# Red Team OPSEC Playbook

### 1. Planning and Reconnaissance

* **Objectives:** Define scope and rules of engagement; conduct thorough, OPSEC-aware passive reconnaissance to gather intelligence without detection; assess risk.
* **Detailed Steps:**
  * Identify critical information to protect (personas, infrastructure, intentions).
  * Gather OSINT passively, keeping a low-noise footprint.
  * Use compartmentalized and anonymized infrastructure (VPNs, cloud instances).
  * Securely document and communicate findings.
* **Tools/Resources:**
  * [Amass](https://github.com/OWASP/Amass) — attack surface mapping
  * [Recon-ng](https://github.com/lanmaster53/recon-ng) — OSINT reconnaissance
  * [Maltego](https://www.maltego.com/) — link analysis
  * [Shodan](https://www.shodan.io/) — asset discovery
  * [LinkedInt](https://linkdedin.xyz/) — LinkedIn scraping
  * [Gitleaks](https://github.com/gitleaks/gitleaks) — secrets detection
* **Advanced Considerations:** Use AI-assisted reconnaissance tools for hyper-automation, ensuring slow and randomized scans to avoid detection.

***

### 2. Initial Access and Execution

* **Objectives:** Gain initial entry stealthily; use adaptive, fileless payloads; maintain encrypted, anonymized communication.
* **Detailed Steps:**
  * Develop or customize environment-aware, fileless payloads for each target.
  * Test extensively in isolated OPSEC-hardened labs mimicking targets.
  * Use “living off the land” techniques to minimize forensic trails.
  * Employ multiple C2 redirects/proxy chains with dynamic infrastructure.
  * Encrypt and jitter beacons in C2 communication to avoid baseline anomalies.
* **Tools/Resources:**
  * [Cobalt Strike](https://www.cobaltstrike.com/) — commercial C2 and payload ops
  * [Outflank Security Tooling (OST)](https://www.outflank.nl/products/outflank-security-tooling/) — evasion and OPSEC booster for Cobalt Strike
  * [Metasploit Framework](https://www.metasploit.com/) — exploit/payload platform
  * [PowerShell Empire](https://github.com/PowerShellEmpire/Empire) — post-exploitation framework
  * [Beacon Object Files (BOFs)](https://outflank.com/beacon-object-files-bofs/) — stealth payload extensions
* **Advanced Considerations:** Use AI-generated payload mutations to evade signature-based detections and dynamic environment checks to disable execution in sandboxes.
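The beacon-jitter step above is exactly what a blue team's beaconing analytics are built to see through: jitter widens the spread of callback intervals, but a scripted callback still has a far tighter interval distribution than human browsing. The following is an added example, not code from this playbook or from any tool listed here, showing the detection side on constructed proxy-log lines; the log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dst_host>" (sample data, not real traffic).
# 10.0.0.5 calls back roughly every minute with jitter; 10.0.0.7 browses in bursts with idle gaps.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 cdn-update.example
2024-05-01T09:01:02 10.0.0.5 cdn-update.example
2024-05-01T09:01:55 10.0.0.5 cdn-update.example
2024-05-01T09:03:04 10.0.0.5 cdn-update.example
2024-05-01T09:03:58 10.0.0.5 cdn-update.example
2024-05-01T09:05:01 10.0.0.5 cdn-update.example
2024-05-01T09:06:03 10.0.0.5 cdn-update.example
2024-05-01T09:06:57 10.0.0.5 cdn-update.example
2024-05-01T09:00:10 10.0.0.7 news.example
2024-05-01T09:00:12 10.0.0.7 news.example
2024-05-01T09:04:40 10.0.0.7 news.example
2024-05-01T09:31:05 10.0.0.7 news.example
2024-05-01T09:31:09 10.0.0.7 news.example
2024-05-01T10:12:50 10.0.0.7 news.example
2024-05-01T10:13:00 10.0.0.7 news.example
2024-05-01T10:13:02 10.0.0.7 news.example
"""


def parse_log(text):
    """Group request timestamps by (src_ip, dst_host); each value is a sorted list of datetimes."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(stamps) for key, stamps in sessions.items()}


def interval_stats(timestamps):
    """Inter-request intervals in seconds plus their coefficient of variation (CV = stdev / mean)."""
    deltas = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(deltas) < 3:
        return None
    mu = mean(deltas)
    return {
        "count": len(deltas),
        "mean": mu,
        "cv": pstdev(deltas) / mu if mu else float("inf"),
    }


def find_beacons(sessions, min_requests=6, max_cv=0.3):
    """Flag (src, dst) pairs whose intervals are unusually regular.

    A jittered beacon (e.g. 60 s +/- 15%) lands around CV 0.1; bursty human traffic
    with long idle gaps is typically above 1.0. Thresholds are assumptions to tune per environment.
    Returns a list of ((src, dst), mean_interval_s, cv).
    """
    flagged = []
    for key, stamps in sessions.items():
        if len(stamps) < min_requests:
            continue
        st = interval_stats(stamps)
        if st and st["cv"] <= max_cv:
            flagged.append((key, round(st["mean"], 1), round(st["cv"], 3)))
    return flagged


if __name__ == "__main__":
    for key, mu, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon {key[0]} -> {key[1]}: mean interval {mu}s, CV {cv}")
```

Real analytics add a minimum observation window, per-destination rarity (how many hosts talk to that domain) and byte-size regularity, but interval CV on its own already separates the two constructed hosts cleanly.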

***

### 3. Persistence and Lateral Movement

* **Objectives:** Establish stealthy persistence; conduct low-noise lateral movement; limit credential exposure.
* **Detailed Steps:**
  * Use short-lived, compartmentalized credentials.
  * Choose OPSEC-conscious Active Directory attack paths and lateral-movement techniques that avoid noisy scanning.
  * Persist via userland methods (scheduled tasks, COM hijacks) and remove them after use.
  * Rotate attack infrastructure and IPs to prevent forensic correlation.
* **Tools/Resources:**
  * [BloodHound](https://github.com/BloodHoundAD/BloodHound) — AD attack visualization
  * [Mimikatz](https://github.com/gentilkiwi/mimikatz) — credential dump/manipulation
  * [Impacket](https://github.com/SecureAuthCorp/impacket) — Python library for SMB and other Windows network protocols
  * Kerberos attack OPSEC techniques: [F-Secure Labs blog](https://labs.f-secure.com/blog/the-offensive-kerberos-world/)
* **Advanced Considerations:** Continuously monitor defensive telemetry (if accessible), adapt tactics, and employ automated kill switches on sandbox detection.

***

### 4. Data Collection and Exfiltration

* **Objectives:** Collect and exfiltrate target data with minimal noise, using multi-layer encryption and multiple covert channels.
* **Detailed Steps:**
  * Encrypt data locally before exfiltration.
  * Chunk data and use multi-protocol covert channels (DNS, HTTPS, ICMP).
  * Rotate exfiltration domains, IP infrastructure, and credentials often.
  * Stage exfiltration on cloud services using ephemeral credentials, camouflaged among normal traffic.
* **Tools/Resources:**
  * [DNSCat2](https://github.com/iagox86/dnscat2) — DNS-tunneling tool
  * [Chisel](https://github.com/jpillora/chisel) — TCP/UDP tunnel over HTTP, secured via SSH
  * [Cloud storage abuse methods](https://unit42.paloaltonetworks.com/cloud-threats-and-data-exfiltration/) — guide from Unit42
  * Custom AWS/Azure CLI scripts for cloud staging automation
* **Advanced Considerations:** Automate exfiltration scheduling to coincide with legitimate high-volume traffic, mimicking normal user patterns.
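DNS as a covert channel (the DNSCat2-style tunnel above) is one of the easiest exfiltration paths for a defender to profile, because the data has to ride in query names: a tunnel domain accumulates many unique, long, high-entropy subdomain labels that ordinary domains never show. This added example, not from the playbook or from any listed tool, runs that profiling over constructed DNS resolver log lines; the log format, the two-label "registered domain" rule and the thresholds are assumptions.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels form the registered domain (no public-suffix list used).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


# Constructed sample log: "<ts> <client> <qtype> <qname>". The tunnel labels are built from a fixed
# 40-character hex multiset, shuffled with a seeded RNG, so every label has the same entropy (~3.97 bits).
_rng = random.Random(1)


def _constructed_tunnel_label():
    chars = list("0123456789abcdef" * 2 + "01234567")
    _rng.shuffle(chars)
    return "".join(chars)


SAMPLE_DNS_LOG = [
    "2024-05-01T09:00:01 10.0.0.5 A www.corp.example",
    "2024-05-01T09:00:02 10.0.0.5 A mail.corp.example",
    "2024-05-01T09:00:03 10.0.0.6 A cdn.static.example",
    "2024-05-01T09:00:04 10.0.0.6 A login.corp.example",
] + [
    f"2024-05-01T09:01:{i:02d} 10.0.0.9 TXT {_constructed_tunnel_label()}.tunnel.example"
    for i in range(8)
]


def profile_domains(lines):
    """Per registered domain: count of unique subdomains, their mean length and mean entropy."""
    subs = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _ts, _client, _qtype, qname = line.split()
        subs[registered_domain(qname)].add(subdomain_part(qname))
    profiles = {}
    for dom, labels in subs.items():
        labels = [x for x in labels if x]
        if not labels:
            profiles[dom] = {"unique": 0, "mean_len": 0.0, "mean_entropy": 0.0}
            continue
        profiles[dom] = {
            "unique": len(labels),
            "mean_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
    return profiles


def flag_tunnel_candidates(profiles, min_unique=5, min_len=30, min_entropy=3.5):
    """Domains whose subdomain population looks like encoded data rather than host names."""
    return sorted(
        dom for dom, p in profiles.items()
        if p["unique"] >= min_unique and p["mean_len"] >= min_len and p["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for dom in flag_tunnel_candidates(profile_domains(SAMPLE_DNS_LOG)):
        print(f"possible DNS tunnel: {dom}")
```

The same three features (unique-subdomain volume, label length, label entropy) also catch the chunked HTTPS variant when applied to URL paths, which is why the playbook's advice to rotate exfiltration domains matters: the signal is per domain, and rotation spreads it thin.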

***

### 5. Cleanup and Cover Tracks

* **Objectives:** Erase forensic footprints and undo persistence without disrupting normal operations.
* **Detailed Steps:**
  * Wipe memory artifacts and unlink rogue processes.
  * Delete logs or selectively edit event entries.
  * Remove all persistence mechanisms, disable accounts, revoke credentials.
  * Conduct detailed post-op analysis identifying OPSEC failures.
* **Tools/Resources:**
  * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) — cleanup and log manipulation
  * Custom memory wiping and log cleaner scripts (PowerShell, OS-native)
  * [Awesome Red Team OPSEC Cheatsheet](https://github.com/RistBS/Awesome-RedTeam-Cheatsheet/blob/master/Miscs/OPSEC%20Guide.md)
* **Advanced Considerations:** Automate cleanup to run immediately on operation exit, leveraging volatile storage and scheduled tasks.
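Log deletion and selective editing of event entries (the second cleanup step above) leave their own traces, and the post-op analysis in step four should expect the blue team to look for them: Windows writes Security event 1102 and System event 104 when those logs are cleared, and a hole in a channel's otherwise monotonic EventRecordID sequence is worth an investigation. This added example, not from the playbook or any tool it lists, runs both checks over a constructed set of event records; the record format is an assumption, and in practice the records come from a central collector, which is the mitigation that makes on-host log tampering visible in the first place.

```python
from collections import defaultdict

# Well-known Windows event IDs that record a log being cleared.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample: (channel, EventRecordID, EventID, UTC time). Not data from a real host.
SAMPLE_EVENTS = [
    ("Security", 5001, 4624, "2024-05-01T08:00:00Z"),
    ("Security", 5002, 4672, "2024-05-01T08:00:01Z"),
    ("Security", 5003, 4688, "2024-05-01T08:00:05Z"),
    ("Security", 5010, 4688, "2024-05-01T08:07:00Z"),  # records 5004..5009 are absent
    ("Security", 5011, 4634, "2024-05-01T08:09:00Z"),
    ("System", 300, 7036, "2024-05-01T08:00:00Z"),
    ("System", 301, 104, "2024-05-01T08:10:00Z"),      # System log cleared
    ("System", 302, 7036, "2024-05-01T08:10:30Z"),
]


def find_record_gaps(events):
    """Return {channel: [(first_missing, last_missing), ...]} for holes in EventRecordID.

    EventRecordID increases monotonically within a channel, so a hole means records were
    removed from the file or never reached the collector; either way it needs explaining.
    """
    by_channel = defaultdict(list)
    for channel, rec_id, _eid, _ts in events:
        by_channel[channel].append(rec_id)
    gaps = {}
    for channel, ids in by_channel.items():
        ids = sorted(set(ids))
        holes = [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]
        if holes:
            gaps[channel] = holes
    return gaps


def find_clear_events(events):
    """Records that announce a log was cleared (Security 1102, System 104)."""
    return [(ch, rid, eid, ts) for ch, rid, eid, ts in events if (ch, eid) in LOG_CLEARED_EVENTS]


def audit(events):
    """Combine both checks into one report a triage script can act on."""
    return {"gaps": find_record_gaps(events), "cleared": find_clear_events(events)}


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for channel, holes in report["gaps"].items():
        print(f"{channel}: missing record ranges {holes}")
    for channel, rec_id, event_id, ts in report["cleared"]:
        print(f"{channel} log cleared (event {event_id}, record {rec_id}) at {ts}")
```

Gap detection is only meaningful against a copy the operator could not touch; if the host's own event log is the sole source, a full clear followed by continued logging shows no hole, only the 1102/104 marker, which is why both checks are paired here.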

***

### 6. Cross-Phase Operational Best Practices

* **Description:** Maintain strong OPSEC hygiene across people, infrastructure, and communications.
* **Key Practices:**
  * Strict role compartmentalization of operators and infrastructure.
  * Automated rotation of IP addresses, domains, and digital certificates via cloud APIs.
  * Use metadata-minimizing encrypted comms like [Signal](https://signal.org/), [Session](https://getsession.org/), or Tor-based messaging.
  * Behavioral hygiene: avoid repetitive patterns and operational timing fingerprinting.
  * Ongoing OPSEC risk assessments during operations.
* **Training and Methodology Resources:**
  * [SpecterOps Red Team Operations](https://specterops.io/training/red-team-operations/)
  * [TryHackMe Red Team OPSEC Guide](https://github.com/jesusgavancho/TryHackMe_and_HackTheBox/blob/master/Red%20Team%20OPSEC.md)
  * [RedTeam-Tools GitHub Repository](https://github.com/A-poc/RedTeam-Tools)
