Red Team Methodology
This methodology follows the MITRE ATT&CK framework — the industry standard for categorizing adversary behavior. Each tactic below represents a phase of an attack, with links to the relevant pages on this site.
```bash
# Set these at the start of every engagement session
export TARGET=<ip>
export SUBNET=<cidr>
export DOMAIN=<domain>
export USER=<username>
export PASSWORD=<password>
export LHOST=<your-ip>
export LPORT=<port>
export HASH=<ntlm-hash>
```
1. Reconnaissance (TA0043)
Gather information about the target before direct interaction. Understand the attack surface — domains, employees, technologies, and infrastructure.
Passive (no direct contact with target):
- Google Dorking — search engine operators to find exposed files, directories, and information
- OSINT Tools — theHarvester, Shodan, Netcraft, subdomain enumeration, certificate transparency, GitHub secret scanning, metadata analysis
Active (direct interaction with target):
- Port Scanning — Nmap, masscan, service version detection
- DNS Enumeration — zone transfers, brute forcing, dnsrecon, dnsenum
- SMB Enumeration — share enumeration, null sessions, enum4linux
- SMTP & SNMP Enumeration — user enumeration, community string brute forcing
2. Resource Development (TA0042)
Prepare the tools, infrastructure, and payloads needed for the engagement.
- Generate payloads with msfvenom — reverse shells, DLLs, MSI packages, web shells
- Apply AV Evasion techniques — AMSI bypass, encoding, custom loaders, LOLBins
- Set up listeners and C2 infrastructure — Metasploit, Sliver, or other frameworks
- Prepare File Transfer methods — HTTP servers, SMB shares, upload servers
3. Initial Access (TA0001)
Gain a foothold on the target network. The entry point depends on what reconnaissance revealed.
- Web Application Attacks — identify and exploit web vulnerabilities
- SQL Injection — database attacks, OS command execution via SQLi
- Path Traversal & LFI — file read, log poisoning, PHP wrappers, RCE via file inclusion
- Cross-Site Scripting — session hijacking, phishing via XSS
- Client-Side Attacks — Office macros, HTA payloads, phishing, malicious shortcuts
- Public Exploits — searchsploit, Exploit-DB, CVE exploitation
- Password Attacks — spraying, brute forcing, cracking
- Service Enumeration — per-service attack procedures for FTP, SSH, SMB, RDP, databases, Redis, etc.
4. Execution (TA0002)
Run attacker-controlled code on the target system.
- Metasploit Framework — exploit modules, Meterpreter, payload execution
- PowerShell and cmd.exe execution techniques are covered on the AV Evasion page (encoded commands, LOLBins, AMSI bypass)
- WMI and DCOM execution are covered in AD Lateral Movement
5. Persistence (TA0003)
Maintain access across reboots, credential changes, and network interruptions.
- Persistence — scheduled tasks, registry run keys, services, DLL hijacking, WMI subscriptions, cron jobs, SSH keys, systemd, SUID backdoors
- AD Persistence — golden/silver/diamond tickets, skeleton key, AdminSDHolder, ACL abuse, SID history, DSRM, certificate forgery, machine accounts
6. Privilege Escalation (TA0004)
Gain higher-level permissions on a compromised system.
- Windows Privilege Escalation — service hijacking, unquoted paths, DLL hijacking, registry abuse, scheduled tasks, AlwaysInstallElevated, potato attacks, token impersonation, kernel exploits, UAC bypass
- Linux Privilege Escalation — sudo abuse, SUID/SGID, capabilities, cron jobs, kernel exploits, Docker/LXD group, wildcard injection, NFS no_root_squash, weak file permissions
7. Defense Evasion (TA0005)
Avoid detection by security tools and monitoring.
- AV Evasion — AMSI bypass, PowerShell Constrained Language Mode bypass, payload encoding/obfuscation, custom shellcode loaders, process injection, living off the land binaries
8. Credential Access (TA0006)
Steal credentials for further access and lateral movement.
- Credential Harvesting — Mimikatz, LSASS dumps, SAM extraction, DPAPI, browser credentials, WiFi passwords, registry secrets, Linux config files, SSH keys, Responder, NTLM relay
- AD Authentication Attacks — AS-REP Roasting, Kerberoasting, password spraying, DC Sync, NTLM relay, coercion attacks (PetitPotam, PrinterBug), ADCS attacks, shadow credentials
- Password Attacks — hash cracking (Hashcat, John), wordlist mutation, credential spraying
9. Discovery (TA0007)
Learn about the environment — users, groups, systems, shares, and trust relationships.
- AD Enumeration — net commands, LDAP queries, PowerView, BloodHound/SharpHound, NetExec, Kerbrute, GPO/trust/ACL enumeration
- Service Enumeration — per-service enumeration for every common port
- Web App Methodology — technology fingerprinting, directory brute forcing, manual inspection
10. Lateral Movement (TA0008)
Move between systems in the target network to reach high-value targets.
- AD Lateral Movement — WMI, WinRM, PsExec, pass-the-hash, overpass-the-hash, pass-the-ticket, DCOM, silver/golden tickets, shadow copies
- Pivoting & Tunneling — SSH tunneling, Chisel, Ligolo-ng, sshuttle, Proxychains, netsh, plink, DNS/ICMP tunneling, Meterpreter pivoting, double pivoting
11. Collection (TA0009)
Gather data of interest from compromised systems before exfiltration.
- Staging and compression techniques covered in Data Exfiltration
- Sensitive file discovery commands covered in Windows Privesc and Credential Harvesting
12. Command and Control (TA0011)
Maintain communication with compromised systems.
- Metasploit Framework — multi/handler, Meterpreter sessions, pivoting, post-exploitation modules
- Pivoting & Tunneling — Chisel, Ligolo-ng, DNS tunneling, ICMP tunneling for C2 in restricted environments
13. Exfiltration (TA0010)
Transfer collected data out of the target environment.
- Data Exfiltration — HTTP/HTTPS, SMB, DNS, ICMP, netcat, SCP, base64 encoding, cloud storage exfiltration
- File Transfer — all methods for moving files between attacker and target
14. Impact (TA0040)
Disrupt, destroy, or manipulate systems and data. In an authorized engagement, impact is typically limited to demonstrating the capability rather than actually causing damage — proving that ransomware deployment, data destruction, or service disruption would be possible given the access achieved.
Engagement Workflow Tips
Read read READ the scan outputs. Read every line, actually analyze the output for usernames, passwords, useful information, CVEs, etc.
Work Methodically
For every target, follow the methodology above in order. Don't jump between targets — this causes things to be forgotten and missed.
Enumerate Every Service
For every single service discovered on a target, search for <service> exploit, <service> poc, and try multiple tools to enumerate each one. Don't skip a service because it looks uninteresting.
Collect Everything
- Add all discovered usernames to usernames.txt
- Add all discovered passwords to passwords.txt
- Check websites for potential custom wordlist crafting (CeWL)
- Save all scan output for later review
- Try every credential against every service (password reuse is extremely common)
Web Services Checklist
When you find a web server, run through the full stack — don't skip steps: Nikto, GoBuster/feroxbuster (try multiple wordlists), subdomain enumeration, source code inspection, and input field analysis.
Setting environment variables once at the start of a session means you can copy/paste commands directly from these notes without editing IPs every time.