Resources
Initial Access
- How To: Empire’s Cross Platform Office Macro
- Phishing with PowerPoint
- PHISHING WITH EMPIRE
- Bash Bunny
- OWASP Presentation of Social Engineering - OWASP
- USB Drop Attacks: The Danger of “Lost And Found” Thumb Drives
- Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter - Defcon 23
- Cobalt Strike - Spear Phishing documentation
- Cobalt Strike Blog - What’s the go-to phishing technique or exploit?
- Spear phishing with Cobalt Strike - Raphael Mudge
- EMAIL RECONNAISSANCE AND PHISHING TEMPLATE GENERATION MADE SIMPLE
- Phishing for access
- Excel macros with PowerShell
- PowerPoint and Custom Actions
- Macro-less Code Exec in MSWord
- Multi-Platform Macro Phishing Payloads
- Abusing Microsoft Word Features for Phishing: “subDoc”
- Phishing Against Protected View
- POWERSHELL EMPIRE STAGERS 1: PHISHING WITH AN OFFICE MACRO AND EVADING AVS
- The PlugBot: Hardware Botnet Research Project
- Luckystrike: An Evil Office Document Generator
- The Absurdly Underestimated Dangers of CSV Injection
- Macroless DOC malware that avoids detection with Yara rule
- Phishing between the app whitelists
- Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)
- Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)
- Social Engineer Portal
- 7 Best social Engineering attack
- Using Social Engineering Tactics For Big Data Espionage - RSA Conference Europe 2012
- USING THE DDE ATTACK WITH POWERSHELL EMPIRE
- Phishing on Twitter - POT
- Microsoft Office – NTLM Hashes via Frameset
- Defense-In-Depth write-up
- Spear Phishing 101
Execution
- Research on CMSTP.exe,
- Windows oneliners to download remote payload and execute arbitrary code
- Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
- WSH Injection: A Case Study
- Gscript Dropper
Persistence
- A View of Persistence
- hiding registry keys with psreflect
- Persistence using RunOnceEx – Hidden from Autoruns.exe
- Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
- Putting data in Alternate data streams and how to execute it – part 2
- WMI Persistence with Cobalt Strike
- Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
- Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)
- Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction
Privilege Escalation
User Account Control Bypass
- First entry: Welcome and fileless UAC bypass,
- Exploiting Environment Variables in Scheduled Tasks for UAC Bypass,
- Reading Your Way Around UAC in 3 parts: Part 1. Part 2. Part 3.
- Bypassing UAC using App Paths,
- “Fileless” UAC Bypass using sdclt.exe,
- UAC Bypass or story about three escalations,
- “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking,
- Bypassing UAC on Windows 10 using Disk Cleanup,
- Using IARPUninstallStringLauncher COM interface to bypass UAC,
- Fileless UAC Bypass using sdclt
- Eventvwr File-less UAC Bypass CNA
- Windows 7 UAC whitelist
Escalation
Defense Evasion
- Window 10 Device Guard Bypass
- App Locker ByPass List
- Window Signed Binary
- Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)
- Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations
- Empire without powershell
- Powershell without Powershell to bypass app whitelist
- MS Signed mimikatz in just 3 steps
- Hiding your process from sysinternals
- code signing certificate cloning attacks and defenses
- userland api monitoring and code injection detection
- In memory evasion
- Bypassing AMSI via COM Server Hijacking
- process doppelganging
- Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5
- VEIL-EVASION AES ENCRYPTED HTTPKEY REQUEST: SAND-BOX EVASION
- Putting data in Alternate data streams and how to execute it
- AppLocker – Case study – How insecure is it really? – Part 1
- AppLocker – Case study – How insecure is it really? – Part 2
- Harden Windows with AppLocker – based on Case study part 2
- Harden Windows with AppLocker – based on Case study part 2
- Office 365 Safe links bypass
- Windows Defender Attack Surface Reduction Rules bypass
- Bypassing Device guard UMCI using CHM – CVE-2017-8625
- Bypassing Application Whitelisting with BGInfo
- Cloning and Hosting Evil Captive Portals using a Wifi PineApple
- https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
- Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
- mavinject.exe Functionality Deconstructed
Credential Access
- Windows Access Tokens and Alternate credentials
- Bringing the hashes home with reGeorg & Empire
- Intercepting passwords with Empire and winning
- Local Administrator Password Solution (LAPS) Part 1
- Local Administrator Password Solution (LAPS) Part 2
- USING A SCF FILE TO GATHER HASHES
- Remote Hash Extraction On Demand Via Host Security Descriptor Modification
- Offensive Encrypted Data Storage
- Practical guide to NTLM Relaying
- Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
- Dumping Domain Password Hashes
Discovery
- Red Team Operating in a Modern Environment
- My First Go with BloodHound
- Introducing BloodHound
- A Red Teamer’s Guide to GPOs and OUs
- Automated Derivative Administrator Search
- A Pentester’s Guide to Group Scoping
- Local Group Enumeration
- The PowerView PowerUsage Series #1 - Mass User Profile Enumeration
- The PowerView PowerUsage Series #2 – Mapping Computer Shortnames With the Global Catalog
- The PowerView PowerUsage Series #3 – Enumerating GPO edit rights in a foreign domain
- The PowerView PowerUsage Series #4 – Finding cross-trust ACEs
- Aggressor PowerView
- Lay of the Land with BloodHound
- Scanning for Active Directory Privileges & Privileged Accounts
- Microsoft LAPS Security & Active Directory LAPS Configuration Recon
- Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation
- SPN Discovery
Lateral Movement
- A Citrx Story
- Jumping Network Segregation with RDP
- Pass hash pass ticket no pain
- Abusing DNSAdmins privilege for escalation in Active Directory
- Using SQL Server for attacking a Forest Trust
- Extending BloodHound for Red Teamers
- OPSEC Considerations for beacon commands
- My First Go with BloodHound
- Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
- Lateral movement using excel application and dcom
- Lay of the Land with BloodHound
- The Most Dangerous User Right You (Probably) Have Never Heard Of
- Agentless Post Exploitation
- A Guide to Attacking Domain Trusts
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy
- Targeted Kerberoasting
- Kerberoasting Without Mimikatz
- Abusing GPO Permissions
- Abusing Active Directory Permissions with PowerView
- Roasting AS-REPs
- Getting the goods with CrackMapExec: Part 1
- Getting the goods with CrackMapExec: Part 2
- DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
- Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
- a guide to attacking domain trusts
- Outlook Home Page – Another Ruler Vector
- Outlook Forms and Shells
- Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
- LethalHTA - A new lateral movement technique using DCOM and HTA
- Abusing DCOM For Yet Another Lateral Movement Technique
Collection
- Accessing clipboard from the lock screen in Windows 10 Part 1
- Accessing clipboard from the lock screen in Windows 10 Part 2
Exfiltration
- DNS Data exfiltration — What is this and How to use?
- DNS Tunnelling
- sg1: swiss army knife for data encryption, exfiltration & covert communication
- Data Exfiltration over DNS Request Covert Channel: DNSExfiltrator
- DET (extensible) Data Exfiltration Toolkit
- Data Exfiltration via Formula Injection Part1
Command and Control
Domain Fronting
- Empre Domain Fronting
- Escape and Evasion Egressing Restricted Networks - Tom Steele and Chris Patten
- Finding Frontable Domain
- TOR Fronting – Utilising Hidden Services for Privacy
- Simple domain fronting PoC with GAE C2 server
- Domain Fronting Via Cloudfront Alternate Domains
- Finding Domain frontable Azure domains - thoth / Fionnbharr (@a_profligate)
- Google Groups: Blog post on finding 2000+ Azure domains using Censys
- Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike
- SSL Domain Fronting 101
- How I Identified 93k Domain-Frontable CloudFront Domains
- Validated CloudFront SSL Domains
- CloudFront Hijacking
- CloudFrunt GitHub Repo
Connection Proxy
- Redirecting Cobalt Strike DNS Beacons
- Apache2Mod Rewrite Setup
- Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite
- High-reputation Redirectors and Domain Fronting
- Cloud-based Redirectors for Distributed Hacking
- Combatting Incident Responders with Apache mod_rewrite
- Operating System Based Redirection with Apache mod_rewrite
- Invalid URI Redirection with Apache mod_rewrite
- Strengthen Your Phishing with Apache mod_rewrite and Mobile User Redirection
- mod_rewrite rule to evade vendor sandboxes
- Expire Phishing Links with Apache RewriteMap
- Serving random payloads with NGINX
- Mod_Rewrite Automatic Setup
- Hybrid Cobalt Strike Redirectors
- Expand Your Horizon Red Team – Modern SAAS C2
- RTOps: Automating Redirector Deployment With Ansible
Web Services
- C2 with Dropbox
- C2 with gmail
- C2 with twitter
- Office 365 for Cobalt Strike C2
- Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike
- A stealthy Python based Windows backdoor that uses Github as a C&C server
- External C2 (Third-Party Command and Control)
- Cobalt Strike over external C2 – beacon home in the most obscure ways
- External C2 for Cobalt Strike
- External C2 framework for Cobalt Strike
- External C2 framework - GitHub Repo
- Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs
- Exploring Cobalt Strike’s ExternalC2 framework
Application Layer Protocol
- C2 WebSocket
- C2 WMI
- C2 Website
- C2 Image
- C2 Javascript
- C2 WebInterface
- C2 with DNS
- C2 with https
- C2 with webdav
- Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
- InternetExplorer.Application for C2
Infrastructure
- Automated Red Team Infrastructure Deployment with Terraform - Part 1
- Automated Red Team Infrastructure Deployment with Terraform - Part 2
- Red Team Infrastructure - AWS Encrypted EBS
- 6 RED TEAM INFRASTRUCTURE TIPS
- How to Build a C2 Infrastructure with Digital Ocean – Part 1
- Infrastructure for Ongoing Red Team Operations
- Attack Infrastructure Log Aggregation and Monitoring
- Randomized Malleable C2 Profiles Made Easy
- Migrating Your infrastructure
- ICMP C2
- Using WebDAV features as a covert channel
- Safe Red Team Infrastructure
- EGRESSING BLUECOAT WITH COBALTSTIKE & LET’S ENCRYPT
- Command and Control Using Active Directory
- A Vision for Distributed Red Team Operations
- Designing Effective Covert Red Team Attack Infrastructure
- Serving Random Payloads with Apache mod_rewrite
- Mail Servers Made Easy
- Securing your Empire C2 with Apache mod_rewrite
- Automating Gophish Releases With Ansible and Docker
- How to Write Malleable C2 Profiles for Cobalt Strike
- How to Make Communication Profiles for Empire
- A Brave New World: Malleable C2
- Malleable Command and Control
Embedded and Peripheral Devices Hacking
- Gettting in with the Proxmark3 & ProxBrute
- Practical Guide to RFID Badge copying
- Contents of a Physical Pentester Backpack
- MagSpoof - credit card/magstripe spoofer
- Wireless Keyboard Sniffer
- RFID Hacking with The Proxmark 3
- Swiss Army Knife for RFID
- Exploring NFC Attack Surface
- Outsmarting smartcards
- Reverse engineering HID iClass Master keys
- Android Open Pwn Project (AOPP)
Misc
- Red Tips of Vysec
- Cobalt Strike Tips for 2016 ccde red teams
- Models for Red Team Operations
- Planning a Red Team exercise
- Raphael Mudge - Dirty Red Team tricks
- introducing the adversary resilience methodology part 1
- introducing the adversary resilience methodology part 2
- Responsible red team
- Red Teaming for Pacific Rim CCDC 2017
- How I Prepared to Red Team at PRCCDC 2015
- Red Teaming for Pacific Rim CCDC 2016
- Responsible Red Teams
RedTeam Gadgets
Network Implants
- LAN Tap Pro
- Rubber Ducky
- LAN Turtle
- Bash Bunny
- PACKET SQUIRRE
Wifi Auditing
- WiFi Pineapple
- Alpha Long range Wireless USB
- Wifi-Deauth Monster
- Crazy PA
IoT
- BLE Key
- Proxmark3
- Zigbee Sniffer
- Attify IoT Exploit kit
Software Defined Radio - SDR
- HackRF One Bundle
- RTL-SDR
- YARD stick one Bundle
- Ubertooth
Misc
- Key Grabber
- Magspoof
- Poison tap
- keysweeper
Ebooks
- Next Generation Red Teaming
- Targeted Cyber Attack
- Advanced Penetration Testing: Hacking the World’s Most Secure Networks
- Social Engieers’ Playbook Pretical Pretexting