Red Teaming is a comprehensive approach that involves the use of various tactics, techniques, and procedures (TTPs) to simulate real-world threats. The primary objective of Red Teaming is to train and evaluate the effectiveness of the people, processes, and technology that are responsible for defending an organization’s environment. By replicating real-world attacks, Red Teaming helps organizations identify vulnerabilities and weaknesses in their security posture, enabling them to improve their defenses and better protect their assets.

• Phishing is a type of cyber attack that involves tricking individuals into divulging sensitive information.
• There are multiple types of attacks, such as vishing, smishing, and phishing.

• Spear phishing is a more targeted and personalized form of phishing attack.
• In spear phishing, attackers gather information about their targets to create a highly customized attack.
• Spear phishing attacks can be highly sophisticated and difficult to identify.

1. Initial compromise & establishing foothold
2. Additional recon
3. Elevating privileges & lateral movement
4. Data exfiltration

Preparations

• Buying look-alike domains and letting them “cook” for a period of time
• Reviewing target web applications in order to identify any kind of information that can aid in the attack
• Looking for historical breaches
• Identifying targetable email addresses
• Reviewing external infrastructure for vulnerabilities or information that can aid in instrumenting further attacks

Example 1 – Target domain: google.com

Look alike domains:

• g00gle.com
• Gogle.com

IDN Homograph:

• ɡοοɡⅼе.com
• ԌООԌⅬᎬ.com

Example 2 – Sample target: microsft.com

Look alike domains:

• rnicrosoft.com
• rnicrosft.com

Using Octal:

• microsoft.com@017700000001

Initial compromise through phishing:

• Phishing emails sent to the gathered email addresses / Spam phishing
• Sending more targeted emails
• Gathering credentials
• Categorizing credentials (useful, not useful, possibly useful, etc)
• Testing credentials
• Password spraying
• Additional accounts compromise
• Access granted as no MFA was required / Bypassing MFA
• If successful, additional information gathering, if it fails, rethink the phishing strategy

Going one step further – Spear phishing

• Monitoring emails initially compromised / OSINT on specific targets
• Crafting new attack scenarios
• Trying to be more interactive with the targets
• Gaining access
• Taking profits

A spam phishing campaign was executed, resulting in the breach of numerous internal accounts. These compromised accounts were not associated with email systems, but rather belonged to specific internal applications. Following this, a shift in strategy was implemented, leading to the compromise of a single email account.

It all starts with one compromised email

We successfully obtained initial login credentials and gained access to a single email account. Utilizing a password spraying technique, we applied the same password to other email accounts, resulting in the compromise of multiple additional accounts.

Once access was established, we proceeded to monitor both incoming and outgoing email communication for all compromised accounts. Through this monitoring process, we were able to identify a profitable opportunity and subsequently took advantage of it.

By simply requesting the TeamViewer credentials it was possible to access a workstation and we dropped a payload. From there on we went on with recon and lateral movement.

Going one step further

Using a similar tactic we asked for credentials to connect, however, access was not granted due to the slow internet connection. We tried deploying a payload, however it got picked up by the EDR (Endpoint Detection and Response).

Since we were impersonating a trustworthy person that the others were trusting, we asked one of the targets to execute a PowerShell script that would enumerate the system (we told the target that it would help us in troubleshooting the issue).

The PowerShell script looks like this:

# Get the IPConfig information
$ipconfigOutput = ipconfig /all | Out-String
# Get the current username
$currentUsername = $env:USERNAME
# Get the hostname
$hostname = $env:COMPUTERNAME
# Get the domain name
$domainName = (Get-WmiObject Win32_ComputerSystem).Domain
# Get the list of installed software
$installedPrograms = Get-WmiObject -Class Win32_Product | Select-Object -ExpandProperty Name
# Get the domain users
$domainUsers = & net user /domain | Select-Object -Skip 4 | ForEach-Object {
    $userName = $_ -replace '\s{2,}', ',' -split ','
    $userName[0].Trim()
}
# Get the domain groups
$domainGroups = & net group /domain | Select-Object -Skip 6 | ForEach-Object {
    $groupName = $_ -replace '\s{2,}', ',' -split ','
    $groupName[0].Trim()
}
# Get the proxy settings
$proxySettings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyServer, ProxyEnable -ErrorAction SilentlyContinue
$proxyServer = $proxySettings.ProxyServer
$proxyEnabled = $proxySettings.ProxyEnable
# Define the file path based on the computer name
$fileName = "$hostname.txt"
$filePath = Join-Path -Path $env:USERPROFILE\Desktop -ChildPath $fileName
# Create an output string with the system information
$output = @"
IPConfig:
$ipconfigOutput
Current Username: $currentUsername
Hostname: $hostname
Installed Software:
$($installedPrograms -join "`r`n")
Domain Name: $domainName
Domain Users:
$($domainUsers -join "`r`n")
Domain Groups:
$($domainGroups -join "`r`n")
Proxy Settings:
Proxy Server: $proxyServer
Proxy Enabled: $proxyEnabled
"@
# Save the output to the file
$output | Out-File -FilePath $filePath -Encoding UTF8
# Display a confirmation message
Write-Host "System information saved to $filePath"

We also provided instructions on how to execute our script. After a while we received the file with the data that we were waiting for.

Sweet! We have everything that we needed. We proceeded to bypassing the EDR and circumventing the user into executing our payload. From there on, we looked into getting a more in-depth situational awareness and moved laterally.

Not always everything goes our way, obviously.

Being reported for phishing/suspicious activity

Getting credentials that are not useful / Aware users trolling

5 minutes later…

Red teaming is a full-scope, multi-layered attack simulation designed to test an organization’s security posture in its entirety. It involves a wide range of tactics, techniques, and procedures (TTPs) that mimic those used by real-world attackers.

It’s important to note that phishing is not the only option available to red teamers. While phishing is a common tactic used in social engineering attacks, there are many other techniques that can be used to gain access to a system or network. This includes, but is not limited to, physical attacks such as tailgating or lock picking, and technical attacks such as exploiting software vulnerabilities or misconfigured systems.

Red teaming is also more expensive and time-consuming than penetration testing. This is because it involves a more comprehensive and in-depth assessment of an organization’s security posture, which requires more resources and expertise. However, the benefits of red teaming can far outweigh the costs, as it provides a more accurate and realistic assessment of an organization’s ability to detect and respond to real-world attacks.

Finally, red teaming also tests the security team’s response to an attack. This is an important aspect of red teaming that is often overlooked in traditional penetration testing. By simulating a real-world attack, red teaming allows an organization to evaluate the effectiveness of its incident response plan and identify areas for improvement. This can help an organization to better prepare for and respond to real-world attacks, ultimately improving its overall security posture.