Adversary Emulation, Evasion and Custom Tradecraft

Domain overview

This domain is about how offensive work survives telemetry and control pressure. It focuses on operator decisions, not branding: process choice, payload design, client-side chains and command infrastructure.

How to approach this surface

• Tradecraft is about fit-for-purpose operation, not novelty. A quiet native action can be better than a clever payload if it reaches the same objective with cleaner evidence.
• Payload staging is a telemetry choice. Each loader, stager or script bridge changes how defenders will see the operation.
• AV/EDR bypass concepts matter most when tied to constraints: signed tools, in-memory execution, parent-child process logic, AMSI, ETW, user interaction or macro gates.
• Client-side chains are often where realism lives. Browser downloads, office documents, installers, chat tools and RMM software all create different trust narratives.
• Custom tooling should earn its complexity. The more bespoke the tool, the stronger your OPSEC, testing discipline and rollback plan must be.

Related certification and framework context

• OffSec PEN-300 / OSEPAdvanced tradecraft, evasion and operation against harder environments.
• MITRE ATT&CK EnterpriseTechnique framing across execution, persistence, defense evasion and command-and-control.
• CISA Eviction Strategies ToolDefender-oriented counterpoint useful for emulation and reporting context.

Selected public references

• LOLBAS ProjectLiving-off-the-land binaries and scripts in Windows environments.
• GTFOBinsUnix binaries and system tools that shift privilege or execution assumptions.
• Sigma HQDetection logic context to test what your tradecraft will likely light up.
• The DFIR ReportReal intrusion reporting that helps align tradecraft with observed operator behaviour.
• MITRE ATT&CK EvaluationsPublic emulation and detection context for realistic operations thinking.

Topic index