Red Team Operations
Advanced adversary simulation techniques that go beyond traditional penetration testing. Red team engagements focus on realistic attack scenarios, detection evasion, and testing organizational resilience against sophisticated threats.
Advanced Material: Red team operations are high-risk activities requiring senior-level authorization and coordination with blue teams. Techniques here can cause significant harm if misused.
```mermaid
flowchart TD
    A[Red Team Operations] --> B[C2 Frameworks]
    A --> C[Initial Access]
    A --> D[Defense Evasion]
    A --> E[OPSEC]
    A --> F[Tradecraft]
    B --> B1[Sliver / Havoc / Mythic]
    C --> C1[Phishing / Smuggling]
    D --> D1[AMSI / EDR Bypass]
    E --> E1[IOC Management]
    F --> F1[Lateral Movement]
    style A fill:#ff6b6b,stroke:#000,color:#000
    style B fill:#a855f7,stroke:#000,color:#000
    style C fill:#a855f7,stroke:#000,color:#000
    style D fill:#a855f7,stroke:#000,color:#000
    style E fill:#a855f7,stroke:#000,color:#000
    style F fill:#a855f7,stroke:#000,color:#000
```
Red Team Techniques
🎯 C2 Frameworks: Command and control infrastructure setup, beacon operations, and C2 channel management. (Sliver, Havoc, Mythic, Cobalt Strike)

🚪 Initial Access: Phishing, payload delivery, HTML smuggling, and modern initial access techniques. (Phishing, HTML Smuggling, ISO Delivery, Macros)

🛡️ Defense Evasion: AMSI bypass, EDR evasion, syscalls, unhooking, and sleep obfuscation techniques. (AMSI, ETW, Syscalls, EDR Bypass)

🔒 Operational Security: IOC management, artifact cleanup, traffic blending, and attribution avoidance. (IOC Management, Log Evasion, Timestomping, Cleanup)

⚔️ Tradecraft: Credential harvesting, lateral movement, domain escalation, and achieving objectives. (Credentials, Lateral Movement, Pivoting, Domain Admin)
Red Team vs Pentest
| Aspect | Penetration Test | Red Team |
|---|---|---|
| Objective | Find vulnerabilities | Test detection & response |
| Scope | Defined systems | Goal-based (crown jewels) |
| Duration | 1-3 weeks | 2-6 months |
| Detection | Often ignored | Must evade |
| Awareness | IT team knows | Limited awareness |
Quick Reference
| Topic | Key Tools | Focus Area |
|---|---|---|
| C2 Frameworks | Sliver, Havoc, Mythic | Beacon ops, listeners, infrastructure |
| Initial Access | GoPhish, HTML smuggling | Phishing, payload delivery |
| Evasion | Syscalls, unhooking | AMSI, ETW, EDR bypass |
| OPSEC | Traffic analysis, timestomp | Artifact cleanup, attribution |
| Tradecraft | Rubeus, Mimikatz, WMI | Creds, lateral movement, pivoting |