MITRE ATT&CK turned purple – Part 1: Hijack execution flow

The MITRE ATT&CK framework is probably the most well-known framework in terms of adversary emulation and by extent, red teaming.It features numerous TTPs (Tactics, Techniques, and Procedures) and maps them to threat actors. Being familiar with this framework is not only benefiting the red team operations but the blue team operations as well! To create […]

Unmanaged file searching with Filesearcher.exe

During our red team engagements, we are often reliant on a command and control infrastructure. Typically these infrastructures are capable of loading .NET assemblies in memory, which gave me the idea of coding a filesearcher assembly. This was partially invented because of a CTF event I was participating in which had me hunting several file […]

What’s in a name? Thoughts on Red Team nomenclature

In my previous post, I promised to expand on the distinction between adversary emulation, adversary simulation, red teaming, and purple teaming, or at least how I tried to distinguish these terms in a way that made sense to me Emulation and simulation; I’ve heard both terms used interchangeably to refer to the same type of […]

Thoughts on the recent Red Team debate

Around the end of November 2019, Florian Roth wrote a much-discussed post about problems he saw with today’s red teaming. I considered writing a blog post to diverge some of my ideas and “respond” to his concerns. However, as is often the case with these types of things, I didn’t get to it at the […]

The Rise of Adversary Emulation

In this blog post, we will discuss a fairly new concept that has been gaining a lot of traction recently: Adversary Emulation. Adversary emulation aims to test a network’s resilience against advanced attackers or advanced persistent threats (APTs). To do so, the adversary’s tactics, techniques, and procedures (TTPs) are emulated along the cyber kill chain, […]