---
name: red-team-tactics
description: Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
allowed-tools: Read, Glob, Grep
---
# Red Team Tactics

Adversary simulation principles based on the MITRE ATT&CK framework.
## 1. MITRE ATT&CK Phases

### Attack Lifecycle

```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓               ↓              ↓            ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓               ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```

The tactics rarely run in strict order: discovery, credential access and lateral movement repeat on every newly reached host until an objective is in reach.
### Phase Objectives

| Phase | Objective |
|---|---|
| Recon | Map the attack surface |
| Initial Access | Get the first foothold |
| Execution | Run code on the target |
| Persistence | Survive reboots, logoffs and credential changes |
| Privilege Escalation | Get admin/root (or SYSTEM) |
| Defense Evasion | Avoid detection and removal |
| Credential Access | Harvest credentials (passwords, hashes, tickets, keys) |
| Discovery | Map the internal network, hosts, accounts and trusts |
| Lateral Movement | Spread to other systems |
| Collection | Gather the target data |
| C2 | Maintain a command channel to compromised hosts |
| Exfiltration | Extract data |
| Impact | Disrupt, destroy or manipulate (only when explicitly scoped) |
## 2. Reconnaissance Principles

### Passive vs Active

| Type | Trade-off |
|---|---|
| Passive | No contact with the target (OSINT, public records, leaked data); low risk, but limited and possibly stale information |
| Active | Direct contact (scanning, probing); richer and current information, higher detection risk |

### Information Targets

| Category | Value |
|---|---|
| Technology stack | Attack vector and exploit selection |
| Employee info | Social engineering and credential targeting |
| Network ranges | Scanning scope (and a check that the ranges really are in scope) |
| Third parties | Supply chain and trusted-relationship entry |
## 3. Initial Access Vectors

### Selection Criteria

| Vector | When to Use |
|---|---|
| Phishing | Human target in scope, email delivery possible |
| Public exploits | Vulnerable services exposed to the internet |
| Valid credentials | Leaked, cracked or sprayed credentials |
| Supply chain | Third-party access or software in scope |
## 4. Privilege Escalation Principles

### Windows Targets

| Check | Opportunity |
|---|---|
| Unquoted service paths | Write a binary into a directory the path crosses |
| Weak service permissions | Modify the service binary path or replace its binary |
| Token privileges | Abuse SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege, etc. |
| Stored credentials | Harvest from registry, config files and credential stores |
### Linux Targets

| Check | Opportunity |
|---|---|
| SUID binaries | Run as the file owner (often root) |
| Sudo misconfiguration | Run permitted commands as root (`sudo -l`) |
| Kernel vulnerabilities | Kernel exploits (crash risk; confirm scope before use) |
| Cron jobs | Edit writable scripts that root executes |
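Two of the checks from the Windows and Linux tables above, as code. This is an added example, not part of the original page: it resolves the hijack candidates for an unquoted Windows service path (the executables the Service Control Manager would try before the real binary) and lists cron scripts in a directory that group or world can modify. The service path strings and the cron directory are constructed samples; the function names are assumptions for illustration.

```python
"""Two of the privilege-escalation checks above, as code.

Added example, not part of the original page. It covers:
  - Windows unquoted service paths: for an ImagePath with spaces and no
    quotes, list the executables the Service Control Manager would try
    before the real binary (each is a write target for the attacker).
  - Linux cron scripts: find scripts in a cron directory that users other
    than the owner can modify. Mode bits are checked rather than
    os.access() so the answer does not depend on who runs the check.
The service path strings and the cron directory are constructed samples.
"""
import os
import stat
import tempfile


def unquoted_path_targets(image_path: str) -> list:
    """Return hijack candidates for a service ImagePath.

    'C:\\Program Files\\My App\\svc.exe' is resolved by trying
    'C:\\Program.exe', then 'C:\\Program Files\\My.exe', then the real
    file. Quoted paths and paths without spaces yield an empty list.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []                          # quoted: no ambiguity
    end = image_path.lower().find(".exe")
    if end == -1:
        return []
    binary = image_path[:end + 4]          # strip service arguments
    targets, prefix = [], ""
    for token in binary.split(" ")[:-1]:   # every space splits a candidate
        prefix = token if not prefix else prefix + " " + token
        targets.append(prefix + ".exe")
    return targets


def writable_cron_scripts(cron_dir: str) -> list:
    """Return names of regular files under cron_dir writable by group or others."""
    weak = []
    for name in sorted(os.listdir(cron_dir)):
        st = os.stat(os.path.join(cron_dir, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            weak.append(name)
    return weak


def demo_cron_dir() -> str:
    """Build a constructed cron.d-style directory with one weak script."""
    d = tempfile.mkdtemp(prefix="cron_demo_")
    for name, mode in (("backup.sh", 0o755), ("cleanup.sh", 0o777)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)               # 0o777: anyone can edit what root runs
    return d


if __name__ == "__main__":
    for p in (r"C:\Program Files\My App\svc.exe",
              r"C:\Program Files\Vendor\agent.exe -k netsvcs",
              r'"C:\Program Files\My App\svc.exe"',
              r"C:\Windows\System32\svchost.exe"):
        print(p, "->", unquoted_path_targets(p) or "ok")
    print("weak cron scripts:", writable_cron_scripts(demo_cron_dir()))
```

On a real host the ImagePath values come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>` and the cron directory is `/etc/cron.d` or `/etc/cron.daily`; a candidate only matters if the attacker can actually write to the directory it lands in, so follow each listed path with an ACL check.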
## 5. Defense Evasion Principles

### Key Techniques

| Technique | Purpose |
|---|---|
| LOLBins | Use tools already on the host so activity looks like administration |
| Obfuscation | Hide malicious code from signatures and analysts |
| Timestomping | Hide file modifications by altering timestamps |
| Log clearing | Remove evidence (clearing a log is itself a high-signal event on a monitored host) |

### Operational Security

- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior
## 6. Lateral Movement Principles

### Credential Types

| Type | Use |
|---|---|
| Password | Standard authentication |
| Hash | Pass-the-hash (NTLM) |
| Ticket | Pass-the-ticket (Kerberos) |
| Certificate | Certificate-based authentication (PKINIT) |

### Movement Paths

- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services
## 7. Active Directory Attacks

### Attack Categories

| Attack | Target |
|---|---|
| Kerberoasting | Service account passwords (cracked offline from service tickets) |
| AS-REP Roasting | Accounts with Kerberos pre-authentication disabled |
| DCSync | Domain credentials, via replication rights |
| Golden Ticket | Persistent domain access via a forged TGT (requires the krbtgt hash) |
## 8. Reporting Principles

### Attack Narrative

Document the full attack chain:

- How initial access was gained
- What techniques were used (with ATT&CK technique IDs)
- What objectives were achieved
- Where detection failed

### Detection Gaps

For each successful technique:

- What should have detected it?
- Why didn't detection work?
- How to improve detection
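A worked detection-gap check for Kerberoasting (Section 7), added here as an example rather than taken from the page. Each service ticket request lands as Windows Security Event ID 4769, and roasting tools usually ask for RC4 (TicketEncryptionType 0x17) because RC4-keyed tickets crack far faster than AES (0x12) ones. The check groups 4769s per requesting account in a sliding window and flags bursts of distinct services; the events are constructed, and the window and threshold are assumed starting points to tune against the environment's baseline.

```python
"""Kerberoasting detection run over constructed Windows Security events.

Added example, not part of the original page. Kerberoasting requests
service tickets for many SPN-bearing accounts, so each request lands as
Event ID 4769; tools usually ask for RC4 (TicketEncryptionType 0x17)
because RC4-keyed tickets crack faster than AES ones. The check below
groups 4769s per requesting account inside a sliding window and flags
bursts of distinct services. Window and threshold are assumed starting
points to tune against the environment's baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=5):
    """Return (account, distinct_services, rc4_requests) for each account
    that requested tickets for >= min_services distinct services within
    `window`. krbtgt and computer accounts are skipped as baseline noise."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_account[ev["TargetUserName"]].append(ev)

    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["Time"])
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1
            chunk = evs[start:end + 1]
            services = {e["ServiceName"] for e in chunk}
            if len(services) >= min_services:
                rc4 = sum(1 for e in chunk if e["TicketEncryptionType"] == RC4_HMAC)
                if best is None or len(services) > best[1]:
                    best = (account, len(services), rc4)
        if best:
            findings.append(best)
    return findings


def sample_events():
    """Constructed 4769 events: one roasting burst plus normal background."""
    t0 = datetime(2024, 3, 1, 14, 0, 0)
    events = []
    # jdoe asks for six different services with RC4 inside 30 seconds
    roasted = ["MSSQLSvc/db01", "HTTP/intranet", "MSSQLSvc/db02",
               "CIFS/fs01", "HTTP/portal", "ldap/app01"]
    for i, svc in enumerate(roasted):
        events.append({"EventID": 4769, "Time": t0 + timedelta(seconds=5 * i),
                       "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": svc,
                       "TicketEncryptionType": RC4_HMAC})
    # asmith opens a file share and a web app over an hour, AES tickets
    for i, svc in enumerate(["CIFS/fs01", "HTTP/intranet"]):
        events.append({"EventID": 4769, "Time": t0 + timedelta(minutes=30 * i),
                       "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": svc,
                       "TicketEncryptionType": "0x12"})
    # a workstation renewing its TGT: service krbtgt, skipped by the filter
    events.append({"EventID": 4769, "Time": t0, "TargetUserName": "WS01$@CORP.LOCAL",
                   "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"})
    # a logon event: wrong ID, ignored
    events.append({"EventID": 4624, "Time": t0, "TargetUserName": "jdoe@CORP.LOCAL",
                   "ServiceName": "", "TicketEncryptionType": ""})
    return events


if __name__ == "__main__":
    for account, n, rc4 in detect_kerberoasting(sample_events()):
        print(f"{account}: {n} distinct services in window, {rc4} RC4 requests")
```

If this logic would have fired on the engagement's ticket requests, the gap is in collection or alerting, not in the idea; if it would not (for example the operator requested AES tickets slowly over days), the improvement is a lower-and-slower rule or honey service accounts whose tickets should never be requested.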
## 9. Ethical Boundaries

### Always

- Stay within scope
- Minimize impact
- Report immediately if a real threat is found
- Document all actions

### Never

- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data
## 10. Anti-Patterns

| ❌ Don't | ✅ Do |
|---|---|
| Rush to exploitation | Follow the methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |

Remember: Red team simulates attackers to improve defenses, not to cause harm.