An ongoing book
ETW bypass via NtTraceEvent patching, overwriting the first byte with 0xC3 (RET) to cut event flow before it reaches the kernel, blinding EDRs and Defender.

Dynamic Invocation as an evasion technique, resolving Windows APIs at runtime to keep the IAT empty, plus XOR string obfuscation to hide function names from static analysis.

Corrupting the amsiContext structure to disable AMSI scanning, from WinDbg memory patching to a one-liner PowerShell bypass via Reflection on AmsiUtils.

Active Directory Kerberos delegation in depth, covering Unconstrained, Constrained (S4U), and Resource-Based, with PrinterBug, Service Name Substitution, and RBCD abuse walkthroughs.