Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Red Teaming & Adversary Simulation

Campaign-Based Red Team Operations

  • May 8, 2025
  • 0

Sherlocked Security – Campaign-Based Red Team Operations

Test and Strengthen Your Defenses with a Persistent, Long-Term Attack Simulation


1. Statement of Work (SOW)

Service Name: Campaign-Based Red Team Operations
Client Type: Enterprises, Government, Critical Infrastructure, Financial Institutions
Service Model: Long-Term Engagement with Continuous Attack Simulation
Compliance Coverage: NIST 800-53, SOC 2, ISO 27001, PCI-DSS, HIPAA

Testing Types:

  • Persistent Access via Multiple Vectors
  • Simulated Insider Threats
  • Multi-Phase Attacks Including Initial Access, Persistence, Lateral Movement, and Data Exfiltration
  • Social Engineering (Phishing, Vishing, Impersonation)
  • Advanced Malware Deployment and Command & Control (C2) Techniques
  • Attack Simulation via Multiple Entry Points (Network, Web Applications, Supply Chain, Physical)
  • Red Team Operations to Identify Gaps in Incident Response and Detection

2. Our Approach

[Pre-engagement] → [Reconnaissance & Intelligence Gathering] → [Initial Access Attempt] → [Establish Persistence] → [Lateral Movement Simulation] → [Data Collection & Exfiltration] → [Incident Response Testing] → [Reporting & Remediation Recommendations] → [Continuous Engagement & Retesting]


3. Methodology

[Engagement Kickoff] → [Reconnaissance & Vulnerability Research] → [Initial Access & Exploitation] → [Post-Exploitation & Lateral Movement] → [Social Engineering & Human Targeting] → [Data Exfiltration Simulation] → [Detection & Response Evaluation] → [Reporting] → [Remediation & Retesting]


4. Deliverables to the Client

  1. Red Team Operation Report: A detailed report summarizing all attack vectors, tactics, techniques, and procedures (TTPs) used throughout the engagement.
  2. Exploit Proof-of-Concepts (PoCs): Proofs for all successful exploits and attack chains.
  3. Social Engineering Insights: Detailed findings from social engineering attacks and human vulnerabilities.
  4. Lateral Movement Analysis: Findings from internal network penetration and lateral movement simulations.
  5. Data Exfiltration Report: A comprehensive analysis of data exfiltration techniques and success rates.
  6. Incident Detection & Response Evaluation: Analysis of how well your detection mechanisms handled the attack.
  7. Remediation Recommendations: Actionable steps to mitigate discovered vulnerabilities and improve security posture.
  8. Retesting & Validation: Retesting after remediation to ensure closure of identified vulnerabilities.

5. What We Need from You (Client Requirements)

  • Written authorization and rules of engagement covering the in-scope networks, applications and endpoints; for assumed-breach scenarios, the agreed starting foothold (for example a standard user account on a standard workstation).
  • A small "white cell" of contacts in IT security and incident response who can deconflict activity in real time without alerting the wider blue team whose detection capability is being tested.
  • Collaboration with internal teams on which environments are in play (production, staging), which fragile systems are excluded, and the hours during which potentially disruptive actions are allowed.
  • Defined scope of critical assets and business functions that the campaign will target.
  • Written permission to conduct social engineering (phishing, vishing, impersonation) against staff, including any roles or individuals that must be excluded.
  • An inventory of existing security controls (firewalls, SIEM, IDS/IPS, EDR) so that detection gaps found during the campaign can be attributed to specific tools and rules.

6. Tools & Technology Stack

  • Custom red team scripts and implants for lateral movement, exploitation and evasion of the client's specific EDR stack.
  • Cobalt Strike for post-exploitation, C2 and lateral movement simulation.
  • Metasploit Framework for exploit development and execution.
  • BloodHound for Active Directory enumeration and attack-path analysis (which chain of group memberships, sessions and ACL rights leads to Domain Admin).
  • Phishing kits and infrastructure (lookalike domains, credential-capture pages) for social engineering and credential harvesting.
  • Mimikatz for extracting credentials (NT hashes, Kerberos tickets) from LSASS and replaying them (pass-the-hash, pass-the-ticket).
  • Empire for PowerShell-based post-exploitation and C2.
  • Nmap for host and service discovery; Nessus and OpenVAS for vulnerability scanning.
  • Burp Suite for web application penetration testing.
  • Impacket (psexec.py, wmiexec.py, secretsdump.py, GetUserSPNs.py) for SMB, MSRPC and Kerberos based remote execution and credential extraction.

7. Engagement Lifecycle

1. Discovery Call & Scope Definition → 2. Reconnaissance & Targeting → 3. Initial Access Attempt → 4. Persistence & Evasion Techniques → 5. Lateral Movement & Internal Exploitation → 6. Data Exfiltration Simulation → 7. Incident Response Testing & Evaluation → 8. Report Delivery → 9. Remediation & Retesting → 10. Ongoing Engagement (if applicable)


8. Why Sherlocked Security?

Feature: Sherlocked Advantage
  • Persistent, Long-Term Engagement: simulate sustained adversary tactics to identify deep security gaps.
  • Real-World Attack Simulation: comprehensive attack scenarios including social engineering, physical, and cyber tactics.
  • Advanced Exploit Development: custom tools and tailored exploits for comprehensive testing.
  • Detection and Response Evaluation: assess the effectiveness of your security monitoring and response teams.
  • Retesting & Continuous Engagement: ensure vulnerabilities are patched and defenses remain resilient over time.
  • Proven Expertise in APT Simulation: deep understanding of Advanced Persistent Threat tactics and countermeasures.

9. Real-World Case Studies

Case 1: Financial Institution Breach Simulation

Client: Large Global Bank
Scenario: Persistent access was gained through a phishing campaign targeting internal employees, eventually leading to privilege escalation and lateral movement within the network.
Findings: Insufficient email filtering allowed initial access, and Active Directory misconfigurations enabled privilege escalation.
Fix: Strengthened phishing defenses, improved internal training, and implemented more robust access controls.

Case 2: Critical Infrastructure Attack Simulation

Client: National Energy Grid Operator
Scenario: A simulated attack on the power grid’s administrative network involved social engineering and exploitation of weak perimeter defenses.
Findings: The attack was successful due to unpatched systems and poor segmentation between critical and non-critical infrastructure.
Fix: Network segmentation between critical and non-critical zones was enforced, patch management deadlines were introduced, and incident response procedures were reviewed and strengthened.


10. SOP – Standard Operating Procedure

  1. Kickoff & Scoping Session
  2. Reconnaissance and Intelligence Gathering
  3. Initial Access Attempt (Phishing, Exploitation)
  4. Establish Persistence (Backdoors, Web Shells)
  5. Lateral Movement and Escalation
  6. Data Exfiltration and Command & Control Simulation
  7. Detection and Response Testing
  8. Deliver Final Report with Findings and Recommendations
  9. Retesting and Post-Engagement Review

11. Red Team Campaign-Based Operations Checklist

1. Reconnaissance & Target Discovery

1.1 Network Discovery

  • Identify active hosts within the target network using tools like Nmap.
  • Perform DNS enumeration to discover internal and external subdomains.
  • Identify open ports and services exposed to the internet (e.g., SSH, RDP, SMB).
  • Perform OS fingerprinting and service version detection so that exposed software versions can be matched against known vulnerabilities.
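The discovery step above produces raw scanner output that has to be turned into an inventory before targeting decisions can be made. As an added example (not part of the original page and not Sherlocked's tooling), the following script parses Nmap's grepable output format (-oG) and lists every open remote-management service, which is exactly the "SSH, RDP, SMB exposed to the internet" check in the list above. The scan text embedded in the script is constructed for the example; the host names and addresses are not real targets.

```python
"""Parse Nmap grepable output (-oG) into a host/service inventory and flag
internet-exposed remote-management services. Added example; the scan text
below is constructed, not a real scan result."""
import re
from collections import defaultdict

# Open services that are a finding on their own when reachable from the internet.
RISKY_SERVICES = {"ssh", "ms-wbt-server", "microsoft-ds", "netbios-ssn", "telnet", "vnc"}

# Constructed -oG output. Port entries are slash-separated:
#   port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 203.0.113.0/28
Host: 203.0.113.10 (web01.example.test)\tStatus: Up
Host: 203.0.113.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)
Host: 203.0.113.11 (fs01.example.test)\tStatus: Up
Host: 203.0.113.11 (fs01.example.test)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": [(port, proto, state, service, version), ...]}}."""
    hosts = defaultdict(lambda: {"name": "", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment and "Nmap done" lines
        fields = line.split("\t")                      # sections are tab-separated
        m = HOST_RE.match(fields[0])
        if m is None:
            continue
        ip, name = m.groups()
        hosts[ip]["name"] = name
        for section in fields[1:]:
            if not section.startswith("Ports:"):
                continue
            for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(section):
                hosts[ip]["ports"].append((int(port), proto, state, service, version.strip()))
    return dict(hosts)


def exposed_services(inventory):
    """(ip, port, service) for every open port running a service in RISKY_SERVICES."""
    hits = []
    for ip in sorted(inventory):
        for port, _proto, state, service, _version in inventory[ip]["ports"]:
            if state == "open" and service in RISKY_SERVICES:
                hits.append((ip, port, service))
    return hits


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, service in exposed_services(inv):
        print(f"{ip}:{port} ({inv[ip]['name']}) exposes {service}")
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`. Filtered ports are kept in the inventory but not reported, so a later pass can compare them against the firewall policy.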

1.2 Application & Web Discovery

  • Use tools like Burp Suite or OWASP ZAP to map web applications and identify potential attack surfaces.
  • Discover potential insecure endpoints like login pages, file upload functionality, and admin interfaces.
  • Analyze web servers for misconfigurations or outdated software.

1.3 Target Identification

  • Identify critical assets, such as servers, databases, and intellectual property.
  • Identify key employees and entry points for social engineering or targeted attacks.

2. Initial Access & Exploitation

2.1 Phishing Campaign

  • Create spear-phishing emails targeting key employees with malicious attachments or links.
  • Utilize fake login pages to harvest credentials via social engineering.
  • Test anti-phishing measures such as email filters and awareness training.

2.2 Web Application Exploitation

  • SQL Injection (SQLi): identify injectable parameters to read or modify data and, where the database account is over-privileged, reach the underlying host.
  • Cross-Site Scripting (XSS): inject scripts to steal session tokens or perform actions in the victim's browser with the victim's privileges.
  • Authentication Bypass: exploit weak authentication flows such as predictable password-reset tokens, legacy endpoints that skip MFA, or default credentials.

2.3 SMB and RDP Exploitation

  • SMB Exploits: exploit unpatched SMB services (e.g., MS17-010/EternalBlue) for remote code execution; separately, spray or brute-force credentials against SMB where the lockout policy allows it.
  • RDP Password Spraying: attempt password spraying (a few common passwords across many accounts, staying under the lockout threshold) or targeted brute force against exposed RDP.
  • Credential Harvesting: once a host is compromised, dump credentials from LSASS, the SAM and cached logons with Mimikatz or secretsdump.py; the recovered hashes and passwords then unlock further RDP and SMB access.
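Password spraying and brute force leave very different footprints in the Windows Security log, and a campaign should confirm the client can tell them apart. As an added example (not from the original page), the script below classifies sources of 4625 failed-logon events: a spray is many distinct accounts with one or two attempts each, a brute force is many attempts against one account. The events are constructed in code; the field names (IpAddress, TargetUserName, Status) mirror the 4625 event data.

```python
"""Detect password spraying and single-account brute force from Windows
Security event 4625 (failed logon). Added example over constructed events;
the field names mirror the 4625 event data (IpAddress, TargetUserName, Status)."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 5, 8, 9, 0, 0)


def _failed_logon(offset_s, ip, user, status="0xC000006D"):
    """One constructed 4625 event; 0xC000006D = unknown user name or bad password."""
    return {"time": T0 + timedelta(seconds=offset_s), "event_id": 4625,
            "IpAddress": ip, "TargetUserName": user, "Status": status}


SAMPLE_EVENTS = (
    # Spray: one source, 25 different accounts, one attempt each, 20 s apart.
    [_failed_logon(i * 20, "198.51.100.7", f"user{i:02d}") for i in range(25)]
    # Brute force: one source, 40 attempts against a single service account.
    + [_failed_logon(i * 2, "198.51.100.9", "svc-backup") for i in range(40)]
    # Benign: a user mistypes their password twice.
    + [_failed_logon(300, "10.0.0.15", "jsmith"), _failed_logon(330, "10.0.0.15", "jsmith")]
)


def classify_sources(events, window=timedelta(minutes=30),
                     spray_users=10, spray_max_per_user=3, brute_attempts=20):
    """Return {ip: "spray" | "brute-force"} for sources whose failures inside any
    `window` look like a spray (many accounts, few tries each, so no lockouts)
    or a brute force (many tries against one account)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    verdict = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1                      # slide the window forward
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["TargetUserName"]] += 1
            busiest = max(per_user.values())
            if len(per_user) >= spray_users and busiest <= spray_max_per_user:
                verdict[ip] = "spray"
            elif busiest >= brute_attempts:
                verdict[ip] = "brute-force"
    return verdict


if __name__ == "__main__":
    for ip, kind in classify_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {kind}")
```

When the spray is aimed at a domain controller over Kerberos rather than NTLM, the same logic applies to event 4771 (Kerberos pre-authentication failed, failure code 0x18) and, for NTLM validation on the DC, event 4776; a spray that rotates source IPs needs the grouping keyed on the target set rather than the source.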

3. Post-Exploitation & Persistence

3.1 Persistence Mechanisms

  • Deploy backdoors (e.g., web shells, reverse shells, C2 implants) to maintain access after the initial compromise.
  • Create or modify Windows services, scheduled tasks, Run keys or WMI event subscriptions, and Linux cron jobs or systemd units, so the implant restarts on boot or on a schedule.
  • Plant persistence in more than one place and at more than one privilege level so that a single clean-up action does not end the campaign.

3.2 Privilege Escalation

  • Windows: escalate from user to local administrator via service or DLL misconfigurations, unquoted service paths, writable scheduled tasks or abusable token privileges (e.g., SeImpersonatePrivilege); with local admin or SYSTEM, dump credentials from LSASS memory with Mimikatz.
  • Linux/Unix: Exploit Sudo misconfigurations, Setuid binaries, or kernel vulnerabilities to escalate privileges.
  • Active Directory: Identify misconfigurations or weak permissions in Active Directory (AD) to escalate privileges.

3.3 Credential & Token Hijacking

  • Pass-the-Hash (PtH): authenticate over NTLM using a captured NT hash without knowing the clear-text password; the hash is unsalted and password-equivalent.
  • Pass-the-Ticket (PtT): reuse stolen Kerberos TGTs or service tickets to access resources in Active Directory as their owner.
  • Token Impersonation: steal or duplicate the Windows access tokens of logged-on privileged users (e.g., via SeImpersonatePrivilege) to run code in their security context.

4. Lateral Movement & Internal Exploitation

4.1 Lateral Movement

  • Use SMB, RDP, or WMI to move laterally between internal systems.
  • Exploit Windows Management Instrumentation (WMI) for remote command execution on other machines.
  • Utilize PowerShell Remoting or PSExec for command execution on remote systems.

4.2 Internal Network Exploitation

  • Exploit misconfigured file shares or open network drives to access sensitive internal resources.
  • Privilege escalation on internal systems to move towards Domain Admin privileges.
  • Use Cobalt Strike (or, as a minimal fallback, a Netcat reverse shell) to establish C2 channels from newly compromised internal hosts.

4.3 Active Directory Exploitation

  • Enumerate Active Directory for over-permissioned groups, unnecessary privileged users, and weak domain trusts.
  • Kerberos Golden Ticket: forge TGTs with the krbtgt account's hash to impersonate any principal; this requires prior domain compromise (DCSync or direct DC access) and is used to demonstrate persistence that survives resets of individual account passwords.
  • Group Policy Exploitation: Modify Group Policy Objects (GPOs) to execute malicious scripts on domain controllers or other systems.
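The enumeration step above is a graph problem: each group membership, local-admin right, cached session and ACL edge is one hop, and the question is which low-privilege principal has a path to domain-level rights. As an added example (not from the original page and not BloodHound's own code), the script below runs a breadth-first search over a constructed set of such edges for a hypothetical CORP.LOCAL domain and lists every user that can reach DCSync rights, which is the list a remediation plan should be prioritised from.

```python
"""BloodHound-style attack-path search: breadth-first search over Active
Directory relationships to find how a low-privilege principal reaches
domain-level rights. Added example; the corp.local objects and edges below
are constructed, not collected from a real domain."""
from collections import deque

# Edge types used here (a subset of what BloodHound collects) and their meaning:
#   MemberOf   - principal is a member of the group (inherits the group's rights)
#   AdminTo    - principal is a local administrator on the computer
#   HasSession - the computer holds the user's credentials in LSASS (dumpable by a local admin)
#   GenericAll - full control of the target object (reset password / add member)
#   DCSync     - replication rights on the domain (can pull every NT hash)
EDGES = [
    ("alice@corp.local",      "MemberOf",   "Helpdesk@corp.local"),
    ("Helpdesk@corp.local",   "AdminTo",    "WS01.corp.local"),
    ("WS01.corp.local",       "HasSession", "bob@corp.local"),
    ("bob@corp.local",        "MemberOf",   "Server-Ops@corp.local"),
    ("Server-Ops@corp.local", "GenericAll", "svc-sql@corp.local"),
    ("svc-sql@corp.local",    "DCSync",     "corp.local"),
    ("carol@corp.local",      "MemberOf",   "Finance@corp.local"),
    ("Finance@corp.local",    "AdminTo",    "FS01.corp.local"),   # dead end: FS01 holds no session
]
USERS = {"alice@corp.local", "bob@corp.local", "carol@corp.local", "svc-sql@corp.local"}
DOMAIN = "corp.local"


def build_graph(edges):
    """Adjacency list: src -> [(edge_type, dst), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_attack_path(graph, start, target):
    """Fewest-hop path from start to target as [(src, edge, dst), ...], or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:      # walk back to the start
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def users_reaching(graph, target):
    """Every user principal with a path to target: the remediation priority list."""
    return sorted(u for u in USERS if shortest_attack_path(graph, u, target) is not None)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src, rel, dst in shortest_attack_path(g, "alice@corp.local", DOMAIN):
        print(f"{src} --{rel}--> {dst}")
    print("users with a path to DCSync:", users_reaching(g, DOMAIN))
```

Breaking any single edge on the returned path (removing Helpdesk's local-admin right on WS01, or stopping bob from leaving a privileged session on a workstation) closes that route; rerunning the search afterwards shows whether a second route exists, which is the retesting step in section 7.3.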

5. Data Exfiltration & Command-and-Control (C2)

5.1 Data Exfiltration

  • Exfiltrate sensitive data (documents, databases, emails) over encrypted channels (e.g., HTTPS, DNS tunneling).
  • Test for data leaks via exploited file share permissions and misconfigured cloud storage.
  • Compress and encrypt exfiltrated data so that content-inspection (DLP) controls cannot read it; the detectable signals that remain are volume, destination and timing, which is what the exercise measures.

5.2 Establishing Command-and-Control (C2)

  • Set up C2 channels using Cobalt Strike, Empire, or a bare Netcat listener as a fallback.
  • Use HTTP, HTTPS, or DNS tunneling for covert communication between compromised hosts and external C2 servers, with beacon jitter so that check-ins do not form a fixed-interval pattern.
  • Test Domain Fronting or CDN-hosted redirectors to hide the true C2 destination; most large CDNs now block classic domain fronting, so confirm the technique is still viable on the chosen provider before relying on it.
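DNS tunneling, used for both the exfiltration in 5.1 and the C2 channel in 5.2, cannot hide the shape of its queries: each carries a chunk of data in a long, high-entropy subdomain, and every query name is new. As an added example (not from the original page and not Sherlocked's tooling), the detector below scores resolver query logs per parent domain on exactly those properties. The log lines are generated in code with a fixed random seed, the "<timestamp> <client> <qname> <qtype>" format is assumed, and the "registrable domain = last two labels" rule is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Flag DNS tunnelling / DNS-based C2 in resolver query logs using per-domain
subdomain entropy, label length and unique-name churn. Added example over a
constructed log (not real traffic); the log format "<ts> <client> <qname> <qtype>"
and the 'registrable domain = last two labels' rule are assumptions."""
import base64
import math
import random
from collections import defaultdict


def constructed_log():
    """30 ordinary lookups plus 40 tunnel-style TXT queries with random 48-char labels."""
    rng = random.Random(7)                      # fixed seed: deterministic sample
    benign = ["www.example.com A", "mail.example.com A", "login.example.com A",
              "cdn.example.com A", "api.example.com AAAA", "sso.example.com A"]
    lines = [f"2025-05-08T09:00:{i:02d} 10.0.0.21 {benign[i % len(benign)]}" for i in range(30)]
    for i in range(40):
        payload = base64.b32encode(rng.randbytes(30)).decode().lower()   # 48 chars, no padding
        lines.append(f"2025-05-08T09:01:{i:02d} 10.0.0.44 {i:04x}.{payload}.t.exfil-test.net TXT")
    return lines


def shannon_entropy(s):
    """Bits per character of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Assumption: the registrable domain is the last two labels (a public-suffix
    list would be needed to handle co.uk-style suffixes correctly)."""
    return ".".join(qname.split(".")[-2:])


def score_domains(lines, min_queries=20, min_unique_ratio=0.9, min_entropy=3.5, min_len=30):
    """Return {parent_domain: stats} for domains whose query mix looks like a tunnel:
    many queries, almost all to never-seen-before names, long high-entropy labels."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy": 0.0, "length": 0, "txt": 0})
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        qname = qname.lower().rstrip(".")
        parent = parent_domain(qname)
        sub = qname[: -len(parent) - 1] if qname != parent else ""
        s = stats[parent]
        s["queries"] += 1
        s["names"].add(qname)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["length"] += len(sub)
        s["txt"] += qtype == "TXT"
    flagged = {}
    for parent, s in stats.items():
        n = s["queries"]
        avg_entropy, avg_len = s["entropy"] / n, s["length"] / n
        unique_ratio = len(s["names"]) / n
        if (n >= min_queries and unique_ratio >= min_unique_ratio
                and avg_entropy >= min_entropy and avg_len >= min_len):
            flagged[parent] = {"queries": n, "unique_ratio": round(unique_ratio, 2),
                               "avg_entropy": round(avg_entropy, 2),
                               "avg_label_len": round(avg_len, 1), "txt": s["txt"]}
    return flagged


if __name__ == "__main__":
    for domain, info in score_domains(constructed_log()).items():
        print(domain, info)
```

The thresholds are deliberately conservative; CDNs and some antivirus vendors also generate long unique subdomains, so a production rule should keep an allow-list of known high-churn domains and alert on TXT or NULL record volume separately, since tunnels prefer those types for their larger payloads.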

6. Detection & Response Testing

6.1 SIEM & IDS/IPS Evaluation

  • Monitor SIEM logs to determine whether network scans, privilege escalation and lateral movement generated alerts, and how long each took to surface.
  • Check whether IDS/IPS flagged the scanning, exploitation and C2 traffic that was actually sent, not just the traffic the signatures were written for.
  • Review Windows Security events (4624/4625 logons, 4688 process creation, 4697/7045 service installs) and PowerShell Script Block Logging (event 4104) for the privilege escalation and remote execution performed during the campaign.
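The lateral movement techniques in 4.1 (PsExec-style service execution, WMI) map to specific event sequences that the review in 6.1 should look for: a network logon (4624 with LogonType 3) on the target host, followed within seconds by a service install (7045) or a process whose parent is WmiPrvSE.exe (4688). As an added example (not from the original page and not a vendor rule), the script below performs that correlation over constructed events and then ranks source addresses by how many hosts they moved to, which singles out the pivot machine. Field names follow the Windows event XML; the events themselves are invented for the example.

```python
"""Correlate Windows events into lateral-movement alerts: a network logon
(4624, LogonType 3) followed within a short window on the same host by a
service install (System log 7045) or by a process whose parent is WmiPrvSE.exe
(4688). Added example over constructed events, not real telemetry; field names
follow the event XML."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 5, 8, 10, 0, 0)


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    # Ordinary file-share access: a network logon with nothing suspicious after it.
    {"time": _at(0), "host": "FS01", "id": 4624, "LogonType": 3,
     "IpAddress": "10.0.0.15", "TargetUserName": "jsmith"},
    # PsExec-style: admin network logon, then a service whose binary was copied to ADMIN$.
    {"time": _at(60), "host": "SRV02", "id": 4624, "LogonType": 3,
     "IpAddress": "10.0.0.21", "TargetUserName": "helpdesk-adm"},
    {"time": _at(63), "host": "SRV02", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # WMI: network logon, then cmd.exe spawned by the WMI provider host.
    {"time": _at(120), "host": "SRV03", "id": 4624, "LogonType": 3,
     "IpAddress": "10.0.0.21", "TargetUserName": "helpdesk-adm"},
    {"time": _at(125), "host": "SRV03", "id": 4688, "SubjectUserName": "helpdesk-adm",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    # Software deployment: a service install with no remote logon shortly before it.
    {"time": _at(400), "host": "WS09", "id": 7045, "ServiceName": "Sense",
     "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
     "AccountName": "LocalSystem"},
]


def lateral_movement_alerts(events, window=timedelta(seconds=120)):
    """Return [(host, technique, source_ip, user)] for every 7045 or WMI-parented 4688
    that was preceded on the same host, within `window`, by a type-3 logon."""
    recent_logons = defaultdict(list)          # host -> type-3 logons seen so far
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        host = e["host"]
        if e["id"] == 4624 and e.get("LogonType") == 3:
            recent_logons[host].append(e)
            continue
        if e["id"] == 7045:
            technique = "remote service install (PsExec-style)"
        elif e["id"] == 4688 and e.get("ParentProcessName", "").lower().endswith("wmiprvse.exe"):
            technique = "WMI remote process execution"
        else:
            continue
        for logon in recent_logons[host]:
            if timedelta(0) <= e["time"] - logon["time"] <= window:
                alerts.append((host, technique, logon["IpAddress"], logon["TargetUserName"]))
                break
    return alerts


def pivot_sources(alerts):
    """Source IPs ranked by how many distinct hosts they moved to: the pivot boxes."""
    hosts_by_src = defaultdict(set)
    for host, _technique, src, _user in alerts:
        hosts_by_src[src].add(host)
    return sorted(((len(hosts), src) for src, hosts in hosts_by_src.items()), reverse=True)


if __name__ == "__main__":
    found = lateral_movement_alerts(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("pivot sources:", pivot_sources(found))
```

A tooled attacker renames PSEXESVC and drops the binary under a different path, so the correlation keys on the logon-then-install sequence rather than on the service name; the Sense install on WS09 shows why the logon precondition matters for keeping deployment noise out of the alert stream.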

6.2 Incident Response Validation

  • Test the effectiveness of incident response plans through simulated attacks.
  • Evaluate response time, containment strategies, and the overall escalation process.
  • Ensure forensic evidence collection procedures are in place to track the attacker’s movements and actions.

6.3 User Behavior Analytics (UBA)

  • Use UBA/UEBA tooling to detect abnormal patterns (e.g., unusual login times, first-time access to sensitive shares, logons from a workstation the user has never used before).
  • Check whether lateral movement and privilege escalation that bypassed signature-based defenses were still surfaced as behavioural anomalies.
  • Record which of the red team's actions UEBA scored and which it missed, so the results can be fed back into baselining.

7. Reporting & Remediation Recommendations

7.1 Comprehensive Attack Report

  • Deliver a detailed report summarizing all attack vectors, successful exploits, and privilege escalations.
  • Provide Proof-of-Concept (PoC) for each vulnerability or exploit leveraged during the engagement.
  • Include screen captures, log files, and network traffic from the attack for thorough documentation.

7.2 Remediation Recommendations

  • Offer tailored remediation steps to mitigate identified risks and vulnerabilities.
  • Suggest improvements for network segmentation, access controls, and patch management.
  • Recommend security awareness training for staff to mitigate social engineering risks.

7.3 Post-Engagement Retesting

  • Conduct retesting to ensure all vulnerabilities and attack vectors identified during the engagement have been mitigated.
  • Verify that the implemented remediation measures are effective in blocking the previously exploited attack paths.
  • Validate that the organization has applied the necessary patches, reconfigured systems, and strengthened defenses to prevent similar attacks.
  • Re-assess any security controls that were bypassed during the initial engagement to confirm that they are properly configured.
  • Test the effectiveness of new security measures that were introduced after the initial testing phase.

8. Engagement Closure

8.1 Final Report Delivery

  • Provide a final comprehensive report summarizing all activities conducted during the engagement, including:
    • Detailed attack vectors and methods used.
    • Successful exploits and escalation paths.
    • Vulnerabilities discovered within systems and processes.
    • Mitigation and remediation steps that were recommended.
    • Post-engagement verification results to ensure issues have been addressed.
  • Ensure the report contains clear evidence of success (e.g., screenshots, command logs, system configurations) from the exploitation phase.

8.2 Client Feedback & Discussion

  • Meet with the client to discuss the findings and ensure they understand the report.
  • Answer any follow-up questions about the methodology, specific attack vectors, or recommended remediation.
  • Provide advice on further strengthening the security posture based on findings.
  • Offer security training recommendations for the client’s employees based on the tactics, techniques, and procedures (TTPs) used during the campaign.

8.3 Knowledge Transfer

  • Share any lessons learned or best practices with the client, including:
    • Techniques for improving internal security awareness and defense mechanisms.
    • Tools and resources that the client can use for ongoing monitoring and vulnerability management.
    • Recommendations for future red team exercises or ongoing security assessments.
  • Provide resources to help the client maintain the improvements made during the engagement.

8.4 Final Handoff & Documentation

  • Handoff all relevant documentation from the engagement, including:
    • Attack vector mappings and detailed analysis of successful exploitation.
    • Remediation steps taken, and any technical configurations or fixes made.
    • Proof of concept (PoC) for successful exploits (with recommendations for closing vulnerabilities).
  • Ensure the client has access to all artifacts, logs, and data that can support post-engagement analysis or audits.

9. Continuous Improvement & Recommendations

9.1 Security Posture Assessment

  • Recommend ongoing red team assessments at regular intervals to simulate evolving threats.
  • Suggest implementing a continuous improvement program for the client’s security team, ensuring they are prepared for evolving attack methods.
  • Encourage scenario-based training to better equip staff to recognize social engineering or phishing attempts in the future.

9.2 Threat Intelligence Integration

  • Encourage the client to integrate threat intelligence feeds to stay informed about emerging attack techniques and threat actor tactics.
  • Recommend security information sharing within industry groups to share insights and tactics with peers.
  • Suggest automated threat hunting to proactively search for signs of compromise or vulnerabilities within the network.

9.3 Security Tool Recommendations

  • Suggest implementing or enhancing the use of security tools such as:
    • SIEM (Security Information and Event Management) systems for proactive monitoring.
    • Endpoint Detection and Response (EDR) tools to detect and respond to suspicious activity at endpoints.
    • Network monitoring tools like IDS/IPS for real-time traffic analysis and anomaly detection.
    • Privileged Access Management (PAM) solutions to limit the scope of privilege escalation.

10. Final Recommendations for Red Team Campaigns

10.1 Ongoing Security Testing

  • Recommend that the client regularly schedule red team campaigns to simulate various types of cyber-attacks (e.g., APT, insider threats, external breaches).
  • Advise on simulating both external attacks (hacking from outside the network) and internal attacks (compromised internal users, lateral movement).
  • Encourage continuous integration of offensive and defensive testing to evaluate the response time and adaptability of security measures.

10.2 Security Maturity Model

  • Help the client develop a security maturity model that includes:
    • Initial assessment of their security controls.
    • Ongoing tracking of improvements and gaps identified during red team engagements.
    • Clear goals for enhancing security posture through controlled and gradual improvements.
  • Suggest periodic reviews of the security program to ensure it stays current with new attack methodologies.

10.3 Long-Term Threat Mitigation Strategies

  • Develop a long-term strategy that includes:
    • Security hardening (e.g., patch management, network segmentation, privilege minimization).
    • Regular threat and vulnerability assessments to identify potential risks before attackers do.
    • Enhancing incident response capabilities to quickly detect, contain, and mitigate future attacks.
  • Ensure that the client continuously updates its response playbooks to address new and emerging threats effectively.

12. Remediation & Continuous Improvement

  • Patch & Harden Systems: Address identified vulnerabilities and apply security patches.
  • Improve Detection: Enhance monitoring and alerting to detect lateral movement and privilege escalation.
  • Train Employees: Conduct ongoing social engineering training to reduce human error.
  • Retest Security Posture: Perform follow-up assessments to validate remediation efforts.

© 2025 Sherlocked. All rights reserved.