Article summary: This document compiles the attack-and-defense technique updates for the week of 18 May 2026, covering vulnerability exploitation (e.g. CVE-2026-40369 kernel address manipulation), red team techniques (path manipulation, EDR hook detection, shellcode writing) and blue team analysis (VIP Keylogger defense evasion), and recommends a range of tools (e.g. SNI spoofing, process injection tools). Key findings include new attack techniques and defensive strategies; security teams are advised to use the tool implementations as references for tuning detection. Overall score: 85. Article categories: Red team, Blue team, Security tools, Vulnerability analysis, Threat intelligence
Attack and Defense Tactics Weekly Update – 20260518
Original
红蓝对抗技术
红蓝对抗技战术
24 May 2026 10:34, Beijing
Vulnerabilities
1、CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation (Class 253)
https://github.com/orinimron123/CVE-2026-40369-EXPLOIT
Red team techniques
1、GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security
https://www.varonis.com/blog/ghosttree-ntfs-trick
2、Weaponized abuse of the SYLK file format
3、Remote Process Read Primitive via NtCreateThreadEx Exit Code
https://medium.com/@s12deff/remote-process-read-primitive-via-ntcreatethreadex-exit-code-8370c54ed648
4、Detecting EDR Inline Hooks in ntdll.dll
https://medium.com/@s12deff/detecting-edr-inline-hooks-in-ntdll-dll-18df079d76d4
5、Creating Custom x86 Windows Shellcode Using Dynamic API Resolution
https://screetsec.com/blog/custom-x86-windows-shellcode-dynamic-api-resolution
6、Primitive Process Injection: APC Tandem
https://medium.com/@s12deff/primitive-process-injection-apc-tandem-1dcec8515c86
7、An unexpected journey into Microsoft Defender’s signature World
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
8、Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict
https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/
9、Evading Antivirus: Bypassing Windows Defender with Tenebris-Gate
https://hackers-arise.com/evading-antivirus-bypassing-windows-defender-with-tenebris-gate/
10、Micro-Stager: using the kernel exception dispatch mechanism to achieve a double-blind bypass of ETW TI and AMSI
https://mp.weixin.qq.com/s/rn5YwQjhzkdDfPevpC-zQQ
Blue team techniques
1、Behind the Code: The Layered Defense-Evasion of VIP Keylogger
https://www.splunk.com/en_us/blog/security/behind-the-code-layered-defense-evasion-vip-keylogger.html
Tools
1、sni-spoof-rs
https://github.com/therealaleph/sni-spoofing-rust
DPI bypass via fake TLS ClientHello injection with wrong TCP sequence number. Rust port of @patterniha’s SNI-Spoofing. Linux, macOS, Windows. Works with v2ray/xray VLESS configs behind Cloudflare.
2、CLR-Stomp
https://github.com/nettitude/CLR-STOMP
.NET CLR-Stomping
3、CrabLoader
https://github.com/qmadev/CrabLoader
A PoC Cobalt Strike UDRL written in Rust
4、PhantomKiller
https://github.com/redteamfortress/PhantomKiller
Another BYOVD process killer. Works on all EDRs. Fully signed.
5、Beatrice.py
https://github.com/raskolnikov90/Beatrice.py
Modify machine code in binaries with alternative x64 assembly opcodes for AV evasion
6、goLoL
https://github.com/aaron-kidwell/goLoL
goLoL is a Windows host scanner that builds an always up-to-date listing of the LOLBAS binaries present on the current machine and lists the techniques you can run at your current privilege level, with MITRE ATT&CK mappings and example commands.
7、Relay Bible — Internal Penetration Testing Relay Guide
https://github.com/rootsecdev/relay_bible
Other
1、
Disclaimer:
The programs and technical methods described in this article are intended solely for lawful and compliant security research and educational purposes, aiming to improve network security defense capabilities, and are of a clearly technical research nature.
Any organization or individual that uses the contents of this article without authorization for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site assumes no joint liability.
All content on this site is published for the purpose of technical exchange and knowledge sharing. If there is any copyright infringement or other objection, please contact us by e-mail; the contact details can be found via the "Contact me" link at the top of the page.
This article is reposted from 红蓝对抗技战术 (红蓝对抗技术): 《攻防技战术动态一周更新 – 20260518》 (Attack and Defense Tactics Weekly Update – 20260518).
Copyright notice
This site only archives and indexes this material, solely for research and teaching reference.
Readers who use this information for any other purpose bear all legal and joint liability themselves; this site assumes no responsibility.