RustRedOps – Rust Native Offensive Toolkit Collection for Red Teams

RustRedOps is a curated repository of offensive security proof-of-concepts and tools implemented in the Rust programming language. The project bundles numerous focused modules that demonstrate classic red team techniques translated into idiomatic Rust. Topics in the repository include process injection, memory mapping injection, payload staging, API hooking, ETW and AMSI patching, UEFI examples, and WebAssembly shellcode. The repo is intended for research, lab reproduction, and authorised red team development on Windows platforms.

Features

Multi-module collection covering process injection primitives, including Asynchronous Procedure Call injection, thread hijacking, function stomping, and module stomping.
Examples for payload staging and in-memory execution, including HTTP-based retrieval and registry-backed staging demonstrations.
Low-level primitives and evasions include direct system calls, CRT minimization, IAT obfuscation, and NTDLL unhooking.
Supporting projects demonstrating drivers, UEFI images, and WebAssembly-based shellcode execution.
Cross-Compilation Guidance for Building Modules for Specific Target Architectures.

Installation

The repository requires Rust and Cargo. Follow the repository README for module-specific prerequisites. Verbatim build and compile commands from the README are provided below.

git clone https://github.com/joaoviictorti/RustRedOps.git cd RustRedOps

To build modules in release mode:

cargo build --release

To list available target architectures:

rustup target list

To add a destination architecture:

rustup target add <arch>

To compile for a specific architecture:

cargo build --release --target <arch>

The README instructs operators to change into the particular module directory (for example cd RustRedOps/Process_Injection) before building, and to consult the module README for any additional dependencies such as Windows SDK components.

Usage

RustRedOps is a multi-project collection and does not expose a single global command line interface. The README instructs operators to select the module they need, read that module’s README for runtime options and example invocations, and then build and test the module in an isolated lab environment. Verbatim guidance from the README:

cd RustRedOps/<name-project> # follow the project-specific README for usage and examples

If a specific module exposes a CLI with a --help output, consult that module’s README or run the built binary in your test lab to capture its exact help text. The top-level repository does not provide a consolidated --help output.

Attack scenario

In a lab engagement simulating post-exploitation, an operator requires a compact, native binary to stage and execute shellcode without leaving visible artifacts. The operator clones the repository, navigates to Payload_Staging, builds the module with cargo build --release and configures the HTTP retrieval settings shown in the module README. The operator runs the loader in an isolated virtual machine, triggers the benign-looking HTTP fetch that returns encrypted shellcode, and the loader maps the shellcode into memory and executes it using fiber-based execution demonstrated in the Payload_Execution_Fibers example. From the elevated context obtained via token manipulation, the operator performs forensic-safe credential extraction and lateral movement planning. Use of these modules should be confined to authorised testbeds only.

Red team relevance and trade-offs

Rust offers strong performance, small static binaries and low-level control. These traits make Rust attractive for red team tooling where stealth, portability and minimal interpreter artifacts matter. RustRedOps demonstrates how classic offensive techniques map into Rust. Trade-offs include an increased build complexity and the need for careful code signing and packaging for engagement use. Operators must validate builds and sign binaries where required by engagement rules of engagement. Defenders should expect a rise in native Rust executables performing behaviours historically associated with interpreted scripts or managed code.

Detection and mitigation

Defenders can prioritise the following controls when validating exposure to Rust-native offensive tooling:

Instrument endpoint telemetry to detect suspicious in-memory execution patterns, unusual network retrieval of executable payloads and unexpected use of direct syscalls.
Monitor for new or unexpected native binaries in execution paths and baseline common developer and administrator tools to reduce false positives.
Use file integrity monitoring and signed binaries enforcement to limit execution of unsigned artifacts.
Apply process and registry auditing to detect staging behaviours such as registry-based payload retrieval.

Related Darknet coverage

For defensive context and complementary tools on darknet.org.uk see:

Windows_EndPoint_Audit – Endpoint Security Auditing Toolkit — automated checks for misconfigurations and weak permissions relevant to detecting installer and post-exploit issues.
mitmproxy – Intercepting HTTP Proxy Tool — useful for inspecting and emulating HTTP-based payload retrieval and staging flows in a lab.
BlockEDRTraffic – EDR Evasive Lateral Movement Tool — demonstrates EDR evasion approaches and highlights why native binaries require careful detection strategies.

Conclusion

RustRedOps is a pragmatic repository for red teamers who want Rust-native examples of process injection, payload staging and evasion primitives. It is a modular collection intended for research and lab reproduction. Operators should compile and test modules in isolated environments and follow engagement rules of engagement for code signing and operational risk. Use the module READMEs as the authoritative source for usage and options.

You can read more or download RustRedOps here: https://github.com/joaoviictorti/RustRedOps