Red Teaming 101: Master Index

BLUF: This series provides a structured roadmap for transitioning from traditional penetration testing to advanced red team operations using the Harada OW64 methodology.

Master OW64 Grid — Harada Mandala Chart

Operational Overview

graph TB
    Goal((Red Team Operator))
    style Goal fill:#ff6600,stroke:#333,stroke-width:4px

    subgraph P1[Linux]
        L1[Enumeration & Phases]
        L2[SUID/SGID/Caps Exploit]
        L3[Cron & Service Abuse]
        L4[Kernel Exploit]
        L5[SSH Pivoting & Keys]
        L6[Container Escape]
        L7[Linux Persistence]
        L8[Full Linux Chain]
    end

    subgraph P2[Windows/AD]
        W1[System Enumeration]
        W2[Windows PrivEsc]
        W3[Credential Harvesting]
        W4[Windows Persistence]
        W5[AD Recon & Enum]
        W6[Kerberos Attacks]
        W7[NTLM Relay & Lateral]
        W8[ACL/ADCS/Domain Dom]
    end

    subgraph P3[Web]
        WB1[HTTP Recon & Phases]
        WB2[OWASP Top 10]
        WB3[Auth Attacks]
        WB4[API Hacking]
        WB5[SQL & Injection]
        WB6[Burp Suite Pro]
        WB7[File Upload & SSRF]
        WB8[Full Web Engagement]
    end

    subgraph P4[Network]
        N1[Post-Pivot Enum]
        N2[Quiet Port Scanning]
        N3[SOCKS w/ ligolo-ng and chisel]
        N4[Port Forwarding]
        N5[DNS Tunneling]
        N6[Infra Enumeration]
        N7[Full Pivot Chain]
    end

    subgraph P0[Initial Access]
        IA1[Recon and Portal Discovery]
        IA2[Password Spraying]
        IA3[Phishing and EvilGinx2]
        IA4[Public CVE Exploitation]
        IA5[Foothold Stabilization]
    end

    subgraph P5[Cloud]
        CL1[Cloud Identity]
        CL2[Cloud Enum & Recon]
        CL3[IAM PrivEsc]
        CL4[Token Theft & Abuse]
        CL5[IMDS Abuse]
        CL6[Azure AD Attacks]
        CL7[Serverless & Containers]
        CL8[Full Cloud Engagement]
    end

    subgraph P6[EDR]
        E1[AV Evasion]
        E2[AMSI Bypass]
        E3[Process Injection]
        E4[ETW & Unhooking]
        E5[Syscall Evasion]
        E6[Sleep Obfusc & Stack]
        E7[EDR Bypass Method]
        E8[LOLBins & BYOVD]
    end

    subgraph P7[C2]
        C1[Choose Framework]
        C2[Beacon Profiles]
        C3[Redirectors & Jump Infra]
        C4[Operate Sliver]
        C5[Operate Cobalt Strike]
        C6[Operate Mythic]
        C7[Advanced Channels]
        C8[BOF & Beacon Dev]
        C9[Full C2 Deployment]
    end

    subgraph P8[Reporting]
        R1[Finding Documentation]
        R2[Executive Summary]
        R3[Technical Report]
        R4[Remediation Mapping]
        R5[Attack Path Docs]
        R6[Public Writeup]
        R7[Tool Repo Curation]
        R8[Full Portfolio Dev]
    end

    P0 --> Goal
    Goal --- P1
    Goal --- P2
    Goal --- P3
    Goal --- P4
    Goal --- P5
    Goal --- P6
    Goal --- P7
    Goal --- P8

Foundational Cheatsheets

• 0.1 SecureHomelabs
• 0.2 Red Team Workspace Cheatsheet
• 0.3 Hardened Jump Hosts (OCI, AWS, DigitalOcean)
• 0.4 Initial Access — Password Spray, GoPhish, EvilGinx2 MFA Bypass, CVE Exploitation

Execution Model

Daily Micro-Practice (30–60 min total):

• 1 task from Pillar 1: Linux
• 1 task from Pillar 2: Windows/AD
• 1 task from Pillar 3: Web

Rotating Deep Pillar (60–120 min — pick one per day):

Progress Tracking

Prerequisites

Before starting this series, ensure you are comfortable with the concepts in the Recon series:

• 1. External Recon
• 2. Internal Recon (No Creds)
• 3. Authenticated Pivot
• 4. C2 & SOCKS
• 7. Blue Team Detection
• 9. Detection Event IDs (Splunk)

Navigation

Pillar Content Index

Quick-reference breakdown of what's inside each pillar file.

🔴 P1 — Linux (1_Linux.md)

Linux Operator Field Guide: 1.1a Part 1 — OPSEC, process masquerading, PrivEsc · 1.1b Part 2 — Looting, Persistence, Cleanup, Sliver C2, NFS exploitation

Linux C2 Field Guide: 7.9a Sliver C2 Linux — install, generation, in-memory delivery, listeners (Sliver operator docs → P7)

macOS Post-Exploitation: 1.3_macOS_Post_Exploitation — SIP/TCC, Keychain, browser creds, cloud tokens, LaunchAgent persistence, Poseidon C2, dylib hijacking

🟠 P2 — Windows/AD (2_Windows_AD.md)

🌐 P3 — Web (3_Web.md)

🟢 P4 — Networking (4_Networking.md)

Pivoting & Tunneling Deep Dive: 4.1_Pivoting_and_Tunneling — Tool decision tree, ligolo-ng TUN setup, chisel, rpivot, SSH tunnels, proxychains, double pivot, OPSEC cleanup

🔵 P5 — Cloud (5_Cloud.md)

⚫ P6 — EDR (6_EDR.md)

EDR Deep Dives:

• 6.2 Syscall Evasion Deep Dive — SysWhispers3, Hell's Gate / Halo's Gate / Tartarus Gate, direct vs. indirect syscalls, call stack evasion
• 6.3 Sleep Stack Evasion — Ekko, Foliage, Ziggurat, Cronos, SilentMoonwalk, PE header stomping, lab validation
• 6.4 CS Process Evasion — SpawnTo, PPID spoofing, cmdline arg spoofing, SMB pipe spoofing, inline .NET, BOF, UDRL
• 6.5 ASR WDAC Bypass — ASR rule enumeration & bypass, WDAC policy extraction, LOLBins, DLL sideloading, GadgetToJScript

📡 P7 — C2 Infrastructure (7_C2.md)

C2 Deep Dives by Function:

• Framework choice & operator guides: 7.9a Sliver C2 Linux, 7.10 Sliver C2 Windows, 7.4 Mythic C2 Operator Guide, 7.13 Cobalt Strike Setup Infra
• Beacon creation & shaping: 7.8 Sliver Profile Creation OPSEC, 7.9 Sliver Beacon Creation OPSEC, 7.6 Sliver HTTP C2 Profiles
• Infrastructure: 7.11 C2 Jump Server Infrastructure, 7.2 C2 infra, 7.5 C2 Infrastructure Walkthrough
• Advanced channels: 7.7 Advanced C2 Techniques
• BOF development: 7.14_BOF_Development — COFF skeleton, Win32 API macros, 4 complete examples, Makefile, local test harness, Sliver armory packaging
• Extension development: 7.12 Rust Beacon Development

Cloud Deep Dives:

• 5.1 AWS Attack Paths — IAM PrivEsc paths, IMDS theft, Lambda abuse, S3 exfil, AWS OPSEC
• 5.2 Azure Entra Attacks — Token theft, PRT attacks, Entra role PrivEsc, Azure resource attacks

Lab & Validation:

• LAB_Validation_Framework — Home lab setup, EDR configuration, technique validation checklist, interpretation guide

🟣 P8 — Reporting (8_Reporting.md)

🚪 P0 — Initial Access (0.4_Initial_Access.md) (pre-pillar)

Portfolio Reminder

Red Team 101 — Operational Doctrine

BLUF: Technical skill is table stakes. What separates an operator from a hobbyist is how they plan, document, communicate, and manage risk throughout an engagement.

Pre-Ops: Planning & Authorization

Nothing executes without paper. If you don't have written authorization you are committing a crime, not running a red team engagement.

Required Before Day 1:

RoE Must Explicitly Address:

• Goals / Objectives — Crown jewels, specific flags, detection testing
• Constraints — No DDoS, no destructive actions, no production DB writes
• Off-Limits — Named systems, subnets, third-party hosted services
• Working Hours — Active ops window (e.g., 09:00–17:00 local or 24/7)
• Escalation Path — Who approves going out-of-scope if an opportunity arises
• Get-Out-of-Jail Contact — Single POC who can authorize you to law enforcement on the spot

Op Plan

Sections:

1. Objective — What does success look like? (e.g., "Achieve DA without triggering a SOC alert")
2. Target Profile — Known intel: tech stack, AV/EDR, network segmentation, users
3. Phasing — Recon → Initial Access → Post-Ex → Lateral Movement → Objectives → Reporting
4. TTP Selection — Specific techniques planned per phase, mapped to MITRE ATT&CK
5. Contingency — What happens if you get caught? How do you re-establish access?
6. Exit Criteria — When do you stop?

Infrastructure

Standard Red Team Infra Stack:

Infrastructure Rules:

• Separate infrastructure per engagement — no cross-contamination
• Age domains weeks in advance and warm up with legitimate traffic
• Use IaC (Terraform + Ansible) to provision and teardown quickly
• Never expose the team server IP directly — always behind a redirector
• Document every IP, domain, credential, and port used — add to op notes

Workstation Hardening (Assessment Laptop)

Your laptop is the most sensitive device in the engagement. If it's compromised or stolen, the client's network is compromised too.

OS & Build:

• Use a dedicated assessment OS — don't dual-purpose your daily driver. Kali, ParrotOS, or a hardened Debian/Ubuntu install
• Full disk encryption (LUKS on Linux) — enabled before anything else. No exceptions

  Why "before anything else": Once loot, creds, SSH keys, C2 configs, or VPN profiles are written to an unencrypted disk you can't retroactively protect them. A lost or seized laptop becomes full compromise of the client environment — your C2 keys, their credentials, and your entire op are readable by whoever has the machine. "No exceptions" because the usual exception is convenience, which is not an acceptable risk when you're carrying client crown jewels.

• Auto-lock on screen after ≤ 5 minutes of inactivity; require password to unlock
• Keep the OS and all tools fully patched before each engagement
• Disable Bluetooth when not in use; disable USB auto-mount to prevent accidental execution from dropped drives

How to:

# Enable LUKS full-disk encryption during OS install (Kali/Ubuntu installer — check "Encrypt" option)
# Or encrypt an existing partition post-install:
cryptsetup luksFormat /dev/sdX
cryptsetup luksOpen /dev/sdX encrypted_vol

# Auto-lock (GNOME)
gsettings set org.gnome.desktop.session idle-delay 300
gsettings set org.gnome.desktop.screensaver lock-enabled true

# Patch before engagement
sudo apt update && sudo apt full-upgrade -y

# Disable Bluetooth
sudo systemctl disable bluetooth --now

# Disable USB auto-mount (GNOME)
gsettings set org.gnome.desktop.media-handling automount false

Compartmentalization:

• Run each engagement in an isolated VM — take a snapshot before connecting to the client environment
• Use separate browser profiles (or separate browsers) for: client portals vs. personal vs. research
• Keep loot and client data inside the engagement VM only — never copy to the host
• Use VPN from the host before the VM connects out — adds a layer of separation from your real IP

How to:

# Create a new KVM/QEMU VM for the engagement (or use VirtualBox)
virt-manager  # GUI — create new VM, allocate disk, take snapshot before connecting

# VirtualBox snapshot before connecting to client
VBoxManage snapshot "EngagementVM" take "pre-client-connect" --description "Clean state"

# Verify VPN is up on host BEFORE starting VM
curl ifconfig.me  # confirm you're hitting VPN exit IP, not home ISP

Network Discipline:

• Use a dedicated SIM / mobile hotspot for engagements — your home ISP appears in OSINT
• Connect to the client environment only through agreed VPN or jump server — never direct from your laptop IP
• Kill split tunneling on your VPN — all traffic should route through the tunnel when connected
• Use DNS over HTTPS or DNSSEC to prevent local DNS leakage during recon

How to:

# Verify no split tunnel — all traffic should exit VPN
ip route show   # default route should point to tun0/wg0, not eth0/wlan0

# Check for DNS leakage
cat /etc/resolv.conf          # should show VPN DNS, not home router
dig +short myip.opendns.com @resolver1.opendns.com   # verify exit IP

# Enable DNS over HTTPS (systemd-resolved)
sudo nano /etc/systemd/resolved.conf
# Set: DNS=1.1.1.1  DNSOverTLS=yes
sudo systemctl restart systemd-resolved

Credential & Key Hygiene:

• Store all credentials, SSH keys, and API tokens in a password manager (Bitwarden, KeePassXC) — not in plaintext files or shell history
• Use a unique SSH keypair per engagement — rotate and destroy at engagement close
• Never save client credentials in the browser or SSH known_hosts on the host — put them inside the engagement VM
• Set HISTFILE=/dev/null or export HISTCONTROL=ignorespace in your shell to suppress logging of sensitive commands

How to:

# Generate a per-engagement SSH keypair
ssh-keygen -t ed25519 -C "eng-clientname-2026" -f ~/.ssh/id_eng_clientname

# Suppress shell history for the session
unset HISTFILE
# Or prefix sensitive commands with a space (requires HISTCONTROL=ignorespace in .bashrc)
export HISTCONTROL=ignorespace

# Destroy keypair at engagement close
shred -u ~/.ssh/id_eng_clientname ~/.ssh/id_eng_clientname.pub

# Wipe known_hosts entries for client hosts
ssh-keygen -R <client-ip>

Physical Security:

• Never leave your laptop unattended and unlocked in any client facility
• Use a privacy screen filter when working in client offices or public spaces
• If your laptop is lost or stolen during an engagement, treat it as a breach — notify the client immediately and initiate their incident response process

Risk Management

Risk-Adverse Mindset:

• Always prefer reversible actions over destructive ones
• Test exploits in your lab first — never run untested code against production
• Before running any command that modifies state, ask: Can I undo this?
• If you break something, stop immediately, document exactly what happened, notify the client POC

Attack vs. Defend Mindset:

Knowledge Management

What to Capture:

• Op Notes — Real-time operational log (see below)
• Loot — Credentials, hashes, tickets, keys, sensitive files — organized and indexed
• Screenshots — Every significant finding, timestamped and annotated
• Network Maps — Running diagram of discovered hosts, subnets, and pivot paths
• Tool Configs — Save exact configurations used (C2 profiles, Ansible playbooks)

Repository & Data Transfer Plan:

• Use an encrypted, access-controlled repo (private GitHub or self-hosted Gitea)
• Use SCP / SFTP over SSH to transfer loot — never plain HTTP or email
• Define a data transfer plan in the op plan: how is loot moved, stored, and destroyed
• Client data must be securely deleted per SoW at engagement close

Op Notes

Op notes are your real-time log. They are the source of truth for the final report and any deconfliction.

Every Entry Must Include:

[TIMESTAMP UTC]  ACTION
Command:   <exact command run>
Target:    <IP / hostname / URL>
Result:    <exact output or summary>
Artifacts: <file dropped, service created, key used, etc.>
Screenshot: <filename or link>
Note:      <why you did this / what you expected vs got>

Op Note Discipline:

• Log before you execute — note your intent
• Copy exact commands — never paraphrase
• If something fails or behaves unexpectedly, log it in full
• Use a dedicated tool: CherryTree, Obsidian (this vault), or a timestamped Markdown file
• Back up op notes to the encrypted repo at the end of every session

Analyst Journal (Narrative Log)

Separate from op notes — a narrative account written in past tense. This is the raw material for the attack narrative in the final report.

Journal Format:

[DATE TIME UTC] — Narrative sentence describing what happened and why.

Example:
[2026-03-08 14:32 UTC] — Performed Kerberoasting against all SPN accounts.
Identified svc_sql with RC4 encryption. Hash cracked in 4 minutes via rockyou.txt.
Used resulting credential to authenticate to SQL01 as a domain user.

Journal vs Op Notes:

TTPs

Document every TTP used. This drives the MITRE ATT&CK mapping in the final report and helps the blue team build detections.

TTP Log Format:

TTP Discipline:

• Maintain the TTP log throughout the engagement — do not reconstruct from memory later
• Every technique maps back to a specific op note entry
• Flag any TTP where an alert was or was not triggered — feeds the detection gap analysis

Reporting Cadence

Daily Sitrep Template:

Date:             [DATE]
Operator:         [NAME]
Objective Today:  [WHAT YOU PLANNED]
Accomplished:     [WHAT YOU DID]
Systems Accessed: [IP / HOSTNAME LIST]
Findings:         [NEW FINDINGS SUMMARY]
Blockers:         [ANYTHING STOPPING PROGRESS]
Plan Tomorrow:    [NEXT STEPS]
Risk Items:       [ANYTHING NEEDING CLIENT ATTENTION]

Mishap Report Triggers — Stop and report immediately if you:

• Caused an unintended service disruption or outage
• Accessed a system marked off-limits
• Exfiltrated data beyond what was agreed
• Triggered a security response not part of the engagement exercise
• Lost control of a payload or implant

Post-Engagement Debrief

Cleanup Checklist:

• All implants / beacons killed and removed from target systems
• All created accounts, services, and scheduled tasks removed
• Infrastructure torn down (or isolation confirmed if retained)
• All loot / client data securely wiped per SoW
• Final report delivered and walkthrough scheduled
• Lessons-learned documented internally

Debrief Meeting Agenda:

1. Walk the client through the attack narrative — show the path, not just the findings
2. Demonstrate key findings with live reproduction (if safe)
3. Map each finding to a defensive control that would have blocked or detected it
4. Discuss detection gaps identified from the TTP log
5. Agree on a remediation timeline