Red Team Tactics

No authorization = no testing.

Attack Phases (Based on MITRE ATT&CK)

1. Reconnaissance

Passive and active information gathering before touching the target.

Passive (no target contact):

• DNS lookup: nslookup, dig, certificate transparency logs
• OSINT: LinkedIn for employee names/roles, GitHub for leaked configs, Shodan for exposed infrastructure

Active (target is contacted):

• Port scanning: nmap -sV -sC <target>
• Web tech detection: whatweb, wappalyzer
• Subdomain enumeration: amass, subfinder

2. Initial Access

How does an attacker get their first foothold?

Common vectors:

• Phishing (credential harvest or malicious attachment)
• Exposed admin interfaces with default or weak credentials
• Publicly exposed vulnerable services (searchsploit, nuclei)
• Supply chain compromise (malicious npm package, CI/CD injection)

3. Persistence

Maintaining access after initial compromise:

• Scheduled tasks / cron jobs
• Web shells on compromised web servers
• New user accounts with admin rights
• SSH authorized_keys injection

4. Lateral Movement

Moving from initial foothold to higher-value targets:

• Pass-the-hash / pass-the-ticket (Active Directory)
• SSH key reuse across hosts
• Credential reuse (if one service is compromised, others sharing the password are vulnerable)
• Internal network scanning to map new targets

5. Exfiltration

Getting data out without triggering alerts:

• Small, slow transfers to blend with normal traffic
• Staging data in cloud storage linked to attacker-controlled accounts
• DNS exfiltration (for heavily monitored networks)

Common Vulnerability Targets

Detection Evasion (for Authorized Testing)

When testing detection capabilities:

• Slow scan rates to stay under IDS thresholds
• Use legitimate user agents and headers
• Blend with normal traffic patterns
• Test from IP ranges the organization wouldn't expect

Reporting Format

# Red Team Report: [Engagement Name]

## Executive Summary
[2–3 sentences: what was tested, biggest risk found, business impact]

## Scope
[Systems tested, date range, authorization reference]

## Critical Findings

### CRIT-01: [Title]
**Risk:** Critical
**CVSS:** 9.8
**Description:** [What the vulnerability is]
**Evidence:** [Screenshot, payload, response]
**Impact:** [What an attacker could do]
**Remediation:** [Specific fix with code or config example]

## Attack Narrative
[Chronological story of the full attack path from initial access to objective]

## Remediation Priority
|Finding|Severity|Fix By|
|---|---|---|

Ethical Boundaries

• Stop immediately if you discover evidence of an active breach by a real attacker — report it, don't continue testing
• Don't access, copy, or delete real user data even if you can
• Document everything — every command run, every finding noted
• Brief the client team before leaving — no surprises in the report

Output Format

When this skill produces a recommendation or design decision, structure your output as:

━━━ Red Team Tactics Recommendation ━━━━━━━━━━━━━━━━
Decision:    [what was chosen / proposed]
Rationale:   [why — one concise line]
Trade-offs:  [what is consciously accepted]
Next action: [concrete next step for the user]
─────────────────────────────────────────────────
Pre-Flight:  ✅ All checks passed
             or ❌ [blocking item that must be resolved first]