There's a few broad areas I discuss during interviews: Offensive Active Directory Be able to talk about common Active Directory attacks, how they work, and how to mitigate them. For example: Kerberoasting, Silver/Golden Ticket attacks, and (Un)constrained delegation. EDR Evasion Techniques Process Injection, what is execute-assembly, API hooking, AMSI bypasses Command and Control OPSEC considerations when running C2, Domain Fronting, C2 protocols, domain reputation Persistence Techniques RunOnce regkeys, modifying existing scheduled tasks, hijacking services Lateral Movement Named pipes, WMI, PowerShell Remoting, remotely scheduling tasks Ultimately, just walking through the various steps of a red team operation and having an open discussion about the techniques, procedures, and how they work under the hood. Also, I like to ask about any outside of work projects like home labbing, CTFs, etc. More on reddit.com

Hi all, I'll be interviewing for an internal red team position and want to prepare myself as best as possible, however I definitely don't want to bullshit the interviewers because if I wasn't ready for the job but still somehow landed it I would be found out fast. More on community.infosecinstitute.com

If this is a thing people are interested in, here's my dump of interview questions I've been asked. Some of them are vague because I didn't remember them in full detail by the time I started compiling the list.

https://docs.google.com/document/d/1t0mEmfmZHO3iG8UBYMwNskvqAX-bUrl_7c-cmAOAub4/edit?usp=sharing

Just a caveat: Look at my flair for context into some of the questions. There are some (e.g. impl memcpy) that are 'lol easy' but I was expected to talk about the implementation to the hardware level and suggest optimisations to it that'd take advantage of the CPU arch capabilities.

Another point: Note that there are very few leetcode-esque questions. For a sub that's obsessed with leetcode, I want to point out that there's a large segment in the industry that doesn't give 2 shits about algos and are more interested in domain-specific knowledge. If it adds any legitimacy to my opinion (it shouldn't), I work at a Big N.

Sidenote: Tesla was my most favourite interview by far. It was on-topic and a good test of my knowledge.

More on reddit.com

It's not that you're thinking like an attacker, it's that you're looking for the sexy (but stupid) answer instead of the boring (but sensible) answer. Both blue team and red team would benefit from a script to banner grab for the SSL version -- red team would use it during recon to know what attacks to try, blue team would use it to know what patches to apply and how to monitor/mitigate systems that can't be patched. If I'm running Wireshark to look for real time exploitation of Heartbleed, that only helps if someone uses Heartbleed while I'm watching. If I look for five minutes, go "oh, I don't see any attacks happening" and close it, there's now 23 hours and 55 minutes that someone COULD be exploiting Heartbleed without my knowing. Also, in an enterprise there are multiple servers, you're going to want to check all of them. So you'd have to set up some long-term, enterprise-wide monitoring/event capture/alerting, which frankly I'm not sure Wireshark is the right tool for -- something like Security Onion would let you run full pcap + Bro + Snort. And that still is only going to tell you whether something is being exploited, not whether it could be. A sexy but slightly more sensible answer (at least in my mind) would be "i would try to exploit Heartbleed on that server" -- but if you were doing that, I sure hope you'd check the version number first to make sure it's exploitable before trying to run said exploit, which brings us back to our banner grab script. (And if you do want to actively exploit each server, remember this is an enterprise-setting and you may have 25,50, 100 servers you're supposed to check. With hundreds of vulnerabilities you may be checking for, carefully proving each one by exploiting it is a terrible use of your time.) More on reddit.com