ATT&CK Framework mapping

By default, all lab scenarios have been categorized by Tactic:

  • Initial Access (TA0001)
  • Execution (TA0002)
  • Persistence (TA0003)
  • Privilege Escalation (TA0004)
  • Defense Evasion (TA0005)
  • Credential Access (TA0006)
  • Discovery (TA0007)
  • Lateral Movement (TA0008)
  • Collection (TA0009)
  • Command and Control (TA0011)
  • Exfiltration (TA0010)
  • Impact (TA0040)
  • Breach and Attack Simulations
  • Forensics

Red vs Blue Hands-On Labs Index
v1.0.1.2021

  • LOLbins / one-liners for bind & reverse shells, download/upload, file compression tricks
  • AD and Network Enumeration
  • AD Kerberos password spraying and brute-forcing
  • Windows Integrity Levels
  • Evil-WinRM pivoting + Ghostpack enumeration
  • Bypass UAC over Koadic C3
  • Dump lsass at scale
  • AD Credential Dumping using Impacket's secretsdump
  • Dumping DC Hashes via wmic and Vssadmin Shadow Copy
  • PPID spoofing and command argument spoofing
  • DLL Hijacking against MSDTC service for persistence
  • OCI DLL Hijacking
  • Windows Process Injection / Hollowing Techniques
  • Windows CMSTP + Rundll Network Connection
  • Windows MSBuild In-memory Code Execution
  • Windows MSHTA + Windows Script Component
  • Windows Bitsadmin
  • Windows New Firewall Rule
  • Windows Sharpshooter + Metasploit Framework + SMB Named Pipe Pivoting
  • Windows Schtasks Persistence
  • Windows Application Shimming Persistence
  • Windows Winlogon Helper DLL Persistence
  • AD Skeleton Key Persistence
  • Pass The Hash over dcomexec / psexec / wmiexec / smbexec
  • Evading Sysmon and Windows Event Logging
  • SMB named pipes for lateral movement
  • RDP no-GUI Remote Command Execution
  • Ask for Windows passwords from Powershell
  • Shad0w beacons
  • Donuts, donuts, anyone?
  • ADS NTFS
  • The power of SharpDPAPI
  • Windows Pcap driver installation
  • AD Silver and Golden tickets
  • AD Kerberoasting / DCsync / DCShadow
  • Linux ELF in-memory code execution for running network events
  • Linux syscall faulting for C2 agent execution
  • Injecting an ELF file into a remote Linux process
  • Linux GDB Shared Library Injection
  • Linux sshd Injection + password extraction
  • Linux Apache rootkit + command execution over HTTP
  • Linux kernel space rootkits and backdoors vs LKRG
  • Invoking Linux Reverse shell from kernel space in response to ICMP
  • Hidden channel over ICMP!
  • Customize dnscat2, tunnel, and exfiltrate data over DNS
  • In-memory DNS AAAA implant for Linux
  • DNS AXFR Payload Delivery
  • DNS Fast-flux domains
  • DNS dictionary and random characters DGA
  • HTTP2 Exfiltration and DNS over HTTPS C2
  • DLP validation through data exfiltration using multiple network channels at once
  • Playing with LDAP as payload delivery channel / hidden storage
  • Tunneling traffic into internal networks
  • Mutual TLS / SSL C2 communication
  • SNI-based TLS data exfiltration
  • Stageless and staged payloads in different formats + whitelist bypassing + armoring + sandbox detection
  • C2 and data exfiltration over clouds (Dropbox, Google Drive, Slack, Discord)
  • NTLM Multi-relaying and command execution + BadPDF
  • HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, WebDAV, WebSockets
  • Clone, armor, and phish popular websites and use them for covert channel
  • Playing “QUIC” exfil game
  • Local network scanning from the pwned OS/browser through XSS
  • Looping, port forwarding, pivoting, and routing tricks through Covenant / Meterpreter / Empire and other C2 Frameworks
  • Pivot and pwn over HTTP Socks Proxy Tunneling
  • Web categorization | Domain fronting for SharpChisel
  • Pwn remote docker host over DNS rebinding
  • Octopus AES-256 Encrypted C2
  • Playing with PoshC2 post-exploitation modules
  • Slow exfil - sending data in small "chunks"
  • Port Knocking
  • Punching holes in your NAT
  • YouTube-based command delivery and execution
  • Google Translator as a C2 Proxy
  • Auditing and exfiltrating data against layer 7 inspection rules on NG-firewalls
  • Network/exfiltration modules of Nishang, PowerSploit, Powercat, Empire
  • The world of web shells
  • Network hops chaining and hiding behind open proxies
  • TOR network traffic simulations
  • P2P network traffic simulations
  • Network flooding
  • DHCP Starvation
  • Text-based steganography and hiding data in images
  • SSH tunneling tips and tricks
  • Network and OS artifacts for upgrading the shells and changing the transport on the fly
  • Request throttling, behavior tuning, and profile customization of beacon/shell connections
  • Breach and Attack Simulation Frameworks and toolkits
  • Memory Forensics
  • Infection Monkey Automated Adversary Simulations
  • Network Flight Simulator
  • Purple Team ATT&CK Automation
  • Atomic Red Team Simulations
  • Falco vs Linux / docker auditing
  • Playing with CME + atsvc
  • NTP Exfiltration vs Moloch
  • Hello my PupyRAT, Grat2 C2 & NinjaC2