Summary: This issue of the offensive and defensive tactics digest covers updates to red team and blue team techniques and tools. On the vulnerability side it mentions CVE-2025-29969. The red team techniques focus on several advanced persistence and bypass strategies, such as using drivers, WSL and COM hooking to achieve memory dumps, kernel read/write and EDR bypass, and introduce social engineering tricks such as Toast notification abuse. The blue team techniques include tools for monitoring and analysing Windows event logs. In addition, several new offensive and defensive tools such as redStack, Fritter and VMkatz are collected. Overall score: 85. Article categories: Red Team, Web Security, Malware, Security Tools, Penetration Testing
Offensive and Defensive Tactics Weekly Update – 20260316
Original
红蓝对抗技术
红蓝对抗技战术
21 March 2026, 10:46 Beijing
Vulnerabilities
1、EventLogin – CVE-2025-29969
https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969
EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)
Red Team Techniques
1、Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace
https://maorsabag.github.io/posts/adaptix-stealthpalace/sleeping-beauty/
2、Introducing RelayKing – Relay To Royalty
3、Ghost in the PPL – LSASS Memory Dump
4、WSL, COM Hooking, & RTTI
https://jonny-johnson.medium.com/wsl-com-hooking-rtti-3abbf873d61f
5、Abusing a vulnerable driver BYOVD to gain arbitrary kernel R/W and bypass PPL protection
https://medium.com/@s12deff/abusing-a-vulnerable-driver-byovd-to-gain-arbitrary-kernel-r-w-and-bypass-ppl-protection-571552c7efc8
6、EDR killers explained: Beyond the drivers
https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
7、Fantastic unwind information and where to find them
https://klezvirus.github.io/posts/Byoud/
https://github.com/klezVirus/byoud
8、NT AFD.SYS HTTP Downloader: From First Syscall to bypass the majority of usermode EDR hooks
https://core-jmp.org/2026/03/nt-afd-sys-http-downloader-from-first-syscall-to-bypass-the-majority-of-usermode-edr-hooks/
9、Abusing Windows toast notifications for fun and user manipulation
https://brmk.me/2026/03/18/toast-my-way.html
https://github.com/brmkit/toastnotify-bof
10、Is MotW Bypass Possible in 2026?
11、Stealthy WMI lateral movement – StealthyWMIExec.py
https://ghaleb0x317374.github.io/2026/03/15/Stealthy-WMI-lateral-movement-StealthyWMIExec.py.html
12、Credential Guard
13、Trust no one: are one-way trusts really one way?
https://offsec.almond.consulting/trust-no-one_are-one-way-trusts-really-one-way.html
14、Crimes against NTDLL – Implementing Early Cascade Injection
https://fluxsec.red/implementing-early-cascade-injection-rust
15、Extending Conquest using Python Modules
https://jakobfriedl.github.io/blog/conquest-modules/
Blue Team Techniques
1、Windows Event Catalog
https://detection.wiki/
2、EVENmonitor
https://github.com/NeffIsBack/EVENmonitor
Monitor the Windows Event Log with grep-like features or filtering for specific Event IDs
Tools
1、redStack: A Boot-to-Breach Lab Environment for Red Team Operators
https://github.com/BaddKharma/redStack
2、Fritter
https://github.com/0xROOTPLS/Fritter
The evasive cousin of Donut.
3、VMkatz
https://github.com/nikaiw/VMkatz
Extract Windows credentials directly from VM memory snapshots and virtual disks
4、RegPwn BOF
https://github.com/Flangvik/RegPwnBOF
5、KslDump – BMVD (Bring the Microsoft Vulnerable Driver)
https://github.com/andreisss/KslDump
6、Trustify
https://github.com/bytewreck/Trustify
Proof-of-Concept software for creating inbound AD forest trusts.
7、LOLC2
https://github.com/lolc2/lolc2.github.io
lolC2 is a collection of C2 frameworks that leverage legitimate services to evade detection
8、📦 Outpacket
https://github.com/n00py/Outpacket
This cheatsheet maps common impacket workflows to their modern alternatives
9、Phantom
https://github.com/zux0x3a/Phantom
Phantom is a project created to load and execute .NET assemblies directly in memory within an IIS environment running in full-trust mode. Instead of relying on a file-based approach, it uses reflective loading techniques to inject and run a DLL inside the memory space of the w3wp.exe worker process.
10、AdaptixC2 Template Generators
https://github.com/AeonDave/AdaptixC2-Template-Generators
11、Rusty Armory
https://github.com/memN0ps/armory-rs
Rusty Armory – Beacon Object Files (BOFs) in Rust (Codename: Armory)
12、Rusty DoublePulsar
https://github.com/memN0ps/doublepulsar-rs
Rusty DoublePulsar – Cobalt Strike User-Defined Reflective Loader (UDRL) in Rust (Codename: DoublePulsar)
13、rustunnel
https://github.com/joaoh82/rustunnel
Rustunnel is an open-source tunnel service written in Rust that replicates the core functionality of ngrok. It exposes local services running behind NAT/firewalls to the public internet through a relay server, either self-hosted or via their managed service.
Disclaimer:
The programs and techniques described in this article are intended solely for lawful and compliant security research and teaching, with the aim of improving cyber security defences; they are of a clearly technical research nature.
Any organisation or individual who, without authorisation, uses the content of this article for attacks, damage or other illegal purposes bears all resulting legal liability, civil compensation and joint liability independently; this site assumes no joint liability.
All content on this site is published for the purpose of technical exchange and knowledge sharing. If there is any copyright infringement or other objection, please contact us by email; contact details are available via the "Contact me" link at the top of the page.
This article is reposted from: 红蓝对抗技战术 (红蓝对抗技术), "Offensive and Defensive Tactics Weekly Update – 20260316"
Copyright Notice
This site only keeps a backup copy, for research and teaching reference only.
Readers who use this information for other purposes bear all legal and joint liability themselves; this site assumes no responsibility.