---

name: red-team-tactics description: "Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting." risk: unknown source: community date_added: "2026-02-27"

Red Team Tactics

Adversary simulation principles based on MITRE ATT&CK framework.

---

1. MITRE ATT&CK Phases

Attack Lifecycle

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

Phase	Objective
Recon	Map attack surface
Initial Access	Get first foothold
Execution	Run code on target
Persistence	Survive reboots
Privilege Escalation	Get admin/root
Defense Evasion	Avoid detection
Credential Access	Harvest credentials
Discovery	Map internal network
Lateral Movement	Spread to other systems
Collection	Gather target data
C2	Maintain command channel
Exfiltration	Extract data

---

2. Reconnaissance Principles

Passive vs Active

Type	Trade-off
Passive	No target contact, limited info
Active	Direct contact, more detection risk

Information Targets

Category	Value
Technology stack	Attack vector selection
Employee info	Social engineering
Network ranges	Scanning scope
Third parties	Supply chain attack

---

3. Initial Access Vectors

Selection Criteria

Vector	When to Use
Phishing	Human target, email access
Public exploits	Vulnerable services exposed
Valid credentials	Leaked or cracked
Supply chain	Third-party access

---

4. Privilege Escalation Principles

Windows Targets

Check	Opportunity
Unquoted service paths	Write to path
Weak service permissions	Modify service
Token privileges	Abuse SeDebug, etc.
Stored credentials	Harvest

Linux Targets

Check	Opportunity
SUID binaries	Execute as owner
Sudo misconfiguration	Command execution
Kernel vulnerabilities	Kernel exploits
Cron jobs	Writable scripts

---

5. Defense Evasion Principles

Key Techniques

Technique	Purpose
LOLBins	Use legitimate tools
Obfuscation	Hide malicious code
Timestomping	Hide file modifications
Log clearing	Remove evidence

Operational Security

• Work during business hours
• Mimic legitimate traffic patterns
• Use encrypted channels
• Blend with normal behavior

---

6. Lateral Movement Principles

Credential Types

Type	Use
Password	Standard auth
Hash	Pass-the-hash
Ticket	Pass-the-ticket
Certificate	Certificate auth

Movement Paths

• Admin shares
• Remote services (RDP, SSH, WinRM)
• Exploitation of internal services

---

7. Active Directory Attacks

Attack Categories

Attack	Target
Kerberoasting	Service account passwords
AS-REP Roasting	Accounts without pre-auth
DCSync	Domain credentials
Golden Ticket	Persistent domain access

---

8. Reporting Principles

Attack Narrative

Document the full attack chain:

1. How initial access was gained
2. What techniques were used
3. What objectives were achieved
4. Where detection failed

Detection Gaps

For each successful technique:

• What should have detected it?
• Why didn't detection work?
• How to improve detection

---

9. Ethical Boundaries

Always

• Stay within scope
• Minimize impact
• Report immediately if real threat found
• Document all actions

Never

• Destroy production data
• Cause denial of service (unless scoped)
• Access beyond proof of concept
• Retain sensitive data

---

10. Anti-Patterns

❌ Don't	✅ Do
Rush to exploitation	Follow methodology
Cause damage	Minimize impact
Skip reporting	Document everything
Ignore scope	Stay within boundaries

---

Remember: Red team simulates attackers to improve defenses, not to cause harm.

When to Use

This skill is applicable to execute the workflow or actions described in the overview.