Red Team Tactics

Adversary simulation principles based on MITRE ATT&CK framework.

1. MITRE ATT&CK Phases

Attack Lifecycle

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

Phase	Objective
Recon	Map attack surface
Initial Access	Get first foothold
Execution	Run code on target
Persistence	Survive reboots
Privilege Escalation	Get admin/root
Defense Evasion	Avoid detection
Credential Access	Harvest credentials
Discovery	Map internal network
Lateral Movement	Spread to other systems
Collection	Gather target data
C2	Maintain command channel
Exfiltration	Extract data

2. Reconnaissance Principles

Passive vs Active

Type	Trade-off
Passive	No target contact, limited info
Active	Direct contact, more detection risk

Information Targets

Category	Value
Technology stack	Attack vector selection
Employee info	Social engineering
Network ranges	Scanning scope
Third parties	Supply chain attack

3. Initial Access Vectors

Selection Criteria

Vector	When to Use
Phishing	Human target, email access
Public exploits	Vulnerable services exposed
Valid credentials	Leaked or cracked
Supply chain	Third-party access

4. Privilege Escalation Principles

Windows Targets

Check	Opportunity
Unquoted service paths	Write to path
Weak service permissions	Modify service
Token privileges	Abuse SeDebug, etc.
Stored credentials	Harvest

Linux Targets

Check	Opportunity
SUID binaries	Execute as owner
Sudo misconfiguration	Command execution
Kernel vulnerabilities	Kernel exploits
Cron jobs	Writable scripts

5. Defense Evasion Principles

Key Techniques

Technique	Purpose
LOLBins	Use legitimate tools
Obfuscation	Hide malicious code
Timestomping	Hide file modifications
Log clearing	Remove evidence

Operational Security

Work during business hours
Mimic legitimate traffic patterns
Use encrypted channels
Blend with normal behavior

6. Lateral Movement Principles

Credential Types

Type	Use
Password	Standard auth
Hash	Pass-the-hash
Ticket	Pass-the-ticket
Certificate	Certificate auth

Movement Paths

Admin shares
Remote services (RDP, SSH, WinRM)
Exploitation of internal services

7. Active Directory Attacks

Attack Categories

Attack	Target
Kerberoasting	Service account passwords
AS-REP Roasting	Accounts without pre-auth
DCSync	Domain credentials
Golden Ticket	Persistent domain access

8. Reporting Principles

Attack Narrative

Document the full attack chain:

How initial access was gained
What techniques were used
What objectives were achieved
Where detection failed

Detection Gaps

For each successful technique:

What should have detected it?
Why didn't detection work?
How to improve detection

9. Ethical Boundaries

Always

Stay within scope
Minimize impact
Report immediately if real threat found
Document all actions

Never

Destroy production data
Cause denial of service (unless scoped)
Access beyond proof of concept
Retain sensitive data

10. Anti-Patterns

❌ Don't	✅ Do
Rush to exploitation	Follow methodology
Cause damage	Minimize impact
Skip reporting	Document everything
Ignore scope	Stay within boundaries

Remember: Red team simulates attackers to improve defenses, not to cause harm.

When to Use

This skill is applicable to execute the workflow or actions described in the overview.

red-team-tactics

Red Team Tactics

1. MITRE ATT&CK Phases

Attack Lifecycle

Phase Objectives

2. Reconnaissance Principles

Passive vs Active

Information Targets

3. Initial Access Vectors

Selection Criteria

4. Privilege Escalation Principles

Windows Targets

Linux Targets

5. Defense Evasion Principles

Key Techniques

Operational Security

6. Lateral Movement Principles

Credential Types

Movement Paths

7. Active Directory Attacks

Attack Categories

8. Reporting Principles

Attack Narrative

Detection Gaps

9. Ethical Boundaries

Always

Never

10. Anti-Patterns

When to Use