1.
RED
TEAM
DLPLOL
GROUP
POLICY
EDRPENTE
STING COMMUNIC
ATION
STEA
LTH
KERBE
ROS
PHYSICAL
APPSEC
IMP
ACK
ET
COBALT
STRIKE
DESERI
ALIZE
QRSTE
ALTH GRAPHI
C
PRODUC
TION
META
SPLOI
T
rREPO
RTING
AVDERP

2.
RED TEAM
METHODOLOGY
A NAKED LOOK

3.
○ Jason Lang
○ Sr Security Consultant at TrustedSec
○ Red team, trolling, shennanigans
○ Twitter: @curi0usJack
○ Hobbies: woodworking, bee keeping
About

4.
Goals
○ To give you an unrestricted look at one red
teamer’s (consultant) methodology, including
core principals.
○ To foster learning by example (and failure)
○ To drop some handy stuff. :-)

5.
Red Team Target Maturity
Vuln scan
External
pentest
Internal
pentest
Purple
Team(s)
Red team /
ATT&CK
Non-scoped
long term /
AdSims
Patch
Management
Network
Controls /
Admin Rights
Configured
Endpoint
/EDRs
Centralized
Logging
Finely tuned
Alerting and
Response
Threat
Hunting
Thanks @Contra_BlueTeam!

6.
Red Team Target Maturity
Vuln scan
External
pentest
Internal
pentest
Purple
Team(s)
Red team /
ATT&CK
Non-scoped
long term /
AdSims
Patch
Management
Network
Controls /
Admin Rights
Configured
Endpoint
/EDRs
Centralized
Logging
Finely tuned
Alerting and
Response
Threat
Hunting
Thanks @Contra_BlueTeam!

7.
Red Team Key Difference
Ability to slow your roll

8.
Why this talk? I’m already a pro
Because of the 10-20%

9.
Internal
Staying Stealthy
SE
Tips to keep you getting
shellz
Reporting
Lorem ipsum dolor sit
ugh, Microsoft Word
Pre-gig
Initial steps, OSINT, &
Recon
External
Required Reading
Talk Agenda

10.
My Red Team Core Principals
○ Adversary simulation, not emulation.
○ Goal is specific data, trophy systems, or apps. Not DA
(unless DA a trophy, which it shouldn’t be).
○ Emphasize stealth over speed.
○ Active defense should be encouraged, to a point. Goal isn’t
to “win” (either red or blue).
○ Scope should be as open as possible, including physical.
○ There should always be a “tip your hand” moment.

11.
PRE-GIG
aka PRE-FUN

12.
Core Principals: Pre-Gig
○ Steer client towards as open a scope as possible.
○ Clearly define what *can* be done vs what *will* be done.
○ Set an assumed breach target date.
○ Ask for their user password policy, specifically: Lockout
Threshold, Lockout Duration, Lockout Observation Window.

13.
Question
When does a red team engagement start?
Answer: The minute you get the assignment email.

14.
LinkedIn - It’s The Best
○ You should must have a recon
account by now
○ Set a repeating task to add
connections
○ Easy to scrape

15.
LinkedIn - Build It Fast
1. Build a decent profile. Be thorough.
Be sure to add colleges/organization.
2. Click “My Network”
3. Scroll way down to fill the page
4. Run in Browser dev tools
$("[data-control-name*='invite']").each(function(index) { $(this).trigger('click'); })
Thanks @mandreko & @Glitch1101!

16.
Domains
○ Aged for months ahead of time
○ Reusable if possible.
○ clientname-portal.com is not ok. client.health-portal.com is.
○ Careful though, Cert transparency logs….
○ C2 & Phish domains never overlap!
○ Submit domains with PA, BlueCoat, Checkpoint, McAfee
○ Magic categories: Health, Financial, Goverment

17.
Domains
1. Determine the sensitive traffic that must not be decrypted: Best practice
dictates that you decrypt all traffic except that in sensitive categories, such as
Health, Finance, Government, Military and Shopping.
https://blog.paloaltonetworks.com/2018/11/best-practices-enabling-ssl-decryption/
Palo Alto SSL Decryption Best Practices

18.
Passive Recon - How I Do It
○ hardcidr to get external ranges
○ amass with shodan/censys keys (wait for Black Friday)
○ https://crt.sh for cert transparency (crtsh-parse.py)
○ Metadata searching with pymeta
○ Github searching with trufflehog, reposcanner, Google
○ Authenticated LinkedIn scraping for contacts (LinkedInt by
@vysecurity)
○ Dorks for everything else
Tool names in red. All on Github

19.
Favorite Dorks
○ DOMAIN.COM (site:amazonaws.com |
site:blob.core.windows.net | site:digitaloceanspaces.com)
○ DOMAIN.COM (site:pastebin.com | site:paste2.org |
site:paste.bradleygill.com | site:pastie.org | site:dpaste.com)
○ “CLIENT NAME” site:linkedin.com (intitle:”Service Desk” |
intitle:“Desktop Support” | intitle:”Security Engineer” |
intitle:”Help Desk”)

20.
Breach Data
○ Treasure trove of info:
○ Email format
○ Password format
○ New user passwords (group by count)?
○ Good place to start:
○ https://thepiratebay.org/torrent/22590240/Leaked_Databases

21.
EXTERNAL
aka “Find $Microsoft”

22.
Core Principals: External
○ Brute AD from external, and always through a VPN.
○ Do your due diligence, but web app testing usually isn’t the
focus (and quite possibly outside your discipline/expertise).
○ Make liberal use of credential stuffing. It works.

23.
Active Recon - How I Do It
★aquatone for website screen grabs
★dirsearch for HTTP dir-bruting
★nmap for top port tcp/udp sweeps
‣ Proxies may require full TCP connect (-sT)
‣ nmap default UA: Mozilla/5.0 (compatible; Nmap Scripting Engine);
http://nmap.org/book/nse.html
Tool names in red. Blue Stars == Proxy/VPN

24.
initialrecon.py
Because gimme the dataz…
https://git.io/initialrecon
https://git.io/crtshparse
Code:

25.
NTLM Bruting
○ Obvious Sources:
○ Office 365
○ Exchange EWS
○ Skype/Lync
○ Check https://testconnectivity.microsoft.com
○ Less Obvious - ADFS. Troopers 19
○ /adfs/services/trust/2005/windowstransport
○ /adfs/services/trust/13/windowstransport
🔥 Still hawt 🔥

26.
SE
aka “Find Bob”

27.
Core Principals: SE
○ Phishing:
○ 5 addresses max at a time, all bcc’d, with 15 mins between
sends. Send from O365.
○ Links, not attachments.
○ Never a worry from Proofpoint.
○ Lead off with your latest tradecraft and downgrade as you get a
feel for the environment. Don’t abuse your TTPs.
○ Eventually pivot to assumed breach (about 50% way through)

28.
Infr. Automation with Ansible
○ Ansible is an open source platform that automates software
provisioning, config mgmt & app deployement
○ It uses YAML files (.yml) to express gruops of commands
called tasks.
○ All tasks are executed on a target server using SSH +
Python. No agents required!
○ Modules make up the bulk of functionality, allowing a
variety of tasks like copying files, service management, etc

29.
Infr. Automation with Ansible

30.
Ansible - Tasks

31.
Ansible - Modules

32.
Ansible - Arguments

33.
Ansible - Playbooks
Thanks Marcello! https://github.com/byt3bl33d3r/AnsiblePlaybooks

34.
Macros/Attachments
○ Payloads
○ Safe: Modified cactus torch (js + eval() = ftw)
○ Safer: regkey mods only
○ VBA Stomping / EvilClippy
○ https://vbastomp.com/
○ Template Injection
○ http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html

35.
Template Injection

36.
Azure Information Protection (AIP)
○ Leverages O365’s RMS to encrypt Office document to
*specific recipients*
○ Impossible for defenders/sandboxes to evaluate the
attachment without the user’s credentials. muahaha
○ Does not require your target have O365
https://blog.atwork.at/post/2018/02/18/Azure-information-protection-user-experience-with-external-users

37.
Azure Information Protection (AIP)

38.
Azure Information Protection (AIP)

39.
Azure Information Protection (AIP)

40.
Azure Information Protection (AIP)

41.
Azure Information Protection (AIP)
Full guide here: https://www.trustedsec.com/2019/04/next-gen-
phishing-leveraging-azure-information-protection/
DerbyCon 9 Talk: https://youtu.be/EYUp_MNtJIk
Thanks @Oddvarmoe & @jarsnah12!

42.
INTERNAL
aka “Find Sharepoint”

43.
Core Principals: Internal
○ Prioritize: cookies, bookmarks, file shares, SharePoint.
○ Kerberoast single users only, no less than one hour apart (at
minimum). Research before hand.
○ Initial landing callback of 5-30 minutes, depending on engagement
time & sophistication of defenses.
○ Test all commands in your lab before firing live. Duplicate defenses if
possible.

44.
Lab Environment
○ Internal lab is *required*
○ MSDN license
○ Splunk dev license
○ Used Dell R710 (ebay, ~$500)
○ Full AD forest
○ Sysmon/Defender -> Splunk
○ Splunk ThreatHunting App by
@olafhartong

45.
Tools/Tactics
(*) == heavily modified
○ What I almost never use:
○ CrackMapExec, internal bruting, PowerSploit
○ What I sometimes use:
○ Bloodhound, MSF aux mods, mimikatz*, Cobalt Strike*
○ What I always use:
○ proxychains, SOCKS, impacket*, ldapsearch, kerberos
manipulation, /dirkjanm.io/*.*

46.
wmiexec.py

47.
wmiexec.py
Thanks vim!

48.
wmiexec.py
index=windows EventCode=4688
`comment("impacket/wmiexec.py commands")`
(Process_Command_Line=*127.0.0.1* AND (Process_Command_Line="*ADMIN$*"
OR Process_Command_Line="*C$*"))
`comment("impacket/smbexec.py commands")`
OR (Process_Command_Line="*execute.bat*" AND Process_Command_Line=“*Temp__output*")
`comment("impacket/secretsdump.py")`
OR (Creator_Process_Name="*services.exe" AND New_Process_Name="*svchost.exe"
AND Process_Command_Line="*RemoteRegistry")
`comment("impacket/atexec.py")`
OR (Process_Command_Line="cmd*C:WindowsTemp*.tmp 2>&1”)
| table _time host Process_Command_Line
| sort _time desc

49.
Lowpriv - Chrome
○ mimikatz dpapi::chrome /in:%localappdata%googlechromeUser
DataDefault(Cookies | Login Data)

50.
Lowpriv - Chrome
○ If you don’t want to fire mimikatz in the target’s memory:
○ Save off the Cookies/Login Data files
○ Acquire the user’s password
○ Follow steps here for decrypting user DPAPI keys to then
decrypt Chrome files
○ https://www.harmj0y.net/blog/redteaming/operational-guidance-for-
offensive-user-dpapi-abuse/

51.
Persistence & Movement
○ site:hexacorn.com inurl:blog intitle:beyond HKCU
○ COM/DLL Hijacking
○ Procmon is your best friend
○ Use a COM Proxy so you don’t fubar the target
https://adapt-and-attack.com/2019/08/29/proxying-com-for-stable-hijacks/
Thanks @leoloobeek!
○ Blend. In.

52.
Blending In

53.
Blending In

54.
DLL Hijacking

55.
DLL Hijacking

56.
COM Hijacking

57.
COM Hijacking
Thanks @enigma0x3 @bohops!

58.
Hooray free Windows!

59.
REPORTING
aka “Find Bourbon”

60.
Core Principals: Communication/Reporting
○ Status Updates: Use “selective caution” when sharing.
○ Full walkthrough/narrative must be included in the report!
○ Findings: Less in number, better in quality. No SSL v2 nonsense
unless you actually did something with it.
○ Consultants: Offer multiple follow up calls with defense team. These
are *the best*.

61.
Thank
you
DerbyCon!!