admin-baked/red-team-tactics
.agent/skills/skills/red-team-tactics/SKILL.md
Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
$ install --global
skillsauthnpx skillsauth add admin-baked/bakedbot-for-brands red-team-tacticsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 7:35 PM59.9s1 file scanned
SKILL.md
- name:
- red-team-tactics
- description:
- Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
- allowed-tools:
- Read, Glob, Grep
Red Team Tactics
Adversary simulation principles based on MITRE ATT&CK framework.
1. MITRE ATT&CK Phases
Attack Lifecycle
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
↓ ↓ ↓ ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
↓ ↓ ↓ ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
Phase Objectives
| Phase | Objective | |-------|-----------| | Recon | Map attack surface | | Initial Access | Get first foothold | | Execution | Run code on target | | Persistence | Survive reboots | | Privilege Escalation | Get admin/root | | Defense Evasion | Avoid detection | | Credential Access | Harvest credentials | | Discovery | Map internal network | | Lateral Movement | Spread to other systems | | Collection | Gather target data | | C2 | Maintain command channel | | Exfiltration | Extract data |
2. Reconnaissance Principles
Passive vs Active
| Type | Trade-off | |------|-----------| | Passive | No target contact, limited info | | Active | Direct contact, more detection risk |
Information Targets
| Category | Value | |----------|-------| | Technology stack | Attack vector selection | | Employee info | Social engineering | | Network ranges | Scanning scope | | Third parties | Supply chain attack |
3. Initial Access Vectors
Selection Criteria
| Vector | When to Use | |--------|-------------| | Phishing | Human target, email access | | Public exploits | Vulnerable services exposed | | Valid credentials | Leaked or cracked | | Supply chain | Third-party access |
4. Privilege Escalation Principles
Windows Targets
| Check | Opportunity | |-------|-------------| | Unquoted service paths | Write to path | | Weak service permissions | Modify service | | Token privileges | Abuse SeDebug, etc. | | Stored credentials | Harvest |
Linux Targets
| Check | Opportunity | |-------|-------------| | SUID binaries | Execute as owner | | Sudo misconfiguration | Command execution | | Kernel vulnerabilities | Kernel exploits | | Cron jobs | Writable scripts |
5. Defense Evasion Principles
Key Techniques
| Technique | Purpose | |-----------|---------| | LOLBins | Use legitimate tools | | Obfuscation | Hide malicious code | | Timestomping | Hide file modifications | | Log clearing | Remove evidence |
Operational Security
- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior
6. Lateral Movement Principles
Credential Types
| Type | Use | |------|-----| | Password | Standard auth | | Hash | Pass-the-hash | | Ticket | Pass-the-ticket | | Certificate | Certificate auth |
Movement Paths
- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services
7. Active Directory Attacks
Attack Categories
| Attack | Target | |--------|--------| | Kerberoasting | Service account passwords | | AS-REP Roasting | Accounts without pre-auth | | DCSync | Domain credentials | | Golden Ticket | Persistent domain access |
8. Reporting Principles
Attack Narrative
Document the full attack chain:
- How initial access was gained
- What techniques were used
- What objectives were achieved
- Where detection failed
Detection Gaps
For each successful technique:
- What should have detected it?
- Why didn't detection work?
- How to improve detection
9. Ethical Boundaries
Always
- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions
Never
- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data
10. Anti-Patterns
| ❌ Don't | ✅ Do | |----------|-------| | Rush to exploitation | Follow methodology | | Cause damage | Minimize impact | | Skip reporting | Document everything | | Ignore scope | Stay within boundaries |
Remember: Red team simulates attackers to improve defenses, not to cause harm.
Related Skills
admin-baked/skills/shared/executive-brief
testing
VerifiedTrustedCommunity
--- name: executive-brief description: Produce a concise executive brief or portfolio digest for a super user or operator — use when summarizing multi-account performance, cross-org anomalies, top actions needed, or weekly business status for leadership review. Trigger phrases: "executive summary", "weekly brief", "portfolio digest", "top actions this week", "what needs my attention", "board update", "cross-account summary". version: 0.1.0 owner: platform agent_owner: pops allowed_roles: - sup
2SKILL.mdUpdated Apr 1, 2026
admin-baked/skills/shared/anomaly-to-action-memo
development
VerifiedTrustedCommunity
--- name: anomaly-to-action-memo description: Interpret a detected anomaly or signal and produce a decision-ready action memo — use when an alert, metric deviation, or operational signal needs to be turned into a prioritized recommendation with evidence, owner, and next step. Trigger phrases: "what does this anomaly mean", "something looks off", "explain this alert", "revenue is down", "traffic dropped", "flag this for review", "what should we do about this". version: 0.1.0 owner: ops-intelligen
2SKILL.mdUpdated Apr 1, 2026
admin-baked/skills/org/brand-voice
testing
VerifiedTrustedCommunity
--- name: brand-voice description: Apply BakedBot brand voice standards to any customer-facing content — use when generating or reviewing copy that must match a dispensary or brand's approved tone, language patterns, and messaging constraints. Trigger phrases: "does this match our voice", "write in our brand voice", "on-brand copy", "brand guidelines", "tone check". version: 0.1.0 owner: platform agent_owner: craig allowed_roles: - super_user - dispensary_operator - brand_operator outputs:
2SKILL.mdUpdated Apr 1, 2026
admin-baked/skills/grower/sell-through-partner-analysis
testing
VerifiedTrustedCommunity
--- name: sell-through-partner-analysis description: Analyze which retail dispensary partners are selling through a grower's products effectively, identify top performers and laggards, and produce a prioritized partner action plan. Use when a grower wants to know where their products move fastest, which partners need attention, and where to focus wholesale sales effort. Trigger phrases: "which partners are selling our product", "sell-through analysis", "partner performance", "where is inventory
2SKILL.mdUpdated Apr 1, 2026