Innovative Red Team Tactics

Hello 0x00sec, long time no see!

Today I decided to start a discussion around innovative Red Team TTP’s we have encountered or used.

For those who are not familiar with the concept; RT and Pentest methodologies have different goals in mind. Despite using similar methods, they answer different questions.

PT Questions: Can my infrastructure be hacked? If so, how?
PT Goals: Discovery of various attack paths into a system. (The concept of “attack path” is the nuance between a PT and a Vulnerability Assessment. VA focus on singular vulnerabilities, whereas PT focus on exploiting vulnerabilities towards a specific impact. This act of exploitation is called an “attack path”.)

RT Questions: Am I prepared against real world attacks? Can I detect when I’m being attacked? Can I stop it before it causes any damage?
RT Goals: Emulating or simulating various type of threats and measuring the efficiency of incident detection and response process.

I think the subject of this discussion is more clear now. When talking about Red Team TTP’s we’re NOT talking about: pentesting tools, attack techniques, exploits, RATs or crypters (unless the technique is novel).

TTP 1: Using “Unquoted Service Paths” to mislead analysts

If you’re going to deploy your backdoor as a new service, leverage “unquoted service path” to confuse detection systems and the SOC.

Service path: C:\Program Files\decoymalware.exe
Real malware: C:\Program.exe

You could use decoymalware.exe as a means to deceive security operators. Maybe put a legitimate and signed binary there so when your new service is discovered and binary is uploaded to VT it would seem completely innocent and the alert might get disregarded as a false positive.

Or if its likely that this will be further investigated you could put a completely irrelevant malware to mislead. A known cryptominer maybe? It is malicious but not really that important so the alert regarding to your backdoor will be quickly “resolved”.

TTP 2: Using Remote Drive Mapping to steal NTLM hashes

In several investigations I came across LNK files pointing to remote smb paths. Their purpose was to force the client to authenticate with the attacker’s smb server. Thus, the attacker could steal the victim’s NTLM hash. I found this usage of RDM’s innovative.

TTP 3: DNS Poisoning and Injecting into Google Analytics JS

Now think about the browsing activity of a normal user. Probably more than half of the webpages he’ll visit will be requesting JS files from Google Analytics. So if you can somehow redirect these requests to your own webserver (by DNS poisoning, or MITM, or sth else) and replace these JS files, you will have the perfect C2 system for your malware! Your malware won’t have to send even a single TCP packet. The browsing activity of your victim will be the carrier of your messages and it will be frequent enough! :smile:

What are your favorite Red Team TTP’s? Please write them below :point_down:


This is a really nice concise overview. I wish I had been told this and the differences long ago when I was a young wannabe hacker :stuck_out_tongue:

It really all centers around the business goals, the maturity of the business, and what kind of question they’re trying to answer, whether that be:

  • is the infrastructure secure?
  • Is the company compliant
  • Is the company/org as a whole secure against an attacker, should they try, lets dry test it!

You have to really speak to a client and figure that out. Nice to see a new article from you @hunter, great job!

Thank you @pry0cc its nice to be back!
Sometimes I see tactics that are so innovative, I can’t help myself admiring :smiley:
I may add new ones now and then. My goal is to distill knowledge from threat researches and red team ops. Your contributions are more than welcomed!

1 Like

#3 is dirty and I love it. I’m stealing it.

1 Like