בס״ד
⫷ HacKingPro ⫸
⫷ TryHackMe | KoTH ⫸
⫷ Privilege-Escalation⫸
⫷ ScanPro | Linfo | Diablo ⫸
⫷ Offensive-Security | PenTest ⫸
⫷ Goals | Studies | HacKing | AnyTeam ⫸
TTP- Tactics, Techniques and ProceduresTI- Threat IntelligenceCTI- Cyber Threat IntelligenceISAC- Information and Sharing Analysis Centers
- 1 Reconnaissance:
- No identified TTPs, use internal team methodology
- 2 Weaponization:
- Command and Scripting Interpreter
- PowerShell
- Python
- VBA
- Ruby
- Bash
- Shell
- User executed malicious attachments
- Command and Scripting Interpreter
- 3 Delivery:
- Exploit Public-Facing Applications
- Spearphishing
- 4 Exploitation:
- Registry modification
- Scheduled tasks
- Keylogging
- Credential dumping
- 5 Installation:
- Ingress tool transfer
- Proxy usage
- 6 Command & Control:
- Web protocols (HTTP/HTTPS)
- DNS
- Actions on Objectives
- Exfiltration over C2
| Cyber Kill Chain | MITRE ATT&CK |
|---|---|
| Recon | Reconnaissance |
| Weaponization | Execution |
| Delivery | Initial Access |
| Exploitation | Initial Access |
| Installation | Persistence / Defense Evasion |
| Command & Control | Command and Control |
| Actions on Objectives | Exfiltration / Impact |
- Determine required knowledge and skills
- Identify and implement alternate methods for bridging knowledge gaps
- Develop roles and responsibilities guide
- Develop red team methodology
- Develop TTP guidance for engagements
- Includes Bag of tricks
- Develop data collection guide and tools
- Develop operational process plan
- Develop communication plan template
- Develop ROE template: Rules of Engagement (RoE)
- Develop technical briefing template
- Develop report template: Diablo
- Client Name
- Service Provider
- Timeframe
- General Objectives/Phases
- Other Training Objectives (Exfiltration)
- High-Level Tools/Techniques planned to be used
- Threat group to emulate (if any)
- Header
- Personnel writing
- Dates
- Customer
- Engagement Dates
- Reconnaissance Dates
- Initial Compromise Dates
- Post-Exploitation and Persistence Dates
- Misc. Dates
- Knowledge Required (optional)
- Reconnaissance
- Initial Compromise
- Post-Exploitation
- Resource Requirements
- Personnel
- Hardware
- Cloud
- Misc.
- Objectives:
- Operators
- Exploits/Attacks
- Targets
- Users:
- Machines:
- Objectives:
- Execution plan variations
- Engagement Planning
- ROE
- Event Communication plan
- Distribute Deconfliction Process
- Entry point/method
- Scope
- Goals/Objectives (should address at least one of the following)
- Protect
- Detect
- Respond
- Restore
- Target Restrictions
- Target Infrastructure / Asset verification / Approvals
- Scenario Development
- Operational Impact planning
- ROE
- Develop threat profiles
- Network and Host Activity
- IOC Generation (incl subsequent Analysis) and Management
- Plan threat infrastructure
- Tier 1
- IPs
- Systems
- Redirectors
- PPS
- Tier 2
- IPs
- Systems
- Redirectors
- PPS
- Tier 3
- IPs
- Systems
- Redirectors
- PPS
- Deploy tools to infrastructure
- Tier 1
- Data collection repository
-
A THREAT’S ABILITY TO ACCESS TO COMMON AND RESTRICTED AREAS (PHYSICAL)
- What ability does a threat have to access common areas?
- What ability does a threat have to access restricted areas?
- Can a threat use access gained to enable cyber capabilities?
- What impacts can a threat have through gained access?
-
A THREAT’S ABILITY TO ACCESS KEY/CRITICAL SYSTEMS
- Can a threat access key/critical systems?
- What impacts can a threat have on key/critical systems?
-
A THREAT’S ABILITY TO MOVE FREELY THROUGHOUT A NETWORK
- What ability does a threat have to freely move throughout a network?
-
A THREAT’S ABILITY TO GAIN DOMAIN WIDE AND LOCAL ADMINISTRATIVE ACCESS?
- What ability does a threat have to gain local administrative access?
- What ability does a threat have to gain domain administrative access?
- What ability does a threat have to gain elevated access?
-
A THREAT’S ABILITY TO ACCESS OR IDENTIFY SENSITIVE INFORMATION
- What ability does a threat have to access sensitive information?
- What ability does a threat have to identify sensitive information?
-
A THREAT’S ABILITY TO EXFILTRATE DATA OUTSIDE AN ORGANIZATION
- What ability does a threat have to exfiltrate data outside an organization?
- How much data must be exfiltrated to impact an organization?
-
A THREAT’S ABILITY TO ACT UNDETECTED FOR A GIVEN TIME FRAME
- How long can a threat go undetected?
- Can a threat achieve its goals undetected?
- What must a threat do to stimulate a reaction from an organization?
-
A THREAT’S ABILITY TO PERFORM OPERATIONAL IMPACTS
- What impacts can a threat perform against an organization?
- How can a threat affect X?
- Rules of Engagement
- Executive Summary
- Overarching summary of all contents and authorization within RoE document
- Purpose
- Defines why the RoE document is used
- References
- Any references used throughout the RoE document (HIPAA, ISO, etc.)
- Scope
- Statement of the agreement to restrictions and guidelines
- Definitions
- Definitions of technical terms used throughout the RoE document
- Rules of Engagement and Support Agreement
- Defines obligations of both parties and general technical expectations of engagement conduct
- Provisions
- Define exceptions and additional information from the Rules of Engagement
- Requirements, Restrictions, and Authority
- Define specific expectations of the red team cell
- Ground Rules
- Define limitations of the red team cell's interactions
- Resolution of Issues/Points of Contact
- Contains all essential personnel involved in an engagement
- Authorization
- Statement of authorization for the engagement
- Approval
- Signatures from both parties approving all subsections of the preceding document
- Appendix
- Any further information from preceding subsections
- Executive Summary
The campaign summary we will be using consists of four different plans varying in-depth and coverage adapted from military operations documents.
| Type of Plan | Explanation of Plan | Plan Contents |
|---|---|---|
| Engagement Plan | An overarching description of technical requirements of the red team. | CONOPS, Resource and Personnel Requirements, Timelines |
| Operations Plan | An expansion of the Engagement Plan. Goes further into specifics of each detail. | Operators, Known Information, Responsibilities, etc. |
| Mission Plan | The exact commands to run and execution time of the engagement. | Commands to run, Time Objectives, Responsible Operator, etc. |
| Remediation Plan | Defines how the engagement will proceed after the campaign is finished. | Report, Remediation consultation, etc. |
| Component | Purpose |
|---|---|
| CONOPS (Concept of Operations) | Non-technically written overview of how the red team meets client objectives and target the client. |
| Resource plan | Includes timelines and information required for the red team to be successful—any resource requirements: personnel, hardware, cloud requirements. |
| Component | Purpose |
|---|---|
| Personnel | Information on employee requirements. |
| Stopping conditions | How and why should the red team stop during the engagement. |
| RoE (optional) | - |
| Technical requirements | What knowledge will the red team need to be successful. |
| Component | Purpose |
|---|---|
| Command playbooks (optional) | Exact commands and tools to run, including when, why, and how. Commonly seen in larger teams with many operators at varying skill levels. |
| Execution times | Times to begin stages of engagement. Can optionally include exact times to execute tools and commands. |
| Responsibilities/roles | Who does what, when. |
| Component | Purpose |
|---|---|
| Report | Summary of engagement details and report of findings. |
| Remediation/consultation | How will the client remediate findings? It can be included in the report or discussed in a meeting between the client and the red team. |
- TryHackMe: Red Team Engagements:
- Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation.
- Red Teaming Toolkit
Shr3dKit Red Team Tool Kit
This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent