Skill

red-team-tactics

Outlines MITRE ATT&CK red team tactics for authorized security assessments: attack phases, reconnaissance, initial access, privilege escalation on Windows/Linux, defense evasion.

security

npx claudepluginhub sickn33/antigravity-awesome-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

SKILL.md

Similar Skills

red-team-tactics

32.8k

Outlines MITRE ATT&CK red team tactics for authorized security assessments: attack phases, reconnaissance, initial access, privilege escalation on Windows/Linux, defense evasion.

antigravity-awesome-skills

redteam

Guides authorized APT red team operations: post-exploitation, lateral movement, AD attacks (Kerberoasting, DCSync, BloodHound), C2 tradecraft (Cobalt Strike), LotL, defense evasion, persistence, cloud APT.

14 files

akira

red-team

Provides methodology guidance for authorized penetration testing and red team engagements, routing to 11 specialized agents covering the full MITRE ATT&CK kill chain.

20 files10 tools

jerry

Stats

Stars36383

Forks5961

Last CommitApr 13, 2026

Used By3 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

Red Team Tactics

Adversary simulation principles based on MITRE ATT&CK framework.

1. MITRE ATT&CK Phases

Attack Lifecycle

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

Phase	Objective
Recon	Map attack surface
Initial Access	Get first foothold
Execution	Run code on target
Persistence	Survive reboots
Privilege Escalation	Get admin/root
Defense Evasion	Avoid detection
Credential Access	Harvest credentials
Discovery	Map internal network
Lateral Movement	Spread to other systems
Collection	Gather target data
C2	Maintain command channel
Exfiltration	Extract data

2. Reconnaissance Principles

Passive vs Active

Type	Trade-off
Passive	No target contact, limited info
Active	Direct contact, more detection risk

Information Targets

Category	Value
Technology stack	Attack vector selection
Employee info	Social engineering
Network ranges	Scanning scope
Third parties	Supply chain attack

3. Initial Access Vectors

Selection Criteria

Vector	When to Use
Phishing	Human target, email access
Public exploits	Vulnerable services exposed
Valid credentials	Leaked or cracked
Supply chain	Third-party access

4. Privilege Escalation Principles

Windows Targets

Check	Opportunity
Unquoted service paths	Write to path
Weak service permissions	Modify service
Token privileges	Abuse SeDebug, etc.
Stored credentials	Harvest

Linux Targets

Check	Opportunity
SUID binaries	Execute as owner
Sudo misconfiguration	Command execution
Kernel vulnerabilities	Kernel exploits
Cron jobs	Writable scripts

5. Defense Evasion Principles

Key Techniques

Technique	Purpose
LOLBins	Use legitimate tools
Obfuscation	Hide malicious code
Timestomping	Hide file modifications
Log clearing	Remove evidence

Operational Security

Work during business hours
Mimic legitimate traffic patterns
Use encrypted channels
Blend with normal behavior

6. Lateral Movement Principles

Credential Types

Type	Use
Password	Standard auth
Hash	Pass-the-hash
Ticket	Pass-the-ticket
Certificate	Certificate auth

Movement Paths

Admin shares
Remote services (RDP, SSH, WinRM)
Exploitation of internal services

7. Active Directory Attacks

Attack Categories

Attack	Target
Kerberoasting	Service account passwords
AS-REP Roasting	Accounts without pre-auth
DCSync	Domain credentials
Golden Ticket	Persistent domain access

8. Reporting Principles

Attack Narrative

Document the full attack chain:

How initial access was gained
What techniques were used
What objectives were achieved
Where detection failed

Detection Gaps

For each successful technique:

What should have detected it?
Why didn't detection work?
How to improve detection

9. Ethical Boundaries

Always

Stay within scope
Minimize impact
Report immediately if real threat found
Document all actions

Never

Destroy production data
Cause denial of service (unless scoped)
Access beyond proof of concept
Retain sensitive data

10. Anti-Patterns

❌ Don't	✅ Do
Rush to exploitation	Follow methodology
Cause damage	Minimize impact
Skip reporting	Document everything
Ignore scope	Stay within boundaries

Remember: Red team simulates attackers to improve defenses, not to cause harm.

When to Use

This skill is applicable to execute the workflow or actions described in the overview.

Limitations

Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.