11 min read | By BypassCore Team

Red Team & Offensive Security

BypassCore brings its deep expertise in kernel development, evasion engineering, and low-level systems programming to red team engagements. We don't run Cobalt Strike out of the box — we build custom tooling from scratch that defeats modern EDR, XDR, and SOC capabilities.

Custom C2 Framework Development

The foundation of any serious red team operation is the command-and-control infrastructure. Public C2 frameworks — Cobalt Strike, Sliver, Mythic, Havoc — are well-known to defenders. Their network signatures, beacon patterns, and implant behaviors are cataloged in EDR rulesets and threat intelligence feeds. BypassCore develops custom C2 frameworks from the ground up for each engagement, ensuring zero signature overlap with known tooling.

Our C2 architecture is built around communication channel flexibility. The implant supports multiple transport protocols — HTTPS with domain fronting, DNS over HTTPS (DoH) exfiltration through legitimate resolvers, WebSocket channels disguised as real-time web applications, and covert channels embedded in legitimate cloud API traffic (Slack, Teams, Azure, AWS). Channel selection is dynamic: the implant evaluates network restrictions on the compromised host and selects the channel most likely to blend with legitimate traffic. If one channel is blocked, it automatically fails over to the next without operator intervention.

C2 architecture components:

  • Multi-channel transport — HTTPS, DoH, WebSocket, cloud API
  • Dynamic channel selection — auto-adapt to network environment
  • Encrypted tasking — AES-256-GCM with per-session key rotation
  • Traffic blending — beacon timing matches human browsing patterns
  • Kill switch — remote and timer-based implant self-destruction
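The "traffic blending" claim above is exactly what a network defender has to test for. The following is an added example written for this page, not BypassCore's tooling: a beacon-regularity heuristic that groups proxy requests by (client, destination host) and measures how regular the inter-request intervals are. Jittered implant check-ins remain far more regular than a person's browsing, which is bursty and long-tailed. The log format and all log lines are constructed for the example; the two client addresses and host names are assumptions.

```python
"""Beacon-regularity heuristic over proxy log lines.

Added example, not BypassCore code. Groups requests by (client, destination
host) and flags pairs whose inter-request intervals have a low coefficient
of variation, i.e. timing that is too regular to be a human.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines in a simplified proxy format: "<epoch> <client> <method> <url>".
# 10.0.0.5 checks in roughly every 60 s with +/-10% jitter; 10.0.0.9 is a person reading news.
SAMPLE_LOG = """\
1700000000.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000054.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000120.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000178.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000240.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000295.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000360.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000420.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000477.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000540.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000599.000 10.0.0.5 GET https://cdn.example-update.com/api/v2/status
1700000000.000 10.0.0.9 GET https://news.example.com/
1700000001.000 10.0.0.9 GET https://news.example.com/static/app.js
1700000001.400 10.0.0.9 GET https://news.example.com/static/logo.png
1700000121.400 10.0.0.9 GET https://news.example.com/world/story-1
1700000124.400 10.0.0.9 GET https://news.example.com/static/video.mp4
1700001024.400 10.0.0.9 GET https://news.example.com/sport
1700001026.400 10.0.0.9 GET https://news.example.com/sport/story-7
1700001027.400 10.0.0.9 GET https://news.example.com/static/chart.png
1700001072.400 10.0.0.9 GET https://news.example.com/weather
1700001072.900 10.0.0.9 GET https://news.example.com/static/map.png
1700001372.900 10.0.0.9 GET https://news.example.com/tech
"""

LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def parse_log(text):
    """Yield (timestamp, client, destination host) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        host = urlsplit(m.group("url")).hostname or "unknown"
        yield float(m.group("ts")), m.group("client"), host


def interval_stats(timestamps):
    """Return request count, mean gap and coefficient of variation of the gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None  # too few requests to say anything about regularity
    mean_gap = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
    return {"requests": len(ts), "mean_gap": mean_gap, "cv": cv}


def find_beacons(text, min_requests=8, max_cv=0.3):
    """Return {(client, host): stats} for pairs whose timing looks beacon-like."""
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        st = interval_stats(stamps)
        if st and st["requests"] >= min_requests and st["cv"] <= max_cv:
            hits[pair] = st
    return hits


if __name__ == "__main__":
    for (client, host), st in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {st['requests']} requests, "
              f"mean gap {st['mean_gap']:.1f}s, cv {st['cv']:.2f}")
```

The thresholds are starting points, not tuned values: an implant that sleeps for long, widely randomized intervals or only checks in alongside genuine user activity will push the coefficient of variation up and escape this test on its own, so in practice it is combined with other per-pair features such as a fixed URI, near-constant response sizes, and activity outside the user's working hours.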

EDR Evasion & Implant Development

Modern EDR solutions (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black) employ multiple detection layers: userland API hooking via ntdll.dll instrumentation, kernel-mode ETW (Event Tracing for Windows) telemetry, AMSI (Antimalware Scan Interface) for script content inspection, and machine learning models that classify behavior in real time. Defeating these systems requires a comprehensive evasion strategy that addresses every detection layer simultaneously.

BypassCore implants are written in Rust or C, compiled as position-independent shellcode with no standard library dependencies. API resolution happens at runtime through PEB walking and hashed function name lookup — the import table is empty, giving static analysis tools nothing to examine. All strings are encrypted with a per-build key and decrypted only at the moment of use, then immediately zeroed from memory. The shellcode is loaded through a custom reflective loader that maps the implant into memory without going through the VirtualAlloc or NtAllocateVirtualMemory exports — instead, we repurpose existing RWX regions or allocate memory through direct syscalls to the Nt-level API, bypassing EDR userland hooks.

For ETW evasion, our implant patches the EtwEventWrite function in ntdll.dll to return immediately without logging, blinding the EDR's kernel telemetry pipeline for our process. AMSI is defeated by patching the AmsiScanBuffer function before any script execution occurs. These patches are applied through indirect syscalls with randomized stub generation, evading detection of the patching itself.

Kernel-Level Persistence

For engagements requiring persistent access that survives reboots, system scans, and incident response, BypassCore deploys kernel-level persistence mechanisms. Our approach uses the BYOVD (Bring Your Own Vulnerable Driver) technique — loading a legitimately signed driver with a known vulnerability (such as a write-what-where primitive) and exploiting it to load our unsigned kernel payload. Once in kernel space, our driver registers boot-start persistence through a registry callback that recreates its service entry if removed, and monitors for its own deletion through file system minifilter callbacks.

The kernel implant provides rootkit-level capabilities: process hiding through EPROCESS list manipulation, file hiding through NTFS minifilter interception, registry key cloaking through CmRegisterCallbackEx filtering, and network connection hiding through the Nsiproxy techniques detailed in our GetTcpTable bypass article. These hiding mechanisms ensure that even if an incident responder is on the box running forensic tools, the implant remains invisible.

Lateral Movement & Credential Access

BypassCore implements lateral movement techniques that avoid the well-monitored paths. Instead of PSExec, WMI, or WinRM — which generate obvious ETW events and are watched by every EDR — we use less-monitored mechanisms: DCOM object instantiation through specific COM classes that allow remote code execution, scheduled task creation through direct RPC calls to the Task Scheduler service, and exploitation of legitimate remote management tools already present in the environment (SCCM, Intune, PDQ Deploy).

For credential access, we go beyond Mimikatz. Our custom credential harvester directly reads LSASS memory through our kernel driver — bypassing Protected Process Light (PPL) restrictions that block userland tools — and extracts NTLM hashes, Kerberos tickets, and DPAPI master keys. For environments using Credential Guard, we target alternative credential stores: cached domain credentials in the LSA secrets registry hive, DPAPI-protected browser credentials, and Kerberos keytabs left on disk by service accounts.

Engagement Capabilities

Full Red Team

End-to-end adversary simulation from initial access through domain compromise with custom tooling

Assumed Breach

Start from an internal foothold and test detection/response capabilities from inside the network

Tool Development

Custom implants, loaders, C2 channels, and evasion toolkits built for your team's operations

Purple Team

Collaborative exercises with your SOC to tune detections against real advanced techniques

Need Red Team Services?

BypassCore builds custom offensive tooling and executes advanced red team operations that test your real defenses.

