RedTeam
RedTeam copied to clipboard
RedTeam - Red Team Tools
בס״ד
⚜️ Aภl๏miuภuຮ ⚜️
![](https://user-images.githubusercontent.com/51442719/172729066-1293d382-4a31-4f03-8c23-ab0ea5f611a0.png)
⫷ HacKingPro
⫸
⫷ TryHackMe
| KoTH
⫸
⫷ Privilege-Escalation
⫸
⫷ ScanPro
| Linfo
| Diablo
⫸
⫷ Offensive-Security
| PenTest
⫸
⫷ Goals
| Studies
| HacKing
| AnyTeam
⫸
RedTeam
RedTeam - Red Team Tools
RED TEAM DEVELOPMENT CHECKLIST
⫷ MITRE ATT&CK | OST Map | ATT&CK Navigator | Atomic Red Team ⫸
-
TTP
- Tactics, Techniques and Procedures -
TI
- Threat Intelligence -
CTI
- Cyber Threat Intelligence -
ISAC
- Information and Sharing Analysis Centers
- [ ] 1 Reconnaissance:
- No identified TTPs, use internal team methodology
- [ ] 2 Weaponization:
- Command and Scripting Interpreter
- PowerShell
- Python
- VBA
- Ruby
- Bash
- Shell
- User executed malicious attachments
- Command and Scripting Interpreter
- [ ] 3 Delivery:
- Exploit Public-Facing Applications
- Spearphishing
- [ ] 4 Exploitation:
- Registry modification
- Scheduled tasks
- Keylogging
- Credential dumping
- [ ] 5 Installation:
- Ingress tool transfer
- Proxy usage
- [ ] 6 Command & Control:
- Web protocols (HTTP/HTTPS)
- DNS
- Actions on Objectives
- Exfiltration over C2
Cyber Kill Chain | MITRE ATT&CK |
---|---|
Recon | Reconnaissance |
Weaponization | Execution |
Delivery | Initial Access |
Exploitation | Initial Access |
Installation | Persistence / Defense Evasion |
Command & Control | Command and Control |
Actions on Objectives | Exfiltration / Impact |
- [ ] Determine required knowledge and skills
- [ ] Identify and implement alternate methods for bridging knowledge gaps
- [ ] Develop roles and responsibilities guide
- [ ] Develop red team methodology
- [ ] Develop TTP guidance for engagements
- [ ] Includes Bag of tricks
- [ ] Develop data collection guide and tools
- [ ] Develop operational process plan
- [ ] Develop communication plan template
- [ ] Develop ROE template: Rules of Engagement (RoE)
- [ ] Develop technical briefing template
- [ ] Develop report template: Diablo
Concept of Operation (CONOPS)
There is not a set standard of a CONOPS document;
Below is an outline of critical components that should be included in a CONOPS
- [ ] Client Name
- [ ] Service Provider
- [ ] Timeframe
- [ ] General Objectives/Phases
- [ ] Other Training Objectives (Exfiltration)
- [ ] High-Level Tools/Techniques planned to be used
- [ ] Threat group to emulate (if any)
Resource Plan
- Header
- [ ] Personnel writing
- [ ] Dates
- [ ] Customer
- Engagement Dates
- [ ] Reconnaissance Dates
- [ ] Initial Compromise Dates
- [ ] Post-Exploitation and Persistence Dates
- [ ] Misc. Dates
- Knowledge Required (optional)
- [ ] Reconnaissance
- [ ] Initial Compromise
- [ ] Post-Exploitation
- Resource Requirements
- [ ] Personnel
- [ ] Hardware
- [ ] Cloud
- [ ] Misc.
Mission Plan
- [ ] Objectives:
- [ ] Operators
- [ ] Exploits/Attacks
- [ ] Targets
- [ ] Users:
- [ ] Machines:
- [ ] Objectives:
- [ ] Execution plan variations
PLANNING - RED TEAM ENGAGEMENT CHECKLIST
- [ ] Engagement Planning
- [ ] ROE
- [ ] Event Communication plan
- [ ] Distribute Deconfliction Process
- [ ] Entry point/method
- [ ] Scope
- [ ] Goals/Objectives (should address at least one of the following)
- [ ] Protect
- [ ] Detect
- [ ] Respond
- [ ] Restore
- [ ] Target Restrictions
- [ ] Target Infrastructure / Asset verification / Approvals
- [ ] Scenario Development
- [ ] Operational Impact planning
- [ ] ROE
- [ ] Develop threat profiles
- [ ] Network and Host Activity
- [ ] IOC Generation (incl subsequent Analysis) and Management
- [ ] Plan threat infrastructure
- [ ] Tier 1
- [ ] IPs
- [ ] Systems
- [ ] Redirectors
- [ ] PPS
- [ ] Tier 2
- [ ] IPs
- [ ] Systems
- [ ] Redirectors
- [ ] PPS
- [ ] Tier 3
- [ ] IPs
- [ ] Systems
- [ ] Redirectors
- [ ] PPS
- [ ] Deploy tools to infrastructure
- [ ] Tier 1
- [ ] Data collection repository
RED TEAM ENGAGEMENT GOAL PLANNING
COMMON GOALS: MEASURE AND OBSERVE ...
-
A THREAT’S ABILITY TO ACCESS TO COMMON AND RESTRICTED AREAS (PHYSICAL)
- What ability does a threat have to access common areas?
- What ability does a threat have to access restricted areas?
- Can a threat use access gained to enable cyber capabilities?
- What impacts can a threat have through gained access?
-
A THREAT’S ABILITY TO ACCESS KEY/CRITICAL SYSTEMS
- Can a threat access key/critical systems?
- What impacts can a threat have on key/critical systems?
-
A THREAT’S ABILITY TO MOVE FREELY THROUGHOUT A NETWORK
- What ability does a threat have to freely move throughout a network?
-
A THREAT’S ABILITY TO GAIN DOMAIN WIDE AND LOCAL ADMINISTRATIVE ACCESS?
- What ability does a threat have to gain local administrative access?
- What ability does a threat have to gain domain administrative access?
- What ability does a threat have to gain elevated access?
-
A THREAT’S ABILITY TO ACCESS OR IDENTIFY SENSITIVE INFORMATION
- What ability does a threat have to access sensitive information?
- What ability does a threat have to identify sensitive information?
-
A THREAT’S ABILITY TO EXFILTRATE DATA OUTSIDE AN ORGANIZATION
- What ability does a threat have to exfiltrate data outside an organization?
- How much data must be exfiltrated to impact an organization?
-
A THREAT’S ABILITY TO ACT UNDETECTED FOR A GIVEN TIME FRAME
- How long can a threat go undetected?
- Can a threat achieve its goals undetected?
- What must a threat do to stimulate a reaction from an organization?
-
A THREAT’S ABILITY TO PERFORM OPERATIONAL IMPACTS
- What impacts can a threat perform against an organization?
- How can a threat affect X?
Rules of Engagement (RoE)
- Rules of Engagement
- Executive Summary
- Overarching summary of all contents and authorization within RoE document
- Purpose
- Defines why the RoE document is used
- References
- Any references used throughout the RoE document (HIPAA, ISO, etc.)
- Scope
- Statement of the agreement to restrictions and guidelines
- Definitions
- Definitions of technical terms used throughout the RoE document
- Rules of Engagement and Support Agreement
- Defines obligations of both parties and general technical expectations of engagement conduct
- Provisions
- Define exceptions and additional information from the Rules of Engagement
- Requirements, Restrictions, and Authority
- Define specific expectations of the red team cell
- Ground Rules
- Define limitations of the red team cell's interactions
- Resolution of Issues/Points of Contact
- Contains all essential personnel involved in an engagement
- Authorization
- Statement of authorization for the engagement
- Approval
- Signatures from both parties approving all subsections of the preceding document
- Appendix
- Any further information from preceding subsections
- Executive Summary
Campaign planning
The campaign summary we will be using consists of four different plans varying in-depth and coverage adapted from military operations documents.
Type of Plan | Explanation of Plan | Plan Contents |
---|---|---|
Engagement Plan | An overarching description of technical requirements of the red team. | CONOPS, Resource and Personnel Requirements, Timelines |
Operations Plan | An expansion of the Engagement Plan. Goes further into specifics of each detail. | Operators, Known Information, Responsibilities, etc. |
Mission Plan | The exact commands to run and execution time of the engagement. | Commands to run, Time Objectives, Responsible Operator, etc. |
Remediation Plan | Defines how the engagement will proceed after the campaign is finished. | Report, Remediation consultation, etc. |
Engagement Plan:
Component | Purpose |
---|---|
CONOPS (Concept of Operations) | Non-technically written overview of how the red team meets client objectives and target the client. |
Resource plan | Includes timelines and information required for the red team to be successful—any resource requirements: personnel, hardware, cloud requirements. |
Operations Plan:
Component | Purpose |
---|---|
Personnel | Information on employee requirements. |
Stopping conditions | How and why should the red team stop during the engagement. |
RoE (optional) | - |
Technical requirements | What knowledge will the red team need to be successful. |
Mission Plan:
Component | Purpose |
---|---|
Command playbooks (optional) | Exact commands and tools to run, including when, why, and how. Commonly seen in larger teams with many operators at varying skill levels. |
Execution times | Times to begin stages of engagement. Can optionally include exact times to execute tools and commands. |
Responsibilities/roles | Who does what, when. |
Remediation Plan (optional):
Component | Purpose |
---|---|
Report | Summary of engagement details and report of findings. |
Remediation/consultation | How will the client remediate findings? It can be included in the report or discussed in a meeting between the client and the red team. |
- TryHackMe: Red Team Engagements:
- Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation.
- Red Teaming Toolkit
Tools
Shr3dKit Red Team Tool Kit
This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos.
NOTE: hard coded in /opt and made for Kali Linux
Total Size (so far): 2.5+Gb