Red Teaming is a comprehensive approach that involves the use of various tactics, techniques, and procedures (TTPs) to simulate real-world threats. The primary objective of Red Teaming is to train and evaluate the effectiveness of the people, processes, and technology that are responsible for defending an organization’s environment. By replicating real-world attacks, Red Teaming helps organizations identify vulnerabilities and weaknesses in their security posture, enabling them to improve their defenses and better protect their assets.
Look alike domains:
IDN Homograph:
Look alike domains:
Using Octal:
A spam phishing campaign was executed, resulting in the breach of numerous internal accounts. These compromised accounts were not associated with email systems, but rather belonged to specific internal applications. Following this, a shift in strategy was implemented, leading to the compromise of a single email account.
We successfully obtained initial login credentials and gained access to a single email account. Utilizing a password spraying technique, we applied the same password to other email accounts, resulting in the compromise of multiple additional accounts.
Once access was established, we proceeded to monitor both incoming and outgoing email communication for all compromised accounts. Through this monitoring process, we were able to identify a profitable opportunity and subsequently took advantage of it.
By simply requesting the TeamViewer credentials it was possible to access a workstation and we dropped a payload. From there on we went on with recon and lateral movement.
Using a similar tactic we asked for credentials to connect, however, access was not granted due to the slow internet connection. We tried deploying a payload, however it got picked up by the EDR (Endpoint Detection and Response).
Since we were impersonating a trustworthy person that the others were trusting, we asked one of the targets to execute a PowerShell script that would enumerate the system (we told the target that it would help us in troubleshooting the issue).
The PowerShell script looks like this:
# Get the IPConfig information
$ipconfigOutput = ipconfig /all | Out-String# Get the current username
$currentUsername = $env:USERNAME
# Get the hostname
$hostname = $env:COMPUTERNAME
# Get the domain name
$domainName = (Get-WmiObject Win32_ComputerSystem).Domain
# Get the list of installed software
$installedPrograms = Get-WmiObject -Class Win32_Product | Select-Object -ExpandProperty Name
# Get the domain users
$domainUsers = & net user /domain | Select-Object -Skip 4 | ForEach-Object {
$userName = $_ -replace '\s{2,}', ',' -split ','
$userName[0].Trim()
}
# Get the domain groups
$domainGroups = & net group /domain | Select-Object -Skip 6 | ForEach-Object {
$groupName = $_ -replace '\s{2,}', ',' -split ','
$groupName[0].Trim()
}
# Get the proxy settings
$proxySettings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyServer, ProxyEnable -ErrorAction SilentlyContinue
$proxyServer = $proxySettings.ProxyServer
$proxyEnabled = $proxySettings.ProxyEnable
# Define the file path based on the computer name
$fileName = "$hostname.txt"
$filePath = Join-Path -Path $env:USERPROFILE\Desktop -ChildPath $fileName
# Create an output string with the system information
$output = @"
IPConfig:
$ipconfigOutput
Current Username: $currentUsername
Hostname: $hostname
Installed Software:
$($installedPrograms -join "`r`n")
Domain Name: $domainName
Domain Users:
$($domainUsers -join "`r`n")
Domain Groups:
$($domainGroups -join "`r`n")
Proxy Settings:
Proxy Server: $proxyServer
Proxy Enabled: $proxyEnabled
"@
# Save the output to the file
$output | Out-File -FilePath $filePath -Encoding UTF8
# Display a confirmation message
Write-Host "System information saved to $filePath"
We also provided instructions on how to execute our script. After a while we received the file with the data that we were waiting for.
Sweet! We have everything that we needed. We proceeded to bypassing the EDR and circumventing the user into executing our payload. From there on, we looked into getting a more in-depth situational awareness and moved laterally.
Not always everything goes our way, obviously.
Red teaming is a full-scope, multi-layered attack simulation designed to test an organization’s security posture in its entirety. It involves a wide range of tactics, techniques, and procedures (TTPs) that mimic those used by real-world attackers.
It’s important to note that phishing is not the only option available to red teamers. While phishing is a common tactic used in social engineering attacks, there are many other techniques that can be used to gain access to a system or network. This includes, but is not limited to, physical attacks such as tailgating or lock picking, and technical attacks such as exploiting software vulnerabilities or misconfigured systems.
Red teaming is also more expensive and time-consuming than penetration testing. This is because it involves a more comprehensive and in-depth assessment of an organization’s security posture, which requires more resources and expertise. However, the benefits of red teaming can far outweigh the costs, as it provides a more accurate and realistic assessment of an organization’s ability to detect and respond to real-world attacks.
Finally, red teaming also tests the security team’s response to an attack. This is an important aspect of red teaming that is often overlooked in traditional penetration testing. By simulating a real-world attack, red teaming allows an organization to evaluate the effectiveness of its incident response plan and identify areas for improvement. This can help an organization to better prepare for and respond to real-world attacks, ultimately improving its overall security posture.