# Red Team Tactics
Adversary simulation principles based on the MITRE ATT&CK framework.
## 1. MITRE ATT&CK Phases

### Attack Lifecycle

```
RECONNAISSANCE → INITIAL ACCESS → EXECUTION → PERSISTENCE
       ↓               ↓              ↓            ↓
PRIVILEGE ESC → DEFENSE EVASION → CRED ACCESS → DISCOVERY
       ↓               ↓              ↓            ↓
LATERAL MOVEMENT → COLLECTION → C2 → EXFILTRATION → IMPACT
```

### Phase Objectives

| Phase | Objective |
|---|---|
| Recon | Map attack surface |
| Initial Access | Get first foothold |
| Execution | Run code on target |
| Persistence | Survive reboots |
| Privilege Escalation | Get admin/root |
| Defense Evasion | Avoid detection |
| Credential Access | Harvest credentials |
| Discovery | Map internal network |
| Lateral Movement | Spread to other systems |
| Collection | Gather target data |
| C2 | Maintain command channel |
| Exfiltration | Extract data |

## 2. Reconnaissance Principles

### Passive vs Active

| Type | Trade-off |
|---|---|
| Passive | No target contact, limited info |
| Active | Direct contact, more detection risk |

### Information Targets

| Category | Value |
|---|---|
| Technology stack | Attack vector selection |
| Employee info | Social engineering |
| Network ranges | Scanning scope |
| Third parties | Supply chain attack |

## 3. Initial Access Vectors

### Selection Criteria

| Vector | When to Use |
|---|---|
| Phishing | Human target, email access |
| Public exploits | Vulnerable services exposed |
| Valid credentials | Leaked or cracked |
| Supply chain | Third-party access |

## 4. Privilege Escalation Principles

### Windows Targets

| Check | Opportunity |
|---|---|
| Unquoted service paths | Write to path |
| Weak service permissions | Modify service |
| Token privileges | Abuse SeDebug, etc. |
| Stored credentials | Harvest |
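
The first check in the table, unquoted service paths, is easy to audit and remediate from the defender's side. The following is an added example, not code from the original page: it parses service `ImagePath` values (constructed samples here; on a live host they are read from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath`), lists the executables Windows would try before the real one, names the directories whose permissions must be verified, and produces the quoted path that fixes the finding.

```python
"""Audit Windows service ImagePath values for the unquoted-service-path
weakness (ATT&CK T1574.009). Added example, not from the original page.
The sample ImagePath strings are constructed; on a live host they come from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath.
"""
from __future__ import annotations
import re

# Constructed sample data: service name -> ImagePath as stored in the registry.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -run',
    "BadSvc": "C:\\Program Files\\Bad Vendor\\Sub Dir\\svc.exe -run",
    "SystemSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "DriverSvc": "\\SystemRoot\\System32\\drivers\\example.sys",
}

# Rooted Win32 path ending in .exe, followed by whitespace (arguments) or end.
_EXE_RE = re.compile(r'^([A-Za-z]:\\[^"]*?\.exe)(?:\s|$)', re.IGNORECASE)


def interception_candidates(image_path: str) -> list[str]:
    """Executables Windows tries before the real one when the path is
    unquoted and contains spaces (empty list when the path is safe).

    CreateProcess splits an unquoted command line at each space, so for
    C:\\Program Files\\Bad Vendor\\Sub Dir\\svc.exe it first tries
    C:\\Program.exe, then C:\\Program Files\\Bad.exe, and so on.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # quoted: no ambiguity
    m = _EXE_RE.match(path)
    if not m:
        return []                      # not a rooted .exe path (e.g. a driver)
    exe = m.group(1)
    candidates = []
    start = 0
    while (idx := exe.find(" ", start)) != -1:
        candidates.append(exe[:idx] + ".exe")
        start = idx + 1
    return candidates


def quoted_image_path(image_path: str) -> str:
    """Remediation: the same ImagePath with the executable part quoted."""
    path = image_path.strip()
    m = _EXE_RE.match(path)
    if path.startswith('"') or not m:
        return path
    exe = m.group(1)
    return f'"{exe}"' + path[len(exe):]


def directories_to_check(candidates: list[str]) -> list[str]:
    """Directories in which a standard user must NOT be able to create files
    ("C:" here means the root of the C: drive)."""
    return sorted({c.rsplit("\\", 1)[0] for c in candidates})


def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an ambiguous path to its interception candidates."""
    findings = {}
    for name, image_path in services.items():
        cands = interception_candidates(image_path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", cands)
        print("  verify ACLs on:", directories_to_check(cands))
        print("  fix:", quoted_image_path(SAMPLE_SERVICES[name]))
```

Only `BadSvc` is reported: the quoted service, the system service without spaces in its path, and the driver entry are all skipped. The remediation is two-fold, quote the path and confirm that none of the listed directories is writable by standard users.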

### Linux Targets

| Check | Opportunity |
|---|---|
| SUID binaries | Execute as owner |
| Sudo misconfiguration | Command execution |
| Kernel vulnerabilities | Kernel exploits |
| Cron jobs | Writable scripts |
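
Three of the four Linux checks in the table (SUID binaries, sudo misconfiguration, writable cron scripts) can be run as a host audit. The following is an added example, not code from the original page: it applies the checks to constructed file entries, a constructed `/etc/crontab` and constructed sudoers lines, and the `live_entries` helper shows how the same checks feed from a real filesystem. The SUID baseline is an assumption; a real one comes from the golden image.

```python
"""Linux privilege-escalation exposure audit: unexpected SUID/SGID files,
broad or passwordless sudo rules, and root cron jobs running scripts that
other users can modify. Added example, not from the original page; all
entries, crontab and sudoers text below are constructed samples.
"""
from __future__ import annotations
import os
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    mode: int   # st_mode, including permission and setuid/setgid bits
    uid: int    # owner uid


# Constructed sample entries, modes as os.stat would report them.
SAMPLE_ENTRIES = [
    FileEntry("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    FileEntry("/opt/backup/helper", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    FileEntry("/usr/bin/ls", stat.S_IFREG | 0o755, 0),
    FileEntry("/etc/cron.hourly/rotate.sh", stat.S_IFREG | 0o777, 0),
    FileEntry("/etc/cron.daily/clean.sh", stat.S_IFREG | 0o755, 0),
    FileEntry("/home/bob/cleanup.sh", stat.S_IFREG | 0o664, 1001),
]

# Constructed /etc/crontab lines: min hour dom mon dow user command.
SAMPLE_CRONTAB = """\
0 * * * * root /etc/cron.hourly/rotate.sh
30 2 * * * root /etc/cron.daily/clean.sh
*/5 * * * * root /home/bob/cleanup.sh --quiet
"""

# Constructed sudoers lines.
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
bob ALL=(root) NOPASSWD: ALL
"""

# Assumed baseline of SUID files expected on this build; anything else is reviewed.
SUID_BASELINE = {"/usr/bin/passwd"}


def live_entries(root: str = "/") -> list[FileEntry]:
    """Collect entries from a real filesystem (not used by the sample run)."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            out.append(FileEntry(p, st.st_mode, st.st_uid))
    return out


def find_unexpected_suid(entries, baseline=SUID_BASELINE) -> list[str]:
    """Regular files with setuid/setgid set that are not in the baseline."""
    return sorted(e.path for e in entries
                  if stat.S_ISREG(e.mode) and e.mode & (stat.S_ISUID | stat.S_ISGID)
                  and e.path not in baseline)


def writable_by_others(e: FileEntry) -> bool:
    return bool(e.mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_cron(crontab_text: str, entries) -> list[tuple[str, str]]:
    """Root cron jobs whose script is group/world-writable or not owned by root."""
    by_path = {e.path: e for e in entries}
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        user, script = fields[5], fields[6]
        e = by_path.get(script)
        if e is None or user != "root":
            continue
        if writable_by_others(e):
            findings.append((script, "group/world-writable"))
        elif e.uid != 0:
            findings.append((script, f"owned by uid {e.uid}"))
    return findings


_RUNAS_RE = re.compile(r"^\s*\([^)]*\)\s*")


def find_risky_sudo(sudoers_text: str) -> list[tuple[str, str, str]]:
    """(who, severity, note) for rules granting broad or passwordless commands.
    Handles the common 'who HOST=(runas) [TAG:] cmd' form; Defaults lines
    and aliases are skipped, and commands containing ':' are not handled."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        who, _, spec = line.partition("=")
        who = who.split()[0]
        if who == "root":
            continue
        spec = _RUNAS_RE.sub("", spec)            # drop the "(ALL:ALL)" runas part
        tags, _, cmds = spec.rpartition(":")      # "NOPASSWD: cmd" -> tags / cmds
        cmds = cmds.strip()
        nopasswd = "NOPASSWD" in tags
        if cmds == "ALL" and nopasswd:
            findings.append((who, "high", "passwordless any command"))
        elif cmds == "ALL":
            findings.append((who, "review", "any command"))
        elif nopasswd:
            findings.append((who, "review", f"passwordless: {cmds}"))
    return findings


if __name__ == "__main__":
    print("unexpected SUID:", find_unexpected_suid(SAMPLE_ENTRIES))
    print("risky cron:", find_risky_cron(SAMPLE_CRONTAB, SAMPLE_ENTRIES))
    print("risky sudo:", find_risky_sudo(SAMPLE_SUDOERS))
```

Kernel vulnerabilities, the fourth row, are a patch-level question rather than a permission audit and are left out here. The cron rule deliberately flags ownership as well as mode bits: a root cron job running a script owned by a regular user is a finding even when the file is 0644.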

## 5. Defense Evasion Principles

### Key Techniques

| Technique | Purpose |
|---|---|
| LOLBins | Use legitimate tools |
| Obfuscation | Hide malicious code |
| Timestomping | Hide file modifications |
| Log clearing | Remove evidence |
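
Each technique in the table leaves a trace a defender can key on. The following is an added example, not code from the original page: detection logic for LOLBin abuse, timestomping and log clearing, run over constructed Windows Security/System event records and constructed NTFS timestamp pairs. Event IDs used are the standard ones (4688 process creation, 1102 Security log cleared, 104 other log cleared); the parent-process list and the certutil argument signatures are assumptions chosen for the example.

```python
"""Detection rules for three defense-evasion techniques: LOLBin abuse,
timestomping and log clearing. Added example, not from the original page.
All events and file records below are constructed samples.
"""
from __future__ import annotations
from datetime import datetime

LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe"}
# Parents from which a LOLBin launch is rarely legitimate (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed events: a subset of 4688 / 1102 / 104 fields.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe invoice.hta"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -decode blob.txt out.exe"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "jsmith"},
    {"EventID": 104, "Channel": "System", "SubjectUserName": "jsmith"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed NTFS records: $STANDARD_INFORMATION vs $FILE_NAME modified times.
SAMPLE_FILES = [
    {"path": r"C:\Users\jsmith\report.docx",
     "si_mtime": datetime(2024, 3, 4, 10, 15, 22, 413870),
     "fn_mtime": datetime(2024, 3, 4, 10, 15, 22, 413870)},
    {"path": r"C:\Windows\Temp\svc.exe",
     "si_mtime": datetime(2019, 1, 1, 0, 0, 0, 0),        # backdated, whole second
     "fn_mtime": datetime(2024, 3, 5, 2, 41, 9, 887120)},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lolbin_findings(events) -> list[tuple[str, str]]:
    """LOLBins launched by Office apps, or certutil used to decode/fetch files."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        proc = _basename(ev["NewProcessName"])
        if proc not in LOLBINS:
            continue
        parent = _basename(ev["ParentProcessName"])
        cmd = ev.get("CommandLine", "").lower()
        if parent in SUSPICIOUS_PARENTS:
            findings.append(("lolbin-office-parent", f"{proc} spawned by {parent}"))
        elif proc == "certutil.exe" and ("-decode" in cmd or "-urlcache" in cmd):
            findings.append(("lolbin-certutil-transfer", cmd))
    return findings


def log_clear_findings(events) -> list[tuple[str, str]]:
    """1102 = Security log cleared, 104 = another event log cleared."""
    return [("log-cleared", f"{ev.get('Channel')} by {ev.get('SubjectUserName')}")
            for ev in events if ev.get("EventID") in (1102, 104)]


def timestomp_findings(files) -> list[tuple[str, str]]:
    """$FN times are set by the kernel on create/rename and untouched by the
    user-mode SetFileTime call that timestomping tools use, so a $SI modified
    time earlier than $FN, or one with no sub-second part, is suspicious.
    Caveat: files copied with preserved timestamps also show $SI < $FN."""
    findings = []
    for f in files:
        reasons = []
        if f["si_mtime"] < f["fn_mtime"]:
            reasons.append("$SI modified earlier than $FN")
        if f["si_mtime"].microsecond == 0:
            reasons.append("whole-second $SI timestamp")
        if reasons:
            findings.append(("timestomp", f["path"] + ": " + "; ".join(reasons)))
    return findings


def run_detections(events, files) -> list[tuple[str, str]]:
    return lolbin_findings(events) + log_clear_findings(events) + timestomp_findings(files)


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"[{rule}] {detail}")
```

The `rundll32.exe` launch from Explorer is not reported, which is the point of the parent-process condition: LOLBins are legitimate by definition, so the rule must encode context rather than the binary name alone.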

### Operational Security

- Work during business hours
- Mimic legitimate traffic patterns
- Use encrypted channels
- Blend with normal behavior

## 6. Lateral Movement Principles

### Credential Types

| Type | Use |
|---|---|
| Password | Standard auth |
| Hash | Pass-the-hash |
| Ticket | Pass-the-ticket |
| Certificate | Certificate auth |

### Movement Paths

- Admin shares
- Remote services (RDP, SSH, WinRM)
- Exploitation of internal services

## 7. Active Directory Attacks

### Attack Categories

| Attack | Target |
|---|---|
| Kerberoasting | Service account passwords |
| AS-REP Roasting | Accounts without pre-auth |
| DCSync | Domain credentials |
| Golden Ticket | Persistent domain access |
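
Three of the four attacks in this table, plus the pass-the-hash style spread from the Lateral Movement section, have well-defined signals in domain controller and endpoint logs. The following is an added example, not code from the original page: detection rules over constructed Windows Security events for Kerberoasting (4769 with RC4 tickets for several service accounts), AS-REP roasting (4768 with PreAuthType 0), DCSync (4662 exercising the replication extended rights from a non-DC account) and NTLM logon fan-out (4624 type 3 across several hosts). The DC account list and both thresholds are assumptions. Golden Ticket detection depends on ticket-lifetime and logon anomalies that a per-event rule cannot express, so it is not covered here.

```python
"""Detection rules for Kerberoasting, AS-REP roasting, DCSync and NTLM
lateral-movement fan-out. Added example, not from the original page. Event
records are constructed samples carrying the Security event fields the
rules need; DC_ACCOUNTS and the thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict

RC4_HMAC = "0x17"                       # TicketEncryptionType for RC4 tickets
# Extended rights used by directory replication (a DCSync request needs them).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
}
DC_ACCOUNTS = {"DC01$", "DC02$"}        # constructed: this forest's domain controllers
KERBEROAST_MIN_SERVICES = 3             # assumed threshold
FANOUT_MIN_HOSTS = 3                    # assumed threshold

SAMPLE_EVENTS = [
    # 4769 TGS requests: RC4 tickets for several user service accounts from one principal
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS07$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    # 4768 AS-REQ: PreAuthType 0 means the TGT was issued without pre-authentication
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # 4662 directory object access carrying replication rights in Properties
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    # 4624 network logons collected from several hosts ("Computer" = logging host)
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "jsmith", "LogonType": "3", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "Computer": "WS12", "TargetUserName": "jsmith", "LogonType": "3", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "Computer": "WS19", "TargetUserName": "jsmith", "LogonType": "3", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice", "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
]


def kerberoast_findings(events) -> list[tuple[str, list[str]]]:
    """Principals requesting RC4 service tickets for several user (non-$) accounts."""
    services = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue                    # machine accounts and the TGS itself
        services[ev["TargetUserName"]].add(svc)
    return [(user, sorted(s)) for user, s in sorted(services.items())
            if len(s) >= KERBEROAST_MIN_SERVICES]


def asrep_roast_findings(events) -> list[str]:
    """Accounts issued a TGT without pre-authentication."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev.get("EventID") == 4768 and ev.get("PreAuthType") == "0"})


def dcsync_findings(events) -> list[tuple[str, list[str]]]:
    """Replication rights exercised by anything that is not a known DC account."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = set(ev.get("Properties", "").lower().split()) & REPLICATION_RIGHTS
        if rights and ev["SubjectUserName"] not in DC_ACCOUNTS:
            out.append((ev["SubjectUserName"], sorted(rights)))
    return out


def ntlm_fanout_findings(events) -> list[tuple[str, list[str]]]:
    """Accounts with NTLM network logons on many distinct hosts."""
    hosts = defaultdict(set)
    for ev in events:
        if (ev.get("EventID") == 4624 and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackageName") == "NTLM"):
            hosts[ev["TargetUserName"]].add(ev["Computer"])
    return [(u, sorted(h)) for u, h in sorted(hosts.items()) if len(h) >= FANOUT_MIN_HOSTS]


if __name__ == "__main__":
    print("kerberoast:", kerberoast_findings(SAMPLE_EVENTS))
    print("as-rep roast:", asrep_roast_findings(SAMPLE_EVENTS))
    print("dcsync:", dcsync_findings(SAMPLE_EVENTS))
    print("ntlm fan-out:", ntlm_fanout_findings(SAMPLE_EVENTS))
```

The fan-out rule only works when 4624 is collected centrally from every host; each individual logon looks normal on the host that records it, which is exactly the correlation gap a red team report should call out.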

## 8. Reporting Principles

### Attack Narrative

Document the full attack chain:
- How initial access was gained
- What techniques were used
- What objectives were achieved
- Where detection failed

### Detection Gaps

For each successful technique:
- What should have detected it?
- Why didn't detection work?
- How to improve detection
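
The two lists above (the attack narrative and the per-technique detection questions) map naturally onto one structured record per technique. The following is an added example, not code from the original page: it keeps those records, emits the attack chain in order with its detection outcome, computes coverage per tactic, and renders the detection-gap table that answers "what should have detected it" and "why it did not". The sample results are constructed; the ATT&CK IDs are the public MITRE identifiers for techniques named on this page.

```python
"""Detection-gap summary for a red-team report. Added example, not from the
original page. SAMPLE_RESULTS is constructed; a real engagement log would
supply the records.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TechniqueResult:
    attack_id: str            # MITRE ATT&CK technique ID
    name: str
    tactic: str
    expected_source: str      # telemetry that should have detected it
    detected: bool
    reason_missed: str = ""   # for gaps: why detection did not work


# Constructed engagement results, in the order the techniques were used.
SAMPLE_RESULTS = [
    TechniqueResult("T1566.001", "Spearphishing attachment", "Initial Access",
                    "mail gateway / EDR", True),
    TechniqueResult("T1574.009", "Unquoted service path", "Privilege Escalation",
                    "Sysmon event 1 (process started from an interception path)",
                    False, "no Sysmon on workstations"),
    TechniqueResult("T1558.003", "Kerberoasting", "Credential Access",
                    "DC event 4769 with RC4 (0x17)", False, "4769 not forwarded to SIEM"),
    TechniqueResult("T1550.002", "Pass the hash", "Lateral Movement",
                    "4624 logon type 3 NTLM fan-out", False, "no cross-host correlation rule"),
    TechniqueResult("T1003.006", "DCSync", "Credential Access",
                    "DC event 4662 with replication rights", True),
    TechniqueResult("T1070.001", "Clear Windows event logs", "Defense Evasion",
                    "event 1102 / 104", True),
]


def attack_chain(results) -> list[str]:
    """The narrative in execution order, with where detection failed."""
    return [f"{r.tactic}: {r.attack_id} {r.name} "
            f"[{'detected' if r.detected else 'MISSED'}]" for r in results]


def coverage_by_tactic(results) -> dict[str, tuple[int, int]]:
    """tactic -> (techniques detected, techniques attempted)."""
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        counts[r.tactic][1] += 1
        counts[r.tactic][0] += int(r.detected)
    return {t: (d, n) for t, (d, n) in sorted(counts.items())}


def detection_gaps(results) -> list[TechniqueResult]:
    return [r for r in results if not r.detected]


def gap_table(results) -> str:
    """Markdown table answering the first two detection-gap questions; the
    third (how to improve) is the remediation column the report adds per row."""
    rows = ["| Technique | Should have been detected by | Why it was not |",
            "|---|---|---|"]
    for r in detection_gaps(results):
        rows.append(f"| {r.attack_id} {r.name} | {r.expected_source} | {r.reason_missed} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print("\n".join(attack_chain(SAMPLE_RESULTS)))
    print(coverage_by_tactic(SAMPLE_RESULTS))
    print(gap_table(SAMPLE_RESULTS))
```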

## 9. Ethical Boundaries

### Always

- Stay within scope
- Minimize impact
- Report immediately if real threat found
- Document all actions

### Never

- Destroy production data
- Cause denial of service (unless scoped)
- Access beyond proof of concept
- Retain sensitive data

## 10. Anti-Patterns

| ❌ Don't | ✅ Do |
|---|---|
| Rush to exploitation | Follow methodology |
| Cause damage | Minimize impact |
| Skip reporting | Document everything |
| Ignore scope | Stay within boundaries |
Remember: Red team simulates attackers to improve defenses, not to cause harm.