Red Team Learning Resources

A structured collection of resources for mastering Red Team techniques, tools, and methodologies.


    Understanding the core principles and lifecycle of Red Team operations.

    What is Red Teaming? Red Teaming simulates real-world adversarial attacks, end to end and usually covertly, to test an organization's defenses, processes and people. Unlike a vulnerability assessment, which tries to find as many issues as possible, a red team pursues specific objectives (domain admin, a particular dataset, a business process) and measures whether the blue team detects and responds along the way.

    Core Concepts
    • Attack Lifecycle: Understanding phases like Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, and Impact.
    • Adversary Simulation: Mimicking the Tactics, Techniques, and Procedures (TTPs) of real-world threat actors.
    • MITRE ATT&CK Framework: Utilizing this knowledge base of adversary tactics and techniques for planning and reporting.
    • Post-Exploitation Tactics: Techniques used after initial compromise to maintain access, move laterally, escalate privileges, and achieve objectives.

    Essential tools used across different phases of a Red Team operation.

    Reconnaissance
    • Shodan (Recon, OSINT): Search engine for Internet-connected devices; finds exposed services, banners and known-vulnerable software versions without sending a single packet to the target.
    • Maltego (Recon, OSINT): Visual link-analysis tool for OSINT and forensics that maps relationships between people, domains, infrastructure and other entities.
    • theHarvester (Recon, OSINT): Gathers e-mail addresses, subdomains, hosts, employee names, open ports and banners from public sources.
    • Nmap (Recon, Network): Network scanner for host discovery, port and service/version detection, OS fingerprinting and scripted vulnerability checks (NSE). Unlike the passive sources above, it talks to the target directly, so it is where reconnaissance first becomes detectable.
    Exploitation & C2
    • Metasploit (Exploitation, Framework): Widely used framework for developing, testing and executing exploits against remote targets, with payload generation and post-exploitation modules.
    • Cobalt Strike (Exploitation, C2): Commercial C2 framework for adversary simulation and red team operations (Beacon implant, malleable C2 profiles). Its popularity also means its default artifacts are heavily signatured, so stock profiles and payloads get caught.
    • Impacket (Exploitation, Python library): Python classes for building and parsing network protocols; essential for interacting with Windows services (SMB, MSRPC, Kerberos, LDAP) and ships with example tools such as secretsdump.py and psexec.py.
    • Pupy RAT (Exploitation, C2): Open source, cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool.
    Privilege Escalation
    • LinPEAS / WinPEAS (PrivEsc, Enumeration): PEASS-ng scripts that enumerate local privilege-escalation vectors on Linux and Windows (SUID binaries, writable services and paths, stored credentials, kernel and OS version, and so on).
    • PowerSploit (PrivEsc, Post-Exploitation): Collection of PowerShell modules for all phases of an assessment (PowerUp for local privesc checks, PowerView for AD enumeration). The upstream repository is archived, and unmodified copies are reliably flagged by AV/AMSI.
    • EasyPeasey Linux PrivEsc (PrivEsc, Linux): Automated script for Linux privilege-escalation checks; often wraps LinPEAS.
    Lateral Movement
    • BloodHound (Lateral Movement, AD): Collects Active Directory relationships (group membership, logon sessions, local admin rights, ACLs) with SharpHound and stores them as a graph, so attack paths from a compromised principal to high-value targets can be queried instead of guessed. Indispensable for AD assessments.
    • CrackMapExec (Lateral Movement, Windows): Post-exploitation tool for credential testing, lateral movement and command execution across Windows networks over SMB, WinRM, LDAP and other protocols; development now continues in its fork NetExec (nxc).
    • Evil-WinRM (Lateral Movement, Windows): WinRM shell for pentesting Windows environments; requires valid credentials or an NTLM hash (pass-the-hash) and gives an interactive PowerShell session with file upload/download and in-memory script loading.
    Exfiltration
    • Rclone (Exfiltration, Cloud): Command-line utility for syncing files and directories to and from dozens of cloud storage providers. Heavily abused by ransomware crews for bulk exfiltration, so its binary, its config file and its default User-Agent are standard detection targets.
    • PowerShell Exfil Scripts: Custom PowerShell scripts are often used for tailored exfiltration (chunking, encoding, covert channels over HTTP or DNS) when an off-the-shelf tool would be too noisy for the environment.

    Other Offensive Tools
    • YARA (Analysis): Pattern-matching tool for identifying and classifying malware samples from textual or binary signatures. Red teams use it to check whether their own payloads trip public or in-house rules before deployment.
    • WireGuard (Network, VPN): Simple, fast, modern VPN built on current cryptography; useful for tunnelling operator traffic to redirectors and C2 infrastructure.
    • Kali Linux (Red Team, OS/Platform): Debian-derived Linux distribution designed for digital forensics and penetration testing; bundles most of the tools listed on this page.
    • Phish.Report (Social Engineering): Service for analysing phishing sites and reporting them for takedown. Relevant to red teams mainly for understanding how quickly phishing infrastructure gets reported and blocked once a target notices it.
    SOAR & Analysis Tools (Relevant for Context)
    • TheHive & Cortex (SOAR, Blue Team): Scalable open source incident response platform (TheHive) with an observable-analysis and response engine (Cortex). Knowing how the blue team triages cases helps a red team judge which actions will be escalated.
    • Velociraptor (DFIR, Blue Team): Endpoint DFIR tool for live collection, hunting and analysis driven by VQL queries; this is what responders will run against your foothold hosts once they are detected.

    Platforms offering labs and scenarios to practice Red Team skills.

    Cyber Range Platforms
    • TryHackMe: Offers dedicated Red Teaming paths and labs suitable for various skill levels.
    • Hack The Box: Pro Labs provide realistic, enterprise-grade Red Team scenarios.
    • Cyber Range Labs: Commercial ranges such as Immersive Labs and RangeForce offer realistic attack simulations inside full enterprise-style environments.
    Certification-Focused Labs

    Examples of how Red Teaming is applied in real-world security assessments.

    Enterprise Security Testing
    • Simulating APT (Advanced Persistent Threat) attacks to evaluate overall security posture.
    • Testing the effectiveness of detection mechanisms (EDR, SIEM) and incident response procedures (SOC).
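    The Rclone entry above notes that its default User-Agent is a detection target, and this item is about testing whether such detections actually work. The following added example (written for this page, not code from the page or from the rclone project) runs two SIEM-style rules over constructed web-proxy log lines: one matching the stock rclone User-Agent, which an operator defeats with rclone's --user-agent flag, and one based on upload volume to cloud-storage hosts, which survives that spoofing. The log lines, IPs, hostnames, byte counts and the 100 MiB threshold are all invented for the exercise.

```python
"""Added example (not from this page): two SIEM-style rules for rclone-based
exfiltration, run over constructed web-proxy log lines to show what each one
catches. Hosts, IPs, sizes and the threshold are invented for the exercise."""
import re
from collections import defaultdict

# Constructed proxy log: timestamp src_ip method dest_host bytes_sent user_agent
# 10.1.2.33 runs rclone with its default User-Agent; 10.1.2.77 runs it with
# --user-agent set to a browser string; 10.1.2.51 is ordinary browsing.
PROXY_LOG = """\
2024-05-01T09:00:01Z 10.1.2.33 PUT  objstore.cloud-a.test 52428800 rclone/v1.66.0
2024-05-01T09:00:07Z 10.1.2.33 PUT  objstore.cloud-a.test 52428800 rclone/v1.66.0
2024-05-01T09:00:13Z 10.1.2.33 PUT  objstore.cloud-a.test 52428800 rclone/v1.66.0
2024-05-01T09:01:02Z 10.1.2.51 GET  intranet.corp.test 1842 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:02:10Z 10.1.2.77 PUT  objstore.cloud-b.test 104857600 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:02:40Z 10.1.2.77 PUT  objstore.cloud-b.test 104857600 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:03:10Z 10.1.2.77 PUT  objstore.cloud-b.test 104857600 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:05:00Z 10.1.2.51 POST mail.corp.test 20480 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
"""

# Hypothetical list of cloud object-storage hosts the proxy knows about.
CLOUD_STORAGE_HOSTS = {"objstore.cloud-a.test", "objstore.cloud-b.test"}
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB per source over the log window


def parse(log_text):
    """Split each line into its six fields; the User-Agent keeps its spaces."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, host, size, ua = line.split(None, 5)
        events.append({"ts": ts, "ip": ip, "method": method,
                       "host": host, "bytes": int(size), "ua": ua})
    return events


def rule_rclone_user_agent(events):
    """Rule 1: stock rclone User-Agent. Cheap and precise, but gone as soon as
    the operator passes --user-agent."""
    return sorted({e["ip"] for e in events if re.match(r"rclone/v\d", e["ua"])})


def rule_bulk_upload_to_cloud_storage(events, threshold=UPLOAD_THRESHOLD_BYTES):
    """Rule 2: bytes uploaded per source to cloud-storage hosts. Survives
    User-Agent spoofing because it keys on behaviour, not on a string."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("PUT", "POST") and e["host"] in CLOUD_STORAGE_HOSTS:
            totals[e["ip"]] += e["bytes"]
    return sorted(ip for ip, total in totals.items() if total > threshold)


if __name__ == "__main__":
    events = parse(PROXY_LOG)
    print("rule 1 (user-agent):", rule_rclone_user_agent(events))
    print("rule 2 (bulk upload):", rule_bulk_upload_to_cloud_storage(events))
```

    Run as written, rule 1 reports only the host that left the default User-Agent in place, while rule 2 reports both exfiltrating hosts; that gap is exactly the kind of finding a detection-testing engagement should produce. In a real SIEM the volume rule would be windowed (bytes per source per hour) and the host list would come from a category feed rather than a hard-coded set.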
    Cloud Security Assessments
    • Compromising environments through misconfigured cloud services (S3 buckets, security groups, etc.).
    • Testing cloud Identity and Access Management (IAM) controls and permissions boundaries.
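    The first thing a cloud red team checks is whether a bucket policy lets anonymous callers in, and the subtle case is a policy that carries a Condition which looks restrictive but is not (for example, one that only demands HTTPS). The following added example, written for this page and not taken from it or from any AWS tooling, flags Allow statements reachable by anonymous principals and shows a weak policy beside its hardened form. The bucket name, the role ARN, the account ID and the VPC endpoint ID are constructed for illustration.

```python
"""Added example (not from this page): a minimal checker for S3 bucket policies
that grant anonymous access, the misconfiguration a cloud red team tests first.
All policies, ARNs and bucket names below are constructed for illustration."""
import json

# Bucket actions worth flagging when granted to everyone (compared case-insensitively).
SENSITIVE_ACTIONS = {"s3:getobject", "s3:putobject", "s3:listbucket",
                     "s3:deleteobject", "s3:getbucketpolicy", "s3:*", "*"}

# Condition keys that genuinely narrow who can call. Anything else (for example
# aws:SecureTransport, which only demands HTTPS) leaves the grant public.
RESTRICTING_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
                    "aws:principalorgid", "aws:principalarn", "aws:principalaccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """'Principal': '*' and {'AWS': '*'} both mean every caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def condition_restricts_caller(condition):
    """True only if some condition key actually limits the source or the principal."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTING_KEYS:
                return True
    return False


def sensitive(action):
    a = action.lower()
    return a in SENSITIVE_ACTIONS or a.endswith("*")


def find_public_grants(policy_json):
    """Return [(Sid, [actions])] for Allow statements reachable by anonymous callers."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        if condition_restricts_caller(stmt.get("Condition")):
            continue
        hits = sorted(a for a in _as_list(stmt.get("Action", [])) if sensitive(a))
        if hits:
            findings.append((stmt.get("Sid", "<no Sid>"), hits))
    return findings


# Constructed weak policy: three statements, two of them actually public.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        # Looks restricted, but the only condition is "use HTTPS": still world-writable.
        {"Sid": "TlsOnlyUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/uploads/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        # Genuinely limited to callers arriving through one VPC endpoint.
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d"}}},
    ],
})

# Hardened version: the same read access, but only for one named role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_grants(policy))
```

    The checker reads the policy document only. In a real assessment also look at the account and bucket Block Public Access settings, which override a public policy, and at the bucket ACL, which can grant access the policy never mentions.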
    Active Directory Penetration Testing
    • Exploiting common AD misconfigurations and weak credential practices.
    • Mapping attack paths for lateral movement and domain privilege escalation using tools like BloodHound.
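    BloodHound's core operation is a shortest-path search over a graph of AD relationships. The following added example (written for this page; not code from BloodHound or SharpHound) implements that search with a plain breadth-first search over a constructed edge list, using BloodHound's edge names and edge directions, and prints the path as the steps an operator would take. The domain CORP.LOCAL, every principal and host in it, and the edges between them are invented for illustration.

```python
"""Added example (not from this page or the BloodHound project): breadth-first
search for the shortest attack path over a BloodHound-style edge list. The
domain, principals and edges are constructed; real data comes from a collector
such as SharpHound."""
from collections import deque

# Edge types as BloodHound names them, with what traversing each gives the attacker.
EDGE_MEANING = {
    "MemberOf":   "inherit the group's rights",
    "AdminTo":    "local admin on the host: run code, dump credentials",
    "HasSession": "a user is logged on there: steal their credentials or tickets",
    "GenericAll": "full control of the object: reset password or add members",
}

# Constructed graph. Edge direction follows BloodHound: group -AdminTo-> computer,
# computer -HasSession-> user.
EDGES = [
    ("ALICE@CORP.LOCAL",      "MemberOf",   "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",   "AdminTo",    "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL",       "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL",  "MemberOf",   "DOMAIN ADMINS@CORP.LOCAL"),
    ("BOB@CORP.LOCAL",        "MemberOf",   "SALES@CORP.LOCAL"),
    ("SALES@CORP.LOCAL",      "AdminTo",    "WS02.CORP.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, neighbour)]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_attack_path(edges, start, target):
    """BFS from a compromised principal to a target.
    Returns [(src, edge_type, dst), ...] (empty if start == target) or None."""
    graph = build_graph(edges)
    if start not in graph:
        return None
    parent = {start: None}  # node -> (previous node, edge type used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, kind = parent[node]
                path.append((prev, kind, node))
                node = prev
            return list(reversed(path))
        for kind, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def explain(path):
    """Render a path as the concrete steps an operator would take."""
    return [f"{src} -{kind}-> {dst}: {EDGE_MEANING[kind]}" for src, kind, dst in path]


if __name__ == "__main__":
    for user in ("ALICE@CORP.LOCAL", "BOB@CORP.LOCAL"):
        path = shortest_attack_path(EDGES, user, "DOMAIN ADMINS@CORP.LOCAL")
        if path is None:
            print(user, "-> no path")
        else:
            print(user, "->", len(path), "hops\n  " + "\n  ".join(explain(path)))
```

    BFS treats every edge as equally cheap, which is the same simplification BloodHound's shortest-path queries make; in practice an ACL edge such as GenericAll costs a password reset or group change that the blue team may alert on, while a HasSession edge costs a credential dump on a host that may run EDR, so operators re-rank the returned paths by noise before choosing one.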
    Contribute to this Hub!

    Found an awesome Red Team resource we missed? Let us know!
