The Red Team Toolchain: Build vs. Buy?
Level: Intermediate
The "Cobalt Strike" Problem
For a decade, Raphael Mudge's Cobalt Strike defined red teaming. It was perfect. It was stable. And eventually, it became the most fingerprinted software on earth.
Today, if you run a default Cobalt Strike beacon on a network with a decent EDR, you will be flagged in milliseconds. Not because the tool is bad, but because defenders have thousands of signatures for its default behavior (named pipes, memory allocation patterns, JA3 hashes).
This brings us to the core dilemma of modern Red Team engineering: Do we buy established tools, or build our own?
Command & Control (C2) Frameworks
The C2 is the heart of operations. It handles your agents, your listeners, and your data exfiltration.
The Commercial Standard
- Cobalt Strike: Still the king of ease-of-use and "Malleable C2" profiles. Great for when you need stability.
- Brute Ratel (BRC4): Gained fame for bypassing everything, then got leaked, now detected often.
- Nighthawk: The sophisticated choice for evasion. Heavily focused on memory obfuscation.
The Open Source / DIY Route
- Sliver: The Go-based powerhouse. Extremely feature-rich, supports mutual TLS, DNS C2, and WireGuard. But Go binaries are large (harder to hide).
- Havoc: A modern C++ framework that feels like Cobalt Strike but allows custom payload compilation.
- Mythic: A "framework of frameworks." You can plug in any agent (Python, Mac, .NET) into a unified web UI. Ideally suited for teams that write their own agents.
My Advice: Use a Commercial C2 for the UI and management, but never use the default payload generator. Use a custom loader to inject the shellcode.
Infrastructure as Code (IaC)
Gone are the days of manually spinning up a VPS on Digital Ocean and SSHing into it. If your C2 gets burned (blocked), you need to burn the infrastructure and redeploy in 5 minutes.
You need Terraform and Ansible.
Redirectors:
Never expose your Teamserver directly to the internet. Use "Redirectors" (dumb proxies) in front.
Victim -> AWS CloudFront -> EC2 Nginx (Redirector) -> Teamserver
If the Blue Team blocks the IP, they blocked the Redirector. You just spin up a new one and update the DNS. The Teamserver stays safe.
Example Terraform snippet for a Redirector:
variable "teamserver_ip"       { type = string }
variable "ssh_key_fingerprint" { type = string }  # key already registered with DigitalOcean

resource "digitalocean_droplet" "redirector" {
  image    = "ubuntu-22-04-x64"
  name     = "cdn-update-server-01"
  region   = "nyc1"
  size     = "s-1vcpu-1gb"
  ssh_keys = [var.ssh_key_fingerprint]

  # remote-exec needs SSH details; assumes the matching private key is loaded in ssh-agent
  connection {
    type = "ssh"
    user = "root"
    host = self.ipv4_address
  }

  provisioner "remote-exec" {
    inline = [
      "apt update",
      "apt install -y socat",
      # nohup + redirects so the forwarder survives the provisioner's SSH session closing
      "nohup socat TCP4-LISTEN:443,fork TCP4:${var.teamserver_ip}:443 >/dev/null 2>&1 &",
    ]
  }
}
Weaponization & Dev Tools
You are essentially a software development shop that specializes in malware.
- Impacket: The python library for interacting with Windows network protocols (SMB, WMI, MSSQL, LDAP). It is indispensable.
- BloodHound: For graph analytics of AD trust relationships.
- Code Signing Certificates: Buy an EV certificate (or steal one). Signed binaries bypass SmartScreen and lower EDR scrutiny.
- Obfuscators: Tools like ConfuserEx (for .NET) or Chimera (for PowerShell) to scramble your code signatures.
The "Assume Breach" Laptop
For internal tests, you need a hardware rig.
- The OS: Kali Linux is great, but Windows Commando VM allows you to use native Windows tools (PowerShell, C#) without cross-compilation headaches.
- The Network: A travel router (GL.iNet) to isolate your traffic and handle VPN connections back to your base.
Conclusion
The tool doesn't make the hacker. I can compromise a network with telnet and notepad.exe if I have to. Tools just provide speed and scale.
Focus on understanding how the tool works. If you don't know what API calls your C2 is making, you can't optimize it for evasion.