CSEC KILL CHAIN // FIELD MANUAL

George Wu — 22DIV

// MISSION BRIEF

Complete kill chain curriculum — self-directed offensive security study. 45 chapters across 11 volumes — from Windows fundamentals and TOCTOU exploit mechanics through enterprise threat emulation. Every chapter is field manual format: direct, annotated, no filler.

The doctrine: understand the system, build the tools, execute the chain, document everything.

Scope: Windows offensive security — TOCTOU race conditions, reverse shells, process injection, privilege escalation, lateral movement, evasion, social engineering, CTF execution, and enterprise red team emulation.

// STATUS

45 CHAPTERS · 45 COMPLETE · 11 VOLUMES · 17543 LINES WRITTEN

// CURRICULUM INDEX

VOL I OPERATION VADER — Mission & Windows Fundamentals [6/6 COMPLETE]
  • 01 Mission Brief — Operation VADER OPORD | TOCTOU overview, kill chain, training syllabus [COMPLETE]
  • 02 Dev Environment — Setting Up The Armoury | VS Build Tools, cl.exe, compiler flags, project structure [COMPLETE]
  • 03 Handles & Objects — Your Grip On The Weapon | kernel handle tables, object types, CreateFile basics, error codes [COMPLETE]
  • 04 Filesystem & Paths — The Patrol Route | path resolution chain, DOS vs NT namespace, MFT, reparse points, filter drivers [COMPLETE]
  • 05 CreateFile Deep Dive — The Primary Weapon System | all 7 parameters, 5 exploit configurations, sync vs async [COMPLETE]
  • 06 DeviceIoControl — The Fire Command | IOCTL codes, FSCTL_SET_REPARSE_POINT, FSCTL_REQUEST_BATCH_OPLOCK [COMPLETE]

VOL II EXPLOIT MECHANICS — Race Condition Arsenal [3/3 COMPLETE]
  • 07 Async I/O — The Radio Receiver | OVERLAPPED, Windows events, WaitForSingleObject, QPC timing [COMPLETE]
  • 08 Oplocks — The Claymore | batch oplock break mechanism, kernel hold pattern, sharing requirements [COMPLETE]
  • 09 NTFS Junctions — The Road Sign Swap | transparent redirect, no admin required, reparse buffer, cross-privilege [COMPLETE]

VOL III THE TARGET — Defender & TOCTOU [5/5 COMPLETE]
  • 10 Defender Architecture — Know Thy Enemy | MsMpEng.exe, WdFilter.sys, RTP pipeline, scan-to-quarantine flow [COMPLETE]
  • 11 TOCTOU Theory — The Ambush Doctrine | race condition fundamentals, check-use gap, timing analysis [COMPLETE]
  • 12 The Chain — Full Operations Order | complete exploit chain, oplock+junction combo, SYSTEM redirect [COMPLETE]
  • 13 RPC Attack Surface — Enemy Comms Intercepted | 236-procedure RPC interface, IDL reverse engineering [COMPLETE]
  • 14 Reverse Shell — The Callback Mechanism | Winsock connect-back, hidden cmd.exe, payload delivery [COMPLETE]

VOL IV POST-EXPLOIT — Beyond TOCTOU [2/2 COMPLETE]
  • 15 Beyond TOCTOU — The Rootkit Phase | HWBP bypass, phantom DLLs, service ACLs, 17 vectors audited [COMPLETE]
  • 16 Glossary — Military-to-Technical Field Reference | 70+ term mappings, 8 categories, signals intelligence [COMPLETE]

VOL V FOUNDATIONS — Programming & System Theory [4/4 COMPLETE]
  • 17 C Programming Primer — The Language of Exploitation | preprocessor, pointers, structs, WinMain, Win32 types [COMPLETE]
  • 18 Windows Internals — Know Your Battlefield | user/kernel mode, NT API, PE format, kernel objects [COMPLETE]
  • 19 Networking Concepts — TCP/IP For Red Teams | sockets, Winsock, 3-way handshake, port selection [COMPLETE]
  • 20 Compilation & Build Ops — Forging The Weapons | MSVC pipeline, optimization flags, binary stripping [COMPLETE]

VOL VI SHADOW ARSENAL — Tool Documentation [5/5 COMPLETE]
  • 21 Shadow Shell — The Reverse Connection | Winsock reverse shell, connect-back, GUI subsystem hiding [COMPLETE]
  • 22 Process Injection — Theory & Practice | classic DLL injection, reflective, hollowing, APC, thread hijack [COMPLETE]
  • 23 DLL Injector — Code Injection | OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread [COMPLETE]
  • 24 Payload DLL — The Warhead | DllMain, DLL_PROCESS_ATTACH, reverse shell launch, VNC callback [COMPLETE]
  • 25 Shadow Token — Privilege Escalation | SeDebugPrivilege, token theft, SYSTEM scanning, SAM dump [COMPLETE]

VOL VII GHOST OPERATIONS — Persistence & Evasion [4/4 COMPLETE]
  • 26 Shadow Evasion — Blinding The EDR | Defender service freeze, registry exclusions, signature corruption [COMPLETE]
  • 27 Ghost Service — The Persistent Backdoor | Windows Service masquerade, SYSTEM persistence, boot survival [COMPLETE]
  • 28 Shadow Lateral — Network Movement | SMB admin shares, remote service creation, file copy, cleanup [COMPLETE]
  • 29 OPSEC Tradecraft — Operational Security | digital footprint, anti-forensics, log clearing, artifact cleanup [COMPLETE]

VOL VIII KILL CHAIN — Full Chain Operations [5/5 COMPLETE]
  • 30 CSEC Curriculum Overview — The Integrated Textbook | 13-chapter theory, CODE_DOCS integration [COMPLETE]
  • 31 Kill Chain Master Runbook — 9-Step Execution | TEST chain, REAL chain, troubleshooting, AutoChain [COMPLETE]
  • 32 Assessment Completion — UnDefend & YellowKey | lab VM walkthroughs, exact compilation, EDR deception [COMPLETE]
  • 33 Recreation Spec — Cold Rebuild From Scratch | environment stamp, build matrix, verification checklists [COMPLETE]
  • 34 Viability Assessment — Honest Defense Analysis | what survives production, Tamper Protection, Credential Guard [COMPLETE]

VOL IX FIELD OPERATIONS — CTF & Deployment [4/4 COMPLETE]
  • 35 Tactical Operations — Plan to Codebase | week-by-week lab manual, buffer overflow, DNS tunneling [COMPLETE]
  • 36 CTF Execution Playbook — Final Demonstration | 5-phase demo, C2 commands, evasion FAQ, foothold setup [COMPLETE]
  • 37 Cross-Network Operations — Tunneling & Callback | ngrok tunneling, TCP callback, cross-network shell [COMPLETE]
  • 38 Self-Teaching Roadmap — 7-Level Curriculum | beginner to red teamer, resources, build projects [COMPLETE]

VOL X WARFARE DOCTRINE — Social Engineering & Advanced [4/4 COMPLETE]
  • 39 ASF Social Engineering — Adversarial Survival Framework | pretexts, trust calibration, phishing, LNK spoofs [COMPLETE]
  • 40 DataTrust Presentation — Speaking Script | 16-slide presentation, NIST CSF, ACSC Essential Eight [COMPLETE]
  • 41 Semester 2 Vulnerability Analysis — Four Exploits | RedSun TOCTOU, GreenPlasma, MiniPlasma, BlueHammer [COMPLETE]
  • 42 Enterprise Threat Emulation — Red vs Blue | corporate role-play, Sysmon detection, blue team response [COMPLETE]

VOL XI ADVERSARIAL TRADECRAFT — Formalized ASF Tactics [3/3 COMPLETE]
  • 43 Obfuscation & Payload Encoding — ASF Tactic: CONCEALMENT | XOR encoding, string concealment, .rdata vs stack, encoding ladder, VADER principle [COMPLETE]
  • 44 Defense Evasion & Anti-Analysis — ASF Tactic: COUNTER-INTELLIGENCE | HWBP AMSI bypass (VULN-195458), ETW blinding, VEH handler, anti-sandbox [COMPLETE]
  • 45 DLL Search Order Exploitation — ASF Tactic: INFILTRATION | phantom DLLs, osppc.dll discovery, PATH hijack, sideloading, DLL proxying [COMPLETE]