// About // Skills // Research // Blog // Cheatsheets // Contact
Red Teamer & Security Researcher

Suleman
Rehman

Offensive security professional with 4+ years in red team operations, EDR/AV evasion, and Active Directory exploitation. I build tools, break defenses, and document attack techniques that others don't talk about.

4+ Years
4 Certs
22+ Techniques
3+ Tools Built
suleman@0xsr:~
Suleman Rehman
OSCP CPTS CRTO CRTL BS Cybersecurity

I break systems
for a living.

I'm Suleman Rehman, a cybersecurity professional with a Bachelor's degree in Cybersecurity and 4+ years of hands-on experience in offensive security operations. I hold OSCP (Offensive Security Certified Professional), CPTS (Certified Penetration Testing Specialist), CRTO (Certified Red Team Operator), and CRTL (Certified Red Team Lead) certifications.

My expertise centers on red team engagements, EDR and AV bypass development, Active Directory attack chains, and Windows internals. I build custom offensive tools — including Chimera, a C++17 EDR evasion framework implementing 12 MITRE ATT&CK techniques — and publish research on attack techniques that aren't documented anywhere else. Beyond offensive security, I'm the founder of Veriframe — an AI-powered GRC and compliance SaaS that automates security assessments, generates audit-ready reports across 8 frameworks (SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, NIST 800-53, QCF, and ECC-2:2024), and provides continuous cloud infrastructure monitoring with Drata-equivalent evidence collection across AWS, GCP, and Azure. Currently expanding into cloud penetration testing — bridging the gap between offensive tradecraft and the cloud-native attack surface.

When I'm not on an engagement, I'm writing about persistence vectors, reversing security products, and studying the latest Windows internals to find new attack surfaces.

Education
BS. Cybersecurity
Certifications
OSCP · CPTS · CRTO · CRTL
Specialization
Red Team · Penetration Testing
Focus Areas
AD · Offensive Security· AI for Security

What I work with

Deep expertise across the full offensive security stack — from Windows internals to cloud attack surfaces.

🎯

Offensive Security

Penetration Tester Red Teamer VAPT Professional Adversary Simulation
🛡️

EDR & AV Evasion

AMSI Bypass ETW Patching Syscalls NTDLL Unhooking Sleep Obfuscation
🏛️

Active Directory

Kerberos Attacks DACL Abuse ADCS DCSync BloodHound
🔧

Malware Development

C / C++17 MASM x64 Shellcode Process Injection
☁️

Cloud Security

Azure AD / Entra OAuth2 Abuse Service Principals Conditional Access
⚙️

Tools & Languages

Python PowerShell Rust Cobalt Strike Metasploit Impacket

Credentials

OSCP
OSCP
Offensive Security Certified Professional
Offensive Security · OffSec
Exploitation Buffer Overflow Pivoting
CPTS
CPTS
Certified Penetration Testing Specialist
HackTheBox Academy
Active Directory Web Attacks Reporting
CRTO
CRTO
Certified Red Team Operator
Zero-Point Security · RastaMouse
Cobalt Strike C2 Operations OPSEC
CRTL
CRTL
Certified Red Team Lead
Zero-Point Security · RastaMouse
Red Team Planning Infrastructure Adversary Sim

What I've built

Open-source tools and research published for the security community.

🔥
Chimera
v1.0 · C++17 / MASM

Windows 11 EDR/AV evasion framework implementing 12 MITRE ATT&CK techniques under a single CLI. Covers AMSI bypass, ETW patching, direct/indirect syscalls, NTDLL unhooking, process hollowing, module stomping, sleep obfuscation, call stack spoofing, and more.

EDR Bypass AMSI Syscalls C++17 MASM T1055
☁️
az-ad-audit
v1.0 · Python

Comprehensive Azure Active Directory / Entra ID security assessment tool. Audits service principals, conditional access policies, OAuth2 app permissions, privileged identities, and misconfigurations across the full Azure AD attack surface.

Azure AD Entra ID OAuth2 Python T1078.004
🕸️
GitHubC2
v1.0 · Python

Proof-of-concept C2 framework using GitHub Gist as a covert communication channel. Implant polls a Gist for commands, executes them, and writes output back — all traffic blends with normal GitHub API calls. Low-cost, high-stealth infrastructure.

C2 Living-off-the-Cloud Python T1102.001

Latest Writeups

Attack techniques, tool breakdowns, and research nobody else is writing about.

All Posts →
Persistence Active Directory
Mar 2026

Persistence Atlas: 19 Techniques Nobody Talks About

Shadow Credentials, AdminSDHolder backdoors, Time Provider DLLs, AMSI Provider registration — persistence vectors that fly under every defender's radar, with full implementation commands.

Read article
EDR Bypass Malware Dev
Feb 2026

Building Chimera: An EDR Evasion Framework from Scratch

How I built a 12-technique EDR bypass toolkit in C++17 and MASM. AMSI, ETW, NTDLL unhooking, direct/indirect syscalls, process hollowing, module stomping — full implementation details.

Read article
C2 Infrastructure
Apr 2026

GitHub Gist as C2: Living-off-the-Cloud Infrastructure

Stealthy C2 channel using GitHub Gist as the communication medium. Operator console, implant beacon, command dispatch — all over the GitHub API. Traffic blends with normal developer activity.

Read article
Hardware Implant Shellcode
Jul 2026

Crystal-PIC: Hardware-Keyed PIC Stager via Raspberry Pi Pico W

Original research: a novel C2 delivery chain using Raspberry Pi Pico W as a USB HID implant with an RP2040 hardware UID-derived AES key, position-independent shellcode stager, and covert key exchange over USB mouse timing jitter.

Read article

Techniques I research

Mapped to MITRE ATT&CK Enterprise and MITRE ATLAS (AI/ML threat matrix).

T1027.011 — Sleep Obfuscation T1055 — Process Injection T1055.001 — DLL Injection T1055.004 — Hollowing T1055.014 — Heaven's Gate T1548 — Privilege Escalation T1562.001 — AMSI Bypass T1562.006 — ETW Patch T1098.001 — Shadow Creds T1003.006 — DCSync T1134.004 — PPID Spoof T1134.005 — SIDHistory T1649 — ADCS Abuse T1556.001 — Skeleton Key T1556.002 — Pwd Filter T1078.004 — Cloud Accounts T1197 — BITS Jobs T1546.003 — WMI Persist T1546.015 — COM Hijack T1547.003 — Time Provider T1547.005 — SSP T1547.010 — Port Monitor T1102.001 — GitHub C2 <<<<<<< HEAD T1200 — Hardware Additions T1059.001 — PowerShell T1620 — Reflective Code Loading ======= AML.T0051 — LLM Prompt Injection AML.T0020 — Poison Training Data AML.T0043 — Craft Adversarial Data AML.T0040 — Inference API Access AML.T0048 — Backdoor ML Model AML.T0024 — Exfil via Inference API >>>>>>> 03d06c3 (test)

Let's connect

Open to red team consulting, research collaborations, and security discussions.

Find me on LinkedIn or explore my tools on GitHub.