0.2_Red_Team_Workspace_Cheatsheet

#redteam #training #ops #obsidian #tmux #reporting

Red Team Workspace Cheatsheet

BLUF: A clean workspace keeps you fast, calm, and report-ready. During an engagement, your job is to make every note, artifact, screenshot, and command easy to find, easy to verify, and easy to hand off.

Core Rules

One engagement = one workspace
One fact = one canonical home
Raw evidence stays raw
Notes describe secrets; notes do not store secrets
If future-you cannot find it in 30 seconds, your structure is wrong

Engagement Root Structure

engagement-name/
├── 00_admin/
│   ├── scope.md
│   ├── roes.md
│   ├── contacts.md
│   └── timeline.md
├── 01_notes/
│   ├── daily/
│   ├── hosts/
│   ├── findings/
│   └── attack-paths/
├── 02_scans/
│   ├── external/
│   ├── internal/
│   ├── web/
│   └── cloud/
├── 03_evidence/
│   ├── screenshots/
│   ├── requests/
│   ├── terminal-logs/
│   ├── pcaps/
│   └── loot/
├── 04_payloads/
│   ├── templates/
│   ├── staging/
│   └── outputs/
├── 05_reporting/
│   ├── drafts/
│   ├── findings/
│   ├── diagrams/
│   └── appendices/
└── 99_archive/

Quick Logic

Folder	What goes there	What does not go there
`00_admin/`	Scope, ROE, milestones, contact notes	Findings and shell output
`01_notes/`	Human-readable thinking and operator notes	Raw screenshots, binaries, creds
`02_scans/`	Scanner output and enumeration data	Final write-up prose
`03_evidence/`	Screenshots, terminal transcripts, raw proof	Cleaned summaries only
`04_payloads/`	Templates and generated operation artifacts	Long-term evidence
`05_reporting/`	Report-ready material	Unsorted scratch notes

Obsidian Vault Layout

Use the vault for thinking, linking, and triage.

01_notes/
├── daily/
│   ├── 2026-04-08.md
│   └── 2026-04-09.md
├── hosts/
│   ├── host-app-01.md
│   ├── host-dc-01.md
│   └── host-vpn-01.md
├── findings/
│   ├── RT-F01-unauthenticated-admin-access.md
│   └── RT-F02-excessive-ad-permissions.md
└── attack-paths/
    └── ap-initial-access-to-domain-admin.md

Recommended Note Types

Note Type	Naming Pattern	Purpose
Daily log	`YYYY-MM-DD.md`	Running operator log
Host note	`host-<label>.md`	Per-system context
Finding draft	`RT-F##-<slug>.md`	Evidence-to-report bridge
Attack path	`ap-<slug>.md`	Multi-step chain documentation
Admin note	`<topic>.md`	Scope, timing, coordination

Daily Note Template

# 2026-04-08

## Objectives
- Validate external attack surface
- Confirm web auth boundary assumptions

## Activity Log
- 09:10 - Session started; tmux workspace created
- 09:32 - Confirmed host inventory mismatch with provided scope
- 10:05 - Captured first evidence set for RT-F01

## Evidence Created
- screenshot-rt-f01-login-bypass-20260408-1007.png
- terminal-rt-f01-repro-20260408-1011.log

## Open Questions
- Is `admin.example` in scope?
- Is the VPN user set shared with the blue team?

## Next Actions
- Verify whether bypass survives SSO flow
- Promote notes into finding draft

Host Note Template

# host-app-01

## Role
Internet-facing application server

## Identifiers
- Hostname: app01.example.internal
- IP: 10.10.20.15
- Environment: Production

## Access
- Access method: VPN + HTTPS
- Cred reference: see password manager entry only

## Findings / Observations
- Login flow leaks role data in response body
- File upload endpoint accepts unexpected content types

## Evidence Links
- ../03_evidence/screenshots/screenshot-app01-upload-20260408-1142.png
- ../03_evidence/requests/request-app01-upload-bypass.txt

## Related Notes
- [[RT-F01-unauthenticated-admin-access]]

Obsidian Rules

Use notes to store meaning, not raw dumps
Link to evidence files instead of copying large blobs into notes
Store credentials in a password manager, not markdown
Keep one note per host and one note per finding
Promote temporary observations into structured notes before end of day

Naming Convention

Use sortable names everywhere.

<artifact-type>-<target-or-finding>-<yyyymmdd-hhmm>.<ext>

Examples

screenshot-rt-f01-login-bypass-20260408-1007.png
terminal-rt-f01-repro-20260408-1011.log
request-app01-upload-bypass-20260408-1142.txt
pcap-vpn-initial-access-20260408-1320.pcap
loot-host-dc-01-shares-20260408-1545.txt

Naming Rules

Put the finding ID in filenames once a finding exists
Use timestamps when the order matters
Prefer labels like host-dc-01 over bare IPs in filenames
Use the same target label in vault notes, evidence, and report drafts

tmux / Terminal Control

The terminal is your cockpit. Use it like one.

Session Model

# Create one session per engagement
tmux new -s acme-q2

# Suggested windows
tmux rename-window control
tmux new-window -n recon
tmux new-window -n web
tmux new-window -n loot
tmux new-window -n notes
tmux new-window -n report

Window Roles

Window	Purpose
`control`	Scope, quick nav, admin tasks, jump host control
`recon`	Scans, enumeration, background jobs
`web`	Curl, proxies, app testing helpers
`loot`	Reviewing outputs and evidence movement
`notes`	Obsidian, markdown cleanup, timeline sync
`report`	Finding drafts and appendix assembly

Pane Discipline

Left pane: command execution
Right pane: results review or note updates
Bottom pane: scratchpad or watch output
Do not mix unrelated targets in one pane history

Logging Commands

# Record a clean transcript for a finding repro
script -a ../03_evidence/terminal-logs/terminal-rt-f01-repro-$(date +%Y%m%d-%H%M).log

# Stop recording
exit

# Save command output directly to evidence
curl -isk https://target.example/login > ../03_evidence/requests/request-login-check-$(date +%Y%m%d-%H%M).txt

Terminal Rules

Start a new pane or window for a new hypothesis
Name long-running jobs in your notes
Move outputs out of /tmp before ending the day
Keep a daily list of “still running / still relevant” processes
If a command proves a finding, capture it immediately and label it

Evidence Handling

Evidence is only useful if someone else can trust and follow it.

Minimum Evidence Packet for a Finding

Short summary of what was proven
Target identifier
Timestamp
Raw command or raw request/response
Output or screenshot
Operator note explaining why it matters

Screenshot Rules

Capture the full context first, then crop if needed
Annotate only after preserving an original
Name screenshots with finding ID and action
Do not rely on screenshots alone when text output exists

Raw vs. Promoted Evidence

Stage	Description
Raw	Original logs, requests, screenshots, pcaps
Promoted	The exact subset attached to a finding
Report-ready	Cleaned narrative plus selected proof

Fast Promotion Workflow

raw artifact -> daily note mention -> finding draft -> report evidence block

Reporting Handoff

Your notes should already be halfway to the report.

Finding Draft Skeleton

# RT-F01 - Unauthenticated Admin Access

## Summary
Unauthenticated users can access the administrative dashboard through an alternate route.

## Affected Assets
- host-app-01

## Reproduction
1. Request `/alt-admin`
2. Observe `200 OK`
3. Access privileged functions without prior authentication

## Evidence
- ../03_evidence/requests/request-alt-admin-20260408-1007.txt
- ../03_evidence/screenshots/screenshot-rt-f01-admin-panel-20260408-1008.png
- ../03_evidence/terminal-logs/terminal-rt-f01-repro-20260408-1011.log

## Impact
Unauthorized users can access administrative functions and sensitive data.

## Remediation Direction
Enforce centralized authorization checks on all privileged routes.

End-of-Day Handoff Checklist

Daily note updated
New hosts documented
New evidence renamed and moved
Candidate findings promoted into 01_notes/findings/
Report draft updated with any validated findings
Open questions written down before stopping

Anti-Patterns

Anti-Pattern	Why it hurts
Dumping everything into one markdown file	You cannot hand off or search effectively
Saving screenshots as `image1.png`	Evidence becomes meaningless within hours
Storing credentials in notes	Creates unnecessary risk and leakage paths
Keeping raw evidence only in shell scrollback	Proof disappears when the session dies
Writing the report from memory at the end	Gaps, errors, and weak remediation follow

Bootstrap Commands

ENG="acme-q2"

mkdir -p "$ENG"/{00_admin,01_notes/{daily,hosts,findings,attack-paths},02_scans/{external,internal,web,cloud},03_evidence/{screenshots,requests,terminal-logs,pcaps,loot},04_payloads/{templates,staging,outputs},05_reporting/{drafts,findings,diagrams,appendices},99_archive}

tmux new -d -s "$ENG"
tmux rename-window -t "$ENG":1 control
tmux new-window -t "$ENG" -n recon
tmux new-window -t "$ENG" -n web
tmux new-window -t "$ENG" -n loot
tmux new-window -t "$ENG" -n notes
tmux new-window -t "$ENG" -n report

echo "Workspace ready: $ENG"

Final Mental Model

Workspace discipline is operational discipline.
If your notes, evidence, and terminal flow are structured from the start, reporting becomes assembly instead of archaeology.