red-team-tactics

Installs: 323
Rank: #2859

Install

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill red-team-tactics

# Red Team Tactics

Adversary simulation principles based on the MITRE ATT&CK framework.

## 1. MITRE ATT&CK Phases

### Attack Lifecycle

```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
      ↓               ↓              ↓            ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
      ↓               ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```

### Phase Objectives

| Phase | Objective |
|---|---|
| Recon | Map attack surface |
| Initial Access | Get first foothold |
| Execution | Run code on target |
| Persistence | Survive reboots |
| Privilege Escalation | Get admin/root |
| Defense Evasion | Avoid detection |
| Credential Access | Harvest credentials |
| Discovery | Map internal network |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| C2 | Maintain command channel |
| Exfiltration | Extract data |

## 2. Reconnaissance Principles

### Passive vs Active

| Type | Trade-off |
|---|---|
| Passive | No target contact, limited info |
| Active | Direct contact, more detection risk |

### Information Targets

| Category | Value |
|---|---|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |

## 3. Initial Access Vectors

### Selection Criteria

| Vector | When to Use |
|---|---|
| Phishing | Human target, email access |
| Public exploits | Vulnerable services exposed |
| Valid credentials | Leaked or cracked |
| Supply chain | Third-party access |

## 4. Privilege Escalation Principles

### Windows Targets

| Check | Opportunity |
|---|---|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |

### Linux Targets

| Check | Opportunity |
|---|---|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |

## 5. Defense Evasion Principles

### Key Techniques

| Technique | Purpose |
|---|---|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |

### Operational Security

- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior

## 6. Lateral Movement Principles

### Credential Types

| Type | Use |
|---|---|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |

### Movement Paths

- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services

## 7. Active Directory Attacks

### Attack Categories

| Attack | Target |
|---|---|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |

## 8. Reporting Principles

### Attack Narrative

Document the full attack chain:

- How initial access was gained
- What techniques were used
- What objectives were achieved
- Where detection failed

### Detection Gaps

For each successful technique:

- What should have detected it?
- Why didn't detection work?
- How to improve detection

## 9. Ethical Boundaries

### Always

- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions

### Never

- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data

## 10. Anti-Patterns

| ❌ Don't | ✅ Do |
|---|---|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
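As an added example that is not part of the skill's own content, the "unquoted service paths" check from section 4 written from the defender's side, which is also what the detection-gap questions in section 8 ask for: given service entries in the form of the Win32_Service PathName column, it flags unquoted paths containing spaces, lists the file names Windows would try before the real binary (whose directories need an ACL review), and produces the quoted path as the fix. The service names and paths are constructed for illustration, and the code assumes the intended binary ends in `.exe`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample entries in the form of the Win32_Service PathName column
# (service names and paths are made up for illustration).
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe" -k netsvcs',
    "BadSvc": r"C:\Program Files\Bad Vendor\Sub Dir\badsvc.exe --port 9000",
    "NoSpace": r"C:\Windows\System32\svchost.exe -k LocalService",
    "Agent": r"C:\Tools\agent.exe",
}

@dataclass
class Finding:
    name: str
    executable: str
    acl_review: List[str]  # file names Windows would try before the real binary
    remediation: str       # the PathName value as it should be configured

def _executable_part(path_name: str) -> str:
    """Executable portion of an unquoted PathName (assumes the binary ends in .exe)."""
    m = re.match(r"(.+?\.exe)\b", path_name, re.IGNORECASE)
    return m.group(1) if m else path_name.split(" ", 1)[0]

def audit_service(name: str, path_name: str) -> Optional[Finding]:
    """Flag a service whose unquoted binary path contains spaces."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        return None  # quoted path: not affected
    exe = _executable_part(path_name)
    if " " not in exe:
        return None  # no spaces: the path resolves unambiguously
    # Windows tries a shorter "<prefix>.exe" at every space before reaching the
    # real binary, so the directory holding each candidate must not be writable
    # by standard users; list them for ACL review.
    parts = exe.split(" ")
    acl_review = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    args = path_name[len(exe):]
    return Finding(name, exe, acl_review, f'"{exe}"{args}')

def audit_all(services: Dict[str, str]) -> List[Finding]:
    """Run the check over every service and keep only the findings."""
    return [f for f in (audit_service(n, p) for n, p in services.items()) if f]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SERVICES):
        print(f"{f.name}: unquoted path {f.executable}")
        print("  review permissions on:", ", ".join(f.acl_review))
        print("  set PathName to:", f.remediation)
```

On a real host the input would come from the service configuration (for example the PathName values of Win32_Service); the remediation is simply to quote the path, with the ACL review confirming no standard user can write to the listed locations in the meantime.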

Remember: Red team simulates attackers to improve defenses, not to cause harm.
