RBT Security

RBT Security is built to help companies protect their networks and systems against cyber threats.

We believe we can make a difference through our penetration testing, security awareness, Red Team, Adversary Emulation, and Purple Team assessments.

04/28/2026

Check out our latest demo on how advanced implants evade Windows Defender protections using memory encryption, API obfuscation, and hybrid C2 redirectors.

https://www.youtube.com/watch?v=8y7L1gCtk-M

"Windows Defender Evasion: Implant Analysis & Full Bypass | Havoc C2"

03/12/2026

How hackers hide their commands.

New research reveals how "Command-Line Obfuscation" allows attackers to disguise their actions using secret symbols and "weird" characters to trick scanners.

1.- Hidden Intent: Masking malicious activity.
2.- Trusted Tools: Turning standard Windows programs into invisible weapons.
3.- Bypassing Alerts: Executing attacks without triggering security systems.

Learn more: https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation

Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables’ parsing “flaws”, can bypass such detections. It also introduces ArgFuscator, a new to...

03/04/2026

The "Invisible" Tool in Every Computer.

Did you know one of the most powerful hacking tools is already installed on almost every Windows PC? It’s called PowerShell. While it's used by admins for work, hackers love it because it’s "built-in" and can help them hide their tracks.

1.- Fileless Attacks: Running malicious code in memory so it doesn't leave files for scanners to find.
2.- Password Stealing: Pulling credentials directly from the system's memory.
3.- Silent Control: Taking over other computers on the same network using "legitimate" commands.

Learn more about how to stay safe: https://hetmehta.com/posts/powershell-for-hackers/

A red teamer’s guide to PowerShell for post-exploitation: enum, privesc, persistence, and C2

02/26/2026

Is your Kubernetes cluster truly secure?

Our new demo reveals how a single misconfigured dashboard can give an attacker "God-mode" access to your entire infrastructure.

1.- Authentication Bypass: Gaining entry without a password.
2.- C2 Integration: Deploying malicious pods that call back to a Sliver C2 framework for persistent control.
3.- Remote Control: Managing the cluster from anywhere using stolen tokens.

Operational convenience should never come at the cost of infrastructure hardening.

See the full attack: https://www.youtube.com/watch?v=Ha2uDx4fhj8

In this demonstration, we walk through a real-world Kubernetes attack chain targeting one of the most commonly misconfigured components in a cluster the Kube...

02/21/2026

New demo from RBT Security!

We’re breaking down how to evade Microsoft Defender, AMSI, and ETW using MapView Code Injection. By mapping shared memory views instead of using traditional memory writes, we can deploy a Sliver C2 beacon with significantly less noise.

Check out the full workflow, including Native API resolution and post-ex enumeration using Sliver's fork-and-run with PPID spoofing, plus self-process injection to trigger built-in AMSI and ETW evasion.

Watch here: https://www.youtube.com/watch?v=Oq4GN9pHhUE

⚠️ CORRECTION: At timestamp 18:52, the Process ID shown is 1688; this is incorrect. The correct PID is 4568. Using 1688 will spawn a new unintended process r...

02/02/2026

How hackers bypass internal security.

These attacks are still valid and used daily by threat actors:

1.- IPv6 Hijacking: Intercepting secrets.
2.- Delegation Abuse: Impersonating users via nxc.
3.- AS-REP Roasting: Stealing specific password types.
4.- ADCS Attacks: Weaponizing digital certificates.

Demo:

In this video, we continue our internal penetration testing series by demonstrating advanced post-initial access techniques in a controlled lab environment. ...

01/27/2026

How do hackers get around internal security? (Part 2)

We demonstrate real-world scenarios where an attacker turns a minor network mistake into total control of your servers.

Inside the Attack Chain:

1.- New "Admins": Attackers use the network to create their own "Admin" accounts and add themselves to protected groups.

2.- Empire & PowerShell: We show how Empire is used to send hidden commands that open a backdoor for the hacker.

3.- Encrypted Havoc Theft: We used the Havoc framework to execute Mimikatz in-memory using XOR encryption. By "scrambling" the tool's code, it stays invisible to traditional antivirus software while it steals your passwords.

The Fix: Deep telemetry monitoring. By recording every digital footprint from new user accounts to hidden script commands, companies can stop the attack before the damage is done.

Demo: https://www.youtube.com/watch?v=Cx8dbqbwwu4

In this video, we continue our initial access internal penetration testing series, focusing on post-initial-access techniques using C2 frameworks in a contro...

01/26/2026

How do hackers get around internal security? (Part 1)

It's often not through complex "zero-day" exploits, but by using the network's own protocols against it.

An internal penetration test showing how three common attacks (NetNTLMv2 capture, NTLM Relay, and SMB Proxying) are used to gain control of a network from the inside out.

Understanding these paths is the first step to securing your organization!

Demo:

Landing that first foothold inside an internal network is often the most critical phase of an engagement. This playlist deconstructs the transition from "una...

01/05/2026

Thread Context Code Injection – Video Demo

In this new RBT Security Labs video, we demonstrate how Thread Context Code Injection works and why it’s still used in real-world attacks.

Using a Havoc C2 payload, we show how attackers can hijack an existing thread within a legitimate process and move on to post-exploitation activities such as system enumeration.

🎥 Watch the demo here: https://youtu.be/H2TID1RyNew

In this video demonstration from RBT Security Labs, we break down Thread Context Code Injection, a classic process injection technique that hijacks an existi...

12/05/2025

NEW VIDEO: Evading Microsoft Defender with APC Injection

Ever wonder how attackers hide malicious code inside legitimate programs while bypassing antivirus?

In our latest video, we demonstrate APC Injection via Suspended Thread, a stealthy technique that executes Adaptix C2 payloads inside trusted processes without triggering Microsoft Defender.

We show the complete attack chain:
1.- Payload injection into a legitimate process
2.- System reconnaissance with Seatbelt
3.- Credential extraction for lateral movement

👉 Watch the full demo on YouTube https://www.youtube.com/watch?v=CA9fohxfnkw
💬 Join our Discord community for more red team content
Perfect for cybersecurity professionals and anyone interested in offensive security!
https://discord.com/invite/8EfKbmgC

Join the Discord community to discuss and learn more: https://discord.com/invite/8EfKbmgC

APC Injection via Suspended Thread

In this video, we demonstrate how ...

11/28/2025

EVADING MICROSOFT DEFENDER – APC Injection via Alertable State

We just published a new video demo from RBT Security Labs, showing how Asynchronous Procedure Call (APC) injection can be used to execute code through a thread in an alertable state and how this technique can evade Microsoft Defender.

For this demo, we also highlight related Mythic capabilities, such as AMSI and ETW bypass concepts, default process swapping (e.g., MSBuild.exe as LOLBins), and user-focused system enumeration (Seatbelt) to provide context on how defenders and researchers study post-exploitation techniques.

🎥 Watch the video here: https://www.youtube.com/watch?v=5pMfv2fFDFg&t=17s

Join the Discord community to discuss and learn more: https://discord.gg/8EfKbmgC

APC Injection via alertable state

In this video, we explain how Asynchronous ...

Address

18 King Street East, Suite 1400
Toronto, ON
M5C1C4
