Red Team

Red Team Operations

Advanced adversary simulation techniques that go beyond traditional penetration testing. Red team engagements focus on realistic attack scenarios, detection evasion, and testing organizational resilience against sophisticated threats.

Advanced Material

Red team operations are high-risk activities requiring senior-level authorization and coordination with blue teams. Techniques here can cause significant harm if misused.
flowchart TD A[Red Team Operations] --> B[C2 Frameworks] A --> C[Initial Access] A --> D[Defense Evasion] A --> E[OPSEC] A --> F[Tradecraft] B --> B1[Sliver / Havoc / Mythic] C --> C1[Phishing / Smuggling] D --> D1[AMSI / EDR Bypass] E --> E1[IOC Management] F --> F1[Lateral Movement] style A fill:#ff6b6b,stroke:#000,color:#000 style B fill:#a855f7,stroke:#000,color:#000 style C fill:#a855f7,stroke:#000,color:#000 style D fill:#a855f7,stroke:#000,color:#000 style E fill:#a855f7,stroke:#000,color:#000 style F fill:#a855f7,stroke:#000,color:#000

Red Team Techniques

🎯

C2 Frameworks

Command and control infrastructure setup, beacon operations, and C2 channel management.

Sliver Havoc Mythic Cobalt Strike
🚪

Initial Access

Phishing, payload delivery, HTML smuggling, and modern initial access techniques.

Phishing HTML Smuggling ISO Delivery Macros
🛡️

Defense Evasion

AMSI bypass, EDR evasion, syscalls, unhooking, and sleep obfuscation techniques.

AMSI ETW Syscalls EDR Bypass
🔒

Operational Security

IOC management, artifact cleanup, traffic blending, and attribution avoidance.

IOC Mgmt Log Evasion Timestomping Cleanup
⚔️

Tradecraft

Credential harvesting, lateral movement, domain escalation, and achieving objectives.

Credentials Lateral Move Pivoting Domain Admin
🛡️

EDR Bypass

Per-EDR analysis, userland unhooking, direct/indirect syscalls, BYOVD, ETW blinding, and kernel callback removal.

Syscalls Unhooking BYOVD ETW Blind
⚙️

Payload Development

Custom shellcode loaders in Nim/Rust/Go, reflective DLL injection, process hollowing, encryption, and anti-analysis.

Nim/Rust/Go Shellcode Obfuscation Anti-Analysis

Red Team vs Pentest

Aspect Penetration Test Red Team
Objective Find vulnerabilities Test detection & response
Scope Defined systems Goal-based (crown jewels)
Duration 1-3 weeks 2-6 months
Detection Often ignored Must evade
Awareness IT team knows Limited awareness

Quick Reference

Topic Key Tools Focus Area
C2 Frameworks Sliver, Havoc, Mythic Beacon ops, listeners, infrastructure
Initial Access GoPhish, HTML smuggling Phishing, payload delivery
Evasion Syscalls, unhooking AMSI, ETW, EDR bypass
OPSEC Traffic analysis, timestomp Artifact cleanup, attribution
Tradecraft Rubeus, Mimikatz, WMI Creds, lateral movement, pivoting

📚 Recommended Reading

Evading EDR

Evading EDR

Matt Hand (2023)

Deep dive into EDR internals, syscall evasion, ETW blinding, callback removal, and modern detection bypass techniques.

 Black Hat Python, 2nd Edition

Black Hat Python, 2nd Edition

Justin Seitz & Tim Arnold (2021)

Build custom red team tools — network sniffers, keyloggers, C2 implants, and offensive automation in Python.

Related Topics

Reporting

Documentation and reporting

C2 Frameworks

Command and control setup

Kerberos Attacks

AD attack techniques

As an Amazon Associate I earn from qualifying purchases.