Massive thanks to @janoglezcampos for fixing my trash formatting and categorizing it. Now it won't give you eye cancer. I sometimes put stuff on my blog. Existing research I read and find useful will be put here.
For dead or redirected links, try the wayback machine :D
- What is it that makes a Microsoft executable a Microsoft executable?
⚠️ REDIRECTED! - The Case of the Missing Digital Signatures Tab
- Defender SmartScreen Deep Dive 02
- Let's Create An EDR… And Bypass It! Part 1: How EDRs inject DLLs to hook processes
- Let's Create An EDR… And Bypass It! Part 2: Preventing the hook from loading into our process by preventing the DLL load
- Userland DLL hooks C# code sample - SharpUnhooker
- Evading userland DLL hooks in C# using D/Invoke - D-Pwn
- Adventures in Dynamic Evasion; unhooking
⚠️ REDIRECTED! - Kernel callbacks
- Process instrumentation callbacks
- Hooking via exceptions
- Evading EDR Detection with Reentrancy Abuse
- Unhooking Sentinel1
⚠️ REDIRECTED! - Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks)
- Halo's Gate: Dynamically resolving syscalls based on unhooked syscalls
- Shellcode detection using realtime kernel monitoring
- EDR tampering 💀 DEAD LINK!
- Offensive API Hooking
- Proxying DLL Loads for hiding ETW-TI call stack tracing
- Evading ETW-TI call stack tracing using custom call stacks
- Attacks on ETW Blind EDR Sensors
- Detecting Adversarial Tradecrafts Tools by leveraging ETW
- Data Only Attack: Neutralizing EtwTi Provider 💀 DEAD LINK!
- Stack Spoofing
- SleepyCrypt: Encrypting a running PE image while it sleeps
- Sleeping with a Mask On (Cobalt Strike)
- GPUSleep
- SilentMoonWalk - a thread stack spoofer
- CallStackMasker
- Reflective Call Stack Detections and Evasions
- Behind the Mask: Spoofing Call Stacks Dynamically with Timers
- Advanced module stomping using AceLdr
- Draugr - synthetic stack frame
- Cronos - sleep obf based on ekko
- KrakenMask - APC and gadgets for sleep obf
- Shelter - ROP sleep obf (another one)
- B21 - using Tp* WinAPIs to have a clean callstack while sleeping
- Pendulum - linux sleep obf
- PhaseDive - variant of Ekko
- Sleep obf explained
- Bootlicker - UEFI rootkit 💀 DEAD LINK!
- Niddhogg - kernel driver rootkit
- SysWhispers is dead, long live SysWhispers!
- Combining Direct System Calls and sRDI to bypass AV/EDR
⚠️ REDIRECTED! - Implementing Syscalls in Cobalt Strike Part 1 - Battling Imports and Dependencies
- When You sysWhisper Loud Enough for AV to Hear You
- Process injection sample codes
- KnownDLLs injection
- Abusing Windows' Implementation of Fork() for Stealthy Memory Operations
- Object Overloading
- HintInject
- APC techniques
- Unicode Reflection - Event Null Byte Injection
- Alternative Process Injection
- Weaponizing mapping injection
- Advanced-Process-Injection-Workshop by CyberWarFare Labs
- Threadless inject
- Function hijacking
- Mockingjay (Reusing existing RWX memory) techniques
- Operational challenges in offensive C - SpecterOps
⚠️ REDIRECTED! - WORKSHOP // A journey into malicious code tradecraft for Windows // Silvio La Porta and Antonio Villani
- Python library for ML evasion and detection etc
- Massive guide on bypassing anticheat and antidebug - also works in malware against EDRs 💀 DEAD LINK!
- 3in1: Project aimed to Bypass Some Av Products, Using Different, Advanced Features
⚠️ REDIRECTED! - Evasion-Practice: Different evasion techniques/PoCs
- Reading and writing remote process data without using ReadProcessMemory / WriteProcessMemory 💀 DEAD LINK!
- SharpEDRChecker: EDR detection
- StackScraper - Capturing sensitive data using real-time stack scanning against a remote process 💀 DEAD LINK!
- WindowsNoExec - Abusing existing instructions to execute arbitrary code without allocating executable memory 💀 DEAD LINK!
- Masking Malicious Memory Artifacts - Part III: Bypassing Defensive Scanners
- EDR and Blending In: How Attackers Avoid Getting Caught: Part 2
- Adventures in Dynamic Evasion
⚠️ REDIRECTED! - Hindering Threat Hunting, a tale of evasion in a restricted environment
- One thousand and one ways to copy your shellcode to memory (VBA Macros)
- Delete-self-poc: A way to delete a locked, or current running executable, on disk
- Writing Beacon Object Files: Flexible, Stealthy, and Compatible: Direct syscalls from the real ntdll to bypass syscall detection 💀 DEAD LINK!
- Kernel Karnage - Part 9 (Finishing Touches)
- Using the kernel callback table to execute code
⚠️ REDIRECTED! - Invisible Sandbox Evasion
- Important: Reduce your entropy
⚠️ REDIRECTED! - compile your code into mov instructions
- Perfect DLL Hijacking
- Evading Elastic Callstack Signatures
- Life of a payload
- PPLMedic
- Parent-child process structure 💀 DEAD LINK!
- Echotrail - windows process stats
⚠️ REDIRECTED! <-- this is now down, it leads to some weird coworking space service - Browser In The Browser (BITB) Attack 💀 DEAD LINK!
- Black Hills Infosec - Coercion and relays
- Pocket Guide to OPSEC in Adversary Emulation
- Observations from the stellarparticle-campaign
⚠️ REDIRECTED! - Ukraine Cyber Operations
- Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and "PrintNightmare" Vulnerability #threatintel report
⚠️ REDIRECTED! - Post-auth RCE via malicious Lua plugin script upload on SCADA controllers located in Russia 💀 DEAD LINK!
- Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
- Revisiting Phishing Simulations
⚠️ REDIRECTED! - Phishing page detection via learning classifiers from page layout feature
⚠️ REDIRECTED! - List of crowd-sourced phishing sites. Some are still active
- mrd0x - phishing with spoofed cloud attachments 💀 DEAD LINK!
- mrd0x - teams abuse 💀 DEAD LINK!
- mrd0x - phishing with .ics 💀 DEAD LINK!
- Phishing with Github
- A comprehensive guide on relaying
- Automating a Red Team Lab (Part 1): Domain Creation
- Automating a Red Team Lab (Part 2): Monitoring and Logging
- Announcing Azure in BloodHound Enterprise
⚠️ REDIRECTED! - AD Trusts 💀 DEAD LINK!
- Learn AD basics 💀 DEAD LINK!
- Diamond attacks
- Certified Pre Owned (ADCS Abuse)
- Windows Logon Process Deep Dive
⚠️ REDIRECTED! - How to Detect and Dump Credentials from the Windows Registry
- DPAPI Deep Dive
- Mimikatz SSP for Stealing Credentials at Logon
- Kerberos Authentication Deep Dive 💀 DEAD LINK!
- Process Integrity Levels
- Protected Processes in Windows (LSASS as a PPL)
- Mimikatz WDigest (Storing Plaintext Credentials in Memory)
- Credential Defenses
⚠️ REDIRECTED! - Defeating Windows Defender Credential Guard 💀 DEAD LINK!
- NTLM and NTLMv2 Challenge-Response 💀 DEAD LINK!
- Net-NTLMv1 Deprecation and Rainbow Tables
- In-memory LSASS dumper using syscalls
⚠️ REDIRECTED! - Walter Planner: Attack path planner
- NimPackt-v1: A Nim-based packer for .NET executables and raw shellcode
- PackMyPayload: Payload Containerization
- TymSpecial Shellcode Loader 💀 DEAD LINK!
- KrbRelay
- BadAssMacros: generate malicious macros
- PurplePanda: Identify privilege escalation paths and dangerous permissions
- 0d1n: a tool for automating customized attacks against web applications 💀 DEAD LINK!
- Inceptor: a tool which can help to automate AV/EDR bypass
- Injector: Complete Arsenal of Memory injection and other techniques for red-teaming in Windows 💀 DEAD LINK!
- Pixload: Set of tools for creating/injecting payload into images
⚠️ REDIRECTED! - Cloak: Generate python payloads via msfvenom and inject them into python scripts
- SNOWCRASH: Create scripts that can be launched on both Linux and Windows machines
- D-Generate - syscall tracing
⚠️ REDIRECTED! - Crystal-Kit
- Myths-About-External-C2
- Running shellcode in electron 💀 DEAD LINK!
- Cause & Effect…ive C2
⚠️ REDIRECTED! - Eye of the TIBER - A blend of red team trends
- Useful Libraries for Malware Development
- Windows EVTX Samples [200 EVTX examples]
- Russian Cyber Attack Escalation in Ukraine
- A Study on Blue Team's OPSEC Failures
⚠️ REDIRECTED! - Dive into the MITRE Engage™ Official Release 💀 DEAD LINK!
- Conti leaked chats
- Conti source code
- Attack Flow - Beyond Atomic Behaviors 💀 DEAD LINK!
- VBA and Function Pointers 💀 DEAD LINK!
- MalAPI: List of Windows Apis classified by usage in malware dev
- Guest Diary (Etay Nir) Kernel Hooking Basics
⚠️ REDIRECTED! - BOF2shellcode - a tutorial converting a stand-alone BOF loader into shellcode 💀 DEAD LINK!
- BOF Cocktails
- How to Hide Beacon During BOF Execution
- Cobalt Strike User Defined Reflective Loader (UDRL)
- DynamicWrapperEx - Windows API Invocation from Windows Script Host
⚠️ REDIRECTED! - Cracked5pider/ReflectedDll.c: Get output from injected reflected dll
- Nt/Zw Mapping from Kernel32
- DEF CON 29 - Ben Kurtz - Offensive Golang Bonanza: Writing Golang Malware
- A novel technique to communicate between threads using the standard ETHREAD structure
- VX-Underground Black Mass 2022
- Tradecraft Garden - by Raphael Mudge
- Cloud Adoption Framework for Azure Terraform landing zones
- March 2022 Update Release Notes: Cloud Adoption Framework for Azure Terraform landing zones
- Cloud Adoption Framework for Azure Terraform landing zones Documentation
- Cloud Adoption Framework for Azure - Landing zones on Terraform - Rover
- Counter Strike 1.6 as Malware C2
- OffensiveNotion
- We Put A C2 In Your Notetaking App: OffensiveNotion 💀 DEAD LINK!
- Building C2 implants in C++
- C2 matrix - all your c2 needs here
- How GitLab's Red Team automates C2 testing
⚠️ REDIRECTED! - Playing in the Tradecraft Garden of Beacon 💀 DEAD LINK!
- Defining Cobalt Strike Reflective Loader
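Added example for the "Reduce your entropy" entry above. This is editor-written code, not from the linked post: it computes byte-level Shannon entropy, the metric that entry refers to (scanners flag sections approaching 8 bits/byte as packed or encrypted), over two constructed in-memory buffers, repeated ASCII text standing in for a benign section and xorshift32 output standing in for an encrypted payload. The 7.2 alert threshold is an assumed rule-of-thumb value, not something the page states, and `log2` is hand-rolled so the file needs no libm.

```c
/*
 * Added example: Shannon entropy check of a buffer, the measure behind
 * "reduce your entropy". Both sample buffers are constructed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* log2 without libm: normalise x into [1,2), then ln(m) via the atanh series. */
static double log2_nolibm(double x) {
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.69314718055994530942;  /* ln(m) / ln(2) */
}

/* Shannon entropy in bits per byte, 0.0 .. 8.0 */
double shannon_entropy(const uint8_t *buf, size_t len) {
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (!counts[b]) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

#define SAMPLE_LEN 4096
#define ENTROPY_ALERT 7.2   /* assumed rule-of-thumb cutoff used by many scanners */

int looks_packed(double entropy) { return entropy >= ENTROPY_ALERT; }

/* Constructed "benign" buffer: repeated ASCII text, like a string table. */
double sample_text_entropy(void) {
    static const char sentence[] = "The quick brown fox jumps over the lazy dog. ";
    uint8_t buf[SAMPLE_LEN];
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        buf[i] = (uint8_t)sentence[i % (sizeof sentence - 1)];
    return shannon_entropy(buf, SAMPLE_LEN);
}

/* Constructed "packed" buffer: xorshift32 output standing in for an
 * encrypted shellcode blob. */
double sample_packed_entropy(void) {
    uint8_t buf[SAMPLE_LEN];
    uint32_t x = 0x2545F491u;
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] = (uint8_t)x;
    }
    return shannon_entropy(buf, SAMPLE_LEN);
}

int main(void) {
    double t = sample_text_entropy(), p = sample_packed_entropy();
    printf("text   : %.3f bits/byte, packed=%d\n", t, looks_packed(t));
    printf("payload: %.3f bits/byte, packed=%d\n", p, looks_packed(p));
    return 0;
}
```

Run it per PE section rather than per file: a single high-entropy `.data` or resource blob stands out far more than the same bytes spread thin, which is why the usual advice is to pad or encode the payload so its per-section entropy drops below the scanner's cutoff rather than just shrinking it.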