Learning Objectives
Step 0: Define the Scope & Objectives
This phase consists of kickoff calls and scoping meetings. Key items to define:
- Engagement Duration: weeks or months?
- Primary Goals: testing enterprise security controls or SOC procedures?
- Detection Risk: is the blue team active or passive?
- Get Out of Jail Free Card: a designated resource vouching for your activities
- Lateral Limits: off-limits areas
Step 1: Leverage Threat Intel for Adversary Emulation
Threat intelligence is the process of collecting, analyzing, and applying information about adversaries to improve security defenses.
Understanding TTPs
- Tactics: the why behind an attack (Initial Access, Privilege Escalation)
- Techniques: how adversaries achieve goals (Spearphishing, Credential Dumping)
- Procedures: specific threat-group implementations
Step 2: Develop a Tailored Attack Plan
Mapping Intel to MITRE ATT&CK
- Define the target industry
- Download the latest Verizon DBIR
- Find the industry in the report
- Map top patterns to MITRE ATT&CK terminology, e.g. Social Engineering = T1566, Basic Web Application Attack = T1190
- Identify actor motives (e.g. Financial)
- Google Dork: site:attack.mitre.org "retail" "T1566" "T1190" "financially motivated"
- Open the corresponding MITRE Group APT page
Creating the ATT&CK Plan
- Visit the attack group's MITRE Group page
- Click ATT&CK Navigator > View
- Google "<APT> recent attacks"
- Create an outline of the TTPs to use (templates: Injects Plan, Injects Plan Example). Headers: Tactic | Technique ID | Name | Description | Target | Command | Flag | MD5
- Systematically develop the plan through each tactic
Use tools like PowerPoint, Keynote, or tldraw.com to create a data-flow diagram visualizing the attack chain.
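Once the outline exists as a table with the headers above, the same rows can drive the ATT&CK Navigator view mentioned in the plan steps. The script below is an added example (not part of the course material): it validates the Technique ID column, de-duplicates rows, and emits a Navigator layer JSON that can be opened with "Open Existing Layer". The sample rows are constructed, and the ATT&CK/Navigator/layer version numbers in the output are assumptions to adjust to the Navigator release in use.

```python
"""Turn a Step 2 injects-plan table into an ATT&CK Navigator layer.
Added example; sample rows and version strings are assumptions."""
import json
import re

# Technique IDs look like T1566 or, for sub-techniques, T1003.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample of the plan table (Tactic | Technique ID | Name | Description | Target).
SAMPLE_PLAN = [
    {"Tactic": "Initial Access", "Technique ID": "T1566", "Name": "Phishing",
     "Description": "DBIR social-engineering pattern", "Target": "workstation"},
    {"Tactic": "Initial Access", "Technique ID": "T1190",
     "Name": "Exploit Public-Facing Application",
     "Description": "DBIR basic web application attack pattern", "Target": "web server"},
    {"Tactic": "Credential Access", "Technique ID": "T1003.001",
     "Name": "OS Credential Dumping: LSASS Memory",
     "Description": "Procedure from the emulated group's profile", "Target": "workstation"},
]


def validate_plan(rows):
    """Return a list of problems found in the table; an empty list means all rows are usable."""
    problems = []
    for i, row in enumerate(rows):
        tid = row.get("Technique ID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"row {i}: bad technique id {tid!r}")
        if not row.get("Tactic"):
            problems.append(f"row {i}: missing tactic")
    return problems


def tactic_slug(tactic):
    """Navigator expects tactic names as lowercase slugs, e.g. 'initial-access'."""
    return tactic.strip().lower().replace(" ", "-")


def build_layer(rows, name="Adversary emulation plan", score=1):
    """Build the Navigator layer dict; one entry per (technique, tactic) pair."""
    problems = validate_plan(rows)
    if problems:
        raise ValueError("; ".join(problems))
    techniques, seen = [], set()
    for row in rows:
        key = (row["Technique ID"], tactic_slug(row["Tactic"]))
        if key in seen:
            continue
        seen.add(key)
        techniques.append({
            "techniqueID": key[0],
            "tactic": key[1],
            "score": score,
            "comment": f"{row['Target']}: {row['Description']}",
            "enabled": True,
            "showSubtechniques": False,
        })
    return {
        "name": name,
        # Assumed versions; match them to the Navigator instance you open the layer in.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from the injects plan table",
        "techniques": techniques,
    }


def layer_json(rows, **kwargs):
    """Serialised layer, ready to save as plan-layer.json."""
    return json.dumps(build_layer(rows, **kwargs), indent=2)


if __name__ == "__main__":
    print(layer_json(SAMPLE_PLAN))
```

Highlighting the planned techniques on the emulated group's own Navigator layer makes it obvious which of the group's known TTPs the plan exercises and which it leaves uncovered, which is a useful check before the plan is finalised.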
Step 3: Design & Deploy C2 Infrastructure
Infrastructure Components
- Cloud Hosting (IaaS): AWS, Azure, GCP (free-tier); Terraform; Ansible; EC2s, VPCs
- Redirectors: Nginx, Caddy, HAProxy; Cloudflare / CloudFront domain fronting; basic redirector with iptables
- C2 Framework: Sliver (free), Empire (free), Cobalt Strike (paid)
- Additional: bastion host, phishing/payload server, logging server
Acquiring Domains
Domain names are critical for generating legitimate-looking traffic. Strategy: revive expired domains with history to avoid proxy detection. Using ExpiredDomains.net, sort deleted domains by BackLinks (BL), and prioritize WBY (whois first seen) and ABY (archive.org first seen).
AWS Infrastructure Setup
Creating a VPC
- Name: TestVPC, IPv4 CIDR: 10.0.0.0/16, Amazon-provided IPv6
- 1 availability zone, 1 public + 1 private subnet, no NAT gateway
- Enable DNS hostnames + DNS resolution; add an IPv6 CIDR to the public subnet
Internet Gateway & Subnets
- Create RedTeam-IGW and attach it to TestVPC
- Public subnet: auto-assign IPv6, disable auto-assign public IPv4
- Private subnet: auto-assign IPv4
- Public route table: add ::/0 -> IGW. Private route table: remove any ::/0 route, keep 10.0.0.0/16
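The VPC, subnet and route-table steps above are a single procedure, so here is the whole thing as one script. This is an added example using boto3, not the course's own material; it assumes AWS credentials in the environment, a region with IPv6 support, and that the Amazon-provided IPv6 block is a /56 (from which one /64 is carved for the public subnet). The two plan_* functions are pure and can be checked without an AWS account; apply_plan() is what actually creates the resources.

```python
"""Create the Step 3 VPC layout (TestVPC, RedTeam-IGW, an IPv6-capable public subnet
and an IPv4-only private subnet) with boto3. Added example, not from the course."""
import ipaddress

VPC_NAME = "TestVPC"
IGW_NAME = "RedTeam-IGW"
VPC_CIDR = "10.0.0.0/16"


def plan_subnets(vpc_cidr, ipv6_block):
    """Carve a /24 + /64 public subnet and a /24 private subnet out of the VPC ranges."""
    v4 = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24))
    v6 = list(ipaddress.ip_network(ipv6_block).subnets(new_prefix=64))
    return {
        # Public: IPv6 auto-assign on, public IPv4 auto-assign off (edge hosts are IPv6-only).
        "public": {"cidr": str(v4[0]), "ipv6_cidr": str(v6[0]),
                   "assign_ipv6": True, "map_public_ipv4": False},
        # Private: IPv4 only as the outline specifies; its route table never gets an IGW route.
        "private": {"cidr": str(v4[1]), "ipv6_cidr": None,
                    "assign_ipv6": False, "map_public_ipv4": True},
    }


def plan_routes(vpc_cidr):
    """Route-table intent: only the public table gets a ::/0 default via the IGW."""
    return {
        "public": [(vpc_cidr, "local"), ("::/0", "igw")],
        "private": [(vpc_cidr, "local")],
    }


def tag(resource_type, name):
    """TagSpecifications helper so every resource carries a Name tag."""
    return [{"ResourceType": resource_type, "Tags": [{"Key": "Name", "Value": name}]}]


def apply_plan(ec2, vpc_cidr=VPC_CIDR):
    """Run the plan against an EC2 client; returns the ids of everything created."""
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr, AmazonProvidedIpv6CidrBlock=True,
                            TagSpecifications=tag("vpc", VPC_NAME))["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsSupport={"Value": True})
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})
    vpc = ec2.describe_vpcs(VpcIds=[vpc_id])["Vpcs"][0]
    ipv6_block = vpc["Ipv6CidrBlockAssociationSet"][0]["Ipv6CidrBlock"]
    az = ec2.describe_availability_zones()["AvailabilityZones"][0]["ZoneName"]

    ids = {"vpc": vpc_id}
    for name, spec in plan_subnets(vpc_cidr, ipv6_block).items():
        kwargs = {"VpcId": vpc_id, "CidrBlock": spec["cidr"], "AvailabilityZone": az,
                  "TagSpecifications": tag("subnet", f"{VPC_NAME}-{name}")}
        if spec["ipv6_cidr"]:
            kwargs["Ipv6CidrBlock"] = spec["ipv6_cidr"]
        sid = ec2.create_subnet(**kwargs)["Subnet"]["SubnetId"]
        if spec["ipv6_cidr"]:
            ec2.modify_subnet_attribute(
                SubnetId=sid, AssignIpv6AddressOnCreation={"Value": spec["assign_ipv6"]})
        ec2.modify_subnet_attribute(
            SubnetId=sid, MapPublicIpOnLaunch={"Value": spec["map_public_ipv4"]})
        ids[name] = sid

    igw = ec2.create_internet_gateway(TagSpecifications=tag("internet-gateway", IGW_NAME))
    igw_id = igw["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    ids["igw"] = igw_id

    for name, routes in plan_routes(vpc_cidr).items():
        rtb = ec2.create_route_table(
            VpcId=vpc_id, TagSpecifications=tag("route-table", f"{VPC_NAME}-{name}-rt"))
        rtb_id = rtb["RouteTable"]["RouteTableId"]
        for dest, target in routes:
            if target == "igw":  # the "local" route exists implicitly in every table
                ec2.create_route(RouteTableId=rtb_id, DestinationIpv6CidrBlock=dest,
                                 GatewayId=igw_id)
        ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=ids[name])
        ids[f"{name}_rt"] = rtb_id
    return ids


if __name__ == "__main__":
    import boto3  # only needed when resources are actually created
    print(apply_plan(boto3.client("ec2")))
```

Keeping the subnet and route intent in pure functions means the part that matters for isolation (no ::/0 in the private table, no public IPv4 on the public subnet) can be asserted in a unit test before anything touches the account.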
AWS Pricing & Costs
Example full-operation infrastructure (24/7):
- Bastion Host (t3.micro): $0 (free tier)
- Redirector (t3.micro): ~$7/mo
- Phishing Server (t3.micro): ~$7/mo
- Payload Server (t3.micro): ~$7/mo
- Cobalt Strike Team Server (t3.small): ~$14/mo
- RedELK Logging Server (t3.medium): ~$28/mo
Setting Up EC2 Instances
Bastion Host
A bastion host is a server at the perimeter of a network, designed as a single point of entry for authorized users to access a private network from the public internet. Ubuntu, t3.micro, public subnet, IPv6 only (no public IPv4), Bastion-SG, 8 GB gp3, termination protection on, IMDSv2 only.
$ chmod 600 ./bastion-key.pem
$ ssh -i bastion-key.pem ubuntu@[IPv6-ADDRESS]
A Cloudflare Tunnel (cloudflared) can be installed for SSH access in the IPv6-only environment.
Redirector
Hides the C2 server's real IP and routes traffic between targets and C2. Ubuntu, t2.micro, public subnet, IPv6 only, Public-SG, 8 GB gp3. Reach it by hopping through the bastion:
$ scp -i bastion-key.pem ./redirector-key.pem ubuntu@[BASTION_IPv6]:/home/ubuntu/bastion-host/redirector-key.pem
$ ssh -i bastion-key.pem ubuntu@[BASTION_IPv6]
$ ssh -i redirector-key.pem ubuntu@[REDIRECTOR_IPv6]
C2 Server
Ubuntu, t2.micro, private subnet, no public IPv4/IPv6, Private-SG, 20 GB gp3 with encryption enabled. Reachable only from the bastion host.
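The three host descriptions above each carry hardening requirements (IPv6-only edge hosts, a C2 server with no public address at all, IMDSv2 enforced and termination protection on the bastion, an encrypted C2 disk). Drift from that layout, such as a public IPv4 appearing on the C2 server, is exactly what exposes the infrastructure, so it is worth checking mechanically. The audit below is an added example, not course material: it encodes those requirements per role and reports every deviation. The record shape is an assumption (a collector would fill it from describe_instances, describe_instance_attribute for disableApiTermination, and describe_volumes for encryption), and the inventory is constructed, with the C2 host deliberately misconfigured.

```python
"""Audit the Step 3 EC2 hosts against the hardening the outline prescribes.
Added example; record shape and inventory are constructed for illustration."""

# Requirements per role, taken from the host descriptions in Step 3.
# None means the outline states no requirement for that role, so the check is skipped.
ROLE_POLICY = {
    "bastion":    {"subnet": "public",  "public_ipv4": False, "ipv6": True,  "sg": "Bastion-SG",
                   "imdsv2": True, "termination_protection": True, "encrypted": None},
    "redirector": {"subnet": "public",  "public_ipv4": False, "ipv6": True,  "sg": "Public-SG",
                   "imdsv2": None, "termination_protection": None, "encrypted": None},
    "c2":         {"subnet": "private", "public_ipv4": False, "ipv6": False, "sg": "Private-SG",
                   "imdsv2": None, "termination_protection": None, "encrypted": True},
}

# Constructed inventory (documentation address ranges); c2-01 violates two rules.
INVENTORY = [
    {"name": "bastion-01", "role": "bastion", "subnet": "public", "public_ipv4": None,
     "ipv6": "2001:db8:0:1::10", "sg": "Bastion-SG", "imdsv2": True,
     "termination_protection": True, "encrypted": False},
    {"name": "redir-01", "role": "redirector", "subnet": "public", "public_ipv4": None,
     "ipv6": "2001:db8:0:1::20", "sg": "Public-SG", "imdsv2": True,
     "termination_protection": False, "encrypted": False},
    {"name": "c2-01", "role": "c2", "subnet": "private", "public_ipv4": "198.51.100.7",
     "ipv6": None, "sg": "Private-SG", "imdsv2": False,
     "termination_protection": False, "encrypted": False},
]


def check_host(host, policy):
    """Compare one host record with its role policy; returns a list of finding strings."""
    name = host["name"]
    findings = []
    if host["subnet"] != policy["subnet"]:
        findings.append(f"{name}: in {host['subnet']} subnet, expected {policy['subnet']}")
    if policy["public_ipv4"] is False and host.get("public_ipv4"):
        findings.append(f"{name}: has public IPv4 {host['public_ipv4']}")
    has_ipv6 = bool(host.get("ipv6"))
    if policy["ipv6"] != has_ipv6:
        findings.append(f"{name}: IPv6 address {'missing' if policy['ipv6'] else 'present'}")
    if host["sg"] != policy["sg"]:
        findings.append(f"{name}: security group {host['sg']}, expected {policy['sg']}")
    for flag in ("imdsv2", "termination_protection", "encrypted"):
        want = policy[flag]
        if want is not None and host.get(flag) != want:
            findings.append(f"{name}: {flag} should be {want}")
    return findings


def audit(inventory, policies=ROLE_POLICY):
    """Audit every host; hosts with an unknown role are reported rather than skipped."""
    findings = []
    for host in inventory:
        policy = policies.get(host["role"])
        if policy is None:
            findings.append(f"{host['name']}: unknown role {host['role']!r}")
            continue
        findings.extend(check_host(host, policy))
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY) or ["no findings"]:
        print(line)
```

Running this after every infrastructure change (or from a scheduled job) turns the outline's host descriptions into an enforced baseline rather than a one-time checklist; the redirector entries pass because the outline states no IMDS or encryption requirement for that role, which is where you would tighten the policy first.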