Playbook · Red Team

Rowdy Roddy Red Team Infrastructure

A playbook for completing the administrative and technical logistics of a red team engagement.

Learning Objectives

The overall goal is to hand you a playbook on how to complete the administrative and technical logistics for a red team engagement.

Step 0 - Define the Scope & Objectives

This phase consists of kickoff calls and scoping meetings. Key definitions:

Step 1 - Leverage Threat Intel for Adversary Emulation

Threat intelligence is the process of collecting, analyzing, and applying information about adversaries to improve security defenses.

Understanding TTPs

Step 2 - Develop a Tailored Attack Plan

Mapping Intel to MITRE ATT&CK

  1. Define the target industry
  2. Download the latest Verizon DBIR
  3. Find the industry in the report
  4. Map the top patterns to MITRE ATT&CK terminology, e.g. Social Engineering = T1566, Basic Web Application Attack = T1190
  5. Identify actor motives (e.g. Financial)
  6. Google Dork: site:attack.mitre.org "retail" "T1566" "T1190" "financially motivated"
  7. Open the corresponding MITRE Group APT page

Creating the ATT&CK Plan

  1. Visit the attack group's MITRE Group page
  2. Click ATT&CK Navigator > View
  3. Google "<APT> recent attacks"
  4. Create an outline of the TTPs to use. Templates: Injects Plan, Injects Plan Example. Headers: Tactic | Technique ID | Name | Description | Target | Command | Flag | MD5
  5. Systematically develop the plan through each tactic

Use tools like PowerPoint, Keynote, or tldraw.com to create a data-flow diagram visualizing the attack chain.

Step 3 - Design & Deploy C2 Infrastructure

Infrastructure Components

Three core prerequisites: (1) a goal and permission to pursue it, (2) an attack plan that emulates a relevant threat actor, (3) domain names under which C2 traffic can blend in with legitimate traffic.

Acquiring Domains

Domain names are critical for making C2 traffic look legitimate. Strategy: revive expired domains that have a history, since an aged, previously categorized domain is less likely to be blocked by web-proxy categorization than a newly registered one. On ExpiredDomains.net, sort deleted domains by backlinks (BL) and prioritize those with the oldest WBY (WHOIS first seen) and ABY (archive.org first seen) dates.

AWS Infrastructure Setup

A setup that follows this guide stays within the AWS Free Tier. The costs listed below are for full monthly operation.

Creating a VPC

Internet Gateway & Subnets

AWS Pricing & Costs

Example full-operation infrastructure (24/7):

Grand total: ~$65/month (budget ~$120/month to be safe). Elastic IPv4 costs $0.005/hr; public IPv6 and private IPv4 are free.

Setting Up EC2 Instances

Bastion Host

A bastion host is a server at the perimeter of a network, designed as the single point of entry for authorized users to reach a private network from the public internet. Specification: Ubuntu, t3.micro, public subnet, IPv6 only (no public IPv4), Bastion-SG security group, 8 GB gp3 root volume, termination protection on, IMDSv2 only.

$ chmod 600 ./bastion-key.pem
$ ssh -i bastion-key.pem ubuntu@[IPv6-ADDRESS]

A Cloudflare Tunnel (cloudflared) can be installed for SSH access in the IPv6-only environment.

Redirector

The redirector hides the C2 server's real address by relaying traffic between targets and the C2. Specification: Ubuntu, t2.micro, public subnet, IPv6 only, Public-SG, 8 GB gp3. Reach it by hopping through the bastion:

$ scp -i bastion-key.pem ./redirector-key.pem ubuntu@[BASTION_IPv6]:/home/ubuntu/bastion-host/redirector-key.pem
$ ssh -i bastion-key.pem ubuntu@[BASTION_IPv6]
$ ssh -i redirector-key.pem ubuntu@[REDIRECTOR_IPv6]

C2 Server

Specification: Ubuntu, t2.micro, private subnet, no public IPv4/IPv6, Private-SG, 20 GB gp3 with encryption enabled. Reachable only by hopping through the bastion.
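As an added example that is not part of the original playbook, the following ~/.ssh/config reaches the redirector and the C2 server through the bastion with ProxyJump, so the redirector and C2 private keys stay on the operator's workstation instead of being copied onto the bastion as in the scp step above. The host aliases, key paths (including the c2-key.pem name) and the bracketed addresses are assumptions; the Private-SG is assumed to permit SSH from the bastion.

```sshconfig
# Added example, not from the original playbook. Bracketed values are
# placeholders; substitute the addresses from your own deployment.
# Chain: workstation -> bastion (public IPv6 only) -> redirector / C2 (private subnet).
# No private key leaves the workstation: every hop is tunnelled with ProxyJump.

Host bastion
    HostName [BASTION_IPv6]
    User ubuntu
    IdentityFile ~/.ssh/bastion-key.pem
    IdentitiesOnly yes
    AddressFamily inet6

Host redirector
    HostName [REDIRECTOR_IPv6]
    User ubuntu
    IdentityFile ~/.ssh/redirector-key.pem
    IdentitiesOnly yes
    ProxyJump bastion

# The C2 has no public address by design; its private-subnet IPv4 is only
# reachable once the connection has passed through the bastion.
Host c2
    HostName [C2_PRIVATE_IPv4]
    User ubuntu
    IdentityFile ~/.ssh/c2-key.pem
    IdentitiesOnly yes
    ProxyJump bastion

# Shared hardening for all three hops. Agent forwarding is unnecessary with
# ProxyJump, and a dedicated known_hosts file keeps engagement host keys
# separate from the operator's everyday ones.
Host bastion redirector c2
    ForwardAgent no
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_redteam
```

With this in place, `ssh c2` opens a session through the bastion in one command, and `ssh -G c2` prints the fully resolved options so the jump chain can be checked before connecting.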
