Chapter 35 Exercises: Red Team Operations

Exercise 35.1: Red Team vs. Penetration Test Scoping

Difficulty: Beginner
Objective: Understand the differences between red team and penetration test engagement scoping.

You have been approached by a mid-size financial services company with the following request: "We want to test our security."

  1. Draft a scope document for a penetration test engagement. Include: target systems, testing methodology, timeline, deliverables, and constraints.
  2. Draft a scope document for a red team engagement against the same organization. Include: threat actor profile, objectives, rules of engagement, timeline, team awareness, and deliverables.
  3. Compare the two documents. List at least eight differences.
  4. Write a recommendation to the CISO explaining which type of engagement is appropriate based on the organization's security maturity. Consider scenarios where each would be the better choice.

Deliverable: Two scope documents, comparison table, and CISO recommendation.

Exercise 35.2: MITRE ATT&CK Navigator Mapping

Difficulty: Beginner
Objective: Use the ATT&CK Navigator to map threat actor techniques and detection coverage.

  1. Access the ATT&CK Navigator at https://mitre-attack.github.io/attack-navigator/
  2. Create a new layer and name it "APT29 Techniques."
  3. Using the ATT&CK website (attack.mitre.org), research APT29 (Cozy Bear) and highlight all techniques attributed to this group.
  4. Create a second layer named "Current Detection Coverage." Assume your organization has:
     - EDR deployed on all endpoints (detects execution, process creation, file modification)
     - SIEM collecting Windows Event Logs (authentication, process creation with Sysmon)
     - Network monitoring (IDS/IPS, NetFlow)
     - Email gateway with attachment sandboxing
  5. Highlight techniques you believe your detections would cover.
  6. Create a combined layer showing the gap between APT29's techniques and your detection coverage.
  7. Identify the top five highest-risk gaps and explain why each is dangerous.

Deliverable: Three ATT&CK Navigator layers (exported as JSON) and gap analysis document.
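Steps 4 to 7 amount to a set difference between the actor's techniques and your covered techniques, written out as a third Navigator layer. The script below is an added example (not part of the chapter): it assumes the Navigator layer JSON field names (`techniqueID`, `score`, `color`, `comment`, `versions`) and uses constructed placeholder technique sets, which you replace with the IDs you gather from attack.mitre.org and your own coverage review.

```python
import json

# Constructed placeholder technique sets (assumption: these are NOT APT29's
# real attribution; substitute the IDs from your research and coverage layer).
ACTOR_TECHNIQUES = {"T1566.001", "T1059.001", "T1078", "T1003.001", "T1021.001", "T1071.001"}
DETECTED_TECHNIQUES = {"T1059.001", "T1003.001", "T1021.001", "T1136.001"}

def gap_analysis(actor, detected):
    """Return (covered, gaps, coverage_pct) for the actor's technique set."""
    covered = sorted(actor & detected)
    gaps = sorted(actor - detected)
    pct = round(100 * len(covered) / len(actor), 1) if actor else 0.0
    return covered, gaps, pct

def build_gap_layer(actor, detected, name="APT29 Coverage Gap"):
    """Build a Navigator layer dict: covered techniques scored 1 (green),
    uncovered ones scored 0 (red). Field names follow the Navigator layer
    JSON format (assumption: version pins below target Navigator 4.x)."""
    covered, gaps, pct = gap_analysis(actor, detected)
    techniques = []
    for tid in covered:
        techniques.append({"techniqueID": tid, "score": 1, "color": "#8ec843",
                           "comment": "covered by existing detection"})
    for tid in gaps:
        techniques.append({"techniqueID": tid, "score": 0, "color": "#ff6666",
                           "comment": "GAP: no detection for this technique"})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(covered)}/{len(actor)} actor techniques covered ({pct}%)",
        "techniques": techniques,
    }

if __name__ == "__main__":
    layer = build_gap_layer(ACTOR_TECHNIQUES, DETECTED_TECHNIQUES)
    with open("apt29_gap_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)   # import this file into the Navigator
    print(layer["description"])
```

The uncovered (red) techniques in the exported layer are the candidates for the top-five gap ranking in step 7.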

Exercise 35.3: Rules of Engagement Document

Difficulty: Intermediate
Objective: Create a comprehensive Rules of Engagement document for a red team engagement.

Scenario: You are leading a red team engagement against MedSecure, a healthcare organization with 2,000 employees, a patient portal, EHR system, and clinical devices.

Create a complete ROE document including:

  1. Executive authorization statement
  2. Engagement objectives (at least three specific goals)
  3. Scope definition (in-scope and out-of-scope systems, with explicit exclusions for patient care)
  4. Timeline and phases
  5. Acceptable and prohibited activities
  6. Social engineering guidelines (what is permitted and what is not)
  7. Physical testing boundaries
  8. Data handling requirements (especially for patient data)
  9. Communication plan (emergency contacts, deconfliction, status updates)
  10. Escalation procedures (what to do if you find active threats or critical patient safety issues)
  11. Legal considerations (authorization documentation, "get out of jail free" letter)
  12. Reporting requirements

Deliverable: Complete ROE document (2-4 pages).

Exercise 35.4: Attack Chain Planning

Difficulty: Intermediate
Objective: Plan a realistic attack chain using MITRE ATT&CK techniques.

You are planning a red team engagement against a retail company. Based on threat intelligence, the primary threat is the FIN7 financial crime group.

  1. Research FIN7's known TTPs using the ATT&CK website and threat intelligence reports.
  2. Plan an attack chain from initial access to objective completion (stealing payment card data). Include:
     - Specific ATT&CK technique IDs for each step
     - Tools or methods you would use for each technique
     - Expected blue team detection opportunities at each step
     - Evasion measures to avoid detection
  3. Map your attack chain to at least 8 of the 14 ATT&CK tactics.
  4. Identify the three points in your attack chain where detection is most likely.
  5. Design a backup plan for when your primary approach is detected at each of those three points.

Deliverable: Attack chain document with ATT&CK mapping, detection analysis, and contingency plans.

Exercise 35.5: Atomic Red Team Testing

Difficulty: Intermediate
Objective: Execute and analyze Atomic Red Team tests in a lab environment.

Prerequisites: Windows VM with Sysmon installed and logging to a local SIEM (ELK or Wazuh).

  1. Install Atomic Red Team on your Windows VM.
  2. Execute the following techniques one at a time, checking your SIEM for detections after each:
     - T1059.001 (PowerShell execution)
     - T1003.001 (LSASS Memory credential dumping)
     - T1053.005 (Scheduled Task creation)
     - T1070.004 (File deletion)
     - T1087.002 (Domain Account discovery)
  3. For each technique:
     - Document the exact command executed
     - Record which Sysmon event IDs were generated
     - Note whether your SIEM alerted on the activity
     - If not detected, write a detection rule (Sigma or SIEM-native)
  4. Clean up after each test using the Atomic Red Team cleanup commands.
  5. Re-run any undetected techniques after implementing your new detection rules.
  6. Calculate your detection coverage percentage.

Deliverable: Test results table, new detection rules, and coverage calculation.

Exercise 35.6: C2 Infrastructure Design

Difficulty: Intermediate
Objective: Design a resilient C2 infrastructure for a red team engagement.

Design (but do not build outside of a lab) a C2 infrastructure for a 4-week red team engagement. Your design must include:

  1. Team server: Where will the C2 server run? How is it protected?
  2. Redirectors: Design at least two types of redirectors (HTTPS and DNS). Explain how they protect the team server.
  3. Short-haul vs. long-haul C2: Design separate channels for interactive sessions and persistent beacons. Explain the different requirements.
  4. Domain selection: Describe your criteria for selecting C2 domains. How do you make them appear legitimate?
  5. Traffic blending: How will your C2 traffic blend with normal network traffic? What legitimate services will you mimic?
  6. Fallback plan: What happens when the blue team identifies and blocks one of your C2 channels?
  7. OPSEC measures: How do you prevent your infrastructure from being attributed to your team?

Draw a network diagram of your complete C2 infrastructure.

Deliverable: C2 infrastructure design document with network diagram.

Exercise 35.7: Physical Security Assessment Plan

Difficulty: Intermediate
Objective: Plan a physical security assessment for an office building.

Scenario: You have been authorized to conduct physical security testing of ShopStack's corporate headquarters.

  1. Create an OSINT plan: What information can you gather about the building before visiting? List at least 10 specific sources.
  2. Design a reconnaissance plan for on-site passive observation. What will you look for? How long will you observe?
  3. Plan three social engineering pretexts you could use to gain physical access. For each, describe:
     - The persona and cover story
     - Required props and clothing
     - Target entry point
     - Expected challenges and responses
     - Safety and de-escalation plan
  4. Identify the tools and equipment you would bring in your toolkit.
  5. Define success criteria: What specific objectives would constitute a successful test?
  6. Create a risk matrix: What could go wrong, and how would you handle each scenario?
  7. Draft the "get out of jail free" letter that you would carry during the assessment.

Deliverable: Complete physical security assessment plan with all components.

Exercise 35.8: Purple Team Exercise Planning

Difficulty: Intermediate
Objective: Plan and document a purple team exercise.

Design a one-day purple team exercise focusing on credential access techniques:

  1. Select five credential access techniques from ATT&CK (under T1003, T1110, T1558, etc.).
  2. For each technique, document:
     - The offensive procedure (what the red team will do)
     - Expected log sources (where evidence should appear)
     - Current detection status (hypothesize: detected, partially detected, or not detected)
     - Detection development plan (if not currently detected)
  3. Create a detailed schedule for the exercise day, allocating time for each technique.
  4. Design a scoring template to track results (technique, detection status, time to detect, false positive rate).
  5. Plan the pre-exercise briefing agenda and post-exercise debrief structure.
  6. Define success criteria for the exercise overall.

Deliverable: Purple team exercise plan, schedule, scoring template, and briefing agenda.

Exercise 35.9: Adversary Emulation with Caldera

Difficulty: Advanced
Objective: Set up and use MITRE Caldera for automated adversary emulation.

  1. Deploy MITRE Caldera in your lab environment following the official documentation.
  2. Deploy Caldera agents on at least two Windows VMs and one Linux VM.
  3. Create a custom adversary profile that emulates a targeted attack:
     - System discovery
     - File and directory discovery
     - Account discovery
     - Credential access
     - Lateral movement to the second Windows VM
  4. Run the adversary profile as an automated operation.
  5. Review the operation results in Caldera's reporting interface.
  6. Export the operation details and map each executed technique to ATT&CK.
  7. Review your SIEM/EDR for detections generated by the operation.
  8. Write a report summarizing which techniques were executed successfully, which were detected, and recommendations for improving detection.

Deliverable: Caldera adversary profile, operation results, detection analysis, and summary report.

Exercise 35.10: Detection Engineering

Difficulty: Advanced
Objective: Develop and validate detection rules for common red team techniques.

  1. Write Sigma detection rules for the following techniques:
     - DCSync (T1003.006)
     - Kerberoasting (T1558.003)
     - Pass-the-Hash (T1550.002)
     - WMI Execution (T1047)
     - Scheduled Task Persistence (T1053.005)
  2. For each rule:
     - Explain the detection logic and what log sources are required
     - Identify potential false positive scenarios
     - Describe evasion techniques an attacker might use
     - Propose additional context or correlation that would reduce false positives
  3. Convert at least two Sigma rules to your SIEM's native query language.
  4. Test each rule in your lab by executing the corresponding technique (using Atomic Red Team or manual methods).
  5. Tune rules based on test results.
  6. Calculate the estimated false positive rate for each rule.

Deliverable: Five Sigma rules, converted SIEM rules, test results, and tuning documentation.
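To make step 2's "additional correlation" concrete for the Kerberoasting rule (T1558.003), the added example below (not part of the chapter) runs the usual per-event filter on Event ID 4769, a successful TGS request with RC4 encryption (type 0x17) for a service that is neither krbtgt nor a computer account, and then correlates per requesting account so that one legacy RC4 ticket does not fire but a burst of tickets for distinct services does. The log records are constructed samples with the fields reduced to what the logic needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log events (Event ID 4769, TGS requests).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "account": "jdoe@CORP", "service": "MSSQLSvc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:00:02", "account": "jdoe@CORP", "service": "http_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:00:03", "account": "jdoe@CORP", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:00:04", "account": "jdoe@CORP", "service": "svc_report", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:00:05", "account": "jdoe@CORP", "service": "krbtgt", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:05:00", "account": "asmith@CORP", "service": "MSSQLSvc", "etype": "0x12", "status": "0x0"},
    {"time": "2024-03-01T09:06:00", "account": "WS01$@CORP", "service": "DC01$", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T10:00:00", "account": "legacyapp@CORP", "service": "svc_old", "etype": "0x17", "status": "0x0"},
]

def is_candidate(ev):
    """Per-event filter: successful RC4 (0x17) TGS request for a non-krbtgt,
    non-computer service account, i.e. the shape of a roastable ticket."""
    return (ev["etype"] == "0x17" and ev["status"] == "0x0"
            and ev["service"].lower() != "krbtgt"
            and not ev["service"].endswith("$"))

def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Correlate candidates per requesting account: alert when one account
    requests RC4 tickets for >= min_services distinct services within window.
    Returns {account: sorted distinct services} for each alerting account."""
    per_account = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()                                # chronological order
        for i, (start, _) in enumerate(reqs):      # slide the window forward
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                alerts[account] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting by {account}: {services}")
```

Lowering `min_services` to 1 shows the trade-off in step 6: the single RC4 request from `legacyapp@CORP` then fires too, which is the kind of false positive a per-event rule without correlation produces.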

Exercise 35.11: Cloud Red Team Planning

Difficulty: Advanced
Objective: Plan a cloud-focused red team assessment.

Scenario: MedSecure has migrated significant infrastructure to AWS. Plan a cloud red team assessment:

  1. Identify the top 10 AWS-specific attack techniques from ATT&CK (or MITRE's cloud matrix).
  2. For each technique, describe:
     - How the technique works in AWS
     - Required initial access or permissions
     - Tools you would use
     - Detection methods (CloudTrail events, GuardDuty findings)
  3. Design an attack chain from compromised developer credentials to data exfiltration from S3:
     - IAM enumeration
     - Privilege escalation
     - Resource discovery
     - Data access
     - Exfiltration
  4. Identify cloud-specific rules of engagement considerations (shared responsibility, tenant isolation, API rate limits).
  5. Propose a scoring system for evaluating cloud security posture based on your assessment.

Deliverable: Cloud attack technique catalog, attack chain design, ROE considerations, and scoring system.
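The chain in step 3 leaves an ordered trail in CloudTrail, which gives the defender a detection that the per-API-call methods of step 2 do not: a principal that moves through enumeration, escalation, discovery and data access in that order. The added example below (not part of the chapter) reconstructs that phase order per principal from constructed CloudTrail-style records; the API-to-phase mapping, ARNs and account ID are assumptions, and only the record fields the logic needs are included.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (assumption: field names follow the
# CloudTrail record format; account ID, ARNs and timestamps are made up).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-03-01T09:01:00Z", "eventName": "ListAttachedUserPolicies", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-03-01T09:05:00Z", "eventName": "AttachUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-03-01T09:10:00Z", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-03-01T09:12:00Z", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-03-01T08:00:00Z", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/backup-job/i-0abc"}},
    {"eventTime": "2024-03-01T08:01:00Z", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/backup-job/i-0abc"}},
    {"eventTime": "2024-03-01T07:00:00Z", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"}},
    {"eventTime": "2024-03-01T07:30:00Z", "eventName": "ListUsers", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"}},
]

# Assumed mapping from API names to the chain phases the exercise lists.
PHASE_OF = {
    "ListUsers": "iam_enumeration", "ListAttachedUserPolicies": "iam_enumeration",
    "AttachUserPolicy": "privilege_escalation", "CreateAccessKey": "privilege_escalation",
    "ListBuckets": "resource_discovery", "DescribeInstances": "resource_discovery",
    "GetObject": "data_access",
}
CHAIN = ["iam_enumeration", "privilege_escalation", "resource_discovery", "data_access"]

def chain_progress(records, min_phases=3):
    """Record when each principal first performs each chain phase, then alert on
    principals reaching >= min_phases phases whose first-seen times follow chain
    order. Failed calls (errorCode) are skipped; a fuller rule would also count
    AccessDenied bursts as an enumeration signal."""
    first_seen = defaultdict(dict)                   # arn -> {phase: first time}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        phase = PHASE_OF.get(rec["eventName"])
        if phase is None or "errorCode" in rec:
            continue
        first_seen[rec["userIdentity"]["arn"]].setdefault(phase, rec["eventTime"])
    alerts = {}
    for arn, seen in first_seen.items():
        ordered = [p for p in CHAIN if p in seen]
        times = [seen[p] for p in ordered]           # ISO-8601 Z strings sort as text
        if len(ordered) >= min_phases and times == sorted(times):
            alerts[arn] = ordered
    return alerts

if __name__ == "__main__":
    for arn, phases in chain_progress(SAMPLE_RECORDS).items():
        print(f"ALERT {arn} progressed through: {' -> '.join(phases)}")
```

The `backup-job` role legitimately lists buckets and reads objects every day, so it only fires when `min_phases` drops to 2; that threshold is the knob to discuss under the ROE consideration of tenant noise in step 4.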

Exercise 35.12: Report Writing Workshop

Difficulty: Intermediate
Objective: Write a professional red team engagement report.

Using the following scenario, write a complete red team report:

Scenario: During a 3-week red team engagement against ShopStack, you achieved the following:
  - Week 1: Phishing campaign compromised 3 of 50 targets. One credential provided VPN access.
  - Week 2: Internal reconnaissance, Kerberoasting recovered 2 service account passwords. Lateral movement to database server via SMB.
  - Week 3: Accessed customer database. Extracted proof tokens (not real data). Established persistence via scheduled task.

The SOC detected the lateral movement in Week 2 (after 4 days) but the response team did not contain the activity effectively, allowing the engagement to continue.

Write a report including:

  1. Executive summary (1 page)
  2. ATT&CK technique mapping for each action
  3. Attack narrative (chronological)
  4. Detection and response assessment
  5. Top 5 findings with remediation recommendations
  6. ATT&CK Navigator visualization (describe what it would show)

Deliverable: Complete red team report (5-8 pages).

Exercise 35.13: Evasion Technique Research

Difficulty: Advanced
Objective: Research and document modern EDR evasion techniques.

Research three categories of EDR evasion:

  1. User-mode API hooking bypass:
     - Explain how EDRs hook user-mode API calls
     - Describe direct system call techniques
     - Explain syscall proxying (indirect syscalls)
     - Discuss the detection arms race

  2. Memory evasion:
     - Explain sleep obfuscation techniques
     - Describe memory encryption during beacon sleep
     - Discuss heap vs. stack obfuscation
     - Explain module stomping

  3. ETW and AMSI bypass:
     - Explain what ETW provides to EDR products
     - Describe ETW patching techniques
     - Explain AMSI and common bypass methods
     - Discuss the limitations of these bypasses

For each category, provide:
  - Technical explanation of how the evasion works
  - Detection opportunities that remain despite the evasion
  - Recommendations for defenders to mitigate the evasion

Deliverable: Technical research document covering all three categories (3-5 pages).

Exercise 35.14: Threat Intelligence Report Analysis

Difficulty: Beginner
Objective: Analyze a threat intelligence report and extract red team planning information.

  1. Download a publicly available threat intelligence report (e.g., from Mandiant, CrowdStrike, or CISA) about a threat actor relevant to your industry.
  2. Extract the following information:
     - Threat actor name and aliases
     - Motivation and targeting patterns
     - Initial access techniques used
     - Complete list of ATT&CK techniques attributed to the actor
     - Tools and malware used
     - Indicators of compromise
     - Notable infrastructure characteristics
  3. Create an ATT&CK Navigator layer for the threat actor.
  4. Design a two-week red team engagement plan based on this threat actor's TTPs.
  5. Identify which of the threat actor's capabilities you can realistically emulate and which are beyond your resources.

Deliverable: Threat intelligence extraction document, ATT&CK layer, and engagement plan.

Exercise 35.15: Measurement and Metrics Dashboard

Difficulty: Intermediate
Objective: Design a security testing metrics dashboard.

Design a dashboard that tracks the effectiveness of red team and purple team programs over time:

  1. Define at least 10 metrics that should be tracked (e.g., MTTD, MTTR, detection coverage percentage, techniques tested, gaps closed).
  2. For each metric, define: data source, calculation method, target value, and acceptable range.
  3. Design the dashboard layout with mockups showing charts, tables, and trend lines.
  4. Create sample data for four quarterly purple team exercises showing improvement over time.
  5. Write a quarterly report template that uses dashboard data to communicate program effectiveness to leadership.
  6. Identify leading indicators (predictive) vs. lagging indicators (historical) among your metrics.

Deliverable: Dashboard design document with mockups, sample data, and quarterly report template.