The adversary is trying to run malicious code

In this category we are aware that we need to Execute our Code, for whatever purpose it can be. Reverse Shell, Enumeration, Privesc, etc. But in this section we are a Hunter (Blue Team) and we are searching for our Prey (Red Team) again, what is left behind, what processes are created so they can reach their goal, what can we find so we know that they were here. This also helps us in to be more Opsec Safe Red Team can learn from here on what they are leaving behind and how can they avoid it in any way.

Will focus in the common techniques explained in the Offensive Section:


  • PowerShell

  • RunDLL32

  • Scheduled Tasks

  • Scripting

  • Trusted Developer Utilities

    • MSBuild

    • Regsvr32

  • WinRm

  • WMIC

  • Etc

Last updated