Red Team Operation Process
sindadsec.ir
• Planning: use threat intelligence to select a suitable APT and derive its TTPs.
• Execution (automated): use an emulation platform such as Atomic Red Team (ART) or Caldera; both need customization and mastery of MITRE ATT&CK.
• Execution (manual): emulate the TTPs by hand where automation does not cover them.
• Culmination: breach and deep penetration.
• Reporting: once the emulation is complete, compile a report.
Methodology for Red Teaming
Cyber Kill Chain
MITRE ATT&CK
Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Pyramid Of Pain
ATT&CK Techniques
Why are TTPs so important?
Focus on TTPs: an APT can change everything else, but in most operations they keep the same procedures, and EDR can detect them. Examples: APT1, Conti.
IOC vs IOA
• Indicator of Compromise (IOC): hash, IP, domain, network and host artifacts, tools
• Indicator of Attack (IOA)
Resource Development [TA0042]
• Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting.
➢ VPS
➢ Domain
➢ Mail server configuration
➢ Bring CVEs and weaponization from Recon
➢ Prepare FUD payloads & exploits
Initial Access [TA0001]
• Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network.
Tools:
➢ Aircrack-ng
➢ Luckystrike
➢ WiFi-Pumpkin
➢ Gophish
➢ sqlmap
➢ King Phisher
➢ Bash Bunny
Execution [TA0002]
• Execution consists of techniques that result in adversary-controlled code running on a local or remote system.
Tools:
➢ Macro
Persistence [TA0003]
• Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Tools:
➢ C2
➢ Rootkit
➢ pwncat
Privilege Escalation [TA0004]
✓ SYSTEM/root level
✓ local administrator
✓ a user account with admin-like access
✓ user accounts with access to specific systems or that perform a specific function
✓ These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
Tools:
➢ Rubeus
➢ UACMe
➢ SharpUp
Defense Evasion [TA0005]
• Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.
Tools:
➢ Meterpreter
➢ ProxyChains
➢ Invoke-Obfuscation
➢ Veil
Credential Access [TA0006]
• Credential Access consists of techniques for stealing credentials such as account names and passwords.
Tools:
➢ Mimikatz
➢ Hashcat
➢ Responder
➢ Cain & Abel
➢ John the Ripper
➢ THC Hydra
➢ LaZagne
Discovery [TA0007]
• Discovery consists of techniques an adversary may use to gain knowledge about the system and the internal network.
Tools:
➢ BloodHound
➢ Seatbelt
➢ Kismet
➢ ADRecon
Lateral Movement [TA0008]
• Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it.
Tools:
➢ Mimikatz
➢ PsExec
➢ WMIOps
➢ CrackMapExec
Collection [TA0009]
• Collection consists of techniques adversaries may use to gather information, and the sources of that information, relevant to following through on the adversary's objectives.
Tools:
➢ PowerSploit
➢ PowerUpSQL
Command and Control [TA0011]
• Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network.
Tools:
➢ Cobalt Strike
➢ Metasploit
➢ SILENTTRINITY
➢ Koadic
➢ PoshC2
➢ Empire
➢ Pupy
➢ Quasar
➢ Covenant
Exfiltration [TA0010]
• Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they have collected data, adversaries often package it to avoid detection while removing it.
Tools:
➢ dnscat2
➢ CloakifyFactory
➢ Powershell-RAT
Impact [TA0040]
• The adversary is trying to manipulate, interrupt, or destroy your systems and data.
Tools:
➢ Slowloris
➢ LOIC (Low Orbit Ion Cannon)
➢ Ransomware
➢ Wiper