SUMMARY.md

Table of contents

• What is this?

Pinned

• Pentesting Cheatsheets
  • SQL Injection & XSS Playground
• Active Directory & Kerberos Abuse
  • From Domain Admin to Enterprise Admin
  • T1208: Kerberoasting
  • Kerberos: Golden Tickets
  • Kerberos: Silver Tickets
  • AS-REP Roasting
  • Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
  • Kerberos Unrestricted Delegation
  • Kerberos Constrained Delegation
  • Kerberos Resource-based Constrained Delegation: Computer Object Take Over
  • Domain Compromise via DC Print Server and Kerberos Delegation
  • T1207: DCShadow - Becoming a Rogue Domain Controller
  • DCSync: Dump Password Hashes from Domain Controller
  • PowerView: Active Directory Enumeration
  • Abusing Active Directory ACLs/ACEs
  • Privileged Accounts and Token Privileges
  • From DnsAdmins to SYSTEM to Domain Compromise
  • Pass the Hash with Machine$ Accounts
  • BloodHound with Kali Linux: 101
  • Backdooring AdminSDHolder for Persistence
  • Active Directory Enumeration with AD Module without RSAT or Admin Privileges
  • Enumerating AD Object Permissions with dsacls
  • Active Directory Password Spraying

offensive security

• Red Team Infrastructure
  • HTTP Forwarders / Relays
  • SMTP Forwarders / Relays
  • Phishing with Modlishka Reverse HTTP Proxy
  • Automating Red Team Infrastructure with Terraform
  • Cobalt Strike 101
  • Powershell Empire 101
  • Spiderfoot 101 with Kali using Docker
• Initial Access
  • Password Spraying Outlook Web Access: Remote Shell
  • Phishing with MS Office
    • Phishing: XLM / Macro 4.0
    • T1173: Phishing - DDE
    • T1137: Phishing - Office Macros
    • Phishing: OLE + LNK
    • Phishing: Embedded Internet Explorer
    • Phishing: .SLK Excel
    • Phishing: Replacing Embedded Video with Bogus Payload
    • Inject Macros from a Remote Dotm Template
    • Bypassing Parent Child / Ancestry Detections
    • Phishing: Embedded HTML Forms
  • Phishing with GoPhish and DigitalOcean
  • T1187: Forced Authentication
  • NetNTLMv2 hash stealing using Outlook
• Code Execution
  • T1117: regsvr32
  • T1170: MSHTA
  • T1196: Control Panel Item
  • Executing Code as a Control Panel Item through an Exported Cplapplet Function
  • T1191: CMSTP
  • T1118: InstallUtil
  • Using MSBuild to Execute Shellcode in C#
  • T1202: Forfiles Indirect Command Execution
  • Application Whitelisting Bypass with WMIC and XSL
  • Powershell Without Powershell.exe
  • Powershell Constrained Language Mode ByPass
  • Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
  • T1216: pubprn.vbs Signed Script Code Execution
• Code & Process Injection
  • CreateRemoteThread Shellcode Injection
  • DLL Injection
  • Reflective DLL Injection
  • Shellcode Reflective DLL Injection
  • Process Doppelganging
  • Loading and Executing Shellcode From PE Resources
  • T1093: Process Hollowing and Portable Executable Relocations
  • APC Queue Code Injection
  • Early Bird APC Queue Code Injection
  • Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
  • SetWindowHookEx Code Injection
  • Finding Kernel32 Base and Function Addresses in Shellcode
  • Executing Shellcode with Inline Assembly in C/C++
  • Backdooring PE Files with Shellcode
  • NtCreateSection + NtMapViewOfSection Code Injection
  • AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
  • PE Injection: Executing PEs inside Remote Processes
  • API Monitoring and Hooking for Offensive Tooling
  • Windows API Hooking
  • Import Adress Table (IAT) Hooking
• Defense Evasion
  • AV Bypass with Metasploit Templates and Custom Binaries
  • Evading Windows Defender with 1 Byte Change
  • Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
  • Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
  • Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
  • Full DLL Unhooking with C++
  • Enumerating RWX Protected Memory Regions for Code Injection
  • T1027: Obfuscated Powershell Invocations
  • Masquerading Processes in Userland via _PEB
  • Commandline Obfusaction
  • File Smuggling with HTML and JavaScript
  • T1099: Timestomping
  • T1096: Alternate Data Streams
  • T1158: Hidden Files
  • T1140: Encode/Decode Data with Certutil
  • Downloading Files with Certutil
  • T1045: Packed Binaries
  • Unloading Sysmon Driver
  • Bypassing IDS Signatures with Simple Reverse Shells
  • Preventing 3rd Party DLLs from Injecting into your Malware
  • Executing C# Assemblies from Jscript and wscript with DotNetToJscript
• Enumeration and Discovery
  • Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
  • Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
  • Dump GAL from OWA
  • T1010: Application Window Discovery
  • T1087: Account Discovery & Enumeration
  • Using COM to Enumerate Hostname, Username, Domain, Network Drives
  • Detecting Sysmon on the Victim Host
• Privilege Escalation
  • T1134: Primary Access Token Manipulation
  • Windows NamedPipes 101 + Privilege Escalation
  • T1038: DLL Hijacking
  • T1108: WebShells
  • T1183: Image File Execution Options Injection
  • Unquoted Service Paths
  • Pass The Hash: Privilege Escalation with Invoke-WMIExec
  • Weak Service Permissions
• Credential Access & Dumping
  • Dumping Credentials from Lsass.exe Process Memory
  • Dumping Lsass.exe to Disk Without Mimikatz and Extracting Credentials
  • Dumping LSASS without Mimikatz with MiniDumpWriteDump == Reduced Chances of Getting Flagged by AVs
  • Dumping Hashes from SAM
  • Dumping LSA Secrets
  • Dumping and Cracking mscash - Cached Domain Credentials
  • Dumping Domain Controller Hashes Locally and Remotely
  • Dumping Domain Controller Hashes via wmic and Shadow Copy
  • Network vs Interactive Logons
  • Reading DPAPI Encrypted Secrets with Mimikatz and C++
  • T1214: Credentials in Registry
  • T1174: Password Filter
  • Forcing WDigest to Store Credentials in Plaintext
  • Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching LSASS
• Lateral Movement
  • T1028: WinRM for Lateral Movement
  • T1047: WMI for Lateral Movement
  • T1076: RDP Hijacking for Lateral Movement with tscon
  • T1051: Shared Webroot
  • T1175: Lateral Movement via DCOM
  • WMI + MSI Lateral Movement
  • Lateral Movement Abusing Service Configuration Manager
  • Lateral Movement via SMB Relaying
  • WMI + NewScheduledTaskAction Lateral Movement
  • WMI + PowerShell Desired State Configuration Lateral Movement
  • Simple TCP Relaying with NetCat
  • Empire Shells with NetNLTMv2 Relaying
  • Lateral Movement with Psexec
  • From Beacon to Interactive RDP Session
  • SSH Tunnelling / Port Forwarding
• Persistence
  • T1053: Schtask
  • T1035: Service Execution
  • T1015: Sticky Keys
  • T1136: Create Account
  • T1013: AddMonitor()
  • T1128: NetSh Helper DLL
  • T1084: Abusing Windows Managent Instrumentation
    • WMI as a Data Storage
  • T1180: Screensaver Hijack
  • T1138: Application Shimming
  • T1131: Authentication Packages
  • T1197: BITS Jobs
  • T1122: COM Hijacking
  • T1198: SIP & Trust Provider Hijacking
  • T1209: Hijacking Time Providers
  • T1130: Installing Root Certificate
  • Powershell Profile Persistence
  • Word Library Add-Ins
  • Office Templates
• Exfiltration
  • Powershell Payload Delivery via DNS using Invoke-PowerCloud

miscellaneous

• Windows Kernel
  • Configuring Kernel Debugging Environment with kdnet and WinDBG Preview
  • Loading a Windows Kernel Driver to Windows 10
  • A Glimpse into SSDT inside Windows x64 Kernel
• Exploring Process Environment Block
• Parsing PE File Headers with C++
• Exploring Injected Threads
• Dump Virtual Box Memory
• AES Encryption Using Crypto++ .lib in Visual Studio C++
• Reversing Password Checking Routine