
prep

pull/25/head
rmusser01 2 years ago
parent
commit
7c23e7e903
29 changed files with 1106 additions and 369 deletions
1. +8 -0 Draft/ATT&CK-Stuff/ATT&CK/Execution.md
2. +103 -71 Draft/AnonOpSecPrivacy.md
3. +4 -2 Draft/CTFs_Wargames.md
4. +12 -2 Draft/Containers.md
5. +32 -37 Draft/Crypto_Encrypt.md
6. +68 -22 Draft/DFIR.md
7. +24 -0 Draft/Defense.md
8. +3 -6 Draft/Embedded.md
9. +1 -1 Draft/Exfiltration.md
10. +58 -22 Draft/Exploit_Dev.md
11. +4 -0 Draft/Fuzzing.md
12. +44 -6 Draft/Interesting_Things.md
13. +78 -3 Draft/L-SM-TH.md
14. +58 -46 Draft/Malware.md
15. +8 -2 Draft/Network_Attacks.md
16. +25 -7 Draft/Osint.md
17. +1 -1 Draft/Passwords.md
18. +42 -1 Draft/PrivescPostEx.md
19. +88 -28 Draft/Programming_Language_Security.md
20. +15 -6 Draft/RE.md
21. +79 -4 Draft/RT.md
22. +33 -22 Draft/Rootkits.md
23. +30 -4 Draft/SCA.md
24. +2 -1 Draft/SCADA.md
25. +4 -4 Draft/UX.md
26. +194 -7 Draft/Web.md
27. +18 -2 Draft/Wireless.md
28. +60 -61 Draft/bios_uefi.md
29. +10 -1 Draft/sysinternals.md

+8 -0 Draft/ATT&CK-Stuff/ATT&CK/Execution.md

@ -6,6 +6,14 @@
* [Windows oneliners to download remote payload and execute arbitrary code - arno0x0x](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe - Matt Graeber](https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb)
* [How to Port Microsoft.Workflow.Compiler.exe Loader to Veil - FortyNorthSecurity](https://www.fortynorthsecurity.com/port-microsoft-workflow-compiler-exe-loader-to-veil/)
* [MSXSL.EXE AND WMIC.EXE — A Way to Proxy Code Execution - TH Team](https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75)
-------------------------------
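Review bot: the four added Execution links are titled links with no summary line, while tool and paper entries elsewhere in this repository (Salamandra, DEDA, Firefed) carry a one-sentence description bullet beneath the link; at minimum the two Microsoft.Workflow.Compiler.exe entries (Graeber's original write-up and the FortyNorth port to Veil) should be grouped, since the second builds on the first.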


+103 -71 Draft/AnonOpSecPrivacy.md

@ -33,77 +33,6 @@
https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/
https://citizenlab.ca/2018/08/cant-picture-this-an-analysis-of-image-filtering-on-wechat-moments/
Remove hidden data and personal information by inspecting documents, presentations, or workbooks
https://support.office.com/en-us/article/remove-hidden-data-and-personal-information-by-inspecting-documents-presentations-or-workbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f
https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/911-services/general/location-accuracy-indoor-benchmarks
https://www.wsj.com/articles/SB105546175751598400
https://opaque.link/post/dropgang/
https://github.com/ctrlaltdev/LMGTFY-queries
* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman(BuzzFeed News)](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr)
* [Opting Out Like A Boss - The OSINT Way (Part 1) - learnallthethings.net](https://www.learnallthethings.net/blog/2018/1/23/opting-out-like-a-boss-the-osint-way)
https://electricalstrategies.com/about/in-the-news/spies-in-the-xerox-machine/
https://discover.cobbtechnologies.com/blog/the-soviet-union-and-the-photocopier
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/privacy/manage-windows-1809-endpoints.md
* [Creating Your Own Citizen Database - Aiganysh Aidarbekova](https://www.bellingcat.com/resources/how-tos/2019/02/14/creating-your-own-citizen-database/)
* [Manage connections from Windows operating system components to Microsoft services - docs.ms](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
* [Cookies – what does ‘good’ look like? - UK Information Comissioner's Office - Ali Shah](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/)
https://www.freehaven.net/anonbib/
http://computer-outlines.over-blog.com/article-windows-ipv6-privacy-addresses-118018020.html
https://blog.superuser.com/2011/02/11/did-you-know-that-ipv6-may-include-your-mac-address-heres-how-to-stop-it/
https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales
* [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers](https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)
* Propaganda
* [Project Feels: How USA Today, ESPN and The New York Times are targeting ads to mood - digiday](https://digiday.com/media/project-feels-usa-today-espn-new-york-times-targeting-ads-mood/)
* [The New York Times Advertising & Marketing Solutions Group Introduces ‘nytDEMO’: A Cross-Functional Team Focused on Bringing Insights and Data Solutions to Brands(2018)](https://investors.nytco.com/press/press-releases/press-release-details/2018/The-New-York-Times-Advertising--Marketing-Solutions-Group-Introduces-nytDEMO-A-Cross-Functional-Team-Focused-on-Bringing-Insights-and-Data-Solutions-to-Brands/default.aspx)
* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr)
* [Toward an Information Operations Kill Chain - Bruce Schneier](https://www.lawfareblog.com/toward-information-operations-kill-chain)
* [Project Raven: Inside the UAE’s secret hacking team of American mercenaries(Christopher Bing, Joel Schectman)]
* [How to Purge Google and Start Over – Part 2 - Mike Felch](https://www.blackhillsinfosec.com/how-to-purge-google-and-start-over-part-2/)
* [Of Moles and Molehunters: A Review of Counterintelligence Literature, 1977-92](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/U-Oct%20%201993-%20Of%20Moles%20-%20Molehunters%20-%20A%20Review%20of%20Counterintelligence%20Literature-%201977-92%20-v2.pdf)
* [Salamandra](https://github.com/eldraco/Salamandra)
* Salamandra is a tool to detect and locate spy microphones in closed environments. It find microphones based on the strength of the signal sent by the microphone and the amount of noise and overlapped frequencies. Based on the generated noise it can estimate how close or far away you are from the microphone.
* [zwsp-steg](https://github.com/offdev/zwsp-steg-js)
* Zero-Width Space Steganography. Encodes and decodes hidden messages as non printable/readable characters. [A demo can be found here](https://offdev.net/demos/zwsp-steg-js).
* [DEDA](https://github.com/dfd-tud/deda)
* DEDA - tracking Dots Extraction, Decoding and Anonymisation toolkit; Document Colour Tracking Dots, or yellow dots, are small systematic dots which encode information about the printer and/or the printout itself. This process is integrated in almost every commercial colour laser printer. This means that almost every printout contains coded information about the source device, such as the serial number.
* https://dfd.inf.tu-dresden.de/
* [The Spy and the Traitor: The Greatest Espionage Story of the Cold War - cia.gov](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol-63-no-1/spy_and_traitor.html)
* [How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps - Nathaniel Popper](https://www.nytimes.com/2019/03/12/technology/how-to-disappear-surveillance-state.html)
* [A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients - Vasile C. Perta, Marco V. Barbera, Gareth Tyson, Hamed Haddadi, and Alessandro Mei(2/2015)](https://www.petsymposium.org/2015/papers/02_Perta.pdf)
* [Forensic Analysis and Anonymisation of Printed Documents](https://dl.acm.org/citation.cfm?doid=3206004.3206019)
* Contrary to popular belief, the paperless office has not yet established itself. Printer forensics is therefore still an important field today to protect the reliability of printed documents or to track criminals. An important task of this is to identify the source device of a printed document. There are many forensic approaches that try to determine the source device automatically and with commercially available recording devices. However, it is difficult to find intrinsic signatures that are robust against a variety of influences of the printing process and at the same time can identify the specific source device. In most cases, the identification rate only reaches up to the printer model. For this reason we reviewed document colour tracking dots, an extrinsic signature embedded in nearly all modern colour laser printers. We developed a refined and generic extraction algorithm, found a new tracking dot pattern and decoded pattern information. Through out we propose to reuse document colour tracking dots, in combination with passive printer forensic methods. From privacy perspective we additional investigated anonymization approaches to defeat arbitrary tracking. Finally we propose our toolkitdeda which implements the entire workflow of extracting, analysing and anonymisation of a tracking dot pattern.
* [NCCA Polygraph Countermeasure Course Files Leaked](https://antipolygraph.org/blog/2018/06/09/ncca-polygraph-countermeasure-course-files-leaked/)
* [Fooling automated surveillance cameras: adversarial patches to attack person detection - Simen Thys, Wiebe Van Ranst, Toon Goedemé](https://arxiv.org/abs/1904.08653)
* Adversarial attacks on machine learning models have seen increasing interest in the past years. By making only subtle changes to the input of a convolutional neural network, the output of the network can be swayed to output a completely different result. The first attacks did this by changing pixel values of an input image slightly to fool a classifier to output the wrong class. Other approaches have tried to learn "patches" that can be applied to an object to fool detectors and classifiers. Some of these approaches have also shown that these attacks are feasible in the real-world, i.e. by modifying an object and filming it with a video camera. However, all of these approaches target classes that contain almost no intra-class variety (e.g. stop signs). The known structure of the object is then used to generate an adversarial patch on top of it. In this paper, we present an approach to generate adversarial patches to targets with lots of intra-class variety, namely persons. The goal is to generate a patch that is able successfully hide a person from a person detector. An attack that could for instance be used maliciously to circumvent surveillance systems, intruders can sneak around undetected by holding a small cardboard plate in front of their body aimed towards the surveillance camera. From our results we can see that our system is able significantly lower the accuracy of a person detector. Our approach also functions well in real-life scenarios where the patch is filmed by a camera. To the best of our knowledge we are the first to attempt this kind of attack on targets with a high level of intra-class variety like persons.
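Review bot: the 71 lines removed here are the unsorted block that reappears verbatim under `### Sort` in the later hunk of this file, so this is a move rather than a deletion, and the block's defects travel with it: `* [A DC Think Tank Used Fake Social Media Accounts...` is listed twice (once credited "Craig Silverman(BuzzFeed News)", once "Craig Silverman"), and `* [Project Raven: Inside the UAE’s secret hacking team of American mercenaries(Christopher Bing, Joel Schectman)]` has no `(url)` after the closing bracket, so it renders as literal text rather than a link. Dedupe and add the missing URL as part of the move.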
@ -157,6 +86,8 @@ https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-s
* [iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests](https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/)
* [Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking - ProPublica(2016)](https://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking)
* [No boundaries: Exfiltration of personal data by session-replay scripts - Freedom to Tinker](https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)
* [Notes on privacy and data collection of Matrix.org - maxidorius](https://gist.github.com/maxidorius/5736fd09c9194b7a6dc03b6b8d7220d0)
* [PSA: Go 1.13 Default Module Proxy Privacy - codeengineered.org](https://codeengineered.com/blog/2019/go-mod-proxy-psa/)
* **De-Anonymization**<a name="de-anon"></a>
* **Articles/Blogposts/Writeups**
* [De-Anonymizing Alt.Anonymous. Messages - Tom Ritter - Defcon21](https://www.youtube.com/watch?v=_Tj6c2Ikq_E)
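Review bot: the source label in `* [PSA: Go 1.13 Default Module Proxy Privacy - codeengineered.org]` does not match the link target `https://codeengineered.com/blog/2019/go-mod-proxy-psa/`; use `codeengineered.com`.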
@ -426,3 +357,104 @@ https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-s
* **Talks**
* [Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-7-governments-and-ufos-a-historical-analysis-of-disinformation-and-deception-richard-thieme)
* [[TROOPERS15] Azhar Desai, Marco Slaviero - Weapons of Mass Distraction](https://www.youtube.com/watch?v=jdaPJLJCK1M)
### Sort
* [Pixel Tracking: How it’s used and abused - Barry Kimball(OISF19)](http://www.irongeek.com/i.php?page=videos/oisf2019/oisf-2019-05-pixel-tracking-how-its-used-and-abused-barry-kimball)
* [SyTech’s FSB Document Dump: Owning The Information Space and Disconnecting It - Krytp3ia](https://krypt3ia.wordpress.com/2019/08/03/sytechs-fsb-document-dump-owning-the-information-space-and-disconnecting-it/)
https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec
https://rastating.github.io/opsec-in-the-after-life/
https://github.com/VSCodium/vscodium/
http://tscm.com/
https://dat.foundation/
https://ssbc.github.io/scuttlebutt-protocol-guide/
http://www.servalproject.org/
* [DMVs Are Selling Your Data to Private Investigators - Joseph Cox(Vice)](https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars)
* [Create a Reusable Burner OS with Docker, Part 1: Making an Ubuntu Hacking Container - EvilToddler](https://null-byte.wonderhowto.com/how-to/create-reusable-burner-os-with-docker-part-1-making-ubuntu-hacking-container-0175328/)
* [Part 2](https://null-byte.wonderhowto.com/how-to/create-reusable-burner-os-with-docker-part-2-customizing-our-hacking-container-0175353/)
https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/
https://citizenlab.ca/2018/08/cant-picture-this-an-analysis-of-image-filtering-on-wechat-moments/
Remove hidden data and personal information by inspecting documents, presentations, or workbooks
https://support.office.com/en-us/article/remove-hidden-data-and-personal-information-by-inspecting-documents-presentations-or-workbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f
https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/911-services/general/location-accuracy-indoor-benchmarks
https://www.wsj.com/articles/SB105546175751598400
https://opaque.link/post/dropgang/
https://github.com/ctrlaltdev/LMGTFY-queries
* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman(BuzzFeed News)](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr)
* [Opting Out Like A Boss - The OSINT Way (Part 1) - learnallthethings.net](https://www.learnallthethings.net/blog/2018/1/23/opting-out-like-a-boss-the-osint-way)
https://electricalstrategies.com/about/in-the-news/spies-in-the-xerox-machine/
https://discover.cobbtechnologies.com/blog/the-soviet-union-and-the-photocopier
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/privacy/manage-windows-1809-endpoints.md
* [Creating Your Own Citizen Database - Aiganysh Aidarbekova](https://www.bellingcat.com/resources/how-tos/2019/02/14/creating-your-own-citizen-database/)
* [Manage connections from Windows operating system components to Microsoft services - docs.ms](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
* [Cookies – what does ‘good’ look like? - UK Information Comissioner's Office - Ali Shah](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/)
https://www.eff.org/nsa-spying/nsadocs
https://www.freehaven.net/anonbib/
http://computer-outlines.over-blog.com/article-windows-ipv6-privacy-addresses-118018020.html
https://blog.superuser.com/2011/02/11/did-you-know-that-ipv6-may-include-your-mac-address-heres-how-to-stop-it/
https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales
* [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers](https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)
* Propaganda
* [Project Feels: How USA Today, ESPN and The New York Times are targeting ads to mood - digiday](https://digiday.com/media/project-feels-usa-today-espn-new-york-times-targeting-ads-mood/)
* [The New York Times Advertising & Marketing Solutions Group Introduces ‘nytDEMO’: A Cross-Functional Team Focused on Bringing Insights and Data Solutions to Brands(2018)](https://investors.nytco.com/press/press-releases/press-release-details/2018/The-New-York-Times-Advertising--Marketing-Solutions-Group-Introduces-nytDEMO-A-Cross-Functional-Team-Focused-on-Bringing-Insights-and-Data-Solutions-to-Brands/default.aspx)
* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr)
* [Toward an Information Operations Kill Chain - Bruce Schneier](https://www.lawfareblog.com/toward-information-operations-kill-chain)
* [Attacks on applications of k-anonymity for password retrieval - Jack Cable](https://cablej.io/blog/k-anonymity/)
* [Project Raven: Inside the UAE’s secret hacking team of American mercenaries(Christopher Bing, Joel Schectman)]
* [How to Purge Google and Start Over – Part 2 - Mike Felch](https://www.blackhillsinfosec.com/how-to-purge-google-and-start-over-part-2/)
* [Of Moles and Molehunters: A Review of Counterintelligence Literature, 1977-92](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/U-Oct%20%201993-%20Of%20Moles%20-%20Molehunters%20-%20A%20Review%20of%20Counterintelligence%20Literature-%201977-92%20-v2.pdf)
* [Salamandra](https://github.com/eldraco/Salamandra)
* Salamandra is a tool to detect and locate spy microphones in closed environments. It find microphones based on the strength of the signal sent by the microphone and the amount of noise and overlapped frequencies. Based on the generated noise it can estimate how close or far away you are from the microphone.
* [zwsp-steg](https://github.com/offdev/zwsp-steg-js)
* Zero-Width Space Steganography. Encodes and decodes hidden messages as non printable/readable characters. [A demo can be found here](https://offdev.net/demos/zwsp-steg-js).
* [DEDA](https://github.com/dfd-tud/deda)
* DEDA - tracking Dots Extraction, Decoding and Anonymisation toolkit; Document Colour Tracking Dots, or yellow dots, are small systematic dots which encode information about the printer and/or the printout itself. This process is integrated in almost every commercial colour laser printer. This means that almost every printout contains coded information about the source device, such as the serial number.
* https://dfd.inf.tu-dresden.de/
* [The Spy and the Traitor: The Greatest Espionage Story of the Cold War - cia.gov](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol-63-no-1/spy_and_traitor.html)
* [How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps - Nathaniel Popper](https://www.nytimes.com/2019/03/12/technology/how-to-disappear-surveillance-state.html)
* [A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients - Vasile C. Perta, Marco V. Barbera, Gareth Tyson, Hamed Haddadi, and Alessandro Mei(2/2015)](https://www.petsymposium.org/2015/papers/02_Perta.pdf)
* [Forensic Analysis and Anonymisation of Printed Documents](https://dl.acm.org/citation.cfm?doid=3206004.3206019)
* Contrary to popular belief, the paperless office has not yet established itself. Printer forensics is therefore still an important field today to protect the reliability of printed documents or to track criminals. An important task of this is to identify the source device of a printed document. There are many forensic approaches that try to determine the source device automatically and with commercially available recording devices. However, it is difficult to find intrinsic signatures that are robust against a variety of influences of the printing process and at the same time can identify the specific source device. In most cases, the identification rate only reaches up to the printer model. For this reason we reviewed document colour tracking dots, an extrinsic signature embedded in nearly all modern colour laser printers. We developed a refined and generic extraction algorithm, found a new tracking dot pattern and decoded pattern information. Through out we propose to reuse document colour tracking dots, in combination with passive printer forensic methods. From privacy perspective we additional investigated anonymization approaches to defeat arbitrary tracking. Finally we propose our toolkitdeda which implements the entire workflow of extracting, analysing and anonymisation of a tracking dot pattern.
* [NCCA Polygraph Countermeasure Course Files Leaked](https://antipolygraph.org/blog/2018/06/09/ncca-polygraph-countermeasure-course-files-leaked/)
* [Fooling automated surveillance cameras: adversarial patches to attack person detection - Simen Thys, Wiebe Van Ranst, Toon Goedemé](https://arxiv.org/abs/1904.08653)
* Adversarial attacks on machine learning models have seen increasing interest in the past years. By making only subtle changes to the input of a convolutional neural network, the output of the network can be swayed to output a completely different result. The first attacks did this by changing pixel values of an input image slightly to fool a classifier to output the wrong class. Other approaches have tried to learn "patches" that can be applied to an object to fool detectors and classifiers. Some of these approaches have also shown that these attacks are feasible in the real-world, i.e. by modifying an object and filming it with a video camera. However, all of these approaches target classes that contain almost no intra-class variety (e.g. stop signs). The known structure of the object is then used to generate an adversarial patch on top of it. In this paper, we present an approach to generate adversarial patches to targets with lots of intra-class variety, namely persons. The goal is to generate a patch that is able successfully hide a person from a person detector. An attack that could for instance be used maliciously to circumvent surveillance systems, intruders can sneak around undetected by holding a small cardboard plate in front of their body aimed towards the surveillance camera. From our results we can see that our system is able significantly lower the accuracy of a person detector. Our approach also functions well in real-life scenarios where the patch is filmed by a camera. To the best of our knowledge we are the first to attempt this kind of attack on targets with a high level of intra-class variety like persons.
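Review bot: the appended `### Sort` block still needs cleanup before its entries can be filed: `Krytp3ia` in the SyTech entry should be `Krypt3ia` (the URL is krypt3ia.wordpress.com), `Comissioner` in the ICO cookies entry should be `Commissioner`, and the new `* [Attacks on applications of k-anonymity for password retrieval - Jack Cable]` line is placed between the Information Operations Kill Chain and Project Raven entries in the run that follows `* Propaganda`, although the file already has a `**De-Anonymization**<a name="de-anon"></a>` section where it fits. The many bare URLs (the vice.com Uzbekistan OPSEC piece, tscm.com, dat.foundation, the Scuttlebutt protocol guide, servalproject.org, eff.org/nsa-spying/nsadocs and others) should get the `[Title - Author](url)` form used by the bulleted entries around them.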

+4 -2 Draft/CTFs_Wargames.md

@ -1,5 +1,6 @@
# CTFs & Wargames
-------------------------
## Table of Contents
- [General](#general)
- [101](#101)
@ -14,15 +15,16 @@
- [Wargames](#wargames)
- [Writeups](#writeups)
-------------------------
https://github.com/stripe-ctf/stripe-ctf-2.0/
https://www.counterhackchallenges.com/
https://labs.nettitude.com/blog/derbycon-2018-ctf-write-up/
http://ctfhacker.com/reverse/2018/09/16/flareon-2018-wasabi.html
-----
----------------------------------------
### <a name="general">General</a>
* **General**
* [ctf-time](https://ctftime.org/)
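Review bot: two horizontal rules now sit back to back (`-----` directly above `----------------------------------------`) between the unsorted links and `### <a name="general">General</a>`; keep one. The four bare URLs above them (stripe-ctf-2.0, counterhackchallenges.com, the Nettitude DerbyCon 2018 CTF write-up, the ctfhacker FlareOn 2018 Wasabi write-up) are the kind of entries the ToC's `Writeups` and `Wargames` sections exist for; give them titles and file them there instead of leaving them between the ToC and the first heading.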


+12 -2 Draft/Containers.md

@ -207,6 +207,11 @@
* [FreeBSD Handbook: Jails](https://www.freebsd.org/doc/handbook/jails.html)
* **Tools**<a name="jtools"></a>
* [ezjail – Jail administration framework](https://erdgeist.org/arts/software/ezjail/)
* **LXC**
* **101**
* [Linux containers](https://linuxcontainers.org/)
* **Articles/Blogposts/Writeups**
* [LXC 1.0: Blog post series [0/10] - Stephane Graber](https://stgraber.org/2013/12/20/lxc-1-0-blog-post-series/)
* **Kubernetes**<a name="kubernetes"></a>
* **101**<a name="k101"></a>
* [An Introduction to Kubernetes(2018) - Justin Ellingwood(DO tutorials)](https://www.digitalocean.com/community/tutorials/an-introduction-to-kubernetes)
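Review bot: the new `* **LXC**` block lacks the `<a name=...>` anchor that the neighbouring `* **Tools**<a name="jtools"></a>` and `* **Kubernetes**<a name="kubernetes"></a>` headings carry, so it cannot be linked from the table of contents; add an anchor such as `* **LXC**<a name="lxc"></a>` and a matching ToC entry.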
@ -275,7 +280,6 @@
* This talk will give you practical advice about securing your Kubernetes clusters, from an attacker’s perspective. We’ll walk through the attack process from discovery to post-exploitation, and you’ll walk away with tools and techniques that can be used for prevention along the way. Learn how to keep your infrastructure safer by making a hacker’s job harder.
* [Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater(CloudNativeConEU19)](https://www.youtube.com/watch?v=VjSJqc13PNk&list=PLKDRii1YwXnLmd8ngltnf9Kzvbja3DJWx&index=6&t=0s)
* You may have heard about CVE-2018-1002105, one of the most severe Kubernetes security vulnerabilities of all time. But how does this flaw work? How can it be exploited, and what does it all mean? This deep dive will walk the audience through the Kubernetes back end, going over relevant concepts like aggregated API servers, the kubelet API, and permissions for namespace-constrained users. We will explain the details of how this flaw works, how a cluster’s moving parts can fit together to create a vulnerable context, and the risks involved in leaving this CVE unpatched in the wild. A live demonstration will show the audience exactly how easy it is to exploit this vulnerability. After explaining the attack pathways, the audience will leave with practical advice about mitigation and how to protect their clusters.
* **Tools**
* **Authentication**
* **Operating**
@ -342,4 +346,10 @@ https://sysdig.com/blog/oss-container-security-stack/
https://sysdig.com/blog/docker-image-scanning/
https://docs.google.com/presentation/d/1u6S1ycs8DURORf6S9XYKjP56oszJpouOca6xlkH9ILs/edit#slide=id.p
https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf
* [Getting vulnerabilities and metadata for images - cloud.google](https://cloud.google.com/container-registry/docs/get-image-vulnerabilities)
* [Getting vulnerabilities and metadata for images - cloud.google](https://cloud.google.com/container-registry/docs/get-image-vulnerabilities)
https://blog.aquasec.com/dns-spoofing-kubernetes-clusters
https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-2/
https://blog.appsecco.com/from-thick-client-exploitation-to-becoming-kubernetes-cluster-admin-the-story-of-a-fun-bug-we-fe92a7e70aa2
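Review bot: `* [Getting vulnerabilities and metadata for images - cloud.google](...)` is added twice in a row; drop one. The remaining additions (the aquasec DNS-spoofing-in-Kubernetes-clusters post, the aquasec container history, CyberArk's Kubernetes pentest methodology part 2, the appsecco thick-client-to-cluster-admin write-up) are bare URLs; give them the `[Title - Author](url)` form used elsewhere in the file and file the Kubernetes ones under the `**Kubernetes**<a name="kubernetes"></a>` section rather than the trailing sort list.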

+32 -37 Draft/Crypto_Encrypt.md

@ -39,42 +39,6 @@
- [Ethereum](#ether)
https://tls.ulfheim.net/
https://bearssl.org/
https://thecryptobible.co/protocols/tls.html
https://research.checkpoint.com/cryptographic-attacks-a-guide-for-the-perplexed/
https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Eng.pdf
* [A Diagram for Sabotaging Cryptosystems - @Jackson_T](https://web.archive.org/web/20180129010248/http://jackson.thuraisamy.me/crypto-backdoors.html)
* [A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) - Cloudflare](https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/)
* [Hash collisions and exploitations - Ange Albertini and Marc Stevens](https://github.com/corkami/collisions)
* The goal is to explore extensively existing attacks - and show on the way how weak MD5 is (instant collisions of any JPG, PNG, PDF, MP4, PE...) - and also explore in detail common file formats to determine how they can be exploited with present or with future attacks. Indeed, the same file format trick can be used on several hashes (the same JPG tricks were used for MD5, malicious SHA-1 and SHA1), as long as the collisions follow the same byte patterns. This document is not about new attacks (the most recent one was documented in 2012), but about new forms of exploitations of existing attacks.
https://blog.doyensec.com/2019/08/01/common-crypto-bugs.html
https://github.com/corkami/collisions
* [SSL/TLS and PKI History](https://www.feistyduck.com/ssl-tls-and-pki-history/)
* A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem.
https://tls.ulfheim.net/
https://asecuritysite.com/subjects/chapter58
https://github.com/ashutosh1206/Crypton
https://thecryptobible.co/primitives/symmetric_encryption.html
* [An Illustrated Guide to the BEAST Attack - Joshua Davies](http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027)
* [SHATTERED](https://shattered.io/)
http://securityintelligence.com/cve-2014-0195-adventures-in-openssls-dtls-fragmented-land/
https://www.wst.space/ssl-part1-ciphersuite-hashing-encryption/
https://wiki.mozilla.org/images/0/0b/Thunderbird-enigmail-report.pdf
https://malicioussha1.github.io/
-----
@ -453,4 +417,35 @@ To Do:
* [Auditing KRACKs in Wi-Fi - Preventing all attacks is hard in practice By Mathy Vanhoef of imec-DistriNet, KU Leuven, 2018](https://www.krackattacks.com/followup.html)
* [Hash-based Signatures: An illustrated Primer - Matthew Green](https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/)
* [Hash-based Signatures: An illustrated Primer - Matthew Green](https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/)
https://thecryptobible.co/primitives/symmetric_encryption.html
https://tls.ulfheim.net/
https://bearssl.org/
https://thecryptobible.co/protocols/tls.html
https://research.checkpoint.com/cryptographic-attacks-a-guide-for-the-perplexed/
https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Eng.pdf
* [A Diagram for Sabotaging Cryptosystems - @Jackson_T](https://web.archive.org/web/20180129010248/http://jackson.thuraisamy.me/crypto-backdoors.html)
* [A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) - Cloudflare](https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/)
* [Hash collisions and exploitations - Ange Albertini and Marc Stevens](https://github.com/corkami/collisions)
* The goal is to explore extensively existing attacks - and show on the way how weak MD5 is (instant collisions of any JPG, PNG, PDF, MP4, PE...) - and also explore in detail common file formats to determine how they can be exploited with present or with future attacks. Indeed, the same file format trick can be used on several hashes (the same JPG tricks were used for MD5, malicious SHA-1 and SHA1), as long as the collisions follow the same byte patterns. This document is not about new attacks (the most recent one was documented in 2012), but about new forms of exploitations of existing attacks.
https://blog.doyensec.com/2019/08/01/common-crypto-bugs.html
https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
https://github.com/corkami/collisions
* [SSL/TLS and PKI History](https://www.feistyduck.com/ssl-tls-and-pki-history/)
* A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem.
https://tls.ulfheim.net/
https://asecuritysite.com/subjects/chapter58
https://github.com/ashutosh1206/Crypton
https://thecryptobible.co/primitives/symmetric_encryption.html
* [An Illustrated Guide to the BEAST Attack - Joshua Davies](http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art027)
* [SHATTERED](https://shattered.io/)
http://securityintelligence.com/cve-2014-0195-adventures-in-openssls-dtls-fragmented-land/
https://www.wst.space/ssl-part1-ciphersuite-hashing-encryption/
https://wiki.mozilla.org/images/0/0b/Thunderbird-enigmail-report.pdf
https://malicioussha1.github.io/
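Review bot: several entries in this hunk are exact duplicates and the bare URLs break the list's `* [Title - Author](url)` convention. The `Hash-based Signatures: An illustrated Primer` entry appears twice back to back at the top, `https://thecryptobible.co/primitives/symmetric_encryption.html` and `https://tls.ulfheim.net/` each appear twice, and `https://github.com/corkami/collisions` is listed bare after already being added as the titled Albertini/Stevens entry with its description. Drop the repeats and give the remaining bare links (BearSSL, the Check Point cryptographic-attacks guide, the Doyensec common-crypto-bugs post, Latacora's cryptographic right answers, the DTLS fragment CVE write-up) a title and author before merging.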

Draft/DFIR.md (+68, -22)

@ -19,8 +19,7 @@
#### Sort
* [Firefed](https://github.com/numirias/firefed)
* Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser.
* [Forensics: Monitor Active Directory Privileged Groups with PowerShell - Ashley McGlone](https://blogs.technet.microsoft.com/ashleymcglone/2014/12/17/forensics-monitor-active-directory-privileged-groups-with-powershell/)
https://zeltser.com/security-incident-questionnaire-cheat-sheet/
https://zeltser.com/security-incident-survey-cheat-sheet/
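Review bot: `[Firefed](https://github.com/numirias/firefed)` is added here under `#### Sort` and again, with the identical description, under the `**Firefox**` browser-forensics list later in this file; keep the categorized copy and drop this one so the Sort section stays a queue of unfiled items.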
@ -28,6 +27,11 @@ https://zeltser.com/security-incident-log-review-checklist/
* [Touch Screen Lexicon Forensics (TextHarvester/WaitList.dat) - Barnaby Skeggs](https://b2dfir.blogspot.com/2016/10/touch-screen-lexicon-forensics.html?m=1)
* Sort sections alphabetically
* Update ToC
* [Planning for Compromise - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise)
* [ADTimeline](https://github.com/ANSSI-FR/ADTimeline)
* PowerShell script creating a timeline of Active Directory changes with replication metadata
* [Strategies to Mitigate Cyber Security Incidents - Mitigation Details - Australian Cyber Security Center](https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents-mitigation-details)
* [Digging Up the Past: Windows Registry Forensics Revisited - David Via](https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html)
* [National Incident Management System -USA](https://www.fema.gov/national-incident-management-system)
* [Investigating CloudTrail Logs](https://medium.com/starting-up-security/investigating-cloudtrail-logs-c2ecdf578911)
* [pagerduty Incident Response](https://response.pagerduty.com/)
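Review bot: the to-do items `* Sort sections alphabetically` and `* Update ToC` sit between link entries and will render as list content; move them to the file's To-Do block or turn them into HTML comments so they are not published as references.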
@ -40,10 +44,53 @@ https://zeltser.com/security-incident-log-review-checklist/
https://medium.com/starting-up-security/who-fixes-that-bug-f17d48443e21
https://www.sans.org/score/law-enforcement-faq/
https://www.sans.org/score/incident-forms/
* [Extracting Bitlocker Keys from a TPM - Denis Andzakovic](https://pulsesecurity.co.nz/articles/TPM-sniffing)
DFIR
https://github.com/yampelo/beagle
https://medium.com/@forensic_matt/opcode-and-task-enumeration-and-shell-items-bd4ff0b548a3
https://www.linkedin.com/pulse/invoke-liveresponse-matthew-green
https://github.com/mgreen27/Powershell-IR
https://docs.velociraptor.velocidex.com/
https://www.andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet/
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
https://www.crowdstrike.com/blog/automating-mac-forensic-triage/
https://www.irongeek.com/i.php?page=videos/bsidescleveland2019/bsides-cleveland-c-04-incident-response-on-macos-thomas-reed
https://github.com/certsocietegenerale/IRM/tree/master/EN
https://www.incidentresponse.com/playbooks/
https://docs.microsoft.com/en-us/office365/securitycompliance/siem-server-integration
* [The only PowerShell Command you will ever need to find out who did what in Active Directory - Przemyslaw Klys](https://evotec.xyz/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory/)
* [Regipy: Automating registry forensics with python - Martin Korman](https://medium.com/dfir-dudes/regipy-automating-registry-forensics-with-python-b170a1e2b474)
* [regipy](https://github.com/mkorman90/regipy)
* Regipy is an os independent python library for parsing offline registry hives
Cloud IR
* https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235
* https://www.sans.org/reading-room/whitepapers/incident/paper/36902
* https://www.blackhat.com/docs/us-16/materials/us-16-Krug-Hardening-AWS-Environments-And-Automating-Incident-Response-For-AWS-Compromises-wp.pdf
* https://aws.amazon.com/blogs/publicsector/building-a-cloud-specific-incident-response-plan/
* https://www.amazon.com/Incident-Response-Strategic-Handling-Security/dp/1578702569
* http://threatresponse-derbycon.s3-website-us-west-2.amazonaws.com/#/step-1
* https://cloud.gov/docs/ops/security-ir/
* https://www.slideshare.net/AmazonWebServices/incident-response-in-the-cloud-sid319-reinvent-2017
* https://www.slideshare.net/AmazonWebServices/incident-response-in-the-cloud-sid319-reinvent-2017
* https://www.youtube.com/watch?v=Y9cAHxd0kW4
* [Cleaning the Apple Orchard - Using Venator to Detect macOS Compromise - Richie Cyrus(BSides Charm2019)](http://www.irongeek.com/i.php?page=videos/bsidescharm2019/1-02-cleaning-the-apple-orchard-using-venator-to-detect-macos-compromise-richie-cyrus)
* Various solutions exist to detect malicious activity on macOS. However, they are not intended for enterprise use or involve installation of an agent. This session will introduce and demonstrate how to detect malicious macOS activity using the tool Venator. Venator is a python based macOS tool designed to provide defenders with the data to proactively identify malicious macOS activity at scale.
https://www.youtube.com/watch?v=YGJaj6_3dGA
https://aboutdfir.com/
https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
* [HAWK 1.1.4](https://www.powershellgallery.com/packages/HAWK/1.1.4)
* The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization. It accelerates the gathering of data from multiple sources in the service. It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.
https://github.com/giMini/PowerMemory
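Review bot: the slideshare link `incident-response-in-the-cloud-sid319-reinvent-2017` is listed twice in a row in the Cloud IR block, and the `DFIR` and `Cloud IR` labels are plain text rather than the `* **Section**` headings used elsewhere in this file. The run of bare URLs (beagle, Invoke-LiveResponse, Velociraptor docs, the Windows security event log cheatsheets, the Societe Generale IRM playbooks, the SANS cloud-forensics whitepapers) should get titles so readers can tell what each is without following the link.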
@ -59,13 +106,7 @@ https://github.com/giMini/PowerMemory
* [Data recovery on dead micro SD card - HDD Recovery Services](https://www.youtube.com/watch?v=jjB6wliyE_Y&feature=youtu.be)
* [Digital Forensics Tips&Tricks: How to Detect an Intruder-driven Group Policy Changes - volnodumcev](https://habr.com/en/post/444048/)
* [SQLite-Parser](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser)
* Script to recover deleted entries in an SQLite database
@ -274,18 +315,23 @@ https://cert.societegenerale.com/en/publications.html
* [Google Chrome Forensics-SANS](https://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics#)
* **General**
* **Tools**
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [Extension Finder](https://github.com/brad-anton/extension_finder)
* Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons. Attempts to find installed browser extensions (sometimes called add-ons or plug-ins, depending on the browser).
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [Chrome Ragamuffin](https://github.com/cube0x8/chrome_ragamuffin)
* Volatility plugin designed to extract useful information from Google Chrome's address space. The goal of this plugin is to make possible the analysis of a Google Chrome running instance. Starting from a memory dump, Chrome Ragamuffin can list which page was open on which tab and it is able to extract the DOM Tree in order to analyze the full page structure.
* [firefox_decrypt](https://github.com/unode/firefox_decrypt)
* Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox/Thunderbird/Seabird) profiles
* [firepwd.py](https://github.com/lclevy/firepwd)
* firepwd.py, an open source tool to decrypt Mozilla protected passwords
* **Chrome**
* [Chrome Ragamuffin](https://github.com/cube0x8/chrome_ragamuffin)
* Volatility plugin designed to extract useful information from Google Chrome's address space. The goal of this plugin is to make possible the analysis of a Google Chrome running instance. Starting from a memory dump, Chrome Ragamuffin can list which page was open on which tab and it is able to extract the DOM Tree in order to analyze the full page structure.
* **Firefox**
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
* [firefox_decrypt](https://github.com/unode/firefox_decrypt)
* Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox/Thunderbird/Seabird) profiles
* [firepwd.py](https://github.com/lclevy/firepwd)
* firepwd.py, an open source tool to decrypt Mozilla protected passwords
* [Firefed](https://github.com/numirias/firefed)
* Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser.
* **Neutral**
* [Extension Finder](https://github.com/brad-anton/extension_finder)
* Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons. Attempts to find installed browser extensions (sometimes called add-ons or plug-ins, depending on the browser).
* **Miscellaneous**
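Review bot: every Firefox tool in this hunk is now listed two to four times because the flat `**Tools**` list was kept alongside the new per-browser subsections: `MozillaRecovery` appears twice under Tools and twice under `**Firefox**`, while `Chrome Ragamuffin`, `firefox_decrypt`, `firepwd.py` and `Extension Finder` each appear under Tools and again under their browser or Neutral heading. Delete the flat Tools copies and the second MozillaRecovery under Firefox so each tool is listed once.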


Draft/Defense.md (+24, -0)

@ -568,6 +568,8 @@
* **Articles/Blogposts/Writeups**
* [Vulnerability Management Program Best Practices – Irfahn Khimji](https://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-management-program-best-practices-part-1/)
* [The Five Stages of Vulnerability Management - Irfahn Khimji](https://www.tripwire.com/state-of-security/vulnerability-management/the-five-stages-of-vulnerability-management/)
* [Building a VulnerabilityManagement Program: A project management approach - Wylie Shanks(2015)](https://www.sans.org/reading-room/whitepapers/projectmanagement/building-vulnerability-management-program-project-management-approach-35932)
* Abstract: This paper examines the critical role of project management in building a successful vulnerability management program. This paper outlines how organizational risk and regulatory compliance needs can be addressed through a "Plan-Do-Check-Act" approach to a vulnerability management program.
* **Identifying Assets**
* [PowerShell: Documenting your environment by running systeminfo on all Domain-Computers - Patrick Gruenauer](https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers/)
* [A Faster Way to Identify High Risk Windows Assets - Scott Sutherland](https://blog.netspi.com/a-faster-way-to-identify-high-risk-windows-assets/)
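Review bot: the title in `[Building a VulnerabilityManagement Program: A project management approach - Wylie Shanks(2015)]` is missing the space in `Vulnerability Management`; fix the title text (the URL itself is fine).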
@ -663,3 +665,25 @@ Active Directory
* [Stored passwords found all over the place after installing Windows in company networks :( - Sami Laiho](http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html)
* [Protect Yourself From Malicious PKI Administrator – Role Separation In PKI - Paula Januszkiewicz](https://cqureacademy.com/blog/securing-infrastructure/role-separation-pki)
* [Cost Effective Drone Detection - Alex Farrant](https://www.contextis.com/en/blog/cost-effective-drone-detection)
https://www.slideshare.net/HuyKha2/adsvs-v10-improving-the-security-of-active-directory
https://www.slideshare.net/HuyKha2/adstg-v20-guidance
https://www.slideshare.net/HuyKha2/iam-policy-ad
https://www.slideshare.net/HuyKha2/delegate-backup-important-stuff-in-active-directory
https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/All-your-creds-are-belong-to-us/ba-p/855124
* [Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016](https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b)
* [Project Phinn](https://github.com/duo-labs/phinn)
* A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network.
* [IsThisLegit?](https://github.com/duo-labs/isthislegit)
* IsThisLegit is a dashboard and Chrome extension that makes it easy to receive, analyze, and respond to phishing reports.
* [How to grill Malicious Macros - SSTIC15 - Decalage](https://decalage.info/en/sstic15)
* [Applied Machine Learning: Defeating Modern Malicious Documents](https://www.youtube.com/embed/ZAuCEgA3itI?enablejsapi=1&modestbranding=1&disablekb=1&rel=0)
* [MacroMilter](https://github.com/sbidy/MacroMilter)
* This python based milter (mail-filter) checks an incoming mail for suspicious VBA macro code in MS 20xx Office attachments (doc, xls, ppt ...).
* [MaliciousMacroBot](https://github.com/egaus/MaliciousMacroBot)
* [Hunting for evil: detect macros being executed - Pieter Ceelen](https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/)
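Review bot: the five slideshare links and the two Microsoft links at the top of this hunk are bare URLs in a section that otherwise uses `[Title - Author](url)`, and `[MaliciousMacroBot](https://github.com/egaus/MaliciousMacroBot)` has no description line unlike the tool entries around it. The Duo Labs phishing tools and the malicious-macro entries are also appended to the Active Directory tail of the file; they belong with the phishing and malicious-document material rather than here.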

Draft/Embedded.md (+3, -6)

@ -1,6 +1,5 @@
# Embedded Device Security
-----------------------------------
## Table of Contents
- [General](#general)
@ -29,7 +28,6 @@
- [Voting Machines](#voting)
- [Specific Attacks](#specific)
-----------------------------
* **To-Do**
* Fingeprint readers
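Review bot: `Fingeprint readers` in the To-Do list is misspelled; it should read `Fingerprint readers`.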
@ -43,10 +41,6 @@
* TPM
* [Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
--------
### General
* [ArduPilot](http://ardupilot.org/ardupilot/index.html)
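Review bot: `[Attackin the TPM part 2]` is missing the `g` in `Attacking`; fix the title.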
@ -564,3 +558,6 @@ Drone hacking
* [DEVIATIONTX WITH NRF24L01 MODULE, THE UNIVERSAL DRONE REMOTE CONTROL. - garagedrone](https://dronegarageblog.wordpress.com/2016/06/07/deviationtx-with-nrf24l01-module-the-universal-drone-remote/)
https://github.com/phodal/awesome-iot
https://github.com/V33RU/IoTSecurity101
* [Hardware Hacking for the Masses (and you!) - BusesCanFly(LevelUp 0x05)](https://www.youtube.com/watch?v=95vRsoGG9dc&list=PLIK9nm3mu-S4vjC0EGZVEK3WAKwT3rAFy&index=2&t=0s)
* Custom summary: Intro(ish)-level talk for getting started/introduced to HardwareHacking. Good stuff.
* [Slides](https://github.com/BusesCanFly/HardwareHackingForTheMasses/blob/master/HardwareHackingForTheMasses.pdf)
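Review bot: `https://github.com/phodal/awesome-iot` and `https://github.com/V33RU/IoTSecurity101` are bare URLs directly above a properly titled entry; give them titles, and since neither is drone-specific consider moving them up to General rather than leaving them at the end of the Drone hacking block.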

Draft/Exfiltration.md (+1, -1)

@ -1,6 +1,5 @@
# Exfiltration
## Table of Contents
* [General](#general)
@ -24,6 +23,7 @@ https://github.com/moloch--/wire-transfer
##### End Sort
https://github.com/TarlogicSecurity/Arecibo
* [Secure WebDav Egress: AMZ EC2, Apache, and Let's Encrypt - Chris Patten](http://rift.stacktitan.com/alternate-unc-webdav-ssl-and-lets-encrypt/)
https://github.com/alcor/itty-bitty/
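Review bot: `https://github.com/TarlogicSecurity/Arecibo` and `https://github.com/alcor/itty-bitty/` are bare URLs placed after the `##### End Sort` marker, i.e. outside the sort queue; either move them above the marker or give them titles and descriptions like the WebDav egress entry between them.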


Draft/Exploit_Dev.md (+58, -22)

@ -66,63 +66,96 @@
* Add more on Borrowed-Instruction-Set Computing
* [Why .shared sections are a security hole](https://devblogs.microsoft.com/oldnewthing/?p=38253)
https://rastating.github.io/creating-a-custom-shellcode-encoder/
https://www.corelan.be/index.php/2019/04/23/windows-10-egghunter/
https://blog.flanker017.me/galaxy-leapfrogging-pwning-the-galaxy-s8/
https://blog.flanker017.me/galaxy-leapfrogging-pwning-the-galaxy-s8/
http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html
https://github.com/swisskyrepo/PayloadsAllTheThings
https://github.com/Cn33liz/MS17-012
https://github.com/qazbnm456/awesome-cve-poc#cve-2018-5318
https://github.com/Cn33liz/Tater
https://exploit.education/
https://www.contextis.com/en/blog/a-beginners-guide-to-windows-shellcode-execution-techniques
* [High-Level Approaches for Finding Vulnerabilities - @Jackson_T](https://web.archive.org/web/20171119102445/https://jackson.thuraisamy.me/finding-vulnerabilities.html)
https://m0chan.github.io/2019/08/21/Win32-Buffer-Overflow-SEH.html
https://googleprojectzero.blogspot.com/2019/09/windows-exploitation-tricks-spoofing.html
* [High-Level Approaches for Finding Vulnerabilities - @Jackson_T](https://web.archive.org/web/20171119102445/https://jackson.thuraisamy.me/finding-vulnerabilities.html)
* [Bypassing Windows ASLR in Microsoft Office using ActiveX controls - Parvez](https://www.greyhathacker.net/?p=894)
* [Exploiting the Linux kernel via packet sockets - Andrey Konovalov](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html)
* https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
https://github.com/CENSUS/shadow
https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit.html
http://blog.sevagas.com/?Code-segment-encryption
Solaris
* https://techblog.mediaservice.net/2018/11/cve-2018-14665-exploit-local-privilege-escalation-on-solaris-11/
* https://www.giac.org/paper/gcih/700/local-privilege-escalation-solaris-8-solaris-9-buffer-overflow-passwd1/105309
* https://www.exploit-db.com/exploits/715
* [I Am Groot: Examining the Guardians of Windows 10 Security - Chuanda Ding(Defcon China 1)](https://www.youtube.com/watch?v=a0AB76YNMlQ)
* Being one of the main targets of 3 Pwn2Own competitions, Microsoft Windows 10, along with Microsoft Edge, is proven more and more difficult to exploit. Now Windows 10 has been released for more than 2 years, Microsoft has been constantly updating the security mitigations integrated with the operating system. After 5 major releases, multiple levels of protections have been added to prevent a programming error from turning into a full system compromise. You may have heard many of them marketed as "Guards" under the Windows Defender brand. But how do they actually work? As Pwn2Own participants (and winners), we closely watched Windows 10 security evolve over the years. In this talk, you will get a behind-the-scene view of Windows 10 security mitigation implementations, how it helped make attackers' life harder, and how the attackers overcame it.
* https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf
* https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
* https://habr.com/ru/company/pt/blog/448378/
* https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/
* CVE-2017-11882
* http://www.trapkit.de/books/bhd/en.html#code
iOS Exploitation - Title: 2PAC 2FURIOUS: Envisioning an iOS compromise in 2019
* https://googleprojectzero.blogspot.com/2019/04/splitting-atoms-in-xnu.html
* https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf
Android Chrome exploitation infiltrate
* https://vimeo.com/270454588
https://osandamalith.com/2018/02/01/exploiting-format-strings-in-windows/
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
* [Get Cozy with OpenBSM Auditing...the good, the bad, & the ugly - Patrick Wardle](https://objective-see.com/talks/Wardle_ShmooCon2018.pdf)
* [Getting Cozy With OpenBSM Auditing On MacOS - Patrick Wardle](https://www.youtube.com/watch?v=CqlpJ7rIT6M)
* With the demise of dtrace on macOS, and Apple’s push to rid the kernel of 3rd-party kexts, another option is needed to perform effective auditing on macOS. Lucky for us, OpenBSM fits the bill. Though quite powerful, this auditing mechanism is rather poorly documented and suffered from a variety of kernel vulnerabilities. In this talk, we’ll begin with an introductory overview of OpenBSM’s goals, capabilities, and components before going ‘behind-the-scenes’ to take a closer look at it’s kernel-mode implementation. Armed with this understanding, we’ll then detail exactly how to build powerful user-mode macOS monitoring utilities such as file, process, and networking monitors based on the OpenBSM framework and APIs. Next we’ll don our hacker hats and discuss a handful of kernel bugs discovered during a previous audit of the audit subsystem (yes, quite meta): a subtle off-by-one read error, a blotched patch that turned the off-by-one into a kernel info leak, and finally an exploitable heap overflow. Though now patched, the discussion of these bugs provides an interesting ‘case-study’ of finding and exploiting several types of bugs that lurked within the macOS kernel for many years
https://www.youtube.com/watch?v=gu_i6LYuePg
https://j00ru.vexillium.org/syscalls/nt/64/
http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
https://hovav.net/ucsd/dist/noret-ccs.pdf
* [Bypassing Windows ASLR by determining the library address using shared pages - stackoverflow](https://stackoverflow.com/questions/29865977/bypassing-windows-aslr-by-determining-the-library-address-using-shared-pages)
https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
Prep for https://medium.com/@iphelix/exodus-vuln-dev-master-class-44741b1ebdd5
https://msrc-blog.microsoft.com/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/
https://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf
https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/ASIACCS11.pdf
https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/
http://www.phreedom.org/research/heap-feng-shui/
http://illmatics.com/Understanding_the_LFH_Slides.pdf
https://net-ninja.net/article/2012/Mar/1/heap-overflows-for-humans-104/
https://github.com/googleprojectzero/iOS-messaging-tools
https://googleprojectzero.blogspot.com/2019/04/windows-exploitation-tricks-abusing.html
https://googleprojectzero.blogspot.com/p/working-at-project-zero.html
http://blog.sevagas.com/?Code-segment-encryption
* [Return-Oriented Programming without Returns - Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy](https://hovav.net/ucsd/papers/cddssw10.html)
* We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets. Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
* [windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
* https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf
https://www.youtube.com/watch?v=gu_i6LYuePg
https://j00ru.vexillium.org/syscalls/nt/64/
http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
https://hovav.net/ucsd/dist/noret-ccs.pdf
* [Practical case: Buffer Overflow 0x01 - ](https://maxkersten.nl/binary-analysis-course/assembly-basics/practical-case-buffer-overflow-0x01/)
https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
---------------
### <a name="general">General</a>
* **General**
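Review bot: this sort block carries a lot of duplicated lines that should be collapsed before merge: the galaxy-leapfrogging post twice in a row, `[High-Level Approaches for Finding Vulnerabilities - @Jackson_T]` twice, the Project Zero packet-sockets post both as a titled entry and as a bare URL, the sevagas code-segment-encryption post twice, the bochspwn_reloaded PDF twice, the four lines from the `gu_i6LYuePg` YouTube link through `https://hovav.net/ucsd/dist/noret-ccs.pdf` repeated verbatim, and the `Return-Oriented Programming without Returns` entry with its abstract, which this same commit also adds to the ROP section further down. `[Practical case: Buffer Overflow 0x01 - ]` is missing the author after the dash, and the `iOS Exploitation - Title: ...` and `Android Chrome exploitation infiltrate` lines are unformatted placeholder labels rather than list entries.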
@ -199,6 +232,9 @@ https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-explo
* [Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010](http://www.sourceconference.com/bos10pubs/Dino.pdf)
* [Return-Oriented Programming without Returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf)
* [Introduction to ROP programming](http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
* [Return-Oriented Programming without Returns - Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy](https://hovav.net/ucsd/papers/cddssw10.html)
* We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets. Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
#### Blind ROP
* [Blind Return Oriented Programming (BROP)](http://www.scs.stanford.edu/~sorbo/brop/)
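Review bot: the authored `Return-Oriented Programming without Returns` entry added at the end of this hunk duplicates the existing `[Return-Oriented Programming without Returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf)` two lines above it (same paper, different mirror); keep one entry, preferably the one with authors and abstract, and drop the other.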


Draft/Fuzzing.md (+4, -0)

@ -358,3 +358,7 @@ https://github.com/googleprojectzero/BrokenType
Binary Instrumentation
* http://deniable.org/reversing/binary-instrumentation
* https://thefengs.com/wuchang/courses/cs492/afl/#0
http://joxeankoret.com/blog/2015/03/13/diaphora-a-program-diffing-plugin-for-ida-pro/
http://joxeankoret.com/blog/2018/08/12/histories-of-comparing-binaries-with-source-codes/
http://joxeankoret.com/blog/2018/11/04/new-cfg-based-heuristic-diaphora/
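Review bot: the three Diaphora posts are appended under `Binary Instrumentation` in Fuzzing.md, but program diffing is a reverse-engineering topic and RE.md is touched in this same commit; move them there, and give them titles and the author (Joxean Koret) instead of bare URLs.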

Draft/Interesting_Things.md (+44, -6)

@ -7,6 +7,7 @@
https://www.recordedfuture.com/disinformation-service-campaigns/
https://getindico.io/
https://www.niceideas.ch/roller2/badtrash/entry/deciphering-the-bengladesh-bank-heist
@ -16,9 +17,36 @@ https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digita
* Molly Schweickert, Vice President Global Media from Cambridge Analytica on "How digital advertising worked for the US 2016 presidential campaign". How they used Facebook user data and other sources to target specific users with individual messages for the 2016 Trump election campaign. She is Alexander Nix' digital marketing expert.
http://www.tidepools.co/history.html
https://www.iafrikan.com/2019/09/02/south-africa-mass-surveillance-spying-undersea-fiber-cables/
http://habitatchronicles.com/2007/03/the-untold-history-of-toontowns-speedchat-or-blockchattm-from-disney-finally-arrives/
https://v1.escapistmagazine.com/articles/view/video-games/issues/issue_101/559-Will-Bobba-for-Furni.3
* [HiJackThis Fork v3](https://github.com/dragokas/hijackthis)
* [Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran - Kim Zetter, Huib Modderkolk(Yahoo News)](https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html)
* [Why Arabs Lose Wars - Norvell B. De Atkine - Middle East Quarterly(1999)](https://www.meforum.org/441/why-arabs-lose-wars)
* [Flame Warriors - Mike Reed](http://www.flamewarriorsguide.com/)
* Spying
* https://theintercept.com/2018/05/19/japan-dfs-surveillance-agency/
* http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
* https://commons.erau.edu/cgi/viewcontent.cgi?article=1008&context=ibpp
* http://science.sciencemag.org/content/363/6425/374
* https://www.amazon.com/The-Widow-Spy-Martha-Peterson/dp/0983878129
* http://www.wect.com/story/31012495/ex-cia-spy-recalls-her-time-in-russia/
* https://espionagehistoryarchive.com/2015/03/24/the-kgbs-intelligence-school/
* https://ia800300.us.archive.org/16/items/MoraleOperations/MoraleOperations.pdf
* https://repository.library.georgetown.edu/bitstream/handle/10822/553096/mobleyBlake.pdf?se
* https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol.-57-no.-1-a/vol.-57-no.-1-a-pdfs/Burkett-MICE%20to%20RASCALS.pdf
* https://drive.google.com/file/d/0Bzt0K7_O4qyqNE1UMG5Uc1VGcXc/edit
* https://longreads.com/2015/01/12/the-dark-arts-a-corporate-espionage-reading-list/
* https://www.gov.uk/government/speeches/mi6-c-speech-on-fourth-generation-espionage
* https://www.bellingcat.com/resources/how-tos/2019/02/01/tracking-illicit-transactions-with-blockchain-a-guide-featuring-mueller/
* https://www.reuters.com/investigates/special-report/usa-spying-raven/
China
* https://www.theguardian.com/news/2018/dec/07/china-plan-for-global-media-dominance-propaganda-xi-jinping
https://theblog.okcupid.com/the-case-for-an-older-woman-99d8cabacdf5
https://theblog.okcupid.com/the-big-lies-people-tell-in-online-dating-a9e3990d6ae2
https://pagedout.institute/?page=issues.php
https://www.cnet.com/forums/discussions/beyond-the-grave-virus-infecting-hedge-funds/
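Review bot: `Spying` and `China` are plain-text labels followed by bare URLs in a file that uses `* **Section**` headings and `[Title - Author](url)` entries, and the Georgetown repository link ending in `mobleyBlake.pdf?se` looks truncated mid-query-string. Give these entries titles and verify that link resolves before merging.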
@ -26,22 +54,31 @@ https://www.cnet.com/forums/discussions/beyond-the-grave-virus-infecting-hedge-f
https://elpais.com/elpais/2019/03/13/inenglish/1552464196_279320.html
http://www.catb.org/~esr/jargon/html/koans.html
* [An Interview With A Google Search Quality Rater - Matt McGee](https://searchengineland.com/interview-google-search-quality-rater-108702)
* [Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else - Cooper Quintin(EFF)](https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else)
https://www.brennancenter.org/blog/standards-opening-fbi-investigation-so-low-they-make-statistic-meaningless
https://cepr.shorthandstories.com/haiti-contractors/index.html
https://www.brennancenter.org/analysis/just-what-fbi-investigation-fact-sheet
https://vault.fbi.gov/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29%202016%20Version/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20%28DIOG%29%202016%20Version%20Part%2001%20of%2002/view
* [gotty](https://github.com/yudai/gotty)
* Share your terminal as a web application
https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
https://www.ribbonfarm.com/2012/03/08/halls-law-the-nineteenth-century-prequel-to-moores-law/
https://epic.org/2019/01/border-agency-finalizes-social.html
https://epic.org/foia/epic-v-dhs-media-monitoring/
https://www.govinfo.gov/content/pkg/FR-2018-12-27/pdf/2018-27944.pdf
https://www.rand.org/research/gun-policy/analysis/essays/mass-shootings.html
https://priceonomics.com/the-san-francisco-drug-economy/
https://cosmism.blogspot.com/2010/05/existentialism-today-terror-management.html
* [The Virgin CSV vs. the Chad TSV - Imagine unironically escaping special characters](https://www.256kilobytes.com/content/show/10868/the-virgin-csv-vs-the-chad-tsv)
https://trollfactory.yle.fi/
https://www.mail-archive.com/lt@lists.liberationtech.org/msg00104.html
* [A Verified Information-Flow Architecture](http://www.crash-safe.org/assets/verified-ifc-long-draft-2013-11-10.pdf)
* SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end- to-end proof of noninterference for this model.
@ -85,7 +122,8 @@ https://dynamicland.org/
* [lowRISC](https://www.lowrisc.org/)
* [Tagged memory and minion cores in the lowRISC SoC](https://www.lowrisc.org/downloads/lowRISC-memo-2014-001.pdf)
* **Open Source**
* [How to abandon a FLOSS project - Drew DeVault](https://drewdevault.com/2018/12/04/How-to-abandon-a-FLOSS-project.html)
* [BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)](https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html)
#### End Sort
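Review bot: `* [BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)]` is filed under `* **Open Source**` beside Drew DeVault's FLOSS-maintenance post, but it is a VPN how-to rather than anything about open-source maintenance; it fits the networking or privacy material better (AnonOpSecPrivacy.md is touched in this same commit). Sentence-casing the all-caps title would also match the rest of the list.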


+ 78
- 3
Draft/L-SM-TH.md

@ -5,16 +5,63 @@
## Table of Contents
https://www.youtube.com/watch?v=YGJaj6_3dGA
https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
* [Mental Models for Effective Searching - Chris Sanders](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1555082140.pdf)
* [kethash](https://github.com/cyberark/ketshash)
* A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks
* [Hunting for SILENTTRINITY - Wee-Jing Chung](https://countercept.com/blog/hunting-for-silenttrinity/)
* [Use Windows Event Forwarding to help with intrusion detection - docs.ms](Use Windows Event Forwarding to help with intrusion detection)
* [Digital Steganography as an Advanced Malware Detection Evasion Technique - z3roTrust(Masters Thesis)](https://medium.com/@z3roTrust/digital-steganography-as-an-advanced-malware-detection-evasion-technique-40d4eeb19830)
* [Sysinternals Sysmon suspicious activity guide - Moti Bani](https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/)
* [Background Intelligent Transfer Protocol - TH Team](https://medium.com/@threathuntingteam/background-intelligent-transfer-protocol-ab81cd900aa7)
https://blog.xpnsec.com/evading-sysmon-dns-monitoring/
* [GENE: Go Evtx sigNature Engine](https://github.com/0xrawsec/gene)
* The idea behind this project is to provide an efficient and standard way to look into Windows Event Logs (a.k.a EVTX files). For those who are familiar with Yara, it can be seen as a Yara engine but to look for information into Windows Events.
https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0
* [Obtaining and Detecting Domain Persistence - Grant Bugher(DEF CON 23)](https://www.youtube.com/watch?v=gajEuuC2-Dk)
* When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker.
* [Mental Models for Effective Searching - Chris Sanders](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1555082140.pdf)
https://fortinetweb.s3.amazonaws.com/fortiguard/research/Learn_How_to_Build_Your_Own_Utility_to_Monitor_Malicious_Behaviors_of_Malware_on%20macOS_KaiLu.pdf
https://www.blackhat.com/us-18/arsenal.html#learn-how-to-build-your-own-utility-to-monitor-malicious-behaviors-of-malware-on-macos
https://jpcertcc.github.io/ToolAnalysisResultSheet/
https://techcommunity.microsoft.com/t5/Azure-Sentinel/Identifying-Threat-Hunting-opportunities-in-your-data/ba-p/915721
https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks
https://www.peerlyst.com/posts/security-monitoring-and-attack-detection-with-elasticsearch-logstash-and-kibana-martin-boller
https://github.com/littl3field/Audix
https://digital-forensics.sans.org/blog/2019/02/09/investigating-wmi-attacks
https://github.com/hunters-forge/API-To-Event
https://www.peerlyst.com/posts/threat-hunting-basics-getting-manual-soc-prime
* [Windows Privilege Abuse: Auditing, Detection, and Defense - Palantir](https://medium.com/palantir/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e)
https://www.youtube.com/watch?v=iweEI60PWeY
* [Container Forensics: What to Do When Your Cluster is a Cluster - Maya Kaczorowski & Ann Wallace(CloudNativeConEU19) ](https://www.youtube.com/watch?v=MyXROAqO7YI&list=PLKDRii1YwXnLmd8ngltnf9Kzvbja3DJWx&index=7&t=0s)
* When responding to an incident in your containers, you don’t necessarily have the same tools at your disposal that you do with VMs - and so your incident investigation process and forensics are different. In a best case scenario, you have access to application logs, orchestrator logs, node snapshots, and more. In this talk, we’ll go over where to get information about what’s happening in your cluster, including logs and open source tools you can install, and how to tie this information together to get a better idea of what’s happening in your infrastructure. Armed with this info, we’ll review the common mitigation options such as to alert, isolate, pause, restart, or kill a container. For common types of container attacks, we'll discuss what options are best and why. Lastly, we’ll talk about restoring services after an incident, and the best steps to take to prevent the next one.
* [Get Cozy with OpenBSM Auditing...the good, the bad, & the ugly - Patrick Wardle](https://objective-see.com/talks/Wardle_ShmooCon2018.pdf)
* [Getting Cozy With OpenBSM Auditing On MacOS - Patrick Wardle](https://www.youtube.com/watch?v=CqlpJ7rIT6M)
* With the demise of dtrace on macOS, and Apple’s push to rid the kernel of 3rd-party kexts, another option is needed to perform effective auditing on macOS. Lucky for us, OpenBSM fits the bill. Though quite powerful, this auditing mechanism is rather poorly documented and suffered from a variety of kernel vulnerabilities. In this talk, we’ll begin with an introductory overview of OpenBSM’s goals, capabilities, and components before going ‘behind-the-scenes’ to take a closer look at it’s kernel-mode implementation. Armed with this understanding, we’ll then detail exactly how to build powerful user-mode macOS monitoring utilities such as file, process, and networking monitors based on the OpenBSM framework and APIs. Next we’ll don our hacker hats and discuss a handful of kernel bugs discovered during a previous audit of the audit subsystem (yes, quite meta): a subtle off-by-one read error, a blotched patch that turned the off-by-one into a kernel info leak, and finally an exploitable heap overflow. Though now patched, the discussion of these bugs provides an interesting ‘case-study’ of finding and exploiting several types of bugs that lurked within the macOS kernel for many years
https://github.com/maus-/slack-auditor
* [When Macs Come Under ATT&CK - Richie Cyrus(Derbycon2018)](http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-01-when-macs-come-under-attck-richie-cyrus)
* Macs are becoming commonplace in corporate environments as a alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an active directory domain and ripe for attackers to leverage for initial access and lateral movement. Mac malware is evolving as Mac computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting MacOS systems in a enterprise environment. Despite advancements in MacOS security tooling for a single user/endpoint, little is known and discussed regarding detection at a enterprise level. This talk will discuss common tactics, techniques and procedures used by attackers on MacOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their MacOS fleet.
https://blog.stealthbits.com/windows-file-activity-monitoring/
https://github.com/salesforce/bro-sysmon
* [Detecting Kerberoasting activity using Azure Security Center - Moti Bani](https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/)
* [Practical PowerShell Security: Enable Auditing and Logging with DSC - Ashley McGlone](https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc/)
* [Detecting Offensive PowerShell Attack Tools - adsecurity.org](https://adsecurity.org/?p=2604)
https://github.com/djhohnstein/EventLogParser
https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html?m=1
* [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/en-gb/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809#windows-error-reporting-events)
* [How to Detect Overpass-The-Hash Attacks - Jeff Warren](https://blog.stealthbits.com/how-to-detect-overpass-the-hash-attacks/)
* [Implementing Sysmon and Applocker - BHIS](https://www.youtube.com/watch?v=9qsP5h033Qk)
* In almost every BHIS webcast we talk about how important application whitelisting and Sysmon are to a healthy security infrastructure. And yet, we have not done a single webcast on these two topics. Let's fix that. In this webcast we cover how to implement Sysmon and Applocker. We cover overall strategies for implementation and how to deploy them via Group Policy. We walk through a basic sample of malware and show how both of these technologies react to it. Finally, we cover a couple of different "bypass" techniques for each. Everything in security has weaknesses, and these two technologies are no exception.
* [The Role of Evidence Intention - Chris Sanders](https://rhinosecuritylabs.com/application-security/simplifying-api-pentesting-swagger-files/)
* [$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase - Matthew Dunwoody, Daniel Bohannon(BruCON 0x0A)](https://www.youtube.com/watch?v=YGJaj6_3dGA)
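Review bot: the entry `* [Use Windows Event Forwarding to help with intrusion detection - docs.ms](Use Windows Event Forwarding to help with intrusion detection)` has the title pasted where the URL should be, so it renders as a dead relative link; replace the parenthesised text with the docs.microsoft.com URL. Two lines after the BHIS webcast, `[The Role of Evidence Intention - Chris Sanders]` points at the Rhino Security Labs Swagger/API pentesting post, which does not match the title; fix one or the other. The hunk also adds several items twice: the Chris Sanders "Mental Models for Effective Searching" PDF (after the Table of Contents line and again after the DEF CON 23 entry), the Endgame hunting-memory-net-attacks URL, and the YGJaj6_3dGA YouTube link (bare at the top, titled at the bottom as the BruCON 0x0A "$SignaturesAreDead" talk); keep one copy of each, preferably the titled form.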
@ -34,6 +81,8 @@ https://blog.trailofbits.com/2018/04/10/what-do-you-wish-osquery-could-do/
https://github.com/davehull/Kansa
* [WebDAV Traffic To Malicious Sites - Didier Stevens](https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/)
* https://github.com/beahunt3r/Windows-Hunting
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
@ -41,10 +90,35 @@ https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630
https://www.microsoft.com/en-us/download/details.aspx?id=50034
* [Logs Are Streams, Not Files - Adam Wiggins](https://adam.herokuapp.com/past/2011/4/1/logs_are_streams_not_files/)
https://www.youtube.com/watch?v=YwR7m3Qt2ao&feature=youtu.be
* [Getting Cozy With OpenBSM Auditing On MacOS - Patrick Wardle(Shmoocon2018)](https://www.youtube.com/watch?v=CqlpJ7rIT6M)
https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-1-your-first-notebook-9a99a781fde7
OSQuery
* https://github.com/facebook/osquery/tree/master/packs
* https://osquery.readthedocs.io/en/stable/
* [Mordor](https://github.com/Cyb3rWard0g/mordor)
* The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
ThreatHunting
* https://github.com/ThreatHuntingProject/ThreatHunting
* https://sqrrl.com/media/Framework-for-Threat-Hunting-Whitepaper.pdf
* https://www.threathunting.net/files/huntpedia.pdf
* https://www.sans.org/reading-room/whitepapers/threats/paper/37172
* [Mental Models for Effective Searching - Chris Sanders](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1555082140.pdf)
* [DNS based threat hunting and DoH (DNS over HTTPS) - blog.redteam.pl](https://blog.redteam.pl/2019/04/dns-based-threat-hunting-and-doh.html)
* [Hunting COM Objects - Charles Hamilton](https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html)
* [Hunting COM Objects (Part Two) - Brett Hawkins](https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html)
https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-4-sql-join-via-apache-sparksql-6630928c931e
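Review bot: `* [Getting Cozy With OpenBSM Auditing On MacOS - Patrick Wardle(Shmoocon2018)]` duplicates the entry already added in the first hunk of this file (where it sits under the Objective-See slides), and the "Mental Models for Effective Searching" PDF under `ThreatHunting` is the third copy of that link in this commit; drop the extras. `OSQuery` and `ThreatHunting` are bare labels in a list whose sub-headings elsewhere use the `* **Bold**` form; make them consistent.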
@ -87,7 +161,8 @@ http://penconsultants.com/blog/crown-jewels-monitoring-vs-mitigating/
https://github.com/Yelp/elastalert
* [Mordor](https://github.com/Cyb3rWard0g/mordor)
* The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
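Review bot: the `* [Mordor](https://github.com/Cyb3rWard0g/mordor)` entry and its description are identical to the pair added in the previous hunk under the SpecterOps Jupyter notebooks link; keep one copy.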


+ 58
- 46
Draft/Malware.md

@ -28,12 +28,21 @@ Table of Contents
- [Static Analysis](#static)
- [Honeypots](#honey)
* https://pentest.blog/n-ways-to-unpack-mobile-malware/
https://github.com/MISP/MISP
* [Golem Malware - The Malware Hiding in Your Windows Fonts Folder - Pierre-Alexandre Braeken](https://sysadminconcombre.blogspot.com/2018/11/golem-malware-malware-hiding-in-your.html)
https://www.youtube.com/watch?reload=9&v=CGvQIgoBd3Q
https://medium.com/@z3roTrust/digital-steganography-as-an-advanced-malware-detection-evasion-technique-40d4eeb19830
https://research.checkpoint.com/macos-malware-pedia/
https://objective-see.com/blog/blog_0x32.html
https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
https://github.com/hfiref0x/VBoxHardenedLoader
https://research.checkpoint.com/macos-malware-pedia/
* Extend
* maldocs section
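Review bot: `https://research.checkpoint.com/macos-malware-pedia/` is added twice in this hunk (before the OceanLotus/KerrDown link and again after VBoxHardenedLoader), and the z3roTrust steganography URL goes in here as a bare URL and again, titled, in the last hunk of this file; keep the titled form only. `* Extend` / `* maldocs section` is a working to-do left inside the published list; move it to the file's sort block or drop it.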
@ -51,44 +60,13 @@ https://research.checkpoint.com/macos-malware-pedia/
* FSG
* PESpin
* [Windows API resolution via hashing](https://github.com/LloydLabs/Windows-API-Hashing)
* Although this method of API obfuscation is relatively old, my friend who was wanting to increase his skills in the Windows sphere confronted me about a way a few malware families seem to resolve APIs. It's pretty simple, however he could not find any documentation with a solid programming example on the matter at the time, so I thought I'd quickly write something up regarding it. I was going to write my own loader for this example (loading the desired module via LdrLoadDll within kernel32.dll, walking the InMemoryOrderModuleList to find the desired loaded module, finding the exported function we're after within the EAT..) - however I thought this might of have been a bit overkill for such a simple concept, I want to cover writing your own PE loader in the future though as it's an interesting subject.
* [Tip: how to find malware samples containing specific strings - Decalage](https://decalage.info/en/malware_string_search)
* [Betabot still alive with multi-stage packing. - Wojciech](https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39)
* [Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis) - fumko](https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/)
* [Predator The Thief: In-depth analysis (v2.3.5) - fumko](https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/)
* [PDF Analysis - zbetheckin](https://github.com/zbetcheckin/PDF_analysis)
* Several PDF analysis reassembled with additional tips and tools
* [Vba2Graph](https://github.com/MalwareCantFly/Vba2Graph)
* Generate call graphs from VBA code, for easier analysis of malicious documents.
https://github.com/rj-chap/CFWorkshop
https://github.com/tarcisio-marinho/GonnaCry?files=1
https://0x00sec.org/t/how-ransomware-works-and-gonnacry-linux-ransomware/4594
https://medium.com/@tarcisioma/how-ransomware-works-and-gonnacry-linux-ransomware-17f77a549114
https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9
* [loffice - Lazy Office Analyzer](https://github.com/tehsyntx/loffice)
* Loffice is making use of WinAppDbg to extract URLs' from Office documents but also VB-script and Javascript. By setting strategical breakpoints it's possible to neutralize obfuscation and get the URL and file destination. Anti-analysis via WMI, for example detecting running processes or installed software is handled by patching the query string before the query is run.
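Review bot: everything from `* [Windows API resolution via hashing]` through the Vba2Graph description, plus the CFWorkshop URL, reappears verbatim in the final hunk of this file; if this hunk is the removed side of a move that is fine, otherwise the file ends up with two copies of each entry, so confirm before merging. `https://github.com/tarcisio-marinho/GonnaCry?files=1` carries a GitHub UI query string; strip `?files=1`.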
@ -514,13 +492,6 @@ https://github.com/rj-chap/CFWorkshop
--------------------------
### <a name="honey"></a> Honeypots
* **General**
@ -688,3 +659,44 @@ https://github.com/rj-chap/CFWorkshop
* [Malvertising: Under The Hood by Chris Boyd - BSides Manchester2017](https://www.youtube.com/watch?v=VESvOsr91_M&index=1&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
* [Computer Viruses In This Modern Age - alcopaul/brigada ocho 2014](http://spth.virii.lu/dc6/TEXTS/alcopaul/virus_alcopaul.txt)
* [Windows API resolution via hashing](https://github.com/LloydLabs/Windows-API-Hashing)
* Although this method of API obfuscation is relatively old, my friend who was wanting to increase his skills in the Windows sphere confronted me about a way a few malware families seem to resolve APIs. It's pretty simple, however he could not find any documentation with a solid programming example on the matter at the time, so I thought I'd quickly write something up regarding it. I was going to write my own loader for this example (loading the desired module via LdrLoadDll within kernel32.dll, walking the InMemoryOrderModuleList to find the desired loaded module, finding the exported function we're after within the EAT..) - however I thought this might of have been a bit overkill for such a simple concept, I want to cover writing your own PE loader in the future though as it's an interesting subject.
* [Tip: how to find malware samples containing specific strings - Decalage](https://decalage.info/en/malware_string_search)
* [Digital Steganography as an Advanced Malware Detection Evasion Technique - z3roTrust(Masters Thesis)](https://medium.com/@z3roTrust/digital-steganography-as-an-advanced-malware-detection-evasion-technique-40d4eeb19830)
* [Betabot still alive with multi-stage packing. - Wojciech](https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39)
https://objective-see.com/blog/blog_0x49.html
* [Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis) - fumko](https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/)
* [Predator The Thief: In-depth analysis (v2.3.5) - fumko](https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/)
* [PDF Analysis - zbetheckin](https://github.com/zbetcheckin/PDF_analysis)
* Several PDF analysis reassembled with additional tips and tools
* [Vba2Graph](https://github.com/MalwareCantFly/Vba2Graph)
* Generate call graphs from VBA code, for easier analysis of malicious documents.
https://github.com/kevthehermit/RATDecoders
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money/
Malware writeup (use for COM)
* [IcoScript: using webmail to control malware - Grooten](https://www.virusbulletin.com/virusbulletin/2014/08/icoscript-using-webmail-control-malware)
* [Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode - James Wyke](https://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/)
* [BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger - Bryan Lee, Josh Grunzweig](https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/)
https://malpedia.caad.fkie.fraunhofer.de/
* [Malware Theory - Oligomorphic, Polymorphic and Metamorphic Viruses - MalwareAnalysisForHedgehogs](https://www.youtube.com/watch?v=Jsohdah8ZCg)
https://shasaurabh.blogspot.com/2018/01/analyzing-atm-malwares.html
https://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html
https://github.com/rj-chap/CFWorkshop
https://www.youtube.com/watch?v=imq8CG5oNug
* [Unprotect Project](http://unprotect.tdgt.org/index.php/Unprotect_Project)
* Malware are one of the most aggressive threats in the IT field. They are often used to cause damage, steal data, or spy on a target. Companies and Security Industry are working to be more effective against this threat and detecting new variants. Malware authors spend a great deal of time and effort to develop complex code to perform malicious actions against a target system. It is crucial for malware to remain undetected and avoid sandbox analysis, antiviruses or malware analysts. With this kind of technics, malware are able to pass under the radar and stay undetected on a system. The purpose of this wiki is to try to centralise all these techniques, to understand and detect new generation of malware.
https://www.slideshare.net/matrosov/cybercrime-in-russia-trends-and-issues
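Review bot: `Malware writeup (use for COM)` is an editorial note that does not belong in the published list; either title the three entries under it (IcoScript, ZeroAccess, BBSRAT) as a COM-related sub-heading in the file's `* **Bold**` style or move the note to the sort block. The bare `https://objective-see.com/blog/blog_0x49.html` sits between two titled entries and should get a title like its neighbours.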

+ 8
- 2
Draft/Network_Attacks.md

@ -76,6 +76,12 @@
https://github.com/ceicke/bettercap-elbsides
* [Signaling vulnerabilities in wiretapping systems](http://www.crypto.com/papers/wiretap.pdf)
https://www.nds.rub.de/media/ei/arbeiten/2017/01/30/exploiting-printers.pdf
https://web-in-security.blogspot.com/2017/01/printer-security.html
* [pentest-machine](https://github.com/DanMcInerney/pentest-machine)
* [More of using rpcclient to find usernames - carnal0wnage](http://carnal0wnage.attackresearch.com/2007/08/more-of-using-rpcclient-to-find.html)
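Review bot: `https://github.com/ceicke/bettercap-elbsides` at the top of this hunk is already in the file (it shows as unchanged context in the next hunk, just above the WMI whitepaper); drop the new copy. The two printer-exploitation links (the RUB thesis PDF and the web-in-security post) would read better with titles and authors like the `Signaling vulnerabilities in wiretapping systems` entry beside them.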
@ -105,11 +111,11 @@ https://kn100.me/exploiting-upnp-literally-childsplay/
https://github.com/s0md3v/Striker
http://www.guadalajaracon.org/talleres/desarrollando-para-nmap-scripting-engine-nse/
https://github.com/unixrox/prebellico
https://incogbyte.github.io/bypass_nac/
https://hypothetical.me/short/dns-0x20/
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
https://github.com/ceicke/bettercap-elbsides
* [Windows Management Instrumentation (WMI)Offense, Defense, and Forensics](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf)


+ 25
- 7
Draft/Osint.md

@ -18,8 +18,7 @@
- [Miscellaneous](#misc)
* [WhatsMyName](https://github.com/webbreacher/whatsmyname)
* This repository has the unified data required to perform user and username enumeration on various websites. Content is in a JSON file and can easily be used in other projects
#### Sort
* Add list of Sources:
@ -30,17 +29,31 @@
* Operating Licenses/Permits;
* Trade Journals;
* [keyhacks](https://github.com/streaak/keyhacks)
* Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
* [Threat Intel RSS Feeds via Twitter Lists - Joe Hopper](https://www.fracturelabs.com/posts/2018/threat-intel-rss-feeds-via-twitter-lists/)
https://ahrefs.com/blog/google-advanced-search-operators/
* [Username enumeration techniques and their value - Ben Williams](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/username-enumeration-techniques-and-their-value/)
* [WhatsMyName](https://github.com/webbreacher/whatsmyname)
* This repository has the unified data required to perform user and username enumeration on various websites. Content is in a JSON file and can easily be used in other projects
* [git-all-secrets](https://github.com/anshumanbh/git-all-secrets)
* A tool to capture all the git secrets by leveraging multiple open source git searching tools
https://github.com/hisxo/gitGraber
https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05
https://github.com/intrigueio/intrigue-core
* https://www.bellingcat.com/resources/how-tos/2019/04/08/using-phone-contact-book-apps-for-digital-research/
* [How To Tell Stories: A Beginner’s Guide For Open Source Researchers - Natalia Antonova](https://www.bellingcat.com/resources/2019/07/12/how-to-tell-stories-a-beginners-guide-for-open-source-researchers/)
https://github.com/vysecurity/DomLink
https://www.icscybersecurityconference.com/intelligence-gathering-on-u-s-critical-infrastructure/
* [GitHub for Bug Bounty Hunters - Ed Overflow](https://edoverflow.com/2017/github-for-bugbountyhunters/)
* [pastebin_scraper](https://github.com/Critical-Start/pastebin_scraper)
* https://www.criticalstart.com/2019/03/automated-tool-to-monitor-pastebin-for-interesting-information/
https://github.com/woj-ciech/kamerka
https://github.com/SourcingDenis/free-online-competitive-intelligence/blob/master/README.md
https://github.com/0days/Blue
https://github.com/digininja/leakyrepo
* [Username enumeration techniques and their value - Ben Williams](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/username-enumeration-techniques-and-their-value/)
* [MailInt - Profiling China based Employees](https://web.archive.org/web/20180706004654/https://vincentyiu.co.uk/maiint-profiling-china-based-employees/)
* [Giggity](https://github.com/needmorecowbell/giggity)
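Review bot: `* [Username enumeration techniques and their value - Ben Williams]` is added twice in this hunk, once after the ahrefs search-operators URL and again just before the MailInt entry; keep one. Re-adding the WhatsMyName pair removed in the previous hunk is fine as a move, but `* https://www.bellingcat.com/resources/how-tos/2019/04/08/using-phone-contact-book-apps-for-digital-research/` is a bulleted bare URL, matching neither the titled entries nor the unbulleted bare URLs around it; give it a title.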
@ -59,6 +72,10 @@ https://github.com/ZephrFish/GoogD0rker
https://github.com/GeneralTesler/deluxe
* [Weaponizing Corporate Intel - Mike Felch and Beau Bullock(B-Sides Orlando 2019)](https://www.youtube.com/watch?v=EfVXgvABkGg)
* Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Often times testers only resort to using publicly available tools which can overlook critical assets. In this presentation, we will begin by examining some commonly overlooked methods to discover external resources. Next, we will show how to discover employees of a target organization and quickly locate their social media accounts. Finally, we will strategically identify and weaponize personal information about the employees to target the organization directly using new attack techniques. Attendees will learn an external defense evasion method, a new process to gain credentialed access, and be the first to receive a newly released tool! While the approach is designed to assist offensive security professionals, the presentation will be informative for technical and non-technical audiences; demonstrating the importance of security-awareness for everyone.
* [ODIN](https://github.com/chrismaddalena/ODIN)
* ODIN aims to automate the basic recon tasks used by red teams to discover and collect data on network assets, including domains, IP addresses, and internet-facing systems. The key feature of ODIN is the data management and reporting. The data is organized in a database and then, optionally, that database can be converted into an HTML report or a Neo4j graph database for visualizing the data.
@ -73,7 +90,8 @@ https://support.office.com/en-us/article/remove-hidden-data-and-personal-informa
* [yar](https://github.com/Furduhlutur/yar)
* yar is an OSINT tool for reconnaissance of repositories/users/organizations on Github. Yar clones repositories of users/organizations given to it and goes through the whole commit history in order of commit time, in search for secrets/tokens/passwords, essentially anything that shouldn't be there. Whenever yar finds a secret, it will print it out for you to further assess. Yar searches either by regex, entropy or both, the choice is yours. You can think of yar as a bigger and better truffleHog, it does everything that truffleHog does and more!


+ 1
- 1
Draft/Passwords.md

@ -25,7 +25,7 @@ https://github.com/hyc/fcrackzip
http://pdfcrack.sourceforge.net/
https://www.betterbuys.com/estimating-password-cracking-times/
* [brut3k1t](https://github.com/ex0dus-0x/brut3k1t)
https://github.com/clr2of8/DPAT
* [Comprehensive Guide on Cewl Tool - rajhackingarticles.blogspot.com](https://rajhackingarticles.blogspot.com/2018/11/hello-friends-in-this-article-we-are.html)
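Review bot: `https://github.com/clr2of8/DPAT` goes in as a bare URL between two titled entries; give it a title and a one-line description, and the `* [brut3k1t]` entry above it is also missing its description.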


+ 42
- 1
Draft/PrivescPostEx.md

@ -947,6 +947,7 @@ To do:
* **DCSync**
* [Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf](https://adsecurity.org/?p=1729)
* [Mimikatz and DCSync and ExtraSids, Oh My - harmj0y](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/)
* [Active Directory Attack - DCSync - c0d3xpl0it](https://www.c0d3xpl0it.com/2018/06/active-directory-attack-dcsync.html)
* **DCShadow**
* [DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more - Nikhil Mittal](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
* [DCShadow](https://www.dcshadow.com/)
@ -1447,6 +1448,8 @@ To do:
* [Demo of kerberoasting on EvilCorp Derbycon6](https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Demo-4-kerberoast.mp4)
* [Attacking EvilCorp Anatomy of a Corporate Hack - Sean Metcalf, Will Schroeder](https://www.youtube.com/watch?v=nJSMJyRNvlM&feature=youtu.be&t=16)
* [Slides](https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Presented.pdf)
* [Kerberos & Attacks 101 - Tim Medin(SANS Webcast)](https://www.youtube.com/watch?v=LmbP-XD1SC8)
* Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. Well cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.
* **Tools**
* [kerberoast](https://github.com/nidem/kerberoast)
* Kerberoast is a series of tools for attacking MS Kerberos implementations.
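Review bot: typo in the description under `Kerberos & Attacks 101`: `Well cover the basics of Kerberos authentication` should read `We'll cover`.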
@ -2719,4 +2722,42 @@ https://github.com/mkorman90/sysmon-config-bypass-finder
Bug Chains
* [CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts](https://blog.redactedsec.net/exploits/2018/04/26/nagios.html)
* tl;dr: We found four vulnerabilities in NagiosXI, and chained them together to create a root RCE exploit
* tl;dr: We found four vulnerabilities in NagiosXI, and chained them together to create a root RCE exploit
https://pentestlab.blog/2019/10/07/persistence-new-service/
https://pentestlab.blog/2019/10/08/persistence-shortcut-modification/
https://pentestlab.blog/2019/10/09/persistence-screensaver/
https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html
https://www.contextis.com/documents/166/WSUSuspect_Presentation.pdf
https://www.contextis.com/services/research/white-papers/wsuspect-compromising-windows-enterprise/
* [Breaking Antivirus Software - Joxean Koret, COSEINC(SYSCAN2014)](http://mincore.c9x.org/breaking_av_software.pdf)
https://googleprojectzero.blogspot.com/2015/06/analysis-and-exploitation-of-eset.html
https://secrary.com/Random/RedTeamTrick/
https://www.contextis.com/en/blog/common-language-runtime-hook-for-persistence
* [Obtain D.C. Hashes within Azure in 4 Easy Steps - FortyNorth Security](https://www.fortynorthsecurity.com/obtain-d-c-hashes-within-azure-in-4-easy-steps/)
* [PowerShell, Azure, and Password Hashes in 4 steps - FortyNorth Security](https://www.fortynorthsecurity.com/powershell-azure-and-password-hashes-in-4-steps/)
* this blog post will walk you through the process of obtaining hashes from a domain controller within Azure using PowerShell.
https://pentestlab.blog/2019/09/04/microsoft-exchange-domain-escalation/
https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying/
https://andripwn.github.io/Labs/RCE1/
https://pentestlab.blog/2019/09/12/microsoft-exchange-acl/
https://github.com/infosecn1nja/SharpDoor
* [ Proxy-Aware Payload Testing - redxorblue](https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html)
* "I get told that I am too wordy, so if you want the summary, here are some steps to setup a virtual testing environment to test payloads to see if they can handle HTTP(S) proxies and if so, can they authenticate properly through them as well. This post will cover the proxy setup without authentication since that is the easier part, and I will do a second post shortly to hack together the authentication portion of it."
https://blog.redteam.pl/2019/10/internal-domain-name-collision-dns.html
* [Delegating like a boss: Abusing Kerberos Delegation in Active Directory - Kevin Murphy](https://www.guidepointsecurity.com/2019/09/04/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/)
* I wanted to write a post that could serve as a (relatively) quick reference for how to abuse the various types of Kerberos delegation that you may find in an Active Directory environment during a penetration test or red team engagement.
https://pentestlab.blog/2019/10/07/persistence-new-service/
https://pentestlab.blog/2019/10/09/persistence-screensaver/
https://pentestlab.blog/2019/10/08/persistence-shortcut-modification/
https://techblog.mediaservice.net/2019/10/remote-desktop-tunneling-tips-tricks/
https://www.vdalabs.com/2019/09/25/windows-credential-theft-rdp-internet-explorer-11/
https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65
* [Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA - @rd_pentest](https://secureyourit.co.uk/wp/2019/05/10/dynamic-microsoft-office-365-amsi-in-memory-bypass-using-vba/)
https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
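Review bot: this hunk introduces its own duplicates. The tl;dr line "We found four vulnerabilities in NagiosXI, and chained them together to create a root RCE exploit" appears twice in a row, and the three pentestlab persistence links (persistence-new-service, persistence-shortcut-modification, persistence-screensaver) are added once near the top of the hunk and again right after the "Delegating like a boss" entry. Drop the second copies. The remaining bare URLs (iwantmore.pizza, the two contextis WSUSpect links, the pentestlab Exchange posts, SharpDoor, redteam.pl, mediaservice RDP tunneling, vdalabs, the PenTest_duck file-transfer post, codewhitesec CVE-2018-0624) lack the `* [Title - Author](url)` form and one-line description that the adjacent FortyNorth and Kerberos delegation entries use, which makes this block hard to scan.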

+ 88 - 28 Draft/Programming_Language_Security.md

@ -20,14 +20,75 @@
https://graphql.org/
https://github.com/doyensec/graph-ql
* [Android's billion-dollar mistake(s) - Jean-Michel Fayard ](https://web.archive.org/web/20190930114632/https://dev.to/jmfayard/android-s-billion-dollar-mistake-327b)
https://videogg.com/watch?v=BA9DqsgfgRQ
https://github.com/coinbase/salus
https://www.youtube.com/watch?v=IAzPKzwY-ks
https://vulncat.fortify.com/en
https://www.youtube.com/watch?v=HIdexRqjpWc&t=0s&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=23
https://www.youtube.com/watch?v=-bZM_48Ghv0&t=0s&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=25
https://www.youtube.com/watch?v=VbW-X0j35gw&t=0s&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=21
https://blogs.dropbox.com/tech/2017/02/meet-securitybot-open-sourcing-automated-security-at-scale/
https://www.youtube.com/watch?v=jNxjUKZpDWo
https://www.youtube.com/watch?v=Ivc5Sj0nj2c&app=desktop
https://engineering.salesforce.com/announcing-providence-rapid-vulnerability-prevention-3505ffd17e17
https://github.com/Netflix-Skunkworks/Scumblr/issues
https://www.youtube.com/watch?v=4rjmtdvrGrg&app=desktop
https://www.youtube.com/watch?v=4rjmtdvrGrg&app=desktop
https://www.youtube.com/watch?v=3PgWM8qwWas
https://www.youtube.com/watch?v=7KT4Fi_vW-c
https://www.youtube.com/watch?v=NUTNN7W4Pro&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=41&t=0s
https://github.com/willbengtson/trailblazer-aws
https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection
https://www.youtube.com/watch?v=aVVX8hV_ywI&t=0s&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=13
https://www.youtube.com/watch?v=c9A8v5hiqoA&t=0s&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=28
https://ieeexplore.ieee.org/ielx7/6954656/6956545/06956589.pdf?tp=&arnumber=6956589&isnumber=6956545
https://www.youtube.com/watch?v=6WwP7eUY52Y&app=desktop
https://www.youtube.com/watch?v=IvdKtf3ol2U
https://www.youtube.com/watch?v=VXJNuDV6DQo&t=1s
https://www.youtube.com/watch?v=eY3RmQ_eNgA
https://www.youtube.com/watch?v=ImJqBX0OXew&app=desktop
https://www.youtube.com/watch?v=ltXYbIacHr8&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=17
https://www.youtube.com/watch?index=17&list=PLFTyE08qmQMVgSobf2QmBEGkjfuvjfpyj&v=ETkHISgEh3g&app=desktop
https://www.youtube.com/watch?v=6iNpqTZrwjE&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=20&t=0s
https://slack.engineering/moving-fast-and-securing-things-540e6c5ae58a
http://www.cyrius.com/publications/michlmayr_fitzgerald-time_based_release_management.pdf
https://www.youtube.com/watch?v=IKsQsxubuAA
https://wozniak.ca/blog/2014/08/03/What-ORMs-have-taught-me-just-learn-SQL/
PS Workshop
https://github.com/darkoperator/DEFCON25_PS_Workshop
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20workshops/DEFCON-25-Carlos-Perez-Leveraging-PowerShell.pdf
https://github.com/mre/awesome-static-analysis
https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour
https://awesome-tech.readthedocs.io/security/#php-security
https://github.com/Instagram/LibCST
https://pyre-check.org/
* [PowerShell Productivity Hacks: How I use Get-Command - Mike Robbins](https://mikefrobbins.com/2019/09/05/powershell-productivity-hacks-how-i-use-get-command/)
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf
https://github.com/in-toto/in-toto
https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43322.pdf
https://www.youtube.com/watch?v=2mevf60qm60
https://github.com/Instagram/LibCST
https://pyre-check.org/
* https://github.com/guardrailsio/awesome-golang-security
* [DevSecOps State of the Union - Clint Gibler(BSidesSF 2019)](https://www.youtube.com/watch?v=AusPKzwNnMg)
* Many companies have shared their lessons learned in scaling their security efforts, leading to hundreds of blog posts and conference talks. Sharing knowledge is fantastic, but when you're a busy AppSec engineer or manager struggling to keep up with day-to-day requirements, it can be difficult to stay on top of or even be aware of relevant research. This talk will summarize and distill the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts and conference talks over the past few years and combine it with knowledge gained from in-person discussions with AppSec engineers at a number of companies with mature security teams. Topics covered will include: Principles, mindsets, and methodologies of highly effective AppSec teams, Best practices in developing security champions and building a positive security culture, High value engineering projects that can prevent classes of bugs, How and where to integrate security automation into the CI/CD process in a high signal, low noise way, Open source tools that help with one or more of the above. Attendees will leave this talk with an understanding of the current state of the art in DevSecOps, links to tools they can use, resources where they can dive into specific topics of interest, and most importantly an actionable path forward for taking their security program to the next level.
https://github.com/facebookincubator/SPARTA
https://engineering.fb.com/security/zoncolan/
* [Static Analysis at Scale: An Instagram Story - Benjamin Woodruff](https://instagram-engineering.com/static-analysis-at-scale-an-instagram-story-8f498ab71a0c)
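Review bot: duplicate lines in this hunk: the YouTube URL ending in `v=4rjmtdvrGrg&app=desktop` is added twice in a row, and the pair `https://github.com/Instagram/LibCST` / `https://pyre-check.org/` is added twice (once before the Get-Command entry, once before the awesome-golang-security line). Remove the second copies. `https://github.com/mre/awesome-static-analysis` is also added here and appears again in the next hunk of this file; keep one. Most of the other additions are untitled youtube.com/watch links; the playlist parameters (`list=PLpr-xdpM8wG-...&index=23`, 25, 21 and so on) show they come from one conference playlist, so a one-line title per video would make this section usable without opening each link.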
@ -41,18 +102,17 @@ https://github.com/OWASP/Benchmark
* [I Forgot Your Password: Randomness Attacks Against PHP Applications - George Argyros, Aggelos Kiayis](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.360.4033&rep=rep1&type=pdf)
* [10 common security gotchas in Python and how to avoid them - Anthony Shaw](https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03?gi=ac211b3349e8)
https://viewsourcecode.org/snaptoken/kilo/index.html
https://cacm.acm.org/magazines/2016/7/204032-why-google-stores-billions-of-lines-of-code-in-a-single-repository/fulltext
* [Roslyn](https://github.com/dotnet/roslyn)
* Roslyn provides open-source C# and Visual Basic compilers with rich code analysis APIs. It enables building code analysis tools with the same APIs that are used by Visual Studio.
* [Overview](https://github.com/dotnet/roslyn/wiki/Roslyn%20Overview)
http://pentest.cryptocity.net/code-audits/
* [Typeful Programming - Luca Cardelli](http://lucacardelli.name/Papers/TypefulProg.pdf)
* [Tasks - C#](https://kudchikarsk.com/tasks-in-csharp/csharp-task/)
https://danger.systems/js/
https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons
https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html
https://github.com/mre/awesome-static-analysis
https://github.com/troessner/reek
https://github.com/seattlerb/flay
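Review bot: the Roslyn entry (the three lines starting `* [Roslyn](https://github.com/dotnet/roslyn)`) is repeated verbatim in the C# section later in this diff; if this hunk is the removal side of that move, fine, otherwise one copy should go. `https://github.com/mre/awesome-static-analysis` also appears in the hunk above this one. The remaining bare URLs (viewsourcecode kilo, the CACM monorepo article, pentest.cryptocity.net code audits, danger.systems, the ZDI JIT-comparison post, snallygaster, reek, flay) lack the title and description used by the `Typeful Programming` and `Tasks - C#` entries next to them.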
@ -62,6 +122,8 @@ http://www.rubyguides.com/2015/08/static-analysis-in-ruby/
https://github.com/rubocop-hq/rubocop
https://realpython.com/python-csv/
https://alex.kaskaso.li/post/effective-security-pipeline
https://gist.github.com/carnal0wnage/ed9e4c10e065bd00e21e2af67301e9d9
https://blog.ripstech.com/2018/woocommerce-php-object-injection/
@ -69,7 +131,7 @@ https://blog.ripstech.com/2018/woocommerce-php-object-injection/
* [Static Analysis at Scale: An Instagram Story - Benjamin Woodruff](https://instagram-engineering.com/static-analysis-at-scale-an-instagram-story-8f498ab71a0c)
* [StackStorm](https://stackstorm.com/)
https://www.blackhillsinfosec.com/pyfunnels-data-normalization-for-infosec-workflows/
https://github.com/packetvitality/PyFunnels
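Review bot: `* [Static Analysis at Scale: An Instagram Story - Benjamin Woodruff](...)` is added in this hunk and is already added in the first hunk of this file (directly after the Zoncolan link); keep it in one place. The PyFunnels pair (the blackhillsinfosec post and the packetvitality/PyFunnels repo) would read better as one `* [title](url)` entry with the repository as a sub-bullet, matching the StackStorm line above it.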
@ -82,12 +144,10 @@ https://github.com/slackhq/go-audit
* [The Evil within the Comparison Functions - Andrey Karpov](https://www.viva64.com/en/b/0509/)
* [Bypassing Python3.8 Audit Hooks [Part 1] - daddycocoaman](https://daddycocoaman.dev/posts/bypassing-python38-audit-hooks-part-1/)
https://www.python.org/dev/peps/pep-0551/
https://www.python.org/dev/peps/pep-0578/
* [Why does Python need security transparency? - Steve Dower](https://www.youtube.com/watch?v=K7qUVyeh10U)
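Review bot: the two PEP links are bare URLs sitting directly under the audit-hook bypass entry they relate to; give them titles so the connection is visible. PEP 551 is "Security transparency in the Python runtime" and PEP 578 is "Python Runtime Audit Hooks", the mechanism the daddycocoaman bypass post above targets and the subject of the Steve Dower talk below.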
@ -161,6 +221,7 @@ https://github.com/slackhq/go-audit
* Attendees of this talk will benefit from learning about what constitutes insecure code and the associated attacks that stem from such code. Applicable attacks ranging from injection to reversing will be demonstrated to reinforce contents of this talk. This way, the attendee would not only be taught about “What not to do?” but also, “Why this should not do, what they ought not to do?”. Finally, attendees will also be introduced to secure development processes such as protection needs elicitation, threat modeling, code review and analysis and secure deployment, to illustrate that while writing secure code is one important aspect of software security, there is more to securing applications, than what meets the eye. Come for a fun filled, interactive session and your chance to win one of the personalized and autographed copies of the speaker’s renowned book – The 7 qualities of highly secure software.
* [Code Insecurity or Code in Security - Mano 'dash4rk' Paul](http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul)
* Attendees of this talk will benefit from learning about what constitutes insecure code and the associated attacks that stem from such code. Applicable attacks ranging from injection to reversing will be demonstrated to reinforce contents of this talk. This way, the attendee would not only be taught about “What not to do?” but also, “Why this should not do, what they ought not to do?”. Finally, attendees will also be introduced to secure development processes such as protection needs elicitation, threat modeling, code review and analysis and secure deployment, to illustrate that while writing secure code is one important aspect of software security, there is more to securing applications, than what meets the eye. Come for a fun filled, interactive session and your chance to win one of the personalized and autographed copies of the speaker’s renowned book – The 7 qualities of highly secure software.
* [Seth & Ken’s Excellent Adventures in Secure Code Review - thesecuredeveloper.com](https://www.thesecuredeveloper.com/post/seth-ken-s-excellent-adventures-in-secure-code-review)
* **Tools**
* [RIPS](http://rips-scanner.sourceforge.net/)
* RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
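Review bot: the `Code Insecurity or Code in Security - Mano 'dash4rk' Paul` entry and its abstract are present twice back to back: the paragraph beginning "Attendees of this talk will benefit from learning about what constitutes insecure code" appears both before and after the second title line. One title plus one abstract is enough; that leaves the Seth & Ken's secure code review link as the only real addition in this hunk.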
@ -193,11 +254,12 @@ https://github.com/slackhq/go-audit
* Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
* [cloc](https://github.com/AlDanial/cloc)
* cloc counts blank lines, comment lines, and physical lines of source code in many programming languages.
* [CRASS](https://github.com/floyd-fuh/crass)
* The "code review audit script scanner" (CRASS) started as a source code grep-er with a set of selected high-potential strings that may result in (security) problems. By now it is searching for strings that are interesting for analysts. Simplicity is the key: You don't need anything than a couple of standard `*nix` command line tools (especially grep), while the project still serves as a "what can go wrong" collection of things we see over the years.
----------------
### APIs
### APIs<a name="apis"></a>
* **101**
* [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist/)
* Checklist of the most important security countermeasures when designing, testing, and releasing your API
@ -254,7 +316,7 @@ https://github.com/slackhq/go-audit
----------
### Android (Kotlin/Android Java)
### Android (Kotlin/Android Java)<a name="android"></a>
* [Kotlin - Wikipedia](https://en.wikipedia.org/wiki/Kotlin_(programming_language))
* [Java - Wikipedia](https://en.wikipedia.org/wiki/Java_(programming_language))
* **Learn**
@ -268,11 +330,8 @@ https://github.com/slackhq/go-audit
----------
### Bash
### Bash<a name="bash"></a>
* [Bash - GNU](https://www.gnu.org/software/bash/)
* [Bash (Unix shell) - Wikipedia](https://en.wikipedia.org/wiki/Bash_(Unix_shell))
* **Learn**
@ -332,6 +391,9 @@ https://github.com/slackhq/go-audit
* [Compiling C# Code at Runtime](https://www.codeproject.com/Tips/715891/Compiling-Csharp-Code-at-Runtime)
* [The 68 things the CLR does before executing a single line of your code (`*`)](https://web.archive.org/web/20170614215931/http://mattwarren.org:80/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/)
* [Dynamic Source Code Generation and Compilation](https://docs.microsoft.comen-us/dotnet/framework/reflection-and-codedom/dynamic-source-code-generation-and-compilation)
* [Roslyn](https://github.com/dotnet/roslyn)
* Roslyn provides open-source C# and Visual Basic compilers with rich code analysis APIs. It enables building code analysis tools with the same APIs that are used by Visual Studio.
* [Overview](https://github.com/dotnet/roslyn/wiki/Roslyn%20Overview)
----------
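Review bot: broken link: `https://docs.microsoft.comen-us/dotnet/framework/reflection-and-codedom/dynamic-source-code-generation-and-compilation` is missing the slash between `.com` and `en-us`. The Roslyn block added here is the same three lines that appear in the earlier hunk of this file (next to the `Typeful Programming` entry); confirm that hunk removes them so Roslyn is listed once, in this C# section.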
@ -465,7 +527,7 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
----------
### PHP
### PHP<a name="php"></a>
* [awesome-php](https://github.com/ziadoz/awesome-php)
* A curated list of amazingly awesome PHP libraries, resources and shiny things.
* **Documentation**
@ -576,7 +638,7 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
----------
### SQL
### SQL<a name="sql"></a>
* [SafeSQL](https://github.com/stripe/safesql)
* SafeSQL is a static analysis tool for Go that protects against SQL injections.
* [The Hitchhiker's Guide to SQL Injection prevention](https://phpdelusions.net/sql_injection)
@ -585,12 +647,12 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
---------------
### Swift
### Swift <a name="swift"></a>
* [Alamofire](https://github.com/Alamofire/Alamofire)
* Alamofire is an HTTP networking library written in Swift.
----------
### UEFI Programming
### UEFI Programming <a name="uefi"></a>
* [Unified Extensible Firmware Interface Forum](http://www.uefi.org/)
* [Unified Extensible Firmware Interface](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface)
* **Learn**
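Review bot: inconsistent anchor spacing: `### Swift <a name="swift"></a>` and `### UEFI Programming <a name="uefi"></a>` put a space before the anchor, while `### PHP<a name="php"></a>` and `### SQL<a name="sql"></a>` in the hunks above do not. Pick one form for all the headings touched in this commit.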
@ -606,14 +668,12 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
-----------------------------------------
### Software Build & Deployment Process
### Software Build & Deployment Process <a name="build"></a>
* [Providence](https://github.com/salesforce/Providence)
* Providence is a system for code commit & bug system monitoring. It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins. A plugin performs logic whenever a commit occurs.
----
### Other
### Other <a name="sql"></a>
* [A successful Git branching model](http://nvie.com/posts/a-successful-git-branching-model/)
* [Mostly Adequate Guide](https://drboolean.gitbooks.io/mostly-adequate-guide/)
* This is a book on the functional paradigm in general. We'll use the world's most popular functional programming language: JavaScript. Some may feel this is a poor choice as it's against the grain of the current culture which, at the moment, feels predominately imperative.
* [Reflective DLL Injection](http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf)
* [Porting Windows Dynamic Link Libraries to Linux](https://github.com/taviso/loadlibrary)
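Review bot: duplicate anchor id: `### Other <a name="sql"></a>` reuses the `sql` name already given to the SQL section in this diff, so a table-of-contents link to `#sql` resolves to whichever heading comes first and the Other section cannot be reached by anchor at all. Use a distinct name such as `other`. The `### Software Build & Deployment Process <a name="build"></a>` heading has the same space-before-anchor inconsistency noted for the Swift and UEFI headings.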

+ 15 - 6 Draft/RE.md

@ -23,14 +23,23 @@ http://ropgadget.com/posts/pebwalk.html
https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff
https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/
http://kakaroto.homelinux.net/2017/11/introduction-to-reverse-engineering-and-assembly/
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/june/advanced-frida-witchcraft-turning-an-android-application-into-a-voodoo-doll/
* [Using WPP and TraceLoggingTracing to Facilitate Dynamic and Static Windows RE - Matt Graeber](https://drive.google.com/file/d/1wtQXVdvJmhG7ba99pq3BZq_Fyf6E3F71/view)
RE
https://fkie-cad.github.io/FACT_core/
https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
https://dyninst.org/
https://drmemory.org/strace_for_windows.html
https://www.frida.re/
http://dynamorio.org/
https://arxiv.org/pdf/1901.01161.pdf
* https://github.com/JusticeRage/Manalyze
* https://bordplate.no/blog/en/post/debugging-a-windows-service/
https://doc.dustri.org/reverse/Brian%20Pak%20-%20Effective%20Patch%20Analysis%20for%20Microsoft%20Updates%20-%20Power%20of%20Community%20-%202016.11.pdf
* [How to break PDF Signatures](https://www.pdf-insecurity.org/)
* [Technical Writeup](https://www.pdf-insecurity.org/signature/signature.html)
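Review bot: the bare `RE` line between the Matt Graeber WPP entry and the FACT_core link is a stray label, neither a heading nor a list item; remove it or use the file's `### ...` heading form if a subsection was intended. The URLs that follow (FACT_core, Intel Pin, Dyninst, Dr. Memory strace, Frida, DynamoRIO, the arxiv PDF, Manalyze, bordplate) mix `* https://...` bullets with unbulleted lines; the arxiv link in particular carries no title, so a reader cannot tell what paper 1901.01161 is without opening it. Use the `* [Title - Author](url)` form of the adjacent Graeber and PDF-signature entries.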
@ -38,7 +47,7 @@ https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff
* A proper ToC
* Sort bottom section
https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/
https://ezequieltbh.me/posts/2019/05/love-is-in-the-air-reverse-engineering-a-shitty-drone/
* [Advanced Portable Executable File Analyzer](https://github.com/blacknbunny/peanalyzer)
* Advanced Portable Executable File Analyzer And Disassembler 32 & 64 Bit
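Review bot: `https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/` appears here and in the previous hunk of this file (right after the ida_haru bindiff link). If this hunk is removing the old copy from the To Do area, fine; if not, drop one. The ezequieltbh drone post added here is a bare URL next to the `* [Advanced Portable Executable File Analyzer](...)` entry, so give it a title as well.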


+ 79 - 4 Draft/RT.md

@ -25,29 +25,101 @@
* **To Do**
* [Victor or Victim Strategies for Avoiding an InfoSec Cold War - Jason Lang, Stuart McIntosh(Derbycon 2018)](https://www.youtube.com/watch?v=9_cZ5xn-huc)
https://github.com/vysec/RedTips
* [Finding Domain frontable Azure domains - thoth / Fionnbharr](https://theobsidiantower.com/2017/07/24/d0a7cfceedc42bdf3a36f2926bd52863ef28befc.html)
https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/
* [Playing Cat and Mouse: Three Techniques Abused to Avoid Detection - ZLAB-YOROI](https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/)
* [sh00t](https://github.com/pavanw3b/sh00t)
* Security Testing is not as simple as right click > Scan. It's messy, a tough game. What if you had missed to test just that one thing and had to regret later? Sh00t is a highly customizable, intelligent platform that understands the life of bug hunters and emphasizes on manual security testing.
https://hackmd.io/EhFjuYHESIGhFQXFQ6duTQ?view
http://threatexpress.com/redteaming/redteamplanning/tradecraft/
https://github.com/HunnicCyber/SharpSniper
https://blog.xpnsec.com/rundll32-your-dotnet/
* [Domi-Owned](https://github.com/coldfusion39/domi-owned)
* Domi-Owned is a tool used for compromising IBM/Lotus Domino servers.
* [Macros and More with SharpShooter v2.0 - MDSec](https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/)
* [SharpShooter](https://github.com/mdsecactivebreach/SharpShooter)
* SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.
https://bitbucket.org/gavinanders/callback-catcher/src/master/
https://medium.com/@prsecurity_/how-to-build-an-internal-red-team-7957ec644695
* [Advanced Pen-Testing Tricks: Building a Lure to Collect High Value Credentials - Bobby Kuzma](https://www.coresecurity.com/article/advanced-pen-testing-tricks-building-a-lure-to-collect-high-value-credentials)
* [Powershell Empire Stagers 1: Phishing with an Office Macro and Evading AVs - fzuckerman](https://fzuckerman.wordpress.com/2016/10/06/powershell-empire-stagers-1-phishing-with-an-office-macro-and-evading-avs/)
* [Invoke-Apex](https://github.com/securemode/Invoke-Apex)
* Invoke-Apex is a PowerShell-based toolkit consisting of a collection of techniques and tradecraft for use in red team, post-exploitation, adversary simulation, or other offensive security tasks. It can also be useful in identifying lapses in "malicious" activity detection processes for defenders as well.
* [Hacking Corporate Emil Systems - Nate Power(BSides Columbus 2016)](https://www.youtube.com/watch?v=mJ172K1dxoM)
https://github.com/praetorian-code/purple-team-attack-automation
* [Tips, Tricks, and Cheats Gathered from Red vs. Blue Team-Based Training - Ed Skoudis, Joshua Wright](https://www.sans.org/webcasts/tips-tricks-cheats-gathered-red-vs-blue-team-based-training-111505/success)
https://speakerdeck.com/patrickwardle/harnessing-weapons-of-mac-destruction?slide=23
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin
https://github.com/mthbernardes/GTRS/blob/master/README.md
https://github.com/tearsecurity/firstorder
https://github.com/CylanceSPEAR/MarkovObfuscate
https://lockboxx.blogspot.com/2019/03/macos-red-teaming-201-introduction.html
https://rastamouse.me/2019/06/the-return-of-aggressor/
https://labs.mwrinfosecurity.com/tools/c3/
https://github.com/mwrlabs/C3
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
https://github.com/BishopFox/sliver/blob/master/README.md
https://medium.com/@d.bougioukas/red-team-diary-entry-1-making-nsas-peddlecheap-rat-invisible-f88ccbdc484d
* [Empire Fails - harmj0y](http://www.harmj0y.net/blog/empire/empire-fails/)
https://ired.team/offensive-security/red-team-infrastructure
* [From OSINT to Internal – Gaining Access from outside the perimeter - n00py](https://www.n00py.io/2017/03/from-osint-to-internal-gaining-access-from-the-outside-the-perimeter/)
http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/
* [Invoke-Apex](https://github.com/securemode/Invoke-Apex)
* Invoke-Apex is a PowerShell-based toolkit consisting of a collection of techniques and tradecraft for use in red team, post-exploitation, adversary simulation, or other offensive security tasks. It can also be useful in identifying lapses in "malicious" activity detection processes for defenders as well.
https://www.slideshare.net/JasonLang1/red-team-methodology-a-naked-look-169879355
* [DeviceDetector.NET](https://github.com/totpero/DeviceDetector.NET)
* The Universal Device Detection library will parse any User Agent and detect the browser, operating system, device used (desktop, tablet, mobile, tv, cars, console, etc.), brand and model.
* [DNSlivery](https://github.com/no0be/DNSlivery)
* Easy files and payloads delivery over DNS.
https://blog.obscuritylabs.com/merging-web-apps-and-red-teams/
* [Invoke-Adversary – Simulating Adversary Operations - Moti Bani](https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/)
* [Harlem Shake JS script](https://gist.github.com/devn/5007287)
https://ijustwannared.team/2017/10/28/outlooktoolbox/
https://github.com/francisck/DanderSpritz_lab
* [Post Exploitation with KOADIC - Ian Kings](https://www.prismacsi.com/en/post-exploitation-with-koadic/)
* [How to Start a Cyber War: Lessons from Brussels - Chris Kubecka(BSides Charm 2019)](http://www.irongeek.com/i.php?page=videos/bsidescharm2019/1-06-how-to-start-a-cyber-war-lessons-from-brussels-chris-kubecka)
* A sanitized peek behind the diplomatic curtain, revealing challenges, decisions & tools at their disposal. The Vanguard cyber warfare exercises in Brussels involving EU & NATO member states. Nation-states leveraging software, hardware and human vulnerabilities into digital warfare, with devastating consequences. Embassy threats, leaked Intel agency tools, hacking back & mass casualties.
https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/
https://www.sprocketsecurity.com/blog/penetration-testing-dropbox-setup-part2
https://mthbernardes.github.io/persistence/2019/03/07/using-firefox-webextensions-as-c2-client.html
https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/
* [Docker Your Command & Control (C2) - obscuritylabs](https://blog.obscuritylabs.com/docker-command-controll-c2/)
* [Firework: Leveraging Microsoft Workspaces in a Penetration Test - trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/firework-leveraging-microsoft-workspaces-in-a-penetration-test/)
https://github.com/gen0cide/gscript
https://chigstuff.com/blog/metasploit-domain-fronting-with-microsoft-azure/
https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64
* [Cracking The Perimeter: How Red Teams Penetrate - Dominic Chell(BSidesMCR 2018)](https://www.youtube.com/watch?v=u-MHX9-O890)
https://github.com/panagioto/Covenant
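Review bot: duplicates in this hunk: the Invoke-Adversary post is linked three times (twice as the bare `blogs.technet.microsoft.com/motiba/2018/04/09/...` URL and once as `* [Invoke-Adversary – Simulating Adversary Operations - Moti Bani](...)`), and the two-line Invoke-Apex entry (`* [Invoke-Apex](https://github.com/securemode/Invoke-Apex)` plus its description) is added twice. Keep one of each. Typo: "Hacking Corporate Emil Systems" should be "Hacking Corporate Email Systems". The last line links `https://github.com/panagioto/Covenant`, which appears to be a personal fork; the upstream repository for the project described in the SpecterOps "Entering a Covenant" post linked above is `https://github.com/cobbr/Covenant`, so link that unless the fork is intentional. The roughly twenty remaining bare URLs (RedTips, SharpSniper, callback-catcher, GTRS, firstorder, MarkovObfuscate, C3, sliver, gscript and others) would be far more useful in the `* [Title - Author](url)` plus one-line description form the rest of this section uses.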