mtsbatalha/red-team-tactics

Red Team Tactics

Adversary simulation principles based on MITRE ATT&CK framework.

---

1. MITRE ATT&CK Phases

Attack Lifecycle

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

| Phase | Objective | |-------|-----------| | Recon | Map attack surface | | Initial Access | Get first foothold | | Execution | Run code on target | | Persistence | Survive reboots | | Privilege Escalation | Get admin/root | | Defense Evasion | Avoid detection | | Credential Access | Harvest credentials | | Discovery | Map internal network | | Lateral Movement | Spread to other systems | | Collection | Gather target data | | C2 | Maintain command channel | | Exfiltration | Extract data |

---

2. Reconnaissance Principles

Passive vs Active

| Type | Trade-off | |------|-----------| | Passive | No target contact, limited info | | Active | Direct contact, more detection risk |

Information Targets

| Category | Value | |----------|-------| | Technology stack | Attack vector selection | | Employee info | Social engineering | | Network ranges | Scanning scope | | Third parties | Supply chain attack |

---

3. Initial Access Vectors

Selection Criteria

| Vector | When to Use | |--------|-------------| | Phishing | Human target, email access | | Public exploits | Vulnerable services exposed | | Valid credentials | Leaked or cracked | | Supply chain | Third-party access |

---

4. Privilege Escalation Principles

Windows Targets

| Check | Opportunity | |-------|-------------| | Unquoted service paths | Write to path | | Weak service permissions | Modify service | | Token privileges | Abuse SeDebug, etc. | | Stored credentials | Harvest |

Linux Targets

| Check | Opportunity | |-------|-------------| | SUID binaries | Execute as owner | | Sudo misconfiguration | Command execution | | Kernel vulnerabilities | Kernel exploits | | Cron jobs | Writable scripts |

---

5. Defense Evasion Principles

Key Techniques

| Technique | Purpose | |-----------|---------| | LOLBins | Use legitimate tools | | Obfuscation | Hide malicious code | | Timestomping | Hide file modifications | | Log clearing | Remove evidence |

Operational Security

• Work during business hours
• Mimic legitimate traffic patterns
• Use encrypted channels
• Blend with normal behavior

---

6. Lateral Movement Principles

Credential Types

| Type | Use | |------|-----| | Password | Standard auth | | Hash | Pass-the-hash | | Ticket | Pass-the-ticket | | Certificate | Certificate auth |

Movement Paths

• Admin shares
• Remote services (RDP, SSH, WinRM)
• Exploitation of internal services

---

7. Active Directory Attacks

Attack Categories

| Attack | Target | |--------|--------| | Kerberoasting | Service account passwords | | AS-REP Roasting | Accounts without pre-auth | | DCSync | Domain credentials | | Golden Ticket | Persistent domain access |

---

8. Reporting Principles

Attack Narrative

Document the full attack chain:

1. How initial access was gained
2. What techniques were used
3. What objectives were achieved
4. Where detection failed

Detection Gaps

For each successful technique:

• What should have detected it?
• Why didn't detection work?
• How to improve detection

---

9. Ethical Boundaries

Always

• Stay within scope
• Minimize impact
• Report immediately if real threat found
• Document all actions

Never

• Destroy production data
• Cause denial of service (unless scoped)
• Access beyond proof of concept
• Retain sensitive data

---

10. Anti-Patterns

| ❌ Don't | ✅ Do | |----------|-------| | Rush to exploitation | Follow methodology | | Cause damage | Minimize impact | | Skip reporting | Document everything | | Ignore scope | Stay within boundaries |

---

Remember: Red team simulates attackers to improve defenses, not to cause harm.

When to Use

This skill is applicable to execute the workflow or actions described in the overview.