SUMMARY.md

Table of contents

• About /?

Pinned posts

• Pentesting Cheatsheets
  • SQL Injection & XSS Playground
• Powershell Payload Delivery via DNS using Invoke-PowerCloud
• Masquerading Processes in Userland via _PEB
• Active Directory / Kerberos Abuse
  • From Domain Admin to Enterprise Admin
  • T1208: Kerberoasting
  • Kerberos: Golden Tickets
  • Kerberos: Silver Tickets
  • AS-REP Roasting
  • Domain Compromise via Unrestricted Kerberos Delegation
  • Domain Compromise via DC Print Server and Kerberos Delegation
  • T1207: DCShadow - Becoming a Rogue Domain Controller
  • DCSync: Dump Password Hashes from Domain Controller
  • PowerView: Active Directory Enumeration
  • Abusing Active Directory ACLs/ACEs
  • Privileged Accounts and Token Privileges
  • From DnsAdmins to SYSTEM to Domain Compromise
  • Pass the Hash with Machine$ Accounts
  • BloodHound with Kali Linux: 101
  • Backdooring AdminSDHolder for Persistence
  • Active Directory Enumeration with AD Module without RSAT or Admin Privileges
  • Enumerating AD Object Permissions with dsacls
  • Active Directory Password Spraying
  • AD Computer Object Take Over and Privileged Code Execution
  • Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging

offensive security

• T1055: Process Injection
  • CreateRemoteThread Shellcode Injection
  • DLL Injection
  • Reflective DLL Injection
  • Process Doppelganging
  • Loading and Executing Shellcode From PE Resources
  • T1093: Process Hollowing and Portable Executable Relocations
• Phishing with MS Office
  • Phishing: XLM / Macro 4.0
  • Phishing: Replacing Embedded Video with Bogus Payload
  • T1173: Phishing - DDE
  • T1137: Phishing - Office Macros
  • Phishing: OLE + LNK
  • Phishing: Embedded Internet Explorer
  • Phishing: .SLK Excel
  • Inject Macros from a Remote Dotm Template
  • Bypassing Parent Child / Ancestry Detections
  • Phishing: Embedded HTML Forms
• Password Spraying Outlook Web Access: Remote Shell
• Dump GAL from OWA
• T1003: Credential Dumping
  • Dumping Credentials from Lsass.exe Process Memory
  • Dumping Lsass.exe to Disk and Extracting Credentials
  • Dumping LSASS without Mimikatz == Reduced Chances of Getting Flagged by AVs
  • Security Accounts Manager
  • Dumping LSA Secrets
  • Dumping and Cracking mscash - Cached Domain Credentials
  • NTDS - Domain Controller
  • Network vs Interactive Logons
  • Reading DPAPI Encrypted Secrets with Mimikatz and C++
• T1134: Primary Access Token Manipulation
• AV Bypass with Metasploit Templates and Custom Binaries
• Evading Windows Defender with 1 Byte Change
• Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
• Using MSBuild to Execute Shellcode in C#
• Cobalt Strike 101
• Red Team Infrastructure
  • HTTP Forwarders / Relays
  • SMTP Forwarders / Relays
  • Automating Red Team Infrastructure with Terraform
• File Smuggling with HTML and JavaScript
• Commandline Obfusaction
• T1027: Obfuscated Powershell Invocations
• SSH Tunnelling / Port Forwarding
• T1117: regsvr32
• Application Whitelisting Bypass with WMIC and XSL
• T1187: Forced Authentication
  • NetNTLMv2 hash stealing using Outlook
• T1099: Timestomping
• T1196: Control Panel Item
• T1170: MSHTA
• T1191: CMSTP
• T1118: InstallUtil
• T1053: Schtask
• T1214: Credentials in Registry
• T1028: WinRM for Lateral Movement
• T1047: WMI for Lateral Movement
• T1035: Service Execution
• T1216: pubprn.vbs Signed Script Code Execution
• T1138: Application Shimming
• T1015: Sticky Keys
• T1131: Authentication Packages
• T1136: Create Account
• T1197: BITS Jobs
• T1122: COM Hijacking
• T1038: DLL Hijacking
• T1158: Hidden Files
• T1128: NetSh Helper DLL
• T1013: AddMonitor()
• T1108: WebShells
• T1051: Shared Webroot
• T1198: SIP & Trust Provider Hijacking
• T1180: Screensaver Hijack
• T1209: Hijacking Time Providers
• T1084: Abusing Windows Managent Instrumentation
  • WMI as a Data Storage
• T1076: RDP Hijacking for Lateral Movement with tscon
• T1140: Encode/Decode Data with Certutil
• Downloading Files with Certutil
• T1183: Image File Execution Options Injection
• T1202: Forfiles Indirect Command Execution
• T1130: Installing Root Certificate
• T1096: Alternate Data Streams
• T1045: Packed Binaries
• T1174: Password Filter
• T1010: Application Window Discovery
• T1087: Account Discovery & Enumeration
• T1175: Lateral Movement via DCOM
• Powershell Empire 101
• Powershell Constrained Language Mode ByPass
• Powershell Without Powershell.exe
• Detecting Sysmon on the Victim Host
• Unloading Sysmon Driver
• WMI + MSI Lateral Movement
• WMI + NewScheduledTaskAction Lateral Movement
• WMI + PowerShell Desired State Configuration Lateral Movement
• Empire Shells with NetNLTMv2 Relaying
• Simple TCP Relaying with NetCat
• Lateral Movement via SMB Relaying
• Parsing PE File Headers with C++
• Phishing with GoPhish and DigitalOcean
• Windows NamedPipes 101 + Privilege Escalation
• Spiderfoot 101 with Kali using Docker

Memory Forensics

• Exploring Injected Threads
• Process Environment Block
• Dump Virtual Box Memory

CTFs / Walkthroughs

• Reversing Password Checking Routine