Red Team Flow
This table outlines a complete adversary simulation lifecycle, showing how an attack typically progresses from infrastructure setup to final reporting. Each phase explains what the attacker does, the purpose behind that action, and the observable signals that Blue Teams can detect. By aligning attacker objectives with defensive visibility, the table highlights that compromises are not single events but chains of activities, each leaving traces in logs, network traffic, and endpoint behavior. Used defensively, this table serves as a Purple Team reference to understand attacker flow, improve detection coverage at every stage, and reduce overall dwell time through earlier identification and response.
| Phase | What is done | Why the attacker does it | What Blue Team may observe | Tools / Methods |
|---|---|---|---|---|
| Infrastructure | Rent VPS servers: one for C2, others as proxy redirectors | Hide the real C2 and quickly tear down nodes if exposed | New DNS A/AAAA records, unusual outbound web traffic | Terraform (VPC, Security Groups), Ansible (roles: c2_install, nginx_redirector), Cloud-init (hardening), WireGuard for operator VPN |
| Payload Build | Package payload inside document/shortcut, encrypt and modify signature | Bypass AV/EDR and deploy Beacon | EDR sandbox detects Base64/Gzip blobs in macros | Donut v3 (AES shellcode), Nimcrypt / RustyLoader (direct syscalls), ArtifactKit (Cobalt), MSI/ISO + LNK build scripts |
| Initial Access | Phishing email or perimeter RCE; victim executes file | Establish initial foothold | New outbound connections to redirectors, EDR alert on unknown process | Gophish (campaigns), Evilginx2 (MFA bypass), Impacket psexec/smbexec (RCE), PhantomJS (email screenshots) |
| Persistence | Add autorun, enable “quiet” DNS beacon | Maintain long-term access | Scheduled Task 106 events, suspicious DNS TXT queries | schtasks /create, reg add Run, Cobalt Beacon DNS, Sliver mTLS + WireGuard long-haul |
| Privilege Escalation | LPE or token theft → local admin | Access memory, install services | Event 4672 (privileged logon), driver execution | PrintSpoofer, JuicyPotatoNG, UACME m19, Mimikatz token::elevate, Seatbelt (priv checks) |
| Lateral Movement | Move via SMB / WinRM / WMI / RDP | Reach AD DC or critical servers | Admin logins from workstations, Kerberos TGS activity | CrackMapExec (smb, winrm), SharpHound (BloodHound), WMImplant, Chisel (port forwarding) |
| Credential Access | Kerberoasting, AS-REP Roasting, LSASS dump | Obtain passwords for next stages | 4769 RC4 spikes, ProcDump 4688 | Rubeus (kerberoast, asreproast), Impacket GetUserSPNs / GetNPUsers, ProcDump + Mimikatz sekurlsa |
| Domain Compromise | DCSync → KRBTGT hash, Golden Ticket | Full Active Directory control | 4662 / 4673 DRSUAPI events, Kerberos tickets with 10-year lifetime | Mimikatz lsadump::dcsync, Rubeus golden, Impacket ticketer |
| Target Actions | Exfiltration, sabotage, impact demonstration | Fulfill attack scenario objectives | Large HTTPS / Rclone traffic, backup services stopped | Rclone (TLS, S3), AzureCopy, DCShadow (GPO to disable AV), PowerShell Invoke-Ransom (simulation) |
| Covering Tracks | Clear logs, remove backdoors | Hinder forensic analysis | wevtutil cl, empty event logs | wevtutil cl system/security, Clear-Logs.ps1, sdelete -z, Cobalt Beacon sleep 24h |
| Reporting | Timeline, MTTD/MTTR, recommendations | Show gaps and response time | SOC receives PDF / presentation | Dradis / Serpico (reporting), MITRE ATT&CK Navigator, Sigma rule references |
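To turn the "What Blue Team may observe" column into something a Purple Team can actually exercise, the following added example (not part of the original table or of any tool listed in it) encodes a handful of those observables as detection rules and runs them over constructed Windows event records: Scheduled Task 106, privileged logon 4672, ProcDump of LSASS in 4688, a spike of RC4 (0x17) ticket requests in 4769, a 4662 carrying a directory-replication right, and `wevtutil cl` in 4688. The event field names follow the Windows Security and TaskScheduler logs; the sample values, the account names and the RC4 spike threshold are invented for the example.

```python
"""Detection rules derived from the table's 'What Blue Team may observe' column,
run over constructed Windows event records. Added example code; not from the
original page or from any tool it lists."""
import re
from collections import Counter, defaultdict

# Constructed sample events. Keys mirror the EventID and EventData field names
# of the Windows Security and TaskScheduler logs; the values are invented.
SAMPLE_EVENTS = [
    {"EventID": 106, "TaskName": "\\Updater", "UserContext": "CORP\\jdoe"},
    {"EventID": 4672, "SubjectUserName": "jdoe", "PrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4688, "NewProcessName": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl security"},
    # One AES (0x12) service-ticket request: must not count toward the RC4 rule.
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x12"},
]
# Twelve RC4 (0x17) service-ticket requests from one account in the window:
# the '4769 RC4 spike' the table lists under Credential Access.
SAMPLE_EVENTS += [
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": f"svc{i}/host{i}",
     "TicketEncryptionType": "0x17"} for i in range(12)
]

# Extended-right GUIDs that a DCSync-style replication request exercises.
DRS_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_SPIKE_THRESHOLD = 10  # assumed value; tune to the environment's baseline


def _cmd(event):
    return event.get("CommandLine", "").lower()


# Per-event rules: (phase from the table, rule name, predicate).
# 4672 fires on every administrative logon and is low fidelity on its own; it is
# included because the table lists it, and should be correlated, not alerted on.
SINGLE_EVENT_RULES = [
    ("Persistence", "scheduled task registered (106)",
     lambda e: e["EventID"] == 106),
    ("Privilege Escalation", "privileged logon (4672)",
     lambda e: e["EventID"] == 4672),
    ("Credential Access", "ProcDump of LSASS (4688)",
     lambda e: e["EventID"] == 4688 and "procdump" in _cmd(e) and "lsass" in _cmd(e)),
    ("Domain Compromise", "DRSUAPI replication right used (4662)",
     lambda e: e["EventID"] == 4662
     and any(g in e.get("Properties", "").lower() for g in DRS_GUIDS)),
    ("Covering Tracks", "event log cleared via wevtutil (4688)",
     lambda e: e["EventID"] == 4688
     and re.search(r"wevtutil(\.exe)?\s+cl\b", _cmd(e)) is not None),
]


def detect(events):
    """Return a list of (phase, rule, detail) findings for the given events."""
    findings = []
    for e in events:
        for phase, name, pred in SINGLE_EVENT_RULES:
            if pred(e):
                who = e.get("SubjectUserName") or e.get("UserContext") or e.get("NewProcessName", "")
                findings.append((phase, name, who))
    # Aggregate rule: RC4-encrypted TGS requests per requesting account.
    rc4 = Counter(e["TargetUserName"] for e in events
                  if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17")
    for user, n in rc4.items():
        if n >= RC4_SPIKE_THRESHOLD:
            findings.append(("Credential Access", "RC4 TGS request spike (4769)",
                             f"{user}: {n} requests"))
    return findings


def phase_coverage(findings):
    """Count findings per table phase, to show which stages produced a signal."""
    cov = defaultdict(int)
    for phase, _, _ in findings:
        cov[phase] += 1
    return dict(cov)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(phase_coverage(hits))
```

Running it against the constructed events yields one finding for each of Persistence, Privilege Escalation, Domain Compromise and Covering Tracks and two for Credential Access (the LSASS dump and the RC4 spike); phases with no rule, such as Initial Access, show up as gaps in the coverage map, which is the point of pairing each table row with a concrete check.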