Red Teaming Experiments
Defense Evasion
Here are the articles in this section:
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
EDR / AV Evasion
Windows API Hashing in Malware
Evasion
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
EDR evasion
Enumerating RWX Protected Memory Regions for Code Injection
Code Injection, Defense Evasion
Disabling Windows Event Logs by Suspending EventLog Service Threads
T1027: Obfuscated Powershell Invocations
Defense Evasion
Masquerading Processes in Userland via _PEB
Understanding how malicious binaries can masquerade as any other legitimate Windows binary from userland.
Commandline Obfuscation
Command-line obfuscation
File Smuggling with HTML and JavaScript
T1099: Timestomping
Defense Evasion
T1096: Alternate Data Streams
T1158: Hidden Files
Defense Evasion, Persistence
T1140: Encode/Decode Data with Certutil
Defense Evasion
Downloading Files with Certutil
Downloading additional files to the victim system using a native OS binary.
T1045: Packed Binaries
Defense Evasion, Code Obfuscation
Unloading Sysmon Driver
Unloading the Sysmon driver, which causes the system to stop recording Sysmon event logs.
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Last updated: 2 years ago