Red Team OPSEC Playbook

1. Planning and Reconnaissance

  • Objectives: Define scope and rules; conduct thorough, OPSEC-aware passive reconnaissance to gather intelligence without detection; assess risk.

  • Detailed Steps:

    • Identify critical information to protect (personas, infrastructure, intentions).

    • Passive and low-noise footprint OSINT gathering.

    • Use compartmentalized and anonymized infrastructure (VPNs, cloud instances).

    • Securely document and communicate findings.

  • Tools/Resources:

  • Advanced Considerations: Use AI-assisted reconnaissance tools for hyper-automation, ensuring slow and randomized scans to avoid detection.


2. Initial Access and Execution

  • Objectives: Gain initial entry with stealth, use adaptive, fileless payloads; maintain encrypted, anonymized communication.

  • Detailed Steps:

    • Develop or customize environment-aware, fileless payloads for each target.

    • Test extensively in isolated OPSEC-hardened labs mimicking targets.

    • Use “living off the land” techniques to minimize forensic trails.

    • Employ multiple C2 redirects/proxy chains with dynamic infrastructure.

    • Encrypt and jitter beacons in C2 communication to avoid baseline anomalies.

  • Tools/Resources:

  • Advanced Considerations: Use AI-generated payload mutations to evade signature-based detections and dynamic environment checks to disable execution in sandboxes.
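The beacon-jitter item above is the one a detection engineer most often has to answer, so here is the defender-side check for it: a periodicity test over outbound connection records that still fires when the interval is randomized. This is an added example, not code from the playbook or from any C2 framework; the log format (one line of `<ISO timestamp> <source host> <destination>`), the sample lines, and the thresholds (`min_events`, `max_spread`) are all constructed assumptions. The idea is that a jittered beacon keeps its inter-arrival times clustered around a base interval, so the median absolute deviation of the intervals divided by their median stays small, while interactive traffic does not.

```python
"""Jitter-tolerant beaconing check over proxy/firewall connection records."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (assumption, not from the page). Flow to 203.0.113.10
# fires roughly every 60 s with about +/-10 % jitter; flow to 198.51.100.20 is
# bursty, human-like traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 203.0.113.10:443
2024-05-01T09:00:07 ws-17 198.51.100.20:443
2024-05-01T09:00:15 ws-17 198.51.100.20:443
2024-05-01T09:00:57 ws-17 203.0.113.10:443
2024-05-01T09:02:00 ws-17 198.51.100.20:443
2024-05-01T09:02:01 ws-17 203.0.113.10:443
2024-05-01T09:02:05 ws-17 198.51.100.20:443
2024-05-01T09:02:58 ws-17 203.0.113.10:443
2024-05-01T09:04:03 ws-17 203.0.113.10:443
2024-05-01T09:04:59 ws-17 203.0.113.10:443
2024-05-01T09:06:05 ws-17 203.0.113.10:443
2024-05-01T09:06:40 ws-17 198.51.100.20:443
2024-05-01T09:06:42 ws-17 198.51.100.20:443
2024-05-01T09:11:40 ws-17 198.51.100.20:443
"""


def parse_log(text):
    """Group event times (epoch seconds) by (source host, destination) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return flows


def periodicity_score(times):
    """Return (median interval, relative spread) for sorted timestamps.

    Relative spread = median absolute deviation of the intervals / median
    interval. Jittered beacons keep this small; human traffic does not.
    """
    deltas = [b - a for a, b in zip(times, times[1:])]
    med = median(deltas)
    mad = median([abs(d - med) for d in deltas])
    return med, (mad / med if med else float("inf"))


def find_beacons(text, min_events=6, max_spread=0.3):
    """Return flows whose timing looks like a (possibly jittered) beacon."""
    flagged = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        med, spread = periodicity_score(sorted(times))
        if spread <= max_spread:
            flagged[flow] = {
                "events": len(times),
                "interval_s": round(med, 1),
                "spread": round(spread, 3),
            }
    return flagged


if __name__ == "__main__":
    for flow, stats in find_beacons(SAMPLE_LOG).items():
        print(f"{flow[0]} -> {flow[1]}: {stats}")
```

Tune `max_spread` to the jitter range you expect to tolerate (0.3 catches roughly +/-30 % jitter) and `min_events` to how long a flow must persist before you are willing to alert; in practice you would also exclude known-good destinations and combine this with byte-count regularity, since beacons tend to carry near-constant payload sizes as well.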


3. Persistence and Lateral Movement

  • Objectives: Establish stealthy persistence; conduct low-noise lateral movement; limit credential exposure.

  • Detailed Steps:

    • Use short-lived, compartmentalized credentials.

    • Employ OPSEC-conscious AD attack paths and lateral movement avoiding noisy scanning.

    • Persist via userland methods (scheduled tasks, COM hijacks), cleaned after use.

    • Rotate attack infrastructure and IPs to prevent forensic correlation.

  • Tools/Resources:

  • Advanced Considerations: Continuously monitor defensive telemetry (if accessible), adapt tactics, and employ automated kill switches on sandbox detection.


4. Data Collection and Exfiltration

  • Objectives: Collect and exfiltrate target data securely with minimal noise using covert, multi-layer encryption and multiple channels.

  • Detailed Steps:

    • Encrypt data locally before exfiltration.

    • Chunk data and use multi-protocol covert channels (DNS, HTTPS, ICMP).

    • Rotate exfiltration domains, IP infrastructure, and credentials often.

    • Stage exfil on cloud services using ephemeral credentials and camouflage among normal traffic.

  • Tools/Resources:

  • Advanced Considerations: Automate exfiltration scheduling to coincide with legitimate high-volume traffic, mimicking normal user patterns.
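The chunked, multi-protocol exfiltration described in this section leaves a characteristic trace in DNS: many unique, long, high-entropy subdomains under one registered domain from a single host. The following detection heuristic is an added example written from the defender's side, not code from the playbook or from any tool; the log format (`<source host> <queried name>`), the sample queries, the thresholds, and the simplification of treating the last two labels as the registered domain (a real tool would use the public suffix list) are all assumptions.

```python
"""Per-host DNS exfiltration heuristic: unique-subdomain count, label length, entropy."""
import math
from collections import defaultdict

# Constructed sample resolver log (assumption, not from the page). The
# example.org queries are ordinary; the example.net queries carry 32-character
# hex labels, the shape that chunked data encoded into hostnames takes.
SAMPLE_DNS_LOG = """\
ws-17 www.example.org
ws-17 7c2e9a41f0b6d385d19b4e7a0c6f2538.example.net
ws-17 mail.example.org
ws-17 a05f3d8c1e7b2946b8e3a1d57f02c694.example.net
ws-17 e4b0d7a2c6f9138591c7e2f4a0b863d5.example.net
ws-17 cdn.example.org
ws-17 3f6a1c8e0b5d9274c0a6e8b2d4f79135.example.net
ws-17 api.example.org
ws-17 5d8b2f4a9c0e6173f2a7c4d1b9e06538.example.net
ws-17 www.example.org
ws-17 b1e5c9f0a3d684726a0d3e7f2b9c4158.example.net
"""


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Simplification (assumption): last two labels. Use the PSL in production."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_dns_exfil(text, min_unique=5, min_entropy=3.0, min_label_len=20):
    """Return (source, registered domain) pairs whose subdomains look like encoded data."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qname = line.split()
        rd = registered_domain(qname)
        sub = qname.lower()[: -len(rd)].rstrip(".")
        if sub:
            buckets[(src, rd)].add(sub)

    flagged = {}
    for key, subs in buckets.items():
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_ent >= min_entropy and mean_len >= min_label_len:
            flagged[key] = {
                "unique_subdomains": len(subs),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 3),
            }
    return flagged


if __name__ == "__main__":
    for key, stats in find_dns_exfil(SAMPLE_DNS_LOG).items():
        print(f"{key[0]} querying {key[1]}: {stats}")
```

The three thresholds work together: entropy alone misfires on CDN hostnames, length alone misfires on deep but legitimate naming schemes, and a unique-count floor keeps a single odd lookup from alerting. Base-32 or base-64 encodings push entropy higher than the hex sample used here, so 3.0 bits is a conservative floor; the volume of queries per registered domain over time is the other signal worth adding.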


5. Cleanup and Cover Tracks

  • Objectives: Erase forensic footprints and undo persistence without disrupting normal operations.

  • Detailed Steps:

    • Wipe memory artifacts and unlink rogue processes.

    • Delete logs or selectively edit event entries.

    • Remove all persistence mechanisms, disable accounts, revoke credentials.

    • Conduct detailed post-op analysis identifying OPSEC failures.

  • Tools/Resources:

  • Advanced Considerations: Integrate automation of cleanup immediately on operation exit, leveraging volatile storage and scheduled tasks.


6. Cross-Phase Operational Best Practices

  • Description: Maintain strong OPSEC hygiene across people, infrastructure, and communications.

  • Key Practices:

    • Strict role compartmentalization of operators and infrastructure.

    • Automated rotation of IP addresses, domains, and digital certificates via cloud APIs.

    • Use metadata-minimizing encrypted comms like Signal, Session, or Tor-based messaging.

    • Behavioral hygiene: avoid repetitive patterns and operational timing fingerprinting.

    • Ongoing OPSEC risk assessments during operations.
