Long-Duration Engagements

Operations

Red team engagements often last months, requiring careful management of persistent access, rotation of infrastructure, and sustained operational security. Unlike short pentests, long engagements simulate APT-level persistence.

Persistence Strategies

  • Multiple Beacons: Deploy 3-5 C2 beacons with different communication methods (HTTPS, DNS, ICMP)
  • Diversified Persistence: Use multiple mechanisms (scheduled tasks, WMI events, service DLLs)
  • Backup Access: Maintain access via secondary user accounts, web shells, or implanted devices
  • Dormant Implants: Deploy "sleeper" beacons that only activate on specific dates or triggers

Operational Burnout

Long engagements risk operator fatigue and mistakes. Rotate team members, maintain detailed operation logs, and enforce rest periods to avoid OPSEC failures.

Managing Detection Risk Over Time

The longer you're in a network, the higher the detection probability. Mitigate with:

  • Low and Slow: Minimize actions, especially during business hours
  • Infrastructure Rotation: Change C2 domains every 2-4 weeks
  • Avoid Patterns: Vary beacon intervals, communication times, and access methods
  • Monitor Blue Team: Track SIEM alerts, EDR deployments, and incident response activities
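The "Avoid Patterns" point above is exactly what defenders look for: near-constant intervals between connections to one destination. As an added illustration from the defender's side (not code from the original page), the script below runs a simple periodicity check over constructed proxy-log records; the IPs and hostnames are made up, and the 12-sample flows show how a fixed interval stands out while jitter drags the score down.

```python
import statistics
from collections import defaultdict

# Constructed proxy-log records for the demo, not real traffic: (epoch_seconds, src_ip, dst_host).
SAMPLE_LOG = []
# Flow 1: a fixed 60-second check-in, the textbook beacon shape.
SAMPLE_LOG += [(1700000000 + 60 * i, "10.0.0.5", "c2-regular.example") for i in range(12)]
# Flow 2: the same 60-second base with roughly +/-35% jitter (fixed offsets so the run is repeatable).
_JITTER = [0, 14, -9, 21, -17, 5, -22, 18, -3, 11, -15, 7]
SAMPLE_LOG += [(1700000000 + 60 * i + _JITTER[i], "10.0.0.6", "c2-jittered.example") for i in range(12)]
# Flow 3: bursty, human-looking browsing to a news site.
SAMPLE_LOG += [(1700000000 + t, "10.0.0.7", "news.example")
               for t in (0, 3, 4, 130, 900, 903, 2400, 2402, 2410, 5000)]


def interval_stats(timestamps):
    """Return (connection_count, mean_gap, coefficient_of_variation) of the inter-arrival gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, float("inf")
    mean = statistics.mean(gaps)
    # CV near 0 means the gaps are almost identical, i.e. a timer rather than a person.
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return len(ts), mean, cv


def score_flows(records, min_connections=8, cv_threshold=0.2):
    """Group connections per (src, dst) pair and flag pairs whose gaps are near-constant."""
    flows = defaultdict(list)
    for ts, src, dst in records:
        flows[(src, dst)].append(ts)
    results = {}
    for key, stamps in flows.items():
        n, mean, cv = interval_stats(stamps)
        results[key] = {
            "count": n,
            "mean_gap": round(mean, 1),
            "cv": round(cv, 3),
            "beacon_like": n >= min_connections and cv <= cv_threshold,
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in score_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {r}")
```

The jittered flow lands well above the 0.2 threshold, so a detector that relies on gap regularity alone misses it; in practice this check is combined with volume over time, destination rarity, and connection duration so that interval variation by itself does not defeat it.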