Throughout the years Red Team has been defined in various ways by many Security Researchers but a clear definition was given by Joe Vest:

Red teaming is the process of using Tactics, Techniques, and Procedures (TTPs) to emulate real-world threats with the goal of training and measuring the effectiveness of the people, processes, and technology used to defend an environment.

-Joe Vest

In Red Teaming the goal is to test and evaluate the TTD (Time To Detect) and TTR (Time To Response), in an organizations security analyst (Blue Team). A Red Teams engagement can be finished by reaching a set of Goals that is provided by the client or simply by reaching Domain Dominance which in where the Red Team has complete access to the Entire Network.

The Hackers Playbook has a clear definition to differentiate a Pentest with a Red Team Engagement:

Red Teaming follows an Attack Cycle with which a most common pattern is the one shown below:

A Red Team Operation consists of a Lead and a team of Operators. In this blog I will reference the attack cycle but as well give demonstrations from the MITRE ATT&CK Framework.

Recon

This is the first step taken into gaining a foothold on the targets network. OSINT being a big part of the reconnaissance for gathering information about the target, in the following I will demonstrate a typical Passive and Aggressive approach of a Reconnaissance taken to gather information.

Passive:

This is a good approach for gathering information as we will NOT touch the target in any way such as Scanning Ports or making an unusual request to the user/business. A popular method of passive scanning is known as OSINT [Open-Source Intelligence Gathering], there is a plethora of tools that can be used to achieve this in an automated way or just go for a manual method.

A sample of Passive can be demonstrated via Google Dorking:

The concept of "Google hacking" dates back to 2002, when Johnny Long began to collect Google search queries that uncovered vulnerable systems and/or sensitive information disclosures – labeling them googleDorks.

We can tell in the search query that the word password has been queried on sites that contain the Google Domain.

Shodan a popular hacker’s engine, the website is known for showing open ports across the internet. This is also a great passive method for looking at any ports that have been facing the internet and allowing us to look without the need for scanning. In the example below we search for “yahoo” using Shodan.

Aggressive:

A NOISIER approach this requires us to scan ports, send tampered request, phone calls, spoofing, etc. Sometimes this approach is taken to gather more information that is available than a softer approach.

Examples of this approach can be demonstrated with an NMAP scan. These are useful as they can be quite aggressive when scanning an internal network. In this example will do a simple nmap scan on an internal IP network address.

Another popular active scanning tool is ENUM4LINUX. This tool enumerates the SMB (445) and looks for shares that are accessible via Anonymous logins or you can try with a password as well. (This will leave logs on the network)

CrackmapExec is also another popular tool for internal scanning of users. One instance is when the operator obtains usernames so that a password spray can be initiated. in this example, we will use valid credentials

A plethora of active tools for enumeration that are well known can be: AQUTAONE, SPOOFCHECK, DNSRECON, BURP SUITE, etc.

Weaponization

Weaponizing or developing our payload is the act of the operator building a functional working payload in the target’s environment to gain a foothold on the network.

The more information gathered in this process allows the operator to target any AV, EDR or Security Tools that are running.

More examples can be shown on Red Team Notes 2.0

In a small example of weaponizing a Payload we have gathered the information of our target:

OS: Windows 10 Enterprise 19043 (Windows 10 Enterprise 6.3)

Computer name: DESKTOP-ALPHA

Domain name: DOMINIONCYBER.local

With the information obtained from enumeration we are aware that we are targeting a Windows environment. Our goal is to build payloads for this environment that would allow us to gain code execution. In this example we will use a Macro Payload, but an operator’s toolkit can consist of various formats including EXE, MACROS, HTA and others.

With Cobalt Strike we can create a VBA script that would allow us to copy + paste this code onto a working Word Document to deliver to our target user.

By choosing the Macro Payload option:

CS gives us instructions on how to add these macros to a Word Document for weaponizing

We will utilize the Visual Basic option from the Developer Menu which can be enabled in the Options > Customize Ribbon section

This will allow us to add code onto our Word Document which we can continue to paste or copied code from Cobalt Strike.

Here we will be able to save this Document as a Word Enabled Document

Saving this and sending it to our targeted user while working on a pretext that will ask them to Enable the Macro Settings for the Document.

Delivery

The Delivery method for our payloads is an important section in Red Teaming. Executing this successfully will be a deciding factor to determine if our payload will be delivered. The tool demonstrated here is a very well-known Open-Source framework. Many others which can achieve the same goal are available, but I will be using GoPhish for this example.

GoPhish an Open-Source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements as well as security awareness trainings.

The setup and explanation of this tool will be skipped, as the manual is a very well written guide on how to work with Gophish

When our framework is fully setup, we can access this by utilizing the web browser and login in with the credentials we setup in the installation process.

We can start by sending some emails to our targets

An example of our phishing email with a payload attached to it seen below.

A simple example of the framework utilized to Deliver our payloads, a more sophisticated approach can be taken by adding SSL encryption, changing some header information, and having it look a little more presentable, but this was a simple approach for demonstration purposes.

Situational Awareness

An important process in the deciding factor of an operator, the information acquired in this process can pretty much decide the next steps in the operation entirely. The more info gathered the more probabilities of findings to being located and to take the next appropriate course of action to Move Laterally, Privilege Escalate, Persistence, etc.

From here will work with the Cobalt Strike Post Exploitation Framework an industry standard in the Red Team Field once an operator has gain initial access they will work with Beacons, we can start enumeration with popular tools that are available to us.

Host Enumeration

We can start with grabbing a simple OS Information from the local host.

We can use Aggressor scripts to give Cobalt Strike customized behavior and tooling; this one shows us important processes running on the host by identifying them with colors

Sample of a Security product, the Explorer Process and Web Browsers

The security settings for the Host

Some interesting ports that run services on their default configuration such as SQL, FTP, SMB, HTTP.

The ARP Table can show us recent connections that have tried to reach our host or that the host as made.

Looking into the Environment Variables can demonstrate if users have Custom Paths to run custom insider software, maybe the user has their home directories on a Remote Host, we can check if other languages are available as well such as Python or Ruby on Windows.

With these examples we can show that the operator besides having to enumerate the local host for potential attack vectors the operator can also start Domain Enumeration where it grabs information about the entirety of the network looking for Computers, Users, Permissions, Groups, GPO, etc.

Domain Name:

Domain Controllers:

Domain Users:

Domain Groups:

Domain Computers:

Domain Group Members (Domain Admins):

Situational Awareness is an important part to consider and really work on, this can be a deciding factor of a successful engagement many tools can achieve this information in different ways, but the goal is always to check as much as possible when in an environment.

Credential Dumping

Operators need to gain credentials to move laterally, privilege escalate or just to demonstrate impact, great tools such as mimikatz can give us these results. To use mimikatz Administrator Level must be achieved

Some user level access for credentials can be Browser Credentials and/or Vault Credentials these can be accessed by the current users permissions as they are encrypted by the level they currently were worked on, Firefox was a process located in our previous Enumeration and we can access credentials that are saved on the browser by using the ThunderFox tool

Firefox is not the only browser that can be accessed in this way be sure to check out others that might be running (Edge, Chrome).

Cobalt Strike has a hashdump command which will dump local hashes

Persistence

The act of maintaining a foothold on the Network. This is important to achieve a Workstation can be extremely volatile these can Reboot, Crash, PowerOff, LogOff or Suspend. These actions will have us lose our initial access we should consider persistence something to be done in our initial performance as we can lose our Beacon and Phishing again does not sound like fun.

A persistent method that we can achieve as our current user would be to modify the Startup folder and drop a beacon on to Disk, so that every time the user logs back in the contents of this folder gets executed on Run Time.

A simple bat file that runs the Calculator was left on the Startup Folder and we can see that every time the user logs backs in, this file will execute.

Defense Evasion

The act of evading Security Software. This technique is one of the hardest to work on as evasion is considered a Cat and Mouse game for the ever changing filed of detection. I will demonstrate a simple evasion technique utilizing a PowerShell Script.

A Nishang Payload for demonstration

The moment this file is saved on the Host it gets immediately detected as malicious

A trick I have noticed from Defender is that changing the entire language of the variable names can evade the software because the functions of PowerShell are completely legitimate, it’s just the usage and famous “Bad Words” found on a file.

We can also encode this into a base64 format to kind of trick prying eyes (Analysts) onto what is being executed

Privilege Escalation

The act of elevating your privileges inside the Network. A scenario is when the operator gets stuck and isn’t allowed to access servers, computers and others shares because of the permissions they are currently working on. A great tool for privilege escalation searches is PrivescCheck.

An amazing PowerShell Script that looks for multiple vulnerable configurations, cleartext credentials, and missing patches for exploitation that can allow the operator to elevate privileges on the workstation.

I will demonstrate the SeimpersonatePrivilege Token with this the user is allowed to impersonate an account and act on behalf of the account.

Running PrivescCheck demonstrates this permission as True

To exploit these permissions will utilize the PrintSpoofer exploit it abuses the permissions to create a pipe and have the local system try and authenticate to it, so it can impersonate its token.

Lateral Movement

Lateral Movement is the act of moving around the Network. Operators need to access other servers that contain more information of the network or probably a goal that needs to be achieved is on another host than the one they are currently on.

A method of Lateral Movement is the WS-Management protocol, Windows PowerShell remoting allows you to run any PowerShell commands on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts.

When having access to the internal network PowerShell has a CMDLET that allows to check for PS Remote availability on a Remote Host

If outside the network the usual port for this connection would be 5985 an active port scan technique can help in locating these protocols.

From the Outside we can connect to this by utilizing the Evil-WinRm Tool

Internal access will allow us to connect to a different workstation, we can use various methods to authenticate but I used the approach of running as a different user, and the user can simply access the PSSession of the remote workstation as seen below

Hope this blog was helpful and can be of great help of the demonstration on some of the Red Team techniques utilized and also to be as friendly as possible in the understanding of the concepts.