Security specialty

Red Teaming

Browse every cataloged workflow for red teaming, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

33 skills

cybersecuritySkill

Abusing DPAPI for Credential Access

Extract DPAPI-protected secrets such as credentials and browser data offline and online.

Red Teaming
active-directorycredential-accessdpapimimikatz+4
ATT&CK, 3 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Abusing Shadow Credentials for Privilege Escalation

Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.

Red Teaming
active-directorycertipykey-credential-linkpkinit+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Building C2 Infrastructure with Sliver Framework

Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.

Red Teaming
adversary-simulationc2-frameworkcommand-and-controlinfrastructure+3
ATT&CK, 7 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Building C2 Redirector Infrastructure

Architect redirectors with nginx and Apache, malleable profiles, and OPSEC for resilient C2.

Red Teaming
apache-mod-rewritec2-infrastructuremalleable-c2nginx+4
ATT&CK, 6 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Building Red Team C2 Infrastructure with Havoc

Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for authorized red team operations.

Red Teaming
adversary-emulationcommand-and-controldemon-agenthavoc-c2+2
ATT&CK, 28 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Coercing Authentication with Coercer and PetitPotam

Trigger machine account authentication with PetitPotam (MS-EFSR) and Coercer across MS-RPRN, MS-DFSNM, and MS-FSRVP to feed NTLM relay into AD CS Web Enrollment (ESC8) and other relay targets.

Red Teaming
active-directorycoercercoercionesc8+4
ATT&CK, 3 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Conducting Domain Persistence with DCSync

Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation.

Red Teaming
active-directorycredential-dumpingdcsyncgolden-ticket+3
ATT&CK, 7 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Conducting Full-Scope Red Team Engagement

Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.

Red Teaming
adversary-emulationmitre-attackoffensive-securitypenetration-testing+3
ATT&CK, 62 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Conducting Internal Reconnaissance with BloodHound CE

Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify privilege escalation chains, and discover misconfigurations in domain environments.

Red Teaming
active-directoryattack-pathsbloodhoundgraph-analysis+3
ATT&CK, 9 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Conducting Pass-the-Ticket Attack

Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from memory (LSASS) on a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user.

Red Teaming
adversary-simulationexploitationkerberoslateral-movement+4
ATT&CK, 8 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Conducting Social Engineering Pretext Call

Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social engineering and evaluate security awareness controls.

Red Teaming
human-riskphishingpretext-callred-team+3
ATT&CK, 10 mappingsNIST CSF, 3 mappingsATLAS, 2 mappingsD3FEND, 5 mappingsAI RMF, 2 mappings
cybersecuritySkill

Conducting Spearphishing Simulation Campaign

Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craft highly personalized messages targeting specific individuals. This skill covers developing pretexts, building payloads, setting up email infrastructure, executing the campaign, and tracking results.

Red Teaming
adversary-simulationexploitationmitre-attackpost-exploitation+3
ATT&CK, 15 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Executing Red Team Engagement Planning

Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. A well-structured engagement plan ensures the red team simulates realistic adversary behavior while maintaining safety guardrails that prevent unintended business disruption.

Red Teaming
adversary-simulationengagement-planningexploitationmitre-attack+3
ATT&CK, 13 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Exploiting Active Directory Certificate Services ESC1

Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates as high-privileged users and escalate domain privileges during authorized red team assessments.

Red Teaming
active-directoryad-cscertificate-abusedomain-escalation+3
ATT&CK, 10 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Exploiting Active Directory with BloodHound

BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships.

Red Teaming
active-directoryadversary-simulationbloodhoundexploitation+3
ATT&CK, 18 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Exploiting AD CS with Certipy

Enumerate and exploit Active Directory Certificate Services ESC1 through ESC16 misconfigurations with Certipy, including SAN abuse, NTLM relay to web enrollment (ESC8), and golden certificate forgery.

Red Teaming
active-directoryadcscertipyesc1+4
ATT&CK, 3 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Exploiting Constrained Delegation Abuse

Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation.

Red Teaming
active-directoryconstrained-delegationkerberoslateral-movement+3
ATT&CK, 9 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Exploiting Kerberoasting with Impacket

Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active Directory service accounts.

Red Teaming
active-directorycredential-accessimpacketkerberoasting+3
ATT&CK, 12 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Exploiting MS17-010 EternalBlue Vulnerability

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.

Red Teaming
adversary-simulationeternalblueexploitationmitre-attack+4
ATT&CK, 6 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Exploiting noPac (CVE-2021-42278 / CVE-2021-42287)

Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion) to escalate from standard domain user to Domain Admin in Active Directory environments.

Red Teaming
active-directorycve-2021-42278cve-2021-42287domain-escalation+3
ATT&CK, 9 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Exploiting Zerologon Vulnerability (CVE-2020-1472)

Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty.

Red Teaming
active-directorycve-2020-1472domain-controllerms-nrpc+3
ATT&CK, 9 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Mapping Attack Paths with BloodHound CE

Collect Active Directory data with SharpHound and Entra ID data with AzureHound, ingest into BloodHound Community Edition, and analyze on-prem, cloud, and hybrid attack paths with built-in queries and custom Cypher.

Red Teaming
active-directoryattack-pathsazurehoundbloodhound-ce+4
ATT&CK, 4 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Operating Havoc C2

Deploy a Havoc team server with Yaotl profiles, generate evasive Demon agents with indirect syscalls and sleep obfuscation, and run post-exploitation and pivoting for adversary emulation.

Red Teaming
adversary-emulationcommand-and-controldemon-agentevasion+4
ATT&CK, 6 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Operating Sliver C2

Stand up a Sliver C2 server and listeners, generate cross-platform implants and beacons, and run post-exploitation, pivoting, and BOF/.NET tooling via the armory for adversary emulation.

Red Teaming
adversary-emulationcommand-and-controlimplantmtls+4
ATT&CK, 6 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Performing Active Directory BloodHound Analysis

Use BloodHound and SharpHound to enumerate Active Directory relationships and identify attack paths from compromised users to Domain Admin.

Red Teaming
active-directoryad-enumerationattack-pathbloodhound+3
ATT&CK, 26 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Credential Access with LaZagne

Extract stored credentials from compromised endpoints using the LaZagne post-exploitation tool to recover passwords from browsers, databases, system vaults, and applications during authorized red team operations.

Red Teaming
credential-accesscredential-dumpinglateral-movementlazagne+3
ATT&CK, 13 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Initial Access with EvilGinx3

Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session tokens and bypass multi-factor authentication during red team engagements.

Red Teaming
adversary-in-the-middlecredential-theftevilginxinitial-access+3
ATT&CK, 10 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Kerberoasting Attack

Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets.

Red Teaming
active-directoryadversary-simulationcredential-accessexploitation+4
ATT&CK, 9 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Lateral Movement with WMIExec

Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements.

Red Teaming
impacketlateral-movementpost-exploitationred-team+3
ATT&CK, 10 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Open Source Intelligence Gathering

Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack surfaces, potential targets for social engineering, technology stacks, and credential exposures. Effective OSINT directly shapes initial access strategies and reduces operational risk.

Red Teaming
adversary-simulationexploitationmitre-attackosint+3
ATT&CK, 26 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Performing Physical Intrusion Assessment

Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device deployment to evaluate facility security controls.

Red Teaming
badge-cloninglock-pickingphysical-pentestphysical-security+3
ATT&CK, 9 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Privilege Escalation on Linux

Linux privilege escalation involves elevating from a low-privilege user account to root access on a compromised system. Red teams exploit misconfigurations, vulnerable services, kernel exploits, and weak permissions to achieve root. This skill covers both manual enumeration techniques and automated tools for identifying and exploiting privilege escalation vectors.

Red Teaming
adversary-simulationexploitationlinuxmitre-attack+3
ATT&CK, 10 mappingsNIST CSF, 3 mappingsD3FEND, 5 mappings
cybersecuritySkill

Relaying NTLM for ADCS ESC8

Run ntlmrelayx into ADCS web enrollment to obtain a domain controller certificate via ESC8.

Red Teaming
active-directoryadcscertipyesc8+4
ATT&CK, 4 mappingsNIST CSF, 1 mapping