limited span of time (a week or two).

Red Team v/s Blue Team

Red Team

Red Teamers are the attackers.
Red Team members are adept at all forms of digital attack, as well as social engineering and other methods, to find ways to break into the systems of a company.
But they are bound by employment agreements or legal contracts not to disclose what they find to anyone, as the team itself works as employees of the company that is undergoing the testing, and they are usually members of the IT Security divisions of the company’s IT group.

Blue Team

Blue Teamers are the defenders.
Blue Teams are the internal security teams, mainly employees of the company, who look after security breaches. Eg - SOC.
Blue Teams have two major areas of operations:
Their only focus is to find the vulnerabilities and patch them as they see fit.
They can also keep providing security during the Red Team engagement.

Purple Team

Purple Teamers are both the attackers and the defenders.

This team has a cooperative mindset of both the teams, the Red & the Blue !!

The main purpose of a Purple Team is to analyze how both teams react and, thereby, to strengthen or improve the Blue Team on the basis of the final outcome or the severity of the bugs the Red Team finds.
In an organization, Purple Teams are not permanent. They exist to maximize the effectiveness of the Red and Blue teams, but if both teams carry out their responsibilities in the best way then the Purple Team dissolves itself.

MITRE ATT&CK

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity.
There are a total of “156” techniques and “272” sub-techniques, which helps an individual to carry out a successful Red Team operation, and which are many times used by threat hunters and defenders to better classify attacks.
All the tactics and techniques are represented in the “MITRE ATT&CK® Matrix for Enterprise”, which can be checked out from here.

Everything is OK, but why did MITRE name its framework ATT&CK ??

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.

MITRE ATT&CK® Matrix in a nutshell –

Red Team Attack Kill Chain !!

Initial Access & Delivery → Weaponization → Command & Control → Escalate Privileges → Credential Dumping → Active Directory → Lateral Movement → Establish Persistence → Data Exfiltration → Defense Evasion → Reporting

This Red Team Attack Kill Chain has been derived from “MITRE ATT&CK” and the “Cyber Kill Chain” !!

Advanced Persistent Threat (APT)

An APT is a sophisticated, highly skilled and well-funded attacking group, where the attackers or adversaries use a number of tricks and techniques in order to hack their target. These techniques may include a number of tools, as well as social engineering.

An APT attack is a pre-defined attack which targets web applications, network servers, systems, routers, and even hardware devices.
These APT groups are recognized by their numbers, for example:
APT1 - A Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA).
APT37 - A suspected North Korean cyber espionage group that has been active since at least 2012, that targets victims primarily in South Korea, but also in Japan, Nepal, China, India, Romania, and other parts of the Middle East.

You can check the list of other APT groups from here !!

Course Overview

Initial Access & Delivery

Weaponization

Command and Control

Escalate Privileges

Credential Dumping

Active Directory

Lateral Movement

Persistence

Data Exfiltration

Defense Evasion

Reporting
Initial Access & Delivery

Drive-by Compromise

Phishing

Valid Accounts

Advanced Social Engineering

Exploit Public-Facing Application

External Remote Services

Initial Access comprises techniques that use various entry vectors to gain an initial foothold within a network.
Weaponization

Command and Scripting Interpreter

Weak Path Rule

Scheduled Task/Job

Bypass Application Whitelisting

User Execution

Command and Control

Command & Control over Application Layer Protocol

With Non-Application layer Protocols

Sessions with Zombies & Implants

Command & Control with Powershell

C&C over cloud services !!

Command and Control, abbreviated as “C2” or “C&C”, consists of techniques that adversaries use to communicate with systems under their control (i.e. to take remote access of the victim’s system).
Escalate Privileges

What is Privilege Escalation ??

Abuse Elevation Control Mechanism

Bypass User Account Control

Exploitation for Privilege Escalation

Hijack Execution Flow

Escalating Privileges with Automated Script

Escalate Privileges, commonly termed Privilege Escalation, is a method that an attacker uses to gain higher-level permissions, i.e. “administrative” or “root”, on a system or a network.
Active Directory

Windows Server Installation

Active Directory Default Local Accounts

DC Backdoor with Skeleton Key

Active Directory Kerberos Authentication Process

AS-REP Roasting

Golden Ticket Attack
Lateral Movement
Introduction to Lateral Movement

Exploitation of Remote Services

Remote Service Session Hijacking

Lateral Tool Transfers

Use Alternate Authentication Material

“After gaining control of the victim’s machine, adversaries crawl or move slowly and deeply through a network in search of data or assets to exfiltrate.”
Persistence

Account Manipulation

BITS Jobs

Boot or Logon Autostart Execution

Event Triggered Execution

Scheduled Task/Job

Data Exfiltration

Introduction to Data Exfiltration

Automated Exfiltration

Data Exfiltration with Steganography Approach

Exfiltration Over Alternative Protocol

Encrypted Reverse Connection

Exfiltration Over Non-C2 Platforms

Data Exfiltration Over Web Service

Exfiltration Over Size Limits

Data exfiltration is the technique where an attacker steals unauthorized data from the target’s computer and stores it on their own system.
Defense Evasion
What is Data Exfiltration

Access Token Manipulation

Hide Artifacts

Decode Files or Information

Indicator Removal on Host

Alternate Data Streams

Tracks Analysis and Deletion

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.

THANK YOU

www.ignitetechnologies.in
info@ignitetechnologies.in
+91 959 938 7841
+011-45103130