Hello world and welcome to Haxez. In this post I’m going to be talking about Red Team Engagements. Again, for those who haven’t been following along, this is the Red Teaming learning path on TryHackMe. If you’re interested in cybersecurity or hacking, then I would highly recommend giving it a look.
Task 1 – Red Team Engagements Introduction
As with most of the educational rooms on TryHackMe, the first task introduces the topic being discussed. Notably, it covers the different types of Red Team engagements, whether it’s a tabletop exercise, adversary emulation, or a physical assessment. Furthermore, it goes on to explain what the following tasks are going to discuss. There isn’t much more to say about the task than that. There is a “question” in this task, but it doesn’t require an answer.
Task 2 – Defining Scope and Objectives
The second task in the room focuses on defining the scope and objectives, including why it is important to agree upon the scope with the client. It discusses how and why IP ranges, domain names, and other information should be included. Additionally, it discusses why it is important to understand the client’s objectives.
Question: What CIDR range is permitted to be attacked?
Answer: 10.0.4.0/22
Question: Is the use of white cards permitted? (Y/N)
Answer: Y
Question: Are you permitted to access "*.bethechange.xyz"? (Y/N)
Answer: N
Task 3 – Rules of Engagement
The next task in the room discusses the rules of engagement document. In essence, the rules of engagement document is a legally binding contract outlining what the client’s objectives are. Furthermore, it defines the scope of the engagement, including any explicit restrictions. Additionally, it lists all the stakeholders.
Question: How many explicit restrictions are specified?
Answer: 3
Question: What is the first access type mentioned in the document?
Answer: Phishing
Question: Is the red team permitted to attack 192.168.1.0/24? (Y/N)
Answer: N
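To make the scope and rules of engagement discussion concrete, here is a small scope pre-check I have added for this write-up; it is not code from the TryHackMe room. It takes the permitted CIDR, the restriction on 192.168.1.0/24, the excluded host from Task 9 below and the excluded wildcard domain from the questions above, adds one constructed permitted domain pattern ("*.client.example"), and answers the question every operator should ask before touching anything: is this target actually in scope? Exclusions always win over inclusions, and anything not listed is refused by default.

```python
"""Scope pre-check: validate a candidate target against the agreed scope and
rules of engagement before any activity starts.

Added example for this write-up, not code from the TryHackMe room. The
permitted domain pattern "*.client.example" is a constructed placeholder;
the other scope values are taken from the room's own questions."""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass
class Scope:
    permitted_networks: List[str] = field(default_factory=list)  # CIDRs the client authorised
    excluded_networks: List[str] = field(default_factory=list)   # explicit restrictions (CIDRs)
    excluded_hosts: List[str] = field(default_factory=list)      # single IP addresses never to touch
    permitted_domains: List[str] = field(default_factory=list)   # glob patterns such as "*.client.example"
    excluded_domains: List[str] = field(default_factory=list)    # glob patterns that override permission


def _networks(cidrs: List[str]):
    # strict=False tolerates host bits being set, e.g. "10.0.4.1/22"
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_target(scope: Scope, target: str) -> Tuple[bool, str]:
    """Return (permitted, reason).

    Two deliberate policies: exclusions always win over inclusions, and a
    target that matches nothing is out of scope (deny by default)."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname

    if addr is not None:
        if addr in {ipaddress.ip_address(h) for h in scope.excluded_hosts}:
            return False, f"{target} is an explicitly excluded host"
        for net in _networks(scope.excluded_networks):
            if addr in net:
                return False, f"{target} is inside excluded range {net}"
        for net in _networks(scope.permitted_networks):
            if addr in net:
                return True, f"{target} is inside permitted range {net}"
        return False, f"{target} is not inside any permitted range"

    host = target.lower().rstrip(".")  # normalise case and a trailing dot
    if any(fnmatchcase(host, pat.lower()) for pat in scope.excluded_domains):
        return False, f"{target} matches an excluded domain pattern"
    if any(fnmatchcase(host, pat.lower()) for pat in scope.permitted_domains):
        return True, f"{target} matches a permitted domain pattern"
    return False, f"{target} matches no permitted domain pattern"


# Scope assembled from the room's questions (permitted CIDR, excluded range,
# excluded host, excluded wildcard domain) plus one constructed permitted domain.
EXAMPLE_SCOPE = Scope(
    permitted_networks=["10.0.4.0/22"],
    excluded_networks=["192.168.1.0/24"],
    excluded_hosts=["10.10.6.78"],
    permitted_domains=["*.client.example"],
    excluded_domains=["*.bethechange.xyz"],
)


def filter_targets(scope: Scope, targets: List[str]) -> List[str]:
    """Return only the targets the scope permits; every decision is reported."""
    allowed = []
    for t in targets:
        ok, reason = check_target(scope, t)
        print(("ALLOW  " if ok else "REJECT ") + reason)
        if ok:
            allowed.append(t)
    return allowed


if __name__ == "__main__":
    candidates = ["10.0.5.20", "10.0.8.1", "192.168.1.10", "10.10.6.78",
                  "mail.client.example", "app.bethechange.xyz"]
    print("cleared:", filter_targets(EXAMPLE_SCOPE, candidates))
```

Running it shows 10.0.5.20 and mail.client.example cleared, 10.0.8.1 rejected for sitting just outside the /22, 192.168.1.10 rejected by the explicit restriction, 10.10.6.78 rejected as an excluded host, and app.bethechange.xyz rejected by the wildcard exclusion. Because the hostname match uses shell-style globs, "*.bethechange.xyz" does not cover the bare apex "bethechange.xyz"; that name is still refused, but only because nothing permits it, which is exactly why deny-by-default matters when a scope document is ambiguous.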
Task 4 – Red Team Campaign Planning
The next task in the room is titled campaign planning. In summary, it explains how each Red Team engagement can be broken down into four plans. The engagement plan contains all the technical requirements. The operations plan expands on the engagement plan and goes into further detail. The mission plan includes the exact commands to run and at what time. The remediation plan contains information on what happens once the campaign has finished. There are no questions in this task.
Task 5 – Engagement Documentation
The fifth task in the room further elaborates on the planning phase by discussing the engagement documentation. Furthermore, each piece of engagement documentation corresponds to one of the plans from the planning phase. The author discusses what each of the documents may contain, but notes that this may vary from organization to organization. If you’ve worked in the IT industry for a while, you will understand that each company does things differently.
Task 6 – Concept of Operation
Further expanding on the engagement documentation, task 6 explains the Concept of Operation (CONOPS) document. In essence, the CONOPS document can be compared to a penetration test executive summary. An executive summary is a high-level document aimed at executives who may not have a deep technical understanding. The task further explains that the CONOPS should include the client’s name, timeframe, objectives, and tools to be used.
Task 7 – Resource Plan
The resource plan discussed in task 7 is a document that gives an overview of the dates and resource requirements. However, this document should be written as a bulleted list rather than a summary. Furthermore, there is no defined standard for this document, so it is likely that these documents will vary from company to company.
Question: When will the engagement end? (MM/DD/YYYY)
Answer: 11/14/2021
Question: What is the budget the red team has for AWS cloud cost?
Answer: $1000
Question: Are there any miscellaneous requirements for the engagement? (Y/N)
Answer: N
Task 8 – Operations Plan
An operations plan is a document that provides details on the engagement and what will take place. This document should be more detailed than the CONOPS document and may also contain the Rules of Engagement document. Furthermore, it too should be a bulleted list like the resource plan. It should include things like stopping conditions, assigned personnel, TTPs, and communication plans.
Question: What phishing method will be employed during the initial access phase?
Answer: Spearphishing
Question: What site will be utilized for communication between the client and red cell?
Answer: vectr.io
Question: If there is a system outage, the red cell will continue with the engagement. (T/F)
Answer: F
Task 9 – Mission Plan
The ninth task in this room discusses the mission plan document. In essence, this document is specific to each cell, and the details should be completed by the operators. Furthermore, the document should cover the objectives, operators, exploits, targets, and execution plan.
Question: When will the phishing campaign end? (mm/dd/yyyy)
Answer: 10/23/2021
Question: Are you permitted to attack 10.10.6.78? (Y/N)
Answer: N
Question: When a stopping condition is encountered, you should continue working and determine the solution yourself without a team lead. (T/F)
Answer: F
Task 10 – Red Team Engagements Conclusions
The last task in the room is the conclusion. There isn’t much to say about this, so I will use this section to give my own conclusions. Granted, the information in these tasks isn’t as much fun as hands-on labs. However, I appreciate the material for what it is. It doesn’t just teach you the technical skills needed to be a Red Team operator; it teaches you the processes and procedures too. A lot of online learning resources tend to fail in this area by not being able to strike a good balance. TryHackMe excels in giving you both sides of the information.