Red Team Ops emulate a real-world adversary, remaining undetected by minimizing noise and avoiding security triggers.
OPSEC describes the likelihood of the team's actions being detected by the victim; good OPSEC keeps red team actions uninterrupted by the defenders.
This involves performing stealthy techniques that blend into normal activity and maintaining a low profile on compromised systems, leveraging trusted processes and native tools (living off the land).
By reusing credentials, impersonating legitimate users, and mimicking normal behaviour, the operator seeks to evade antivirus and bypass endpoint defences to achieve mission objectives without alerting defenders.
CRTO Zero Point Security Study Notes for the Red Team Ops Exam
- Cobalt Strike Primer
- Defence Evasion
- Initial Access
- Persistence
- Post-Exploitation
- Privilege Escalation
- Elevated Persistence
- Credential Access
- User Impersonation
- Discovery
- Lateral Movement
- Pivoting
- Kerberos
- Microsoft SQL Server
- Domain Dominance
- Active Directory Certificate Services ADCS
- Forest & Domain Trusts
- AppLocker
- Cobalt Strike Initial Commands Lab
- Defence-evasion-lab-Malleable.md
- Initial Access Lab
- Persistence lab
- Privilege Escalation lab
- Elevated Persistence lab
- Credential Access Challenge
- User Impersonation Lab
- Discovery Lab
- Lateral Movement Lab
- SOCKS Pivoting Lab
- Kerberos - Unconstrained Delegation Lab
- Kerberos - Constrained Delegation - Protocol Transition Lab
- Kerberos - Constrained Delegation - Service Name Substitution Lab
- Kerberos - S4U2self
- Kerberos - Resource-Based Constrained Delegation Lab
- Kerberos Challenge
- SQL Servers Lab
- ESC1 Misconfigured Client Authentication Templates
- ESC8 NTLM Relay to ADCS HTTP Endpoints
- DPERSIST1 Golden Certificates
- Parent-Child Trust Lab
- Inbound Trust Lab
- Outbound Trust Lab
- AppLocker Challenge
Ready-to-use scripts, payloads & code sample templates for the CRTO exam
- ThreadCheck- Artifact Kit
- .NET Marshal.Copy method called to copy Beacon shellcode
- native WriteProcessMemory API
- Invoke-Obfuscation script
- Beacon Memory - export raw Beacon DLL before obfuscations applied
- Beacon Command Behaviour - Beacon Object Files BOF custom command import
- Cobalt Strike User Guide - PowerShell_Command & _Compress
- Elevate Kit
- Cobalt Strike User Guide - beacon_exploit_register
- DLL side loading Payload Template
- Rasta Mouse - .NET Startup Hooks
- GadgetToJScript used to create JavaScript dropper out of a .NET assembly
- double click batch command file exploit
- GrimResource: uses a crafted .msc file and an unpatched XSS flaw to trigger JavaScript code execution via mmc
- CyberChef - payload
- SharpUp GhostPack
- PowerSploit
- Ghidra
- IDA free
- dotPeek jetbrains decompiler
- dnSpy
- ysoserial
- ired.team notes
- Kerbeus-BOF Beacon Object Files for Kerberos abuse
- BOFHound parse output from ldapsearch and pyldapsearch into BloodHound-compatible JSON files
- pyldapsearch
- ldapsearch
- Cloud AzureHound
- RustHound-CE
- LOLBAS - Living Off The Land Binaries, Scripts and Libraries
- BOF Version of SCShell for Cobalt Strike instead of psExec
- OPSEC Consideration for Beacon Commands
- PowerUpSQL
- SQLRecon
- SQL-BOF
- go-sqlcmd
- HeidiSQL
- SSMS