Adversary Tactics - Identity-driven Offensive Tradecraft

Operating via C2

Effective red team operations require a unified platform for all team members. In this course, you can use either Mythic or Cobalt Strike as your Command and Control (C2) platform. You’re also welcome to use other C2 platforms you are familiar with or wish to explore.

Mythic

Mythic is a popular open-source C2 platform with various agents and capabilities. The Apollo agent is preferred for our AT:IDOT lab.

• Mythic Operator Video Series
• C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves – Cody Thomas
• Spinning Webs — Unveiling Arachne for Web Shell C2 - Cody Thomas
• Mythic 3.3 — Out of Beta - Cody Thomas
• MythicTips on X (formerly Twitter)

Cobalt Strike

If you’re new to Cobalt Strike, we highly recommend reviewing Raphael Mudge’s free online course on Red Team Operations. This course covers everything you need to get started and prepare for the AT:IDOT lab.

• Red Team Operations with Cobalt Strike (Start with “Red Team Ops with Cobalt Strike (1 of 9): Operations”): YouTube Link
• Red Teaming With Cobalt Strike – Not So Obvious Features by Oddvar Moe

For more advanced topics and techniques, check out:

• Cobalt Strike Official Blog
• Cobalt Strike Documentation

Windows and Active Directory

Most environments you’ll encounter as a red team operator use Microsoft Active Directory. To prepare for AT:IDOT, review the basics of Active Directory and common attack methods, including Credential Shuffle, Kerberoasting, and Golden/Silver Tickets.

• Sean Metcalf’s ADSecurity Blog
• Active Directory Attack and Defense
• BloodHound
• DEFCON 24 - Six Degrees of Domain Admin

Tunneling and Proxying Traffic

Complex networks often require tunneling traffic via SSH and using SOCKS proxies. Proficiency in these skills is essential for the AT:IDOT lab.

• Offensive Security Guide to SSH Tunnels and Proxies - Russel Van Tuyl
• Proxy Windows Tooling via SOCKS - Nick Powers