red-team-tactics
Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Best use case
red-team-tactics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Teams using red-team-tactics should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/red-team-tactics/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How red-team-tactics Compares
| Feature / Agent | red-team-tactics | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Red Team Tactics
> Adversary simulation principles based on MITRE ATT&CK framework.
---
## 1. MITRE ATT&CK Phases
### Attack Lifecycle
```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
↓ ↓ ↓ ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
↓ ↓ ↓ ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```
### Phase Objectives
| Phase | Objective |
|-------|-----------|
| **Recon** | Map attack surface |
| **Initial Access** | Get first foothold |
| **Execution** | Run code on target |
| **Persistence** | Survive reboots |
| **Privilege Escalation** | Get admin/root |
| **Defense Evasion** | Avoid detection |
| **Credential Access** | Harvest credentials |
| **Discovery** | Map internal network |
| **Lateral Movement** | Spread to other systems |
| **Collection** | Gather target data |
| **C2** | Maintain command channel |
| **Exfiltration** | Extract data |
---
## 2. Reconnaissance Principles
### Passive vs Active
| Type | Trade-off |
|------|-----------|
| **Passive** | No target contact, limited info |
| **Active** | Direct contact, more detection risk |
### Information Targets
| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |
---
## 3. Initial Access Vectors
### Selection Criteria
| Vector | When to Use |
|--------|-------------|
| **Phishing** | Human target, email access |
| **Public exploits** | Vulnerable services exposed |
| **Valid credentials** | Leaked or cracked |
| **Supply chain** | Third-party access |
---
## 4. Privilege Escalation Principles
### Windows Targets
| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |
### Linux Targets
| Check | Opportunity |
|-------|-------------|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |
---
## 5. Defense Evasion Principles
### Key Techniques
| Technique | Purpose |
|-----------|---------|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |
### Operational Security
- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior
---
## 6. Lateral Movement Principles
### Credential Types
| Type | Use |
|------|-----|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |
### Movement Paths
- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services
---
## 7. Active Directory Attacks
### Attack Categories
| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |
---
## 8. Reporting Principles
### Attack Narrative
Document the full attack chain:
1. How initial access was gained
2. What techniques were used
3. What objectives were achieved
4. Where detection failed
### Detection Gaps
For each successful technique:
- What should have detected it?
- Why didn't detection work?
- How to improve detection
---
## 9. Ethical Boundaries
### Always
- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions
### Never
- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data
---
## 10. Anti-Patterns
| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
---
> **Remember:** Red team simulates attackers to improve defenses, not to cause harm.
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.Related Skills
redteam
Red team adversarial analysis to find weaknesses, vulnerabilities, and failure modes. Use before launches, for security review, or when a plan feels too perfect.
red-team-tools
This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate su...
team-collaboration-standup-notes
You are an expert team communication specialist focused on async-first standup practices, AI-assisted note generation from commit history, and effective remote team coordination patterns.
team-collaboration-issue
You are a GitHub issue resolution expert specializing in systematic bug investigation, feature implementation, and collaborative development workflows. Your expertise spans issue triage, root cause an
team-composition-analysis
This skill should be used when the user asks to \\\"plan team structure", "determine hiring needs", "design org chart", "calculate compensation", "plan equity allocation", or requests...
teamcamp-automation
Automate Teamcamp tasks via Rube MCP (Composio). Always search tools first for current schemas.
microsoft-teams-automation
Automate Microsoft Teams tasks via Rube MCP (Composio): send messages, manage channels, create meetings, handle chats, and search messages. Always search tools first for current schemas.
connecteam-automation
Automate Connecteam tasks via Rube MCP (Composio). Always search tools first for current schemas.
pinia
Pinia official Vue state management library, type-safe and extensible. Use when defining stores, working with state/getters/actions, or implementing store patterns in Vue apps.
pingdom-automation
Automate Pingdom tasks via Rube MCP (Composio). Always search tools first for current schemas.
angular-performance
Angular performance: NgOptimizedImage, @defer, lazy loading, SSR. Trigger: When optimizing Angular app performance, images, or lazy loading.
perf-web-optimization
Optimize web performance: bundle size, images, caching, lazy loading, and overall page speed. Use when site is slow, reducing bundle size, fixing layout shifts, improving Time to Interactive, or optimizing for Lighthouse scores. Triggers on: web performance, bundle size, page speed, slow site, lazy loading. Do NOT use for Core Web Vitals-specific fixes (use core-web-vitals), running Lighthouse audits (use perf-lighthouse), or Astro-specific optimization (use perf-astro).