red-team-tactics
Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Best use case
red-team-tactics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using red-team-tactics should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/red-team-tactics/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How red-team-tactics Compares
| Feature / Agent | red-team-tactics | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Red Team Tactics
> Adversary simulation principles based on MITRE ATT&CK framework.
---
## 1. MITRE ATT&CK Phases
### Attack Lifecycle
```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓               ↓              ↓           ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓               ↓              ↓           ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```
### Phase Objectives
| Phase | Objective |
|-------|-----------|
| **Recon** | Map attack surface |
| **Initial Access** | Get first foothold |
| **Execution** | Run code on target |
| **Persistence** | Survive reboots |
| **Privilege Escalation** | Get admin/root |
| **Defense Evasion** | Avoid detection |
| **Credential Access** | Harvest credentials |
| **Discovery** | Map internal network |
| **Lateral Movement** | Spread to other systems |
| **Collection** | Gather target data |
| **C2** | Maintain command channel |
| **Exfiltration** | Extract data |
---
## 2. Reconnaissance Principles
### Passive vs Active
| Type | Trade-off |
|------|-----------|
| **Passive** | No target contact, limited info |
| **Active** | Direct contact, more detection risk |
### Information Targets
| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |
---
## 3. Initial Access Vectors
### Selection Criteria
| Vector | When to Use |
|--------|-------------|
| **Phishing** | Human target, email access |
| **Public exploits** | Vulnerable services exposed |
| **Valid credentials** | Leaked or cracked |
| **Supply chain** | Third-party access |
---
## 4. Privilege Escalation Principles
### Windows Targets
| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |
### Linux Targets
| Check | Opportunity |
|-------|-------------|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |
---
## 5. Defense Evasion Principles
### Key Techniques
| Technique | Purpose |
|-----------|---------|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |
### Operational Security
- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior
---
## 6. Lateral Movement Principles
### Credential Types
| Type | Use |
|------|-----|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |
### Movement Paths
- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services
---
## 7. Active Directory Attacks
### Attack Categories
| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |
---
## 8. Reporting Principles
### Attack Narrative
Document the full attack chain:
1. How initial access was gained
2. What techniques were used
3. What objectives were achieved
4. Where detection failed
### Detection Gaps
For each successful technique:
- What should have detected it?
- Why didn't detection work?
- How to improve detection
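The reporting procedure above (attack narrative plus the three detection-gap questions per successful technique) is easy to apply inconsistently across a long engagement. The following is an added example, not code from the original SKILL.md, that models one step of the attack chain as a record carrying its ATT&CK phase, technique ID, outcome and detection status, refuses to render a report while any successful-but-undetected step is missing one of the three gap answers, and summarises detection coverage per lifecycle phase. The sample chain, host names and controls are constructed for illustration; the technique IDs are ATT&CK IDs, and the phase order comes from the skill's own lifecycle table.

```python
"""Attack-narrative and detection-gap report builder (added example, constructed data)."""
from dataclasses import dataclass
from collections import OrderedDict

# Lifecycle order from the skill's phase table (Impact taken from the lifecycle diagram).
PHASES = [
    "Reconnaissance", "Initial Access", "Execution", "Persistence",
    "Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery",
    "Lateral Movement", "Collection", "C2", "Exfiltration", "Impact",
]


@dataclass
class Step:
    phase: str
    technique_id: str        # ATT&CK technique ID, e.g. T1566.001
    technique: str
    succeeded: bool
    detected: bool
    # Detection-gap answers; required whenever the step succeeded undetected.
    expected_control: str = ""   # what should have detected it?
    failure_reason: str = ""     # why didn't detection work?
    improvement: str = ""        # how to improve detection


def validate(chain):
    """Return a list of problems; an empty list means the chain is reportable."""
    problems = []
    for i, s in enumerate(chain, 1):
        if s.phase not in PHASES:
            problems.append(f"step {i}: unknown phase {s.phase!r}")
        if s.succeeded and not s.detected:
            for name in ("expected_control", "failure_reason", "improvement"):
                if not getattr(s, name).strip():
                    problems.append(f"step {i} ({s.technique_id}): missing {name}")
    return problems


def detection_gaps(chain):
    """Successful techniques that raised no alert: the findings that matter most."""
    return [s for s in chain if s.succeeded and not s.detected]


def coverage_by_phase(chain):
    """Map phase -> (detected, attempted) over successful steps, in lifecycle order."""
    order = lambda s: PHASES.index(s.phase) if s.phase in PHASES else len(PHASES)
    cov = OrderedDict()
    for s in sorted((s for s in chain if s.succeeded), key=order):
        d, t = cov.get(s.phase, (0, 0))
        cov[s.phase] = (d + int(s.detected), t + 1)
    return cov


def render(chain):
    """Render the narrative, gap list and coverage summary as Markdown."""
    problems = validate(chain)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["## Attack Narrative"]
    for i, s in enumerate(chain, 1):
        outcome = "succeeded" if s.succeeded else "blocked"
        seen = "detected" if s.detected else "NOT detected"
        lines.append(f"{i}. [{s.phase}] {s.technique_id} {s.technique}: {outcome}, {seen}")
    lines += ["", "## Detection Gaps"]
    for s in detection_gaps(chain):
        lines.append(f"- **{s.technique_id} {s.technique}**")
        lines.append(f"  - Should have been detected by: {s.expected_control}")
        lines.append(f"  - Why it was missed: {s.failure_reason}")
        lines.append(f"  - Improvement: {s.improvement}")
    lines += ["", "## Coverage by Phase"]
    for phase, (d, t) in coverage_by_phase(chain).items():
        lines.append(f"- {phase}: {d}/{t} successful techniques detected")
    return "\n".join(lines)


# Constructed sample chain; not from a real engagement.
SAMPLE_CHAIN = [
    Step("Initial Access", "T1566.001", "Spearphishing Attachment", True, False,
         expected_control="Mail gateway attachment sandbox",
         failure_reason="Sandbox policy skipped macro-enabled Office documents",
         improvement="Detonate all macro-enabled attachments; alert on Office spawning shells"),
    Step("Execution", "T1059.001", "PowerShell", True, True),
    Step("Credential Access", "T1558.003", "Kerberoasting", True, False,
         expected_control="SIEM rule on Event ID 4769 with RC4 (0x17) ticket encryption",
         failure_reason="Event ID 4769 was not forwarded from the domain controllers",
         improvement="Forward 4769 from all DCs and alert on RC4 TGS requests for service accounts"),
    Step("Lateral Movement", "T1021.001", "Remote Desktop Protocol", True, True),
    Step("Exfiltration", "T1048", "Exfiltration Over Alternative Protocol", False, True),
]

if __name__ == "__main__":
    print(render(SAMPLE_CHAIN))
```

Running the script prints the three report sections for the sample chain; the two undetected successes (phishing attachment and Kerberoasting) appear under Detection Gaps, and the blocked exfiltration attempt is listed in the narrative but excluded from coverage, since coverage measures what the defence missed among techniques that actually worked.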
---
## 9. Ethical Boundaries
### Always
- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions
### Never
- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data
---
## 10. Anti-Patterns
| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
---
> **Remember:** Red team simulates attackers to improve defenses, not to cause harm.
## When to Use
This skill is applicable when you need to execute the workflow or actions described in the overview.
Related Skills
red-team-tools
This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate su...
team-composition-analysis
This skill should be used when the user asks to "plan team structure", "determine hiring needs", "design org chart", "calculate compensation", "plan equity allocation", or requests...
weekly-email-team-instructions
Generates The Edmund Bogen Team's weekly market intelligence package: email, article page, dashboard, and community listings pages. Guides team through data collection, validates consistency, and produces all HTML assets ready for deployment to Constant Contact and GitHub.
codex-team
Use when you have 2+ tasks that Codex agents should execute. Runtime-native: Codex sub-agents when available, Codex CLI fallback otherwise. Handles file conflicts via merge/wave strategies. Triggers: "codex team", "spawn codex", "codex agents", "use codex for", "codex fix".
ai-agent-team
AI Agent collaborative team system, based on the newtype-profile architecture. Simulates an editorial team model, completing complex tasks through the collaboration of multiple specialized Agents. Suited to content creation, research analysis, knowledge management and similar scenarios. Core Agents: chief (editor-in-chief/coordinator), researcher, writer, editor, fact-checker, archivist. Supports advanced collaboration patterns such as task classification, parallel processing and quality verification. Trigger words: 'agent team', '协作', '研究分析', '内容创作', '多角度分析'
microsoft-teams-automation
Automate Microsoft Teams tasks via Rube MCP (Composio): send messages, manage channels, create meetings, handle chats, and search messages. Always search tools first for current schemas.
superteam-writing-plans
Create structured implementation plans with machine-parseable task blocks
ms-teams-apps
Microsoft Teams bots and AI agents - Claude/OpenAI, Adaptive Cards, Graph API
agent-teams
Orchestrate Gemini CLI agent teams for parallel multi-agent collaboration
bgo
Automates the complete Blender build-go workflow, from building and packaging your extension/add-on to removing old versions, installing, enabling, and launching Blender for quick testing and iteration.
swift-human-guidelines
Comprehensive Swift 6 and SwiftUI development guidelines for building iOS 26, iOS 18, iPadOS, macOS, watchOS, visionOS, and tvOS applications. Covers Foundation Models API, BGContinuedProcessingTask, Call Translation API, Liquid Glass design system, data-race safety, typed throws, synchronization primitives, SwiftUI/UIKit interoperability, zoom transitions, and document-based apps. Use when building new Apple platform apps, implementing Apple Intelligence features, optimizing performance with Swift 6 concurrency, following Apple Human Interface Guidelines, creating cross-platform applications, or working with iOS 26/18 APIs. Triggers on Swift code, SwiftUI views, Xcode projects, app architecture, background processing, translation features, Foundation Models, synchronization, actors, Sendable types, or modern Apple platform development.
swift-conventions
Swift coding conventions and best practices for modern Swift development. Use when writing, reviewing, or refactoring Swift code to ensure consistency with naming conventions, access control, async/await patterns, and SwiftUI/framework best practices.