Overview
The red-team-tactics skill provides adversary simulation principles based on the MITRE ATT&CK framework. It covers the complete attack lifecycle, from reconnaissance through exfiltration, helping defenders understand attacker methodologies.
What This Skill Provides
- MITRE ATT&CK Phases: Complete attack lifecycle understanding
- Reconnaissance Principles: Passive and active information gathering
- Initial Access Vectors: Entry point selection and exploitation
- Privilege Escalation: Windows and Linux elevation techniques
- Defense Evasion: Avoiding detection and maintaining stealth
- Lateral Movement: Spreading across internal networks
- Active Directory Attacks: Kerberoasting, DCSync, Golden Tickets
- Reporting Principles: Documenting attack chains and detection gaps
- Ethical Boundaries: Responsible adversary simulation
MITRE ATT&CK Phases
Attack Lifecycle
Phase Objectives
| Phase | Objective |
|---|---|
| Recon | Map attack surface |
| Initial Access | Get first foothold |
| Execution | Run code on target |
| Persistence | Survive reboots |
| Privilege Escalation | Get admin/root |
| Defense Evasion | Avoid detection |
| Credential Access | Harvest credentials |
| Discovery | Map internal network |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| C2 | Maintain command channel |
| Exfiltration | Extract data |
Use Cases
When to Use This Skill
- Red team engagements
- Adversary simulation exercises
- Security control validation
- Detection engineering
- Security awareness training
- Incident response preparation
Example Scenarios
- Red Team Exercise: “Simulate an attack on this infrastructure”
- Detection Validation: “Test if our SIEM detects lateral movement”
- Security Assessment: “Identify detection gaps in our defenses”
- Training: “Demonstrate how attackers move through networks”
Reconnaissance Principles
Passive vs Active
| Type | Trade-off |
|---|---|
| Passive | No target contact, limited info |
| Active | Direct contact, more detection risk |
Information Targets
| Category | Value |
|---|---|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |
Initial Access Vectors
Selection Criteria
| Vector | When to Use |
|---|---|
| Phishing | Human target, email access |
| Public exploits | Vulnerable services exposed |
| Valid credentials | Leaked or cracked |
| Supply chain | Third-party access |
Privilege Escalation Principles
Windows Targets
| Check | Opportunity |
|---|---|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |
Linux Targets
| Check | Opportunity |
|---|---|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |
Defense Evasion Principles
Key Techniques
| Technique | Purpose |
|---|---|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |
Operational Security
- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior
Lateral Movement Principles
Credential Types
| Type | Use |
|---|---|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |
Movement Paths
- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services
Active Directory Attacks
Attack Categories
| Attack | Target |
|---|---|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |
Reporting Principles
Attack Narrative
Document the full attack chain:
- How initial access was gained
- What techniques were used
- What objectives were achieved
- Where detection failed
Detection Gaps
For each successful technique:
- What should have detected it?
- Why didn’t detection work?
- How to improve detection
Ethical Boundaries
Always
- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions
Never
- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data
Attack Chain Example
Phase 1: Reconnaissance
Phase 2: Initial Access
Phase 3: Privilege Escalation
Phase 4: Lateral Movement
MITRE ATT&CK Mapping
Every technique used should be mapped to:
- Tactic: Why (e.g., Privilege Escalation)
- Technique: What (e.g., T1574.009 - Unquoted Service Path)
- Procedure: How (specific implementation)
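A defender-side illustration of this mapping for the T1574.009 example above, added here and not part of the original skill: it audits service ImagePath strings for the unquoted-path condition and emits one tactic/technique/procedure record per finding, with the quoted path as the fix. The service names, paths and record fields are constructed for the example.

```python
import re

# Mapping fields as the page names them: tactic (why), technique (what).
MAPPING = {"tactic": "Privilege Escalation",
           "technique": "T1574.009 - Unquoted Service Path"}

# Executable path = shortest prefix ending in ".exe"; the rest is arguments.
_EXE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return a quoted replacement if the path is unquoted and contains a
    space in the executable portion, otherwise None."""
    raw = image_path.strip()
    if raw.startswith('"'):
        return None                      # already quoted
    match = _EXE.match(raw)
    if not match:
        return None                      # e.g. kernel driver (.sys) paths
    exe, args = match.group(1), match.group(2) or ""
    if " " not in exe:
        return None                      # no space, nothing ambiguous
    return f'"{exe}"{args}'


def audit_services(services):
    """Build one finding per affected service, mapped as the page describes."""
    findings = []
    for name, image_path in sorted(services.items()):
        fix = audit_image_path(image_path)
        if fix:
            findings.append({**MAPPING,
                             "procedure": f"service {name}: ImagePath {image_path!r} is unquoted",
                             "remediation": f"set ImagePath to {fix}",
                             "service": name, "fixed_path": fix})
    return findings


# Constructed sample inventory (service name -> ImagePath), not real hosts.
SAMPLE_SERVICES = {
    "AcmeAgent": r"C:\Program Files\Acme Agent\agent.exe -k run",
    "VendorSvc": r'"C:\Program Files\Vendor\svc.exe" --service',
    "Netsvcs": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDrv": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding)
```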
Detection Engineering
For Each Technique
Document:
- Observable artifacts: What can be detected?
- Detection logic: How to detect it?
- False positive rate: How noisy is detection?
- Evasion potential: Can it be bypassed?
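Detection logic for one technique from the Active Directory table (Kerberoasting), as an added example that is not part of the original skill: it flags an account that requests RC4 (0x17) service tickets for several distinct services within a short window, using Windows Security Event 4769 field names. The log lines are constructed, and the threshold and window are illustrative values that trade detection against false positives.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security Event 4769 records flattened to
# "timestamp key=value ..." lines. Accounts and services are made up.
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=alice ServiceName=svc_web TicketEncryptionType=0x12
2024-05-01T09:01:10 EventID=4769 TargetUserName=bob ServiceName=svc_sql TicketEncryptionType=0x17
2024-05-01T09:01:12 EventID=4769 TargetUserName=bob ServiceName=svc_web TicketEncryptionType=0x17
2024-05-01T09:01:15 EventID=4769 TargetUserName=bob ServiceName=svc_backup TicketEncryptionType=0x17
2024-05-01T09:01:19 EventID=4769 TargetUserName=bob ServiceName=svc_report TicketEncryptionType=0x17
2024-05-01T09:30:00 EventID=4769 TargetUserName=carol ServiceName=svc_legacy TicketEncryptionType=0x17
2024-05-01T09:31:00 EventID=4769 TargetUserName=dave ServiceName=WS01$ TicketEncryptionType=0x17
2024-05-01T09:32:00 EventID=4624 TargetUserName=erin LogonType=3
"""


def parse(line):
    """Split one flattened line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def detect(log, threshold=3, window=timedelta(minutes=5)):
    """Return {account: [services]} for accounts that requested RC4 tickets
    for at least `threshold` distinct services inside one `window`."""
    hits = defaultdict(list)             # account -> [(timestamp, service)]
    for line in log.strip().splitlines():
        rec = parse(line)
        if rec.get("EventID") != "4769":
            continue                     # not a service ticket request
        if rec["TicketEncryptionType"].lower() != "0x17":
            continue                     # AES tickets are the expected norm
        service = rec["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue                     # machine accounts and krbtgt are noise
        hits[rec["TargetUserName"]].append((rec["ts"], service))
    alerts = {}
    for account, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            services = {s for t, s in events[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[account] = sorted(services)
                break
    return alerts
```

With the default threshold only the burst from `bob` alerts; the single legacy RC4 request from `carol` stays below it, which is the false-positive trade-off the list above asks to be documented.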
Anti-Patterns to Avoid
| ❌ Don’t | ✅ Do |
|---|---|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
Related Skills
- vulnerability-scanner: Finding exploitable vulnerabilities
- api-patterns: API security testing
- clean-code: Secure coding practices
Which Agents Use This Skill
- security-auditor: Uses for attack simulation
- penetration-tester: Primary user for red team operations
Operational Considerations
Scope Definition
Before starting:
- Target systems clearly defined
- Out-of-scope systems identified
- Acceptable attack vectors agreed
- Impact limitations set
- Communication plan established
During Engagement
- Maintain detailed logs of all actions
- Report critical findings immediately
- Stop if unexpected damage occurs
- Coordinate with blue team if needed
Post-Engagement
- Clean up artifacts
- Remove persistence mechanisms
- Deliver comprehensive report
- Conduct debrief with defenders
Tools Available
- Read, Glob, Grep: For reconnaissance and analysis
Remember: Red team simulates attackers to improve defenses, not to cause harm. Always operate ethically and within defined scope.
