red-team-tactics

Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.

Category

Other Tools

Install

Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-red-team-tactics&locale=en&source=copy

Red Team Tactics - Red Team Tactical Guide

Skill Overview

Built on the MITRE ATT&CK framework, this skill provides a complete adversary emulation methodology: it covers the full attack chain from reconnaissance to impact, defense evasion techniques, and principles for professional reporting.

Applicable Scenarios

1. Enterprise Security Assessments

Helps organizations uncover defensive blind spots through realistic attack simulations, assess their security monitoring and response capabilities, and identify detection gaps.

2. Red Team Exercise Execution

Provides red team members with a structured attack methodology to ensure exercises cover all phases of MITRE ATT&CK, while maintaining professionalism and controllability.

3. Security Team Training

Helps blue teams understand adversary tactics and techniques, improve detection rules, and strengthen overall defenses.

Core Functions

1. MITRE ATT&CK Attack Chain

Offers a complete attack lifecycle framework spanning reconnaissance, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control (C2), exfiltration, and impact. Each stage includes clear tactical objectives and guidance on technique selection.

2. Defense Evasion and Lateral Movement

Covers defense evasion techniques such as LOLBin abuse, code obfuscation, and timestamp spoofing, as well as lateral movement methods including credential reuse, pass-the-hash, and pass-the-ticket, while emphasizing operational security and ethical boundaries throughout.

3. Professional Reporting and Ethical Standards

Provides a structured guide for writing red team reports, including attack narratives, detection gap analysis, and improvement recommendations; clearly defines the exercise scope, the principle of minimizing impact, and professional ethical boundaries.

Frequently Asked Questions

What are red team tactics?

Red team tactics are a methodology for simulating real adversaries, based on the MITRE ATT&CK framework. By conducting adversary emulation exercises, organizations can evaluate and improve their security defenses. Unlike malicious attacks, red team exercises follow strict ethical standards, operate within agreed-upon boundaries, and aim to help organizations discover security weaknesses rather than cause real harm.

How do red team exercises differ from penetration testing?

Although both are security assessments, there are fundamental differences. Penetration testing focuses on discovering and exploiting technical vulnerabilities, typically aiming to obtain specific privileges. Red team exercises focus on simulating a complete attack chain to test an organization's detection and response capabilities; they emphasize stealth and persistence, often run longer, and more closely resemble real adversary behavior.

What are the ethical boundaries in red team exercises?

Red team exercises must always follow these principles: operate only within the agreed scope; minimize impact on production environments; immediately report any real threats discovered; and fully document all actions. Prohibited actions include destroying production data, conducting denial-of-service attacks (unless explicitly authorized), performing operations beyond the proof-of-concept scope, and retaining sensitive data.