Red team automation and operational logging
Red-team operations involve a lot of repeatable plumbing — encoding payloads, processing collected data, reporting, and keeping an activity log. Python is the glue. This lesson covers payload handling and the operational logging that separates a professional engagement from a reckless one. As always, only against authorised engagements.
You'll learn to
- Encode and template payloads safely in your own tooling
- Process collected data into searchable form
- Keep a timestamped activity log for deconfliction
Payload handling is encoding and templating
```python
import base64


# Encode a command for transport (PowerShell -EncodedCommand wants UTF-16LE base64):
def ps_encode(command):
    return base64.b64encode(command.encode("utf-16-le")).decode()


# Symmetric XOR for simple obfuscation (defeats naive string detection only):
def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


blob = xor(b"payload-bytes", b"k3y")  # encode at build time
orig = xor(blob, b"k3y")  # XOR is symmetric — same call decodes
```
Payload handling is mostly encoding and templating. ps_encode produces the form PowerShell’s -EncodedCommand expects; xor shows symmetric obfuscation. These are mechanics — the tradecraft is choosing what evades a specific environment.
The activity log is not optional
```python
import json
import logging
from datetime import datetime, timezone

# Append-only JSONL oplog; one JSON object per line keeps it grep- and jq-friendly.
logging.basicConfig(filename="oplog.jsonl", level=logging.INFO, format="%(message)s")


def log_action(action, target, detail=""):
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action, "target": target, "detail": detail,
    }
    logging.info(json.dumps(entry))  # one JSON object per line (JSONL)


log_action("recon", "corp.local", "LDAP user enumeration")
log_action("credaccess", "dc01", "Kerberoast svc_sql")
```
Professional red teaming requires a timestamped record of every action — for deconfliction (proving which activity was yours versus a real attacker's), for the client report, and for cleanup. The snippet above logs each action as a JSON line with a UTC timestamp.
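As an added example (not part of the original lesson), here is the deconfliction side of that log: the JSONL is parsed back and reconciled against a list of SOC alerts, attributing each alert to a logged red-team action on the same target within a five-minute window and flagging the rest as unexplained. The oplog lines, the alert list and the five-minute window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample oplog, in the same JSONL shape that log_action writes.
OPLOG = """\
{"ts": "2024-03-05T09:14:02+00:00", "action": "recon", "target": "corp.local", "detail": "LDAP user enumeration"}
{"ts": "2024-03-05T09:41:30+00:00", "action": "credaccess", "target": "dc01", "detail": "Kerberoast svc_sql"}
"""

# Constructed SOC alerts: (timestamp, host or domain the alert names, rule name).
ALERTS = [
    ("2024-03-05T09:41:55+00:00", "dc01", "Kerberos TGS request with RC4 encryption"),
    ("2024-03-05T09:16:10+00:00", "corp.local", "LDAP enumeration burst"),
    ("2024-03-05T23:07:44+00:00", "fs02", "Suspicious LSASS memory access"),
]


def parse_oplog(text):
    """Parse JSONL oplog entries, converting each ts into an aware datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["ts"] = datetime.fromisoformat(entry["ts"])
        entries.append(entry)
    return entries


def deconflict(alerts, entries, window=timedelta(minutes=5)):
    """Attribute an alert to the red team when a logged action on the same target
    precedes it by at most `window`; everything else is a candidate real intrusion."""
    attributed, unexplained = [], []
    for ts, target, rule in alerts:
        alert_ts = datetime.fromisoformat(ts)
        match = next(
            (e for e in entries
             if e["target"] == target and timedelta(0) <= alert_ts - e["ts"] <= window),
            None,
        )
        if match:
            attributed.append((rule, match["action"], match["detail"]))
        else:
            unexplained.append((ts, target, rule))
    return attributed, unexplained


if __name__ == "__main__":
    attributed, unexplained = deconflict(ALERTS, parse_oplog(OPLOG))
    for rule, action, detail in attributed:
        print(f"RED TEAM  {rule!r} <- {action}: {detail}")
    for ts, target, rule in unexplained:
        print(f"ESCALATE  {ts} {target} {rule!r} (no matching oplog entry)")
```

The alert on fs02 has no logged action behind it and is the one the SOC should treat as a possible genuine intrusion rather than exercise noise.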
Checkpoint
Why is a timestamped activity log essential on a professional red-team engagement, beyond just record-keeping?
It enables deconfliction: when the defenders see suspicious activity and alerts fire, the timestamped log lets everyone determine whether it was the red team's authorised action or a genuine, separate intrusion. It also becomes the narrative for the client report and the basis for cleanup. Without it, the team can't prove what it did or distinguish its own activity from a real attacker's.
Try it yourself
Write a small log_action function that appends a JSON line with a UTC timestamp, an action name, a target, and a detail string to a file. Call it a few times to simulate logging recon and a credential-access step, then read the file back — that JSONL is the start of an engagement timeline.
Key takeaways
- Payload handling is encoding (base64, XOR) and per-target templating.
- Generate fresh, varied payloads so static signatures don’t catch reuse.
- Log every action as timestamped JSONL for deconfliction and reporting.
- Write secure tooling: no shell=True on dynamic input, protect loot.
Next, a tour of the Python security ecosystem — the libraries that do the heavy lifting and when to reach for each.