What is red-team-tactics?

Principles for adversary simulation using the MITRE ATT&CK framework to assess defenses, detection, and response.

Which MITRE ATT&CK phases are covered?

From Reconnaissance and Initial Access through Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, to Impact.

How should findings be reported?

Document the attack chain, techniques used, where detection failed, and actionable improvements to detection and response.

red-team-tactics

Scanned

npx machina-cli add skill vudovn/antigravity-kit/red-team-tactics --openclaw

Files (1)

SKILL.md

4.3 KB

Red Team Tactics

Adversary simulation principles based on MITRE ATT&CK framework.

1. MITRE ATT&CK Phases

Attack Lifecycle

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

Phase	Objective
Recon	Map attack surface
Initial Access	Get first foothold
Execution	Run code on target
Persistence	Survive reboots
Privilege Escalation	Get admin/root
Defense Evasion	Avoid detection
Credential Access	Harvest credentials
Discovery	Map internal network
Lateral Movement	Spread to other systems
Collection	Gather target data
C2	Maintain command channel
Exfiltration	Extract data

2. Reconnaissance Principles

Passive vs Active

Type	Trade-off
Passive	No target contact, limited info
Active	Direct contact, more detection risk

Information Targets

Category	Value
Technology stack	Attack vector selection
Employee info	Social engineering
Network ranges	Scanning scope
Third parties	Supply chain attack

3. Initial Access Vectors

Selection Criteria

Vector	When to Use
Phishing	Human target, email access
Public exploits	Vulnerable services exposed
Valid credentials	Leaked or cracked
Supply chain	Third-party access

4. Privilege Escalation Principles

Windows Targets

Check	Opportunity
Unquoted service paths	Write to path
Weak service permissions	Modify service
Token privileges	Abuse SeDebug, etc.
Stored credentials	Harvest

Linux Targets

Check	Opportunity
SUID binaries	Execute as owner
Sudo misconfiguration	Command execution
Kernel vulnerabilities	Kernel exploits
Cron jobs	Writable scripts

5. Defense Evasion Principles

Key Techniques

Technique	Purpose
LOLBins	Use legitimate tools
Obfuscation	Hide malicious code
Timestomping	Hide file modifications
Log clearing	Remove evidence

Operational Security

Work during business hours
Mimic legitimate traffic patterns
Use encrypted channels
Blend with normal behavior

6. Lateral Movement Principles

Credential Types

Type	Use
Password	Standard auth
Hash	Pass-the-hash
Ticket	Pass-the-ticket
Certificate	Certificate auth

Movement Paths

Admin shares
Remote services (RDP, SSH, WinRM)
Exploitation of internal services

7. Active Directory Attacks

Attack Categories

Attack	Target
Kerberoasting	Service account passwords
AS-REP Roasting	Accounts without pre-auth
DCSync	Domain credentials
Golden Ticket	Persistent domain access

8. Reporting Principles

Attack Narrative

Document the full attack chain:

How initial access was gained
What techniques were used
What objectives were achieved
Where detection failed

Detection Gaps

For each successful technique:

What should have detected it?
Why didn't detection work?
How to improve detection

9. Ethical Boundaries

Always

Stay within scope
Minimize impact
Report immediately if real threat found
Document all actions

Never

Destroy production data
Cause denial of service (unless scoped)
Access beyond proof of concept
Retain sensitive data

10. Anti-Patterns

❌ Don't	✅ Do
Rush to exploitation	Follow methodology
Cause damage	Minimize impact
Skip reporting	Document everything
Ignore scope	Stay within boundaries

Remember: Red team simulates attackers to improve defenses, not to cause harm.

Source

git clone https://github.com/vudovn/antigravity-kit/blob/main/.agent/skills/red-team-tactics/SKILL.mdView on GitHub

Overview

Red team tactics principles rooted in the MITRE ATT&CK framework guide adversary simulations across the full attack lifecycle, including detection evasion and reporting. It helps security teams map attacker objectives, test defenses, and produce actionable improvement plans.

How This Skill Works

The skill maps MITRE ATT&CK phases to practical tests: plan reconnaissance, choose initial access vectors (phishing, public exploits, or valid credentials), and execute through execution, persistence, privilege escalation, defense evasion, and lateral movement. It emphasizes documenting each technique, expected detections, and gaps in reporting to drive improvements in detection and response.

When to Use It

Plan a controlled red-team exercise to test defenses end-to-end against the full ATT&CK lifecycle.
Evaluate detection coverage for MITRE ATT&CK techniques and identify coverage gaps.
Map an organization’s attack surface using Reconnaissance and Initial Access vectors (phishing, exposed services, or credential reuse).
Demonstrate privilege escalation, lateral movement, and credential access in a safe test environment.
Produce an attack narrative and detection-gap analysis to inform remediation and SOC playbooks.

Quick Start

Step 1: Define scope, objectives, and safe testing environment with stakeholders.
Step 2: Map planned activities to MITRE ATT&CK phases and select initial access vectors.
Step 3: Execute ethically, document techniques and detections, then prepare a remediation-focused report.

Best Practices

Define scope, rules of engagement, data handling, and blast radius before starting.
Align activities with MITRE ATT&CK phases to ensure comprehensive coverage of techniques.
Prioritize high-impact techniques while minimizing production impact and user disruption.
Thoroughly document each technique, detections observed (or not), and remediation recommendations.
Bridge into reporting with a clear narrative and actionable next steps for defenders.

Example Use Cases

Phishing-based initial access test to evaluate user awareness and email security controls.
Assessment of public-facing services to identify exposed attack surfaces and misconfigurations.
Credential extraction scenarios (valid credentials or pass-the-hash) to test internal access controls.
Active Directory attacks such as Kerberoasting, AS-REP Roasting, or Golden Ticket simulations.
Lateral movement using admin shares and remote services to assess network segmentation and monitoring.

Frequently Asked Questions

Add this skill to your agents