Red Team interview preparedness

Hi all, I'll be interviewing for an internal red team position and want to prepare myself as best as possible, however I definitely don't want to bullshit the interviewers because if I wasn't ready for the job but still somehow landed it I would be found out fast.

I mentioned to the person hiring my interest in offensive .NET, however in my current role I just haven't had the time or support to develop my skills. He mentioned there might be some code review in the interview or questions around using Windows APIs for code execution, and this has me spooked. Does anyone have some introductory resources for C# specifically as an offensive tool? I have some coding skills to write scripts and small tools in various languages, but this is different and I want to at least demonstrate my interest and foundational knowledge.

I expect there to be questions around kill chains, TTPs, the MITRE framework, C2 infrastructure, maybe questions on planning and preparing, and I think I could handle all these questions fine, and that worries me because I can't think of more topics or questions that I would struggle with.

If you have any resources, advice or personal experiences please share, TIA!

Find more posts tagged with

red team

Interview tips

interview

Comments

securityorc

Very interesting topic! Have a look at these resources for red teaming interviews in general:

https://github.com/WebBreacher/offensiveinterview
https://medium.com/@malcomvetter/how-to-pass-a-red-team-interview-9155828cfa1c
https://www.fireeye.com/blog/products-and-services/2016/03/attacking_like_apro.html

I saved them as a baseline / preparatory resource for when I will get into red teaming, this is something I aspire to, but at the moment I still have plenty to learn and experience from pentesting before I'm ready for that step.

As for offensive .NET, I'd be keen to learn more about that as well, since I've recently been exposed to its power in modern environments. I recommend RastaMouse and Adam Chester's blogs, also Rasta's Youtube channel where he shows building SharpC2, a .NET C2 framework.

From a practical standpoint of getting your hands on the code, this Defcon workshop looks perfect, it's on my to do list.

https://github.com/mvelazc0/defcon27_csharp_workshop

tedjames

Hey, these are excellent resources! Thanks for posting. About six months ago, I moved out of the security team and into software development so I can focus on application security, specifically testing our apps. We're also a .NET shop.

What has helped me so far has been a .NET development course on Udemy. I don't plan to become a developer, but I do need to better understand how things work. I also turned my Raspberry Pi into a PHP web server and created an app to help me understand how they work. I'm also planning to install IIS server to practice on.

Definitely don't try to BS the interviewers. Likely they'll know when you're doing it. It's better just to say, "I don't know, but I would love to learn," and then talk about your plans for training. Show that you're proactive about your education.

JDMurray

What are the requirements of the job posting? Are they looking for a "I don't know much but I love to learn" person or an "I already know a lot about red-teaming and can hit the ground running" person?

Sheiko37

They're building a new red team (from my understanding), so no one in the team regardless of experience will be able to "hit the ground running" so to speak. There's multiple positions and skills they're looking for, e.g. threat intelligence, exploit dev, operators (again, in my understanding so far). I'd be going for an operator/infrastructure position.

I just can't think of questions I might struggle with, unless they go hard on exploit dev, RE, or deep real world APT knowledge. I'm certainly not overconfident regardless.

@securityorc, I'll have a better look at those links tomorrow and respond, thanks.

JDMurray

Is there an internal job posting that has the requirements of what the hiring manager is looking for in the position that you are interviewing? That would be a big, big help to completing your quest.

And don't worry about "BSing" the interviewers. If they know their red-teaming they'll be able to spot BS very quickly. Truth is always the best policy regardless of how much you (do or don't) want the job.

Sheiko37

securityorc said:
https://medium.com/@malcomvetter/how-to-pass-a-red-team-interview-9155828cfa1c
https://www.fireeye.com/blog/products-and-services/2016/03/attacking_like_apro.html

Good high-level resources, particularly the FireEye blog.

securityorc said:

https://github.com/WebBreacher/offensiveinterview

Having a look through all these and I think I could answer 90% on the spot with no preparation

, they are a bit more skewed to straight penetration testing though rather than a red team.

Adam Chester's blog looks good, haven't seen that one before, and I've used RastaMouse a fair bit as a resource but I'll definitely need to read it in depth leading up to any interview. The DEFCON workshop looks like a lot of work but exactly what I need.

JDMurray

Fairly new on Peerlyst: Preparing for your “Cybersecurity” job interview

Sheiko37

@JDMurray thanks, will give it a read.

I've put together a list for myself to prepare, sharing here so others can use the resources.

Blogs:
https://www.mdsec.co.uk/blog/
https://blog.xpnsec.com
https://rastamouse.me/categories/blog/
https://posts.specterops.io
https://ired.team

.NET:

https://github.com/mvelazc0/defcon27_csharp_workshop

Process & Mindset:

https://www.fireeye.com/blog/products-and-services/2016/03/attacking_like_apro.html
https://medium.com/@malcomvetter/how-to-pass-a-red-team-interview-9155828cfa1c

Other:
APT Groups and Operations - https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=438782970

Active Directory Kill Chain Attack & Defense - https://github.com/infosecn1nja/AD-Attack-Defense/blob/master/README.md

Interview Questions - https://github.com/WebBreacher/offensiveinterview