// Know Your Enemy

Red Team Attack Patterns

Understand how professional Red Teams operate: detection indicators and response playbooks mapped to the MITRE ATT&CK framework.

Based on MITRE ATT&CK Framework

All techniques are mapped to MITRE ATT&CK IDs. Focus on patterns most relevant to CCDC competition scenarios.

Full MITRE ATT&CK Matrix
// Quick Reference

Rapid Detection Guide

Fast lookup for common attacks during competition.

| Attack | Windows Indicator | Linux Indicator | Immediate Action |
|---|---|---|---|
| Brute Force Login | 4625 (many) | "Failed password" in auth.log | Block source IP, check if succeeded |
| New Admin Account | 4720 + 4732 | /etc/passwd + /etc/group changes | Disable account, investigate source |
| Scheduled Task/Cron | 4698 | crontab changes, /etc/cron.d/ | Remove task, check for payload |
| Service Installed | 7045 | systemd unit created | Stop service, remove, investigate |
| Lateral Movement (SMB) | 5140/5145 to C$ or ADMIN$ | N/A | Block source, check destination |
| Lateral Movement (SSH) | N/A | SSH from internal IP | Kill session, change keys |
| Process Injection | Sysmon 8/10 | ptrace calls in audit | Kill process, investigate parent |
| Data Exfiltration | Large outbound transfers | Unusual network traffic | Block destination, assess damage |
// TA0001

Initial Access

How attackers get their first foothold

T1078

Valid Accounts

Using legitimate credentials (often default or weak passwords)

CCDC Relevance
VERY HIGH - Red Team will try default creds in first 5 minutes

Detection Indicators

  • Multiple failed logins followed by success
  • Login from unusual source IP
  • Login outside normal hours
  • Login to multiple systems rapidly
Log Sources
Win: Event ID 4624 (success), 4625 (failure)
Linux: /var/log/auth.log, /var/log/secure

Response Actions

  • Change ALL default passwords immediately
  • Disable guest and unused accounts
  • Enable account lockout policies
  • Monitor authentication logs continuously
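The "multiple failed logins followed by success" indicator above and the Brute Force row in the quick reference, implemented as an added example (not code from the original page) over a constructed auth.log excerpt; the thresholds are assumptions you should tune to your environment:

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not from the original page): a burst of
# failures from one source followed by a success, plus ordinary noise.
SAMPLE_AUTH_LOG = """\
Mar  3 09:01:10 web01 sshd[2101]: Failed password for root from 10.10.5.77 port 51022 ssh2
Mar  3 09:01:11 web01 sshd[2102]: Failed password for invalid user admin from 10.10.5.77 port 51023 ssh2
Mar  3 09:01:12 web01 sshd[2103]: Failed password for root from 10.10.5.77 port 51024 ssh2
Mar  3 09:01:13 web01 sshd[2104]: Failed password for root from 10.10.5.77 port 51025 ssh2
Mar  3 09:01:14 web01 sshd[2105]: Failed password for root from 10.10.5.77 port 51026 ssh2
Mar  3 09:01:16 web01 sshd[2106]: Accepted password for root from 10.10.5.77 port 51027 ssh2
Mar  3 09:02:00 web01 sshd[2110]: Failed password for bob from 10.10.1.20 port 40001 ssh2
Mar  3 09:02:05 web01 sshd[2111]: Accepted publickey for bob from 10.10.1.20 port 40002 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")

def analyze_auth_log(text, burst_threshold=5, min_failures_before_success=3):
    """Return (brute_force, suspicious_successes).

    brute_force: {source_ip: failure_count} for sources at/above burst_threshold.
    suspicious_successes: [(source_ip, user, failures_so_far)] for each accepted
    login from a source that had already failed at least
    min_failures_before_success times (the "failed then succeeded" pattern).
    Thresholds are assumed defaults, not values from the guide.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            user, ip = m.group(1), m.group(2)
            if failures.get(ip, 0) >= min_failures_before_success:
                suspicious.append((ip, user, failures[ip]))
    brute = {ip: n for ip, n in failures.items() if n >= burst_threshold}
    return brute, suspicious

if __name__ == "__main__":
    brute, hits = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in brute.items():
        print(f"brute force: {ip} ({n} failures) - block source, check for success")
    for ip, user, n in hits:
        print(f"POSSIBLE COMPROMISE: {user} logged in from {ip} after {n} failures")
```

Run it against a real file with `analyze_auth_log(open("/var/log/auth.log").read())`; a hit in the second list means the "check if succeeded" step of the quick reference has already answered yes.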
T1190

Exploit Public-Facing Application

Exploiting vulnerabilities in web apps, databases, or services

CCDC Relevance
HIGH - Web services are primary targets

Detection Indicators

  • Unusual HTTP requests (SQLi, XSS patterns)
  • Web application errors in logs
  • Unexpected process spawned by web server
  • Database queries from web context
Log Sources
Win: IIS logs, Application Event Log
Linux: /var/log/apache2/*, /var/log/nginx/*

Response Actions

  • Patch known vulnerabilities
  • Enable WAF if available
  • Review and harden web app configs
  • Restrict database user permissions
// TA0003

Persistence

How attackers maintain access after reboot

T1053

Scheduled Task/Job

Creating scheduled tasks or cron jobs for persistence

CCDC Relevance
VERY HIGH - Favorite Red Team persistence method

Detection Indicators

  • New scheduled tasks created
  • Tasks running from unusual paths
  • Tasks running as SYSTEM or root
  • Cron jobs in unexpected locations
Log Sources
Win: Event ID 4698 (task created), Task Scheduler log
Linux: /var/log/cron, crontab -l for all users

Response Actions

  • Audit all scheduled tasks immediately
  • Remove unauthorized tasks
  • Monitor task creation events
  • Restrict task creation permissions
T1136

Create Account

Creating new accounts for persistent access

CCDC Relevance
VERY HIGH - Check for new accounts constantly

Detection Indicators

  • New user account created
  • Account added to admin groups
  • Account created with unusual naming
  • Service accounts with interactive login
Log Sources
Win: Event ID 4720 (user created), 4732 (added to group)
Linux: /var/log/auth.log, /etc/passwd changes

Response Actions

  • Document all legitimate accounts
  • Immediately disable unknown accounts
  • Alert on any account creation
  • Review group memberships hourly
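The "document all legitimate accounts" step turned into a baseline check, as an added example (not code from the original page): it diffs /etc/passwd and /etc/group snapshots for the T1136 indicators listed above. The snapshots are constructed; the admin group names and nologin shells are assumed defaults.

```python
# Constructed baseline and current snapshots (not from the original page);
# on a live host read /etc/passwd and /etc/group and keep the baseline off-box.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:0:0::/root:/bin/bash
"""
BASELINE_GROUP = "sudo:x:27:alice\n"
CURRENT_GROUP = "sudo:x:27:alice,www-data\n"

ADMIN_GROUPS = {"sudo", "wheel", "adm", "root"}          # assumed set
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":")
            users[name] = {"uid": int(uid), "shell": shell}
    return users

def parse_groups(text):
    groups = {}
    for line in text.splitlines():
        if line:
            name, _, _, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups

def audit_accounts(base_passwd, cur_passwd, base_group, cur_group):
    """Return (finding_type, subject) tuples: new accounts, extra UID-0
    accounts, service accounts given a login shell, new admin-group members."""
    base_u, cur_u = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    base_g, cur_g = parse_groups(base_group), parse_groups(cur_group)
    findings = [("new_account", n) for n in sorted(set(cur_u) - set(base_u))]
    for name, info in sorted(cur_u.items()):
        if info["uid"] == 0 and name != "root":
            findings.append(("uid0_account", name))
        old_shell = base_u.get(name, {}).get("shell")
        if old_shell in NOLOGIN_SHELLS and info["shell"] not in NOLOGIN_SHELLS:
            findings.append(("service_account_login_shell", name))
    for grp in sorted(ADMIN_GROUPS & set(cur_g)):
        for member in sorted(cur_g[grp] - base_g.get(grp, set())):
            findings.append(("added_to_admin_group", f"{member} -> {grp}"))
    return findings
```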
T1547

Boot/Logon Autostart

Adding malware to startup locations

CCDC Relevance
HIGH - Check registry and startup folders

Detection Indicators

  • New entries in Run/RunOnce keys
  • Startup folder modifications
  • New services set to auto-start
  • systemd unit files created
Log Sources
Win: Sysmon Event ID 13, Registry auditing
Linux: /etc/systemd/system/, /etc/init.d/

Response Actions

  • Baseline all startup entries
  • Remove unauthorized entries
  • Monitor registry changes
  • Audit systemd units
// TA0004

Privilege Escalation

How attackers gain higher privileges

T1068

Exploitation for Privilege Escalation

Exploiting software vulnerabilities to gain elevated privileges

CCDC Relevance
MEDIUM - Depends on patch level

Detection Indicators

  • Unexpected SYSTEM/root processes
  • Crashes in privileged services
  • Unusual child processes from services
Log Sources
Win: Sysmon Event ID 1, Application crashes
Linux: /var/log/kern.log, audit.log

Response Actions

  • Patch systems where possible
  • Minimize running services
  • Use application whitelisting
  • Monitor process creation
T1055

Process Injection

Injecting code into legitimate processes

CCDC Relevance
MEDIUM - Advanced technique

Detection Indicators

  • Process accessing memory of other processes
  • Legitimate process with unusual network activity
  • DLL loaded from unusual path
Log Sources
Win: Sysmon Event ID 8, 10
Linux: /proc/[pid]/maps, audit.log

Response Actions

  • Enable Sysmon for detailed logging
  • Monitor for unusual process behavior
  • Use EDR if available
// TA0008

Lateral Movement

How attackers move through the network

T1021.002

SMB/Windows Admin Shares

Using admin shares (C$, ADMIN$) for lateral movement

CCDC Relevance
VERY HIGH - Primary Windows lateral movement

Detection Indicators

  • Access to admin shares from workstations
  • PsExec or similar tool execution
  • Service creation on remote systems
  • Large file copies to admin shares
Log Sources
Win: Event ID 5140 (share access), 5145 (detailed)
Linux: N/A - Windows specific

Response Actions

  • Disable admin shares if not needed
  • Restrict admin share access
  • Monitor SMB traffic
  • Use network segmentation
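The "access to admin shares from workstations" indicator applied to Event ID 5145 records, as an added example (not code from the original page). The events are constructed with the real 5145 field names (SubjectUserName, IpAddress, ShareName, RelativeTargetName); the approved-source allow-list and host names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
# Assumed allow-list: hosts your team uses for legitimate remote administration.
APPROVED_ADMIN_SOURCES = {"10.10.1.5"}

def make_5145_event(ip, user, share, target):
    """Build a constructed Event ID 5145 record carrying only the fields inspected."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><Computer>dc01.corp.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="ShareName">\\\\*\\{share}</Data>
    <Data Name="RelativeTargetName">{target}</Data>
  </EventData>
</Event>"""

# Constructed sample: one approved admin action, one workstation writing a
# binary into C$ (the PsExec-style pattern), one ordinary user-share access.
SAMPLE_EVENTS = [
    make_5145_event("10.10.1.5", "itadmin", "ADMIN$", "Temp\\patch.msi"),
    make_5145_event("10.10.20.33", "jsmith", "C$", "Windows\\svcupd.exe"),
    make_5145_event("10.10.20.33", "jsmith", "Public", "docs\\notes.txt"),
]

def triage_share_access(event_xmls):
    """Return an alert dict for each admin-share access from a non-approved source."""
    alerts = []
    for raw in event_xmls:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "5145":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        share = data.get("ShareName", "").rsplit("\\", 1)[-1]   # \\*\C$ -> C$
        if share in ADMIN_SHARES and data.get("IpAddress") not in APPROVED_ADMIN_SOURCES:
            alerts.append({"computer": root.findtext("e:System/e:Computer", namespaces=NS),
                           "source": data["IpAddress"], "user": data["SubjectUserName"],
                           "share": share, "target": data.get("RelativeTargetName", "")})
    return alerts
```

Feed it the XML from `wevtutil qe Security /q:"*[System[EventID=5145]]" /f:xml` (one element per event) and each alert gives you the source to block and the destination and file to inspect.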
T1021.004

SSH

Using SSH for lateral movement on Linux systems

CCDC Relevance
VERY HIGH - Primary Linux lateral movement

Detection Indicators

  • SSH connections between internal systems
  • SSH from unusual source
  • SSH key added to authorized_keys
  • Failed SSH attempts
Log Sources
Win: N/A - Linux specific
Linux: /var/log/auth.log, /var/log/secure

Response Actions

  • Change SSH keys and passwords
  • Restrict SSH to needed systems
  • Monitor SSH logs continuously
  • Consider SSH jump hosts
T1047

WMI

Using Windows Management Instrumentation remotely

CCDC Relevance
HIGH - Stealthy lateral movement

Detection Indicators

  • WMI process creation events
  • Network connections to WMI ports
  • Unusual WMI subscriptions
Log Sources
Win: Event ID 5857-5861, WMI-Activity log
Linux: N/A - Windows specific

Response Actions

  • Restrict WMI access
  • Monitor WMI activity
  • Disable WMI if not needed
// TA0040

Impact

How attackers affect business operations

T1489

Service Stop

Stopping critical services to impact scoring

CCDC Relevance
VERY HIGH - Direct scoring impact

Detection Indicators

  • Critical service stopped unexpectedly
  • Multiple services stopped in sequence
  • Service stop from unusual account
Log Sources
Win: Event ID 7036 (service state change)
Linux: journalctl -u [service], systemd logs

Response Actions

  • Monitor scored services continuously
  • Set up automatic service restart
  • Alert on service state changes
  • Have recovery procedures ready
T1485

Data Destruction

Deleting or corrupting critical data

CCDC Relevance
HIGH - Can destroy service configs

Detection Indicators

  • Mass file deletions
  • Database drops or truncations
  • Config file modifications
Log Sources
Win: Object access auditing, Sysmon Event ID 23
Linux: auditd file monitoring

Response Actions

  • Backup critical configs IMMEDIATELY
  • Monitor file integrity
  • Restrict delete permissions
  • Have restore procedures ready
T1491

Defacement

Modifying web content for visibility

CCDC Relevance
MEDIUM - More about embarrassment than points

Detection Indicators

  • Web file modifications
  • Unusual web server writes
  • Content changes in monitored files
Log Sources
Win: IIS logs, File auditing
Linux: inotify, auditd

Response Actions

  • Backup web content
  • Monitor web directories
  • Restore from backup quickly
  • File integrity monitoring
// Competition Timeline

Typical Red Team Attack Timeline

What to expect at each phase of competition.

| Time | Phase | Activity | Level |
|---|---|---|---|
| 0-15 min | Reconnaissance | Port scanning, service enumeration, credential testing | Low |
| 15-60 min | Initial Access | Default credential attempts, known exploit attempts | HIGH |
| 1-2 hours | Foothold & Persistence | Backdoor installation, scheduled tasks, new accounts | CRITICAL |
| 2-4 hours | Lateral Movement | Moving to other systems, privilege escalation | HIGH |
| 4-6 hours | Full Compromise | Domain admin access, service disruption attempts | CRITICAL |
| 6-8 hours | Persistence & Impact | Maintaining access, data theft/destruction, defacement | HIGH |

Defense Starts with Detection

Now that you know the attacks, learn the defensive doctrine and operational procedures.