A tester here. Looking forward to connecting and learning from you.

I make notes so that I don't forget.

.-- .-- .-- .-.-.- .-.. .. -. -.- . -.. .. -. .-.-.- -.-. --- -- -..-. .. -. -..-. .-.. .. ..-. . - .. -- . ... -.-. .-. .. .--. - -.- .. -.. -.. .. .

SSBkb24ndCBrbm93IHdoYXQgSSBhbSBkb2luZy4gClNvIGhlbHAgbWUsIEdvZC4=

March 2025

Goal: Make a CS beacon that can survive the initial drop by the end of this month.
What I need:
Deep understanding of Binaries and windows system
Deep understanding of EDR
Deep understanding of Cobalt Strike kits

Resources: CRTO, CRTL, Maldev, chatgpt!

How does a binary work ?

0. Resources
1. Portable Executable Structure
2. From PE to Memory
3. Flow of System Calls - ntdll.dll, kernel32.dll
4. Win32 API and Windows Native API
4a. NTDLL.DLL - Overview and Functionality
5. Syscalls Flow
5a. Syscalls Deep dive
5b. From Memory - PEB_TEB
6. Execution

graph TD
    A[User Application] -->|Calls Function| B[Win32 API - kernel32.dll / user32.dll]
    B -->|Calls Function| C[Ntdll.dll - Native API]
    C -->|Executes Syscall Instruction| D[Windows Kernel - KiSystemService]
    D -->|Handles Request| E[Kernel-Mode Service - ntoskrnl.exe]
    E -->|Returns Result| D
    D -->|Returns to User Mode| C
    C -->|Returns Result| B
    B -->|Returns to Application| A

How does EDR work?
1. Let's understand EDR like a blue team
2. Let's understand EDR like a red team

How to bypass EDR?
0. Binary creation and insertion
1. Download Prevention & Bypass Techniques
1a. AES, RC4, XOR encryption
1b. XOR-Based Self-Decrypting Payload (With Memory Execution)
1c. RC4-Based Self-Decrypting Payload (C++)
1d. AES-Based Self-Decrypting Payload (C++)
1e. Advanced UPX Methods for Modifying Binary Structure
2. Direct syscalls intro
2a. Direct Syscalls cpp
2b. Indirect Syscalls intro
2c. Indirect Syscalls -Tool
3. API Hooking