What is red team operations?

Red team operations simulate real-world attacks to test and improve an organization's security posture.

What skills are covered in this roadmap?

C2 frameworks, EDR evasion, OPSEC, social engineering, and more.

Who should use this roadmap?

Penetration testers, red teamers, and security professionals.

Red Team Operations Roadmap - RFS Cyber Roadmap

Overview

Red Team Operations represent the pinnacle of security assessment, simulating sophisticated adversaries to test an organization's detection and response capabilities. This advanced track covers the methodologies and techniques used in professional red team engagements.

🔍 Professional Red Team Services

While this guide provides advanced red teaming knowledge, real-world red team operations require extensive expertise and resources. For organizations in Portugal seeking professional red team assessments, Pentesting.pt offers comprehensive red team operations and advanced security testing services.

Learning Objectives

Master Command & Control (C2) framework development and deployment
Develop expertise in Living off the Land techniques
Learn advanced EDR/AV evasion methodologies
Understand social engineering campaign orchestration
Master lateral movement and persistence techniques
Develop operational security (OPSEC) best practices

🎮 Command & Control Frameworks

Cobalt Strike Mastery

Professional red team platform for advanced adversary simulation.

Beacon configuration and customization
Malleable C2 profile development
Advanced post-exploitation modules
Sleep mask and process injection

Custom C2 Development

Building bespoke command and control infrastructure.

C2 protocol design and implementation
Encrypted communication channels
Domain fronting and CDN abuse
C2 redundancy and failover

Open Source C2 Platforms

Leveraging and customizing open source C2 frameworks.

Covenant and Empire frameworks
Sliver C2 platform
Mythic collaborative platform
Framework comparison and selection

🏡 Living off the Land Techniques

LOLBins & LOLBAs

Abusing legitimate binaries and applications for malicious purposes.

PowerShell and WMI abuse
Windows built-in tool exploitation
Registry manipulation techniques
Scheduled task abuse

Fileless Attacks

Memory-only attacks that leave minimal forensic evidence.

In-memory payload execution
PowerShell reflection attacks
Process hollowing techniques
DLL injection methods

Process Injection

Advanced process injection techniques for stealth execution.

DLL injection variations
Process hollowing and doppelgänging
Manual DLL loading
Thread execution hijacking

👻 EDR/AV Evasion

Signature Evasion

Bypassing signature-based detection mechanisms.

Payload encoding and encryption
Polymorphic code generation
String obfuscation techniques
Anti-emulation methods

Behavioral Evasion

Evading behavioral analysis and heuristic detection.

Sleep and timing manipulation
Sandbox detection and evasion
Environment keying techniques
User interaction simulation

EDR Bypass Techniques

Advanced methods for evading Endpoint Detection and Response.

ETW (Event Tracing for Windows) bypass
AMSI (Anti-Malware Scan Interface) evasion
API hooking detection and bypass
Kernel callback evasion

🎣 Social Engineering Campaigns

Phishing Operations

Sophisticated phishing campaign development and execution.

Spear phishing targeting
Credential harvesting pages
Email spoofing and impersonation
Multi-stage phishing campaigns

Pretexting & Vishing

Voice and text-based social engineering techniques.

Phone-based information gathering
Pretext development and execution
Voice changing and spoofing
SMS phishing campaigns

Physical Security

Physical penetration testing and social engineering.

Badge cloning and RFID attacks
Lock picking and bypass
Tailgating and piggybacking
USB drop attacks

🚶 Lateral Movement Techniques

Credential Theft

Advanced credential harvesting and reuse techniques.

LSASS memory dumping
Kerberos ticket extraction
NTDS.dit extraction
Browser credential harvesting

Network Movement

Moving through network segments and trust boundaries.

SMB and WMI lateral movement
PowerShell Remoting abuse
RDP and SSH tunneling
Network pivoting techniques

Trust Relationship Abuse

Exploiting trust relationships for domain movement.

Domain trust enumeration
Forest trust exploitation
Cross-domain attack paths
External trust abuse

🔐 Persistence Mechanisms

Registry Persistence

Windows registry-based persistence techniques.

Run keys and startup folders
Service creation and modification
WMI event subscriptions
COM hijacking techniques

Scheduled Tasks & Services

Leveraging system services for persistent access.

Scheduled task creation
Service binary replacement
Service DLL hijacking
Logon script persistence

Advanced Persistence

Sophisticated persistence mechanisms for long-term access.

Bootkit and rootkit techniques
UEFI persistence
Hypervisor-based persistence
Firmware implant techniques

🔒 Operational Security (OPSEC)

Infrastructure OPSEC

Securing red team infrastructure and maintaining anonymity.

C2 infrastructure isolation
Domain categorization and aging
Traffic redirection and proxying
Infrastructure attribution prevention

Payload OPSEC

Developing operationally secure payloads and tools.

Payload signing and validation
Anti-analysis techniques
Attribution prevention
Forensic counter-measures

Operational OPSEC

Maintaining operational security during engagements.

Communication security
Timeline and activity correlation
Log evasion techniques
Incident response evasion

🧪 Hands-on Lab: Full Red Team Campaign

Objective: Execute a complete red team operation from initial access to persistence.

Duration: 16-20 hours

Skills Practiced: C2 deployment, lateral movement, persistence, OPSEC

Start Lab Exercise

🛠️ Red Team Arsenal

C2 Frameworks

Cobalt Strike: Professional red team platform
Covenant: .NET C2 framework
Empire: PowerShell and Python post-exploitation
Sliver: Open source C2 platform

Evasion Tools

Veil: Payload generation framework
Donut: Shellcode generation tool
ScareCrow: EDR evasion tool
ThreatCheck: AV signature scanner

Post-Exploitation

SharpCollection: C# offensive tools
GhostPack: .NET post-exploitation toolkit
BloodHound: AD attack path analysis
PowerSploit: PowerShell exploitation toolkit

📋 Recommended Resources

Red Team Development and Operations - Comprehensive red team guide
Advanced Penetration Testing - Sophisticated attack techniques
The Hacker Playbook 3 - Red team methodologies
MITRE ATT&CK Framework - Adversary tactics and techniques
Red Team Field Manual - Quick reference guide

🎯 Professional Development

Red Team Certifications

Industry certifications for red team professionals:

✅ CRTO (Certified Red Team Operator)
✅ CRTP (Certified Red Team Professional)
✅ GCIH (GIAC Certified Incident Handler)
✅ GPEN (GIAC Penetration Tester)

RFS Expertise: Senior Red Team experience with specialization in telecommunications and unified communications security.

📈 Learning Progress

Track your red team operations expertise:

Complete the sections above to track your progress

← Back to Roadmap

🎭 Red Team Operations