Alright everyone, let's have a quick conversation about Red Teaming. Because honestly, some of you (actually, a lot of you) who want to be part of a Red Team and are taking courses, or who are already part of a Red Team, don't fully understand its main purpose. (1/n)
The reason I'm writing this is that someone I was talking to told me that "If a client can't detect syscalls and advanced bypass techniques then they shouldn't be doing a red team assessment". And honestly, that's the wrong mindset to have. (2/n)
You're doing more damage than good to the client if your whole idea of an RT operation is to bypass everything and stay quiet - unless of course that's what the client specifically asked you to do! (3/n)
A Red Team isn't about getting domain admin, destroying the client and then laughing in their face that they didn't detect your "l33t" activities. (4/n)
The whole purpose of such an assessment is to "emulate real world threats that utilize TTPs with the goal of training and measuring the effectiveness of the organization to defend their environment". (Shout-out to @joevest for that line). (5/n)
Read that again. We are to "emulate" threat scenarios. So, if you talk with the client and they mention that they're worried about financially motivated groups/ransomware, then your first step is to research the TTPs of groups like FIN6, APT41, or Silent and *emulate* them. (6/n)
Let's be honest here. A lot of current APTs still use .LNK files for persistence and to trigger a chain of infections to download C2s. Can the client detect that? Yes? Good! Move on to more advanced techniques! Can they detect those? No? Okay, how can the client improve? (7/n)
As a Red Team we need to test assumptions. Things such as "Oh our AV/EDR will detect that" or "Only admins can access that" still need to be tested. Just because something is said to be true, doesn't mean it is true - especially for simple things like LNK files. (8/n)
A lot of Red Teamers (myself included) do get annoyed when the client catches them. But don't see that as failure, see that as a good thing! We want the client to detect us, or even catch us. That means that the organization we are testing is doing something right! (9/n)
Remember, at the end of the day our job as a Red Team is to help *improve* the security of an organization, and not to demoralize the company and the blue teams working there. Because in all honesty, working for the Blue Team is hard work, and I speak from experience. (10/n)
Alright, that's the end of my rant. So just remember, ladies and gentlemen, that the next time you're on a red team gig, ask yourself how "I" can help improve the security posture of the company we're testing so they don't end up on the news because of a breach next week. (11/11)
You can follow @jack_halon.