Table of Contents / ↑ Initial Access |
The Hitchhiker’s Guide To Initial Access | | | |
How To: Empire’s Cross Platform Office Macro | | | |
Phishing with PowerPoint | | | |
PHISHING WITH EMPIRE | | | |
Bash Bunny | | | |
OWASP Presentation of Social Engineering - OWASP | | | |
USB Drop Attacks: The Danger of “Lost And Found” Thumb Drives | | | |
Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter - Defcon 24 | | | |
Cobalt Strike - Spear Phishing documentation | | | |
Cobalt Strike Blog - What's the go-to phishing technique or exploit? | | | |
Spear phishing with Cobalt Strike - Raphael Mudge | | | |
EMAIL RECONNAISSANCE AND PHISHING TEMPLATE GENERATION MADE SIMPLE | | | |
Phishing for access | | | |
Excel macros with PowerShell | | | |
PowerPoint and Custom Actions | | | |
Macro-less Code Exec in MSWord | | | |
Multi-Platform Macro Phishing Payloads | | | |
Abusing Microsoft Word Features for Phishing: “subDoc” | | | |
Phishing Against Protected View | | | |
POWERSHELL EMPIRE STAGERS 1: PHISHING WITH AN OFFICE MACRO AND EVADING AVS | | | |
The PlugBot: Hardware Botnet Research Project | | | |
Luckystrike: An Evil Office Document Generator | | | |
The Absurdly Underestimated Dangers of CSV Injection | | | |
Macroless DOC malware that avoids detection with Yara rule | | | |
Phishing between the app whitelists | | | |
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2) | | | |
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2) | | | |
Social Engineer Portal | | | |
7 Best social Engineering attack | | | |
Using Social Engineering Tactics For Big Data Espionage - RSA Conference Europe 2012 | | | |
USING THE DDE ATTACK WITH POWERSHELL EMPIRE | | | |
Phishing on Twitter - POT | | | |
Microsoft Office – NTLM Hashes via Frameset | | | |
Defense-In-Depth write-up | | | |
Spear Phishing 101 | | | |
Table of Contents / ↑ Execution |
Research on CMSTP.exe, | | | |
Windows oneliners to download remote payload and execute arbitrary code | | | |
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts | | | |
WSH Injection: A Case Study | | | |
Gscript Dropper | | | |
Table of Contents / ↑ Persistence |
A View of Persistence | | | |
hiding registry keys with psreflect | | | |
Persistence using RunOnceEx – Hidden from Autoruns.exe | | | |
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe | | | |
Putting data in Alternate data streams and how to execute it – part 2 | | | |
WMI Persistence with Cobalt Strike | | | |
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence | | | |
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2) | | | |
Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction | | | |
Table of Contents / ↑ Privilege Escalation / User Account Control Bypass |
First entry: Welcome and fileless UAC bypass, | | | |
Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, | | | |
Part 1. | | | Reading Your Way Around UAC in 3 parts: |
Bypassing UAC using App Paths, | | | |
"Fileless" UAC Bypass using sdclt.exe, | | | |
UAC Bypass or story about three escalations, | | | |
"Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, | | | |
Bypassing UAC on Windows 10 using Disk Cleanup, | | | |
Using IARPUninstallStringLauncher COM interface to bypass UAC, | | | |
Fileless UAC Bypass using sdclt | | | |
Eventvwr File-less UAC Bypass CNA | | | |
Windows 7 UAC whitelist | | | |
Table of Contents / ↑ Privilege Escalation / Escalation |
Windows Privilege Escalation Checklist | 2,509 | 3 months ago | |
From Patch Tuesday to DA | | | |
A Path for Privilege Escalation | | | |
Table of Contents / ↑ Defense Evasion |
Window 10 Device Guard Bypass | 133 | over 7 years ago | |
App Locker ByPass List | 1,925 | about 1 year ago | |
Window Signed Binary | 6 | about 7 years ago | |
Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files) | | | |
Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations | | | |
Empire without powershell | | | |
Powershell without Powershell to bypass app whitelist | | | |
MS Signed mimikatz in just 3 steps | 2,121 | over 3 years ago | |
Hiding your process from sysinternals | | | |
code signing certificate cloning attacks and defenses | | | |
userland api monitoring and code injection detection | | | |
In memory evasion | | | |
Bypassing AMSI via COM Server Hijacking | | | |
process doppelganging | | | |
Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5 | | | |
VEIL-EVASION AES ENCRYPTED HTTPKEY REQUEST: SAND-BOX EVASION | | | |
Putting data in Alternate data streams and how to execute it | | | |
AppLocker – Case study – How insecure is it really? – Part 1 | | | |
AppLocker – Case study – How insecure is it really? – Part 2 | | | |
Harden Windows with AppLocker – based on Case study part 2 | | | |
Harden Windows with AppLocker – based on Case study part 2 | | | |
Office 365 Safe links bypass | | | |
Windows Defender Attack Surface Reduction Rules bypass | | | |
Bypassing Device guard UMCI using CHM – CVE-2017-8625 | | | |
Bypassing Application Whitelisting with BGInfo | | | |
Cloning and Hosting Evil Captive Portals using a Wifi PineApple | | | |
https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ | | | |
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts | | | |
mavinject.exe Functionality Deconstructed | | | |
Table of Contents / ↑ Credential Access |
Windows Access Tokens and Alternate credentials | | | |
Bringing the hashes home with reGeorg & Empire | | | |
Intercepting passwords with Empire and winning | | | |
Local Administrator Password Solution (LAPS) Part 1 | | | |
Local Administrator Password Solution (LAPS) Part 2 | | | |
USING A SCF FILE TO GATHER HASHES | | | |
Remote Hash Extraction On Demand Via Host Security Descriptor Modification | | | |
Offensive Encrypted Data Storage | | | |
Practical guide to NTLM Relaying | | | |
Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync | | | |
Dumping Domain Password Hashes | | | |
Table of Contents / ↑ Discovery |
Red Team Operating in a Modern Environment | | | |
My First Go with BloodHound | | | |
Introducing BloodHound | | | |
A Red Teamer’s Guide to GPOs and OUs | | | |
Automated Derivative Administrator Search | | | |
A Pentester’s Guide to Group Scoping | | | |
Local Group Enumeration | | | |
The PowerView PowerUsage Series #1 - Mass User Profile Enumeration | | | |
The PowerView PowerUsage Series #2 – Mapping Computer Shortnames With the Global Catalog | | | |
The PowerView PowerUsage Series #3 – Enumerating GPO edit rights in a foreign domain | | | |
The PowerView PowerUsage Series #4 – Finding cross-trust ACEs | | | |
Aggressor PowerView | | | |
Lay of the Land with BloodHound | | | |
Scanning for Active Directory Privileges & Privileged Accounts | | | |
Microsoft LAPS Security & Active Directory LAPS Configuration Recon | | | |
Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation | | | |
SPN Discovery | | | |
Table of Contents / ↑ Lateral Movement |
A Citrix Story | | | |
Jumping Network Segregation with RDP | | | |
Pass hash pass ticket no pain | | | |
Abusing DNSAdmins privilege for escalation in Active Directory | | | |
Using SQL Server for attacking a Forest Trust | | | |
Extending BloodHound for Red Teamers | | | |
OPSEC Considerations for beacon commands | | | |
My First Go with BloodHound | | | |
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws | | | |
Lateral movement using excel application and dcom | | | |
Lay of the Land with BloodHound | | | |
The Most Dangerous User Right You (Probably) Have Never Heard Of | | | |
Agentless Post Exploitation | | | |
A Guide to Attacking Domain Trusts | | | |
Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy | | | |
Targeted Kerberoasting | | | |
Kerberoasting Without Mimikatz | | | |
Abusing GPO Permissions | | | |
Abusing Active Directory Permissions with PowerView | | | |
Roasting AS-REPs | | | |
Getting the goods with CrackMapExec: Part 1 | | | |
Getting the goods with CrackMapExec: Part 2 | | | |
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction | | | |
Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement | | | |
a guide to attacking domain trusts | | | |
Outlook Home Page – Another Ruler Vector | | | |
Outlook Forms and Shells | | | |
Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32 | | | |
LethalHTA - A new lateral movement technique using DCOM and HTA | | | |
Abusing DCOM For Yet Another Lateral Movement Technique | | | |
Table of Contents / ↑ Collection |
Accessing clipboard from the lock screen in Windows 10 Part 1 | | | |
Accessing clipboard from the lock screen in Windows 10 Part 2 | | | |
Table of Contents / ↑ Exfiltration |
DNS Data exfiltration — What is this and How to use? | | | |
DNS Tunnelling | | | |
sg1: swiss army knife for data encryption, exfiltration & covert communication | | | |
Data Exfiltration over DNS Request Covert Channel: DNSExfiltrator | | | |
DET (extensible) Data Exfiltration Toolkit | 158 | about 5 years ago | |
Data Exfiltration via Formula Injection Part1 | | | |
Table of Contents / ↑ Command and Control / Domain Fronting |
Empre Domain Fronting | | | |
Escape and Evasion Egressing Restricted Networks - Tom Steele and Chris Patten | | | |
Finding Frontable Domain | 615 | over 1 year ago | |
TOR Fronting – Utilising Hidden Services for Privacy | | | |
Simple domain fronting PoC with GAE C2 server | | | |
Domain Fronting Via Cloudfront Alternate Domains | | | |
Finding Domain frontable Azure domains - thoth / Fionnbharr (@a_profligate) | | | |
Google Groups: Blog post on finding 2000+ Azure domains using Censys | | | |
Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike | | | |
SSL Domain Fronting 101 | | | |
How I Identified 93k Domain-Frontable CloudFront Domains | | | |
Validated CloudFront SSL Domains | | | |
CloudFront Hijacking | | | |
CloudFrunt GitHub Repo | 347 | over 4 years ago | |
Table of Contents / ↑ Command and Control / Connection Proxy |
Redirecting Cobalt Strike DNS Beacons | | | |
Apache2Mod Rewrite Setup | 81 | over 7 years ago | |
Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite | | | |
High-reputation Redirectors and Domain Fronting | | | |
Cloud-based Redirectors for Distributed Hacking | | | |
Combatting Incident Responders with Apache mod_rewrite | | | |
Operating System Based Redirection with Apache mod_rewrite | | | |
Invalid URI Redirection with Apache mod_rewrite | | | |
Strengthen Your Phishing with Apache mod_rewrite and Mobile User Redirection | | | |
mod_rewrite rule to evade vendor sandboxes | | | |
Expire Phishing Links with Apache RewriteMap | | | |
Serving random payloads with NGINX | | | |
Mod_Rewrite Automatic Setup | | | |
Hybrid Cobalt Strike Redirectors | | | |
Expand Your Horizon Red Team – Modern SAAS C2 | | | |
RTOps: Automating Redirector Deployment With Ansible | | | |
Table of Contents / ↑ Command and Control / Web Services |
C2 with Dropbox | | | |
C2 with gmail | | | |
C2 with twitter | | | |
Office 365 for Cobalt Strike C2 | | | |
Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike | | | |
A stealthy Python based Windows backdoor that uses Github as a C&C server | | | |
External C2 (Third-Party Command and Control) | | | |
Cobalt Strike over external C2 – beacon home in the most obscure ways | | | |
External C2 for Cobalt Strike | 281 | about 7 years ago | |
External C2 framework for Cobalt Strike | | | |
External C2 framework - GitHub Repo | 226 | over 1 year ago | |
Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs | 226 | over 1 year ago | |
Exploring Cobalt Strike's ExternalC2 framework | | | |
Table of Contents / ↑ Command and Control / Application Layer Protocol |
C2 WebSocket | | | |
C2 WMI | | | |
C2 Website | | | |
C2 Image | | | |
C2 Javascript | | | |
C2 WebInterface | | | |
C2 with DNS | | | |
C2 with https | | | |
C2 with webdav | | | |
Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool | | | |
InternetExplorer.Application for C2 | | | |
Table of Contents / ↑ Command and Control / Infrastructure |
Automated Red Team Infrastructure Deployment with Terraform - Part 1 | | | |
Automated Red Team Infrastructure Deployment with Terraform - Part 2 | | | |
Red Team Infrastructure - AWS Encrypted EBS | | | |
6 RED TEAM INFRASTRUCTURE TIPS | | | |
How to Build a C2 Infrastructure with Digital Ocean – Part 1 | | | |
Infrastructure for Ongoing Red Team Operations | | | |
Attack Infrastructure Log Aggregation and Monitoring | | | |
Randomized Malleable C2 Profiles Made Easy | | | |
Migrating Your infrastructure | | | |
ICMP C2 | | | |
Using WebDAV features as a covert channel | | | |
Safe Red Team Infrastructure | | | |
EGRESSING BLUECOAT WITH COBALTSTIKE & LET'S ENCRYPT | | | |
Command and Control Using Active Directory | | | |
A Vision for Distributed Red Team Operations | | | |
Designing Effective Covert Red Team Attack Infrastructure | | | |
Serving Random Payloads with Apache mod_rewrite | | | |
Mail Servers Made Easy | | | |
Securing your Empire C2 with Apache mod_rewrite | | | |
Automating Gophish Releases With Ansible and Docker | | | |
How to Write Malleable C2 Profiles for Cobalt Strike | | | |
How to Make Communication Profiles for Empire | | | |
A Brave New World: Malleable C2 | | | |
Malleable Command and Control | | | |
Table of Contents / ↑ Embedded and Peripheral Devices Hacking |
Gettting in with the Proxmark3 & ProxBrute | | | |
Practical Guide to RFID Badge copying | | | |
Contents of a Physical Pentester Backpack | | | |
MagSpoof - credit card/magstripe spoofer | 3,940 | over 2 years ago | |
Wireless Keyboard Sniffer | | | |
RFID Hacking with The Proxmark 3 | | | |
Swiss Army Knife for RFID | | | |
Exploring NFC Attack Surface | | | |
Outsmarting smartcards | | | |
Reverse engineering HID iClass Master keys | | | |
Android Open Pwn Project (AOPP) | | | |
Table of Contents / ↑ Misc |
Red Tips of Vysec | 1,049 | over 4 years ago | |
Cobalt Strike Tips for 2016 ccde red teams | | | |
Models for Red Team Operations | | | |
Planning a Red Team exercise | 611 | over 7 years ago | |
Raphael Mudge - Dirty Red Team tricks | | | |
introducing the adversary resilience methodology part 1 | | | |
introducing the adversary resilience methodology part 2 | | | |
Responsible red team | | | |
Red Teaming for Pacific Rim CCDC 2017 | | | |
How I Prepared to Red Team at PRCCDC 2015 | | | |
Red Teaming for Pacific Rim CCDC 2016 | | | |
Responsible Red Teams | | | |
Awesome-CobaltStrike | 4,033 | about 1 year ago | |
Part-1 | | | RedTeaming from Zero to One |
Table of Contents / ↑ RedTeam Gadgets |
LAN Tap Pro | | | |
LAN Turtle | | | |
Bash Bunny | | | |
Key Croc | | | |
Packet Squirrel | | | |
Shark Jack | | | |
WiFi Pineapple | | | |
Alpha Long range Wireless USB | | | |
Wifi-Deauth Monster | | | |
Crazy PA | | | |
Signal Owl | | | |
BLE Key | | | |
Proxmark3 | | | |
Zigbee Sniffer | | | |
Attify IoT Exploit kit | | | |
HackRF One Bundle | | | |
RTL-SDR | | | |
YARD stick one Bundle | | | |
Ubertooth | | | |
Key Grabber | | | |
Magspoof | | | |
Poison tap | | | |
keysweeper | | | |
USB Rubber Ducky | | | |
Screen Crab | | | |
O.MG Cable | | | |
Keysy | | | |
Dorothy for Okta SSO | 175 | 4 months ago | |
Table of Contents / ↑ Ebooks |
Next Generation Red Teaming | | | |
Targeted Cyber Attack | | | |
Advanced Penetration Testing: Hacking the World's Most Secure Networks | | | |
Social Engineers' Playbook Practical Pretexting | | | |
The Hacker Playbook 3: Practical Guide To Penetration Testing | | | |
How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK | | | |
Table of Contents / ↑ Training ( Free ) |
Tradecraft - a course on red team operations | | | |
Advanced Threat Tactics Course & Notes | | | |
FireEye - a whiteboard session on red team operations | | | |
Building an Effective Active Directory Lab Environment for Testing | | | |
Setting up DetectionLab | | | |
vulnerable-AD - Script to make your home AD Lab vulnerable | 2,014 | 8 months ago | |
Table of Contents / ↑ Certification |
CREST Certified Simulated Attack Specialist | | | |
CREST Certified Simulated Attack Manager | | | |
SEC564: Red Team Operations and Threat Emulation | | | |
ELearn Security Penetration Testing eXtreme | | | |
Certified Red Team Professional | | | |
Certified Red Teaming Expert | | | |
PentesterAcademy Certified Enterprise Security Specialist (PACES) | | | |