Red Teaming Methodology

Red Team Assessment Methodology Overview

At Razorthorn Security, our Red Team engagements are designed to simulate the tactics, techniques and procedures (TTPs) used by sophisticated adversaries. Our goal is to test not just the technical weaknesses, but the overall readiness of an organisation’s defence. These assessments evaluate how well your blue team (security operations) can detect and mitigate real world threats, focusing on protection, detection, response and recovery. 

Our engagements are threat driven, meaning we model our operations after specific adversary groups relevant to your sector. We leverage the MITRE ATT&CK framework to ensure a comprehensive simulation of various attack techniques. This enables us to identify how attackers would behave across the entire kill chain, from initial access through data exfiltration.

Planning and Scoping

Objective Definition

For each engagement, Razorthorn Security works with the client to define clear, strategic objectives. These objectives aim to measure the entire security ecosystem, including technology, processes and personnel response capabilities.

Objectives may include:

  • Measuring incident response: Can the team effectively respond to specific attacks like ransomware or spear-phishing?
  • Testing detection capabilities: How quickly can your team detect lateral movement or exfiltration activities?
  • Assessing business impact: What could an adversary achieve if they gain control of critical systems or data?

Each engagement is scoped to simulate real world attacks, accounting for critical infrastructure, geographic constraints and mission-critical systems that should be protected from direct interference.

Scope Definition

Razorthorn Security defines both in scope and out of scope systems. Critical infrastructure that cannot be disrupted is identified, while the focus remains on high value targets within the designated scope. We focus on threat scenarios most relevant to your organisation’s risk profile.

Reconnaissance

Passive Reconnaissance

At Razorthorn Security, the first stage of any engagement begins with passive reconnaissance, using open source intelligence (OSINT) to gather information about the target without triggering detection. This includes harvesting data from publicly available sources like social media, job postings, press releases and even misconfigured cloud environments. We employ tools like theHarvester and Maltego to collect and visualise data, identifying critical pieces of information about the network, key personnel, and the organisation’s infrastructure.

Active Reconnaissance

In the active reconnaissance phase, we take steps to map the network and uncover vulnerabilities by interacting directly with the target environment. Using tools like Nmap and Nessus, we conduct network scans and identify open ports, services, and potential weak points. However, we apply techniques to minimise our footprint by conducting stealthy scans and minimising the volume of traffic generated. The aim is to blend into normal network activity to avoid detection.

Initial Access

Razorthorn Security employs a variety of methods to achieve Initial Access to a target, depending on the scope of the engagement. These methods range from technical exploits and social engineering to physical intrusion techniques, each designed to simulate the tactics of advanced adversaries.

Exploitation

Razorthorn Security’s technical exploitation focuses on leveraging known vulnerabilities in systems or services to gain unauthorised access:

  • Web Application Exploits: We test for vulnerabilities such as SQL injection (SQLi), Cross-Site Scripting (XSS), and insecure authentication mechanisms to bypass protections and gain access to sensitive systems.
  • Network-Based Exploits: Utilising tools like Nmap and Nessus, we identify weak or exposed services, unpatched software, and misconfigured systems. We may exploit publicly known vulnerabilities (those catalogued as CVEs, Common Vulnerabilities and Exposures) in network services to establish initial access.
  • Zero-Day Exploitation: In rare cases, Razorthorn Security may develop or use zero-day vulnerabilities (previously undisclosed weaknesses) if discovered during the engagement. This level of exploit requires careful execution to avoid premature detection.

Social Engineering

Human weaknesses are a primary vector for achieving initial access. Razorthorn Security conducts targeted social engineering campaigns tailored to the organisation, often involving:

  • Spear-Phishing: Highly targeted phishing emails designed to trick specific individuals into clicking malicious links or downloading infected attachments. These campaigns are based on detailed OSINT to ensure authenticity.
  • Vishing (Voice Phishing): We may conduct phone-based attacks where our team impersonates trusted figures such as IT staff, tricking employees into providing sensitive credentials or performing insecure actions.
  • Baiting: Using physical devices like USB drops in key areas, we simulate attacks where malware is unknowingly introduced.

Physical Intrusion (if in scope)

When included within the scope of the engagement, physical intrusion is a powerful method for gaining initial access to the internal network or sensitive areas of a facility. Razorthorn Security employs a range of physical security breach techniques:

  • Tailgating: Our operatives blend into the target environment and use social engineering to “tailgate” authorised personnel into secure areas, such as server rooms, by following closely behind and exploiting human error.
  • Badge Cloning and Forgery: Using devices like Proxmark or RFID cloners, we can clone access badges or create fake employee badges based on OSINT about the organisation’s personnel and uniforms.
  • Lockpicking: In cases where direct physical access to secure areas is required, we may use lockpicking tools and techniques to bypass security locks. This method is reserved for high-value targets that are difficult to access via social engineering alone.
  • Surveillance: Prior to physical entry, we conduct covert surveillance of the facility, documenting security patrols, camera placement, and employee behaviour to identify potential weaknesses in physical security.
  • Planting Hardware Devices: Once inside, Razorthorn Security’s team may plant covert devices, such as a modified Raspberry Pi or other network implants, allowing for remote access to the target’s internal network. These devices are placed in areas that are unlikely to be noticed, such as under desks, in conference rooms, or in network closets.

Wireless Network Attacks

Wireless networks, particularly those with weak encryption or authentication, provide an additional entry point. Razorthorn may perform attacks such as:

  • Wi-Fi Hacking: Using tools like Wifite2 and EAPHammer, we attempt to gain unauthorised access.
  • Evil Twin Attacks: By setting up a rogue wireless access point (Evil Twin), we lure employees into connecting to a fake network, allowing us to capture network traffic, including login credentials.
  • Bluetooth Exploitation: If in scope, we may exploit insecure Bluetooth devices used by employees to access sensitive systems through wireless connectivity.

Establish Foothold

Once initial access is achieved, Razorthorn focuses on strengthening that access by escalating privileges, maintaining a persistent presence, and preparing for future actions. This stage involves both technical and covert tactics to avoid detection while increasing control over the target systems. The key to a successful foothold is maintaining stealth, ensuring that any access gained remains undetected for as long as possible, while preparing the environment for lateral movement or data exfiltration.

Privilege Escalation

After gaining a foothold, the next priority is privilege escalation, which is essential for gaining higher-level access to systems and accounts. Privilege escalation methods typically involve exploiting system misconfigurations or weaknesses in operating systems and applications.

Exploiting Local Privileges: Once an attacker compromises a low-level user account, they aim to escalate their privileges to become a local administrator or root user. This may involve exploiting unpatched vulnerabilities (e.g., kernel exploits), using weak password policies, or leveraging accessible configuration files that expose sensitive information.

Abusing Trusted Services: In many enterprise environments, there are trusted relationships between systems and users. By exploiting those relationships (for instance, through impersonation of privileged accounts via Pass-the-Hash or Kerberos ticket forging), the attacker can gain access to more valuable systems and assets.

Credential Harvesting: Tools like Mimikatz are often used to steal plaintext credentials from memory or grab password hashes. With these credentials, Red Teams can use techniques like Pass-the-Ticket or Over-Pass-the-Hash to move laterally across the network or escalate privileges.

Razorthorn Security ensures that privilege escalation is achieved in a manner that mirrors the techniques used by sophisticated adversaries. By leveraging real world TTPs, we assess whether the organisation’s defence mechanisms can detect and prevent escalation attacks.

Maintaining Stealth During Persistence

Maintaining stealth is crucial when establishing persistence. Razorthorn Security ensures that persistence mechanisms blend into the target environment. This is achieved by:

  • Leveraging Legitimate Tools: Using native tools and protocols (like PowerShell, WMI, or PsExec) to deploy persistence mechanisms ensures that security solutions like Endpoint Detection and Response (EDR) systems are less likely to flag the activity.
  • Process Injection: This technique involves injecting malicious code into legitimate processes, making it harder for detection systems to differentiate between normal and malicious activity.
  • C2 Frameworks: We may use customised Command and Control (C2) frameworks that employ encryption and traffic obfuscation to mimic normal network traffic, ensuring persistence mechanisms communicate with our servers without raising alarms.

Pivoting for Lateral Movement

Once persistence is established on one or more systems, Razorthorn Security prepares for lateral movement across the network. This phase involves gathering further intelligence on the internal network, assessing other systems and accounts, and setting the stage for more advanced exploitation:

  • Internal Reconnaissance: Tools like BloodHound can be used to map out the Active Directory infrastructure, showing the relationship between users, groups, and permissions. This allows us to plan the next steps for lateral movement.
  • Credential Dumping: We continue to dump credentials and hashes from compromised systems, aiming to access more privileged accounts or sensitive systems.
  • Network Persistence: In some cases, Razorthorn Security may deploy tools that help maintain persistence across the network itself. This could involve deploying implants on routers, switches, or wireless access points, ensuring network-level access.

Covering Tracks

To ensure long-term success, Razorthorn Security takes steps to cover any traces left during the establishment of the foothold:

  • Log Tampering: Where possible, we alter or delete logs that may indicate unauthorised access or activities, making it harder for incident response teams to detect the presence of malicious actors.
  • Obfuscating Commands: We ensure that commands and scripts used during persistence are obfuscated, making them harder to detect in security monitoring systems.
  • Removing Temporary Files: All temporary files, artefacts, or malicious tools used to establish persistence are removed from the compromised hosts.

Lateral Movement

Lateral movement is essential for accessing valuable assets within the network. Razorthorn uses stealthy techniques to move between systems, often employing tools like BloodHound to map Active Directory relationships and identify paths to critical resources. Common lateral movement methods include:

  • Pass-the-Hash: Utilising captured hashes to impersonate legitimate users.
  • PsExec: Executing commands on remote systems.
  • RDP Hijacking: Taking control of existing sessions unnoticed.

These techniques are designed to minimise the creation of logs or other artefacts that might alert the security team. During lateral movement, maintaining stealth is critical to ensuring persistence while gathering more intelligence about the internal network.

Command and Control (C2)

Once footholds are established, Razorthorn Security sets up Command and Control (C2) channels to maintain communication with compromised hosts. These channels are carefully disguised as normal traffic, often using HTTPS or DNS tunnelling to avoid raising suspicion. Redundancy is built into our C2 infrastructure, with multiple outbound paths for C2 traffic – primary channels for real-time operations and backup channels for long-term persistence.

C2 traffic is kept minimal to avoid detection, leveraging low-and-slow communication strategies to evade monitoring by intrusion detection systems (IDS).

Data Exfiltration

In the final stages, Razorthorn Security simulates data exfiltration, focusing on removing sensitive data without being detected. Data is typically encrypted and segmented into small chunks before being sent out through covert channels like DNS tunnelling, cloud storage, or email attachments. We also simulate attacks designed to bypass data loss prevention (DLP) systems and test the blue team’s response to insider threats attempting to exfiltrate data.
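The C2 and exfiltration sections above both rely on DNS tunnelling, which a blue team can hunt for in DNS query logs. The following detector is an added example written for this page, not Razorthorn Security's tooling; it runs over a constructed log sample and flags client/domain pairs that query many distinct, high-entropy or very long leftmost labels, the signature that chunked, encoded data leaves in DNS. The registered-domain split (last two labels) and the thresholds are assumptions chosen for the sample.

```python
import math
from collections import defaultdict

# Constructed sample DNS log, one "client qname" pair per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.5 www.example.com
10.0.0.9 4f3a9c1e7b2d8a6f0c5e3b1d9a7f2c4e.t.exfil-test.invalid
10.0.0.9 9b2d7e1f5a3c8d0e6f4a2b1c7d9e3f5a.t.exfil-test.invalid
10.0.0.9 0c6e2a8f4b1d7e3a9c5f1b3d8e2a4c6f.t.exfil-test.invalid
10.0.0.9 7a1c3e5b9d2f4a6c8e0b2d4f6a8c1e3b.t.exfil-test.invalid
10.0.0.9 2e8a4c6f0b3d5e7a9c1f3b5d7e9a2c4f.t.exfil-test.invalid
10.0.0.9 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded chunks score high, ordinary hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """Return (leftmost label, registered domain). Assumption: the registered
    domain is the last two labels; a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])

def find_suspicious(log_text: str, min_unique=4, min_entropy=3.0, max_label=30):
    """Group queries by (client, registered domain) and flag pairs that query many
    distinct leftmost labels which look encoded (high entropy) or unusually long."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        client, qname = line.split()
        label, domain = split_name(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        s["labels"].add(label)
        s["entropy"] += shannon_entropy(label)
    findings = {}
    for key, s in stats.items():
        mean_ent = s["entropy"] / s["queries"]
        longest = max(len(lab) for lab in s["labels"])
        if len(s["labels"]) >= min_unique and (mean_ent >= min_entropy or longest >= max_label):
            findings[key] = {"unique_labels": len(s["labels"]),
                             "mean_entropy": round(mean_ent, 2), "longest_label": longest}
    return findings

if __name__ == "__main__":
    for (client, domain), f in find_suspicious(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {f}")
```

Low-and-slow tunnels lower the query rate, not the label shape, so grouping per client and domain over a long window (hours or days) rather than per minute keeps this check effective.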

Post-Exploitation

The ultimate goal of Razorthorn Security’s engagements is to achieve specific mission objectives, which may involve:

  • Gaining access to sensitive intellectual property.
  • Simulating a ransomware attack to test incident response.
  • Disrupting key operational systems to evaluate how quickly the blue team can restore normal operations.

Our post-exploitation phase is designed to test both detection and response under realistic conditions, providing actionable insights into how well the organisation can handle a live breach.

Reporting

The reporting phase is one of the most crucial components of a Razorthorn Security Red Team engagement. Our final report details every step taken, TTPs employed, vulnerabilities exploited, and the overall effectiveness of the attack. More importantly, we provide:

  • Actionable remediation recommendations.
  • Business impact analysis of the discovered vulnerabilities.
  • Timeline of events, showing how quickly the security team detected and responded to each phase of the attack.

Clean-Up

At the conclusion of every engagement, Razorthorn Security ensures complete clean-up, removing all traces of the engagement from the target environment. This includes deleting malware, scripts, and backdoor tools, restoring any configurations that were altered, and ensuring no leftover artefacts remain. The environment is returned to its pre-engagement state to prevent any residual impact on business operations.
