0.2 Red Team Workspace Cheatsheet
Red Team Workspace Cheatsheet
BLUF: A clean workspace keeps you fast, calm, and report-ready. During an engagement, your job is to make every note, artifact, screenshot, and command easy to find, easy to verify, and easy to hand off.
Authorized use only: Use these notes only in owned, explicitly authorized, or isolated lab environments.
Detection awareness: Assume commands, binaries, network calls, identity changes, and cloud or directory actions may be logged by endpoint tooling, audit frameworks, SIEM pipelines, proxy logs, DNS logs, auth logs, and platform telemetry.
Blue-team view: Treat every technique as a defender validation exercise too: note what artifacts it creates, what alerts or hunts could surface it, and what monitoring or hardening would prevent or contain it.
CTF/lab boundary: If a sandbox or CTF includes bypass-oriented exercises, keep them confined to that environment and translate the lesson into detection, prevention, and cleanup notes rather than real-world evasion guidance.
Core Rules
- One engagement = one workspace
- One fact = one canonical home
- Raw evidence stays raw
- Notes describe secrets; notes do not store secrets
- If future-you cannot find it in 30 seconds, your structure is wrong
Engagement Root Structure
engagement-name/
├── 00_admin/
│ ├── scope.md
│ ├── roes.md
│ ├── contacts.md
│ └── timeline.md
├── 01_notes/
│ ├── daily/
│ ├── hosts/
│ ├── findings/
│ └── attack-paths/
├── 02_scans/
│ ├── external/
│ ├── internal/
│ ├── web/
│ └── cloud/
├── 03_evidence/
│ ├── screenshots/
│ ├── requests/
│ ├── terminal-logs/
│ ├── pcaps/
│ └── loot/
├── 04_payloads/
│ ├── templates/
│ ├── staging/
│ └── outputs/
├── 05_reporting/
│ ├── drafts/
│ ├── findings/
│ ├── diagrams/
│ └── appendices/
└── 99_archive/
Quick Logic
| Folder | What goes there | What does not go there |
|---|---|---|
00_admin/ |
Scope, ROE, milestones, contact notes | Findings and shell output |
01_notes/ |
Human-readable thinking and operator notes | Raw screenshots, binaries, creds |
02_scans/ |
Scanner output and enumeration data | Final write-up prose |
03_evidence/ |
Screenshots, terminal transcripts, raw proof | Cleaned summaries only |
04_payloads/ |
Templates and generated operation artifacts | Long-term evidence |
05_reporting/ |
Report-ready material | Unsorted scratch notes |
Obsidian Vault Layout
Use the vault for thinking, linking, and triage.
01_notes/
├── daily/
│ ├── 2026-04-08.md
│ └── 2026-04-09.md
├── hosts/
│ ├── host-app-01.md
│ ├── host-dc-01.md
│ └── host-vpn-01.md
├── findings/
│ ├── RT-F01-unauthenticated-admin-access.md
│ └── RT-F02-excessive-ad-permissions.md
└── attack-paths/
└── ap-initial-access-to-domain-admin.md
Recommended Note Types
| Note Type | Naming Pattern | Purpose |
|---|---|---|
| Daily log | YYYY-MM-DD.md |
Running operator log |
| Host note | host-<label>.md |
Per-system context |
| Finding draft | RT-F##-<slug>.md |
Evidence-to-report bridge |
| Attack path | ap-<slug>.md |
Multi-step chain documentation |
| Admin note | <topic>.md |
Scope, timing, coordination |
Daily Note Template
# 2026-04-08
## Objectives
- Validate external attack surface
- Confirm web auth boundary assumptions
## Activity Log
- 09:10 - Session started; tmux workspace created
- 09:32 - Confirmed host inventory mismatch with provided scope
- 10:05 - Captured first evidence set for RT-F01
## Evidence Created
- screenshot-rt-f01-login-bypass-20260408-1007.png
- terminal-rt-f01-repro-20260408-1011.log
## Open Questions
- Is `admin.example` in scope?
- Is the VPN user set shared with the blue team?
## Next Actions
- Verify whether bypass survives SSO flow
- Promote notes into finding draft
Host Note Template
# host-app-01
## Role
Internet-facing application server
## Identifiers
- Hostname: app01.example.internal
- IP: 10.10.20.15
- Environment: Production
## Access
- Access method: VPN + HTTPS
- Cred reference: see password manager entry only
## Findings / Observations
- Login flow leaks role data in response body
- File upload endpoint accepts unexpected content types
## Evidence Links
- ../03_evidence/screenshots/screenshot-app01-upload-20260408-1142.png
- ../03_evidence/requests/request-app01-upload-bypass.txt
## Related Notes
- RT-F01-unauthenticated-admin-access
Obsidian Rules
- Use notes to store meaning, not raw dumps
- Link to evidence files instead of copying large blobs into notes
- Store credentials in a password manager, not markdown
- Keep one note per host and one note per finding
- Promote temporary observations into structured notes before end of day
Naming Convention
Use sortable names everywhere.
<artifact-type>-<target-or-finding>-<yyyymmdd-hhmm>.<ext>
Examples
screenshot-rt-f01-login-bypass-20260408-1007.png
terminal-rt-f01-repro-20260408-1011.log
request-app01-upload-bypass-20260408-1142.txt
pcap-vpn-initial-access-20260408-1320.pcap
loot-host-dc-01-shares-20260408-1545.txt
Naming Rules
- Put the finding ID in filenames once a finding exists
- Use timestamps when the order matters
- Prefer labels like
host-dc-01over bare IPs in filenames - Use the same target label in vault notes, evidence, and report drafts
tmux / Terminal Control
The terminal is your cockpit. Use it like one.
Session Model
# Create one session per engagement
tmux new -s acme-q2
# Suggested windows
tmux rename-window control
tmux new-window -n recon
tmux new-window -n web
tmux new-window -n loot
tmux new-window -n notes
tmux new-window -n report
Window Roles
| Window | Purpose |
|---|---|
control |
Scope, quick nav, admin tasks, jump host control |
recon |
Scans, enumeration, background jobs |
web |
Curl, proxies, app testing helpers |
loot |
Reviewing outputs and evidence movement |
notes |
Obsidian, markdown cleanup, timeline sync |
report |
Finding drafts and appendix assembly |
Pane Discipline
- Left pane: command execution
- Right pane: results review or note updates
- Bottom pane: scratchpad or watch output
- Do not mix unrelated targets in one pane history
Logging Commands
# Record a clean transcript for a finding repro
script -a ../03_evidence/terminal-logs/terminal-rt-f01-repro-$(date +%Y%m%d-%H%M).log
# Stop recording
exit
# Save command output directly to evidence
curl -isk https://target.example/login > ../03_evidence/requests/request-login-check-$(date +%Y%m%d-%H%M).txt
Terminal Rules
- Start a new pane or window for a new hypothesis
- Name long-running jobs in your notes
- Move outputs out of
/tmpbefore ending the day - Keep a daily list of “still running / still relevant” processes
- If a command proves a finding, capture it immediately and label it
Evidence Handling
Evidence is only useful if someone else can trust and follow it.
Minimum Evidence Packet for a Finding
- Short summary of what was proven
- Target identifier
- Timestamp
- Raw command or raw request/response
- Output or screenshot
- Operator note explaining why it matters
Screenshot Rules
- Capture the full context first, then crop if needed
- Annotate only after preserving an original
- Name screenshots with finding ID and action
- Do not rely on screenshots alone when text output exists
Raw vs. Promoted Evidence
| Stage | Description |
|---|---|
| Raw | Original logs, requests, screenshots, pcaps |
| Promoted | The exact subset attached to a finding |
| Report-ready | Cleaned narrative plus selected proof |
Fast Promotion Workflow
raw artifact -> daily note mention -> finding draft -> report evidence block
Reporting Handoff
Your notes should already be halfway to the report.
Finding Draft Skeleton
# RT-F01 - Unauthenticated Admin Access
## Summary
Unauthenticated users can access the administrative dashboard through an alternate route.
## Affected Assets
- host-app-01
## Reproduction
1. Request `/alt-admin`
2. Observe `200 OK`
3. Access privileged functions without prior authentication
## Evidence
- ../03_evidence/requests/request-alt-admin-20260408-1007.txt
- ../03_evidence/screenshots/screenshot-rt-f01-admin-panel-20260408-1008.png
- ../03_evidence/terminal-logs/terminal-rt-f01-repro-20260408-1011.log
## Impact
Unauthorized users can access administrative functions and sensitive data.
## Remediation Direction
Enforce centralized authorization checks on all privileged routes.
End-of-Day Handoff Checklist
- Daily note updated
- New hosts documented
- New evidence renamed and moved
- Candidate findings promoted into
01_notes/findings/ - Report draft updated with any validated findings
- Open questions written down before stopping
Anti-Patterns
| Anti-Pattern | Why it hurts |
|---|---|
| Dumping everything into one markdown file | You cannot hand off or search effectively |
Saving screenshots as image1.png |
Evidence becomes meaningless within hours |
| Storing credentials in notes | Creates unnecessary risk and leakage paths |
| Keeping raw evidence only in shell scrollback | Proof disappears when the session dies |
| Writing the report from memory at the end | Gaps, errors, and weak remediation follow |
Bootstrap Commands
ENG="acme-q2"
mkdir -p "$ENG"/{00_admin,01_notes/{daily,hosts,findings,attack-paths},02_scans/{external,internal,web,cloud},03_evidence/{screenshots,requests,terminal-logs,pcaps,loot},04_payloads/{templates,staging,outputs},05_reporting/{drafts,findings,diagrams,appendices},99_archive}
tmux new -d -s "$ENG"
tmux rename-window -t "$ENG":1 control
tmux new-window -t "$ENG" -n recon
tmux new-window -t "$ENG" -n web
tmux new-window -t "$ENG" -n loot
tmux new-window -t "$ENG" -n notes
tmux new-window -t "$ENG" -n report
echo "Workspace ready: $ENG"
Final Mental Model
Workspace discipline is operational discipline.
If your notes, evidence, and terminal flow are structured from the start, reporting becomes assembly instead of archaeology.