Article summary: This document compiles red/blue team adversarial tactics and techniques. The red-team side focuses on Windows process injection, memory forensics, EDR evasion and Cobalt Strike weaponization, covering techniques such as process hollowing and covert process creation. The blue-team side covers Active Directory security and defending against RMM tool abuse. The tools section provides resources for AD Certificate Services privilege escalation, stealthy LDAP queries, DLL hijacking and LSASS dumping. The content centres on internal network penetration and low-level system offense and defense in practice, and is of high reference value for security research. Overall score: 88 Article categories: Red Team, Internal Network Penetration, AV Evasion, Malware, Security Tools
Offensive and Defensive Tactics Weekly Update – 20260126
Original
红蓝对抗技术
红蓝对抗技战术
January 31, 2026 20:58 Beijing
Vulnerability-related
1、
Red Team Techniques
1、Windows PPL (Protected Processes Light)
https://medium.com/@s12deff/windows-ppl-protected-processes-light-e158332aedca
2、The Windows Process Journey — rdpclip.exe (RDP Clipboard Monitor)
https://medium.com/@boutnaru/the-windows-process-journey-rdpclip-exe-rdp-clipboard-monitor-160d36034967
3、When Process Hollowing Isn’t Process Hollowing
https://trainsec.net/library/windows-internals/when-process-hollowing-isnt-process-hollowing/
4、Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 4] — VADs
https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-4-16c47b89e826
5、QueueUserAPC2 Process Injection
https://medium.com/@s12deff/queueuserapc2-process-injection-f57473dfe251
6、Introducing RelayKing – Relay To Royalty
7、Living off the Process
https://g3tsyst3m.com/lotp/Living-off-the-Process/
8、EDR Evasion: Technical Implementation of Cobalt Strike Weaponization Modifications
https://mp.weixin.qq.com/s/xSN7AwG36aR7WAGYB6Y9Nw
9、Creating Processes on Windows Without Triggering Any Process Monitoring
http://mp.weixin.qq.com/s/i7qJCI1az3qZB-o1d7WYTQ
10、The Windows Process Journey — smss.exe (Session Manager Subsystem)
https://medium.com/@boutnaru/the-windows-process-journey-smss-exe-session-manager-subsystem-bca2cf748d33
Blue Team Techniques
1、ADTrapper – Active Directory Security Analysis Platform
https://github.com/MHaggis/ADTrapper
2、The Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access
https://blog.knowbe4.com/the-skeleton-key-how-attackers-weaponize-trusted-rmm-tools-for-backdoor-access
Tools
1、AD-CS-Forest-Exploiter
https://github.com/MWR-CyberSec/AD-CS-Forest-Exploiter
Exploit AD CS misconfiguration allowing privilege escalation and persistence from any child domain to full forest compromise
2、CleanLdap
https://github.com/mandiant/cleanldap
BOF to perform stealthy LDAP queries over AD WS
3、AudioDG.exe DLL Hijacking for LPE
https://github.com/S1lkys/AudioDG.exe-DLL-Hijacking-for-LPE
4、OpenMalleableC2
https://github.com/CodeXTF2/OpenMalleableC2
5、EventHorizon
https://github.com/HullaBrian/EventHorizon
Tool that gathers a customizable set of ETW telemetry and generates user-defined detections
6、🤖💀 AI-Coded Scripts 💀🤖
https://github.com/S3cur3Th1sSh1t/AI-Coded-scripts/tree/main
This repo contains useful scripts that AI created for me which I would have been too lazy for
7、AddUser-SAMR
https://github.com/ricardojoserf/AddUser-SAMR
Create local administrators with the SAMR API (lowest-level technique). Implemented in C#, Python, Rust and Crystal
8、ColdWer
https://github.com/0xsh3llf1r3/ColdWer
Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass
Other
1、
Disclaimer:
The programs and technical methods in this article are intended solely for lawful and compliant security research and teaching scenarios, with the aim of improving network security defenses; they are of a clearly technical research nature.
Any organization or individual that, without authorization, uses the content of this article for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site assumes no joint liability.
All content on this site is published for the purpose of technical exchange and knowledge sharing. If there is any copyright infringement or other objection, please contact us by email; the contact details can be found by clicking "Contact Me" at the top of the page.
This article is reposted from: 红蓝对抗技战术 红蓝对抗技术《Offensive and Defensive Tactics Weekly Update – 20260126》
Copyright Notice
This site only keeps a backup copy for research and teaching reference.
Readers who use the information for other purposes bear all legal and joint liability themselves; this site assumes no responsibility.