Awesome-Red-Teaming

Red Teaming Guide

A curated list of resources and techniques for conducting red teaming exercises.

List of Awesome Red Teaming Resources

Tags: cobalt-strike, empire, phishing, redteam, redteaming, uac

Initial Access

The Hitchhiker’s Guide To Initial Access
How To: Empire’s Cross Platform Office Macro
Phishing with PowerPoint
PHISHING WITH EMPIRE
Bash Bunny
OWASP Presentation of Social Engineering - OWASP
USB Drop Attacks: The Danger of “Lost And Found” Thumb Drives
Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter - Defcon 24
Cobalt Strike - Spear Phishing documentation
Cobalt Strike Blog - What's the go-to phishing technique or exploit?
Spear phishing with Cobalt Strike - Raphael Mudge
EMAIL RECONNAISSANCE AND PHISHING TEMPLATE GENERATION MADE SIMPLE
Phishing for access
Excel macros with PowerShell
PowerPoint and Custom Actions
Macro-less Code Exec in MSWord
Multi-Platform Macro Phishing Payloads
Abusing Microsoft Word Features for Phishing: “subDoc”
Phishing Against Protected View
POWERSHELL EMPIRE STAGERS 1: PHISHING WITH AN OFFICE MACRO AND EVADING AVS
The PlugBot: Hardware Botnet Research Project
Luckystrike: An Evil Office Document Generator
The Absurdly Underestimated Dangers of CSV Injection
Macroless DOC malware that avoids detection with Yara rule
Phishing between the app whitelists
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)
Social Engineer Portal
7 Best Social Engineering Attacks
Using Social Engineering Tactics For Big Data Espionage - RSA Conference Europe 2012
USING THE DDE ATTACK WITH POWERSHELL EMPIRE
Phishing on Twitter - POT
Microsoft Office – NTLM Hashes via Frameset
Defense-In-Depth write-up
Spear Phishing 101

Execution

Research on CMSTP.exe
Windows oneliners to download remote payload and execute arbitrary code
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
WSH Injection: A Case Study
Gscript Dropper

Persistence

A View of Persistence
hiding registry keys with psreflect
Persistence using RunOnceEx – Hidden from Autoruns.exe
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
Putting data in Alternate data streams and how to execute it – part 2
WMI Persistence with Cobalt Strike
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)
Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction

Privilege Escalation / User Account Control Bypass

First entry: Welcome and fileless UAC bypass
Exploiting Environment Variables in Scheduled Tasks for UAC Bypass
Reading Your Way Around UAC in 3 parts: Part 1
Bypassing UAC using App Paths
"Fileless" UAC Bypass using sdclt.exe
UAC Bypass or story about three escalations
"Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking
Bypassing UAC on Windows 10 using Disk Cleanup
Using IARPUninstallStringLauncher COM interface to bypass UAC
Fileless UAC Bypass using sdclt
Eventvwr File-less UAC Bypass CNA
Windows 7 UAC whitelist

Privilege Escalation / Escalation

Windows Privilege Escalation Checklist
From Patch Tuesday to DA
A Path for Privilege Escalation

Defense Evasion

Windows 10 Device Guard Bypass
AppLocker Bypass List
Windows Signed Binary
Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)
Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations
Empire without powershell
Powershell without Powershell to bypass app whitelist
MS Signed mimikatz in just 3 steps
Hiding your process from sysinternals
code signing certificate cloning attacks and defenses
userland api monitoring and code injection detection
In memory evasion
Bypassing AMSI via COM Server Hijacking
process doppelganging
Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5
VEIL-EVASION AES ENCRYPTED HTTPKEY REQUEST: SAND-BOX EVASION
Putting data in Alternate data streams and how to execute it
AppLocker – Case study – How insecure is it really? – Part 1
AppLocker – Case study – How insecure is it really? – Part 2
Harden Windows with AppLocker – based on Case study part 2
Office 365 Safe links bypass
Windows Defender Attack Surface Reduction Rules bypass
Bypassing Device guard UMCI using CHM – CVE-2017-8625
Bypassing Application Whitelisting with BGInfo
Cloning and Hosting Evil Captive Portals using a Wifi PineApple
Loading Alternate Data Stream (ADS) DLL/CPL Binaries to Bypass AppLocker - https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
mavinject.exe Functionality Deconstructed

Credential Access

Windows Access Tokens and Alternate credentials
Bringing the hashes home with reGeorg & Empire
Intercepting passwords with Empire and winning
Local Administrator Password Solution (LAPS) Part 1
Local Administrator Password Solution (LAPS) Part 2
USING A SCF FILE TO GATHER HASHES
Remote Hash Extraction On Demand Via Host Security Descriptor Modification
Offensive Encrypted Data Storage
Practical guide to NTLM Relaying
Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
Dumping Domain Password Hashes

Discovery

Red Team Operating in a Modern Environment
My First Go with BloodHound
Introducing BloodHound
A Red Teamer’s Guide to GPOs and OUs
Automated Derivative Administrator Search
A Pentester’s Guide to Group Scoping
Local Group Enumeration
The PowerView PowerUsage Series #1 - Mass User Profile Enumeration
The PowerView PowerUsage Series #2 – Mapping Computer Shortnames With the Global Catalog
The PowerView PowerUsage Series #3 – Enumerating GPO edit rights in a foreign domain
The PowerView PowerUsage Series #4 – Finding cross-trust ACEs
Aggressor PowerView
Lay of the Land with BloodHound
Scanning for Active Directory Privileges & Privileged Accounts
Microsoft LAPS Security & Active Directory LAPS Configuration Recon
Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation
SPN Discovery

Lateral Movement

A Citrix Story
Jumping Network Segregation with RDP
Pass hash pass ticket no pain
Abusing DNSAdmins privilege for escalation in Active Directory
Using SQL Server for attacking a Forest Trust
Extending BloodHound for Red Teamers
OPSEC Considerations for beacon commands
My First Go with BloodHound
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
Lateral movement using excel application and dcom
Lay of the Land with BloodHound
The Most Dangerous User Right You (Probably) Have Never Heard Of
Agentless Post Exploitation
A Guide to Attacking Domain Trusts
Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy
Targeted Kerberoasting
Kerberoasting Without Mimikatz
Abusing GPO Permissions
Abusing Active Directory Permissions with PowerView
Roasting AS-REPs
Getting the goods with CrackMapExec: Part 1
Getting the goods with CrackMapExec: Part 2
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
Outlook Home Page – Another Ruler Vector
Outlook Forms and Shells
Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
LethalHTA - A new lateral movement technique using DCOM and HTA
Abusing DCOM For Yet Another Lateral Movement Technique

Collection

Accessing clipboard from the lock screen in Windows 10 Part 1
Accessing clipboard from the lock screen in Windows 10 Part 2

Exfiltration

DNS Data exfiltration — What is this and How to use?
DNS Tunnelling
sg1: swiss army knife for data encryption, exfiltration & covert communication
Data Exfiltration over DNS Request Covert Channel: DNSExfiltrator
DET (extensible) Data Exfiltration Toolkit
Data Exfiltration via Formula Injection Part1

Command and Control / Domain Fronting

Empire Domain Fronting
Escape and Evasion Egressing Restricted Networks - Tom Steele and Chris Patten
Finding Frontable Domains
TOR Fronting – Utilising Hidden Services for Privacy
Simple domain fronting PoC with GAE C2 server
Domain Fronting Via Cloudfront Alternate Domains
Finding Domain frontable Azure domains - thoth / Fionnbharr (@a_profligate)
Google Groups: Blog post on finding 2000+ Azure domains using Censys
Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike
SSL Domain Fronting 101
How I Identified 93k Domain-Frontable CloudFront Domains
Validated CloudFront SSL Domains
CloudFront Hijacking
CloudFrunt GitHub Repo

Command and Control / Connection Proxy

Redirecting Cobalt Strike DNS Beacons
Apache2Mod Rewrite Setup
Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite
High-reputation Redirectors and Domain Fronting
Cloud-based Redirectors for Distributed Hacking
Combatting Incident Responders with Apache mod_rewrite
Operating System Based Redirection with Apache mod_rewrite
Invalid URI Redirection with Apache mod_rewrite
Strengthen Your Phishing with Apache mod_rewrite and Mobile User Redirection
mod_rewrite rule to evade vendor sandboxes
Expire Phishing Links with Apache RewriteMap
Serving random payloads with NGINX
Mod_Rewrite Automatic Setup
Hybrid Cobalt Strike Redirectors
Expand Your Horizon Red Team – Modern SAAS C2
RTOps: Automating Redirector Deployment With Ansible

Command and Control / Web Services

C2 with Dropbox
C2 with gmail
C2 with twitter
Office 365 for Cobalt Strike C2
Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike
A stealthy Python based Windows backdoor that uses Github as a C&C server
External C2 (Third-Party Command and Control)
Cobalt Strike over external C2 – beacon home in the most obscure ways
External C2 for Cobalt Strike
External C2 framework for Cobalt Strike
External C2 framework - GitHub Repo
Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs
Exploring Cobalt Strike's ExternalC2 framework

Command and Control / Application Layer Protocol

C2 WebSocket
C2 WMI
C2 Website
C2 Image
C2 Javascript
C2 WebInterface
C2 with DNS
C2 with https
C2 with webdav
Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
InternetExplorer.Application for C2

Command and Control / Infrastructure

Automated Red Team Infrastructure Deployment with Terraform - Part 1
Automated Red Team Infrastructure Deployment with Terraform - Part 2
Red Team Infrastructure - AWS Encrypted EBS
6 RED TEAM INFRASTRUCTURE TIPS
How to Build a C2 Infrastructure with Digital Ocean – Part 1
Infrastructure for Ongoing Red Team Operations
Attack Infrastructure Log Aggregation and Monitoring
Randomized Malleable C2 Profiles Made Easy
Migrating Your infrastructure
ICMP C2
Using WebDAV features as a covert channel
Safe Red Team Infrastructure
EGRESSING BLUECOAT WITH COBALTSTRIKE & LET'S ENCRYPT
Command and Control Using Active Directory
A Vision for Distributed Red Team Operations
Designing Effective Covert Red Team Attack Infrastructure
Serving Random Payloads with Apache mod_rewrite
Mail Servers Made Easy
Securing your Empire C2 with Apache mod_rewrite
Automating Gophish Releases With Ansible and Docker
How to Write Malleable C2 Profiles for Cobalt Strike
How to Make Communication Profiles for Empire
A Brave New World: Malleable C2
Malleable Command and Control

Embedded and Peripheral Devices Hacking

Getting in with the Proxmark3 & ProxBrute
Practical Guide to RFID Badge copying
Contents of a Physical Pentester Backpack
MagSpoof - credit card/magstripe spoofer
Wireless Keyboard Sniffer
RFID Hacking with The Proxmark 3
Swiss Army Knife for RFID
Exploring NFC Attack Surface
Outsmarting smartcards
Reverse engineering HID iClass Master keys
Android Open Pwn Project (AOPP)

Misc

Red Tips of Vysec
Cobalt Strike Tips for 2016 ccde red teams
Models for Red Team Operations
Planning a Red Team exercise
Raphael Mudge - Dirty Red Team tricks
introducing the adversary resilience methodology part 1
introducing the adversary resilience methodology part 2
Responsible red team
Red Teaming for Pacific Rim CCDC 2017
How I Prepared to Red Team at PRCCDC 2015
Red Teaming for Pacific Rim CCDC 2016
Responsible Red Teams
Awesome-CobaltStrike
Part-1 RedTeaming from Zero to One

Red Team Gadgets

LAN Tap Pro
LAN Turtle
Bash Bunny
Key Croc
Packet Squirrel
Shark Jack
WiFi Pineapple
Alfa Long Range Wireless USB
Wifi-Deauth Monster
Crazy PA
Signal Owl
BLE Key
Proxmark3
Zigbee Sniffer
Attify IoT Exploit kit
HackRF One Bundle
RTL-SDR
YARD stick one Bundle
Ubertooth
Key Grabber
Magspoof
Poison tap
keysweeper
USB Rubber Ducky
Screen Crab
O.MG Cable
Keysy
Dorothy for Okta SSO

Ebooks

Next Generation Red Teaming
Targeted Cyber Attack
Advanced Penetration Testing: Hacking the World's Most Secure Networks
Social Engineers' Playbook Practical Pretexting
The Hacker Playbook 3: Practical Guide To Penetration Testing
How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK

Training (Free)

Tradecraft - a course on red team operations
Advanced Threat Tactics Course & Notes
FireEye - a whiteboard session on red team operations
Building an Effective Active Directory Lab Environment for Testing
Setting up DetectionLab
vulnerable-AD - Script to make your home AD Lab vulnerable

Certification

CREST Certified Simulated Attack Specialist
CREST Certified Simulated Attack Manager
SEC564: Red Team Operations and Threat Emulation
ELearn Security Penetration Testing eXtreme
Certified Red Team Professional
Certified Red Teaming Expert
PentesterAcademy Certified Enterprise Security Specialist (PACES)
