№1. RedTeam-Tools. Red Team Tips

15 May 2023 4 minutes Author: Lady Liberty

Red Team and their tools

The term Red Team comes from the military environment and defines a “friendly” attacking team. The difference between Red Team operations and classic pentest is primarily in the rules of action and the warning of the defending party. Also, with “classic” pentest, “white lists” are most often used, restrictions on the work being carried out, the level of interaction with the system. When conducting Red Team operations, there are no restrictions, a real attack on the infrastructure is carried out: from external perimeter attacks, to physical access attempts, “hard” sociotechnical techniques (not fixing a link, but, for example, a full-fledged reverse shell). The Red Team approach is most closely related to a targeted attack, the Advanced Persistent Threat (APT). The Red Team should consist of experienced professionals with extensive experience in both IT/IS infrastructure building and systems compromise experience.

The use of a specific toolkit in a separate case may be due to the specifics of a particular application or service and differs from ordinary penetration testing. When conducting Red Team operations, the question of team interaction and systematization of the obtained results arises – this includes reports of various analysis tools and vulnerabilities detected in manual mode – all this is a huge amount of information, in which without proper order and a systematic approach, something important can be missed or “raked out” » duplicates are possible. There is also a need to consolidate reports and normalize them and bring them to a single form. Usually, Red Team operations cover rather voluminous infrastructures that require the use of specialized tools:

1. Bypass a disabled command line with /k

This command line has been disabled by your administrator…” Commonly seen in environments such as kiosk computers. A quick hack is to use /k through the Windows startup window. This will execute the command and then display a restriction message allowing the command to be executed.

2. Verify that you are in a virtual machine

Want to know if you’re in a virtual machine?” Ask for registry keys and find out!!! If any results appear, you are in a virtual machine.

3. Paralyze Windows Defender by removing signatures

A bit confusing, but if Windows Defender is giving you a major headache, instead of turning it off (which warns the user), you should just eliminate it by removing all signatures.

4. Query DNS records for enumeration

The enumeration is 95%. However, running lots of scans to assess the environment is very noisy. Why not query the DC/DNS server for all DNS records?

5. Local alternative to Sysinternals PsExec.exe

Tired of loading Sysinternals PsExec.exe while side-scrolling?” Windows comes preinstalled with the best alternative. Try this.

6. Enable multiple RDP sessions for each user

Sometimes you want to log into a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.

7. Live off the ground port scanner

If possible, live off the land rather than loading tools (for many reasons). PowerShell/.NET Help. For example: a simple port scanner in Powershell.

8. Search for internal endpoints in browser bookmarks

You’ll be surprised what you can learn just from a user’s bookmarks. For example, the internal endpoints they have access to.

9. PowerShell DownloadString with proxy support

Today, most large organizations use web proxies. The default PowerShell bootloader does not support proxies. Use this one.

10. Hiding the local administrator account

Creating accounts is risky when you dodge the blue, but when you create a local admin, use some cute registry wizardry to hide it.

11. Unquoted service paths without PowerUp

11. Unchuoted service patgs witgut Poverup.

12. Stop Windows Defender from removing mimikatz.exe

Are you tired of Windows Defender deleting mimikatz.exe?” Try this.

Found an error?
If you find an error, take a screenshot and send it to the bot.