red teaming
A comprehensive 3-month roadmap designed for intermediate practitioners to master the design, automation, and deployment of stealthy red team infrastructure while maintaining rigorous Operational Security (OpSec).
Goal
red teaming infra development and deployment with full opsec
Steps
6 Phases
Tasks
0 / 18 Done
Your Journey
Follow this phased approach to master red teaming infra. Take it step by step.
Foundations of Red Team Infrastructure Architecture
Foundations of Red Team Infrastructure Architecture
Month 1, Weeks 1-2: Transitioning from basic setups to enterprise-grade, multi-tiered architectures that prioritize survivability and OpSec.
Understand the concept of functional tiers: Redirectors (Tier 1), C2 Servers (Tier 2), and Backend/Logging (Tier 3).
Recommended Resource
Red Team Infrastructure Wiki
Deep dive into data leakage points including WHOIS information, TLS certificates, and IP reputation.
Recommended Resource
Rasta Mouse: Infrastructure Series
Learning how to use VPNs, Tor, and non-attributable payment methods for purchasing domains and VPS instances.
Recommended Resource
OffSec: OpSec for Red Teams
Infrastructure as Code (IaC) and Cloud Provisioning
Infrastructure as Code (IaC) and Cloud Provisioning
Month 1, Weeks 3-4: Automating the deployment of infrastructure to ensure speed, consistency, and easy destruction to minimize forensic footprints.
Using Terraform to provision virtual private servers (VPS) across multiple cloud providers (AWS, Azure, DigitalOcean).
Recommended Resource
Introduction to Terraform
Scripting the purchase and DNS configuration of domains using APIs from Namecheap or GoDaddy.
Recommended Resource
Red Team Terraform Templates
Implementing a multi-provider strategy to avoid single points of failure and vendor-specific detections.
Recommended Resource
Google Cloud Architecture Framework
Advanced Redirection and Traffic Filtering
Advanced Redirection and Traffic Filtering
Month 2, Weeks 1-2: Implementing smart redirectors to mask the true Command and Control (C2) server and filter out blue team investigations.
Configuring Nginx with rewrite rules to pass only legitimate beacon traffic to the backend C2.
Recommended Resource
C2 Redirection with Nginx
Using Caddy for automated Let's Encrypt certificates and simplified reverse proxy logic.
Recommended Resource
Caddy Documentation
Using tools like RedGuard to filter traffic based on JA3 fingerprints, headers, and geolocation.
Recommended Resource
RedGuard: Red Team Traffic Flow Control
C2 Frameworks and Payload Evasion
C2 Frameworks and Payload Evasion
Month 2, Weeks 3-4: Deploying and hardening modern C2 frameworks and tailoring communication profiles for stealth.
Security configurations for Sliver or Havoc C2 to prevent fingerprinting by scanners like Shodan or Censys.
Recommended Resource
Sliver C2 Documentation
Customizing HTTP/S headers, URIs, and payloads to mimic legitimate traffic patterns (e.g., Office 365 or Amazon traffic).
Recommended Resource
Cobalt Strike Malleable C2 Guide
Setting up stealthy file hosting using AWS S3 buckets or Cloudflare Workers for payload delivery.
Recommended Resource
Infra-RedTeam Resource List
Logging, Monitoring, and Alerting
Logging, Monitoring, and Alerting
Month 3, Weeks 1-2: Establishing visibility into your infrastructure to detect blue team responses and maintain operational control.
Shipping logs from all redirectors and C2 servers to a centralized Elasticsearch, Logstash, and Kibana instance.
Recommended Resource
RedELK: Red Team SIEM
Setting up Discord or Slack webhooks to notify the team when a new beacon checks in or when a scanner is detected.
Recommended Resource
Red Team Alerting Scripts
Identifying and blacklisting IP ranges belonging to security vendors and incident response firms.
Recommended Resource
IPCat: IP Categorization Tool
Full Automation and Final Deployment
Full Automation and Final Deployment
Month 3, Weeks 3-4: Integrating everything into a seamless pipeline for one-click deployment of a complete red team environment.
Using Ansible playbooks to automatically install tools, harden OS settings, and deploy Dockerized C2 instances.
Recommended Resource
DetectionLab (Reference for Automation)
Utilizing Azure Front Door or Cloudflare for high-reputation domain usage in traffic routing.
Recommended Resource
The State of Domain Fronting
Deploy a full stack using IaC, verify traffic flow through redirectors, and perform a mock 'burn' and 'recovery' of a domain.
Recommended Resource
MDSec Infrastructure Automation
The Peak
Keep climbing! You're almost at the master level of this roadmap.