zzqsec/ai-redteam-notes — explained in plain English
Analysis updated 2026-05-18
Study the reasoning behind webshell and implant detection evasion techniques for authorized red team engagements.
Reference version-specific notes when adapting security tooling to different Java or Tomcat environments during sanctioned testing.
Learn how specific antivirus and sandbox detection mechanisms work in order to test defenses against them legally.
| zzqsec/ai-redteam-notes | 0311119/free_registertool | 18597990650-lab/multi-agent-game | |
|---|---|---|---|
| Stars | 24 | 24 | 24 |
| Language | — | Python | Python |
| Setup difficulty | hard | hard | moderate |
| Complexity | 5/5 | 4/5 | 3/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Content assumes an existing authorized penetration testing engagement and familiarity with security tooling.
This repository is a knowledge base of security research notes about evading detection tools, written in Chinese and generated with AI assistance, then reviewed by a human before being published. Red teaming means simulating attacker techniques to test an organization's defenses under legal authorization. Evasion means getting past protective software such as antivirus engines, web application firewalls, and endpoint detection systems without triggering an alert. The stated goal is to explain the reasoning behind these techniques for people who already work in authorized security testing, rather than to hand out ready to run attack tools to anyone. The notes cover several technical areas at a conceptual level. One section walks through several approaches for making PHP based web scripts harder for security scanners to flag, aimed at a specific class of security products. Another covers Java based server implants and web based backdoors, with details on how compatibility differs across Java and Tomcat versions. A separate guide explains how to port small helper programs, sometimes called Beacon Object Files, from one well known penetration testing framework to a newer open source alternative, including a table mapping equivalent functions between the two. There is also a write up describing how inconsistent character handling in certain parsers can be exploited to make different tools see different content in the same file, illustrated with several real world vulnerability references. Additional notes cover evading a specific AI powered antivirus engine, adjusting common remote administration tools so their PowerShell activity blends into normal usage, and getting a popular open source network scanning tool past certain antivirus products. Each topic explains the underlying reason a technique works and the conditions under which it applies, rather than only providing ready made scripts, and includes records of problems the author ran into along the way, along with the exact software versions tested. A changelog at the bottom tracks when each section was added or revised. The README states the purpose is legal, authorized penetration testing and security research only, and prohibits use for any unauthorized access or malicious activity, placing responsibility on the user for any consequences. The content is released under a Creative Commons license that permits noncommercial sharing with attribution as long as derivative works are shared under the same terms.
A Chinese-language, AI-assisted knowledge base explaining why various antivirus and detection evasion techniques work, for authorized penetration testing and security research.
You may share and adapt the content for noncommercial purposes if you give credit and license derivatives the same way.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.