It is a question that gets posed to me pretty frequently: “Do you miss being a red teamer?” If you came all the way to my blog to see the answer, I will save you some time and from reading a couple hundred words — No. The real meaning of this post is not in that single word answer, but rather it reveals itself when you consider the question “why don’t you miss it?”

First, we must rewind for a quick recap: In 2014 after separating from the USAF, I joined a small-ish (at that time) team of folks to do consulting, specifically as a penetration tester and red teamer. For three years, I was lucky to work with brilliant coworkers / researchers / hackers who pushed me every day to excel in the offensive space and encouraged a unique creativity that seemed natural when solving hard problems. I had the fortune of leading a multitude of engagements from program development work with corporate red teams to external red team assessments for a variety of companies. I was also lucky to share my passion of offensive work as a trainer at BlackHat where the days were long but seeing the joy people had in problem solving made it all worth it. …


As an attacker, it is all too easy to settle down into a rhythm. That rhythm of operations, the specific techniques and automation involved with conducting offensive work, boiled down to foundational tradecraft decisions that are often reused between campaigns. Why reuse tradecraft between campaigns? Well, it enables scalable and efficient operations; unfortunately, it also creates a digital fingerprint. We have seen the results of this at a national level with the deep revelations of the operations of advanced threat actors. Recently, I have shifted jobs into a Security Engineer role where I get to work with customers and with “BIG” (notice the caps) data to do network forensics and threat detection. Being on the defender’s side of the breach has definitely helped to refine certain aspects of my tradecraft. …


This is part three of a blog series titled: Common Ground. In Part One, I discussed the background and evolution of red teaming. I dove deep into how it applies to the information security industry and some limitations that are faced on engagements. In Part Two, I discussed various components of the planning phase to help ensure a valuable and mature exercise. In this part, I will discuss how a red team can execute a thorough operation. I will steer clear of the technical components of the network red team, instead focusing on the most important outcome of a red team assessment: communication improvement and bias identification. …


This is part two of a blog series titled: Common Ground. In , I discussed the background and evolution of red teaming, diving deep into how it applies to the information security industry and some limitations engagements face. In this part, I will discuss common components of red team planning and how they play into execution. There are many publications, documents, articles, and books focused on the structure of red teams, but I’m going to cover facets integral to engagement planning that I don’t see discussed enough.

Planning can be completed formally or informally. Organizations often benefit by being heavily involved in the planning process; however, sometimes the task is delegated to the red team with the organization giving final approvals. Finally, while not every single component here may be thoroughly planned in every engagement, I do not believe that it lessens the validity of the engagement as long as execution strikes back to the central theme or motivation for testing in the first place. …


Over the past ten years, red teaming has grown in popularity and has been adopted across different industries as a mature method of assessing an organization’s ability to handle challenges. With its widespread adoption, the term “red team” has come to mean different things to different people depending on their professional background. This is part one of a three-part blog series where I will break down and inspect red teaming. In this section, I will address what I believe red teaming is, how it applies to the infosec industry, how it is different from other technical assessments, and the realistic limitations on these types of engagements. In part two, I will discuss some topics important to planning a red team engagement, including organizational fit, threat models, training objectives, and assessment “events.” Finally, in part three, I will discuss red team execution, focusing on the human and strategic factors instead of technical aspects. …


I love seeing red and blue teams square off during an engagement. It works best if both sides avoid selfish desires and focus on the task at hand; improvement and training is the ultimate goal. A key component of the offensive aspect of this feud is the ability for the red team to conduct adversarial actions against users to gather data and accomplish objectives. Throughout every engagement, the red team has to be constantly aware of user behavior — tracking their movements, exploiting their weaknesses, mapping relationships, and analyzing yielded data to better accomplish the adversarial mission. By collecting, analyzing, and processing user-based intelligence, the red team is armed and prepared to succeed in accomplishing training objectives while also carrying out realistic adversarial actions. Keylogging, clipboard monitoring, and screenshots provide easy examples of user-centric post-exploitation actions that are both super useful for the red team and borderline creepy at times. These are also some of my favorite techniques before and after escalation for obtaining valuable intel. With strictly the data from these actions our team has been able to obtain passwords to critical ICS nodes, get screenshots of admins accessing sensitive data repositories (e.g. mainframes for healthcare, finance, etc.), retrieve router configs copied to the clipboard, and many many more awesome things. In short, these actions are crucial for success in a large-scale and long-term engagement. One key thing about being in a red team: you must avoid limiting yourself to certain actions or tools out of habit. You have to ditch the myopic view and broaden your horizon. When I run out of ideas, I look to the real adversaries to see what they are doing. Several sets of threat actors (e.g. Flame, Duqu) have been particularly inspiring and driven us to “up our game” when it comes to utilizing intelligence gathering against users.
These actors all appear to have a wide array of modular capabilities in their tools that allow them to accomplish required actions. For our team, Empire and Cobalt Strike have the majority of capabilities we need for data collection; however, every so often we want to dig deeper and demonstrate additional actions that an adversary could carry out. In a recent engagement, those specific actions were webcam capture and microphone audio recording. You might ask “… REALLY? Why do I need audio/video from a target?” If you have asked that, you might consider brainstorming about all the ways an adversary gathers intel from a system or why they gather it. For example’s sake, audio capture makes a lot of sense for a military command center or political office. …


Since the release of PowerShell Empire at BSidesLV 2015 by Will Schroeder (@harmj0y) and myself, the project has taken off. I could not be more proud of the community of contributors and users that have rallied together to help us maintain and continue building Empire. Since the project’s release, Matt Nelson (@enigma0x3) has joined our team and has taken charge of handling the various issues that arise from time to time (many thanks to him for this uphill battle). Also, Matt Graeber (@mattifestation) is now working with us and will likely have a lot of backstage influence on the continued development AND detection/mitigation of Empire. To think of it, I have been mostly hands-off with Empire development recently… Will and Matt work at speeds that I can only envy and their vision for the tool is fantastic. This post is continuing an ongoing blog series that the Empire team is doing and will cover integration with existing toolsets, namely Metasploit and Cobalt Strike. …


Network attacks (WPAD Injection, HTTP/WSUS MITM, SMB Relay etc.) are a very useful attack vector for adversaries trying to laterally spread, gather credentials or escalate privileges in a semi-targeted manner. This vector is used by known adversaries attempting to penetrate deep into networks, and numerous threat/malware reports have cited tools with functionality that allows attackers to perform these attacks in a remote fashion. Duqu 2.0 is a great example of where such attacks can be found in the wild and the reports of this actor make a great case study.

I became even more familiar with the techniques thanks to demos and stories from Jeff Dimmock (@bluscreenofjeff) and Andy Robbins (@_wald0), with whom I work every day. After learning Responder, I toyed with broader capabilities such as , which combines a variety of tools into a weaponized platform for easy integration into your methodology. For those unfamiliar with these tools, please check out the following…


Intro

User hunting is the process of tracking down where users are logged in or have a session in the network. By locating their login or session, you might be able to gain access to that machine, privesc (if required), and operate in the context of the new user. This is obviously most helpful with elevated user accounts.

Harmj0y has talked in-depth about user hunting in multiple blog posts and at several different conferences… you might wonder, why another post? While many people have paid attention and are plenty capable of running PowerView’s “Invoke-UserHunter” function, they might not fully understand how it works under the hood. This can prevent them from being successful in “Austere” networks (you know, where things get weird), or very very large enterprise networks. …

About

Justin Warner

Tech: Threat Intel | Photographer @ https://www.justinwarnerphoto.com
