Shadow Protocol

A comprehensive technical guide to understanding offensive security operations. Learn how attackers think, operate, and hide—so you can build better defenses.

Educational Purpose Only

This material is for defensive security education. Understanding attack methodologies is essential for building effective defenses. All techniques described here should only be practiced in authorized environments: your own lab, CTF competitions, bug bounty programs with explicit permission, or professional penetration testing engagements with written authorization.

Unauthorized access to computer systems is illegal. The techniques described could result in serious criminal charges if misused. Read the full Disclaimer & Acceptable Use Policy.

The Problem Every Attacker Faces

You've compromised a system. Maybe through phishing, an exploit, or social engineering. You've got code execution on the target. Now what?

The fundamental challenge: how do you maintain access and extract value without getting caught?

A raw reverse shell to your home IP address is amateur hour. The victim's logs now contain your IP address. Game over. Even a mediocre incident response team will trace that connection back to you.

Professional operators solve this through layers of indirection. Every step in the attack chain is designed to:

  • Hide the attacker's true origin
  • Blend with legitimate traffic
  • Survive network interruptions
  • Persist across reboots
  • Evade detection and analysis

This guide walks through the entire attack lifecycle, explaining not just what attackers do, but why they make each decision and how defenders can detect them.

The Attack Lifecycle

Before diving into specifics, understand the overall flow. Attacks aren't random—they follow a structured methodology that sophisticated actors have refined over decades.

Complete Attack Chain

  flowchart LR
    subgraph Phase0["Phase 0: Preparation"]
      A[Build Infrastructure] --> B[Set Up C2]
      B --> C[Test & Harden]
    end
    subgraph Phase1["Phase 1: Initial Access"]
      D[Reconnaissance] --> E[Weaponization]
      E --> F[Delivery]
      F --> G[Exploitation]
    end
    subgraph Phase2["Phase 2: Establish Foothold"]
      H[Execution] --> I[Persistence]
      I --> J[C2 Beacon]
    end
    subgraph Phase3["Phase 3: Expand Access"]
      K[Discovery] --> L[Credential Access]
      L --> M[Lateral Movement]
      M --> N[Privilege Escalation]
    end
    subgraph Phase4["Phase 4: Complete Mission"]
      O[Collection] --> P[Staging]
      P --> Q[Exfiltration]
    end
    Phase0 --> Phase1
    Phase1 --> Phase2
    Phase2 --> Phase3
    Phase3 --> Phase4
ASCII Representation
┌────────────────────────────────────────────────────────────────────────────────┐
│                                ATTACK LIFECYCLE                                │
├────────────────────────────────────────────────────────────────────────────────┤
│                                                                                │
│  PHASE 0: PREPARATION                                                          │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────┐                      │
│  │   Build      │───►│   Set Up     │───►│   Test &     │                      │
│  │   Infra      │    │   C2 Server  │    │   Harden     │                      │
│  └──────────────┘    └──────────────┘    └──────────────┘                      │
│                                     │                                          │
│                                     ▼                                          │
│  ┌──────────────────────────────────────────────────────────────────┐          │
│  │  PHASE 1: INITIAL ACCESS                                         │          │
│  │  ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    │          │
│  │  │  Recon   │───►│Weaponize │───►│ Delivery │───►│ Exploit  │    │          │
│  │  └──────────┘    └──────────┘    └──────────┘    └──────────┘    │          │
│  └──────────────────────────────────────────────────────────────────┘          │
│                                     │                                          │
│                                     ▼                                          │
│  ┌──────────────────────────────────────────────────────────────────┐          │
│  │  PHASE 2: ESTABLISH FOOTHOLD                                     │          │
│  │  ┌──────────┐    ┌──────────┐    ┌──────────┐                    │          │
│  │  │ Execute  │───►│ Persist  │───►│  Beacon  │                    │          │
│  │  └──────────┘    └──────────┘    └──────────┘                    │          │
│  └──────────────────────────────────────────────────────────────────┘          │
│                                     │                                          │
│                                     ▼                                          │
│  ┌──────────────────────────────────────────────────────────────────┐          │
│  │  PHASE 3: EXPAND ACCESS                                          │          │
│  │  ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    │          │
│  │  │ Discover │───►│  Creds   │───►│ Lateral  │───►│ PrivEsc  │    │          │
│  │  └──────────┘    └──────────┘    └──────────┘    └──────────┘    │          │
│  └──────────────────────────────────────────────────────────────────┘          │
│                                     │                                          │
│                                     ▼                                          │
│  ┌──────────────────────────────────────────────────────────────────┐          │
│  │  PHASE 4: COMPLETE MISSION                                       │          │
│  │  ┌──────────┐    ┌──────────┐    ┌──────────┐                    │          │
│  │  │ Collect  │───►│  Stage   │───►│  Exfil   │                    │          │
│  │  └──────────┘    └──────────┘    └──────────┘                    │          │
│  └──────────────────────────────────────────────────────────────────┘          │
│                                                                                │
└────────────────────────────────────────────────────────────────────────────────┘

Key Concepts to Understand

1. Layers of Indirection

Attackers never connect directly to targets. Every connection passes through multiple layers: VPNs, proxy chains, compromised infrastructure, cloud services. If any layer is burned, the real attacker remains hidden.

2. Blending with Legitimate Traffic

C2 traffic over HTTPS looks like normal web browsing. DNS tunneling looks like DNS queries. Traffic to AWS/Cloudflare IPs looks like cloud services. Attackers hide in the noise.

3. Living Off the Land

Why upload malware when the target already has everything you need? PowerShell, WMI, certutil, rundll32—Microsoft-signed binaries that do exactly what attackers need. AV can't flag Microsoft's own tools without massive false positives.

4. Asynchronous Operations

Sophisticated attackers don't maintain live connections. Implants beacon periodically, receive commands, execute them, report back. Connections are brief, outbound-initiated, and survive network interruptions.
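The same periodicity that makes beaconing robust is what a defender can measure: connections from one host to one destination whose gaps cluster tightly around an interval, spread only by jitter. As an added example (not code from the original page), the Python below scores each (source, destination) pair in a constructed connection log by the regularity of its inter-connection gaps; the log format and the thresholds are assumptions.

```python
"""Flag beacon-like outbound connections in a connection log.

Each check-in is brief and individually unremarkable, but the gaps between
check-ins from one host to one destination cluster around the beacon interval.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields: timestamp src dst bytes.
# 203.0.113.10 is contacted roughly every 60 s; 198.51.100.7 is irregular browsing.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 203.0.113.10 512
2024-01-01T09:00:03 10.0.0.5 198.51.100.7 40210
2024-01-01T09:00:58 10.0.0.5 203.0.113.10 498
2024-01-01T09:01:07 10.0.0.5 198.51.100.7 1320
2024-01-01T09:02:01 10.0.0.5 203.0.113.10 520
2024-01-01T09:02:57 10.0.0.5 203.0.113.10 505
2024-01-01T09:04:02 10.0.0.5 203.0.113.10 511
2024-01-01T09:04:40 10.0.0.5 198.51.100.7 88000
2024-01-01T09:05:00 10.0.0.5 203.0.113.10 499
2024-01-01T09:05:59 10.0.0.5 203.0.113.10 517
2024-01-01T09:11:12 10.0.0.5 198.51.100.7 2100
"""

def interval_stats(log_text):
    """Return {(src, dst): (count, mean_gap_seconds, cv)} for every pair seen.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a beacon with 10% jitter gives a cv near 0.1,
    while human-driven traffic is far more erratic.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _size = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    stats = {}
    for pair, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            continue  # a single connection has no interval to measure
        avg = mean(gaps)
        stats[pair] = (len(stamps), avg, pstdev(gaps) / avg if avg else 0.0)
    return stats

def find_beacons(log_text, min_connections=6, max_cv=0.2):
    """Pairs with enough connections and near-constant gaps (assumed thresholds)."""
    return sorted(pair for pair, (n, _avg, cv) in interval_stats(log_text).items()
                  if n >= min_connections and cv <= max_cv)
```

Long sleep intervals push the required observation window up accordingly, so this kind of check is run over hours or days of flow data, not minutes.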

What This Guide Covers

Navigation Guide

Each section includes danger level indicators. CRITICAL sections cover techniques that are particularly powerful/dangerous. LOW sections focus on detection and defense.

Phase 0: Preparation & Infrastructure

Before touching any target, attackers build their operational infrastructure:

  • Proxy Chains & Tunneling: How traffic bounces through multiple nodes
  • Compromised Infrastructure: Using pwned boxes instead of your own
  • Cloud Functions as Proxies: Lambda, Cloudflare Workers, Azure Functions
  • Anonymous Domain Registration: Crypto payments, bulletproof hosting
  • C2 Framework Setup: Cobalt Strike, Sliver, Havoc configuration
  • Redirectors: Disposable front-end servers that protect real C2

Phase 1: Initial Access

Getting that first foothold on the target:

  • Reconnaissance: OSINT, passive enumeration, light scanning
  • Phishing: Email lures, landing pages, credential harvesting
  • Payload Types: ISO files, LNK shortcuts, HTA applications
  • Delivery Methods: Email attachments, watering holes, USB drops
  • Exploitation: Triggering code execution on the target

Phase 2: Establishing a Foothold

Making initial access persistent and establishing communication:

  • LOLBins Deep Dive: certutil, mshta, wmic, bitsadmin, rundll32, PowerShell
  • Memory-Only Execution: Fileless attacks, reflective loading
  • Persistence Mechanisms: Scheduled tasks, registry keys, WMI subscriptions
  • Beaconing Explained: Intervals, jitter, sleep patterns
  • Evasion Techniques: Anti-sandbox, anti-analysis checks

Phase 3: Expanding Access

Moving beyond the initial compromise:

  • Internal Reconnaissance: Domain enumeration, network mapping
  • Credential Harvesting: Mimikatz, LSASS dumping, cached credentials
  • Lateral Movement: PsExec, WMI, PSRemoting, Pass-the-Hash
  • Privilege Escalation: Local admin to Domain Admin paths

Phase 4: Completing the Mission

Achieving objectives and extracting value:

  • Data Discovery: Finding files, databases, credentials
  • Collection & Staging: Compressing, encrypting, preparing data
  • Exfiltration Channels: HTTPS, DNS, cloud services, steganography
  • Cleanup: Covering tracks, removing artifacts

Advanced Topics

  • Time Delays: Sleeping for hours/days before activation
  • Domain Fronting: Hiding C2 behind legitimate services
  • Golden SAML: The terrifying persistence technique
  • Sleeper Implants: Dormant for months, nearly undetectable while dormant

Defense & Detection

How defenders catch attackers:

  • Behavioral Analysis: Detecting beaconing patterns
  • Process Lineage: Catching abnormal parent-child relationships
  • Network Baselines: Identifying anomalous traffic
  • EDR Capabilities: How modern detection works
  • Threat Hunting: Proactively searching for compromise

The Fundamental Asymmetry

Attackers

  • Need to find ONE path in
  • Assume every layer will eventually fail
  • Can wait months for the right moment
  • Only need to succeed once
  • Choose the time, place, and method

Defenders

  • Must cover EVERY path
  • Must detect before damage is done
  • Must respond 24/7/365
  • Must succeed every time
  • React to attacker's choices

This asymmetry is why understanding offensive techniques is essential for defense. You can't detect what you don't understand. You can't prevent techniques you've never seen.

The Sleeper Problem

Nation-state actors think in years, not hours. They compromise systems, establish persistence, and then... nothing. No beaconing. No exfiltration. The implant sits dormant for months or years.

When geopolitics shift, when your company becomes strategically relevant, a single triggering event activates the implant. Detection during dormancy is nearly impossible—there's no behavior to detect.

Your network might be compromised right now by something that hasn't started operating yet.

How This Started

"I'm learning how hacking works to better defend. I've always known THAT a hacker attacks port 22 but I never understood it. The hacker needs to reverse shell back to himself but if he gives up his IP address then he's potentially caught. How do they hide their own IP?"

This project started with that question—asked late one night in a conversation that kept going deeper. What began as curiosity about reverse shells evolved into a complete exploration of the attack lifecycle, from infrastructure hiding through Golden SAML and sleeper implants.

Each question led to more questions. Each answer revealed the next layer of complexity. The conversation was preserved and became this resource.

Read the Full Origin Story →

Experience the Attack

What Does It Feel Like?

You've learned how attackers operate. Now experience what it's like to be on the receiving end.

nixfred.com is an interactive experience that demonstrates these techniques in action. It's a simulation—a psychological journey through what happens when someone clicks what they shouldn't have clicked.

No actual harm. Just perspective.

Enter nixfred.com →

Getting Started

This guide is designed for two audiences:

Security Practitioners

If you're building defenses, focus on understanding the why behind each technique. Every section includes detection strategies. Pay attention to what artifacts attackers leave behind and what normal vs. abnormal behavior looks like.

Start with Detection

Learners & Researchers

If you're learning offensive security for ethical purposes (red teaming, CTFs, research), follow the attack lifecycle in order. Set up a lab environment first—you'll need hands-on practice to truly understand these concepts.

Set Up Your Lab

REJECTION: DENIED

Experience a Mr. Robot-inspired interactive narrative. Watch a rejected job candidate's revenge fantasy unfold through simulated terminal commands and psychological escalation. Darkly comedic. Technically ambitious. Deeply unnerving.

Enter the Simulation →