Red Team interview preparedness
Sheiko37
Member Posts: 214 ■■■□□□□□□□
Hi all, I'll be interviewing for an internal red team position and want to prepare myself as best as possible, however I definitely don't want to bullshit the interviewers because if I wasn't ready for the job but still somehow landed it I would be found out fast.
I mentioned to the person hiring my interest in offensive .NET, however in my current role I just haven't had the time or support to develop my skills. He mentioned there might be some code review in the interview or questions around using Windows APIs for code execution, and this has me spooked. Does anyone have some introductory resources for C# specifically as an offensive tool? I have some coding skills to write scripts and small tools in various languages, but this is different and I want to at least demonstrate my interest and foundational knowledge.
I expect there to be questions around kill chains,
TTPs, the MITRE framework, C2 infrastructure, maybe questions on
planning and preparing, and I think I could handle all these questions
fine, and that worries me because I can't think of more topics or questions that I would struggle with.
If you have any resources, advice or personal experiences please share, TIA!
Tagged:
Comments
-
securityorc Member Posts: 58 ■■■□□□□□□□Very interesting topic! Have a look at these resources for red teaming interviews in general:https://github.com/WebBreacher/offensiveinterview
https://medium.com/@malcomvetter/how-to-pass-a-red-team-interview-9155828cfa1c
https://www.fireeye.com/blog/products-and-services/2016/03/attacking_like_apro.htmlI saved them as a baseline / preparatory resource for when I will get into red teaming, this is something I aspire to, but at the moment I still have plenty to learn and experience from pentesting before I'm ready for that step.As for offensive .NET, I'd be keen to learn more about that as well, since I've recently been exposed to its power in modern environments. I recommend RastaMouse and Adam Chester's blogs, also Rasta's Youtube channel where he shows building SharpC2, a .NET C2 framework.From a practical standpoint of getting your hands on the code, this Defcon workshop looks perfect, it's on my to do list.
-
tedjames Member Posts: 1,182 ■■■■■■■■□□Hey, these are excellent resources! Thanks for posting. About six months ago, I moved out of the security team and into software development so I can focus on application security, specifically testing our apps. We're also a .NET shop.What has helped me so far has been a .NET development course on Udemy. I don't plan to become a developer, but I do need to better understand how things work. I also turned my Raspberry Pi into a PHP web server and created an app to help me understand how they work. I'm also planning to install IIS server to practice on.Definitely don't try to BS the interviewers. Likely they'll know when you're doing it. It's better just to say, "I don't know, but I would love to learn," and then talk about your plans for training. Show that you're proactive about your education.
-
JDMurray Admin Posts: 13,099 AdminWhat are the requirements of the job posting? Are they looking for a "I don't know much but I love to learn" person or an "I already know a lot about red-teaming and can hit the ground running" person?
-
Sheiko37 Member Posts: 214 ■■■□□□□□□□They're building a new red team (from my understanding), so no one in the team regardless of experience will be able to "hit the ground running" so to speak. There's multiple positions and skills they're looking for, e.g. threat intelligence, exploit dev, operators (again, in my understanding so far). I'd be going for an operator/infrastructure position.I just can't think of questions I might struggle with, unless they go hard on exploit dev, RE, or deep real world APT knowledge. I'm certainly not overconfident regardless.@securityorc, I'll have a better look at those links tomorrow and respond, thanks.
-
JDMurray Admin Posts: 13,099 AdminIs there an internal job posting that has the requirements of what the hiring manager is looking for in the position that you are interviewing? That would be a big, big help to completing your quest.
And don't worry about "BSing" the interviewers. If they know their red-teaming they'll be able to spot BS very quickly. Truth is always the best policy regardless of how much you (do or don't) want the job. -
Sheiko37 Member Posts: 214 ■■■□□□□□□□securityorc said:https://medium.com/@malcomvetter/how-to-pass-a-red-team-interview-9155828cfa1cGood high-level resources, particularly the FireEye blog.securityorc said:Having a look through all these and I think I could answer 90% on the spot with no preparation , they are a bit more skewed to straight penetration testing though rather than a red team.Adam Chester's blog looks good, haven't seen that one before, and I've used RastaMouse a fair bit as a resource but I'll definitely need to read it in depth leading up to any interview. The DEFCON workshop looks like a lot of work but exactly what I need.
-
Sheiko37 Member Posts: 214 ■■■□□□□□□□@JDMurray thanks, will give it a read.I've put together a list for myself to prepare, sharing here so others can use the resources.Blogs:
https://www.mdsec.co.uk/blog/
https://blog.xpnsec.com
https://rastamouse.me/categories/blog/
https://posts.specterops.io
https://ired.team.NET:Process & Mindset:https://www.fireeye.com/blog/products-and-services/2016/03/attacking_like_apro.html
https://medium.com/@malcomvetter/how-to-pass-a-red-team-interview-9155828cfa1cOther:
APT Groups and Operations - https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=438782970Active Directory Kill Chain Attack & Defense - https://github.com/infosecn1nja/AD-Attack-Defense/blob/master/README.mdInterview Questions - https://github.com/WebBreacher/offensiveinterview