How to Create an Internal/Corporate Red Team

Simulating Adversaries Since 1984

Step 1 — Build Relationships with Blue

Step 2 — Unit Test Your Detections

Step 3 — Draft Your Rules of Engagement

Step 4 — Baby’s First Red Team Exercise

  • Pick a specific access objective, but keep it simple (e.g. access to an Accounting system, or privileged access to an IT system). “King of the hill” could be a reasonable first objective, but it probably shouldn’t be the goal of a mature red team program.
  • Set up an internally hosted VM to run your single and only C2 server (for the first exercise, skip the drama of procuring external VMs for redirectors, DNS domains, categorization, etc.). Note that this completely bypasses a very important set of telemetry from your egress stack; that tradeoff is worth it in exchange for a simple first exercise.
  • Use an “assume breach” methodology: ask your trusted agent to provide access to an internal target system (e.g. a workstation), then either execute a prepared payload on it or use the credentials you were given to live off the land. Going full outside-to-inside is difficult (as it should be!), and your organization will benefit more from extra repetitions on the post-exploitation part of the attack chain than on the initial access phase. (You’ll add that in later.)
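The two technical pieces of that first exercise are the single internal C2 listener and the payload that checks in to it. The following is an added example, not code from the original post or from the author’s program: a toy, self-contained model of that exchange in Python, with the listener and the “implant” in one process on loopback. The protocol (a JSON POST to /beacon that returns one task, a JSON POST to /result that reports output), the implant id “demo-implant”, and the task list are all hypothetical; the “task output” is a constructed string, since nothing is actually executed.

```python
"""Toy check-in/task exchange in the shape of a first-exercise internal C2.

Added example, not part of the original post. The /beacon and /result
endpoints, the implant id and the task list are hypothetical; everything runs
in one process on 127.0.0.1 so it can be run offline.
"""
import json
import random
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

# Server-side state: tasks queued per implant id, and results received back.
TASKS = {"demo-implant": ["whoami", "hostname"]}
RESULTS = []

# Ignore any http_proxy in the environment; we only talk to loopback.
OPENER = build_opener(ProxyHandler({}))


class C2Handler(BaseHTTPRequestHandler):
    """Hypothetical listener: hands out one task per beacon, stores results."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/beacon":
            queue = TASKS.get(body.get("id"), [])
            task = queue.pop(0) if queue else None  # None means "sleep, nothing to do"
            reply = {"task": task}
        elif self.path == "/result":
            RESULTS.append((body.get("id"), body.get("task"), body.get("output")))
            reply = {"ok": True}
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(host="127.0.0.1", port=0):
    """Start the listener on an ephemeral port in a daemon thread; return (server, base_url)."""
    srv = HTTPServer((host, port), C2Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://{host}:{srv.server_address[1]}"


def post_json(url, payload):
    """POST a JSON body and decode the JSON reply."""
    req = Request(url, data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"})
    with OPENER.open(req, timeout=5) as resp:
        return json.loads(resp.read())


def run_implant(base_url, implant_id, sleep=0.05, jitter=0.5, max_beacons=10):
    """Beacon with jittered sleep until the server has no task; return the tasks handled."""
    done = []
    for _ in range(max_beacons):
        task = post_json(f"{base_url}/beacon", {"id": implant_id}).get("task")
        if task is None:
            break
        # Constructed stand-in: a real payload would execute the task here.
        output = f"simulated output for {task}"
        post_json(f"{base_url}/result", {"id": implant_id, "task": task, "output": output})
        done.append(task)
        time.sleep(sleep * random.uniform(1 - jitter, 1 + jitter))
    return done


def run_exercise():
    """Run listener and implant end to end; return (tasks executed, results the server saw)."""
    srv, base = start_server()
    try:
        executed = run_implant(base, "demo-implant")
    finally:
        srv.shutdown()
        srv.server_close()
    return executed, list(RESULTS)


if __name__ == "__main__":
    tasks, results = run_exercise()
    print("tasks executed by implant:", tasks)
    print("results received by listener:", results)
```

Because the listener sits on an internal VM, none of this traffic crosses the egress stack, which is exactly the telemetry gap the second bullet warns about; the jittered sleep in `run_implant` is the one detail worth keeping from the toy, since fixed-interval beaconing is the easiest thing for the blue team to spot once you move to external infrastructure.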

Step 5 — External Infrastructure

Step 6 — Advanced Objectives

Step 7 — More Initial Access Vectors


Tim MalcomVetter

Red Team Leader at Fortune 1. I left my clever profile in my other social network: