red-team-tactics

Skill from hainamchung/agent-assistant, listed on VibeIndex
What it does

Simulates adversarial attack techniques across MITRE ATT&CK framework phases, mapping network vulnerabilities and demonstrating systematic compromise strategies.

Part of hainamchung/agent-assistant (227 items)

Installation

Install the npm package:

```
npm install -g @namch/agent-assistant
```

Or clone the repository:

```
git clone https://github.com/hainamchung/agent-assistant.git
```

Then install the skill into an agent with the CLI installer:

```
node cli/install.js install cursor    # Cursor
node cli/install.js install claude    # Claude Code
node cli/install.js install copilot   # GitHub Copilot
```

(7 more install commands not shown)

Extracted from docs: hainamchung/agent-assistant. Installs: 1. Added Feb 4, 2026.

Skill Details

SKILL.md

Red team tactics principles based on MITRE ATT&CK. Attack phases, detection evasion, reporting.

Overview

# Red Team Tactics

> Adversary simulation principles based on MITRE ATT&CK framework.

---

## 1. MITRE ATT&CK Phases

### Attack Lifecycle

```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
      ↓                ↓              ↓             ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
      ↓                ↓              ↓             ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```

ATT&CK calls these tactics (the adversary's goals) and does not require them to occur in this order: a real operation cycles through discovery, credential access and lateral movement repeatedly. The Enterprise matrix also has a Resource Development tactic (infrastructure, accounts and tooling prepared before Initial Access) that the diagram omits.

### Phase Objectives

| Phase | Objective |
|-------|-----------|
| Recon | Map the attack surface |
| Initial Access | Get a first foothold |
| Execution | Run code on the target |
| Persistence | Survive reboots, logoffs and credential resets |
| Privilege Escalation | Get admin/root |
| Defense Evasion | Avoid detection |
| Credential Access | Harvest credentials |
| Discovery | Map the internal network and its trust relationships |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| C2 | Maintain a command channel |
| Exfiltration | Extract data |
| Impact | Manipulate, interrupt or destroy systems and data |

---

## 2. Reconnaissance Principles

### Passive vs Active

| Type | Trade-off |
|------|-----------|
| Passive | No contact with target systems (OSINT, public DNS, certificate transparency logs); the picture may be stale or incomplete |
| Active | Direct contact (port scans, service probes) gives current data but is logged by the target, so more detection risk |

### Information Targets

| Category | Value |
|----------|-------|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |

---

## 3. Initial Access Vectors

### Selection Criteria

| Vector | When to Use |
|--------|-------------|
| Phishing | Human target, email access |
| Public exploits | Vulnerable services exposed to the internet |
| Valid credentials | Leaked, sprayed or cracked credentials |
| Supply chain | Third-party access to the target |

---

## 4. Privilege Escalation Principles

### Windows Targets

| Check | Opportunity |
|-------|-------------|
| Unquoted service paths | Drop a binary into a writable directory earlier in the path |
| Weak service permissions | Modify the service binary path or configuration |
| Token privileges | Abuse SeDebug, SeImpersonate, SeBackup, etc. |
| Stored credentials | Harvest from the registry, config files and credential manager |

### Linux Targets

| Check | Opportunity |
|-------|-------------|
| SUID binaries | Execute as the file owner (often root) |
| Sudo misconfiguration | Command execution as root through permitted commands |
| Kernel vulnerabilities | Kernel exploits (last resort: a failed exploit can crash the host) |
| Cron jobs | Writable scripts that root runs |
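
A worked version of the checks in both tables, added here as an example; it is not code from the skill or the agent-assistant project. The Windows check is pure string logic over a service ImagePath value (the paths shown are constructed), so it runs on any OS. The Linux check scans a directory tree for setuid/setgid files and world-writable scripts, and builds a constructed scratch tree so it has something to find offline. All function names are the example's own.

```python
"""Privilege-escalation enumeration helpers (added example, not code from the skill).

unquoted_service_path_candidates(): the Windows "unquoted service path" check as
pure string logic over a service ImagePath value.
find_linux_privesc_candidates(): the Linux SUID/SGID and writable-script checks
over a directory tree; build_demo_tree() makes a constructed scratch tree.
"""
import os
import stat
import tempfile
from typing import Dict, List


def unquoted_service_path_candidates(image_path: str) -> List[str]:
    """Paths Windows would try, in order, for an unquoted ImagePath containing
    spaces; [] means quoted or space-free (not hijackable). Only a candidate whose
    directory a low-privileged user can write to is actually exploitable."""
    raw = image_path.strip()
    if raw.startswith('"'):
        return []  # quoted paths are resolved literally
    exe_end = raw.lower().find(".exe")
    exe_part = raw[: exe_end + 4] if exe_end != -1 else raw  # drop arguments
    if " " not in exe_part:
        return []
    words = exe_part.split(" ")
    # "C:\Program Files\My App\svc.exe" -> C:\Program.exe, C:\Program Files\My.exe, real binary
    candidates = [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]
    candidates.append(exe_part)
    return candidates


def _has_shebang(path: str) -> bool:
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def find_linux_privesc_candidates(root: str) -> Dict[str, List[str]]:
    """Walk root; report setuid/setgid regular files and world-writable scripts.
    Unreadable entries are skipped, which is normal when run unprivileged."""
    findings: Dict[str, List[str]] = {"setuid": [], "setgid": [], "world_writable_scripts": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings["setuid"].append(path)
            if st.st_mode & stat.S_ISGID:
                findings["setgid"].append(path)
            # a script root runs from cron that anyone can edit is a direct path to root
            if st.st_mode & stat.S_IWOTH and (name.endswith(".sh") or _has_shebang(path)):
                findings["world_writable_scripts"].append(path)
    for paths in findings.values():
        paths.sort()
    return findings


def build_demo_tree() -> str:
    """Constructed scratch tree: a setuid helper, a benign binary and a
    world-writable cron script. Returns the tree root."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "etc", "cron.daily"))
    for rel, mode, body in [
        ("usr/bin/backup-helper", 0o4755, "#!/bin/sh\necho backup\n"),            # rwsr-xr-x
        ("usr/bin/ls", 0o755, "#!/bin/sh\n"),                                     # rwxr-xr-x
        ("etc/cron.daily/cleanup.sh", 0o777, "#!/bin/sh\nrm -rf /tmp/cache/*\n"),  # rwxrwxrwx
    ]:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def run_linux_demo() -> Dict[str, List[str]]:
    """Build the scratch tree, scan it, return findings relative to the tree root."""
    root = build_demo_tree()
    found = find_linux_privesc_candidates(root)
    return {k: [os.path.relpath(p, root).replace(os.sep, "/") for p in v] for k, v in found.items()}


if __name__ == "__main__":
    for cand in unquoted_service_path_candidates(r"C:\Program Files\My App\svc.exe -k netsvcs"):
        print("would try:", cand)
    for kind, paths in run_linux_demo().items():
        print(kind, paths)
```

On a real host, run `find_linux_privesc_candidates("/")` and compare the setuid list against the distribution's default set; the interesting entries are the ones that are not on it. The Windows function only tells you where a binary would be picked up; whether a standard user can write to that directory is a separate check.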

---

## 5. Defense Evasion Principles

### Key Techniques

| Technique | Purpose |
|-----------|---------|
| LOLBins | Use legitimate, signed tools already on the host |
| Obfuscation | Hide malicious code from signature-based scanning |
| Timestomping | Hide file modifications (on NTFS the $FILE_NAME timestamps usually survive and give it away) |
| Log clearing | Remove evidence (the clearing itself is logged, e.g. Windows Event ID 1102) |

### Operational Security

  • Work during business hours
  • Mimic legitimate traffic patterns
  • Use encrypted channels
  • Blend with normal behavior

---

## 6. Lateral Movement Principles

### Credential Types

| Type | Use |
|------|-----|
| Password | Standard auth |
| Hash | Pass-the-hash (NTLM authenticates with the NT hash, so the hash is password-equivalent) |
| Ticket | Pass-the-ticket (reuse a Kerberos TGT or service ticket) |
| Certificate | Certificate auth (e.g. Kerberos PKINIT) |

### Movement Paths

  • Admin shares (C$, ADMIN$)
  • Remote services (RDP, SSH, WinRM)
  • Exploitation of internal services
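
Why the Hash row works, as an added example (not code from the skill or the project): an NTLMv2 exchange computed on both sides as MS-NLMP specifies, showing that the client only ever needs the NT hash, never the password. The user, domain, challenge, nonce and timestamp values are constructed and fixed so the run is deterministic; the NT hash is the widely published hash of the string "password". Function names are the example's own.

```python
"""Why a stolen NT hash is password-equivalent (added example, not code from the skill).

NTLMv2 per MS-NLMP 3.3.2: the client proves knowledge of NTOWFv2, which is derived
from the NT hash, so the password itself is never needed. Server challenge, client
nonce and timestamp are fixed here; in a real exchange the server picks the
challenge and the client the nonce. User, domain and challenge bytes are constructed.
"""
import hashlib
import hmac
from typing import Dict

NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # MD4(UTF-16LE("password"))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8 bytes, chosen by the server
CLIENT_NONCE = bytes.fromhex("aabbccddeeff0011")       # 8 bytes, chosen by the client
TIMESTAMP = bytes.fromhex("0000000000000000")          # 8-byte FILETIME, fixed here
# AV_PAIR list: MsvAvNbDomainName (id 2, 8 bytes of UTF-16LE "CORP"), then MsvAvEOL
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"


def nt_hash_from_password(password: str) -> bytes:
    """NT hash = MD4 over UTF-16LE. MD4 is missing from hashlib on some OpenSSL 3
    builds (legacy provider), which is why the demo starts from the hash itself."""
    return hashlib.new("md4", password.encode("utf-16-le")).digest()


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_nonce: bytes, timestamp: bytes, target_info: bytes) -> bytes:
    """Client side: NTProofStr || temp, where
    temp = 0x01 0x01 || Z(6) || timestamp || client_nonce || Z(4) || target_info || Z(4)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_nonce
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash and compare."""
    nt_proof, temp = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def pass_the_hash_demo(user: str = "bob", domain: str = "CORP") -> Dict[str, object]:
    """An attacker holding only NT_HASH (e.g. dumped from LSASS) authenticates;
    a wrong hash does not. The password never appears on either side."""
    good = ntlmv2_response(NT_HASH, user, domain, SERVER_CHALLENGE, CLIENT_NONCE, TIMESTAMP, TARGET_INFO)
    bad = ntlmv2_response(bytes(16), user, domain, SERVER_CHALLENGE, CLIENT_NONCE, TIMESTAMP, TARGET_INFO)
    return {
        "attacker_with_hash_only": server_verify(NT_HASH, user, domain, SERVER_CHALLENGE, good),
        "attacker_with_wrong_hash": server_verify(NT_HASH, user, domain, SERVER_CHALLENGE, bad),
        "response_len": len(good),
    }


if __name__ == "__main__":
    print(pass_the_hash_demo())
```

The defensive consequence is the one the page's credential table implies: anything that holds NT hashes (LSASS, the SAM, NTDS.dit) is as sensitive as the passwords themselves, and the controls that matter are keeping hashes out of reach (Credential Guard, LSA protection, no shared local admin passwords) and restricting NTLM, not password complexity.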

---

## 7. Active Directory Attacks

### Attack Categories

| Attack | Target |
|--------|--------|
| Kerberoasting | Service account passwords, cracked offline from requested service tickets |
| AS-REP Roasting | Accounts with Kerberos pre-authentication disabled |
| DCSync | Domain credentials, pulled through directory replication rights |
| Golden Ticket | Persistent domain access via tickets forged with the krbtgt key |

---

## 8. Reporting Principles

### Attack Narrative

Document the full attack chain:

  1. How initial access was gained
  2. What techniques were used
  3. What objectives were achieved
  4. Where detection failed

### Detection Gaps

For each successful technique:

  • What should have detected it?
  • Why didn't detection work?
  • How to improve detection
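
A detection-gap check for the Kerberoasting and AS-REP Roasting rows of section 7, in the shape the Detection Gaps list above asks for. This is an added example, not code from the skill or the project: the events are constructed dicts carrying the field names of Windows Security Event IDs 4769 and 4768, and the account names, SPNs, IP addresses and the alert threshold are assumptions.

```python
"""Detection-gap check for Kerberoasting and AS-REP roasting (added example, not
code from the skill). The events are constructed dicts with the fields of Windows
Security Event ID 4769 (service ticket requested) and 4768 (TGT requested).
0x17 is RC4-HMAC, the encryption type roasting tools request because RC4 tickets
crack far faster than AES (0x11/0x12); PreAuthType 0 on a 4768 means the TGT was
issued without pre-authentication. Account names, SPNs and IPs are made up.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"


def ev(eid: str, user: str, ip: str, enc: str, **extra) -> Dict[str, str]:
    base = {"EventID": eid, "TargetUserName": user, "IpAddress": ip,
            "TicketEncryptionType": enc, "Status": "0x0"}
    base.update(extra)
    return base


SAMPLE_EVENTS: List[Dict[str, str]] = [
    # ordinary AES service tickets for a user on their workstation
    ev("4769", "alice@CORP.LOCAL", "10.0.1.20", "0x12", ServiceName="FS01$"),
    ev("4769", "alice@CORP.LOCAL", "10.0.1.20", "0x12", ServiceName="WEB01$"),
    # Kerberoasting burst: one account pulls RC4 tickets for many service accounts
    ev("4769", "bob@CORP.LOCAL", "10.0.1.55", "0x17", ServiceName="svc_sql"),
    ev("4769", "bob@CORP.LOCAL", "10.0.1.55", "0x17", ServiceName="svc_backup"),
    ev("4769", "bob@CORP.LOCAL", "10.0.1.55", "0x17", ServiceName="svc_iis"),
    ev("4769", "bob@CORP.LOCAL", "10.0.1.55", "0x17", ServiceName="svc_sccm"),
    # RC4 to krbtgt (TGT renewal) is common on mixed domains; not a roasting target
    ev("4769", "carol@CORP.LOCAL", "10.0.1.77", "0x17", ServiceName="krbtgt"),
    # AS-REP roasting: TGT issued with no pre-auth for an account that has it disabled
    ev("4768", "legacy_app", "10.0.1.55", "0x17", PreAuthType="0"),
    ev("4768", "alice", "10.0.1.20", "0x12", PreAuthType="2"),
    # a failed request (0x7, unknown SPN) must not count
    ev("4769", "bob@CORP.LOCAL", "10.0.1.55", "0x17", ServiceName="svc_old", Status="0x7"),
]


def detect_kerberoasting(events: Iterable[Dict[str, str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Accounts that obtained RC4 service tickets for >= threshold distinct SPN
    owners. Machine accounts ($) and krbtgt are excluded: they are not roastable."""
    spns = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4769" or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        spns[e["TargetUserName"]].add(svc)
    return {user: sorted(s) for user, s in spns.items() if len(s) >= threshold}


def detect_asrep_roasting(events: Iterable[Dict[str, str]]) -> List[str]:
    """Accounts issued a TGT with PreAuthType 0 (pre-authentication not required)."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("EventID") == "4768" and e.get("PreAuthType") == "0"
                   and e.get("Status") == "0x0"})


def detection_gap_report(events: List[Dict[str, str]]) -> List[str]:
    """One line per finding in the technique / evidence / rule-to-add shape."""
    lines = []
    for user, spns in detect_kerberoasting(events).items():
        lines.append(f"Kerberoasting: {user} requested RC4 (0x17) tickets for {len(spns)} SPNs "
                     f"({', '.join(spns)}); rule: alert on >=3 distinct 0x17 4769s per account in a short window")
    for user in detect_asrep_roasting(events):
        lines.append(f"AS-REP roasting: {user} was issued a TGT with PreAuthType 0; "
                     f"rule: alert on 4768 with PreAuthType=0 and re-enable pre-auth on the account")
    return lines


if __name__ == "__main__":
    for line in detection_gap_report(SAMPLE_EVENTS):
        print(line)
```

The encryption-type filter is a heuristic, and it is also where the detection gap usually is: a tool that requests AES tickets, or a service account with msDS-SupportedEncryptionTypes set to AES only, produces 0x12 events and slips past it. The fan-out (many distinct SPNs from one account in a short window) is the more robust signal, and the report line should say which of the two the gap was.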

---

## 9. Ethical Boundaries

### Always

  • Stay within scope
  • Minimize impact
  • Report immediately if a real threat is found
  • Document all actions

### Never

  • Destroy production data
  • Cause denial of service (unless scoped)
  • Access beyond proof of concept
  • Retain sensitive data

---

## 10. Anti-Patterns

| ❌ Don't | ✅ Do |
|----------|-------|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |

---

> Remember: Red team simulates attackers to improve defenses, not to cause harm.
