Massive thanks to @janoglezcampos for fixing my trash formatting and categorizing it. Now it won't give you eye cancer. I sometimes put stuff on my blog. Existing research I read and find useful will be put here.
- What is it that makes a Microsoft executable a Microsoft executable?
- The Case of the Missing Digital Signatures Tab
- Defender SmartScreen Deep Dive 02
- Let's Create An EDR… And Bypass It! Part 1: How EDRs inject DLLs to hook processes
- Let's Create An EDR… And Bypass It! Part 2: Preventing the hook from loading into our process by preventing the DLL load
- Userland DLL hooks C# code sample - SharpUnhooker
- Evading userland DLL hooks in C# using D/Invoke - D-Pwn
- Adventures in Dynamic Evasion; unhooking
- Kernel callbacks
- Process instrumentation callbacks
- Hooking via exceptions
- Evading EDR Detection with Reentrancy Abuse
- Unhooking Sentinel1
- Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks)
- Halo's Gate: Dynamically resolving syscalls based on unhooked syscalls
- Shellcode detection using realtime kernel monitoring
- EDR tampering
- Offensive API Hooking
- Proxying DLL Loads for hiding ETW-TI call stack tracing
- Evading ETW-TI call stack tracing using custom call stacks
- Attacks on ETW Blind EDR Sensors
- Detecting Adversarial Tradecrafts Tools by leveraging ETW
- Data Only Attack: Neutralizing EtwTi Provider
- Stack Spoofing
- SleepyCrypt: Encrypting a running PE image while it sleeps
- Sleeping with a Mask On (Cobalt Strike)
- GPUSleep
- SilentMoonWalk - a thread stack spoofer
- CallStackMasker
- Advanced module stomping using AceLdr
- SysWhispers is dead, long live SysWhispers!
- Combining Direct System Calls and sRDI to bypass AV/EDR
- Implementing Syscalls in Cobalt Strike Part 1 - Battling Imports and Dependencies
- When You sysWhisper Loud Enough for AV to Hear You
- Process injection sample codes
- KnownDLLs injection
- Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
- Object Overloading
- HintInject
- APC techniques
- Unicode Reflection - Event Null Byte Injection
- Alternative Process Injection
- Weaponizing mapping injection
- Advanced-Process-Injection-Workshop by CyberWarFare Labs
- Threadless inject
- Function hijacking
- Mockingjay (Reusing existing RWX memory) techniques
- Operational challenges in offensive C - SpectreOps
- WORKSHOP // A journey into malicious code tradecraft for Windows // Silvio La Porta and Antonio Villani
- Python library for ML evasion and detection etc
- Massive guide on bypassing anticheat and antidebug - also works in malware against EDRs
- 3in1: Project aimed to Bypass Some Av Products, Using Different, Advanced Features
- Evasion-Practice: Different evasion techniques/PoCs
- Reading and writing remote process data without using ReadProcessMemory / WriteProcessMemory
- SharpEDRChecker: EDR detection
- StackScraper - Capturing sensitive data using real-time stack scanning against a remote process
- WindowsNoExec - Abusing existing instructions to execute arbitrary code without allocating executable memory
- Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners
- EDR and Blending In: How Attackers Avoid Getting Caught: Part 2
- Adventures in Dynamic Evasion
- Hindering Threat Hunting, a tale of evasion in a restricted environment
- One thousand and one ways to copy your shellcode to memory (VBA Macros)
- Delete-self-poc: A way to delete a locked, or current running executable, on disk
- Writing Beacon Object Files: Flexible, Stealthy, and Compatible: Direct syscalls from the real ntdll to bypass syscall detection
- Kernel Karnage – Part 9 (Finishing Touches)
- Using the kernel callback table to execute code
- Invisible Sandbox Evasion
- Important: Reduce your entropy
- compile your code into mov instructions
- Perfect DLL Hijacking
- Life of a payload
- PPLMedic
- Parent-child process structure
- Echotrail - windows process stats
- Browser In The Browser (BITB) Attack
- Black Hills Infosec - Coercion and relays
- Pocket Guide to OPSEC in Adversary Emulation
- Observations from the stellarparticle-campaign
- Ukraine Cyber Operations
- Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability #threatintel report
- Post-auth RCE based on malicious LUA plugin script upload to SCADA controllers located in Russia
- Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
- Revisiting Phishing Simulations
- Phishing page detection via learning classifiers from page layout feature
- List of crowd-sourced phishing sites. Some are still active
- mrd0x - phishing with spoofed cloud attachments
- mrd0x - teams abuse
- mrd0x - phishing with .ics
- Phishing with Github
- A comprehensive guide on relaying
- Automating a Red Team Lab (Part 1): Domain Creation
- Automating a Red Team Lab (Part 2): Monitoring and Logging
- Announcing Azure in BloodHound Enterprise
- AD Trusts
- Learn AD basics
- Diamond attacks
- Certified Pre Owned (ADCS Abuse)
- Windows Logon Process Deep Dive
- How to Detect and Dump Credentials from the Windows Registry
- DPAPI Deep Dive
- Mimikatz SSP for Stealing Credentials at Logon
- Kerberos Authentication Deep Dive
- Process Integrity Levels
- Protected Processes in Windows (LSASS as a PPL)
- Mimikatz WDigest (Storing Plaintext Credentials in Memory)
- Credential Defenses
- Defeating Windows Defender Credential Guard
- NTLM and NTLMv2 Challenge-Response
- in memory lsass dumper using syscalls
- Walter Planner: Attack path planner
- NimPackt-v1: A Nim-based packer for .NET executables and raw shellcode
- PackMyPayload: Payload Containerization
- TymSpecial Shellcode Loader
- KrbRelay
- BadAssMacros: generate malicious macros
- PurplePanda: Identify privilege escalation paths and dangerous permissions
- 0d1n: a tool for automating customized attacks against web applications
- Inceptor: a tool which can help to automate AV/EDR bypass
- Injector: Complete Arsenal of Memory injection and other techniques for red-teaming in Windows
- Pixload: Set of tools for creating/injecting payload into images
- Cloak: Generate python payloads via msfvenom and inject them into python scripts
- SNOWCRASH: Create a scripts that can be launched on both Linux and Windows machines
- D-Generate - syscall tracing
- Myths-About-External-C2
- Running shellcode in electron
- Cause & Effect…ive C2
- Eye of the TIBER - A blend of red team trends
- Useful Libraries for Malware Development
- Windows EVTX Samples [200 EVTX examples]
- Russian Cyber Attack Escalation in Ukraine
- A Study on Blue Team’s OPSEC Failures
- Dive into the MITRE Engage™ Official Release
- Conti leaked chats
- Conti source code
- Attack Flow — Beyond Atomic Behaviors
- VBA and Function Pointers
- MalAPI: List of Windows Apis classified by usage in malware dev
- Guest Diary (Etay Nir) Kernel Hooking Basics
- BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode
- Cobalt Strike User Defined Reflective Loader (UDRL)
- DynamicWrapperEx – Windows API Invocation from Windows Script Host
- Cracked5pider/ReflectedDll.c: Get output from injected reflected dll
- Nt/Zw Mapping from Kernel32
- DEF CON 29 - Ben Kurtz - Offensive Golang Bonanza: Writing Golang Malware
- A novel technique to communicate between threads using the standard ETHREAD structure
- VX-Underground Black Mass 2022
- Cloud Adoption Framework for Azure Terraform landing zones
- March 2022 Update Release Notes: Cloud Adoption Framework for Azure Terraform landing zones
- Cloud Adoption Framework for Azure Terraform landing zones Documentation
- Cloud Adoption Framework for Azure - Landing zones on Terraform - Rover