Chapter 17 Quiz: Red Team Operations
Test your knowledge of adversary simulation, red team frameworks, C2 infrastructure, and operational security.
Questions
1. A red team is conducting an assumed breach engagement. What does "assumed breach" mean in this context?
- A) The red team is permitted to physically break into the building
- B) The engagement starts with a foothold already established inside the network, simulating a scenario where initial compromise has already occurred
- C) The red team assumes all vulnerabilities have been patched and tests only physical controls
- D) The blue team assumes the red team will breach the perimeter and prepares in advance
Answer
B — The engagement starts with a foothold already established inside the network, simulating a scenario where initial compromise has already occurred
In an assumed breach engagement, the red team is granted a pre-positioned implant, credentials, or workstation access to skip initial compromise and focus on lateral movement, privilege escalation, and detection evasion. This model efficiently tests post-breach detection and response capabilities without spending weeks on perimeter exploitation.
2. Which C2 framework is developed and maintained by Raphael Mudge and is widely used in both red team engagements and by real-world threat actors such as APT groups?
- A) Brute Ratel C4
- B) Cobalt Strike
- C) Sliver
- D) Empire
Answer
B — Cobalt Strike
Cobalt Strike, developed by Raphael Mudge (later acquired by Fortra), is the industry-standard commercial C2 framework used in red team operations. Its Beacon payload and malleable C2 profiles have also been abused by threat actors including APT29 and various ransomware groups, making Cobalt Strike beacon artifacts a key detection target in real SOC environments.
3. TIBER-EU is a framework developed by the European Central Bank. What type of testing does it specifically govern?
- A) Vulnerability scanning of public-facing web applications
- B) Threat-intelligence-led red team testing of financial sector entities
- C) Compliance auditing of cloud service providers
- D) Insider threat simulation exercises for banking staff
Answer
B — Threat-intelligence-led red team testing of financial sector entities
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) provides a European framework for conducting intelligence-led red team tests against financial institutions. It mandates that red team TTPs be derived from a formal Targeted Threat Intelligence report that maps real threat actors likely to target the specific institution, making it distinct from generic red team engagements.
4. During red team OPSEC planning, which of the following best describes the purpose of "categorizing operational assets" before an engagement?
- A) Counting tools available for exploitation
- B) Classifying infrastructure, identities, and tradecraft so that loss or compromise of any single asset does not expose the entire operation
- C) Documenting all findings before the engagement begins
- D) Assigning CVSS scores to target vulnerabilities
Answer
B — Classifying infrastructure, identities, and tradecraft so that loss or compromise of any single asset does not expose the entire operation
Red team OPSEC requires compartmentalizing operational assets — C2 servers, redirectors, personas, and tooling — so that if the blue team detects and burns one asset, they cannot pivot to identify the full operation. This mirrors the OPSEC principles used by real APT groups to maintain persistence while under investigation.
5. A red team operator uses a DNS C2 channel where beacon communications are encoded in TXT record queries. What is the primary defensive detection technique for this technique?
- A) Blocking all DNS resolution at the firewall
- B) Monitoring for anomalously high DNS query volume, long/random subdomains, or TXT record queries from workstations to external resolvers
- C) Deploying a WAF in front of DNS servers
- D) Enabling DNSSEC on all internal zones
Answer
B — Monitoring for anomalously high DNS query volume, long/random subdomains, or TXT record queries from workstations to external resolvers
DNS C2 (DNS tunneling) is detected by analyzing DNS query patterns: unusually long subdomain labels (encoded data), high query frequency to a single domain, use of TXT/NULL record types, or queries that bypass the internal resolver and go straight to external servers. Zeek dns.log analysis and Elastic's DNS anomaly detection rules are commonly used for this.
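As an added example (not part of the quiz or its referenced chapter), the script below applies the three heuristics named above to DNS log records. It assumes records shaped like a simplified Zeek dns.log triple (client IP, query name, query type), treats the last two labels as the registered domain (a real deployment should use a public-suffix list), and uses illustrative thresholds that are assumptions, not tuned values; the sample telemetry is constructed inline.

```python
"""Heuristic DNS-tunnelling triage over constructed DNS log records."""
import hashlib
import math
from collections import defaultdict

# Illustrative thresholds (assumptions, not tuned production values).
MIN_QUERIES = 20        # volume to one registered domain before a group is scored
LONG_LABEL = 30         # ordinary hostnames are far shorter than this
ENTROPY_MIN = 3.0       # bits per char; encoded data is more random than hostnames
SUSPECT_QTYPES = {"TXT", "NULL"}
TXT_RATIO_MIN = 0.5


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (registered_domain, subdomain). Assumes the registered domain is
    the last two labels; production code should consult a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_dns(records):
    """Group (client, registered domain) pairs and flag those with enough volume
    that show at least two of: long labels, high-entropy subdomains, TXT/NULL use.
    records: iterable of (client_ip, query_name, qtype)."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        domain, sub = split_query(qname)
        groups[(client, domain)].append((sub, qtype.upper()))

    flagged = {}
    for key, items in groups.items():
        if len(items) < MIN_QUERIES:
            continue
        longest = max(len(lbl) for sub, _ in items for lbl in sub.split("."))
        entropy = sum(shannon_entropy(sub.replace(".", "")) for sub, _ in items) / len(items)
        txt_ratio = sum(q in SUSPECT_QTYPES for _, q in items) / len(items)
        indicators = [
            ("long_label", longest >= LONG_LABEL),
            ("high_entropy", entropy >= ENTROPY_MIN),
            ("txt_null_queries", txt_ratio >= TXT_RATIO_MIN),
        ]
        hits = [name for name, ok in indicators if ok]
        if len(hits) >= 2:
            flagged[key] = {"queries": len(items), "longest_label": longest,
                            "entropy": round(entropy, 2), "txt_ratio": txt_ratio,
                            "hits": hits}
    return flagged


def build_sample_records():
    """Constructed telemetry (not real data): a quiet workstation, a busy but
    benign host, and a host whose TXT queries carry 40-hex-char labels."""
    recs = [("10.0.0.5", "www.example.com", "A"),
            ("10.0.0.5", "mail.example.com", "A"),
            ("10.0.0.5", "cdn.example.net", "AAAA")]
    # Busy but benign: many lookups of one short hostname, no TXT records.
    recs += [("10.0.0.7", "www.example.com", "A")] * 40
    # Tunnel-like: sha256 of a counter stands in for encoded beacon data.
    for i in range(32):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        recs.append(("10.0.0.9", f"{label}.t.c2-example.test", "TXT"))
    return recs


if __name__ == "__main__":
    for (client, domain), info in score_dns(build_sample_records()).items():
        print(f"{client} -> {domain}: {info}")
```

The two-of-three rule matters: a busy host that hammers one short hostname trips the volume gate but none of the content indicators, while TXT-heavy traffic with long, high-entropy labels is flagged even if one heuristic is tuned away. Feeding real Zeek dns.log output means mapping its `id.orig_h`, `query` and `qtype_name` fields onto the triple this script expects.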
6. What is the key purpose of "deconfliction" during a red team engagement running concurrently with a real SOC?
- A) Ensuring the red team uses the same tools as real threat actors
- B) A process by which the SOC can verify whether an alert was generated by the red team or a real threat actor, without compromising the engagement's stealth
- C) Removing false positive alerts from the SIEM before reporting
- D) The process of formally ending the red team engagement
Answer
B — A process by which the SOC can verify whether an alert was generated by the red team or a real threat actor, without compromising the engagement's stealth
Deconfliction is a confidential channel (typically through a trusted white cell/control cell) that allows the blue team to confirm whether a specific indicator belongs to the red team without tipping off the wider SOC. This prevents incident responders from inadvertently standing down on a real threat because they mistook it for red team activity.
7. A red team operator wants to establish persistence on a Windows host using a technique that survives reboots and blends with legitimate Windows functionality. Which technique is MOST consistent with APT tradecraft?
- A) Adding the payload to the Desktop autorun folder
- B) Registering a malicious DLL as a Windows service using `sc.exe create`
- C) Modifying `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with a living-off-the-land binary (LOLBin) that loads an in-memory payload
- D) Creating a scheduled task that runs at user logon using `schtasks /create`
Answer
C — Modifying HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a living-off-the-land binary (LOLBin) that loads an in-memory payload
While all options could provide persistence, APT tradecraft favors using legitimate Windows binaries (mshta, regsvr32, wscript, rundll32) to execute payloads, minimizing new binary drops that trigger AV/EDR. HKCU Run key modifications require only user-level privileges and do not generate high-noise service creation events, making this the most evasive option among the choices.
8. In a red team report, which section documents the specific detection gaps discovered — for example, that a Kerberoasting attack generated no alerts in the SIEM?
- A) Executive Summary
- B) Attack Narrative
- C) Detection Findings / Purple Team Observations
- D) Scope and Rules of Engagement
Answer
C — Detection Findings / Purple Team Observations
The Detection Findings section maps red team actions to blue team visibility, documenting which TTPs were executed, what logs should have fired, and whether they actually produced alerts. This section drives the most actionable improvements — tuning SIEM rules, deploying new data sources — and is the primary output used in purple team follow-up exercises.
9. Brute Ratel C4 (BRC4) differs from Cobalt Strike in which significant way relevant to red team operations?
- A) BRC4 is free and open-source
- B) BRC4 was designed from the ground up to evade EDR behavioral detections, including unhooking user-mode API hooks and direct syscalls
- C) BRC4 only supports Linux implants
- D) BRC4 uses HTTP exclusively for C2 communication
Answer
B — BRC4 was designed from the ground up to evade EDR behavioral detections, including unhooking user-mode API hooks and direct syscalls
Developed by ex-red teamer Chetan Nayak, Brute Ratel C4 was explicitly built with EDR evasion as a design goal — implementing direct syscalls, process injection techniques that bypass user-mode hooks, and OPSEC-safe process handling. Its detection-evasive design made it highly attractive to threat actors, and it was observed being abused by nation-state groups within months of release.
10. Which phase of the red team lifecycle involves analyzing the target's business processes, identifying crown jewels, and defining the specific objectives (flags) the team will attempt to achieve?
- A) Initial access
- B) Pre-engagement planning and objective setting
- C) Lateral movement
- D) Persistence establishment
Answer
B — Pre-engagement planning and objective setting
Before any technical action, a red team engagement requires defining the "crown jewels" — the high-value assets that real adversaries would target (domain admin credentials, financial data, source code repositories) — and translating these into measurable flags. This objective-based framing is what distinguishes a red team from a pentest and ensures the engagement simulates realistic threat actor goals.
Scoring
| Score | Performance |
|---|---|
| 9–10 | Expert — Red team operations concepts fully internalized |
| 7–8 | Proficient — Ready to participate in or manage red team engagements |
| 5–6 | Developing — Review Chapter 17 C2 frameworks and OPSEC sections |
| <5 | Foundational — Re-read Chapter 17 before proceeding |