Red Team Tactics
Structure authorized adversary simulations and defensive validation using MITRE ATT&CK phases instead of ad-hoc attack notes.
Overview
Red Team Tactics is an agent skill most often used in Ship (also Operate, Validate) that structures authorized adversary simulation and defensive validation around MITRE ATT&CK attack phases.
Install
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill red-team-tacticsWhat is this skill?
- Maps a full attack lifecycle from reconnaissance through impact aligned to MITRE ATT&CK
- Documents phase objectives for initial access, persistence, privilege escalation, and exfiltration
- Covers reconnaissance trade-offs between passive and active collection
- Includes defense evasion and credential-access principles for authorized assessments
- Emphasizes authorized security assessments, defensive validation, or controlled education only
Adoption & trust: 690 installs on skills.sh; 40.1k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need to test defenses or train on attacker behavior but lack a consistent MITRE-aligned lifecycle instead of scattered techniques and notes.
Who is it for?
Authorized penetration testers, founders running defensive purple-team exercises, and agents drafting structured security assessment narratives.
Skip if: Unauthorized intrusion, malware development, or teams that only need dependency CVE triage without adversary lifecycle framing.
When should I use this skill?
Authorized security assessments, defensive validation, or controlled educational environments requiring MITRE ATT&CK-aligned adversary simulation principles.
What do I get? / Deliverables
You get phased objectives from recon through impact plus recon trade-offs and reporting hooks suitable for authorized assessment write-ups.
- Phase-ordered assessment outline
- Recon strategy notes (passive vs active)
- Reporting structure tied to attack lifecycle
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Red-team framing is cataloged under Ship because security hardening and pre-release offensive validation sit in the launch-readiness window for solo builders shipping real products. Security subphase is the canonical home for MITRE lifecycle guidance, detection evasion concepts, and assessment reporting—not general debugging.
Where it fits
Scope an authorized assessment by mapping recon and initial-access goals before committing to a test plan.
Pre-launch purple-team pass that walks MITRE phases against staging to find detection gaps.
Tabletop lateral movement and exfiltration scenarios to tune alerts and runbooks.
How it compares
Use for MITRE ATT&CK phase discipline instead of generic 'hacking tips' chat without authorized-scope guardrails.
Common Questions / FAQ
Who is red-team-tactics for?
Solo builders and small teams doing permitted security assessments, defensive validation, or controlled security education who want MITRE ATT&CK vocabulary in the agent.
When should I use red-team-tactics?
During Ship security reviews before launch, Operate incident-readiness drills, and Validate scoping when you map attack surface and engagement goals for an authorized test.
Is red-team-tactics safe to install?
The skill is marked offensive-risk and authorized-use-only; review the Security Audits panel on this Prism page and your engagement paperwork before relying on it in production contexts.
SKILL.md
READMESKILL.md - Red Team Tactics
> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments. # Red Team Tactics > Adversary simulation principles based on MITRE ATT&CK framework. --- ## 1. MITRE ATT&CK Phases ### Attack Lifecycle ``` RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE ↓ ↓ ↓ ↓ PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY ↓ ↓ ↓ ↓ LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT ``` ### Phase Objectives | Phase | Objective | |-------|-----------| | **Recon** | Map attack surface | | **Initial Access** | Get first foothold | | **Execution** | Run code on target | | **Persistence** | Survive reboots | | **Privilege Escalation** | Get admin/root | | **Defense Evasion** | Avoid detection | | **Credential Access** | Harvest credentials | | **Discovery** | Map internal network | | **Lateral Movement** | Spread to other systems | | **Collection** | Gather target data | | **C2** | Maintain command channel | | **Exfiltration** | Extract data | --- ## 2. Reconnaissance Principles ### Passive vs Active | Type | Trade-off | |------|-----------| | **Passive** | No target contact, limited info | | **Active** | Direct contact, more detection risk | ### Information Targets | Category | Value | |----------|-------| | Technology stack | Attack vector selection | | Employee info | Social engineering | | Network ranges | Scanning scope | | Third parties | Supply chain attack | --- ## 3. Initial Access Vectors ### Selection Criteria | Vector | When to Use | |--------|-------------| | **Phishing** | Human target, email access | | **Public exploits** | Vulnerable services exposed | | **Valid credentials** | Leaked or cracked | | **Supply chain** | Third-party access | --- ## 4. Privilege Escalation Principles ### Windows Targets | Check | Opportunity | |-------|-------------| | Unquoted service paths | Write to path | | Weak service permissions | Modify service | | Token privileges | Abuse SeDebug, etc. | | Stored credentials | Harvest | ### Linux Targets | Check | Opportunity | |-------|-------------| | SUID binaries | Execute as owner | | Sudo misconfiguration | Command execution | | Kernel vulnerabilities | Kernel exploits | | Cron jobs | Writable scripts | --- ## 5. Defense Evasion Principles ### Key Techniques | Technique | Purpose | |-----------|---------| | LOLBins | Use legitimate tools | | Obfuscation | Hide malicious code | | Timestomping | Hide file modifications | | Log clearing | Remove evidence | ### Operational Security - Work during business hours - Mimic legitimate traffic patterns - Use encrypted channels - Blend with normal behavior --- ## 6. Lateral Movement Principles ### Credential Types | Type | Use | |------|-----| | Password | Standard auth | | Hash | Pass-the-hash | | Ticket | Pass-the-ticket | | Certificate | Certificate auth | ### Movement Paths - Admin shares - Remote services (RDP, SSH, WinRM) - Exploitation of internal services --- ## 7. Active Directory Attacks ### Attack Categories | Attack | Target | |--------|--------| | Kerberoasting | Service account passwords | | AS-REP Roasting | Accounts without pre-auth | | DCSync | Domain credentials | | Golden Ticket | Persistent domain access | --- ## 8. Reporting Principles ### Attack Narrative Document the full attack chain: 1. How initial access was gained 2. What techniques were used 3. What objectives were achieved 4. Where detection failed ### Detection Gaps For each successful technique: - What should have detected it? - Why didn't detection work? - How to improve detection --- ## 9. Ethical Boundaries ### Always - Stay within scope - Mini