home / skills / vudovn / antigravity-kit / red-team-tactics
This skill helps simulate red team tactics based on MITRE ATT&CK to improve defenses by mapping phases, vectors, and reporting.
npx playbooks add skill vudovn/antigravity-kit --skill red-team-tacticsReview the files below or copy the command above to add this skill to your agents.
---
name: red-team-tactics
description: Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.
allowed-tools: Read, Glob, Grep
---
# Red Team Tactics
> Adversary simulation principles based on MITRE ATT&CK framework.
---
## 1. MITRE ATT&CK Phases
### Attack Lifecycle
```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
↓ ↓ ↓ ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
↓ ↓ ↓ ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```
### Phase Objectives
| Phase | Objective |
|-------|-----------|
| **Recon** | Map attack surface |
| **Initial Access** | Get first foothold |
| **Execution** | Run code on target |
| **Persistence** | Survive reboots |
| **Privilege Escalation** | Get admin/root |
| **Defense Evasion** | Avoid detection |
| **Credential Access** | Harvest credentials |
| **Discovery** | Map internal network |
| **Lateral Movement** | Spread to other systems |
| **Collection** | Gather target data |
| **C2** | Maintain command channel |
| **Exfiltration** | Extract data |
---
## 2. Reconnaissance Principles
### Passive vs Active
| Type | Trade-off |
|------|-----------|
| **Passive** | No target contact, limited info |
| **Active** | Direct contact, more detection risk |
### Information Targets
| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |
---
## 3. Initial Access Vectors
### Selection Criteria
| Vector | When to Use |
|--------|-------------|
| **Phishing** | Human target, email access |
| **Public exploits** | Vulnerable services exposed |
| **Valid credentials** | Leaked or cracked |
| **Supply chain** | Third-party access |
---
## 4. Privilege Escalation Principles
### Windows Targets
| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |
### Linux Targets
| Check | Opportunity |
|-------|-------------|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |
---
## 5. Defense Evasion Principles
### Key Techniques
| Technique | Purpose |
|-----------|---------|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |
### Operational Security
- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior
---
## 6. Lateral Movement Principles
### Credential Types
| Type | Use |
|------|-----|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |
### Movement Paths
- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services
---
## 7. Active Directory Attacks
### Attack Categories
| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |
---
## 8. Reporting Principles
### Attack Narrative
Document the full attack chain:
1. How initial access was gained
2. What techniques were used
3. What objectives were achieved
4. Where detection failed
### Detection Gaps
For each successful technique:
- What should have detected it?
- Why didn't detection work?
- How to improve detection
---
## 9. Ethical Boundaries
### Always
- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions
### Never
- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data
---
## 10. Anti-Patterns
| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
---
> **Remember:** Red team simulates attackers to improve defenses, not to cause harm.
This skill codifies red team tactics and operational principles mapped to the MITRE ATT&CK lifecycle. It focuses on attack phases, common techniques for initial access, lateral movement, privilege escalation, and defense evasion, plus ethical boundaries and reporting guidance. The goal is to help teams plan realistic adversary simulations and produce actionable detections and mitigation recommendations.
The content inspects each ATT&CK phase and lists practical objectives, typical vectors, and decision criteria for selecting techniques. It summarizes reconnaissance trade-offs (passive vs active), access vectors, escalation checks for Windows and Linux, lateral movement paths, Active Directory attack categories, and operational security measures. It also prescribes reporting structure and detection-gap analysis to convert exercises into defensive improvements.
How do I choose initial access techniques for a test?
Pick vectors that match the target profile and objectives: phishing for human-centered tests, public exploits for exposed services, or supply-chain methods for third-party risk. Prioritize safety and scope.
What should a good post-engagement report include?
A clear attack narrative, technique-by-technique detection analysis, root causes for missed detections, prioritized mitigations, and recommendations for monitoring and controls.