Work

Talks, tools, research, and writing.

Everything public, organized by category. All entries link to source material.

SANS courses

Courses authored and taught at SANS Institute.

SEC565: Red Team Operations and Adversary Emulation (SANS course; author & instructor)
SANS course on red team operations covering adversary emulation, C2, and end-to-end attack simulation.
Link: SANS Institute

SEC699: Advanced AI Security and Operations (SANS course; author & instructor)
SANS course on applying AI to security operations: LLM integration, AI-powered workflows, and practical AI security.
Link: SANS Institute

Workshops & talks

Workshops, conference talks, and hands-on training material.

Vibe Hacking: MCP Empire Edition (2026 workshop; workshop author)
SANS workshop on driving Empire C2 through an MCP server using natural-language workflows.
Link: GitHub

From Zero to Hero: Creating a Reflective Loader in C# (workshop author; 40 stars)
Hands-on workshop on building reflective loaders in C#, with source code and slide decks.
Link: GitHub

Fun with Shellcode Loaders (x33fcon talk; speaker)
x33fcon talk exploring creative shellcode loader techniques for offensive operations.
Link: x33fcon

Busting the Ghost in the Logs (conference talk; co-speaker with Randy Pargman)
A defender's worst nightmare comes true: how can blue teams react when attackers have blocked all telemetry?
Link: Conference talk

D/Invoke: EDR Bypassing (BruCon talk; speaker)
BruCon talk on using D/Invoke to bypass EDR solutions by resolving and calling unmanaged Windows APIs dynamically at runtime instead of through static P/Invoke imports.
Link: BruCon

NTLM Relaying 101: How Internal Pentesters Compromise Domains (SANS workshop; workshop author)
SANS workshop on NTLM relay attacks for internal pentests, with an accompanying gitbook walkthrough.
Link: SANS

Understanding & Detecting User Impersonation & Lateral Movement (SANS webcast; speaker)
SANS webcast on detecting user impersonation techniques and lateral movement in enterprise environments.
Link: SANS

AD Privilege Escalation with Empire (workshop; workshop author)
Hands-on workshop on Active Directory privilege escalation using Empire C2, with a gitbook walkthrough.
Link: Gitbook

Open-source tooling

Offensive security tools built for real operator workflows.

LazySign (creator; 570+ stars)
Fake code-signing for binaries using only built-in Windows tooling. The most-starred tool in the collection.
Link: GitHub

SharpZipRunner (creator; 304 stars)
Encrypted-zip loader that executes position-independent shellcode from memory.
Link: GitHub

Invoke-DLLClone (creator; 216 stars)
PowerShell tool combining DLL cloning and signing into a practical offensive workflow.
Link: GitHub

phisherman (creator; 131 stars)
Phishing and MFA-bypass training application, originally built for SEC565.
Link: GitHub

aws_mini_ad (creator; workshop range)
IaC proof of concept for deploying a minimal Active Directory lab in AWS.
Link: GitHub

SharpHandler (creator)
Tool for stealing and duplicating handles from other processes to abuse their privileges.
Link: GitHub

AmsiHooker (creator)
AMSI bypass via hooking, disabling the Antimalware Scan Interface at runtime.
Link: GitHub

SharpNukeEventLog (creator)
Tool for nuking Windows event logs to cover tracks during red team operations.
Link: GitHub

Backdoorplz (creator)
Backdoor implant tool for persistence during red team engagements.
Link: GitHub

Clippi-B (creator)
Clipboard monitoring tool for capturing sensitive data during offensive operations.
Link: GitHub

Articles & posts

Technical writing on security operations, infrastructure, and offensive tradecraft.

A Decade of Security Assessments: Security Issues That Refuse to Die (SANS blog; author)
Recurring security issues observed over a decade of assessments: the problems that keep coming back.
Link: SANS Blog

Tap Tap, Is This Thing On? Creating a Notification Service for Cobalt Strike (NVISO blog; author)
Building a notification service to alert operators when new beacons check in on Cobalt Strike.
Link: NVISO Labs

Using GenAI to Encode Malware and Bypass EDR (Neuvik blog; author)
Exploring how generative AI can be used to encode malware payloads and evade endpoint detection.
Link: Neuvik

The Return of the Spoof Part 1: Parent Process ID Spoofing (NVISO blog; author)
Techniques for spoofing parent process IDs to evade detection during offensive operations.
Link: NVISO Labs

Unmanaged File Searching with FileSearcher.exe (NVISO blog; author)
Using FileSearcher.exe, an unmanaged (native, non-CLR) file-search tool, to locate sensitive files during red team engagements.
Link: NVISO Labs

I Solemnly Swear I Am Up to No Good: Introducing the Marauders Map (NVISO blog; author)
Introducing a tool for mapping out attack paths and visualizing offensive operations.
Link: NVISO Labs

Using SCYTHE Payload as Shellcode (SCYTHE blog; author)
Walkthrough on converting SCYTHE payloads into shellcode for use in custom loaders.
Link: SCYTHE

The Tale of Privilege Escalation vs the Unstartable Service (case study; co-author with Dave Mayer)
Technical case study on a privilege escalation finding involving a service that would not start.
Link: Neuvik

A Comprehensive Guide on Relaying Anno 2022 (TrustedSec blog; author)
In-depth guide covering modern NTLM relay attack techniques and mitigations.
Link: TrustedSec

Decks & material

Workshop slide decks, webcast repos, and downloadable material.

NTLM Relaying Like a Boss Gitbook (gitbook; walkthrough)
Step-by-step gitbook companion to the NTLM Relaying 101 workshop.
Link: Gitbook

2026 Workshops and Webcasts (live repo; material hub)
Public repository for current workshop and webcast material.
Link: GitHub

SANS Emulation Workshop Deck (slide deck)
PDF deck accompanying the Buer emulation workshop.
Link: GitHub

SANS Reflection Workshop Deck (slide deck)
PDF deck accompanying the C# reflective-loader workshop.
Link: GitHub