Red Team Tutorial: Open-source .NET malware development with AV evasion

Dmitrijs Trizna
19 min read · Jan 15, 2020

Disclaimer

An important force that pushes the boundaries of cyber security forward is the excellent work done by researchers worldwide. Luckily for everyone in this industry, that work is often shared freely and publicly.

One of these research directions, offensive tradecraft, gives security engineers and analysts the means to improve their defensive posture and to understand the techniques that malicious actors may use against them.

Recently there has been renewed debate over whether publicly available offensive tools end up weaponized by APT groups and used maliciously. While this may be true to some extent, and I could lay out the arguments on both sides to offer a personal opinion, that is not the goal of this work.

I’ll just emphasize a few points:

  • if we look at the utilitarian value of shared offensive research, weighing ethical use against malicious use, there is no doubt where the bulk of the distribution lies;
  • having access to these techniques means you know what the adversary is capable of (almost every publicly released technique comes with a detailed description of the underlying mechanism or with source code); without this research you would mostly be blind;
  • without these techniques, neither I nor the security community I work with directly could have helped improve the security posture of many infrastructures that are now, thankfully, in fairly good shape (relatively speaking, of course).

With this in mind, I will show how one can simulate an advanced threat by chaining open-source tools together for proof-of-concept purposes, so that you can defend against similar techniques when real threat actors use them.

I will deliberately not describe all of the technical background needed for these tools to work; the original tradecraft authors describe it best. The focus here is weaponization.

Environment

We start from a fresh installation of Windows 10 from:

Dmitrijs Trizna

Sr. Security Researcher @ Microsoft. This blog is an independent R&D at the intersection of Machine Learning and Cyber-Security.