Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Add this skill:

npx mdskills install sickn33/red-team-tactics

Well-structured reference guide with clear MITRE ATT&CK phases and ethical boundaries.
---
name: red-team-tactics
description: Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
allowed-tools: Read, Glob, Grep
---

# Red Team Tactics

> Adversary simulation principles based on MITRE ATT&CK framework.

---

## 1. MITRE ATT&CK Phases

### Attack Lifecycle

```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓               ↓              ↓            ↓
 PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓               ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```

### Phase Objectives

| Phase | Objective |
|-------|-----------|
| **Recon** | Map attack surface |
| **Initial Access** | Get first foothold |
| **Execution** | Run code on target |
| **Persistence** | Survive reboots |
| **Privilege Escalation** | Get admin/root |
| **Defense Evasion** | Avoid detection |
| **Credential Access** | Harvest credentials |
| **Discovery** | Map internal network |
| **Lateral Movement** | Spread to other systems |
| **Collection** | Gather target data |
| **C2** | Maintain command channel |
| **Exfiltration** | Extract data |

---

## 2. Reconnaissance Principles

### Passive vs Active

| Type | Trade-off |
|------|-----------|
| **Passive** | No target contact, limited info |
| **Active** | Direct contact, more detection risk |

### Information Targets

| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |

---

## 3. Initial Access Vectors

### Selection Criteria

| Vector | When to Use |
|--------|-------------|
| **Phishing** | Human target, email access |
| **Public exploits** | Vulnerable services exposed |
| **Valid credentials** | Leaked or cracked |
| **Supply chain** | Third-party access |

---

## 4. Privilege Escalation Principles

### Windows Targets

| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |

### Linux Targets

| Check | Opportunity |
|-------|-------------|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |

---

## 5. Defense Evasion Principles

### Key Techniques

| Technique | Purpose |
|-----------|---------|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |

### Operational Security

- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior

---

## 6. Lateral Movement Principles

### Credential Types

| Type | Use |
|------|-----|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |

### Movement Paths

- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services

---

## 7. Active Directory Attacks

### Attack Categories

| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |

---

## 8. Reporting Principles

### Attack Narrative

Document the full attack chain:

1. How initial access was gained
2. What techniques were used
3. What objectives were achieved
4. Where detection failed

### Detection Gaps

For each successful technique:

- What should have detected it?
- Why didn't detection work?
- How to improve detection

---

## 9. Ethical Boundaries

### Always

- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions

### Never

- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data

---

## 10. Anti-Patterns

| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |

---

> **Remember:** Red team simulates attackers to improve defenses, not to cause harm.
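The reporting section of this skill asks, for each technique in the attack chain, what should have detected it and why detection did not work, and the defense evasion (log clearing) and Active Directory (Kerberoasting, AS-REP Roasting, DCSync) sections name the techniques a blue team most commonly writes rules for. The Python script below is an added example and is not part of this skill or of the sickn33 project: it runs a few ATT&CK-mapped detection rules over constructed Windows Security event records and produces the detection-gap table for a constructed attack chain. The event dictionaries, their field names, the sample values and the chain steps are assumptions made for illustration; the event IDs (4768, 4769, 4662, 1102), the replication control-access GUID and the technique IDs are the standard ones.

```python
"""Detection-gap reporter: run ATT&CK-mapped detection rules over Windows Security
events and check which steps of a red team attack chain were caught.
Added example; every event and chain step below is constructed, not real data."""
from collections import Counter

# Constructed sample events modelled loosely on Windows Security log fields (assumed shape).
SAMPLE_EVENTS = [
    # TGS request for a user/service account with RC4 (0x17): Kerberoasting indicator
    {"EventID": 4769, "TargetUserName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    # TGS request for a machine account with AES (0x12): benign
    {"EventID": 4769, "TargetUserName": "WKS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.26"},
    # TGT request with PreAuthType 0 (pre-authentication disabled): AS-REP Roasting indicator
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    # Normal TGT request with pre-authentication
    {"EventID": 4768, "TargetUserName": "asmith", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.30"},
    # The Security audit log was cleared
    {"EventID": 1102, "SubjectUserName": "admin", "IpAddress": "10.0.0.25"},
]

# DS-Replication-Get-Changes-All control-access right, the object property seen in 4662 during DCSync.
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


def is_kerberoast(ev):
    """4769 with RC4 ticket encryption requested for a non-machine account."""
    return (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == "0x17"
            and not ev.get("TargetUserName", "").endswith("$"))


def is_asrep_roast(ev):
    """4768 where pre-authentication was not used (PreAuthType 0)."""
    return ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"


def is_dcsync(ev):
    """4662 exercising the replication right from a non-DC (non-machine) account."""
    return (ev["EventID"] == 4662 and REPL_GET_CHANGES_ALL in ev.get("Properties", "")
            and not ev.get("SubjectUserName", "").endswith("$"))


def is_log_clear(ev):
    """1102: the Security audit log was cleared."""
    return ev["EventID"] == 1102


# Rules keyed by ATT&CK technique ID: (description, predicate over one event)
RULES = {
    "T1558.003": ("Kerberoasting: RC4 TGS request for a user account", is_kerberoast),
    "T1558.004": ("AS-REP Roasting: TGT request without pre-authentication", is_asrep_roast),
    "T1003.006": ("DCSync: replication right used by a non-DC account", is_dcsync),
    "T1070.001": ("Clear Windows Event Logs: Security log cleared", is_log_clear),
}

# Constructed attack chain: the narrative the report documents (phase, technique, action)
ATTACK_CHAIN = [
    ("Initial Access", "T1566.001", "Phishing attachment opened by finance user"),
    ("Credential Access", "T1558.003", "Kerberoasted svc_sql from 10.0.0.25"),
    ("Credential Access", "T1558.004", "AS-REP roasted jdoe (pre-auth disabled)"),
    ("Credential Access", "T1003.006", "DCSync against DC01 with harvested domain admin"),
    ("Defense Evasion", "T1070.001", "Cleared Security log on 10.0.0.25"),
]


def run_detections(events, rules=RULES):
    """Return {technique_id: [events that triggered its rule]}."""
    hits = {}
    for ev in events:
        for tid, (_, predicate) in rules.items():
            if predicate(ev):
                hits.setdefault(tid, []).append(ev)
    return hits


def detection_gap_report(chain, events, rules=RULES):
    """One row per chain step: DETECTED, MISSED (rule exists, no alert) or NO RULE."""
    hits = run_detections(events, rules)
    rows = []
    for phase, tid, action in chain:
        if tid in hits:
            status, note = "DETECTED", f"{len(hits[tid])} alert(s): {rules[tid][0]}"
        elif tid in rules:
            status, note = "MISSED", "rule exists but did not fire: check log collection and tuning"
        else:
            status, note = "NO RULE", "no detection logic for this technique: build coverage first"
        rows.append({"phase": phase, "technique": tid, "action": action, "status": status, "note": note})
    return rows


def summarize(rows):
    """Count chain steps by detection status, e.g. {'DETECTED': 3, 'MISSED': 1, 'NO RULE': 1}."""
    return dict(Counter(r["status"] for r in rows))


if __name__ == "__main__":
    report = detection_gap_report(ATTACK_CHAIN, SAMPLE_EVENTS)
    for r in report:
        print(f"[{r['status']:8}] {r['phase']:<18} {r['technique']:<10} {r['action']} -- {r['note']}")
    print(summarize(report))
```

The three statuses map directly onto the skill's "Detection Gaps" questions: DETECTED answers "what detected it", MISSED points at a collection or tuning problem for a rule that should have fired (here the DCSync step, because no 4662 event reached the sample log), and NO RULE is a technique with no coverage at all (the phishing step). In a real engagement the event list would come from the SIEM export for the exercise window rather than an inline list.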
Full transparency — inspect the skill content before installing.