Agent Skills: Red Team Tactics

Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.

Category: Uncategorized
ID: xenitV1/claude-code-maestro/red-team-tactics


skills/red-team-tactics/SKILL.md

Skill Metadata

Name: red-team-tactics
Description: Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.

Red Team Tactics

Adversary simulation principles based on the MITRE ATT&CK framework.


1. MITRE ATT&CK Phases

Attack Lifecycle

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

| Phase | Objective |
|-------|-----------|
| Recon | Map attack surface |
| Initial Access | Get first foothold |
| Execution | Run code on target |
| Persistence | Survive reboots |
| Privilege Escalation | Get admin/root |
| Defense Evasion | Avoid detection |
| Credential Access | Harvest credentials |
| Discovery | Map internal network |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| C2 | Maintain command channel |
| Exfiltration | Extract data |


2. Reconnaissance Principles

Passive vs Active

| Type | Trade-off |
|------|-----------|
| Passive | No target contact, limited info |
| Active | Direct contact, more detection risk |

Information Targets

| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |


3. Initial Access Vectors

Selection Criteria

| Vector | When to Use |
|--------|-------------|
| Phishing | Human target, email access |
| Public exploits | Vulnerable services exposed |
| Valid credentials | Leaked or cracked |
| Supply chain | Third-party access |


4. Privilege Escalation Principles

Windows Targets

| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |

Linux Targets

| Check | Opportunity |
|-------|-------------|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |


5. Defense Evasion Principles

Key Techniques

| Technique | Purpose |
|-----------|---------|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |

Operational Security

  • Work during business hours
  • Mimic legitimate traffic patterns
  • Use encrypted channels
  • Blend with normal behavior

6. Lateral Movement Principles

Credential Types

| Type | Use |
|------|-----|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |

Movement Paths

  • Admin shares
  • Remote services (RDP, SSH, WinRM)
  • Exploitation of internal services

7. Active Directory Attacks

Attack Categories

| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |
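As an added defender-side example (not part of this skill file), here is the kind of detection logic that answers the "what should have detected it?" question from the reporting section for the Kerberoasting row above: many RC4 (0x17) service-ticket requests for distinct SPNs from one user account in a short window, run over constructed Windows Security event 4769 records. The record fields, sample values and the `kerberoast_candidates` helper are assumptions for illustration.

```python
"""Hunt for Kerberoasting in Windows Security event 4769 (service ticket requested) records."""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; Kerberoasters prefer it because it cracks fastest

def ev(time, account, service, etype=RC4_HMAC, status="0x0"):
    """Build one constructed 4769-like record (status 0x0 = ticket issued)."""
    return {"time": time, "account": account, "service": service, "etype": etype, "status": status}

# Constructed sample records, not captured from a real domain.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:01", "jdoe", "MSSQLSvc/db01"),     # one user, four SPNs, RC4, 90 s
    ev("2024-05-01T10:00:02", "jdoe", "MSSQLSvc/db02"),
    ev("2024-05-01T10:00:02", "jdoe", "HTTP/web01"),
    ev("2024-05-01T10:01:30", "jdoe", "cifs/file01"),
    ev("2024-05-01T10:00:05", "asmith", "cifs/file01", etype="0x12"),  # AES-256: normal use
    ev("2024-05-01T10:00:06", "asmith", "HTTP/web01", etype="0x12"),
    ev("2024-05-01T10:00:07", "asmith", "MSSQLSvc/db01", etype="0x12"),
    ev("2024-05-01T10:00:08", "WS01$", "cifs/file01"),      # machine account: noisy, excluded
    ev("2024-05-01T10:00:09", "WS01$", "HTTP/web01"),
    ev("2024-05-01T10:00:10", "WS01$", "MSSQLSvc/db01"),
    ev("2024-05-01T11:00:00", "bwayne", "MSSQLSvc/db01"),   # RC4 requests spread over hours
    ev("2024-05-01T12:00:00", "bwayne", "HTTP/web01"),
    ev("2024-05-01T12:30:00", "bwayne", "cifs/file01"),
]

def kerberoast_candidates(events, window_seconds=300, min_services=3):
    """Return {account: [services]} for user accounts that obtained RC4 service tickets
    for at least `min_services` distinct SPNs inside any span of `window_seconds`."""
    by_account = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["etype"] != RC4_HMAC:
            continue  # failed requests and AES tickets are not the pattern hunted here
        if e["account"].endswith("$") or e["service"].lower().startswith("krbtgt"):
            continue  # computer accounts request many tickets; krbtgt is the TGT service
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    findings = {}
    for acct, reqs in by_account.items():
        reqs.sort()  # chronological, so each start index opens one sliding window
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(services) >= min_services:
                findings[acct] = sorted(services)
                break
    return findings

if __name__ == "__main__":
    for acct, spns in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting (ATT&CK T1558.003): {acct} -> {', '.join(spns)}")
```

Treat the RC4 filter as a strong signal rather than a requirement: the behaviour worth hunting is one user pulling tickets for many distinct SPNs in a short time, and the thresholds should be tuned against the domain's normal baseline.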


8. Reporting Principles

Attack Narrative

Document the full attack chain:

  1. How initial access was gained
  2. What techniques were used
  3. What objectives were achieved
  4. Where detection failed

Detection Gaps

For each successful technique:

  • What should have detected it?
  • Why didn't detection work?
  • How could detection be improved?

9. Ethical Boundaries

Always

  • Stay within scope
  • Minimize impact
  • Report immediately if a real threat is found
  • Document all actions

Never

  • Destroy production data
  • Cause denial of service (unless scoped)
  • Access beyond proof of concept
  • Retain sensitive data

10. Anti-Patterns

| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |


Remember: Red team simulates attackers to improve defenses, not to cause harm.