Module 20

Question 1

What is considered the most important aspect of a red team engagement?

Answer 1

The final report, as it must accurately communicate objectives, findings, business impacts, and recommendations.

Question 2

The Cobalt Strike _____ report provides an overall timeline of post-exploitation activity.

Answer 2

Activity

Question 3

Which Cobalt Strike report summarizes information collected on each host, such as services and credentials?

Answer 3

The Hosts report.

Question 4

The Cobalt Strike _____ report provides technical details like a C2 traffic profile, domains, and file hashes, akin to a threat intelligence report.

Answer 4

IOC (Indicators of Compromise)

Question 5

Which Cobalt Strike report summarizes post-exploitation activity on a per-session basis?

Answer 5

The Sessions report.

Question 6

The Cobalt Strike _____ report details activity from its built-in spear phishing capabilities, like which users clicked malicious links.

Answer 6

Social engineering

Question 7

Which Cobalt Strike report maps the recorded activity to MITRE’s ATT&CK Matrix?

Answer 7

The TTP (Tactics, Techniques, and Procedures) report.

Question 8

How are Cobalt Strike reports typically used when delivering them to a client?

Answer 8

They are typically included as appendices with the main report, not handed over directly.

Question 9

What sources are used to construct the final red team report?

Answer 9

All logs and notes from the engagement, including Cobalt Strike reports and individual operator logs.

Question 10

Which section of a red team report is aimed at business executives and provides a concise, non-technical overview of findings and risks?

Answer 10

The Executive Summary.

Question 11

The _____ section of a red team report summarizes the testing methodology, goals, and scope of the assessment.

Answer 11

Goals & Scenario

Question 12

Which section constitutes the bulk of a red team report’s content and outlines the sequence of events in technical detail?

Answer 12

The Attack Narrative.

Question 13

The _____ section of a red team report describes deficiencies in the organization’s ability to prevent, detect, or respond.

Answer 13

Observations & Recommendations

Question 14

In a red team report, what does an ‘observation’ typically describe?

Answer 14

A deficiency in an organization’s ability to prevent, detect, and/or respond to a specific activity.

Question 15

For each ‘observation’ in a report, what should be provided to mitigate the identified deficiency?

Answer 15

One or more recommendations.

Question 16

Which section of a red team report reiterates the significance of the key findings and provides a final statement of business risk?

Answer 16

The Conclusion.

Question 17

What is the term for the meetings held with an organization’s personnel to review the content of the final report?

Answer 17

Out-briefs.

Question 18

What is the name of the out-brief tailored toward management, which is performed soon after an engagement completes?

Answer 18

An executive brief.

Question 19

What is the primary goal of conducting an executive brief with management?

Answer 19

To ensure they understand the business impact and to get their buy-in for implementing improvements.

Question 20

Which type of out-brief involves a detailed review of activities and outcomes between the red team and other technical teams, such as a blue team?

Answer 20

A technical out-brief.

Question 21

What is considered the best opportunity for offensive and defensive teams to learn from each other following an engagement?

Answer 21

The technical out-brief.

Question 22

If a Cobalt Strike client is connected to multiple team servers, how does it handle data when generating a report?

Answer 22

It automatically aggregates and orders the data from all of them.