Page cover

Red Team Operation 101

Introduction

Red Teaming is the art of thinking like an attacker to test an organization’s security. It’s not just about “hacking stuff” — it’s about using realistic techniques, stealth, and strategy to uncover weaknesses that often go unnoticed. From reconnaissance to exploitation and post-exploitation, the goal is clear: demonstrate real-world impact, not just identify vulnerabilities.

While penetration testing is tactical and vulnerability-focused, Red Teaming is strategic and behavior-focused. It's less about finding every flaw, and more about showing how a real adversary could achieve their objectives.

Objectives

  • Detect Gaps – Test how well security tools and teams detect malicious activity across the attack chain.

  • Assess Response – Measure how quickly and effectively teams react to simulated threats.

  • Validate Controls – Verify if security controls in production work as expected under real attack scenarios.

  • Show Impact – Translate technical findings into real business risks like data theft or service disruption.

Beneficts

  • Threat-Informed Defense – Align detection and response with real attacker behavior using frameworks like MITRE ATT&CK.

  • Resilience Testing – Evaluate how well people, processes, and technology withstand complex, multi-vector attacks.

  • Executive Insights – Convert technical results into clear risk stories for leadership and investment decisions.

  • Purple Team Enablement – Foster collaboration between Red and Blue Teams to boost security capabilities faster.

Metrics

Metric
What it Measures

Mean Time to Detect (MTTD)

Speed of identifying malicious activity

Mean Time to Respond (MTTR)

Speed of containing and remediating threats

Detection Coverage

Percentage of the attack that was detected or blocked

Response Accuracy

Accuracy and timeliness of defensive actions

Planning Phases

Behind every successful Red Team engagement is a well-planned operation that mirrors real-world adversary behavior. Here's a breakdown of the key planning phases and what happens in each:

Threat Modeling and Intelligence Gathering

It all starts with understanding who you’re emulating. This phase focuses on selecting a realistic threat actor based on threat intelligence (e.g., MITRE ATT&CK), industry-specific risks, and the organization’s critical assets. The goal is to map out relevant TTPs, initial access vectors, and likely attack paths.

Defining Objective & Goals

Next, the team outlines clear and measurable goals. These span:

  • Technical goals like gaining domain admin or exfiltrating data

  • Tactical objectives such as bypassing EDR or maintaining persistence

  • Strategic goals tied to business impact, like simulating a breach response Everything must align with the bigger picture: demonstrating risk in a meaningful, traceable way.

Infrastructure & OPSEC Planning

Before launching anything, the Red Team sets up its infrastructure—C2 servers, redirectors, and safe staging environments. They also implement OPSEC controls to remain stealthy. This can include domain aging, TLS certificate cloning, or blending traffic patterns to avoid detection. Think of this as building your attack platform without triggering any alarms.

Tooling & Payload Development

With the infrastructure in place, it’s time to prepare tooling that matches the selected threat actor. This can involve phishing payloads, custom implants, loaders, or evasion techniques like DLL sideloading or AMSI bypass. All payloads must be tested and refined to ensure functionality and safety in the target environment.

Logistics & Coordination

Even covert ops need structure. This phase involves syncing with the White Team for emergency contacts and deconfliction, aligning timelines with internal stakeholders, and ensuring legal/compliance sign-off. Documentation checkpoints are also established to keep everything accountable and reviewable before launch.

Red Team Execution Stages

A Red Team operation is more than just “getting in.” It’s a full-cycle exercise that emulates real adversary behavior from the first scan to demonstrating meaningful business risk. Below is a breakdown of each stage, including goals, common techniques, and key considerations for stealth, control, and safety.

Stage
Goal
Key Tools/Techniques

Reconnaissance

Map external footprint

OSINT, Nmap, Masscan, DNSRecon, Aquatone

Initial Access

Establish foothold

Phishing, HTML smuggling, CVEs, payload obfuscation

Post-Exploitation

Understand internal environment

PowerView, BloodHound, Mimikatz, Seatbelt

Lateral Movement & Persistence

Expand access / maintain presence

PsExec, RDP, WMI, Run Keys, Service Hijacking

Actions on Objectives

Demonstrate real-world risk

Fake data exfil, ransomware simulation, privilege abuse

Stage 1: Reconnaissance (Passive & Active)

Objective: Map the external footprint and gather actionable intelligence without alerting the target

Type
Techniques
Targets

Pasive

WHOIS, DNS records, certificate transparency, LinkedIn scraping, GitHub, OSINT tools (e.g., SpiderFoot, theHarvester)

Domains, subdomains, email addresses, public assets

Active

Nmap, Masscan, DNSRecon, Aquatone, HTTP probing

IP ranges, open ports, exposed services

Focus on collecting information about employee structures, third-party services, outdated systems, and anything externally facing.

Stage 2: Initial Access

Objective: Establish a foothold in the target environment by emulating TTPs used by real-world threat actors

Common Initial Access Methods:

  • Phishing – Spear phishing, payload droppers, link-based lures

  • HTML Smuggling / Malicious Docs – Embedded VBA, macro-enabled docs, CVE-based exploits

  • Valid Accounts – Credential stuffing, leaked credentials, password spraying

  • Exploiting Services – VPNs, web apps with RCE, misconfigurations

Payload Requeriments:

Aspect
Details

Evasion

Obfuscated payloads, sandbox-aware, EDR-aware

Delivery

Via phishing, downloaders, or staged droppers

C2 Integration

Secure and covert communication (e.g., HTTPS, domain fronting)

OPSEC is critical. Avoid triggers like MOTW (Mark of the Web), suspicious API calls, or known bad hashes.

Stage 3: Post-Exploitation

Objective: Explore, expand, and understand the internal environment — all while remaining undetected.

Core Activities:

Category
Tactics & Tools

Enumeration

Network shares, user/group info, domain trust mapping (PowerView, SharpHound)

Credential Access

LSASS dumping, token theft, DPAPI abuse (Mimikatz, Rubeus)

Privilege Escalation

UAC bypass, vulnerable services, unquoted paths, token impersonation (Seatbelt, WinPEAS)

Stealth Tips:

  • Use reflective or in-memory loaders

  • Rotate tools and TTPs to avoid signature-based detections

  • Space out actions to simulate human timing

Always validate that access is meaningful (e.g., access to sensitive files, AD structure, production systems).

Stage 4: Lateral Movement & Persistence

Objective: Expand control and maintain access, mimicking an attacker’s long-term campaign behavior.

Lateral Movement Techniques:

  • SMB (PsExec, WMIExec)

  • RDP, WinRM, Scheduled Tasks

  • Abusing GPOs or remote service creation

Persistence Techniques:

  • Registry run keys, scheduled tasks, startup folders

  • Service hijacking or DLL search order hijacking

  • C2 beaconing without modifying disk (if persistence is out of scope)

High-Impact TTPs:

Technique
Purpose

DCSync

Extract domain hashes by mimicking a domain controller

Kerberoasting

Crack service account credentials offline

AS-REP Roasting

Target accounts not requiring pre-authentication

Always stay within the Rules of Engagement. If persistence is not allowed, simulate presence via memory-only implants.

Stage 5: Actions on Objectives

Objective: Show the business impact of an attack — without causing real harm.

Common Simulated Impacts:

Activity
Purpose

Accessing sensitive shares/databases

Prove data exposure

Exfiltrating decoy data

Test DLP and monitoring effectiveness

Pivoting to production environments

Show depth of compromise

Simulated ransomware deployment

Test incident response, without encrypting real files

Safety Considerations:

  • Use clearly labeled decoy data

  • Avoid real data manipulation unless explicitly permitted

  • Provide detailed logs and proof-of-concept artifacts to demonstrate impact without disruption

Glossary

  • TTPs (Tactics, Techniques and Procedures): A structured way to describe how an attacker operates, including what they do (tactics), how they do it (techniques), and the operational details (procedures).

PreviousCyber Threat Intelligence 101NextPython Offensive Security 101

Last updated