# Red Team Notes

- [What is ired.team notes?](https://www.ired.team/readme): These are notes about all things focusing on, but not limited to, red teaming and offensive security.
- [Pentesting Cheatsheets](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets): Convenient commands for your pentesting / red-teaming engagements, OSCP and CTFs.
  - [SQL Injection & XSS Playground](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground): This is my playground for SQL injection and XSS
- [Active Directory & Kerberos Abuse](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse): A collection of techniques that exploit and abuse Active Directory, Kerberos authentication, Domain Controllers and similar matters.
  - [From Domain Admin to Enterprise Admin](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain): Explore Parent-Child Domain Trust Relationships and abuse them for Privilege Escalation
  - [Kerberoasting](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting): Credential Access
  - [Kerberos: Golden Tickets](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets): Persistence and Privilege Escalation with Golden Kerberos tickets
  - [Kerberos: Silver Tickets](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets): Credential Access
  - [AS-REP Roasting](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
  - [Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)
  - [Kerberos Unconstrained Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)
  - [Kerberos Constrained Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
  - [Kerberos Resource-based Constrained Delegation: Computer Object Takeover](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution)
  - [Domain Compromise via DC Print Server and Kerberos Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
  - [DCShadow - Becoming a Rogue Domain Controller](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow)
  - [DCSync: Dump Password Hashes from Domain Controller](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
  - [PowerView: Active Directory Enumeration](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview)
  - [Abusing Active Directory ACLs/ACEs](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces)
  - [Privileged Accounts and Token Privileges](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
  - [From DnsAdmins to SYSTEM to Domain Compromise](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise)
  - [Pass the Hash with Machine$ Accounts](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts)
  - [BloodHound with Kali Linux: 101](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
  - [Backdooring AdminSDHolder for Persistence](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)
  - [Active Directory Enumeration with AD Module without RSAT or Admin Privileges](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges)
  - [Enumerating AD Object Permissions with dsacls](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions): Enumeration, living off the land
  - [Active Directory Password Spraying](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
  - [Active Directory Lab with Hyper-V and PowerShell](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-lab-with-hyper-v-and-powershell)
  - [ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate)
  - [From Misconfigured Certificate Template to Domain Admin](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin)
  - [Shadow Credentials](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials): Persistence, lateral movement
  - [Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-trust-accountusd-accessing-resources-on-a-trusted-domain-from-a-trusting-domain)
- [Red Team Infrastructure](https://www.ired.team/offensive-security/red-team-infrastructure)
  - [HTTP Forwarders / Relays](https://www.ired.team/offensive-security/red-team-infrastructure/redirectors-forwarders): Concealing attacking hosts with redirectors/traffic forwarders using iptables or socat
  - [SMTP Forwarders / Relays](https://www.ired.team/offensive-security/red-team-infrastructure/smtp): SMTP Redirector + Stripping Email Headers
  - [Phishing with Modlishka Reverse HTTP Proxy](https://www.ired.team/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing)
  - [Automating Red Team Infrastructure with Terraform](https://www.ired.team/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform)
  - [Cobalt Strike 101](https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands)
  - [Powershell Empire 101](https://www.ired.team/offensive-security/red-team-infrastructure/powershell-empire-101): Exploring key concepts of Powershell Empire
  - [Spiderfoot 101 with Kali using Docker](https://www.ired.team/offensive-security/red-team-infrastructure/spiderfoot-101-with-kali-using-docker)
- [Initial Access](https://www.ired.team/offensive-security/initial-access)
  - [Password Spraying Outlook Web Access: Remote Shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
  - [Phishing with MS Office](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office)
    - [Phishing: XLM / Macro 4.0](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0)
    - [T1173: Phishing - DDE](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1173-dde): Dynamic Data Exchange - executing code in Microsoft Office documents.
    - [T1137: Phishing - Office Macros](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1137-office-vba-macros): Code execution with VBA Macros
    - [Phishing: OLE + LNK](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk): Phishing, Initial Access using embedded OLE + LNK objects
    - [Phishing: Embedded Internet Explorer](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-internet-explorer): Code execution with an embedded Internet Explorer Object
    - [Phishing: .SLK Excel](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel)
    - [Phishing: Replacing Embedded Video with Bogus Payload](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload)
    - [Inject Macros from a Remote Dotm Template](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros)
    - [Bypassing Parent Child / Ancestry Detections](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/bypassing-malicious-macro-detections-by-defeating-child-parent-process-relationships)
    - [Phishing: Embedded HTML Forms](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-html-forms): Code execution with embedded HTML Form Objects
  - [Phishing with GoPhish and DigitalOcean](https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean)
  - [Forced Authentication](https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication): Credential Access, Stealing hashes
  - [NetNTLMv2 hash stealing using Outlook](https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook)
- [Code Execution](https://www.ired.team/offensive-security/code-execution)
  - [regsvr32](https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo): regsvr32 (squiblydoo) code execution - bypass application whitelisting.
  - [MSHTA](https://www.ired.team/offensive-security/code-execution/t1170-mshta-code-execution): MSHTA code execution - bypass application whitelisting.
  - [Control Panel Item](https://www.ired.team/offensive-security/code-execution/t1196-control-panel-item-code-execution): Control Panel Item code execution - bypass application whitelisting.
  - [Executing Code as a Control Panel Item through an Exported Cplapplet Function](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function)
  - [Code Execution through Control Panel Add-ins](https://www.ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins)
  - [CMSTP](https://www.ired.team/offensive-security/code-execution/t1191-cmstp-code-execution): CMSTP code execution - bypass application whitelisting.
  - [InstallUtil](https://www.ired.team/offensive-security/code-execution/t1118-installutil): InstallUtil code execution - bypass application whitelisting.
  - [Using MSBuild to Execute Shellcode in C#](https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c)
  - [Forfiles Indirect Command Execution](https://www.ired.team/offensive-security/code-execution/t1202-forfiles-indirect-command-execution): Defense Evasion
  - [Application Whitelisting Bypass with WMIC and XSL](https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl)
  - [Powershell Without Powershell.exe](https://www.ired.team/offensive-security/code-execution/powershell-without-powershell)
  - [Powershell Constrained Language Mode Bypass](https://www.ired.team/offensive-security/code-execution/powershell-constrained-language-mode-bypass): Understanding ConstrainedLanguageMode
  - [Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse](https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse)
  - [pubprn.vbs Signed Script Code Execution](https://www.ired.team/offensive-security/code-execution/t1216-signed-script-ce): Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs
- [Code & Process Injection](https://www.ired.team/offensive-security/code-injection-process-injection)
  - [CreateRemoteThread Shellcode Injection](https://www.ired.team/offensive-security/code-injection-process-injection/process-injection): Injecting shellcode into a local process.
  - [DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection): Injecting a DLL into a remote process.
  - [Reflective DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection): Loading a DLL from memory
  - [Shellcode Reflective DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/reflective-shellcode-dll-injection)
  - [Process Doppelganging](https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging)
  - [Loading and Executing Shellcode From PE Resources](https://www.ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources)
  - [Process Hollowing and Portable Executable Relocations](https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations): Code injection, evasion
  - [APC Queue Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection)
  - [Early Bird APC Queue Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection)
  - [Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert](https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert)
  - [Shellcode Execution through Fibers](https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber)
  - [Shellcode Execution via CreateThreadpoolWait](https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait)
  - [Local Shellcode Execution without Windows APIs](https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis)
  - [Injecting to Remote Process via Thread Hijacking](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking)
  - [SetWindowHookEx Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/setwindowhookex-code-injection)
  - [Finding Kernel32 Base and Function Addresses in Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode)
  - [Executing Shellcode with Inline Assembly in C/C++](https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-inline-assembly-in-c-c++)
  - [Writing Custom Shellcode Encoders and Decoders](https://www.ired.team/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders)
  - [Backdooring PE Files with Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/backdooring-portable-executables-pe-with-shellcode)
  - [NtCreateSection + NtMapViewOfSection Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection)
  - [AddressOfEntryPoint Code Injection without VirtualAllocEx RWX](https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx): Code Injection
  - [Module Stomping for Shellcode Injection](https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection): Code Injection
  - [PE Injection: Executing PEs inside Remote Processes](https://www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes): Code Injection
  - [API Monitoring and Hooking for Offensive Tooling](https://www.ired.team/offensive-security/code-injection-process-injection/api-monitoring-and-hooking-for-offensive-tooling)
  - [Windows API Hooking](https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++)
  - [Import Address Table (IAT) Hooking](https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking)
  - [DLL Injection via a Custom .NET Garbage Collector](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-dll-via-custom-.net-garbage-collector-environment-variable-complus_gcname)
  - [Writing and Compiling Shellcode in C](https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c)
  - [Injecting .NET Assembly to an Unmanaged Process](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process)
  - [Binary Exploitation](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation)
    - [32-bit Stack-based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/stack-based-buffer-overflow)
    - [64-bit Stack-based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow)
    - [Return-to-libc / ret2libc](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc)
    - [ROP Chaining: Return Oriented Programming](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/rop-chaining-return-oriented-programming)
    - [SEH Based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow)
    - [Format String Bug](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/format-string-bug)
- [Defense Evasion](https://www.ired.team/offensive-security/defense-evasion)
  - [AV Bypass with Metasploit Templates and Custom Binaries](https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates)
  - [Evading Windows Defender with 1 Byte Change](https://www.ired.team/offensive-security/defense-evasion/evading-windows-defender-using-classic-c-shellcode-launcher-with-1-byte-change)
  - [Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions](https://www.ired.team/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon)
  - [Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs](https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis): EDR / AV Evasion
  - [Windows API Hashing in Malware](https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware): Evasion
  - [Detecting Hooked Syscalls](https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions)
  - [Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs](https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs)
  - [Retrieving ntdll Syscall Stubs from Disk at Run-time](https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time)
  - [Full DLL Unhooking with C++](https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++): EDR evasion
  - [Enumerating RWX Protected Memory Regions for Code Injection](https://www.ired.team/offensive-security/defense-evasion/finding-all-rwx-protected-memory-regions): Code Injection, Defense Evasion
  - [Disabling Windows Event Logs by Suspending EventLog Service Threads](https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads)
  - [Obfuscated Powershell Invocations](https://www.ired.team/offensive-security/defense-evasion/t1027-obfuscated-powershell-invocations): Defense Evasion
  - [Masquerading Processes in Userland via \_PEB](https://www.ired.team/offensive-security/defense-evasion/masquerading-processes-in-userland-through-_peb): Understanding how malicious binaries can masquerade as any other legitimate Windows binary from userland.
  - [Commandline Obfuscation](https://www.ired.team/offensive-security/defense-evasion/commandline-obfusaction): Commandline obfuscation
  - [File Smuggling with HTML and JavaScript](https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript)
  - [Timestomping](https://www.ired.team/offensive-security/defense-evasion/t1099-timestomping): Defense Evasion
  - [Alternate Data Streams](https://www.ired.team/offensive-security/defense-evasion/t1096-alternate-data-streams)
  - [Hidden Files](https://www.ired.team/offensive-security/defense-evasion/t1158-hidden-files): Defense Evasion, Persistence
  - [Encode/Decode Data with Certutil](https://www.ired.team/offensive-security/defense-evasion/t1140-encode-decode-data-with-certutil): Defense Evasion
  - [Downloading Files with Certutil](https://www.ired.team/offensive-security/defense-evasion/downloading-file-with-certutil): Downloading additional files to the victim system using a native OS binary.
  - [Packed Binaries](https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx): Defense Evasion, Code Obfuscation
  - [Unloading Sysmon Driver](https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver): Unloading the Sysmon driver, which causes the system to stop recording Sysmon event logs.
  - [Bypassing IDS Signatures with Simple Reverse Shells](https://www.ired.team/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells)
  - [Preventing 3rd Party DLLs from Injecting into your Malware](https://www.ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes)
  - [ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)](https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy)
  - [Parent Process ID (PPID) Spoofing](https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing)
  - [Executing C# Assemblies from Jscript and wscript with DotNetToJscript](https://www.ired.team/offensive-security/defense-evasion/executing-csharp-assemblies-from-jscript-and-wscript-with-dotnettojscript)
- [Enumeration and Discovery](https://www.ired.team/offensive-security/enumeration-and-discovery)
  - [Windows Event IDs and Others for Situational Awareness](https://www.ired.team/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness)
  - [Enumerating COM Objects and their Methods](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-com-objects-and-their-methods)
  - [Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-users-without-net-services-without-sc-and-scheduled-tasks-without-schtasks)
  - [Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging)
  - [Dump Global Address List (GAL) from OWA](https://www.ired.team/offensive-security/enumeration-and-discovery/dumping-gal-global-address-list-from-outlook-web-application)
  - [Application Window Discovery](https://www.ired.team/offensive-security/enumeration-and-discovery/t1010-application-window-discovery): Discovery
  - [Account Discovery & Enumeration](https://www.ired.team/offensive-security/enumeration-and-discovery/t1087-account-discovery): Discovery
  - [Using COM to Enumerate Hostname, Username, Domain, Network Drives](https://www.ired.team/offensive-security/enumeration-and-discovery/using-com-to-enumerate-hostname-username-domain-network-drives)
  - [Detecting Sysmon on the Victim Host](https://www.ired.team/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host): Exploring ways to detect Sysmon presence on the victim system
- [Privilege Escalation](https://www.ired.team/offensive-security/privilege-escalation)
  - [Primary Access Token Manipulation](https://www.ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation): Defense Evasion, Privilege Escalation by stealing and re-using security access tokens.
  - [Windows NamedPipes 101 + Privilege Escalation](https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)
  - [DLL Hijacking](https://www.ired.team/offensive-security/privilege-escalation/t1038-dll-hijacking): DLL Search Order Hijacking for privilege escalation, code execution, etc.
  - [WebShells](https://www.ired.team/offensive-security/privilege-escalation/t1108-redundant-access): Redundant Access - Webshells for evading defenses and persistence.
  - [Image File Execution Options Injection](https://www.ired.team/offensive-security/privilege-escalation/t1183-image-file-execution-options-injection): Defense Evasion, Persistence, Privilege Escalation
  - [Unquoted Service Paths](https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths)
  - [Pass The Hash: Privilege Escalation with Invoke-WMIExec](https://www.ired.team/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec)
  - [Environment Variable $Path Interception](https://www.ired.team/offensive-security/privilege-escalation/environment-variable-path-interception)
  - [Weak Service Permissions](https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions)
- [Credential Access & Dumping](https://www.ired.team/offensive-security/credential-access-and-credential-dumping)
  - [Dumping Credentials from Lsass Process Memory with Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-credentials-from-lsass.exe-process-memory): Local Security Authority (LSA) credential dumping with in-memory Mimikatz using PowerShell.
  - [Dumping Lsass Without Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz)
  - [Dumping Lsass without Mimikatz with MiniDumpWriteDump](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass): Evasion, Credential Dumping
  - [Dumping Hashes from SAM via Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry): Security Accounts Manager (SAM) credential dumping with a living-off-the-land binary.
  - [Dumping SAM via esentutl.exe](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exe)
  - [Dumping LSA Secrets](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets)
  - [Dumping and Cracking mscash - Cached Domain Credentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials)
  - [Dumping Domain Controller Hashes Locally and Remotely](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration): Dumping NTDS.dit with Active Directory user hashes
  - [Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin)
  - [Network vs Interactive Logons](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/network-vs-interactive-logons): This lab explores/compares when credentials are susceptible to credential dumping.
  - [Reading DPAPI Encrypted Secrets with Mimikatz and C++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++)
  - [Credentials in Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1214-credentials-in-registry): Internal recon, hunting for passwords in the Windows registry
  - [Password Filter](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll): Credential Access
  - [Forcing WDigest to Store Credentials in Plaintext](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext)
  - [Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass)
  - [Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package): Credential Access, Persistence
  - [Pulling Web Application Passwords by Hooking HTML Input Fields](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/stealing-web-application-credentials-by-hooking-input-fields): Credential Access, Keylogger
  - [Intercepting Logon Credentials by Hooking msv1\_0!SpAcceptCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-by-hooking-msv1_0-spacceptcredentials): Hooking, Credential Stealing
  - [Credentials Collection via CredUIPromptForCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials)
- [Lateral Movement](https://www.ired.team/offensive-security/lateral-movement)
  - [WinRM for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement): PowerShell remoting for lateral movement.
  - [WinRS for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement)
  - [WMI for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement): Windows Management Instrumentation for code execution, lateral movement.
  - [RDP Hijacking for Lateral Movement with tscon](https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement): This lab explores a technique that allows a SYSTEM account to move laterally through the network using RDP without the need for credentials.
  - [Shared Webroot](https://www.ired.team/offensive-security/lateral-movement/t1051-shared-webroot): Lateral Movement
  - [Lateral Movement via DCOM](https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model): Lateral Movement via Distributed Component Object Model
  - [WMI + MSI Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-+-msi-lateral-movement): WMI lateral movement with .msi packages
  - [Lateral Movement via Service Configuration Manager](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-abusing-service-configuration-manager)
  - [Lateral Movement via SMB Relaying](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing)
  - [WMI + NewScheduledTaskAction Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-via-newscheduledtask)
  - [WMI + PowerShell Desired State Configuration Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-+-powershell-desired-state-configuration-lateral-movement): Lateral Movement, Privilege Escalation
  - [Simple TCP Relaying with NetCat](https://www.ired.team/offensive-security/lateral-movement/simple-tcp-relaying-with-netcat)
  - [Empire Shells with NetNTLMv2 Relaying](https://www.ired.team/offensive-security/lateral-movement/empire-shells-with-netnltmv2-relaying)
  - [Lateral Movement with Psexec](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec)
  - [From Beacon to Interactive RDP Session](https://www.ired.team/offensive-security/lateral-movement/from-beacon-to-interactive-remote-desktop-rdp-session): Lateral Movement, Tunnelling, Firewall Evasion
  - [SSH Tunnelling / Port Forwarding](https://www.ired.team/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding): Exploring SSH tunnelling
  - [Lateral Movement via WMI Event Subscription](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-wmi-events)
  - [Lateral Movement via DLL Hijacking](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-dll-hijacking)
  - [Lateral Movement over headless RDP with SharpRDP](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-over-headless-rdp-with-sharprdp)
  - [Man-in-the-Browser via Chrome Extension](https://www.ired.team/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension)
  - [ShadowMove: Lateral Movement by Duplicating Existing Sockets](https://www.ired.team/offensive-security/lateral-movement/shadowmove-lateral-movement-by-stealing-duplicating-existing-connected-sockets)
- [Persistence](https://www.ired.team/offensive-security/persistence)
  - [DLL Proxying for Persistence](https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence)
  - [Schtask](https://www.ired.team/offensive-security/persistence/t1053-schtask): Code execution, privilege escalation, lateral movement and persistence.
  - [Service Execution](https://www.ired.team/offensive-security/persistence/t1035-service-execution): Code Execution, Privilege Escalation
  - [Sticky Keys](https://www.ired.team/offensive-security/persistence/t1015-sethc): Sticky keys backdoor.
  - [Create Account](https://www.ired.team/offensive-security/persistence/t1136-create-account): Persistence
  - [AddMonitor()](https://www.ired.team/offensive-security/persistence/t1013-addmonitor): Persistence, Privilege Escalation
  - [NetSh Helper DLL](https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll): Persistence, code execution using netsh helper arbitrary libraries.
  - [Abusing Windows Management Instrumentation](https://www.ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation): Persistence, Privilege Escalation
    - [WMI as a Data Storage](https://www.ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation/wmi-data-storage): Exploring WMI as data storage for persistence by leveraging WMI classes and their properties.
  - [Windows Logon Helper](https://www.ired.team/offensive-security/persistence/windows-logon-helper)
  - [Hijacking Default File Extension](https://www.ired.team/offensive-security/persistence/hijacking-default-file-extension)
  - [Persisting in svchost.exe with a Service DLL](https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain)
  - [Modifying .lnk Shortcuts](https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts)
  - [Screensaver Hijack](https://www.ired.team/offensive-security/persistence/t1180-screensaver-hijack): Hijacking the screensaver for persistence.
  - [Application Shimming](https://www.ired.team/offensive-security/persistence/t1138-application-shimming): Persistence, Privilege Escalation
  - [BITS Jobs](https://www.ired.team/offensive-security/persistence/t1197-bits-jobs): File upload to the compromised system.
- [COM Hijacking](https://www.ired.team/offensive-security/persistence/t1122-com-hijacking): UAC Bypass/Defense Evasion, Persistence - [SIP & Trust Provider Hijacking](https://www.ired.team/offensive-security/persistence/t1198-trust-provider-hijacking): Defense Evasion, Persistence, Whitelisting Bypass - [Hijacking Time Providers](https://www.ired.team/offensive-security/persistence/t1209-hijacking-time-providers): Persistence - [Installing Root Certificate](https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate): Defense Evasion - [Powershell Profile Persistence](https://www.ired.team/offensive-security/persistence/powershell-profile-persistence) - [RID Hijacking](https://www.ired.team/offensive-security/persistence/rid-hijacking) - [Word Library Add-Ins](https://www.ired.team/offensive-security/persistence/word-library-add-ins) - [Office Templates](https://www.ired.team/offensive-security/persistence/office-templates) - [Exfiltration](https://www.ired.team/offensive-security/exfiltration) - [Powershell Payload Delivery via DNS using Invoke-PowerCloud](https://www.ired.team/offensive-security/exfiltration/payload-delivery-via-dns-using-invoke-powercloud): This lab demos a tool or rather a Powershell script I have written to do what the title says. 
- [Internals](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals) - [Configuring Kernel Debugging Environment with kdnet and WinDBG Preview](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/configuring-kernel-debugging-environment-with-kdnet-and-windbg-preview) - [Compiling a Simple Kernel Driver, DbgPrint, DbgView](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/compiling-first-kernel-driver-kdprint-dbgprint-and-debugview) - [Loading Windows Kernel Driver for Debugging](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/loading-a-windows-kernel-driver-osr-driver-loader-debugging-with-source-code) - [Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver) - [Listing Open Handles and Finding Kernel Object Addresses](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland) - [Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/sending-commands-from-userland-to-your-kernel-driver-using-ioctl): Windows Driver Model (WDM) - [Windows Kernel Drivers 101](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/windows-kernel-drivers-101) - [Windows x64 Calling Convention: Stack Frame](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/windows-x64-calling-convention-stack-frame) - [Linux x64 Calling Convention: Stack Frame](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/linux-x64-calling-convention-stack-frame) - [System Service Descriptor Table - 
SSDT](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/glimpse-into-ssdt-in-windows-x64-kernel) - [Interrupt Descriptor Table - IDT](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/interrupt-descriptor-table-idt) - [Token Abuse for Privilege Escalation in Kernel](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation) - [Manipulating ActiveProcessLinks to Hide Processes in Userland](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/manipulating-activeprocesslinks-to-unlink-processes-in-userland) - [ETW: Event Tracing for Windows 101](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101) - [Exploring Injected Threads](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-injectedthread): A short exploration of injected threads with Get-InjectedThreads.ps1 and WinDBG - [Parsing PE File Headers with C++](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++) - [Instrumenting Windows APIs with Frida](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/instrumenting-windows-apis-with-frida) - [Exploring Process Environment Block](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/exploring-process-environment-block): Exploring a couple of interesting members of the PEB memory structure fields - [Writing a Custom Bootloader](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/writing-a-custom-bootloader) - [Cloud](https://www.ired.team/miscellaneous-reversing-forensics/cloud) - [AWS Accounts, Users, Groups, Roles, Policies](https://www.ired.team/miscellaneous-reversing-forensics/cloud/aws-accounts-users-groups-roles-policies) - 
[Neo4j](https://www.ired.team/miscellaneous-reversing-forensics/neo4j) - [Dump Virtual Box Memory](https://www.ired.team/miscellaneous-reversing-forensics/dump-virtual-box-memory): A quick reminder of one of the ways of how to dump memory of a VM running on VirtualBox in Linux environment. - [AES Encryption Using Crypto++ .lib in Visual Studio C++](https://www.ired.team/miscellaneous-reversing-forensics/aes-encryption-example-using-cryptopp-.lib-in-visual-studio-c++) - [Reversing Password Checking Routine](https://www.ired.team/miscellaneous-reversing-forensics/reversing-password-checking-routine)