X-C3LL's Personal Blog :)
I wanted to share my opinion about this topic for approximately two years, but I always avoided it for two main reasons: who the f_ck wants the opinion of a nobody, and why waste bytes writing something non-technical. I guess the latest Twitter “pseudo-drama” about Initial Access and Red Team was the last straw I needed to get rid of that itch in my brain.
As I said, I am a nobody, so take my opinion with a pinch of salt. I’ve been working on pure Red Teams (no pentest, audits or whatever) since 2016. Ten years where I played all the roles: operator, leader, manager and operator again. After this decade of working in this field, talking with friends in different companies around the world and seeing what is disclosed on Twitter/blogs, I’m certain that nobody has the slightest idea what the “State of the Art” is when it comes to Red Teams. And don’t get me wrong, I don’t know either. And it’s for a simple reason: we’re all biased by the TTPs used in our companies (and even between coworkers of the same team), even in our regions (Spain vs Europe; Europe vs USA), and by the stuff we keep secret.
When I was working in Spain, the two or three “real” Red Teams that existed in the country back then had the mindset of “Phishing is for Losers”. We breached the perimeter every time. We invested a lot of time and effort creating labs with the platforms we saw in the perimeter of our customers and then finding 0-days (the first example that comes to my mind is that RCE + LPE in ZeroShell that was later exploited by Mirai, CVE-2019-12725) or creating exploits for N-days. Most of our projects had a duration of 1 year, and only rarely 3 or 4 months. So “time” was never a constraint when it came to getting the opportunity to drop a webshell in the perimeter.
Our TTPs worked around that: breaching the perimeter, dropping a webshell, then something to pivot (a modified version of reGeorg or another tool) and start pwning. For persistence we used a lot of stuff that today would be considered “exotic”, like PHP extensions, backdooring Apache, or combining MySQL UDFs and triggers to execute our implant when we tried to authenticate with a fake user (or even turning MySQL into a SOCKS proxy by reusing the client connection).
Later, customers started to request the inclusion of “social engineering” components in our engagements. Because we thought that “phishing is for losers”, we decided to do it with our own unique style. Do you want someone to get infected? Don’t worry, we are going to pwn a web platform used by your employees (e.g. the company blog) and do a watering hole attack to trick them into installing something. Do you want us to send some kind of email with an attachment? Let us do some reversing on that exploit found in the wild for a Microsoft Office memory corruption and rebuild it to deploy our implant. Oh, do you want us to put your shiny MFA to the test? We are going to create a fake portal with a reverse proxy and use black-hat SEO to position it close to (or even above) your real intranet in Google. Ah, do you want something more creative? Let us drop an APK in Google Play that will read the SMS with the OTP so it can be forwarded to us.
We did all this stuff 6-10 years ago, and we thought that was the “State of the Art” in Red Teaming. And we were really good at some stuff, the stuff related to the TTPs we used in the company, but we lacked knowledge and tooling for other stuff. While people in other Red Teams had cool Initial Access TTPs, we lacked them because we focused on breaching the perimeter. Our own implant was a bit crappy (a glorified Reflective DLL loader, but to be honest it went undetected for years) in comparison with what others were using (Cobalt Strike and similar), so that was a big difference too.
Then I moved to work for a UK company, and got a really big culture shock. Except for one or two individuals, everyone in the team focused on doing phishing as Initial Access. For me it was challenging to adapt during the first months, because I had never been required to use phishing, and the contrast was huge. I started working two hours earlier than scheduled and left two hours later, so I could catch up and read all the past reports, all the information on the TTPs being used, all the tools. I felt very small compared to my colleagues; all that knowledge I had (and what I thought were the “State of the Art” TTPs) was useless because they worked differently here. I buckled down to start being “useful”.
I believe I am not disclosing anything when I say that our TTPs circle around NightHawk, so we built them to be run inside NightHawk. Would this be considered the “State of the Art” compared to other Red Teams that use simple implants as a beachhead from which to launch attacks using heavily modified versions of Impacket? Probably, depending on how your company works, you will consider the way you operate to be the “State of the Art” (running tools inside the implant vs using the implant just to proxy your tooling).
I find that trying to be a “voice” on Twitter (or at conferences) and claiming to talk about what Red Teams are doing is pretty naive most of the time, because of this natural bias and also… because people do not talk about their TTPs until they are burned, until they can profit from publishing them (every company does it in their blogs for PR, or individuals do it to get clout and “Twitter points”), or because they want to make the internet a safe place®. The best example of this is Initial Access vectors: nobody who works on this wants to disclose them, because they are fairy dust. And, if you are too young or naive, you can believe that you are the first one using them. The reality is: the chances that others have been using the same Initial Access for years are really high. But nobody talks about them so as not to burn them, so you are in your bubble thinking that you just discovered something new.
Because the difficulty of Red Teaming increased, companies and individuals stopped sharing information for free in public. We exchange ideas and disclose stuff privately to our close friends, or at private events like Red Treat. If you try to place the current “State of the Art” based on what you see in articles, social networks and conferences, you will fail. Because the stuff that is published is, most of the time, at least one year old. Every company that invests in research (internal or outsourced) is ahead of what the public sees.
For example, that “pseudo-Twitter-drama” claimed that every Red Team is using a “custom Loki from 0xBoku”. And when you read something like that, you understand how biased people are, because they live in their own bubble. Red Teams have been profiting from the corpse of Electron apps to bypass allow-list controls for years (I believe BEEMKA was published 6 or 7 years ago). And in multiple different ways, because Electron is a gift that keeps on giving (there are a lot of TTPs related to Electron that Red Teams are currently exploiting; let’s see how long it takes for someone to publish any of them as “new”). Modifying app.asar as Loki did is something Red Teams have been exploiting for years, and in ways far more “interesting” than how Loki did it.
Another case, relatively recent, is OneNote as a container to distribute payloads. Red Teams have been using it for years because it was perfect: it didn’t propagate MotW, it was a well-known file format that nobody would suspect, it was not blocked by allow lists, and most email gateways didn’t care. While Red Teams had been quietly exploiting it for years, people on Twitter had to announce it with great fanfare and trumpets as if it were the next big thing. Importantly, don’t misunderstand me. I’m not talking about burning TTPs (although that would be an interesting post too); with this post, I’m referring to the fact that people aren’t aware of what other Red Teams are doing in their engagements because everyone lives in their own bubble, so most of the time that “new discovery” is in reality something that was used previously by others.
Returning to the topic of the Twitter thread I mentioned, I agree that doing operations in 2026 is really difficult, but not because of the things commented on in that post. When I read quotes like “delivery an email to an inbox is an art”, implicitly saying that it is something difficult, I am not sure how people are doing phishing. I never had issues with that; at worst my first campaigns got rejected because I used a recently created domain, and when that happened I just used an older domain or a generic email like Gmail. On the other hand, getting people to execute your payloads is most of the time not a problem if you build the right rapport and pretext. The problem is, and here I agree with the Twitter thread, what payloads you use to avoid MotW. We are lucky and have a bunch of possibilities to use in our engagements, although every time it’s getting more and more complicated. As I said, Initial Access vectors are like fairy dust right now.
What makes Red Teaming “difficult” is other kinds of stuff. Honey objects in Active Directory (oh, did you pull the info from that spicy OU? Get caught!), network detections (did you try to connect to an SMB share placed in a network segment that workstations should never talk to? Get caught!), isolation (workstations can’t see anything “interesting”) and good Active Directory hygiene after loads of Red Team iterations.
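The two detections mentioned above (a decoy OU that nothing legitimate reads, and workstation-to-restricted-segment SMB attempts) are simple to express as rules. The following is an added example written from the blue-team side, not code from the original post or from any of the teams it describes. Everything in it is constructed for the example: the subnet ranges, the decoy OU name, the simplified firewall and LDAP audit log formats, and the sample log lines. The point it shows is that the attempt itself is the signal: a denied SMB connection from a workstation into the restricted segment is still worth an alert, and a host that trips both rules goes to the top of the triage queue.

```python
import ipaddress
from dataclasses import dataclass

# --- Assumed environment (constructed for this example, not from the post) ---
WORKSTATION_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
RESTRICTED_SERVER_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
# Decoy OU: no legitimate process enumerates it, so any search under it is suspicious.
HONEY_OU_DN = "OU=Finance-Archive,DC=corp,DC=example"


@dataclass
class Alert:
    rule: str      # which detection fired
    source: str    # client/source IP that triggered it
    detail: str    # human-readable context for the analyst


# Constructed firewall log: "timestamp src dst dport action"
FIREWALL_LOG = """2026-01-10T09:12:01Z 10.10.4.23 10.50.0.15 445 ALLOW
2026-01-10T09:12:05Z 10.10.4.23 10.10.4.1 53 ALLOW
2026-01-10T09:13:44Z 10.20.1.5 10.50.0.15 445 ALLOW
2026-01-10T09:14:02Z 10.10.7.8 10.50.0.22 445 DENY"""

# Constructed LDAP search audit log: "timestamp client base_dn filter"
LDAP_LOG = """2026-01-10T09:20:11Z 10.10.4.23 OU=Finance-Archive,DC=corp,DC=example (objectClass=*)
2026-01-10T09:20:15Z 10.10.4.23 OU=Workstations,DC=corp,DC=example (objectClass=computer)
2026-01-10T09:21:00Z 10.10.9.2 DC=corp,DC=example (sAMAccountName=jdoe)"""


def in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in networks)


def detect_cross_segment_smb(log_text):
    """Flag SMB (445) attempts from workstation ranges into restricted server ranges.
    Denied attempts are flagged too: the attempt is the indicator, not the outcome."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the pipeline
        ts, src, dst, dport, action = parts
        if dport != "445":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if in_any(src_ip, WORKSTATION_SUBNETS) and in_any(dst_ip, RESTRICTED_SERVER_SUBNETS):
            alerts.append(Alert("workstation-to-restricted-smb", src,
                                f"{ts} {src} -> {dst}:445 ({action})"))
    return alerts


def detect_honey_ou_read(log_text):
    """Flag any LDAP search whose base DN is the decoy OU or an object beneath it."""
    honey = HONEY_OU_DN.lower()
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, client, base_dn, ldap_filter = parts
        dn = base_dn.lower()
        # Exact match or a child DN (",<honey>" suffix) - avoids matching look-alike names.
        if dn == honey or dn.endswith("," + honey):
            alerts.append(Alert("honey-ou-access", client,
                                f"{ts} {client} searched {base_dn} with {ldap_filter}"))
    return alerts


def correlate(*alert_lists):
    """Hosts that tripped more than one distinct rule, for triage prioritisation."""
    rules_by_host = {}
    for alerts in alert_lists:
        for a in alerts:
            rules_by_host.setdefault(a.source, set()).add(a.rule)
    return {host: sorted(rules) for host, rules in rules_by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    smb = detect_cross_segment_smb(FIREWALL_LOG)
    ldap = detect_honey_ou_read(LDAP_LOG)
    for a in smb + ldap:
        print(f"[{a.rule}] {a.detail}")
    print("multi-rule hosts:", correlate(smb, ldap))
```

Run as-is it prints two SMB alerts (one allowed, one denied), one honey-OU alert, and reports 10.10.4.23 as the only host that hit both rules. The third firewall line comes from 10.20.1.5, outside the workstation range, so it is not flagged: the rule encodes the segmentation policy, not just "anything touching port 445".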
So, whatever you believe the current “State of the Art” is, it is probably wrong and is just what you see inside your bubble. We have zero idea about what other Red Teams are doing, or what tricks they have in their bags as a result of internal research. What you see published as “new” is, most of the time, in reality “old”; you just arrived late to the party.