Red Team Runbook


A practitioner-focused runbook for planning and executing red team engagements. Structured around MITRE ATT&CK, with notes on regulated frameworks (TIBER-EU, CBEST, iCAST, AASE), modern C2, AD/Azure AD tradecraft, EDR evasion, and assumed-breach / purple operations.

For the phase-by-phase operator playbook, see Runbook.md.

Use only against systems you are authorized to test. The techniques referenced here are illegal without explicit written authorization.


Table of Contents

  1. Engagement Models
  2. Regulated Frameworks
  3. Pre-Engagement
  4. Infrastructure
  5. Reconnaissance (TA0043)
  6. Resource Development (TA0042)
  7. Initial Access (TA0001)
  8. Execution & Defense Evasion (TA0002 / TA0005)
  9. Command & Control (TA0011)
  10. Active Directory Tradecraft
  11. Cloud / Entra ID
  12. Persistence (TA0003)
  13. Collection & Exfiltration (TA0009 / TA0010)
  14. Impact (TA0040)
  15. Operational Security
  16. Purple Teaming & Detection Engineering
  17. Reporting
  18. Post-Engagement
  19. Contributing
  20. License

Engagement Models

  • Full-scope red team — black-box, objective-driven, undeclared to defenders. Highest realism, highest cost, longest timeline (typically 4–12 weeks).
  • Assumed-breach — operator placed at an internal foothold (workstation, low-priv account). Skips initial access; tests internal detection and response. Most common engagement type in 2026.
  • Purple team — declared, collaborative. Run ATT&CK techniques alongside the SOC to measure and improve detection.
  • Adversary emulation — replicate a specific threat actor's TTPs (CTID emulation plans) — APT29, FIN7, etc.
  • Scenario-driven — narrow objective: "compromise the trading platform," "exfiltrate crown-jewel data," "demonstrate ransomware blast radius without detonation."
  • TIBER / CBEST / iCAST — see Regulated Frameworks.

Pick the model with the customer before writing anything else.


Regulated Frameworks

  • TIBER-EU — Threat Intelligence-Based Ethical Red Teaming. EU financial services, mandated under DORA in many member states. Two-phase: TI provider produces a Targeted Threat Intelligence Report, then Red Team provider executes against scenarios derived from it.
  • CBEST — UK FCA / Bank of England framework. Similar TI-led model. Bank of England guidance.
  • iCAST — Hong Kong Monetary Authority's intelligence-led testing framework.
  • AASE / FEER — Saudi (SAMA) Financial Entities Ethical Red-Teaming.
  • CORIE — Australia (Council of Financial Regulators).
  • GBEST — UK Government variant.

Common pattern: TI provider builds threat scenarios from real adversaries known to target the sector; red team provider executes them; both are typically separate firms; engagement is overseen by a regulator-blessed Control Group inside the target org. The SOC is not informed.


Pre-Engagement

Scoping & RoE

  • Objectives (specific, measurable) — e.g. "obtain domain-admin equivalent in prod AD forest"
  • In-scope assets — IP ranges, domains, cloud tenants, applications, personnel categories for SE
  • Out-of-scope — explicit. Get critical systems (medical, OT, safety) listed.
  • Permitted TTPs — phishing? Vishing? Physical? Payload detonation? Lateral movement to sensitive segments?
  • Hard stops — actions that require pause and Control Group approval (DA, exfil of real data, anything touching prod payment systems, OT, healthcare)
  • Engagement window, working hours, deconfliction process
  • Control Group composition and contact (24/7 number)
  • Get-out-of-jail letter — signed, dated, naming operators, contactable verifier
  • Communications cadence (weekly sync, daily standup, immediate-call triggers)

Legal

  • Authorization scope tied to RoE in writing, signed by an authorized officer
  • Country-specific statutes: CFAA (US), Computer Misuse Act 1990 (UK), §202a-c StGB (Germany), art. 323-1 (France), Cybercrime Act 2001 (Australia), PIPEDA (Canada)
  • Data protection — GDPR, UK GDPR, CCPA/CPRA, PIPEDA, APPI (Japan). PII handling rules apply to anything you exfil, including PoC screenshots.
  • DORA (EU financial) — operational resilience testing requirements
  • Third-party assets — get authorization from the actual asset owner, not just the engagement sponsor (SaaS, ISP-managed, cloud-shared infra)
  • Multi-jurisdiction engagements — operator location, infrastructure location, target location each create legal exposure
  • Evidence handling — chain of custody for anything you collect

Threat Modeling


Infrastructure

  • Operator boxes — dedicated, ephemeral, no personal accounts logged in, full disk encryption
  • Team server — locked down, behind redirector, never directly exposed
  • Redirectors — HTTP(S), DNS, SMTP as needed. Apache mod_rewrite, Nginx, or socat. CDN fronting still works on some providers (Fastly, Cloudflare Workers patterns), though Azure / CloudFront fronting is dead.
  • Categorized domains — aged, business-themed; check categorization on Cisco Talos, Forcepoint, Bluecoat / Symantec, McAfee, Palo Alto, Zscaler. Chameleon for staging.
  • Domain selection — typosquats, expired domains with prior categorization, ExpiredDomains.net
  • TLS — Let's Encrypt is fine but watch fingerprinting (issuer, cert age, SCT logs)
  • Mail infrastructure — SPF, DKIM, DMARC must be set up correctly on sender side or phishing lands in spam. Warm domains before use.
  • Operator anonymity — payment trail, registration trail, hosting trail should not connect to the firm
  • Tooling:

Reconnaissance (TA0043)


Resource Development (TA0042)

Payload Development

  • Initial-access loader vs. post-ex Beacon are different problems. Keep them separate.
  • Loaders — staged shellcode loaders (Donut, PIC-Get-Privileges), reflective DLLs, .NET assemblies via DInvoke
  • Evasion building blocks:
    • AMSI bypass (patching AmsiScanBuffer, hardware breakpoints)
    • ETW bypass (patching EtwEventWrite)
    • Direct/indirect syscalls — SysWhispers3, Hell's Hall
    • Sleep masking — Ekko, Foliage, DeathSleep
    • String / API hashing
    • Module stomping, thread stack spoofing, call stack masking
    • PE unhooking (Perun's Fart)
  • Beacon profiles — Malleable C2 profile tuning; never ship the default
  • BOFs (Beacon Object Files) — TrustedSec BOFs, outflanknl/C2-Tool-Collection
  • Sign your binaries — code-signing cert, even self-issued or stolen-looking, helps with some EDRs and user trust
  • Testing — VirusTotal is not your test bed. Run in a private lab with the customer's EDR if you can get it, or representative EDRs (antiscan.me, kleenscan — non-distributing scanners)

Delivery Containers

  • HTML smuggling — embedded blob, dropped on click (HTMLSmuggler, SharpHTMLSmuggling)
  • ISO / IMG / VHD — mount-on-double-click, bypasses Mark-of-the-Web (MoTW) propagation (Microsoft has tightened this — check current behavior on target Win build)
  • LNK — argument abuse, icon spoofing
  • MSI / MSIX — signed installer abuse
  • OneNote — declined since Microsoft locked embedded files, but still relevant
  • PDF + JS — limited surface
  • macro-enabled Office — dead-ish on default modern tenants but enterprises still allow it via policy. Check before assuming.
  • ClickOnce.application files
  • XLL / WLL / PPA — add-in formats

Initial Access (TA0001)

  • Spear-phish with link — credentials, MFA bypass (Evilginx3), device code
  • Spear-phish with attachment — see Delivery Containers
  • OAuth illicit consent — register attacker app, request high-priv scopes, victim clicks consent
  • Device code phishing — abuse OAuth device code flow on M365 (TokenTactics, Microsoft365_devicePhish)
  • Password spray — Spring2026! and <Companyname>2026 are still the answer surprisingly often. Tools: TREVORspray, MSOLSpray, DomainPasswordSpray
  • Adversary-in-the-middle (AiTM) — Evilginx3 + Cloudflare worker for MFA-bypass against M365 / Okta / generic SSO
  • Public-facing app exploit — Citrix, Fortinet, Ivanti, Palo, Exchange ProxyShell/ProxyNotShell, Confluence, Jenkins — the 2024–2026 era has been brutal here
  • Supply chain — JS package, browser extension, CI/CD pipeline injection (in scope only)
  • Physical / drop — Rubber Ducky, O.MG cable, malicious USB, network implant (LANTurtle, Plunder Bug)
  • Vishing / SE callback — Microsoft IT impersonation → Quick Assist or AnyDesk install is the dominant 2025–2026 pattern

Execution & Defense Evasion (TA0002 / TA0005)

  • LOLBin execution — LOLBAS Project, GTFOBins for Linux
  • Living-off-the-land — rundll32, regsvr32, mshta, installutil, msbuild, cmstp — most are flagged hard now; pick recent additions
  • AppLocker / WDAC bypass — signed binary abuse, DLL hijack of allowed apps
  • AMSI / ETW bypass per-process
  • Parent-process spoofing
  • Token impersonation / manipulation
  • Process injection — moved well past CreateRemoteThread:
    • Process hollowing
    • Process Ghosting / Doppelgänging / Herpaderping
    • Mockingjay
    • Module stomping
    • APC injection (early-bird)
  • EDR evasion BOFs — Sysmon view, ETW provider enum, bofhound for offline BloodHound from BOF output

Command & Control (TA0011)

  • Channels — HTTPS (most common), DNS (slow but covert), SMB (peer-to-peer internal), ICMP, custom
  • Domain fronting — largely dead on major CDNs since 2018–2022; check current state per provider; Cloudflare Workers patterns still work in some configs
  • Beacon timing — long sleep + jitter, not default 60s
  • Egress testing — test C2 channels from inside the target environment ASAP after foothold; some channels die at the proxy
  • Frameworks — Cobalt Strike (de facto), Sliver, Mythic, Havoc, Brute Ratel, Nighthawk. Pick based on engagement realism + budget + detection profile.
  • Profile tuning — every default CS profile is signatured; modify http-config, process-inject, stage, post-ex
  • Peer-to-peer — SMB / TCP Beacons for internal pivots, only one egress-talking node
  • Redirector chains — at least one HTTP redirector in front of every team server
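The beacon-timing bullet above seen from the detection side, as an added example that is not part of this runbook: it measures request-interval regularity per (source, destination) pair over constructed proxy log lines. SAMPLE_LOG, interval_stats, flag_beacons and the thresholds are all assumptions of this example.

```python
"""Beacon-interval analysis over constructed proxy log lines: what the
"long sleep + jitter" advice above looks like from the SOC side. Added
example, not from the runbook; log lines and thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic). Fields: time src dst bytes
SAMPLE_LOG = """\
2026-03-01T09:00:00 10.0.0.15 cdn-assets.example 512
2026-03-01T09:01:00 10.0.0.15 cdn-assets.example 512
2026-03-01T09:02:00 10.0.0.15 cdn-assets.example 512
2026-03-01T09:03:00 10.0.0.15 cdn-assets.example 512
2026-03-01T09:04:00 10.0.0.15 cdn-assets.example 512
2026-03-01T09:04:00 10.0.0.22 updates.example 2048
2026-03-01T09:31:00 10.0.0.22 updates.example 2048
2026-03-01T10:05:00 10.0.0.22 updates.example 2048
2026-03-01T10:56:00 10.0.0.22 updates.example 2048
2026-03-01T11:03:00 10.0.0.22 updates.example 2048
2026-03-01T09:00:00 10.0.0.30 news.example 9000
2026-03-01T09:00:07 10.0.0.30 news.example 12000
2026-03-01T09:00:09 10.0.0.30 news.example 40000
"""

def interval_stats(log_text):
    """Per (src, dst) pair: request count, mean gap in seconds and the
    coefficient of variation of the gaps (0.0 = perfectly regular)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _size = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    out = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        out[key] = {"count": len(ts), "mean_gap": mean, "cv": round(cv, 3)}
    return out

def flag_beacons(log_text, min_count=5, max_cv=0.3):
    """Flag pairs with many requests at near-constant spacing. A default 60 s
    sleep with no jitter scores cv 0.0; a jittered sleep scores higher, so a
    cv threshold alone is a weak detector: pair it with uniform request sizes,
    off-hours coverage and destination age / categorization before alerting."""
    return sorted(k for k, s in interval_stats(log_text).items()
                  if s["count"] >= min_count and s["cv"] <= max_cv)

if __name__ == "__main__":
    for pair, stats in interval_stats(SAMPLE_LOG).items():
        print(pair, stats)
    print("beacon candidates:", flag_beacons(SAMPLE_LOG))
```

In the constructed log only the fixed 60 s poller from 10.0.0.15 is flagged; the jittered pair from 10.0.0.22 lands above the cv threshold, which is the gap the docstring tells the SOC to close with additional features.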

Active Directory Tradecraft

AD is the engagement target for most enterprise red teams. Treat this section as the core, not an appendix.

Enumeration

  • BloodHound CE — SpecterOps/BloodHound (community edition is the current line; legacy BloodHound is EOL)
  • SharpHound / AzureHound collectors
  • ADExplorer snapshot → BloodHound ingest via ADExplorerSnapshot.py
  • PowerView / PowerSploit (heavily signatured, run from memory)
  • SOAPHound — LDAP enum via SOAP for AMSI evasion (SOAPHound)
  • LDAPDomainDump (dirkjanm/ldapdomaindump)
  • Manual net, dsquery, ADSI queries when tools are caught

Credential Access (TA0006)

  • LSASS dump — direct via Mimikatz / nanodump / SafetyKatz; MiniDumpWriteDump with PPL bypass; comsvcs.dll MiniDump
  • DPAPI — browser creds, RDP saved creds, vaulted secrets (SharpDPAPI)
  • NTDS.dit — via shadow copy, DSInternals, secretsdump
  • Kerberoasting — request TGS for SPN-enabled accounts, crack offline (Rubeus kerberoast, hashcat -m 13100)
  • AS-REP roasting — accounts with DONT_REQ_PREAUTH set (Rubeus asreproast, hashcat -m 18200)
  • Coerced authentication — PetitPotam, PrinterBug, DFSCoerce, Coercer
  • NTLM relay — ntlmrelayx → LDAP, ADCS HTTP enrollment, SMB
  • Shadow Credentials — write msDS-KeyCredentialLink (Whisker, pyWhisker)
  • Cleartext / passwords on disk — GPP cpassword, scripts in SYSVOL, Unattend.xml, web.config, IIS apppool, SnaffPoint, Snaffler
  • LAPS — read ms-MCS-AdmPwd or new msLAPS-Password if delegated; check ACLs
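Detection logic for the two roasting bullets above, as an added example that is not part of this runbook: it runs over constructed Windows Security events in the shape of 4769 (TGS request) and 4768 (TGT request) records. SAMPLE_EVENTS, the thresholds and the function names are assumptions of this example.

```python
"""Detection logic for Kerberoasting and AS-REP roasting over constructed
Windows Security events (4768 / 4769). Added example, not from the
runbook; sample events and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events using Security log field names (not real data).
SAMPLE_EVENTS = [
    # Kerberoast pattern: one account pulls RC4 (0x17) TGS for many SPNs fast
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15", "Time": "2026-03-01T09:00:01"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "HTTP/intranet",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15", "Time": "2026-03-01T09:00:02"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "CIFS/fs01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15", "Time": "2026-03-01T09:00:03"},
    # Benign: AES (0x12) service ticket
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "CIFS/fs01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22", "Time": "2026-03-01T09:05:00"},
    # AS-REP roast pattern: TGT issued without pre-auth (PreAuthType 0), RC4 etype
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15", "Time": "2026-03-01T09:06:00"},
    # Benign TGT with PA-ENC-TIMESTAMP pre-auth (PreAuthType 2)
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22", "Time": "2026-03-01T09:07:00"},
]

def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    """Flag (user, source IP) pairs that request RC4 service tickets for at
    least min_spns distinct SPNs inside `window`. Etype 0x17 is the tell:
    it is what hashcat -m 13100 cracks, and AES-only environments rarely emit it."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            by_actor[(e["TargetUserName"], e["IpAddress"])].append(
                (datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    hits = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):   # sliding window from each request
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits.append({"user": user, "ip": ip, "spns": sorted(spns)})
                break
    return hits

def detect_asrep_roasting(events):
    """Flag 4768 TGT requests with PreAuthType 0: only DONT_REQ_PREAUTH
    accounts produce these, and an RC4 etype means the AS-REP is crackable
    offline (hashcat -m 18200). Source IP tells you who asked."""
    return [{"user": e["TargetUserName"], "ip": e["IpAddress"], "etype": e["TicketEncryptionType"]}
            for e in events if e["EventID"] == 4768 and e["PreAuthType"] == "0"]

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))
    print(detect_asrep_roasting(SAMPLE_EVENTS))
```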

Privilege Escalation (TA0004)

  • Local — PrivescCheck, WinPEAS, Seatbelt
  • Token abuse — SeImpersonate → PrintSpoofer / JuicyPotatoNG / GodPotato
  • Unquoted service paths, weak service ACLs, registry autoruns
  • UAC bypass — UACME; often via signed binary auto-elevation
  • AD path PrivEsc — BloodHound shortest path, focus on GenericAll, WriteOwner, WriteDACL, RBCD setup primitives
  • Resource-Based Constrained Delegation (RBCD) — abuse msDS-AllowedToActOnBehalfOfOtherIdentity (Rubeus s4u)
  • Unconstrained delegation — coerce DC → ticket capture

Lateral Movement (TA0008)

  • Pass-the-Hash — Mimikatz sekurlsa::pth, Impacket psexec/wmiexec/smbexec/atexec
  • Pass-the-Ticket — Rubeus ptt, ticket import
  • Pass-the-Cert — PassTheCert, Certipy auth
  • Overpass-the-Hash — NTLM → Kerberos TGT
  • WMI / WinRM / DCOM lateral — Invoke-DCOM, SharpWMI
  • RDP hijacking — tscon from SYSTEM
  • SCCM abuse — SharpSCCM; ConfigMgr → DA is an increasingly common path
  • Group Policy abuse — write to GPO with WriteProperty → SharpGPOAbuse

AD CS Abuse (ESC1–ESC15)

Certified Pre-Owned (SpecterOps) — still the canonical reference; ESC categories continue to expand.

  • Enumeration — Certify, Certipy find
  • ESC1 — template allows SAN, low-priv can enroll → impersonate any user
  • ESC2 — Any Purpose EKU
  • ESC3 — Enrollment Agent template
  • ESC4 — vulnerable template ACL
  • ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CA
  • ESC7 — vulnerable CA ACL
  • ESC8 — NTLM relay to HTTP/RPC enrollment endpoint → cert for relayed account
  • ESC9 / ESC10 — no-security-extension / weak certificate mapping
  • ESC11 — relay to ICPR RPC
  • ESC13 — OID group link abuse
  • ESC14 / ESC15 — newer (2024–2025), weak certificate mapping & schema-based abuse paths — review current SpecterOps research before assuming applicability

Trust & Forest Attacks

  • Golden Ticket — krbtgt hash → forge any TGT
  • Silver Ticket — service account hash → forged TGS for that service
  • Diamond Ticket — modify a real TGT in-memory (more OPSEC-safe than Golden)
  • Sapphire Ticket — Diamond + S4U2self
  • SID History injection — across trusts (with caveats post-CVE-2020-0665)
  • Trust ticket forgery — forge inter-realm TGT
  • Foreign security principals — abuse cross-forest group memberships

Cloud / Entra ID

  • Recon — tenant ID enum (login.microsoftonline.com/<domain>/.well-known/openid-configuration), user enum (o365creeper, office365userenum)
  • Password spray — MSOLSpray, TREVORspray; Conditional Access aware
  • Token theft / replay — TokenTactics, TokenTacticsV2, ROADtools, AADInternals
  • Device code phishing — high success against MFA-protected accounts when CA doesn't block
  • Illicit consent grant — register multi-tenant app, request Mail.Read / Files.Read.All / offline_access
  • Pass-the-PRT — extract Primary Refresh Token from logged-in workstation, replay
  • Service Principal abuse — overprivileged SPs are everywhere; map with ROADtools or Stormspotter
  • Azure RBAC paths — AzureHound → BloodHound
  • Hybrid attacks — on-prem AD → Azure via AD Connect (Seamless SSO, Pass-through Auth, sync account abuse) — adconnectdump
  • Conditional Access bypass — non-interactive auth flows, legacy protocols (mostly killed), trusted IP exclusions, device-trust requirements
  • AWS — Pacu, enumerate-iam, instance metadata abuse, IAM PrivEsc paths (see Rhino Security IAM PrivEsc)
  • GCP — GCPBucketBrute, service account impersonation chains

Persistence (TA0003)

  • AD — AdminSDHolder ACL, DCSync rights to a low-priv account, DnsAdmins membership, Skeleton Key (loud), Golden Ticket (long-term but krbtgt-bound)
  • Host — scheduled tasks, services, WMI event subscription, COM hijack, registry Run keys, Image File Execution Options, AppInit DLLs, Winlogon helper, screensaver
  • Cloud — additional admin, service principal credentials, app role assignment, federated identity, OAuth refresh tokens
  • M365 — mailbox rules (auto-forward), delegated mailbox access, app permissions
  • Implants — long-haul Beacon on separate infrastructure, ideally different family from primary
  • OPSEC — persistence on a separate host from active operator activity; rotate primary and long-haul

Collection & Exfiltration (TA0009 / TA0010)

  • Targeting — Snaffler / SnaffPoint output; SharePoint; OneDrive; mail PSTs; code repos; KeePass .kdbx; browser profiles
  • Document grep — keyword sweep for password, secret, apikey, confidential, customer names
  • Mail extraction — MailSniper, Graph API queries, New-MailboxExportRequest (Exchange on-prem)
  • Archives — encrypted 7z or AES container before exfil
  • Channels — same C2 channel (slow, safe), separate cloud upload (faster, noisier), DNS exfil (iodine, dnscat2)
  • Volume control — never exfil real PII without explicit RoE permission; use representative samples + manifest

Impact (TA0040)

Real impact (encryption, destruction) is out of scope for nearly all engagements. Demonstrating it without doing it:

  • Place a benign canary file in crown-jewel locations and show retrieval
  • Demonstrate write/delete capability against test files, not production
  • Document the exact blast radius (hosts, accounts, data classes accessible) without acting
  • Show ability to disable EDR / backup / replication without actually disabling

Operational Security

  • Logging discipline — every command logged, timestamped, attributed; Ghostwriter or equivalent
  • Host hygiene — clear browser cache, sessions, history on operator boxes between engagements; never reuse infrastructure across customers
  • Tradecraft separation — initial access infra ≠ post-ex infra ≠ long-haul infra
  • Tool versioning — track which build of each tool was used (some leave version strings in artifacts)
  • Artifact cleanup — uploaded BOFs, dropped binaries, scheduled tasks, created accounts — list, then remove after engagement
  • Capture-the-flag discipline — record file hashes of anything dropped, MAC addresses, IP allocations, account names, ticket lifetimes
  • Comms — encrypted operator chat (Signal, Matrix), no engagement detail in personal accounts
  • Don't write the company name in plaintext in C2 profiles, file paths, or screenshots that might leak

Purple Teaming & Detection Engineering

  • ATT&CK Navigator overlay — pre-engagement (what you'll run) and post-engagement (what was detected)
  • For each technique executed, capture: timestamp, source host, command, expected telemetry, observed detection (yes/no/partial)
  • Tools — Atomic Red Team for declarative technique execution; VECTR or SCYTHE for tracking; APTSimulator
  • Deliver detection opportunities back to blue with:
    • Sigma rules (SigmaHQ) per missed detection
    • Specific log sources required (Sysmon configs, EDR query language, cloud audit logs)
    • Test queries the SOC can run to validate fix
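An added example (not from the runbook) that turns the per-technique capture above into an ATT&CK Navigator layer and a list of techniques that still need detection content. SAMPLE_RESULTS, the colour map and the layer version strings are assumptions of this example; the technique IDs are real ATT&CK IDs.

```python
"""Build an ATT&CK Navigator layer from a purple-team technique log
(timestamp, source host, command, expected telemetry, observed detection).
Added example, not from the runbook; the sample results are constructed."""
import json

# Constructed sample results in the shape the section above asks operators to capture.
SAMPLE_RESULTS = [
    {"technique": "T1558.003", "ts": "2026-03-01T09:00:01", "host": "WS-014",
     "command": "Rubeus kerberoast", "expected": "Security 4769 etype 0x17", "detected": "yes"},
    {"technique": "T1558.004", "ts": "2026-03-01T09:06:00", "host": "WS-014",
     "command": "Rubeus asreproast", "expected": "Security 4768 PreAuthType 0", "detected": "no"},
    {"technique": "T1003.001", "ts": "2026-03-01T10:12:00", "host": "WS-014",
     "command": "nanodump", "expected": "EDR LSASS handle open", "detected": "partial"},
    {"technique": "T1003.001", "ts": "2026-03-01T10:40:00", "host": "SRV-02",
     "command": "comsvcs MiniDump", "expected": "Sysmon 10 on lsass.exe", "detected": "no"},
]

# Worst observed outcome per technique wins the colour, so one miss marks the gap.
RANK = {"yes": 2, "partial": 1, "no": 0}
COLOR = {"yes": "#8ec843", "partial": "#ffe766", "no": "#ff6666"}   # assumed palette

def worst_outcome_per_technique(results):
    worst = {}
    for r in results:
        tid = r["technique"]
        if tid not in worst or RANK[r["detected"]] < RANK[worst[tid]]:
            worst[tid] = r["detected"]
    return worst

def build_layer(results, name="Engagement coverage"):
    """Return a Navigator layer dict with one entry per technique, coloured
    by worst outcome and annotated with every run (version strings assumed)."""
    worst = worst_outcome_per_technique(results)
    techniques = []
    for tid in sorted(worst):
        runs = [r for r in results if r["technique"] == tid]
        comment = "; ".join(
            f'{r["ts"]} {r["host"]} "{r["command"]}" expected {r["expected"]} -> {r["detected"]}'
            for r in runs)
        techniques.append({"techniqueID": tid, "score": RANK[worst[tid]],
                           "color": COLOR[worst[tid]], "comment": comment, "enabled": True})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "navigator": "4.9", "attack": "15"},
            "techniques": techniques}

def missed_techniques(results):
    """Technique IDs with at least one undetected run: the Sigma-rule to-do list."""
    return sorted(t for t, o in worst_outcome_per_technique(results).items() if o == "no")

if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE_RESULTS), indent=2))
    print("needs detection content:", missed_techniques(SAMPLE_RESULTS))
```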

Reporting

  • Executive summary — one page, no jargon, business impact framed in customer's terms
  • Engagement narrative — chronological attack path, screenshots, timestamps
  • Findings — per technique:
    • ATT&CK technique ID
    • Description and impact
    • Reproduction steps
    • Affected assets
    • Detection guidance (Sigma rule, log source, sample query)
    • Remediation
    • Severity (CVSS optional, business-impact reasoning required)
  • Attack path diagram — visual; BloodHound exports work well
  • IOC list — hashes, domains, IPs the SOC can use to validate detection
  • Tooling — Ghostwriter for tracking and reporting, PwnDoc, SysReptor, Obsidian/Notion for ops notes
  • Don't ship raw scanner output. Don't ship a "list of vulns." Tell the story.

Post-Engagement

  • Debrief with Control Group
  • Joint readout with blue / SOC (purple debrief)
  • Deliver detection content (Sigma rules, queries, log source recommendations)
  • Confirm artifact removal — every account, file, task, persistence mechanism
  • Sign-off on infrastructure decommission
  • Customer satisfaction signed off in writing
  • Internal retro — what worked, what got caught, what to do differently
  • Update internal TTP library with anything new learned

Contributing

PRs welcome. Useful additions: new tradecraft with sources, framework updates, replacements for tools that have died, links to authoritative research. Keep entries tight.


License

MIT — use freely, attribution appreciated.


This is a living document. Adversaries change; the runbook should too.
