red-team-tactics

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Red Team Tactics

Red Team 战术

Adversary simulation principles based on MITRE ATT&CK framework.

基于MITRE ATT&CK框架的对手模拟原则。

1. MITRE ATT&CK Phases

1. MITRE ATT&CK 攻击阶段

Attack Lifecycle

攻击生命周期

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓              ↓              ↓            ↓
   PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓              ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT

Phase Objectives

阶段目标

Phase	Objective
Recon	Map attack surface
Initial Access	Get first foothold
Execution	Run code on target
Persistence	Survive reboots
Privilege Escalation	Get admin/root
Defense Evasion	Avoid detection
Credential Access	Harvest credentials
Discovery	Map internal network
Lateral Movement	Spread to other systems
Collection	Gather target data
C2	Maintain command channel
Exfiltration	Extract data

Phase	Objective
Recon	测绘攻击面
Initial Access	获取初始立足点
Execution	在目标系统上运行代码
Persistence	系统重启后仍保持访问权限
Privilege Escalation	获取管理员/根权限
Defense Evasion	规避检测
Credential Access	获取凭证
Discovery	测绘内部网络
Lateral Movement	横向移动至其他系统
Collection	收集目标数据
C2	维持命令与控制通道
Exfiltration	提取数据

2. Reconnaissance Principles

2. 侦察原则

Passive vs Active

被动侦察 vs 主动侦察

Type	Trade-off
Passive	No target contact, limited info
Active	Direct contact, more detection risk

Type	Trade-off
Passive	不接触目标，获取信息有限
Active	直接接触目标，被检测风险更高

Information Targets

信息收集目标

Category	Value
Technology stack	Attack vector selection
Employee info	Social engineering
Network ranges	Scanning scope
Third parties	Supply chain attack

Category	Value
Technology stack	选择攻击向量
Employee info	社会工程学利用
Network ranges	确定扫描范围
Third parties	供应链攻击

3. Initial Access Vectors

3. 初始访问向量

Selection Criteria

选择标准

Vector	When to Use
Phishing	Human target, email access
Public exploits	Vulnerable services exposed
Valid credentials	Leaked or cracked
Supply chain	Third-party access

Vector	When to Use
Phishing	针对人员目标，可访问邮箱时使用
Public exploits	存在暴露的易受攻击服务时使用
Valid credentials	存在泄露或破解的凭证时使用
Supply chain	可通过第三方访问时使用

4. Privilege Escalation Principles

4. 权限提升原则

Windows Targets

Windows 目标

Check	Opportunity
Unquoted service paths	Write to path
Weak service permissions	Modify service
Token privileges	Abuse SeDebug, etc.
Stored credentials	Harvest

Check	Opportunity
Unquoted service paths	写入路径
Weak service permissions	修改服务
Token privileges	滥用SeDebug等权限
Stored credentials	获取存储的凭证

Linux Targets

Linux 目标

Check	Opportunity
SUID binaries	Execute as owner
Sudo misconfiguration	Command execution
Kernel vulnerabilities	Kernel exploits
Cron jobs	Writable scripts

Check	Opportunity
SUID binaries	以所有者身份执行
Sudo misconfiguration	执行命令
Kernel vulnerabilities	内核漏洞利用
Cron jobs	可写入的脚本

5. Defense Evasion Principles

5. 防御规避原则

Key Techniques

核心技术

Technique	Purpose
LOLBins	Use legitimate tools
Obfuscation	Hide malicious code
Timestomping	Hide file modifications
Log clearing	Remove evidence

Technique	Purpose
LOLBins	使用合法工具
Obfuscation	隐藏恶意代码
Timestomping	隐藏文件修改痕迹
Log clearing	清除证据

Operational Security

操作安全

Work during business hours
Mimic legitimate traffic patterns
Use encrypted channels
Blend with normal behavior

在工作时间开展操作
模仿合法流量模式
使用加密通道
融入正常行为

6. Lateral Movement Principles

6. 横向移动原则

Credential Types

凭证类型

Type	Use
Password	Standard auth
Hash	Pass-the-hash
Ticket	Pass-the-ticket
Certificate	Certificate auth

Type	Use
Password	标准身份验证
Hash	哈希传递（Pass-the-hash）
Ticket	票据传递（Pass-the-ticket）
Certificate	证书身份验证

Movement Paths

移动路径

Admin shares
Remote services (RDP, SSH, WinRM)
Exploitation of internal services

管理员共享目录
远程服务（RDP、SSH、WinRM）
内部服务漏洞利用

7. Active Directory Attacks

7. Active Directory 攻击

Attack Categories

攻击类别

Attack	Target
Kerberoasting	Service account passwords
AS-REP Roasting	Accounts without pre-auth
DCSync	Domain credentials
Golden Ticket	Persistent domain access

Attack	Target
Kerberoasting	服务账户密码
AS-REP Roasting	无预认证的账户
DCSync	域凭证
Golden Ticket	持久化域访问权限

8. Reporting Principles

8. 报告原则

Attack Narrative

攻击叙事

Document the full attack chain:

How initial access was gained
What techniques were used
What objectives were achieved
Where detection failed

记录完整攻击链：

如何获取初始访问权限
使用了哪些技术
达成了哪些目标
检测环节在何处失效

Detection Gaps

检测缺口

For each successful technique:

What should have detected it?
Why didn't detection work?
How to improve detection

对于每个成功使用的技术：

本应通过什么方式检测到它？
为什么检测没有生效？
如何改进检测机制

9. Ethical Boundaries

9. 伦理边界

Always

必须遵守

Stay within scope
Minimize impact
Report immediately if real threat found
Document all actions

严格在测试范围内操作
尽可能降低影响
若发现真实威胁立即报告
记录所有操作

Never

绝对禁止

Destroy production data
Cause denial of service (unless scoped)
Access beyond proof of concept
Retain sensitive data

销毁生产数据
造成拒绝服务（除非在测试范围内）
超出概念验证的访问范围
留存敏感数据

10. Anti-Patterns

10. 反模式

❌ Don't	✅ Do
Rush to exploitation	Follow methodology
Cause damage	Minimize impact
Skip reporting	Document everything
Ignore scope	Stay within boundaries

Remember: Red team simulates attackers to improve defenses, not to cause harm.

❌ 禁止	✅ 推荐
急于进行漏洞利用	遵循方法论
造成破坏	降低影响
跳过报告环节	记录所有内容
无视测试范围	严格遵守边界

谨记： Red Team的作用是模拟攻击者以提升防御能力，而非造成损害。