Red Team Playbook: From External Breach to Internal Network Domination
This guide walks through the full red‑team workflow—from reconnaissance and initial access through defense evasion, credential theft, lateral movement, and operational security—detailing concrete tools, commands, and techniques for compromising both external and internal networks.
1. Reconnaissance & Initial Access
Finding weak points in the perimeter is often more effective than hunting for 0‑day bugs. External footholds rely on technical skills and deep knowledge of the target’s business and personnel.
Asset & Information Collection (OSINT):
DNS probing: Query DNS for keywords such as intranet, sharepoint, wiki and cyberark to quickly locate high‑value assets.
Automated monitoring: Combine Spiderfoot for long‑term open‑source monitoring with theHarvester to collect sub‑domains and email addresses, or use DomainHunter to find expired domains with an established reputation that are less likely to be filtered.
Metadata extraction: Run PowerMeta or FOCA against public documents to recover internal usernames and software versions from their metadata.
Phishing & Social Engineering:
Multidimensional payload delivery: If payloads are blocked, embed single‑line Python or PowerShell commands in emails to lure targets (including macOS users) into manual execution.
Bypassing 2FA: With O365, AWS and other cloud services making 2FA standard, employ Evilginx to harvest cookies for session hijacking, or phish VPN/Citrix gateways that may lack 2FA.
Email format tricks: When SPF is not paired with an enforcing DMARC policy, internal mailboxes can be spoofed; a missing or non‑enforcing DMARC record yields a high success rate.
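The SPF‑without‑enforcing‑DMARC case above can be checked from the defender's side. The following audit script is an added example, not code from the original playbook: it rates a domain's own SPF and DMARC TXT records (which you fetch yourself; the records below are constructed) and reports why spoofed mail would or would not be delivered.

```python
"""Audit a domain's SPF and DMARC TXT records for spoofability (the SPF-without-
enforcing-DMARC case above). Added example, not from the original article; it
takes record strings you fetch yourself, and the sample records are constructed."""
import re
from typing import Dict, List, Optional

def parse_tags(record: str) -> Dict[str, str]:
    """Parse DMARC 'k=v; k=v' tags into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Qualifier of the SPF 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf.lower())
    return (m.group(1) or "+") if m else None

def assess(spf: Optional[str], dmarc: Optional[str]) -> Dict:
    """Rate how likely a spoofed From: of this domain is to reach the inbox."""
    qual = spf_all_qualifier(spf)
    tags = parse_tags(dmarc) if dmarc and dmarc.lower().startswith("v=dmarc1") else {}
    policy = tags.get("p", "none").lower() if tags else "missing"
    pct = int(tags.get("pct", "100")) if tags else 0
    findings: List[str] = []
    if qual is None:
        findings.append("no SPF record or no 'all' mechanism")
    elif qual in ("?", "+"):
        findings.append(f"SPF ends in '{qual}all': any sender passes")
    elif qual == "~":
        findings.append("SPF softfail only: receivers rarely reject on ~all by itself")
    if policy == "missing":
        findings.append("no DMARC record: SPF/DKIM results are never enforced")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    enforced = policy in ("quarantine", "reject") and pct == 100
    risk = "low" if enforced else ("high" if policy in ("missing", "none") else "medium")
    return {"spf_all": qual, "dmarc_policy": policy, "risk": risk, "findings": findings}

# Constructed records for a fictitious domain: SPF present, DMARC in monitor mode only.
WEAK = assess("v=spf1 include:_spf.example.test ~all",
              "v=DMARC1; p=none; rua=mailto:dmarc@example.test")
```

Moving the DMARC record to p=quarantine or p=reject (with pct=100) is what turns the result to "low"; SPF alone, however strict, never does.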
2. Defense Evasion & Weaponization
Countering antivirus, EDR, and sandbox solutions is daily red‑team work.
Bypassing monitoring & sandbox:
Noise generation: Replace monitored commands like whoami or net users /domain with innocuous equivalents such as echo %userprofile%, or mutate them to net use /dom and powershell -ec.
Parent‑child process hiding: Use the SelectMyParent tool to avoid suspicious parent‑child relationships (e.g., preventing powershell.exe from spawning cmd.exe).
Anti‑sandbox techniques: When faced with FireEye‑style sandboxes, generate HTA files with GenHTA that contain sandbox‑evading logic, or load malicious code directly into memory.
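The command mutations described above (net use /dom, powershell -ec) only work against signatures that match literal strings. The detector below is an added example, not code from the original playbook: it normalises process‑creation command lines before matching, assuming net.exe accepts abbreviated switches (so signature tokens are matched by prefix) and powershell.exe accepts its documented short parameter forms; the sample command lines are constructed.

```python
"""Match discovery-command signatures against process-creation command lines after
undoing the abbreviation tricks above ('net use /dom', 'powershell -ec').
Added example, not from the original article. Assumes net.exe accepts abbreviated
switches (tokens are matched by prefix), powershell.exe accepts its documented
short parameter forms, and the sample command lines are constructed."""
import shlex
from typing import List

SIGNATURES = {  # canonical tokens, in order, lower-case
    "domain user enumeration": ["net", "user", "/domain"],
    "domain group enumeration": ["net", "group", "/domain"],
    "encoded powershell": ["powershell", "-encodedcommand"],
    "identity discovery": ["whoami"],
}
PS_ALIASES = {"-e": "-encodedcommand", "-ec": "-encodedcommand", "-enc": "-encodedcommand",
              "-ep": "-executionpolicy", "-ex": "-executionpolicy", "-nop": "-noprofile",
              "-noni": "-noninteractive", "-w": "-windowstyle", "-c": "-command"}

def normalise(cmdline: str) -> List[str]:
    """Tokenise, lower-case, drop paths and '.exe', expand PowerShell aliases."""
    tokens = []
    for raw in shlex.split(cmdline, posix=False):
        tok = raw.strip('"').lower().rsplit("\\", 1)[-1]
        tok = tok[:-4] if tok.endswith(".exe") else tok
        tokens.append(PS_ALIASES.get(tok, tok))
    return tokens

def token_matches(observed: str, canonical: str) -> bool:
    """Exact, or prefix in either direction: '/dom' ~ '/domain', 'users' ~ 'user', 'net1' ~ 'net'."""
    if observed == canonical:
        return True
    return len(observed) >= 3 and (canonical.startswith(observed) or observed.startswith(canonical))

def match_signatures(cmdline: str) -> List[str]:
    """Names of every signature whose tokens appear, in order, in the command line."""
    tokens, hits = normalise(cmdline), []
    for name, sig in SIGNATURES.items():
        pos = 0
        for canonical in sig:
            while pos < len(tokens) and not token_matches(tokens[pos], canonical):
                pos += 1
            if pos == len(tokens):
                break
            pos += 1
        else:
            hits.append(name)
    return hits

# Constructed process-creation command lines: mutated forms should still match.
SAMPLE = ["net users /domain", "net use /dom", r"C:\Windows\System32\net1.exe group /do",
          "powershell.exe -nop -w hidden -ec QQBCAEMA", "echo %userprofile%"]
```

The echo %userprofile% substitute is the one case this cannot catch by command line alone; it has to be paired with context such as the parent process or the user's normal activity.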
Execution methods:
Alternative execution methods: If runas is blocked, switch to unmanaged PowerShell; if regsvr32 is intercepted, employ tools like SCT‑obfuscator to disrupt detection.
Leveraging system features: Use Alternate Data Streams (ADS) to drop files, or employ Volume Shadow Copies (VSC) to run payloads while evading blue‑team scans.
3. Credential Access & Privilege Escalation
Credential theft is the core of internal penetration. Beyond classic Mimikatz, many low‑noise techniques exist.
Domain password extraction:
Kerberoasting: A fast path to domain admin rights; export service tickets with PowerView and crack them offline.
Legacy default credentials: Do not overlook GPP passwords left in SYSVOL; if cracking stalls, build dictionaries from user‑history passwords or guess combinations of company name, season, and year.
Hash theft & relay: From a low‑privileged host, drop UNC‑link LNK files in shared folders or embed images with WordSteal, then capture NetNTLM hashes using Inveigh.
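Kerberoasting, described above as a fast path to domain admin, leaves a distinctive trace in the domain controller's Security log: event 4769 service‑ticket requests with weak encryption for user service accounts, many of them from one principal in a short time. The detection below is an added example, not code from the original playbook; the events are constructed dicts carrying only the 4769 fields it uses, and the window and threshold are assumptions to tune.

```python
"""Flag Kerberoasting in Windows Security event 4769 (TGS request) records: weak
ticket encryption for service accounts, many distinct services from one principal.
Added example, not from the original article; the events are constructed dicts
carrying the 4769 fields used here, and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WEAK_ETYPES = {"0x17", "0x1", "0x3"}  # RC4-HMAC, DES-CBC-CRC, DES-CBC-MD5

def is_roastable(ev: Dict[str, str]) -> bool:
    """A successfully issued TGS that could be cracked offline against a user-account key."""
    svc = ev["ServiceName"].lower()
    if svc.endswith("$") or svc == "krbtgt":          # machine accounts and TGTs: not roastable
        return False
    return ev["TicketEncryptionType"].lower() in WEAK_ETYPES and ev["Status"] == "0x0"

def detect(events: List[Dict[str, str]], window_s: int = 300, min_spns: int = 3) -> List[Dict]:
    """Alert when one principal obtains weak-etype tickets for >= min_spns services inside window_s."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            by_user[ev["TargetUserName"].lower()].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            window = [e for e in evs[i:]
                      if datetime.fromisoformat(e["time"]) - t0 <= timedelta(seconds=window_s)]
            services = sorted({e["ServiceName"].lower() for e in window})
            if len(services) >= min_spns:
                alerts.append({"user": user, "source": first["IpAddress"], "services": services})
                break            # one alert per principal is enough
    return alerts

def make_event(t, user, svc, etype="0x17", status="0x0", ip="10.0.5.21") -> Dict[str, str]:
    return {"time": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}

# Constructed sample: one workstation user pulls RC4 tickets for four services in 40 seconds.
SAMPLE = [
    make_event("2024-03-01T10:00:00", "jdoe@CORP.LOCAL", "svc_sql"),
    make_event("2024-03-01T10:00:05", "jdoe@CORP.LOCAL", "svc_web"),
    make_event("2024-03-01T10:00:09", "jdoe@CORP.LOCAL", "DC01$"),                 # machine ticket, ignored
    make_event("2024-03-01T10:00:20", "jdoe@CORP.LOCAL", "svc_backup"),
    make_event("2024-03-01T10:00:40", "jdoe@CORP.LOCAL", "svc_ci"),
    make_event("2024-03-01T10:05:00", "asmith@CORP.LOCAL", "svc_sql", etype="0x12"),  # AES256: normal
]
```

Removing the signal at its source means long random passwords or group managed service accounts for SPN‑bearing accounts and AES‑only Kerberos for the rest, so that a weak‑etype ticket request becomes the anomaly.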
Target‑specific credential theft:
When KeePass runs in memory, extract passwords with KeeThief.
For password‑protected documents, obtain hashes via office2john and crack them.
4. Discovery & Lateral Movement
Blind scanning in mature networks quickly reveals the attacker.
Precise asset discovery:
Dump full DNS zones or use BloodHound to map attack paths; focus not only on domain admins but also on high‑privilege groups like server operators.
After compromising a host, run tasklist, netstat and query user to assess processes and logged‑in users for potential jump hosts.
Lateral techniques:
Shared local admin credentials: Machines built from the same image often carry identical local admin hashes, enabling batch lateral movement.
Session hijacking & spying: Detect active RDP sessions and hijack them with tscon; in VDI environments, leverage Citrix Shadow Taskbar to monitor virtual desktops.
Unconventional paths: Exploit default printer passwords, WSUS update mechanisms, or perform RDP‑Inception attacks to break out of isolated networks.
5. OPSEC & Infrastructure
Operational security determines how long a red team can remain hidden inside the target network.
Traffic & communication awareness:
C2 architecture: Follow best practices to build red‑team infrastructure. Use Domain Fronting to blend malicious traffic with legitimate CDN nodes, or establish lightweight tunnels via SSH with GatewayPorts.
Decoys: Separate attack activities by generating high‑noise scans with Nessus from the external side or flooding the target with spam, draining blue‑team analysis capacity and masking real attack channels.
Evidence cleanup & anti‑forensics:
On Linux, execute kill -9 $$ to prevent bash history from being written; modify DHCP settings to erase hostnames and VPN configurations that could reveal the operator.
Monitor mobile endpoints; if red‑team infrastructure is detected or scanned by the blue team, trigger immediate counter‑measures.
6. Summary: Red Team Mindset
Goal‑oriented: Red‑team exercises aim not merely at “vulnerability scanning” but at infiltrating to achieve business objectives (e.g., “ATM cash‑out” or “steal core formula”).
Team collaboration: Penetration is both an art and an engineering discipline; teamwork sparks better ideas and covers more attack surfaces.
Continuous learning: Blue‑team defenses evolve constantly. Stay updated with top security conferences and the latest research from security researchers to maintain an offensive edge.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.