Red Team Tools

In the intricate world of cybersecurity, defending against cyber threats is an ongoing battle. This challenge is further intensified by the evolving and increasingly sophisticated tactics, techniques, and procedures (TTPs) of adversaries. Central to this dynamic is understanding the tools and techniques that red teams—ethical hackers simulating real-world cyberattacks—employ to test and strengthen defenses.

The MITRE ATT&CK framework has emerged as a pivotal resource in this arena, offering a comprehensive matrix of tactics and techniques that adversaries use across their attack lifecycle. This blog delves deep into the various red team tools mapped meticulously to specific MITRE ATT&CK tactics and techniques, providing insights into how these tools operate, and why they're essential for a robust defensive strategy.

Disclaimer: This article is for educational purposes only. Unauthorized use of these tools against any system or network without explicit permission is illegal.

What Are Red Team Tools?

Red Team Tools are specialized software applications, scripts, or utilities developed and utilized by red teamers to assess, test, and exploit vulnerabilities in an organization's infrastructure, applications, people, and processes. These tools emulate techniques and tactics employed by real-world attackers, providing a realistic assessment of an organization's security posture.

Ranging from reconnaissance tools to post-exploitation utilities, red team tools aim to mimic various stages of an attack lifecycle. Their primary purpose is to help identify weaknesses, improve defenses, and enhance an organization's ability to detect and respond to genuine threats. While many of these tools have legitimate use cases for security assessments, they can also be misused by malicious actors if not properly secured and handled.

Using Native OS Tools vs. Brining Custom Red Teaming Tools

During real-world cyberattacks, adversaries have the choice between using tools that are native to the operating system (often referred to as "living off the land") and introducing custom tools to the targeted environment. 

Native OS tools are programs and utilities that come pre-installed with the operating system and are generally intended for legitimate administrative or system-related functions. In contrast, custom red teaming tools are specially crafted or acquired software, often designed to exploit, escalate, and maneuver within a network.

Here are two examples.

Native OS Tool: PowerShell

• Purpose: A task automation and configuration management framework that comes with Windows.

• Attack Use Case: Can be used to execute malicious scripts, move laterally, or extract data without downloading any additional tools.

Custom Red Teaming Tool: Mimikatz

• Purpose: A tool designed to extract plaintext passwords, hashes, and other sensitive data from memory.

• Attack Use Case: Quickly obtain credentials after gaining initial access.

Attackers often choose native OS tools to evade detection. 

Since these tools are legitimate and commonly used by system administrators, their usage doesn't immediately raise alarms. Security tools and monitoring systems are less likely to flag activity associated with these tools as malicious. By leveraging native tools, attackers can blend in with regular system activities, making their movements harder to distinguish from legitimate operations. On the other hand, custom tools might have unique signatures, behaviors, or network patterns that can be more easily detected by security solutions. 

In essence, using native OS tools helps attackers maintain a lower profile and prolong their presence in the environment undetected.

An Example of PoshC2 Framework’s Being Flagged by Windows Defender

Let us consider the following scenario: say that while investigating a spear-phishing attempt made by an adversary, we discovered an email with an attachment. The adversary attempted to lure the victim into downloading the attachment by claiming it needed to be checked for compliance regulations. In reality, the attachment was PoshC2, though it was disguised under a different name to appear as innocuous as possible.

However, when the user downloaded and executed the file, Windows Defender flagged the executable and quarantined it, identifying it as VirTool:Win32/PoshC2.G.

This example illustrates a crucial aspect of cybersecurity: the constant cat-and-mouse game between adversaries and defenders. 

Adversaries often shy away from using commercial or widely recognized custom tools as they can be easily flagged by modern security solutions, such as Windows Defender in the scenario described. Instead, they tend to customize these tools or disguise them under different names and appearances to circumvent detection. This customization alters the tool's signature, making it harder for signature-based detection systems to identify the malicious tool.

Red Team Tools

Red teaming is a critical process where ethical hackers simulate cyber-attacks against an organization to identify vulnerabilities that could be exploited by malicious actors. These simulations are conducted with the knowledge and consent of the organization being tested, making it a legal and ethical practice. 

In this blog, we have curated a comprehensive list of software employed by adversaries, mapped to the MITRE ATT&CK Framework. This software landscape is delineated into two main segments: TOOLs and MALWARE. 

Tools encompass commercial, open-source, built-in, or publicly available software that could be utilized by defenders, penetration testers, red teamers, or adversaries. This category encapsulates software not generally found on enterprise systems as well as commonly available software as part of an operating system already present in an environment. 

Examples include PsExec, Impacket, AdFind, CrackMapExec, Mimikatz, and Windows utilities such as Net, netstat, Tasklist, among others. 

AdFind as an Example Software Classified as TOOL by MITRE ATT&CK Framework.

In the upcoming sections, we have selected the Tools and mapped them under their corresponding tactics and techniques as per the MITRE ATT&CK framework.

Reconnaissance Red Teaming Tools (TA0043)

Reconnaissance, often referred to as "recon", is a preliminary phase in cybersecurity where information about a target system or network is collected, be it passively or actively, to assist in future operations. 

Some of the notable tools used for this purpose include OWASP Amass, Sn1per, theHarvester, Recon-ng 5, Maltego CE 4, the Social Engineering Toolkit (SET), Nikto 2, Shodan, Spiderfoot, and EyeWitness. 

While adversaries may leverage these tools to uncover vulnerabilities and potential points of entry for malicious intent, ethical hackers or professionals use them to identify and rectify security weaknesses, ensuring the safety and resilience of systems against potential threats.

In addition to ones listed in this section, in the SOFTWARE section, we discovered that the AADInternals tool was mapped to the Reconnaissance (TA0043) tactic under the MITRE ATT&CK Framework, along with its corresponding technique IDs.

Execution Red Teaming Tools (TA0002)

In the realm of cybersecurity, the Execution phase, categorized under ATT&CK Execution TA0002, denotes a scenario where adversaries deploy specific tools to execute their malicious code on target systems, either locally or remotely. 

Key tools, such as macro_pack, Donut, and Unicorn, emphasize this execution aspect. 

Additionally, many tools have been explicitly mapped to the MITRE ATT&CK framework, affirming their significance and widespread adoption in real-world scenarios. 

Such mapped tools include AADInternals, Impacket, Donut, Empire, Koadic, Impacket, Cmd, CARROTBALL, BloodHound, Peirates, ConnectWise, PowerSploit, and PoshC2, each with distinct ATT&CK IDs and corresponding technique references.

While at a glance these tools might appear malign in nature, in the hands of adversaries, they're powerful instruments for compromising systems. However, they also double up as invaluable assets in the arsenals of red teaming professionals and ethical hackers. 

Red teamers employ them to simulate sophisticated attacks, testing an organization's defenses in real-time. On the other hand, ethical hackers utilize these tools to identify vulnerabilities and rectify them before malevolent entities exploit them, safeguarding the digital infrastructure and its stakeholders.

Persistence Red Teaming Tools (TA0003)

In cybersecurity, the Persistence phase—represented under ATT&CK Persistence TA0003—depicts scenarios where adversaries employ specific techniques to ensure their continued access to compromised systems, even in the face of challenges like system restarts, credential alterations, and other potential disruptions. It encapsulates strategies that adversaries deploy to solidify their presence on a target, from code hijacking to startup modifications. 

Several tools have been meticulously mapped to the MITRE ATT&CK framework to signify their role in these persistence activities. 

Noteworthy among them are Empire, AADInternals, Koadic, PowerSploit, Ruler, CSPY Downloader, Mimikatz, BITSAdmin, and PsExec. Each of these tools has distinct ATT&CK IDs and associated technique references, underscoring their specific roles in ensuring persistent access.

These tools, while potent in the hands of malicious actors, also serve as invaluable instruments for red teaming and ethical hacking endeavors. Red team professionals harness them to emulate advanced persistent threats, pushing organizational defenses to their limits. Conversely, ethical hackers wield these tools as a means to unearth and mitigate vulnerabilities, fortifying systems against adversaries seeking long-term access.

Privilege Escalation Red Teaming Tools (TA0004)

In the realm of cybersecurity, the Privilege Escalation phase, denoted as ATT&CK Privilege Escalation TA0004, refers to situations where adversaries deploy specialized techniques to elevate their access rights, enabling them to expand their control over the compromised system. This phase is crucial as it often paves the way for adversaries to perform more invasive activities, like accessing sensitive data or deploying malicious payloads. 

Several tools have been intricately mapped to the MITRE ATT&CK framework to highlight their critical role in facilitating privilege escalation. 

Among these are Mimikatz, IronNetInjector, PoshC2, UACme, Koadic, Empire, CSPY Downloader, AADInternals, PowerSploit, Netsh, and PcShare. Each tool is identified with unique ATT&CK IDs and associated technique references, elucidating their specific functions in the privilege escalation process.

These tools, while inherently powerful and potentially malicious when misused, also offer great value in red teaming and ethical hacking operations. Red team experts utilize them to emulate complex attacks, simulating real-world adversaries that might exploit privilege escalation vulnerabilities. Meanwhile, ethical hackers employ these tools to identify and remedy potential system weak points, ensuring that systems are safeguarded against unauthorized privilege elevation by malicious actors.

Defense Evasion Red Teaming Tools (TA0005)

Defense evasion embodies techniques that adversaries deploy to escape detection during their incursion. The emphasis is on stealth, and these techniques are geared towards bypassing or compromising the defensive measures in place. This can range from the deactivation or removal of security software, to the more sophisticated methods of obfuscating or encrypting malicious scripts. In some instances, adversaries harness and misuse trusted processes to conceal their malware, adding layers of deception to their tactics.

Within the framework of MITRE ATT&CK's Defense Evasion (TA0005), tools like Pass-The-Hash Toolkit, HTRAN, Reg, Koadic, Donut, Esentutl, Certutil, CSPY Downloader, Cmd, CARROTBALL, RemoteUtilities, Invoke-PSImage, PowerSploit, IronNetInjector, Mimikatz, Netsh, PoshC2, and PcShare have been identified and mapped, each associated with specific ATT&CK IDs and technique references that illustrate their role in evasive maneuvers.

These tools, while potentially malicious in the wrong hands, are indispensable for red teaming and ethical hacking endeavors. Red teams leverage them to simulate sophisticated adversaries that employ stealth to bypass detection. Simultaneously, ethical hackers harness these tools to unearth and mitigate potential vulnerabilities in defense systems, ensuring the resiliency and robustness of those defenses against stealthy and evasive threats.

Credential Access Red Teaming Tools (TA0006)

Adversaries employ Credential Access techniques to steal account names and passwords, enabling them to move laterally within environments and access restricted resources. Such techniques may involve keylogging, credential dumping, or exploiting improperly stored or weakly protected passwords. By using legitimate credentials, adversaries not only gain unfettered access but also reduce their detection chances, blending in with typical user activities.

Within the scope of MITRE ATT&CK's Credential Access (TA0006), an array of tools like Mimikatz, Gsecdump, Cachedump, CrackMapExec, Rubeus, Esentutl, PowerSploit, Responder, Pwdump, Empire, Reg, LaZagne, PoshC2, Impacket, Koadic, AADInternals, Lslsass, MailSniper, and NBTscan stand identified. 

Each tool corresponds to specific ATT&CK IDs and technique references that offer a detailed blueprint of their modus operandi.

Discovery Red Teaming Tools (TA0007)

In cybersecurity, the Discovery phase—outlined within the ATT&CK Discovery TA0007—captures the various methods and techniques adversaries utilize to acquire information about the compromised environment. This stage is crucial for adversaries, offering insights into the system and internal network, which subsequently informs their decisions and tactics. By harnessing native operating system tools and other software, adversaries can comprehend what lies within their reach and understand potential vulnerabilities or valuable assets. 

A myriad of tools, diligently mapped to the MITRE ATT&CK framework, exemplifies these discovery activities. 

Noteworthy among these tools are BloodHound, AdFind, Reg, Rubeus, Cmd, Rclone, Empire, Ruler, Ifconfig, Koadic, PowerSploit, AADInternals, MailSniper, RemoteUtilities, Arp, NBTscan, Netstat, PoshC2, PcShare, Ping, Netsh, Peirates, and Nbtstat. 

Each of these tools comes with distinct ATT&CK IDs and associated technique references, highlighting their particular roles in environment discovery.

Lateral Movement Red Teaming Tools (TA0008)

In the realm of cybersecurity, the Lateral Movement phase—defined within ATT&CK Lateral Movement TA0008—describes the strategies and maneuvers that adversaries execute to traverse a network once they've secured an initial foothold. Their aim is to find and access specific resources or targets within the network, which often necessitates moving through multiple systems and perhaps even taking over various user accounts. This is akin to an intruder not just breaking into a building, but moving from room to room to find a specific valuable item. Notably, while adversaries can deploy their proprietary tools to aid in this movement, they frequently exploit native OS tools and legitimate credentials to stay under the radar and blend with normal activities.

A range of tools, as categorized by the MITRE ATT&CK framework, play pivotal roles in facilitating this lateral progression across networks. Among the prominent ones are Mimikatz, PsExec, Cmd, Esentutl, BITSAdmin, Pupy, CrackMapExec, PowerSploit, and Pass-The-Hash Toolkit. 

Each tool is linked with unique ATT&CK IDs and related technique references, highlighting the specific ways they can be employed to move laterally within a network.

Collection Red Teaming Tools (TA0009)

Within cybersecurity, the Collection phase—outlined in ATT&CK Collection TA0009—details the strategies adversaries deploy to aggregate information pertinent to their objectives. After infiltrating a system or network, attackers often seek specific data, and the methods they employ to harvest this data is what the collection phase is all about. Whether it's to support a primary mission or merely opportunistic data harvesting, the process can involve a myriad of tactics, from intercepting emails and video feeds to taking screenshots or recording keystrokes. And while gathering is an end in itself, it often serves as a precursor to another crucial phase: data exfiltration.

Several tools, as categorized by the MITRE ATT&CK framework, have been earmarked for their significance in the Collection phase. Some of the key tools include PowerSploit, Koadic, Rclone, Impacket, Certutil, Empire, ConnectWise, MailSniper, Esentutl, PoshC2, Mythic, RemoteUtilities, and PcShare. 

Each of these tools is associated with specific ATT&CK IDs and designated technique references.

Command and Control Red Teaming Tools (TA0011)

In the cybersecurity landscape, the Command and Control phase, as illustrated under ATT&CK Command and Control TA0011, represents the methodologies adversaries employ to maintain communications with the systems they have successfully infiltrated. 

By establishing a channel of communication, they gain the capability to remotely control, command, and even extract information from these compromised systems. A crucial aspect of this phase is the adversary's attempt to camouflage their communication, often striving to ensure it appears as legitimate or routine network traffic. This masking helps them evade detection. Given the intricacies of various network structures and defense mechanisms, adversaries can adopt a myriad of techniques ranging from the overt to the covert to ensure uninterrupted command and control.

Numerous tools have been associated with the Command and Control phase in the MITRE ATT&CK framework, highlighting their utility in this critical phase. Key among them are Pupy, Empire, RemoteUtilities, Donut, HTRAN, CSPY Downloader, Esentutl, Cmd, BITSAdmin, Koadic, PoshC2, CARROTBALL, Netsh, PcShare, and Mythic. 

Each tool comes with designated ATT&CK IDs and associated technique references. 

Exfiltration Red Teaming Tools (TA0010)

In cybersecurity narratives, the Exfiltration phase—outlined under ATT&CK Exfiltration TA0010—elucidates the various tactics adversaries deploy to illicitly extract valuable data from compromised systems or networks. The act of exfiltration is often the culmination of a cyber-attack, where adversaries seek to transport stolen data to their desired destination. Before doing so, they may utilize a variety of techniques to prepare the data for transmission. These preparations could involve data compression to minimize its size or encryption to ensure its secrecy. Adversaries might choose to transfer this data over their established command and control channels or through alternative routes. Often, there's a strategic intent behind how they transmit this data, like placing size constraints to reduce the risk of detection.

The MITRE ATT&CK framework has carefully mapped several tools to the Exfiltration phase, pinpointing their relevance in aiding adversaries during data extraction. Prominent among these tools are Rclone, Pupy, Dnscat2, Mythic, Empire, AADInternals, and PcShare. Each of these tools is accompanied by specific ATT&CK IDs and corresponding technique references. 

Such detailed mappings provide insights into the distinct roles these tools play in the exfiltration process, whether it's packaging data for stealthy extraction, transmitting it over different channels, or using techniques that bypass conventional security measures.

For instance, Rclone is known for its capability in cloud-based data transfer, making it a versatile tool for adversaries aiming to move stolen data to cloud storage. Similarly, tools like Mythic or Empire can be utilized for their encryption and data manipulation capabilities, ensuring that the extracted data remains clandestine. In essence, these tools exemplify the range of techniques adversaries have at their disposal during the critical exfiltration stage, emphasizing the need for robust defensive measures against data breaches.

Impact Red Teaming Tool (TA0040)

Within the cybersecurity landscape, the Impact phase—denoted as ATT&CK Impact TA0040—details the methods adversaries utilize to disrupt, degrade, or even destroy critical system functions or data. This phase highlights the potential aftermath of an intrusion, focusing on the adversary's intent to inflict harm rather than merely stealing information. By executing impact techniques, adversaries aim to compromise the availability of resources, alter their integrity, or manipulate operational processes to serve their malicious objectives. These can range from deleting valuable data to subtly modifying processes so that, on the surface, operations seem regular, but underneath, they serve the malevolent aims of the attacker. Often, these impactful actions can either signify the culmination of a cyber operation or act as a smokescreen to mask data exfiltration.

The MITRE ATT&CK framework, in its in-depth analysis, has associated specific tools with the Impact phase, underscoring their potential roles in executing detrimental operations. One such noteworthy tool is RawDisk. 

Categorized with distinct ATT&CK IDs and associated technique references, RawDisk exemplifies the kind of software that adversaries might employ to manipulate or damage system data or structures. In particular, RawDisk is recognized for its capabilities in directly interacting with disk data, bypassing the file system, which can lead to devastating results like data deletion or alteration. This tool, and others like it, epitomize the destructive potential adversaries wield when targeting systems, underlining the importance of robust security postures and timely incident response measures.