Red Team Methodology
Cyber Sec Rom's Approach to Red Team Engagements
About
Red Team engagements are an all-out attack on the organization with the aim of compromising critical data assets in the company's network by any means possible. Leveraging the vast threat landscape that a true attacker would have available to them, we imitate the real-world attacks that can hit the organization and perform all the techniques that attackers would employ. By assuming the role of a highly motivated attacker, we demonstrate all the ways that your information security is at risk. Techniques used in a Red Team engagement range from standard phishing attempts aimed at employees and social engineering, to impersonating staff members, to compromising physical security and implanting Command and Control devices within the company's network. The demonstrated impact from a Red Team engagement paints a much larger picture that will aid the organization in the planning, development, and prioritization of future information security initiatives.
Only a handful of people inside the organization are aware of the engagement. A C-suite executive or a high-ranking manager of the company should be in constant communication with the Red Team. Any issues or alerts should be addressed immediately.
The rules of engagement are predefined before the start of the engagement.
Frameworks
Red Team Engagements follow the best practices and methodologies from industry standards:
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
Penetration Testing Execution Standard (PTES)
The Open-Source Security Testing Methodology Manual (OSSTMM)
Open Web Application Security Project (OWASP)
Phases
Red Team engagements follow a methodology that consists of two phases:
Breaching the perimeter
  Reconnaissance & Exploitation
  Phishing
Assume Breach
  Reconnaissance & Local Privilege Escalation & Lateral Movement & Data Exfiltration
Breaching the perimeter
This phase can be split into three different stages:
Reconnaissance
In this phase we use passive and active methods to retrieve as much information as possible about the company. We map the internet exposure of the target:
Subdomains that are known to belong to the company
Recent mergers and acquisitions
Technologies used by the company (Microsoft, Google, AWS, Salesforce, etc.)
Running services and technologies
Internet-exposed web applications (off-the-shelf, custom-built)
Usernames and email addresses from publicly available sources (LinkedIn, Social media)
Leveraging Threat Intelligence to gather information from online sources, data dumps, password leaks from the Dark Web.
Exploitation
We will try to exploit any vulnerabilities that we find. The main goal is to get access to the internal organization and/or the internal network. Among the actions performed in this phase:
Validating credentials gathered in the Reconnaissance phase
Password spraying and brute-forcing attacks against the accounts discovered and validated. These attacks are performed against services including, but not limited to, SSH, RDP, VPN, VDI and OWA
Web application testing
Identify and exploit vulnerabilities that can be used in client-side attacks
Identify and exploit vulnerabilities that can lead to remote code execution on the server
Service Exploitation
Identify and exploit any service that is running on one of the subdomains or domains of the company. Among the activities performed:
Testing for known credentials
Brute-forcing/password spraying against login forms
Identify and exploit vulnerable services
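The password spraying and brute-forcing attempts listed above are exactly what a SOC should be able to spot during the engagement. As an added defender-side example (not the page's or Cyber Sec Rom's own code), the detector below separates the two patterns in authentication logs: a spray is one source failing against many accounts with only one or two attempts each (which per-account lockout never triggers on), while brute force is many failures against a single account. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page). Assumed format:
# "<timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2024-01-10T08:00:01 src=203.0.113.7 user=alice result=fail
2024-01-10T08:00:05 src=203.0.113.7 user=bob result=fail
2024-01-10T08:00:09 src=203.0.113.7 user=carol result=fail
2024-01-10T08:00:13 src=203.0.113.7 user=dave result=fail
2024-01-10T08:00:17 src=203.0.113.7 user=erin result=ok
2024-01-10T08:01:00 src=198.51.100.4 user=alice result=fail
2024-01-10T08:01:04 src=198.51.100.4 user=alice result=fail
2024-01-10T08:01:08 src=198.51.100.4 user=alice result=fail
2024-01-10T08:01:12 src=198.51.100.4 user=alice result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")


def _failures_by_source(log_text):
    """Return {source_ip: {account: failure_count}} from the log text."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "fail":
            fails[m.group(1)][m.group(2)] += 1
    return fails


def detect_password_spray(log_text, min_users=4, max_per_user=2):
    """Sources that failed against many distinct accounts, few tries each.
    Low per-account counts are the point: lockout thresholds never fire."""
    suspects = {}
    for src, per_user in _failures_by_source(log_text).items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            suspects[src] = sorted(per_user)
    return suspects


def detect_brute_force(log_text, min_fails=3):
    """(source, account) pairs with many failures against one account."""
    return {(src, user): n
            for src, per_user in _failures_by_source(log_text).items()
            for user, n in per_user.items() if n >= min_fails}
```

In both cases the successful login that follows the failures is the line worth escalating, since it marks a credential the Red Team just validated.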
Phishing
The main goal of this phase is to obtain users' credentials and gain access to employees' workstations. Possible phishing scenarios that can be performed:
Malicious Macro – In this scenario a malicious document is carefully chosen and obfuscated to bypass security solutions such as Antivirus and EDR. The payload's purpose is to connect back to the Red Team's command and control server (C2) and to obtain a reverse shell.
Password Gathering – In this scenario an email is sent to the employee containing a link to a page with a login form. The user must enter his/her credentials to access the information mentioned in the email. Once the username and password are entered, the user is redirected to a predefined page. Meanwhile, the credentials are captured by the Red Team.
This scenario is also valid for companies that employ multi-factor authentication (some limitations apply depending on the type of MFA implementation).
Drive-By-Download – In this scenario an email is sent to the employee. The email contains a link to a website that, once accessed, forces a file download on the employee's computer. The file contains a malicious link that eventually leads to a reverse shell.
NOTE: Phishing scenarios require pre-planning.
In order to bypass some of the spam and security measures implemented by the targeted company, domains should be purchased before the engagement starts. These should have a good reputation and be known to the top security product vendors.
Email templates can mimic the company's own emails, a partner, known vendor solutions or outside companies. The email can be personalized depending on the pretext and scope of the campaign.
Assume Breach – Post Compromise
The scope of this assessment is to perform actions inside the company network without being detected. The end goal can differ for each engagement: obtain domain administrator privileges (full network compromise), move laterally, or exfiltrate data.
With access to the internal network, it may be possible to perform the following actions:
Reconnaissance
Identify critical servers such as file servers, domain controllers, etc.
Identify applications that the compromised user has (email, internal applications)
Local Privilege escalation
Starting with a low-privileged user, exploit misconfigurations or vulnerabilities and escalate privileges to administrator or SYSTEM.
Attempt to Bypass AV
Attempt to Bypass EDR
Lateral movement
Network level
Dump credentials found on the workstation and move laterally to other machines
Social Engineering level
Send emails from the compromised user to other key employees inside the organization. The email contains a malicious document or a link to a credential-capture website.
Engage users on internal communication channels (Zoom, Slack, Teams, etc.), the end goal being to compromise their accounts.
Data exfiltration
In this phase, files and documents are encrypted and sent outside the company. Different exfiltration channels can be used, such as DNS queries, HTTP traffic, ICMP, etc.
Possible exfiltrated data:
Customer PII and credit card information
Source Code repositories
Stock market analytics
Other information that might seem valuable to the company
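Of the exfiltration channels named above, DNS is the one most often left unmonitored, so a useful outcome of the engagement is checking whether the SOC can see it. As an added defender-side example (not the page's or Cyber Sec Rom's own code), the detector below scores each query's leftmost label by length and Shannon entropy and flags a client that sends many such labels to one registered domain. The DNS log format and sample lines are constructed for this example; the two-label "registered domain" rule is a simplification (no public suffix list).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the page). Assumed format:
# "<timestamp> client=<ip> qname=<queried name>"
# The long labels on 10.0.0.9 are constructed base64-looking chunks.
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:00 client=10.0.0.5 qname=www.example.com
2024-01-10T09:00:01 client=10.0.0.5 qname=static-content-cdn.example.com
2024-01-10T09:00:02 client=10.0.0.9 qname=SGVsbG8gV29ybGQh.t1.tunnel-example.net
2024-01-10T09:00:02 client=10.0.0.9 qname=Q3VzdG9tZXIgUElJ.t2.tunnel-example.net
2024-01-10T09:00:03 client=10.0.0.9 qname=LCBhY2N0IDEyMzQ1.t3.tunnel-example.net
2024-01-10T09:00:03 client=10.0.0.9 qname=Njc4OSwgc2VjcmV0.t4.tunnel-example.net
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+)")


def shannon_entropy(s):
    """Bits per character; encoded data sits near the alphabet's maximum."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Simplified: the last two labels (no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_exfil(log_text, min_queries=3, min_label_len=12, min_entropy=3.0):
    """{(client, domain): count} for clients sending many long, high-entropy
    leftmost labels to one domain. The volume threshold is what keeps a single
    random-looking CDN hostname (see 10.0.0.5 above) from being flagged."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[(client, registered_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}
```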
Advantages
Red Team engagements offer a wide array of advantages for both the external and the internal approach:
External
Assess the responsiveness of the SOC in place
Verify security measures implemented by the organization for its external assets
Assess internet facing web applications
Assess employee awareness on phishing emails
Assess email protection employed by the company
Internal
Assess the responsiveness of the SOC in place
Verify EDR and AV protection
Assess AD policy implementation and configuration
Test for open shares and sensitive files on the servers
Test employee awareness on internal attacks and social engineering
Assess mitigation in place against data exfiltration
Reporting
At the end of the assessment a report will be handed to the company representative describing:
Detailed and timestamped walkthrough of the Red Team engagement
Relevant information gathered about the company in the external reconnaissance phase
List of compromised accounts or leaks relevant to the company
List of vulnerabilities present on the internet-exposed services and web applications
Relevant information collected in the internal reconnaissance phase
All the steps performed inside the organization
Data that was exfiltrated as a POC (Proof of Concept)
Path to Domain Admin