The best thing I did for my offensive work was spend real time looking at it from the other side of the glass.
You cannot move quietly through a system whose detection you don't understand. So I went and read how endpoint detection actually works (what it hooks, what it logs, what fires an alert and what slides past), entirely in the lab, nothing pointed at anything real.
A few things that reframed how I operate:
- Most detection is behavioural, not signature-based. It isn't hunting a known-bad file; it's hunting a known-bad pattern: a process spawning a shell that opens a network connection, one account requesting a pile of service tickets, a login from a host that's never logged in there before.
- Offline beats online. Half the reason Kerberoasting is so effective is that the cracking happens on my machine. The ticket requests themselves still land in the log (on Windows that's a burst of 4769 events, one per service ticket), but everything after the pull produces zero telemetry on the target.
- Volume is a signature too. Ten thousand DNS queries in a minute is the alert. Slow and passive isn't just manners, it's evasion.
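To make the three ideas in the list concrete, here is an added example (not code from the original post, and not from any real EDR product) that runs four behavioural rules over a constructed batch of events: a shell process that opens a network connection, one account requesting many service tickets in a short window (the Kerberoast pattern; 4769 is the Windows event ID and etype 0x17 is RC4-HMAC), a logon from a host not in the baseline, and DNS query volume per source per minute. The event schema, field names, thresholds, hostnames and addresses are all assumptions made for the example; a real pipeline would read Sysmon, the security log or EDR telemetry instead.

```python
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Constructed sample telemetry (not real logs). 'ts' is seconds; the
# field names are an assumption, loosely modelled on EDR / Windows events.
EVENTS = [
    {"ts": 0, "kind": "process", "pid": 410, "ppid": 300, "image": "winword.exe"},
    {"ts": 1, "kind": "process", "pid": 411, "ppid": 410, "image": "powershell.exe"},
    {"ts": 2, "kind": "network", "pid": 411, "dst": "198.51.100.7:443"},
    # A shell that never touches the network: no alert from rule 1.
    {"ts": 5, "kind": "process", "pid": 420, "ppid": 300, "image": "powershell.exe"},
    # Service ticket requests (event 4769): one account, many SPNs, RC4 (0x17).
    *[{"ts": 10 + i, "kind": "ticket", "account": "jdoe",
       "spn": f"MSSQLSvc/db{i}", "etype": 0x17} for i in range(12)],
    {"ts": 30, "kind": "ticket", "account": "svc_backup", "spn": "cifs/fs01", "etype": 0x12},
    {"ts": 40, "kind": "logon", "account": "jdoe", "host": "WS-JDOE"},
    {"ts": 41, "kind": "logon", "account": "jdoe", "host": "DC01"},
    # One source sending 500 DNS queries inside a single minute.
    *[{"ts": 50, "kind": "dns", "src": "10.0.0.5",
       "qname": f"{i:08x}.exfil.example"} for i in range(500)],
    {"ts": 50, "kind": "dns", "src": "10.0.0.9", "qname": "updates.example"},
]

# Assumed baseline of (account, host) pairs seen in the past 30 days.
BASELINE_LOGONS = {("jdoe", "WS-JDOE"), ("svc_backup", "FS01")}


def shell_with_network(events):
    """Rule 1: a shell process that later opens a network connection."""
    images = {e["pid"]: e["image"] for e in events if e["kind"] == "process"}
    shells = {e["pid"]: e for e in events
              if e["kind"] == "process" and e["image"] in SHELLS}
    alerts = []
    for e in events:
        if e["kind"] == "network" and e["pid"] in shells:
            p = shells[e["pid"]]
            parent = images.get(p["ppid"], "?")
            alerts.append(("shell_network",
                           f"{p['image']} (pid {p['pid']}, parent {parent}) -> {e['dst']}"))
    return alerts


def ticket_burst(events, window=60, min_spns=10):
    """Rule 2: one account pulling tickets for many SPNs inside `window` seconds."""
    by_account = defaultdict(list)
    for e in events:
        if e["kind"] == "ticket":
            by_account[e["account"]].append(e)
    alerts = []
    for acct, reqs in by_account.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):            # sliding window over requests
            in_window = [r for r in reqs[i:] if r["ts"] - first["ts"] <= window]
            spns = {r["spn"] for r in in_window}
            if len(spns) >= min_spns:
                rc4 = sum(1 for r in in_window if r["etype"] == 0x17)
                alerts.append(("ticket_burst",
                               f"{acct}: {len(spns)} SPNs in {window}s, {rc4} RC4"))
                break                                 # one alert per account
    return alerts


def new_host_logon(events, baseline):
    """Rule 3: an account logging on from a host it has never used before."""
    seen = set(baseline)
    alerts = []
    for e in events:
        if e["kind"] == "logon":
            key = (e["account"], e["host"])
            if key not in seen:
                alerts.append(("new_host_logon", f"{e['account']} from {e['host']}"))
                seen.add(key)
    return alerts


def dns_volume(events, per_minute=200):
    """Rule 4: DNS query count per source per minute above a threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "dns":
            counts[(e["src"], e["ts"] // 60)] += 1
    return [("dns_volume", f"{src}: {n} queries in minute {m}")
            for (src, m), n in counts.items() if n >= per_minute]


def run_all(events=EVENTS, baseline=BASELINE_LOGONS):
    """Run every rule and return the (rule, detail) alerts in rule order."""
    return (shell_with_network(events) + ticket_burst(events)
            + new_host_logon(events, baseline) + dns_volume(events))


if __name__ == "__main__":
    for rule, detail in run_all():
        print(f"[{rule}] {detail}")
```

Note what the rules do not see: the PowerShell instance at pid 420 that never opens a socket, and the same twelve ticket requests spread ten minutes apart (they never fill the 60-second window, so `ticket_burst` stays silent). That gap between the burst and the trickle is exactly the "slow is evasion" point, and it is also why a defender would pair the count rule with a per-request RC4 check rather than rely on volume alone.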
Understanding detection doesn't only make you quieter, it makes you a better builder. Half of what I know about defending the Vyrox pipeline came from trying to imagine exactly how I'd get past it.