Red team finding / technique
-- Select a red team technique --
Phishing -- malicious Office macro executed by user
Phishing -- RTF exploit (Equation Editor) via email
Phishing -- HTML smuggling / drive-by download
VPN / edge device exploitation (no user interaction)
Web application exploitation (public-facing app)
PowerShell with encoded command executed
WMI remote execution to lateral target
rundll32.exe used to execute malicious DLL
Registry Run key persistence installed
Scheduled task created for persistence
Malicious Windows service installed
Web shell deployed on web server
LSASS memory dumped (Mimikatz / ProcDump)
DCSync attack performed
Kerberoasting performed
NTDS.dit extracted via ntdsutil IFM
Browser credential store accessed
Pass-the-Hash used for lateral movement
RDP used to move to secondary host
PsExec used for lateral movement
Data exfiltrated to cloud storage
Data exfiltrated via DNS
Was the tester caught?
No -- the technique was not detected
Yes -- detected but want to understand the mechanism
Partial -- detected late or with significant delay
Map to blue team detection