Ending Soon! Get a new iPad, Samsung Galaxy Tab A or take $350 Off Your OnDemand or vLive course by May 10!

SEC564: Red Team Operations and Threat Emulation Beta

This course provides the foundation needed to manage and operate a Red Team and conduct Red Team engagements. What is Red Teaming? Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of people, processes and technology used to defend an environment.

Red Teaming is built on the fundamentals of penetration testing, yet focuses on specific scenarios and goals used to evaluate and measure an organization's overall security defense posture. That posture includes people, processes, and technology. This course will explore Red Teaming concepts in depth to provide a clear understanding of what a Red Team is and its role in Security Testing.

Organizations spend a great deal of time and money on the security of their systems. Red Teaming uses a comprehensive approach to gain insight into an organization's overall security. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities significantly improve an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.

The Red Team concept requires a different approach from a typical security test, and it relies heavily on well-defined tactics, techniques, and procedures (TTPs). These are critical if a Red Team is to successfully emulate a realistic threat or adversary. Red Team results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against an actual threat, and identify where security strengths and weaknesses exist.

Course Syllabus


Day 1 begins by introducing Red Team topics, concepts, and ideas. You will learn what Red Teaming is, how it is used, and how it compares to other security testing types such as vulnerability assessments and penetration tests. Several topics, concepts, and ideas that are specific to Red Teams, and which constitute the critical foundation of Red Teaming, are examined in order to provide a solid base of understanding.

  • Setting up an Attack Platform
  • Using Web Shells to Support C2

CPE/CMU Credits: 6

  • History and Origin
  • Red Teaming Introduction
  • Aspects of a Red Team
  • Standard Attack Platform
  • Red Team Role in Blue Team Training
  • Live Assessment Example
  • How to Succeed
  • Engagement Frequency
  • Security Misconceptions and Assumptions
  • Red Team Goals
  • Threat Perspective
  • Threat Emulation Scenarios
  • Tradecraft and TTPs
  • Social Engineering
  • Tools and Techniques
  • Web Shells

Day 2 continues with a heavy focus on Red Team tools and techniques. The day is filled with multiple exercises designed to explore various aspects of Red Teaming. During the exercises, you manage and control indicators of compromise (IOCs), design custom command and control channels, and use unique command and control tools. You will also learn Red Teaming concepts needed to control and manage a Red Team. These include how to interface with clients, collect and log engagement artifacts, successfully execute an engagement, manage deconfliction, properly end an engagement, and deliver a professional report.

  • Named Pipe C2
  • Analyzing and Understanding User-Agent String IOCs
  • Modifying Tools to Control IOCs
  • C2 Design and Customization - PowerShell Empire

CPE/CMU Credits: 6

  • Tools and Techniques
  • Understanding and Controlling Tool Indicators
  • Red Team Engagement Roles and Responsibilities
  • Handling Client Data
  • Data Collection
  • Red Team Engagement
  • Flow Engagement Planning
  • Engagement Execution
  • Ending a Red Team Engagement
  • Red Team Engagement Reporting

Additional Information


To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 10, 8 or 8.1 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate) or Windows 2008/2012 Server, either a real system or a virtual machine. Professional versions only. Home versions will not work.

The course includes a VMware image file of a guest Linux system that is larger than 3 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool. Ensure you have administrative credentials to your Windows system.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

We will give you a USB full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system as the class uses a Linux image in VMware. However, you are required to bring VMware Workstation, VMware Player or VMware Fusion. The class does not support Virtual Box, VirtualPC, or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 8 GB RAM minimum with 16 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 40 GB available hard-drive space
  • An available USB Port
  • Any Service Pack level is acceptable for Windows 10, 8, Windows 7 or Windows Vista

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security professionals interested in expanding their knowledge of Red Teaming
  • Penetration testers
  • Ethical hackers
  • Defenders who want to better understand offensive methodologies, tools, and techniques
  • Auditors who need to build deeper technical skills
  • Red Team members
  • Blue Team members
  • Forensics specialists who want to better understand offensive tactics

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Teaming concepts.

Many of the Red Teaming concepts taught in this course are suitable for anyone in the security community, and both highly technical staff as well as management personnel will be able to gain a deeper understanding of Red Teaming.

  • A course USB with the SANS Slingshot Linux Penetration Testing Environment loaded with numerous tools used for all exercises
  • Details on Red Team use of common tools and their usage
  • A variety of sample documents used in planning, executing, and reporting Red Team engagements
  • Make the best use of a Red Team to understand and measure an organization's defenses. You will learn what Red Teaming is and how it differs from other security testing engagements. This course offers a unique view of the offensive security field of Red Teaming and the concepts, principles, and guidelines critical to a Red Team's success. It prepares you to design and create threat-specific goals to measure and train organizational defenders (CND/Blue Teams) and shows how a Red Team uses the "Get In, Stay In, and Act" methodology to achieve operational impacts.

Authors' Statement

"A great deal of time and money are spent on protecting critical digital assets. Many organizations focus their security testing on compliance or limited scope reviews of a system. These limited tests often leave an organization with a false sense of security. Organizations that open themselves to assessment not only of their technology, but also of their people and processes, can significantly improve their security posture and adjust a limited security budget to protect their most critical assets. Scenario-based testing and Red Team techniques can be used to determine how an organization really stands up to a realistic and determined threat."

- Joe Vest and James Tubberville

*CPE/CMU credits not offered for the SelfStudy delivery method

1 Training Results
Type Topic Course / Location / Instructor Date Register

Private Training
All Private Training Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.