Tradecraft // Evasion, Payload Design and Operator Discipline

Adversary Emulation, Evasion and Custom Tradecraft

There is a point where pentesting stops being enumeration plus exploitation and becomes operational design. That is where tradecraft lives. Mature offensive work asks not only "can I get code execution?" but also "how do I move, blend, stage, validate and document this without destroying signal or tripping obvious control points too early?"


Domain overview

This domain covers defense evasion concepts, AV/EDR bypass reasoning, client-side chaining, staged payload delivery, OPSEC, custom tooling and C2 tradecraft. The emphasis is not on gimmick code or cargo-cult malware behaviour. It is on operator choices: how payloads are delivered, what telemetry they generate, how much customisation is warranted and where the engagement line is between realistic emulation and irresponsible noise.

How to approach this surface

  • Tradecraft is about fit-for-purpose operation, not novelty. A quiet native action can be better than a clever payload if it reaches the same objective with cleaner evidence.
  • Payload staging is a telemetry choice. Each loader, stager or script bridge changes how defenders will see the operation.
  • AV/EDR bypass concepts matter most when tied to constraints: signed tools, in-memory execution, parent-child process logic, AMSI, ETW, user interaction or macro gates.
  • Client-side chains are often where realism lives. Browser downloads, office documents, installers, chat tools and RMM software all create different trust narratives.
  • Custom tooling should earn its complexity. The more bespoke the tool, the stronger your OPSEC, testing discipline and rollback plan must be.

Brief index

  • Payload Staging and OPSEC: choosing delivery and execution patterns that fit the engagement and telemetry reality.
  • AV and EDR Evasion Concepts: detection pressure, AMSI/ETW awareness, in-memory execution and behavioural shaping.
  • Client-Side Chaining: documents, browsers, installers and user-mediated execution paths as an offensive chain.