# Red Teaming Runbook

Welcome to the Red Teaming Runbook, a comprehensive guide designed to help cybersecurity professionals and red team operators plan, execute, and document red team engagements. This runbook covers everything from reconnaissance to exploitation, persistence, and reporting.

## Table of Contents

- Introduction
- Red Team Engagement Phases
- Tactics, Techniques, and Procedures (TTPs)
- Rules of Engagement (RoE)
- Tools and Infrastructure
- Operational Security (OPSEC)
- Simulating Threat Actors
- Post-Engagement Review
- Lessons Learned and Continuous Improvement
- Compliance and Legal Considerations
## Introduction

The Red Teaming Runbook provides a structured approach to executing red team operations. It serves as a practical guide for offensive security engagements aimed at identifying vulnerabilities, testing incident response, and improving the overall security posture of organizations.
## Red Team Engagement Phases

1. Planning
   - Define goals, objectives, and success criteria.
   - Set engagement scope, timelines, and communication plans with stakeholders.
2. Reconnaissance
   - Gather intelligence through OSINT, network scanning, and social engineering.
   - Tools: Shodan, Recon-ng, Maltego.
3. Payload Development
   - Develop custom malware, payloads, and exploits.
   - Tools: Metasploit, Cobalt Strike, Empire.
4. Delivery
   - Deliver the payload via phishing, USB drops, or network exploitation.
   - Tools: phishing frameworks, custom scripts.
5. Exploitation
   - Exploit weaknesses to gain initial access.
   - Exploitation targets: web apps, network services, endpoints.
6. Persistence and Command and Control (C2)
   - Maintain persistent access and establish communication with compromised systems.
   - Tools: Covenant, Cobalt Strike.
7. Lateral Movement and Exfiltration
   - Lateral movement, privilege escalation, and data exfiltration.
   - Techniques: Pass-the-Hash, Kerberoasting.
8. Reporting
   - Document attack paths, vulnerabilities, and recommendations.
   - Create detailed technical reports and executive summaries for stakeholders.
## Tactics, Techniques, and Procedures (TTPs)

TTPs describe the adversary behaviours a red team replicates during an engagement so that it resembles a real-world attack. Key TTPs include:
- Initial Access: Phishing, exploitation of vulnerabilities.
- Lateral Movement: Credential theft, RDP hijacking.
- Persistence: Scheduled tasks, backdoors.
- Exfiltration: Covertly transferring sensitive data out of the network.
## Rules of Engagement (RoE)

The RoE ensures that the red team operates within defined legal and ethical boundaries. It specifies:
- What systems can be attacked (in-scope systems).
- Restrictions on certain actions (e.g., no data destruction).
- Communication protocols with the Blue Team and stakeholders.
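The three RoE clauses above are easiest to honour when they are data that every planned action is checked against, rather than a paragraph in a contract. The following is an added example, not code from the runbook itself: a small scope checker that encodes in-scope ranges, excluded hosts, the engagement window and forbidden action types, and refuses anything outside them with a reason that names the clause. All addresses, hosts, dates and action labels are constructed sample values.

```python
"""Machine-checkable Rules of Engagement (added example, not part of the runbook).

In-scope systems, excluded hosts, the engagement window and forbidden action
types are encoded as data, and every planned action is checked against them
before it is carried out. All values below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample RoE. In practice this comes from the signed engagement
# agreement and is version-controlled alongside the operator log.
SAMPLE_ROE = {
    "in_scope": ["10.20.0.0/16", "192.0.2.0/24"],  # 192.0.2.0/24 is RFC 5737 documentation space
    "excluded": ["10.20.5.10", "10.20.5.11"],       # hosts the client carved out of scope
    "window_utc": ["2024-03-04T08:00:00", "2024-03-08T18:00:00"],
    "forbidden_actions": ["data_destruction", "denial_of_service"],
}


@dataclass(frozen=True)
class RoE:
    in_scope: tuple
    excluded: frozenset
    start: datetime
    end: datetime
    forbidden_actions: frozenset

    @classmethod
    def from_dict(cls, d: dict) -> "RoE":
        start, end = (
            datetime.fromisoformat(t).replace(tzinfo=timezone.utc) for t in d["window_utc"]
        )
        # strict=True rejects a network with host bits set, so a typo in the
        # scope list fails loudly instead of silently widening the range.
        return cls(
            in_scope=tuple(ipaddress.ip_network(n, strict=True) for n in d["in_scope"]),
            excluded=frozenset(ipaddress.ip_address(h) for h in d["excluded"]),
            start=start,
            end=end,
            forbidden_actions=frozenset(d["forbidden_actions"]),
        )

    def check(self, target: str, action: str, when: datetime) -> tuple[bool, str]:
        """Return (allowed, reason); every refusal names the RoE clause it hit."""
        if action in self.forbidden_actions:
            return False, f"action '{action}' is forbidden by the RoE"
        if when.tzinfo is None:
            return False, "timestamp must be timezone-aware"
        if not self.start <= when <= self.end:
            return False, f"{when.isoformat()} is outside the engagement window"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Resolve hostnames first so the check sees the address that is actually touched.
            return False, f"'{target}' is not an IP address"
        if addr in self.excluded:
            return False, f"{addr} is explicitly excluded"
        if not any(addr in net for net in self.in_scope):
            return False, f"{addr} is not in any in-scope range"
        return True, "allowed"


def check_plan(roe_dict: dict, target: str, action: str, when_utc: str) -> tuple[bool, str]:
    """Build the RoE from its dict form and check one planned action (time given as ISO 8601 UTC)."""
    when = datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc)
    return RoE.from_dict(roe_dict).check(target, action, when)


if __name__ == "__main__":
    for target, action, when in [
        ("10.20.7.5", "port_scan", "2024-03-05T10:00:00"),
        ("10.20.5.10", "port_scan", "2024-03-05T10:00:00"),
        ("198.51.100.4", "port_scan", "2024-03-05T10:00:00"),
        ("10.20.7.5", "data_destruction", "2024-03-05T10:00:00"),
        ("10.20.7.5", "port_scan", "2024-03-09T10:00:00"),
    ]:
        ok, why = check_plan(SAMPLE_ROE, target, action, when)
        print(f"{'ALLOW' if ok else 'DENY ':5} {target:14} {action:17} {why}")
```

Excluded hosts are tested before the in-scope ranges on purpose: a carve-out inside an in-scope network is the common case, and the order makes it win. Keeping the RoE file under version control next to the operator log also gives the post-engagement review a record of exactly what was permitted at each point in time.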
## Tools and Infrastructure

A successful red team operation requires various tools and infrastructure for reconnaissance, exploitation, C2, and reporting.
- Reconnaissance Tools: Nmap, Masscan.
- Exploitation Tools: Metasploit, BloodHound.
- C2 Tools: Cobalt Strike, Empire.
- Reporting Tools: Ghostwriter, KeepNote.
## Operational Security (OPSEC)

OPSEC is critical in red teaming to avoid detection by the Blue Team. Key OPSEC considerations include:
- Use of encryption for communication (e.g., VPNs, Tor).
- Avoid using corporate devices or networks.
- Regularly change infrastructure (IP addresses, domains).
## Simulating Threat Actors

Simulate different types of adversaries to make the engagement more realistic:
- Nation-State Actors: Targeting high-value data using sophisticated techniques.
- Insider Threats: Gaining access through internal compromise or rogue employees.
- Hacktivists: Focused on defacing websites or leaking data.
## Post-Engagement Review

After the engagement, hold a debriefing with stakeholders to discuss findings and identify areas for improvement. Ensure that:
- Detailed reports are delivered.
- Vulnerabilities are communicated to the Blue Team.
- A timeline of attack sequences is reviewed.
## Lessons Learned and Continuous Improvement

Each engagement should result in a list of lessons learned to refine future red team activities. Key areas to assess:
- Were there any detection or communication gaps?
- What tactics were the most effective?
- How can the team's processes be improved?
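Reviewing the attack timeline (Post-Engagement Review) and asking where the detection gaps were (Lessons Learned) are the same exercise, and it is worth doing with data rather than from memory. The following is an added example, not code from the runbook: it pairs each action in the red team's operator log with the first matching Blue Team alert on the same host and reports time-to-detect per action, the median, and the actions nobody noticed. The log lines, host names, alert names and the alert-to-technique mapping are all constructed samples; the technique labels are the ones this runbook uses.

```python
"""Detection-gap analysis for the post-engagement review (added example, not
part of the runbook). Each red team action in the operator log is paired with
the first matching Blue Team alert on the same host, giving time-to-detect per
action and a list of what went unnoticed. Log lines, hosts and alert names
below are constructed samples.
"""
from __future__ import annotations

from datetime import datetime

# Constructed operator log: "<UTC time> <host> <technique>", one action per line.
# Technique labels follow the names used in this runbook.
RED_LOG = """\
2024-03-05T09:02:00 ws-017 phishing
2024-03-05T09:40:00 ws-017 scheduled_task
2024-03-05T11:15:00 ws-017 kerberoasting
2024-03-05T13:05:00 srv-db-02 pass_the_hash
2024-03-06T08:30:00 srv-db-02 exfiltration
"""

# Constructed Blue Team alert export: "<UTC time> <host> <alert name>".
# The ws-044 alert is deliberate noise: right technique, wrong host.
BLUE_ALERTS = """\
2024-03-05T09:55:00 ws-017 SuspiciousScheduledTask
2024-03-05T13:07:00 srv-db-02 NTLM-LogonAnomaly
2024-03-05T13:07:00 ws-044 NTLM-LogonAnomaly
2024-03-06T08:45:00 srv-db-02 LargeOutboundTransfer
"""

# Which runbook technique each (constructed) alert name is meant to catch.
# Unmapped alerts are ignored; techniques with no alert are reported as gaps.
ALERT_MAP = {
    "PhishingReported": "phishing",
    "SuspiciousScheduledTask": "scheduled_task",
    "TGS-RequestSpike": "kerberoasting",
    "NTLM-LogonAnomaly": "pass_the_hash",
    "LargeOutboundTransfer": "exfiltration",
}


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse '<iso time> <host> <name>' lines into (time, host, name) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split(maxsplit=2)
        rows.append((datetime.fromisoformat(ts), host, name.strip()))
    return rows


def detection_gaps(red_log: str, blue_alerts: str, alert_map: dict) -> dict[str, float | None]:
    """Return {"technique@host": minutes-to-detect}, with None for undetected actions.

    An alert counts only if it maps to the same technique, fired on the same
    host, and fired at or after the action; the earliest such alert wins.
    """
    alerts = sorted(parse_log(blue_alerts))
    gaps: dict[str, float | None] = {}
    for when, host, technique in parse_log(red_log):
        ttd = None
        for a_when, a_host, a_name in alerts:
            if a_when < when or a_host != host:
                continue
            if alert_map.get(a_name) != technique:
                continue
            ttd = (a_when - when).total_seconds() / 60
            break
        gaps[f"{technique}@{host}"] = ttd
    return gaps


def undetected(gaps: dict[str, float | None]) -> list[str]:
    """Actions that produced no matching alert, sorted for the debrief."""
    return sorted(k for k, v in gaps.items() if v is None)


def median_ttd(gaps: dict[str, float | None]) -> float | None:
    """Median time-to-detect over detected actions only (None if nothing was detected)."""
    values = sorted(v for v in gaps.values() if v is not None)
    if not values:
        return None
    mid = len(values) // 2
    return values[mid] if len(values) % 2 else (values[mid - 1] + values[mid]) / 2


if __name__ == "__main__":
    gaps = detection_gaps(RED_LOG, BLUE_ALERTS, ALERT_MAP)
    for action, ttd in gaps.items():
        print(f"{action:28} {'MISSED' if ttd is None else f'{ttd:.0f} min'}")
    print("median time-to-detect (min):", median_ttd(gaps))
    print("undetected:", undetected(gaps))
```

Requiring the alert to be on the same host matters: without it the ws-044 alert would be credited as a detection of activity on srv-db-02 and the review would overstate coverage. The undetected list is the direct input to the "detection gaps" question, and the per-action numbers give the Blue Team something concrete to tune against rather than a general impression.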
## Compliance and Legal Considerations

Ensure that all activities comply with applicable laws and internal regulations:
- Legal Frameworks: Understand and comply with laws like the Computer Fraud and Abuse Act (CFAA) and GDPR.
- Engagement Contracts: Ensure contracts include a detailed scope and waiver of liability in case of system disruption.
## Contributing

We welcome contributions to this runbook! If you have suggestions, improvements, or additional methodologies, feel free to submit a pull request.
## License

This project is licensed under the MIT License. See the LICENSE file for more details.
## Conclusion

This Red Teaming Runbook serves as a guide for planning, executing, and reviewing offensive security engagements. Whether you're a seasoned red teamer or just getting started, this runbook provides the essential steps and methodologies for successful operations.