The Red Team Vade Mecum
Tips and Tricks
EDRs love scanning RWX memory, so avoid RWX allocations and use an RW -> RX transition instead.
Try to use APIs closer to the kernel so that security products have less telemetry over your API calls and you have more API mixups to choose from. Examples are:
- CreateRemoteThread
- RtlCreateUserThread
- QueueUserAPC: ResumeThread or NtResumeThread or NtAlertResumeThread
- NtQueueApcThread: ResumeThread or NtResumeThread or NtAlertResumeThread
Avoid calling functions against common parameters, i.e. do not pass the same base address to every call in the chain. For example, you can do something like this (pseudocode):
```
address = VirtualAlloc(1000)
VirtualProtect(address + 50)
memcpy(address + 100)
CreateThread(address + 200)
```
Try to include obscure flags in OpenProcess calls.
Try to duplicate existing handles on the machine (enumerated with NtQuerySystemInformation) instead of creating new ones.
Inject from noisy contexts, for example from SYSTEM or from csrss.exe.
Encrypt your payload and modules, or change their memory permissions, while they are not in use.
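The RW -> RX tip and the "spread the offsets" tip both defeat detections that match on one exact address or one exact protection value. The following is an added example, not code from the Vade Mecum, showing the defender's counter: correlate allocation, write, protection change and thread start by the allocation region each address falls into, not by equality of addresses. The event tuple shape, the API names used as labels and the sample events are constructed assumptions, not any product's real telemetry format.

```python
from collections import defaultdict

# Constructed sample telemetry (not real EDR output), one tuple per call:
# (pid, api, address, size, protection). Process 4242 mirrors the page's
# "spread the offsets" sequence; process 1337 starts a thread outside any
# region it allocated and must not alert.
EVENTS = [
    (4242, "NtAllocateVirtualMemory", 0x7FF600000, 0x1000, "RW"),
    (4242, "NtWriteVirtualMemory",    0x7FF600100, 0x80,   None),
    (4242, "NtProtectVirtualMemory",  0x7FF600050, 0x100,  "RX"),
    (4242, "NtCreateThreadEx",        0x7FF600200, None,   None),
    (1337, "NtAllocateVirtualMemory", 0x10000,     0x1000, "RW"),
    (1337, "NtCreateThreadEx",        0x20000,     None,   None),
]

# APIs that hand control to an address (names taken from the tips above).
EXEC_APIS = {"NtCreateThreadEx", "RtlCreateUserThread",
             "QueueUserAPC", "NtQueueApcThread"}

def find_region(regions, addr):
    """Return the tracked allocation containing addr, or None."""
    for r in regions:
        if r["base"] <= addr < r["base"] + r["size"]:
            return r
    return None

def correlate(events):
    """Correlate by allocation region rather than by exact address."""
    regions = defaultdict(list)   # pid -> list of tracked allocations
    alerts = []
    for pid, api, addr, size, prot in events:
        if api == "NtAllocateVirtualMemory":
            regions[pid].append({"base": addr, "size": size, "prot": prot,
                                 "stages": {"alloc"}})
            continue
        region = find_region(regions[pid], addr)
        if region is None:
            continue            # address is not inside anything we saw allocated
        if api == "NtProtectVirtualMemory":
            # RW -> RX on a region we saw allocated is the transition the tip relies on
            if "X" not in region["prot"] and "X" in prot:
                region["stages"].add("rw_to_rx")
            region["prot"] = prot
        elif api == "NtWriteVirtualMemory":
            region["stages"].add("write")
        elif api in EXEC_APIS:
            region["stages"].add("exec")
            if {"alloc", "write", "exec"} <= region["stages"]:
                alerts.append((pid, region["base"], sorted(region["stages"])))
    return alerts
```

Because matching is by region, the offsets 50, 100 and 200 above change nothing; only a thread started outside every tracked allocation (process 1337) escapes this particular correlation.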