Security & Compliance. Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Red Team Tactics
> Adversary simulation principles based on the MITRE ATT&CK framework.
---
1. MITRE ATT&CK Phases
Attack Lifecycle
```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
                                                   ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
                                                   ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```
ATT&CK tactics are not a strict sequence: a real intrusion cycles through discovery, credential access and lateral movement several times, and the Enterprise matrix also lists Resource Development (infrastructure, accounts and tooling prepared before Initial Access), which the diagram above omits.
Phase Objectives
| Phase | Objective |
|-------|-----------|
| Recon | Map attack surface |
| Initial Access | Get first foothold |
| Execution | Run code on target |
| Persistence | Survive reboots, logoffs and credential resets |
| Privilege Escalation | Get admin/root |
| Defense Evasion | Avoid detection |
| Credential Access | Harvest credentials |
| Discovery | Map internal network |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| C2 | Maintain command channel |
| Exfiltration | Extract data |
| Impact | Disrupt, destroy or manipulate systems and data |
---
2. Reconnaissance Principles
Passive vs Active
| Type | Trade-off |
|------|-----------|
| Passive | No packets sent to target infrastructure (OSINT, DNS records, certificate transparency, breach data); low detection risk, but information may be stale or incomplete |
| Active | Direct contact (scanning, probing, banner grabbing); more complete, but every probe can be logged and alerted on |
Information Targets
| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |
---
3. Initial Access Vectors
Selection Criteria
| Vector | When to Use |
|--------|-------------|
| Phishing | Human target reachable by email; payload delivery or credential capture |
| Public exploits | Exposed services with known, exploitable vulnerabilities |
| Valid credentials | Leaked, reused or cracked credentials; VPN, mail or cloud portals without MFA |
| Supply chain | Trusted third party or software dependency that already has access |
---
4. Privilege Escalation Principles
Windows Targets
| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Drop a binary at a space-delimited prefix of the path whose directory is writable (e.g. `C:\Program.exe`) |
| Weak service permissions | Change the service binary path or configuration, then restart it |
| Token privileges | Abuse SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege, etc. |
| Stored credentials | Harvest from registry, config files, scripts and Credential Manager |
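The unquoted service path check above is mechanical enough to script. The following is an added example, not code from the original page: it reproduces the search order Windows applies to an unquoted ImagePath with spaces (each space-delimited prefix is tried as the executable in turn) and lists the hijack candidates. The service list is constructed for the example, and the assumption that the service binary ends in `.exe` is the example's own.

```python
from __future__ import annotations

import ntpath  # Windows path semantics, usable from any OS for offline analysis
import os


def hijack_candidates(image_path: str) -> list[str]:
    """Return the paths Windows would try before the real service binary.

    When a service's ImagePath is unquoted and contains spaces, CreateProcess
    tries each space-delimited prefix as the executable name, in order, until
    one exists. Each prefix before the real binary is a hijack candidate if its
    parent directory is writable by a low-privileged user.

    Assumption (this example): the service binary ends in ".exe"; the first
    ".exe" in the string marks where the binary path ends and arguments begin.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return []  # properly quoted path: nothing to hijack
    end = s.lower().find(".exe")
    if end == -1:
        return []
    exe_path = s[: end + 4]  # binary path only, trailing arguments dropped
    candidates = []
    idx = exe_path.find(" ")
    while idx != -1:
        candidates.append(exe_path[:idx] + ".exe")
        idx = exe_path.find(" ", idx + 1)
    return candidates


def writable_candidates(candidates: list[str]) -> list[str]:
    """Keep only candidates whose parent directory the current user can write to.

    Only meaningful when run on the target Windows host; elsewhere the
    directories do not exist and nothing is returned.
    """
    return [c for c in candidates if os.access(ntpath.dirname(c), os.W_OK)]


# Constructed service list (not from a real host), as `sc qc` or WMI would report it
SAMPLE_SERVICES = {
    "VendorUpdater": r"C:\Program Files\Vendor App\update service\updater.exe -svc",
    "GoodSvc": r'"C:\Program Files\Vendor App\goodsvc.exe" --run',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service whose ImagePath is hijackable to its candidate paths."""
    findings = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for svc, cands in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for c in cands:
            print("   ", c, "(writable)" if c in writable_candidates(cands) else "")
```

Run it on the host with the real service list (for example the output of `wmic service get name,pathname` fed into the dictionary) and only the candidates that `writable_candidates` returns are worth acting on; a candidate under `C:\Program Files` is usually not writable by a standard user, so the finding is typically in a vendor-created directory with loose ACLs.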
Linux Targets
| Check | Opportunity |
|-------|-------------|
| SUID binaries | Run as the file owner (often root); useful when the binary can read files, write files or spawn a shell |
| Sudo misconfiguration | Command execution as root via permitted binaries that can spawn a shell, or wildcards in allowed arguments |
| Kernel vulnerabilities | Kernel exploits for the running version; reliable ones are rare and a failed attempt can crash the host |
| Cron jobs | Scripts run by root that a low-privileged user can write to, or that run from a writable directory |
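For the sudo misconfiguration row, an added example (not from the original page) that parses `sudo -l` output and classifies each entry by how it can be abused. The sample output is constructed, and the `SHELL_ESCAPES` list is a short, curated assumption in the spirit of GTFOBins rather than an exhaustive one.

```python
import re

# Binaries that can spawn a shell or read/write arbitrary files when run under
# sudo. Assumption: a short, curated list for the example, not exhaustive.
SHELL_ESCAPES = {
    "sh", "bash", "dash", "zsh", "env", "su", "sudoedit",
    "vi", "vim", "nano", "less", "more", "man",
    "find", "awk", "gawk", "sed", "tar", "zip", "nmap",
    "python", "python3", "perl", "ruby", "php", "node",
}

# One sudo -l entry: "(runas[ : rungroup]) [TAG:]* command[, command...]"
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")

# Constructed `sudo -l` output for a web service account (not from a real host)
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass

User www-data may run the following commands on web01:
    (ALL : ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim, /usr/bin/less
    (root) NOPASSWD: /usr/sbin/service apache2 restart
    (backup) NOPASSWD: /usr/bin/tar -czf /var/backups/*.tgz /var/www
"""


def parse_sudo_l(output: str) -> list:
    """Parse the command entries of `sudo -l` output into dicts."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        tag_set = {t.rstrip(":") for t in tags.split()}
        for cmd in commands.split(","):  # assumption: no commas inside arguments
            entries.append({"runas": runas.strip(), "tags": tag_set, "command": cmd.strip()})
    return entries


def assess(entry: dict) -> str:
    """Classify one sudo entry by how it can be abused for privilege escalation."""
    cmd = entry["command"]
    if cmd == "ALL":
        return "full root: any command"
    program = cmd.split()[0].rsplit("/", 1)[-1]
    if "*" in cmd:
        # sudoers wildcards also match whitespace, so extra flags can be injected
        return "wildcard in arguments: argument injection"
    if program in SHELL_ESCAPES or program.startswith(("python", "perl", "ruby")):
        return f"shell escape via {program}"
    return "review manually"


def findings(output: str) -> list:
    """Return (command, runas, tags, verdict) tuples for every entry."""
    return [(e["command"], e["runas"], sorted(e["tags"]), assess(e)) for e in parse_sudo_l(output)]


if __name__ == "__main__":
    for command, runas, tags, verdict in findings(SAMPLE_SUDO_L):
        print(f"{verdict:45} {command}  [runas={runas} tags={tags}]")
```

`NOPASSWD` entries matter most, since they work from a shell obtained through a web exploit where the account's password is unknown. Entries with fixed arguments and no wildcard (the `service apache2 restart` line) still deserve a look, but cannot be classified from the `sudo -l` text alone.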
---
5. Defense Evasion Principles
Key Techniques
| Technique | Purpose |
|-----------|---------|
| LOLBins | Use signed, legitimate system tools so activity blends in with administration |
| Obfuscation | Hide malicious code from static signatures and casual review |
| Timestomping | Alter file timestamps so new files do not stand out in a timeline |
| Log clearing | Remove evidence; noisy in itself, since clearing the Windows Security log writes event 1102 |
Operational Security
---
6. Lateral Movement Principles
Credential Types
| Type | Use |
|------|-----|
| Password | Standard interactive or network authentication |
| Hash | Pass-the-hash (NTLM); no cracking needed |
| Ticket | Pass-the-ticket (Kerberos TGT or service ticket) |
| Certificate | Certificate authentication (PKINIT) with a certificate issued or stolen from AD CS |
Movement Paths
---
7. Active Directory Attacks
Attack Categories
| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords, cracked offline from service tickets requested for accounts with SPNs |
| AS-REP Roasting | Accounts with Kerberos pre-authentication disabled |
| DCSync | Domain credentials, pulled through directory replication by an account with replication rights |
| Golden Ticket | Persistent domain access via a forged TGT signed with the krbtgt hash |
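Kerberoasting leaves a distinctive trace on the domain controller: event 4769 (a Kerberos service ticket was requested) with encryption type 0x17 (RC4-HMAC), because most tools request RC4 tickets to make cracking cheaper, and a burst of such requests for many different service accounts from one user. As an added example, not code from the original page, the detection logic below runs over constructed sample events in a flattened key=value form (real events carry the same fields in EVTX/XML); the window and threshold values are the example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log lines (not real telemetry): one 4769 event per line,
# flattened to key=value fields. TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is
# AES256; ServiceName is the sAMAccountName of the account holding the SPN.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:02 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:02 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:03 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:04 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_fs TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:05 EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:01:00 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 FailureCode=0x0
2024-05-01T10:20:00 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T11:00:00 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_fs TicketEncryptionType=0x17 FailureCode=0x1f
""".splitlines()


def parse_event(line: str) -> dict:
    """Parse one flattened event line; the first token is the ISO timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = datetime.fromisoformat(ts)
    return fields


def is_roastable_request(ev: dict) -> bool:
    """A successful RC4 service-ticket request for a user service account.

    TGT requests (krbtgt) and machine accounts (name ends with $) are excluded:
    they are not Kerberoasting targets and produce constant background noise.
    """
    svc = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == "4769"
        and ev.get("FailureCode") == "0x0"
        and ev.get("TicketEncryptionType", "").lower() == "0x17"
        and svc.lower() != "krbtgt"
        and not svc.endswith("$")
    )


def kerberoast_alerts(lines, window=timedelta(minutes=5), min_services=3) -> dict:
    """Return {requesting account: sorted service accounts} for accounts that
    requested RC4 tickets for at least `min_services` distinct service
    accounts within any `window`-long interval."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            per_user[ev["AccountName"]].append((ev["timestamp"], ev["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t_start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t_start <= window}
            if len(in_window) >= min_services:
                alerts[user] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for user, services in kerberoast_alerts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

In a domain where RC4 is still in routine use the threshold keeps false positives down; in a domain that enforces AES for service accounts, a single 0x17 request for a user service account is itself worth an alert, and `min_services=1` makes the same function do that. If the engagement Kerberoasted without any such alert firing, that is the detection gap to record in the report.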
---
8. Reporting Principles
Attack Narrative
Document the full attack chain:
Detection Gaps
For each successful technique:
---
9. Ethical Boundaries
Always
Never
---
10. Anti-Patterns
| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
---
> Remember: Red team simulates attackers to improve defenses, not to cause harm.