All SkillsGet Started Free
Executing Red Team Exercise
Executes comprehensive red team exercises that simulate real-world adversary operations against an organization's people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack lifecycle from initial reconnaissance through objective completion while testing the organization's detection and response capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification. Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security assessment.
MCP get_skill({ skillId: "executing-red-team-exercise-ba16eda8" })Use this skill with your agent
Create a free account and connect via MCP
# Executing Red Team Exercise ## When to Use - Assessing an organization's ability to detect, respond to, and contain a realistic adversary operation - Testing the effectiveness of the security operations center (SOC), incident response team, and threat hunting capabilities - Validating security investments by simulating attacks that chain multiple vulnerabilities and techniques - Evaluating the organization's security posture against specific threat actors (nation-state, ransomware groups, insider threats) - Meeting regulatory requirements for adversary simulation (TIBER-EU, CBEST, AASE, iCAST) **Do not use** without executive-level authorization and a detailed Rules of Engagement document, against systems where disruption could affect safety or critical operations, or as a replacement for basic vulnerability management (fix known vulnerabilities first). ## Prerequisites - Executive-level written authorization with clearly defined objectives, scope, and off-limits systems - Red team command and control (C2) infrastructure: primary and backup C2 channels with domain fronting or redirectors - Operator workstations with OPSEC-hardened toolsets (Cobalt Strike, Sliver, Brute Ratel, or Mythic) - Threat intelligence on adversary groups relevant to the target organization for adversary emulation planning - Trusted agent (white cell) within the target organization who manages the exercise boundaries without alerting defenders - MITRE ATT&CK matrix for mapping planned and executed techniques > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Workflow ### Step 1: Adversary Emulation Planning Develop the operation plan based on a realistic threat model: - **Threat actor selection**: Select an adversary group relevant to the organization's industry. For financial services, emulate FIN7 or Lazarus Group. For healthcare, emulate APT41 or FIN12. Map the selected adversary's known TTPs from MITRE ATT&CK. - **Objective definition**: Define measurable objectives such as "Access customer financial data from the core banking system" or "Demonstrate ability to deploy ransomware across the domain" - **Attack plan development**: Create a step-by-step operation plan mapping each phase to ATT&CK tactics: 1. Initial Access (TA0001): Phishing, exploiting public-facing applications, or supply chain compromise 2. Execution (TA0002): PowerShell, scripting, exploitation for client execution 3. Persistence (TA0003): Scheduled tasks, registry modifications, implant deployment 4. Privilege Escalation (TA0004): Token impersonation, exploitation for privilege escalation 5. Defense Evasion (TA0005): Process injection, timestomping, indicator removal 6. Credential Access (TA0006): LSASS dumping, Kerberoasting, credential stuffing 7. Lateral Movement (TA0008): Remote services, pass-the-hash, remote desktop 8. Collection/Exfiltration (TA0009/TA0010): Data staging, exfiltration over C2 - **Deconfliction plan**: Establish procedures for the white cell to distinguish red team activity from actual threats ### Step 2: Infrastructure Preparation Build OPSEC-hardened attack infrastructure: - **C2 infrastructure**: Deploy primary C2 server behind redirectors that filter Blue Team investigation traffic. Use domain fronting or legitimate cloud services (Azure CDN, CloudFront) to blend C2 traffic with normal web traffic. - **Phishing infrastructure**: Register aged domains (30+ days old), configure SPF/DKIM/DMARC, and build credential harvesting or payload delivery pages - **Payload development**: Create custom implants or configure C2 framework payloads with:
#mukul-cybersecurity-skills#security#cybersecurity#penetration#testing