Master Red Suite

Plan and execute red team engagements with a comprehensive suite of tools, tradecraft, and methodology covering initial access, command and control, persistence, lateral movement, and exfiltration. This skill covers C2 framework selection, payload development, OPSEC practices, and adversary simulation aligned with MITRE ATT&CK.

When to Use This Skill

Choose Master Red Suite when you need to:

• Select and configure C2 frameworks for red team operations
• Develop custom payloads that evade endpoint detection
• Establish covert persistence mechanisms on compromised systems
• Simulate specific adversary TTPs for purple team exercises

Consider alternatives when:

• You need vulnerability assessment without adversary simulation (use Pentest Checklist)
• You need web application-specific testing (use Burp Suite or API Fuzzing)
• You need cloud-specific attack techniques (use Cloud Penetration Testing)

Quick Start

Copy
from dataclasses import dataclass, field
from typing import List, Dict
from enum import Enum

class C2Framework(Enum):
    COBALT_STRIKE = "Cobalt Strike"
    SLIVER = "Sliver"
    MYTHIC = "Mythic"
    HAVOC = "Havoc"
    COVENANT = "Covenant"
    BRUTE_RATEL = "Brute Ratel C4"

@dataclass
class C2Profile:
    framework: C2Framework
    listener_type: str       # http, https, dns, smb
    sleep_interval: int      # seconds between callbacks
    jitter_percent: int      # randomization percentage
    user_agent: str
    domain_fronting: bool = False
    malleable_profile: str = ""

@dataclass
class RedTeamToolkit:
    """Red team engagement toolkit configuration."""
    c2: C2Profile
    initial_access: List[str] = field(default_factory=list)
    persistence_methods: List[str] = field(default_factory=list)
    lateral_movement: List[str] = field(default_factory=list)
    exfil_channels: List[str] = field(default_factory=list)

    def generate_ops_plan(self) -> str:
        lines = [
            f"=== RED TEAM OPS PLAN ===",
            f"\nC2 Framework: {self.c2.framework.value}",
            f"  Listener: {self.c2.listener_type}",
            f"  Sleep: {self.c2.sleep_interval}s (jitter: {self.c2.jitter_percent}%)",
            f"  Domain Fronting: {'Yes' if self.c2.domain_fronting else 'No'}",
            f"\nInitial Access Methods:",
        ]
        for ia in self.initial_access:
            lines.append(f"  - {ia}")
        lines.append("\nPersistence Methods:")
        for p in self.persistence_methods:
            lines.append(f"  - {p}")
        lines.append("\nLateral Movement:")
        for lm in self.lateral_movement:
            lines.append(f"  - {lm}")
        lines.append("\nExfiltration Channels:")
        for ex in self.exfil_channels:
            lines.append(f"  - {ex}")
        return '\n'.join(lines)

# Example
toolkit = RedTeamToolkit(
    c2=C2Profile(
        framework=C2Framework.SLIVER,
        listener_type="https",
        sleep_interval=60,
        jitter_percent=30,
        user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    ),
    initial_access=["Spearphishing with macro document", "HTML smuggling"],
    persistence_methods=["Scheduled task", "Registry run key", "DLL side-loading"],
    lateral_movement=["WMI execution", "PsExec", "DCOM"],
    exfil_channels=["HTTPS C2 channel", "DNS exfiltration", "Cloud storage upload"],
)
print(toolkit.generate_ops_plan())

Core Concepts

C2 Framework Comparison

Framework	License	Protocols	Key Strength
Cobalt Strike	Commercial	HTTP/S, DNS, SMB	Malleable C2 profiles, industry standard
Sliver	Open source	HTTP/S, DNS, mTLS, WireGuard	Modern, active development, multi-player
Mythic	Open source	HTTP, WebSocket, TCP	Modular agents, web UI, extensible
Havoc	Open source	HTTP/S	Cobalt Strike alternative, modern design
Brute Ratel C4	Commercial	HTTP/S, DNS, SMB	EDR evasion, syscall-based

Payload Development Checklist

Copy
def payload_development_checklist():
    """Checklist for developing evasive payloads."""
    checklist = {
        "Pre-build": [
            "Identify target EDR/AV products",
            "Choose payload type (shellcode, DLL, EXE, script)",
            "Select execution method (in-memory, disk-based, fileless)",
            "Plan delivery mechanism (email, web, USB, supply chain)",
        ],
        "Evasion techniques": [
            "Encrypt/encode shellcode (AES, XOR, custom)",
            "Use direct syscalls instead of API calls",
            "Implement sandbox detection (timing, user interaction)",
            "String obfuscation for suspicious keywords",
            "Dynamic API resolution (GetProcAddress)",
            "AMSI bypass for PowerShell/dotNET payloads",
        ],
        "Operational security": [
            "Remove debug symbols and metadata",
            "Modify PE timestamps and compilation artifacts",
            "Test against target AV/EDR in isolated lab",
            "Use unique payload per target (avoid hash-based detection)",
            "Implement kill switch / self-destruct timer",
        ],
        "Testing": [
            "Test on clean VM with target OS version",
            "Verify against VirusTotal (or private scanner for OPSEC)",
            "Confirm C2 callback works through target network",
            "Test cleanup and artifact removal",
        ],
    }

    for phase, items in checklist.items():
        print(f"\n{phase.upper()}:")
        for item in items:
            print(f"  [ ] {item}")

payload_development_checklist()

Configuration

Parameter	Description	Default
c2_framework	C2 tool selection	Engagement-specific
sleep_interval	Beacon callback interval (seconds)	60
jitter_percent	Callback timing randomization	20-40%
listener_protocol	C2 communication protocol	"https"
domain_fronting	Use CDN for C2 hiding	false
payload_format	Output format (exe, dll, shellcode)	"shellcode"
encryption	Payload encryption method	"AES-256"
opsec_level	Stealth requirements	"high"

Best Practices

1. Use long sleep intervals with high jitter in production environments — Real APTs don't beacon every second. Use 30-120 second sleep intervals with 20-40% jitter to blend with normal network traffic. Adjust based on the target's network monitoring maturity — shorter intervals for testing detection, longer for stealth.

2. Test payloads against the target's specific EDR before deployment — Build a lab environment matching the target's endpoint protection. Test payloads until they execute cleanly without triggering alerts. Each EDR product has different detection mechanisms — what evades CrowdStrike may not evade SentinelOne.

3. Rotate C2 infrastructure regularly — Don't use the same domain, IP, or certificate for the entire engagement. Rotate redirectors, use domain fronting or CDN-based C2, and have backup communication channels. Infrastructure burned by detection should be replaced, not reused.

4. Maintain detailed operation logs with timestamps — Record every action, tool, and command with timestamps and target identifiers. This enables deconfliction with real incidents, supports the after-action report, and provides reproducible evidence for purple team analysis.

5. Plan and test exfiltration before attempting it — Don't wait until you have access to sensitive data to figure out exfiltration. Pre-plan channels (C2, DNS, HTTPS to cloud storage) and test with benign data. Failed exfiltration attempts after gaining access waste the entire operation.

Common Issues

C2 callbacks are blocked by the target's proxy — Corporate proxies may block unknown domains or require authentication. Use domain fronting through legitimate CDN domains (Azure, CloudFront, Fastly) or proxy-aware implants that use the system's configured proxy settings and NTLM authentication.

Payload is detected by EDR during execution — Modern EDR detects behavior, not just signatures. Avoid common patterns: don't inject into svchost.exe (heavily monitored), don't use CreateRemoteThread (hooked by all EDRs), and don't call VirtualAllocEx with RWX permissions. Use indirect syscalls and legitimate process execution.

Team members step on each other's operations — Without coordination, multiple operators may access the same target simultaneously, triggering alerts or corrupting each other's access. Use a shared C2 platform with team awareness (Mythic's multi-player, Sliver's multiplayer mode) and assign operators to specific targets.