Vulnerability-related
1、
Red Team Techniques
1、Domain Fronting is Dead. Long Live Domain Fronting!
https://www.praetorian.com/blog/domain-fronting-is-dead-long-live-domain-fronting/
2、Under the Pure Curtain: From RAT to Builder to Coder
https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/
3、Implementing Hell’s Gate in Zig – Part 1
https://0xsp.com/security%20research%20%20development%20srd/malware%20research/implementing-hells-gate-in-zig-part-1/
4、Malware development: persistence - part 29. Add Windows Terminal profile. Simple C example.
https://cocomelonc.github.io/persistence/2025/09/20/malware-pers-29.html
5、Bypassing EDR using an In-Memory PE Loader
https://g3tsyst3m.com/fileless%20techniques/Bypassing-EDR-using-an-In-Memory-PE-Loader/
6、Windows Kernel Exploits: ZwMapViewOfSection and ZwUnMapViewOfSection
https://www.exploitpack.com/blogs/news/windows-kernel-exploits-using-zwmapviewofsection-and-zwunmapviewofsection
7、IOCTL++ tool for hunting Windows Kernel Exploits
https://www.exploitpack.com/blogs/news/ioctl-tool-for-hunting-windows-kernel-exploits
8、CPP / C++ Notes - Windows API Programming Win32
https://caiorss.github.io/C-Cpp-Notes/WindowsAPI-cpp.html
9、WSUS Is SUS: NTLM Relay Attacks in Plain Sight
https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight
10、Making the Debugging of UDRLs (a bit) Easier
https://rwxstoned.github.io/2025-07-06-Better-debugging-UDRL/
11、Linked Lists in Windows Kernel Driver
https://medium.com/@s12deff/linked-lists-in-windows-kernel-driver-5a89b6219347
12、Using Reflective Loaders to Replace LoadLibrary for Hot Swappable Modules in C++
https://racoten.gitbook.io/red-team-developments-and-operations
13、The Havoc framework
https://lorenzomeacci.com/the-havoc-framework
14、Malware development: persistence - part 28. CertPropSvc registry hijack. Simple C/C++ example.
https://cocomelonc.github.io/persistence/2025/09/14/malware-pers-28.html
Blue Team Techniques
1、From Windows drivers to a almost fully working EDR
https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr/
Tools
1、EDR-Freeze
https://github.com/TwoSevenOneT/EDR-Freeze
EDR-Freeze is a tool that puts an EDR or anti-malware process into a coma state.
2、Get-NetNTLM
https://github.com/KingOfTheNOPs/Get-NetNTLM
3、ZigStrike
https://github.com/0xsp-SRD/ZigStrike
ZigStrike is a payload delivery pipeline developed in Zig, offering a variety of injection techniques and anti-sandbox features.
4、WMI Process Dump
https://github.com/0xthirteen/WMI_Proc_Dump
5、mtprocess.py
https://github.com/0xthirteen/mtprocess
Python script to leverage MSFT_MTProcess WMI class
6、TaskHound
https://github.com/1r0BIT/TaskHound
Tool to enumerate privileged Scheduled Tasks on Remote Systems
7、ByteCaster
https://github.com/Print3M/ByteCaster
Swiss Army Knife for payload encryption, obfuscation, and conversion to byte arrays – all in a single command (14 output formats supported)! ☢️
8、havoc-obfuscator
https://github.com/Acucarinho/havoc-obfuscator
9、PPLScan.cpp
https://gist.github.com/S3cur3Th1sSh1t/e1e47ba3fe6e303b943412732abfb8d0
10、WerDump
https://github.com/M1ndo/WerDump
A Beacon Object File (BOF) for Havoc/CS to Bypass PPL and Dump Lsass
11、Dralyxor
https://github.com/ocalasans/dralyxor
Dralyxor: Advanced C++ header-only library for robust string obfuscation, shielding binaries from static/dynamic analysis. Uses a consteval micro-program engine with variable NOPs. Runtime anti-debug/tamper checks (canaries, content checksums) plus RAII "just-in-time" decryption ensure secure, minimal memory exposure of plain-text data.
12、D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
https://github.com/ScorpionesLabs/DVS
13、SVG Security Analysis Toolkit - Tool Documentation
https://github.com/HackingLZ/svg_phishing_tools
14、RPC Filters Interop Assembly Project
https://github.com/MichaelGrafnetter/RPCFilterManager
15、GunnerC2
https://github.com/LeighlinRamsay/GunnerC2
16、Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
https://gist.github.com/whokilleddb/593e81f794809fb3498008aa39b7ff86
17、yolo-mssqlclient
https://github.com/YOLOP0wn/yolo-mssqlclient
custom impacket mssqlclient
18、Different ways of dumping lsass
https://github.com/yo-yo-yo-jbo/dumping_lsass/
Other
1、Inside Windows Sessions: A Deep Dive with Pavel
http://trainsec.net/library/windows-internals/inside-windows-sessions/
2、[Cracking Windows Kernel with HEVD] Chapter 0: Where do I start?
https://mdanilor.github.io/posts/hevd-0/