red-team
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseRed Team
红队
Red team engagement planning and attack path analysis skill for authorized offensive security simulations. This is NOT vulnerability scanning (see security-pen-testing) or incident response (see incident-response) — this is about structured adversary simulation to test detection, response, and control effectiveness.
用于授权攻击性安全模拟的红队演练规划与攻击路径分析技能。本技能并非漏洞扫描(详见security-pen-testing)或事件响应(详见incident-response)——它聚焦于结构化的对手模拟,以测试检测、响应和控制措施的有效性。
Table of Contents
目录
Overview
概述
What This Skill Does
本技能的作用
This skill provides the methodology and tooling for red team engagement planning — building structured attack plans from MITRE ATT&CK technique selection, access level, and crown jewel targets. It scores techniques by effort and detection risk, assembles kill-chain phases, identifies choke points, and flags OPSEC risks.
本技能为红队演练规划提供方法论和工具支持——基于MITRE ATT&CK技术选择、访问权限级别和核心资产目标构建结构化攻击计划。它会根据实施难度和检测风险对技术进行评分,编排杀伤链阶段,识别choke point,并标记OPSEC风险。
Distinction from Other Security Skills
与其他安全技能的区别
| Skill | Focus | Approach |
|---|---|---|
| red-team (this) | Adversary simulation | Offensive — structured attack planning and execution |
| security-pen-testing | Vulnerability discovery | Offensive — systematic exploitation of specific weaknesses |
| threat-detection | Finding attacker activity | Proactive — detect TTPs in telemetry |
| incident-response | Active incident management | Reactive — contain and investigate confirmed incidents |
| 技能 | 核心关注点 | 实施方式 |
|---|---|---|
| red-team(本技能) | 对手模拟 | 攻击性——结构化攻击规划与执行 |
| security-pen-testing | 漏洞发现 | 攻击性——针对性弱点的系统性利用 |
| threat-detection | 发现攻击者活动 | 主动性——在遥测数据中检测TTP |
| incident-response | 事件主动管理 | 反应性——遏制并调查已确认的事件 |
Authorization Requirement
授权要求
All red team activities described here require written authorization. This includes a signed Rules of Engagement (RoE) document, defined scope, and explicit executive approval. The tool will not generate output without the flag. Unauthorized use of these techniques is illegal under the CFAA, Computer Misuse Act, and equivalent laws worldwide.
engagement_planner.py--authorized此处描述的所有红队活动均需书面授权。这包括签署的《参与规则》(RoE)文件、明确的范围以及管理层的正式批准。工具在未添加参数时不会生成输出。未经授权使用这些技术违反《计算机欺诈和滥用法案》(CFAA)、《计算机滥用法案》及全球各地等效法律,属于违法行为。
engagement_planner.py--authorizedEngagement Planner Tool
演练规划工具
The tool builds a scored, kill-chain-ordered attack plan from technique selection, access level, and crown jewel targets.
engagement_planner.pybash
undefinedengagement_planner.pybash
undefinedBasic engagement plan — external access, specific techniques
基础演练计划——外部访问,指定技术
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1003
--access-level external
--authorized --json
--techniques T1059,T1078,T1003
--access-level external
--authorized --json
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1003
--access-level external
--authorized --json
--techniques T1059,T1078,T1003
--access-level external
--authorized --json
Internal network access with crown jewel targeting
内部网络访问+核心资产定位
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1021,T1550,T1003
--access-level internal
--crown-jewels "Database,Active Directory,Payment Systems"
--authorized --json
--techniques T1059,T1078,T1021,T1550,T1003
--access-level internal
--crown-jewels "Database,Active Directory,Payment Systems"
--authorized --json
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1021,T1550,T1003
--access-level internal
--crown-jewels "Database,Active Directory,Payment Systems"
--authorized --json
--techniques T1059,T1078,T1021,T1550,T1003
--access-level internal
--crown-jewels "Database,Active Directory,Payment Systems"
--authorized --json
Credentialed (assumed breach) scenario with scale
凭证获取(假设已 breach)场景+规模化
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1021,T1550,T1003,T1486,T1048
--access-level credentialed
--crown-jewels "Domain Controller,S3 Data Lake"
--target-count 50
--authorized --json
--techniques T1059,T1078,T1021,T1550,T1003,T1486,T1048
--access-level credentialed
--crown-jewels "Domain Controller,S3 Data Lake"
--target-count 50
--authorized --json
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1021,T1550,T1003,T1486,T1048
--access-level credentialed
--crown-jewels "Domain Controller,S3 Data Lake"
--target-count 50
--authorized --json
--techniques T1059,T1078,T1021,T1550,T1003,T1486,T1048
--access-level credentialed
--crown-jewels "Domain Controller,S3 Data Lake"
--target-count 50
--authorized --json
List all 29 supported MITRE ATT&CK techniques
列出所有29种受支持的MITRE ATT&CK技术
python3 scripts/engagement_planner.py --list-techniques
undefinedpython3 scripts/engagement_planner.py --list-techniques
undefinedAccess Level Definitions
访问级别定义
| Level | Starting Position | Techniques Available |
|---|---|---|
| external | No internal access — internet only | External-facing techniques only (T1190, T1566, etc.) |
| internal | Network foothold — no credentials | Internal recon + lateral movement prep |
| credentialed | Valid credentials obtained | Full kill chain including priv-esc, lateral movement, impact |
| 级别 | 初始位置 | 可用技术 |
|---|---|---|
| external | 无内部访问权限——仅通过互联网 | 仅面向外部的技术(T1190、T1566等) |
| internal | 已获取网络立足点——无凭证 | 内部侦察+横向移动准备技术 |
| credentialed | 已获取有效凭证 | 完整杀伤链技术,包括提权、横向移动、影响实施 |
Exit Codes
退出代码
| Code | Meaning |
|---|---|
| 0 | Engagement plan generated successfully |
| 1 | Missing authorization or invalid technique |
| 2 | Scope violation — technique outside access-level constraints |
| 代码 | 含义 |
|---|---|
| 0 | 演练计划生成成功 |
| 1 | 缺少授权或技术无效 |
| 2 | 范围违规——技术超出访问级别限制 |
Kill-Chain Phase Methodology
杀伤链阶段方法论
The engagement planner organizes techniques into eight kill-chain phases and orders the execution plan accordingly.
演练规划工具将技术划分为11个杀伤链阶段,并按此顺序编排执行计划。
Kill-Chain Phase Order
杀伤链阶段顺序
| Phase | Order | MITRE Tactic | Examples |
|---|---|---|---|
| Reconnaissance | 1 | TA0043 | T1595, T1596, T1598 |
| Resource Development | 2 | TA0042 | T1583, T1588 |
| Initial Access | 3 | TA0001 | T1190, T1566, T1078 |
| Execution | 4 | TA0002 | T1059, T1047, T1204 |
| Persistence | 5 | TA0003 | T1053, T1543, T1136 |
| Privilege Escalation | 6 | TA0004 | T1055, T1548, T1134 |
| Credential Access | 7 | TA0006 | T1003, T1110, T1558 |
| Lateral Movement | 8 | TA0008 | T1021, T1550, T1534 |
| Collection | 9 | TA0009 | T1074, T1560, T1114 |
| Exfiltration | 10 | TA0010 | T1048, T1041, T1567 |
| Impact | 11 | TA0040 | T1486, T1491, T1498 |
| 阶段 | 顺序 | MITRE战术 | 示例 |
|---|---|---|---|
| 侦察 | 1 | TA0043 | T1595、T1596、T1598 |
| 资源开发 | 2 | TA0042 | T1583、T1588 |
| 初始访问 | 3 | TA0001 | T1190、T1566、T1078 |
| 执行 | 4 | TA0002 | T1059、T1047、T1204 |
| 持久化 | 5 | TA0003 | T1053、T1543、T1136 |
| 权限提升 | 6 | TA0004 | T1055、T1548、T1134 |
| 凭证获取 | 7 | TA0006 | T1003、T1110、T1558 |
| 横向移动 | 8 | TA0008 | T1021、T1550、T1534 |
| 收集 | 9 | TA0009 | T1074、T1560、T1114 |
| 数据渗出 | 10 | TA0010 | T1048、T1041、T1567 |
| 影响实施 | 11 | TA0040 | T1486、T1491、T1498 |
Phase Execution Principles
阶段执行原则
Each phase must be completed before advancing to the next unless the engagement scope specifies assumed breach (skip to a later phase). Do not skip persistence before attempting lateral movement — persistence ensures operational continuity if a single foothold is detected and removed.
每个阶段完成后方可进入下一阶段,除非演练范围明确指定假设已 breach(可跳过至后续阶段)。切勿在未建立持久化的情况下尝试横向移动——持久化可确保单个立足点被检测并清除后,操作仍能持续进行。
Technique Scoring and Prioritization
技术评分与优先级
Techniques are scored by effort (how hard to execute without detection) and prioritized in the engagement plan.
技术会根据实施难度(在不被检测到的前提下执行的难度)进行评分,并在演练计划中确定优先级。
Effort Score Formula
难度评分公式
effort_score = detection_risk × (len(prerequisites) + 1)Lower effort score = easier to execute without triggering detection.
effort_score = detection_risk × (len(prerequisites) + 1)难度评分越低,意味着越容易在不触发检测的情况下执行。
Technique Scoring Reference
技术评分参考
| Technique | Detection Risk | Prerequisites | Effort Score | MITRE ID |
|---|---|---|---|---|
| PowerShell execution | 0.7 | initial_access | 1.4 | T1059.001 |
| Scheduled task persistence | 0.5 | execution | 1.0 | T1053.005 |
| Pass-the-Hash | 0.6 | credential_access, internal_network | 1.8 | T1550.002 |
| LSASS credential dump | 0.8 | local_admin | 1.6 | T1003.001 |
| Spearphishing link | 0.4 | none | 0.4 | T1566.001 |
| Ransomware deployment | 0.9 | persistence, lateral_movement | 2.7 | T1486 |
| 技术 | 检测风险 | 前置条件 | 难度评分 | MITRE ID |
|---|---|---|---|---|
| PowerShell执行 | 0.7 | initial_access | 1.4 | T1059.001 |
| 计划任务持久化 | 0.5 | execution | 1.0 | T1053.005 |
| 哈希传递(Pass-the-Hash) | 0.6 | credential_access, internal_network | 1.8 | T1550.002 |
| LSASS凭证转储 | 0.8 | local_admin | 1.6 | T1003.001 |
| 鱼叉式钓鱼链接 | 0.4 | none | 0.4 | T1566.001 |
| 勒索软件部署 | 0.9 | persistence, lateral_movement | 2.7 | T1486 |
Choke Point Analysis
Choke Point分析
Choke points are techniques required by multiple paths to crown jewel assets. Detecting a choke point technique detects all attack paths that pass through it.
Choke Point是通往核心资产的多条路径都依赖的技术。检测到Choke Point技术即可检测到所有经过该点的攻击路径。
Choke Point Identification
Choke Point识别
The engagement planner identifies choke points by finding techniques in and tactics that serve as prerequisites for multiple subsequent techniques targeting crown jewels.
credential_accessprivilege_escalationPrioritize detection rule development and monitoring density around choke point techniques — hardening a choke point has multiplied defensive value.
演练规划工具通过寻找和战术中,作为多个后续核心资产攻击技术前置条件的技术,来识别Choke Point。
credential_accessprivilege_escalation优先围绕Choke Point技术开发检测规则并增加监控密度——强化Choke Point能带来倍增的防御价值。
Common Choke Points by Environment
不同环境下的常见Choke Point
| Environment Type | Common Choke Points | Detection Priority |
|---|---|---|
| Active Directory domain | T1003 (credential dump), T1558 (Kerberoasting) | Highest |
| AWS environment | T1078.004 (cloud account), iam:PassRole chains | Highest |
| Hybrid cloud | T1550.002 (PtH), T1021.006 (WinRM) | High |
| Containerized apps | T1610 (deploy container), T1611 (container escape) | High |
Full methodology:
references/attack-path-methodology.md| 环境类型 | 常见Choke Point | 检测优先级 |
|---|---|---|
| Active Directory域 | T1003(凭证转储)、T1558(Kerberoasting) | 最高 |
| AWS环境 | T1078.004(云账户)、iam:PassRole链 | 最高 |
| 混合云 | T1550.002(PtH)、T1021.006(WinRM) | 高 |
| 容器化应用 | T1610(部署容器)、T1611(容器逃逸) | 高 |
完整方法论:
references/attack-path-methodology.mdOPSEC Risk Assessment
OPSEC风险评估
OPSEC risk items identify actions that are likely to trigger detection or leave persistent artifacts.
OPSEC风险项用于识别可能触发检测或留下持久痕迹的操作。
OPSEC Risk Categories
OPSEC风险类别
| Tactic | Primary OPSEC Risk | Mitigation |
|---|---|---|
| Credential Access | LSASS memory access triggers EDR | Use LSASS-less techniques (DCSync, Kerberoasting) where possible |
| Execution | PowerShell command-line logging | Use AMSI bypass or alternative execution methods in scope |
| Lateral Movement | NTLM lateral movement generates event 4624 type 3 | Use Kerberos where possible; avoid NTLM over the network |
| Persistence | Scheduled tasks generate event 4698 | Use less-monitored persistence mechanisms within scope |
| Exfiltration | Large outbound transfers trigger DLP | Stage data and use slow exfil if stealth is required |
| 战术 | 主要OPSEC风险 | 缓解措施 |
|---|---|---|
| 凭证获取 | LSASS内存访问会触发EDR | 尽可能使用无需访问LSASS的技术(如DCSync、Kerberoasting) |
| 执行 | PowerShell命令行日志 | 在范围内使用AMSI绕过或替代执行方法 |
| 横向移动 | NTLM横向移动会生成事件4624类型3 | 尽可能使用Kerberos;避免通过网络使用NTLM |
| 持久化 | 计划任务会生成事件4698 | 在范围内使用监控较少的持久化机制 |
| 数据渗出 | 大规模 outbound传输会触发DLP | 如需隐身,可先暂存数据再缓慢渗出 |
OPSEC Checklist Before Each Phase
各阶段前的OPSEC检查清单
- Is the technique in scope per RoE?
- Will it generate logs that blue team monitors actively?
- Is there a less-detectable alternative that achieves the same objective?
- If detected, will it reveal the full operation or only the current foothold?
- Are cleanup artifacts defined for post-exercise removal?
- 该技术是否符合RoE的范围要求?
- 它是否会生成蓝队主动监控的日志?
- 是否存在可实现相同目标且检测难度更低的替代方案?
- 若被检测到,会暴露整个操作还是仅当前立足点?
- 是否已定义演练后的清理措施?
Crown Jewel Targeting
核心资产定位
Crown jewel assets are the high-value targets that define the success criteria of a red team engagement.
核心资产是定义红队演练成功标准的高价值目标。
Crown Jewel Classification
核心资产分类
| Crown Jewel Type | Target Indicators | Attack Paths |
|---|---|---|
| Domain Controller | AD DS, NTDS.dit, SYSVOL | Kerberoasting → DCSync → Golden Ticket |
| Database servers | Production SQL, NoSQL, data warehouse | Lateral movement → DBA account → data staging |
| Payment systems | PCI-scoped network, card data vault | Network pivot → service account → exfiltration |
| Source code repositories | Internal Git, build systems | VPN → internal git → code signing keys |
| Cloud management plane | AWS management console, IAM admin | Phishing → credential → AssumeRole chain |
Crown jewel definition is agreed upon in the RoE — engagement success is measured by whether red team reaches defined crown jewels, not by the number of vulnerabilities found.
| 核心资产类型 | 目标特征 | 攻击路径 |
|---|---|---|
| 域控制器 | AD DS、NTDS.dit、SYSVOL | Kerberoasting → DCSync → 黄金票据 |
| 数据库服务器 | 生产SQL、NoSQL、数据仓库 | 横向移动 → DBA账户 → 数据暂存 |
| 支付系统 | PCI合规网络、卡片数据 vault | 网络 pivot → 服务账户 → 数据渗出 |
| 源代码仓库 | 内部Git、构建系统 | VPN → 内部Git → 代码签名密钥 |
| 云管理平面 | AWS管理控制台、IAM管理员 | 钓鱼 → 凭证 → AssumeRole链 |
核心资产的定义需在RoE中达成一致——演练成功与否的衡量标准是红队是否到达指定核心资产,而非发现漏洞的数量。
Attack Path Methodology
攻击路径方法论
Attack path analysis identifies all viable routes from the starting access level to each crown jewel.
攻击路径分析会识别从初始访问级别到每个核心资产的所有可行路径。
Path Scoring
路径评分
Each path is scored by:
- Total effort score (sum of per-technique effort scores)
- Choke point count (how many choke points the path passes through)
- Detection probability (product of per-technique detection risks)
Lower effort + fewer choke points = path of least resistance for the attacker.
每条路径会根据以下维度评分:
- 总难度评分(各技术难度评分之和)
- Choke Point数量(路径经过的Choke Point数量)
- 检测概率(各技术检测风险的乘积)
难度越低+Choke Point越少=攻击者的阻力最小路径。
Attack Path Graph Construction
攻击路径图构建
external
└─ T1566.001 (spearphishing) → initial_access
└─ T1059.001 (PowerShell) → execution
└─ T1003.001 (LSASS dump) → credential_access [CHOKE POINT]
└─ T1550.002 (Pass-the-Hash) → lateral_movement
└─ T1078.002 (domain account) → privilege_escalation
└─ Crown Jewel: Domain ControllerFor the full scoring algorithm, choke point weighting, and effort-vs-impact matrix, see .
references/attack-path-methodology.mdexternal
└─ T1566.001(鱼叉式钓鱼)→ initial_access
└─ T1059.001(PowerShell)→ execution
└─ T1003.001(LSASS转储)→ credential_access [CHOKE POINT]
└─ T1550.002(哈希传递)→ lateral_movement
└─ T1078.002(域账户)→ privilege_escalation
└─ 核心资产:域控制器完整评分算法、Choke Point权重以及难度-影响矩阵详见。
references/attack-path-methodology.mdWorkflows
工作流程
Workflow 1: Quick Engagement Scoping (30 Minutes)
工作流程1:快速演练范围确定(30分钟)
For scoping a focused red team exercise against a specific target:
bash
undefined针对特定目标的聚焦型红队演练范围确定:
bash
undefined1. Generate initial technique list from kill-chain coverage gaps
1. 从杀伤链覆盖缺口生成初始技术列表
python3 scripts/engagement_planner.py --list-techniques
python3 scripts/engagement_planner.py --list-techniques
2. Build plan for external assumed-no-access scenario
2. 构建外部无访问权限假设场景的计划
python3 scripts/engagement_planner.py
--techniques T1566,T1190,T1059,T1003,T1021
--access-level external
--crown-jewels "Database Server"
--authorized --json
--techniques T1566,T1190,T1059,T1003,T1021
--access-level external
--crown-jewels "Database Server"
--authorized --json
python3 scripts/engagement_planner.py
--techniques T1566,T1190,T1059,T1003,T1021
--access-level external
--crown-jewels "Database Server"
--authorized --json
--techniques T1566,T1190,T1059,T1003,T1021
--access-level external
--crown-jewels "Database Server"
--authorized --json
3. Review choke_points and opsec_risks in output
3. 查看输出中的choke_points和opsec_risks
4. Present kill-chain phases to stakeholders for scope approval
4. 向利益相关方展示杀伤链阶段以获取范围批准
**Decision**: If choke_points are already covered by detection rules, focus on gaps. If not, those are the highest-value exercise targets.
**决策**:若Choke Point已被检测规则覆盖,则聚焦于缺口;若未覆盖,则这些是演练的最高价值目标。Workflow 2: Full Red Team Engagement (Multi-Week)
工作流程2:完整红队演练(数周)
Week 1 — Planning:
- Define crown jewels and success criteria with stakeholders
- Sign RoE with defined scope, timeline, and out-of-scope exclusions
- Build engagement plan with engagement_planner.py
- Review OPSEC risks for each phase
Week 2 — Execution (External Phase):
- Reconnaissance and target profiling
- Initial access attempts (phishing, exploit public-facing)
- Document each technique executed with timestamps
- Log all detection events to validate blue team coverage
Week 3 — Execution (Internal Phase):
- Establish persistence if initial access obtained
- Execute credential access techniques (choke points)
- Lateral movement toward crown jewels
- Document when and how crown jewels were reached
Week 4 — Reporting:
- Compile findings — techniques executed, detection rates, crown jewels reached
- Map findings to detection gaps
- Produce remediation recommendations prioritized by choke point impact
- Deliver read-out to security leadership
第1周——规划:
- 与利益相关方定义核心资产和成功标准
- 签署包含明确范围、时间线和排除项的RoE
- 使用engagement_planner.py构建演练计划
- 评审各阶段的OPSEC风险
第2周——执行(外部阶段):
- 侦察和目标分析
- 初始访问尝试(钓鱼、利用公开面漏洞)
- 记录每个执行的技术及时间戳
- 记录所有检测事件以验证蓝队覆盖范围
第3周——执行(内部阶段):
- 若获取初始访问则建立持久化
- 执行凭证获取技术(Choke Point)
- 向核心资产进行横向移动
- 记录到达核心资产的时间和方式
第4周——报告:
- 整理发现——执行的技术、检测率、到达的核心资产
- 将发现映射到检测缺口
- 生成按Choke Point影响优先级排序的修复建议
- 向安全领导层汇报结果
Workflow 3: Assumed Breach Tabletop
工作流程3:假设Breach桌面演练
Simulate a compromised credential scenario for rapid detection testing:
bash
undefined模拟凭证泄露场景以快速测试检测能力:
bash
undefinedAssumed breach — credentialed access starting position
假设Breach——凭证访问初始位置
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1021,T1550,T1003,T1048
--access-level credentialed
--crown-jewels "Active Directory,S3 Data Bucket"
--target-count 20
--authorized --json | jq '.phases, .choke_points, .opsec_risks'
--techniques T1059,T1078,T1021,T1550,T1003,T1048
--access-level credentialed
--crown-jewels "Active Directory,S3 Data Bucket"
--target-count 20
--authorized --json | jq '.phases, .choke_points, .opsec_risks'
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1021,T1550,T1003,T1048
--access-level credentialed
--crown-jewels "Active Directory,S3 Data Bucket"
--target-count 20
--authorized --json | jq '.phases, .choke_points, .opsec_risks'
--techniques T1059,T1078,T1021,T1550,T1003,T1048
--access-level credentialed
--crown-jewels "Active Directory,S3 Data Bucket"
--target-count 20
--authorized --json | jq '.phases, .choke_points, .opsec_risks'
Run across multiple access levels to compare path options
跨多个访问级别运行以比较路径选项
for level in external internal credentialed; do
echo "=== ${level} ==="
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1003,T1021
--access-level "${level}"
--authorized --json | jq '.total_effort_score, .phases | keys' done
--techniques T1059,T1078,T1003,T1021
--access-level "${level}"
--authorized --json | jq '.total_effort_score, .phases | keys' done
---for level in external internal credentialed; do
echo "=== ${level} ==="
python3 scripts/engagement_planner.py
--techniques T1059,T1078,T1003,T1021
--access-level "${level}"
--authorized --json | jq '.total_effort_score, .phases | keys' done
--techniques T1059,T1078,T1003,T1021
--access-level "${level}"
--authorized --json | jq '.total_effort_score, .phases | keys' done
---Anti-Patterns
反模式
- Operating without written authorization — Unauthorized red team activity against any system you don't own or have explicit permission to test is a criminal offense. The flag must reflect a real signed RoE, not just running the tool to bypass the check. Authorization must predate execution.
--authorized - Skipping kill-chain phase ordering — Jumping directly to lateral movement without establishing persistence means a single detection wipes out the entire foothold. Follow the kill-chain phase order — each phase builds the foundation for the next.
- Not defining crown jewels before starting — Engagements without defined success criteria drift into open-ended vulnerability hunting. Crown jewels and success conditions must be agreed upon in the RoE before the first technique is executed.
- Ignoring OPSEC risks in the plan — Red team exercises test blue team detection. Deliberately avoiding all detectable techniques produces an unrealistic engagement that doesn't validate detection coverage. Use OPSEC risks to understand detection exposure, not to avoid it entirely.
- Failing to document executed techniques in real time — Retroactive documentation of what was executed is unreliable. Log each technique, timestamp, and outcome as it happens. Post-engagement reporting must be based on contemporaneous records.
- Not cleaning up artifacts post-exercise — Persistence mechanisms, new accounts, modified configurations, and staged data must be removed after engagement completion. Leaving red team artifacts creates permanent security risks and can be confused with real attacker activity.
- Treating path of least resistance as the only path — Attackers adapt. Test multiple attack paths including higher-effort routes that may evade detection. Validating that the easiest path is detected is necessary but not sufficient.
- 无书面授权操作——针对任何非自有或未获得明确测试许可的系统进行未授权红队活动属于刑事犯罪。参数必须基于真实签署的RoE,而非仅为绕过工具限制而使用。授权必须在执行前完成。
--authorized - 跳过杀伤链阶段顺序——未建立持久化就直接进行横向移动意味着单次检测即可清除整个立足点。遵循杀伤链阶段顺序——每个阶段都为下一阶段奠定基础。
- 开始前未定义核心资产——无明确成功标准的演练会演变为无限制的漏洞挖掘。核心资产和成功条件必须在首次执行技术前,在RoE中达成一致。
- 忽略计划中的OPSEC风险——红队演练旨在测试蓝队检测能力。刻意避免所有可检测技术会导致演练不切实际,无法验证检测覆盖范围。应利用OPSEC风险了解检测暴露情况,而非完全规避。
- 未实时记录执行的技术——追溯记录执行内容不可靠。应在执行时记录每个技术、时间戳和结果。演练后报告必须基于同期记录。
- 演练后未清理痕迹——持久化机制、新增账户、修改的配置和暂存数据必须在演练完成后移除。遗留红队痕迹会造成永久安全风险,还可能被误认为真实攻击者活动。
- 将阻力最小路径视为唯一路径——攻击者会适应。测试多条攻击路径,包括可能规避检测的高难度路径。验证最容易的路径被检测到是必要的,但并不足够。
Cross-References
交叉引用
| Skill | Relationship |
|---|---|
| threat-detection | Red team technique execution generates realistic TTPs that validate threat hunting hypotheses |
| incident-response | Red team activity should trigger incident response procedures — detection and response quality is a primary success metric |
| cloud-security | Cloud posture findings (IAM misconfigs, S3 exposure) become red team attack path targets |
| security-pen-testing | Pen testing focuses on specific vulnerability exploitation; red team focuses on end-to-end kill-chain simulation to crown jewels |
| 技能 | 关系 |
|---|---|
| threat-detection | 红队技术执行会生成真实的TTP,用于验证威胁狩猎假设 |
| incident-response | 红队活动应触发事件响应流程——检测和响应质量是主要成功指标 |
| cloud-security | 云态势发现结果(IAM配置错误、S3暴露)会成为红队攻击路径的目标 |
| security-pen-testing | 渗透测试聚焦于特定漏洞利用;红队聚焦于端到端杀伤链模拟,以到达核心资产为目标 |