🔴 Red Team Operations Lab
Advanced red team operations - From reconnaissance to persistence and exfiltration
Expert Level Lab
Lab Overview
This comprehensive lab simulates real-world red team operations against a sophisticated enterprise environment. You'll conduct multi-stage attacks including initial access, privilege escalation, lateral movement, persistence, and data exfiltration. The lab emphasizes stealth, evasion, and realistic attack scenarios that mirror actual threat actor behaviors.
Learning Objectives
- Execute comprehensive red team operations from start to finish
- Develop advanced evasion and stealth techniques
- Master lateral movement and privilege escalation
- Implement persistence mechanisms and backdoors
- Conduct realistic data exfiltration operations
- Create detailed red team reports and recommendations
Prerequisites
- Advanced penetration testing experience
- Strong understanding of Active Directory exploitation
- Experience with C2 frameworks (Cobalt Strike, Empire, etc.)
- Knowledge of evasion techniques and anti-forensics
- Understanding of enterprise network architectures
🏗️ Lab Environment Setup
Target Environment
Realistic enterprise network with multiple security controls and monitoring.
- Multi-domain Active Directory forest
- Windows and Linux servers and workstations
- Network segmentation and firewalls
- Endpoint detection and response (EDR) systems
- SIEM and log aggregation
- Email security and web filtering
Red Team Infrastructure
Professional red team infrastructure for realistic operations.
- Cobalt Strike team server setup
- Domain fronting and CDN infrastructure
- Redirectors and proxy chains
- Custom malware and payloads
- Phishing infrastructure and email templates
- Data exfiltration channels
Blue Team Monitoring
Defensive monitoring and response capabilities.
- SIEM with custom detection rules
- EDR with behavioral analysis
- Network monitoring and packet capture
- Email security and threat detection
- Web application firewall monitoring
- Incident response team simulation
🎯 Lab Exercises
Exercise 1: Reconnaissance and OSINT
Objective: Conduct comprehensive reconnaissance and open source intelligence gathering.
Duration: 3-4 hours
Scenario: You're conducting a red team assessment against a target organization. Perform thorough reconnaissance without alerting the target.
Tasks:
- Passive reconnaissance and OSINT gathering
- Domain enumeration and subdomain discovery
- Social media and employee information gathering
- Technology stack identification
- Email address enumeration and validation
- Physical location and network infrastructure mapping
Expected Outcomes:
- Comprehensive target profile and attack surface
- Employee and technology intelligence
- Initial attack vector identification
Exercise 2: Initial Access - Phishing Campaign
Objective: Design and execute a sophisticated phishing campaign for initial access.
Duration: 4-5 hours
Scenario: Use social engineering and phishing to gain initial access to the target environment.
Tasks:
- Phishing email template design and customization
- Credential harvesting infrastructure setup
- Malware payload development and obfuscation
- Email delivery and tracking systems
- User interaction monitoring and analysis
- Initial foothold establishment and validation
Expected Outcomes:
- Successful initial access to target environment
- Phishing campaign effectiveness metrics
- User behavior analysis and insights
Exercise 3: Privilege Escalation and Lateral Movement
Objective: Escalate privileges and move laterally through the network.
Duration: 5-6 hours
Scenario: From your initial foothold, escalate privileges and expand access across the network.
Tasks:
- Local privilege escalation techniques
- Active Directory enumeration and reconnaissance
- Kerberos attack techniques (Kerberoasting, ASREPRoasting)
- Pass-the-hash and pass-the-ticket attacks
- Lateral movement using native tools
- Domain controller compromise and DCSync
Expected Outcomes:
- Domain administrator privileges
- Network-wide access and control
- Comprehensive lateral movement documentation
Exercise 4: Persistence and Backdoors
Objective: Establish multiple persistence mechanisms and backdoors.
Duration: 3-4 hours
Scenario: Implement various persistence mechanisms to maintain access even after detection and cleanup.
Tasks:
- Registry-based persistence mechanisms
- Scheduled task and service creation
- WMI event subscriptions for persistence
- Active Directory persistence (Golden/Silver tickets)
- Cloud service backdoors and persistence
- Anti-forensics and detection evasion
Expected Outcomes:
- Multiple persistence mechanisms established
- Stealth and evasion techniques implemented
- Persistence strategy documentation
Exercise 5: Data Discovery and Exfiltration
Objective: Discover sensitive data and execute data exfiltration operations.
Duration: 4-5 hours
Scenario: Identify and exfiltrate sensitive data while avoiding detection by security controls.
Tasks:
- Sensitive data discovery and classification
- Data staging and preparation for exfiltration
- Steganography and data hiding techniques
- Multiple exfiltration channels and methods
- Traffic analysis evasion and timing
- Data integrity verification and validation
Expected Outcomes:
- Successful data exfiltration without detection
- Data discovery and classification report
- Exfiltration technique effectiveness analysis
Exercise 6: Evasion and Anti-Forensics
Objective: Implement advanced evasion techniques and anti-forensics measures.
Duration: 3-4 hours
Scenario: Operate with maximum stealth while avoiding detection by security controls and forensic analysis.
Tasks:
- EDR evasion and bypass techniques
- Log manipulation and deletion
- Memory-only operations and fileless attacks
- Process hollowing and injection techniques
- Network traffic obfuscation and encryption
- Anti-analysis and sandbox evasion
Expected Outcomes:
- Advanced evasion techniques implementation
- Anti-forensics measures documentation
- Detection avoidance effectiveness analysis
Exercise 7: Red Team Reporting and Debrief
Objective: Create comprehensive red team reports and conduct debrief sessions.
Duration: 3-4 hours
Scenario: Document all red team activities and provide actionable recommendations to improve security posture.
Tasks:
- Executive summary and business impact analysis
- Technical findings and attack path documentation
- Security control effectiveness evaluation
- Risk assessment and prioritization
- Remediation recommendations and roadmap
- Stakeholder debrief and presentation
Expected Outcomes:
- Comprehensive red team assessment report
- Executive presentation and recommendations
- Security improvement roadmap
🛠️ Lab Tools & Resources
Command and Control Frameworks
- Cobalt Strike: Advanced threat simulation platform
- Empire: PowerShell and Python post-exploitation
- Sliver: Cross-platform implant framework
- Metasploit: Penetration testing framework
- Covenant: .NET command and control framework
- Koadic: Windows post-exploitation framework
Reconnaissance Tools
- Recon-ng: Web reconnaissance framework
- theHarvester: Email and subdomain enumeration
- Sublist3r: Subdomain enumeration tool
- Shodan: Internet-connected device search
- Maltego: Intelligence gathering platform
- SpiderFoot: OSINT automation tool
Evasion and Anti-Forensics
- Veil-Evasion: Payload obfuscation framework
- Shellter: Dynamic shellcode injection
- Hyperion: PE encryption and obfuscation
- AVEvasion: Anti-virus evasion techniques
- Invoke-Obfuscation: PowerShell obfuscation
- PE-Loader: Process injection techniques
📊 Lab Assessment
Attack Success Metrics
Evaluating the effectiveness of red team operations and techniques.
- Initial access success rate
- Privilege escalation achievement
- Lateral movement scope and depth
- Persistence mechanism effectiveness
- Data exfiltration success and stealth
Stealth and Evasion
Assessing the stealth and evasion capabilities demonstrated.
- Detection avoidance effectiveness
- Anti-forensics implementation quality
- Log manipulation and cleanup
- Network traffic obfuscation
- EDR and SIEM evasion techniques
Reporting and Communication
Evaluating the quality of red team documentation and reporting.
- Technical report completeness
- Executive summary clarity
- Risk assessment accuracy
- Recommendation quality and feasibility
- Stakeholder communication effectiveness
🎯 Advanced Challenges
Challenge 1: Zero-Day Exploitation
Develop and deploy zero-day exploits in red team operations.
- Vulnerability research and discovery
- Exploit development and weaponization
- Zero-day deployment and stealth
Challenge 2: Supply Chain Attack
Simulate supply chain attacks and third-party compromise scenarios.
- Third-party vendor assessment
- Supply chain attack simulation
- Trust relationship exploitation
Challenge 3: Adversary Emulation
Emulate specific threat actors and their TTPs (Tactics, Techniques, and Procedures).
- Threat actor research and profiling
- TTP mapping and implementation
- Attribution and behavioral analysis
📋 Lab Deliverables
- Red Team Assessment Report: Comprehensive operation documentation
- Attack Path Analysis: Detailed attack progression and techniques
- Security Control Evaluation: Defensive capability assessment
- Risk Assessment: Business impact and risk prioritization
- Remediation Roadmap: Security improvement recommendations
📚 Additional Resources
- MITRE ATT&CK Framework - Tactics, techniques, and procedures
- Red Team Field Manual - Quick reference for red team operations
- Advanced Persistent Threat - APT emulation and analysis
- Cobalt Strike Documentation - Advanced threat simulation
- Red Team Operations Guide - Comprehensive operation planning