Red Team Notes

A field notebook for offensive security operators. These notes collect tactics, techniques, and procedures (TTPs) encountered during red team engagements and malware development research. The goal is to have a single, fast-searchable reference you can use during an assessment.

Disclaimer: The material here is for educational and authorized testing only. Use it only on systems you own or have explicit permission to test.

Where to start

  • Red Team

    End-to-end offensive operations: OPSEC, C2, host recon, persistence, privilege escalation, lateral movement, exfiltration, and AD internals.

    Start with the Introduction

  • Malware Development

    Windows internals and offensive engineering: code injection, hooking, evasion, and object enumeration, with annotated C/C++ snippets.

    Jump to Code Injection

  • Full-text search

    Press / or click the search icon in the top bar to search every page. Material for MkDocs indexes headings, code blocks and tables.

  • Source on GitHub

    The site is generated from Markdown in docs/. Edit any page and open a pull request.

    benjugat/rtnotes

Project layout

docs/
├── index.md                # This page
├── changelog.md            # Build / content changelog
├── red-team/               # Operations, C2, AD, lateral movement, etc.
│   ├── introduction.md
│   ├── opsec-infrastructure.md
│   ├── c2-cobaltstrike.md
│   └── ...
├── malware/                # Windows internals & offensive engineering
│   ├── basics/
│   ├── code-injection/
│   ├── hooking/
│   ├── lowpriv-evasion/
│   └── object-enumeration/
└── images/                 # All static assets

Conventions used in the notes

  • Code samples are usually C/C++ unless otherwise stated.
  • Beacon examples assume Cobalt Strike; the same patterns apply to other C2s.
  • OPSEC notes are flagged with !!! note "OPSEC" admonitions.
  • Use the left sidebar to navigate by section. Use the right sidebar (or /) to search.