more backlog/cleaning

pull/33/head
rmusser01 1 year ago
commit 93853c12a3
6 changed files with 574 additions and 215 deletions
  1. Draft/Active_Directory.md (+167, -75)
  2. Draft/Career.md (+82, -59)
  3. Draft/Passwords.md (+8, -0)
  4. Draft/PrivescPostEx.md (+273, -71)
  5. Draft/RT.md (+34, -6)
  6. README.md (+10, -4)

Draft/Active_Directory.md (+167, -75)

@ -17,11 +17,11 @@
| [Group Policy](#grouppolicy) | [AD Vulnerabilities(CVEs)](#advulns) |
| [Kerberos](#kerberos) | [Defense Evasion](#addefev) |
| [LDAP](#ldap) | [Collection](#adcollect) |
| [Local Admin Password Solution](#laps) | [Credential Access](#adcred) |
| [Local Admin Password Solution](#laps) | [Credential Attacks](#adcred) |
| [Lync](#lync) | [Persistence](#adpersist) |
| [MS-SQL](#mssql) | [Privilege Escalation](#adprivesc) |
| [NTLM](#ntlm) | [Reconnaissance](#adrecon) |
| [Read-Only Domain Controllers](#rodc) | |
| [Read-Only Domain Controllers](#rodc) | |
| [Red Forest](#redforest) | |
| [Service Principal Names](#spn) | |
| [System Center Configuration Manager](#sccm) | |
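Review bot: the row `| [Read-Only Domain Controllers](#rodc) | |` appears twice in this hunk; if both copies survive in the post-change table the TOC carries a duplicate row, so confirm only one remains. The rename of `Credential Access` to `Credential Attacks` keeps the `#adcred` anchor, which is fine as long as the target heading's `<a name="adcred">` tag is unchanged.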
@ -84,17 +84,25 @@
* [Get All AD Users Logon History with their Logged on Computers (with IPs)& OUs](https://gallery.technet.microsoft.com/scriptcenter/Get-All-AD-Users-Logon-9e721a89)
* This script will list the AD users logon information with their logged on computers by inspecting the Kerberos TGT Request Events(EventID 4768) from domain controllers. Not Only User account Name is fetched, but also users OU path and Computer Accounts are retrieved. You can also list the history of last logged on users. In Environment where Exchange Servers are used, the exchange servers authentication request for users will also be logged since it also uses EventID (4768) to for TGT Request. You can also export the result to CSV file format. Powershell version 3.0 is needed to use the script.
* **ADFS**<a name="adfs"></a>
* [118 Attacking ADFS Endpoints with PowerShell Karl Fosaaen](https://www.youtube.com/watch?v=oTyLdAUjw30)
* [Using PowerShell to Identify Federated Domains](https://blog.netspi.com/using-powershell-identify-federated-domains/)
* [LyncSniper: A tool for penetration testing Skype for Business and Lync deployments](https://github.com/mdsecresearch/LyncSniper)
* [Sniffing and replaying ADFS claims with Fiddler! - Paula Januszkiewicz](https://cqureacademy.com/blog/replaying-adfs-claims-with-fiddler)
* [Attacking ADFS Endpoints with PowerShell](http://www.irongeek.com/i.php?page=videos/derbycon6/118-attacking-adfs-endpoints-with-powershell-karl-fosaaen)
* **101**
* [Active Directory Federation Services - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services)
* This document contains a list of all of the documentation areas for AD FS for Windows Server 2016, 2012 R2, and 2012.
* [Active Directory Federation Services - Wikipedia](https://en.wikipedia.org/wiki/Active_Directory_Federation_Services)
* [What is ADFS (Active Directory Federation Services)? - Serverfault.com(2017)](https://serverfault.com/questions/708669/what-is-adfs-active-directory-federation-services)
* **Articles/Blogposts/Writeups**
* [Using PowerShell to Identify Federated Domains](https://blog.netspi.com/using-powershell-identify-federated-domains/)
* [Sniffing and replaying ADFS claims with Fiddler! - Paula Januszkiewicz](https://cqureacademy.com/blog/replaying-adfs-claims-with-fiddler)
* **Talks/Presentations/Videos**
* [Attacking ADFS Endpoints with PowerShell - Karl Fosaaen(Derbycon 2016)](https://www.youtube.com/watch?v=oTyLdAUjw30)
* Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.
* **AdminSDHolder**<a name="adminsd"></a>
* [Reference Material | Understanding Privileged Accounts and the AdminSDHolder - Specopssoft.com](https://specopssoft.com/support-docs/specops-password-reset/reference-material/understanding-privileged-accounts-and-the-adminsdholder/)
* [Five common questions about AdminSdHolder and SDProp - blogs.technet](https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/)
* [Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights](https://adsecurity.org/?p=1906)
* [Persistence Using Adminsdholder And Sdprop](https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop/)
* [AdminSDHolder, Protected Groups and SDPROP - John Policelli - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)#id0250006)
* **101**
* [Reference Material | Understanding Privileged Accounts and the AdminSDHolder - Specopssoft.com](https://specopssoft.com/support-docs/specops-password-reset/reference-material/understanding-privileged-accounts-and-the-adminsdholder/)
* [Five common questions about AdminSdHolder and SDProp - blogs.technet](https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/)
* [AdminSDHolder, Protected Groups and SDPROP - John Policelli - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)#id0250006)
* **Articles/Blogposts/Writeups**
* [Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights](https://adsecurity.org/?p=1906)
* [Persistence Using Adminsdholder And Sdprop](https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop/)
* **ATA**<a name="ATA"></a>
* [ATA Suspicious Activity Playbook - technet.ms](https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38)
* **(Discretionary)Access Control Lists**<a name="dacl">
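Review bot: the `**(Discretionary)Access Control Lists**<a name="dacl">` heading at the end of this hunk has no closing `</a>`, unlike every other section anchor in the file (`<a name="adfs"></a>`, `<a name="adminsd"></a>`); close it so renderers do not treat the following list as anchor content. Also, the irongeek link for `Attacking ADFS Endpoints with PowerShell` appears only in the pre-change ADFS list while the reorganised Talks/Presentations/Videos subsection keeps just the YouTube copy; carrying the irongeek URL over as a second link would keep the talk reachable if the video is taken down.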
@ -144,19 +152,43 @@
* By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.
* [Blogpost](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/)
* **Domain Trusts**<a name="domain-trusts"></a>
* [Domain Trusts: Why You Should Care](http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/)
* [Trusts You Might Have Missed](http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/)
* [A Guide to Attacking Domain Trusts - harmj0y](https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
* [Domain Trusts: We’re Not Done Yet - harmj0y](http://www.harmj0y.net/blog/redteaming/domain-trusts-were-not-done-yet/)
* [The Trustpocalypse - harmj0y](http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/)
* [Subverting Trust in Windows - Matt Graeber](https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
* [A Guide to Attacking Domain Trusts - harmj0y](https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944)
* [Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation - BOHOPS](https://bohops.com/2017/12/02/trust-direction-an-enabler-for-active-directory-enumeration-and-trust-exploitation/)
* **101**
* [Primary and Trusted Domains - docs.ms](https://docs.microsoft.com/en-us/windows/win32/secmgmt/primary-and-trusted-domains)
* [Active Directory Domains and Trust - giritharan.com](https://giritharan.com/active-directory-domains-and-trust/)
* [Active Directory Trusts - Ace Fekay(2018)](https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts/)
* **Articles/Blogposts/Writeups**
* [Domain Trusts: Why You Should Care](http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/)
* [Trusts You Might Have Missed](http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/)
* [A Guide to Attacking Domain Trusts - harmj0y](https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
* [Domain Trusts: We’re Not Done Yet - harmj0y](http://www.harmj0y.net/blog/redteaming/domain-trusts-were-not-done-yet/)
* [The Trustpocalypse - harmj0y](http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/)
* [Subverting Trust in Windows - Matt Graeber](https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
* [A Guide to Attacking Domain Trusts - harmj0y](https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944)
* [Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation - BOHOPS](https://bohops.com/2017/12/02/trust-direction-an-enabler-for-active-directory-enumeration-and-trust-exploitation/)
* **Tools**
* **Forests**<a name="forests"></a>
* [How Domain and Forest Trusts Work - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10))
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Nikhil Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
* **101**
* [How Domain and Forest Trusts Work - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10))
* **Articles/Blogposts/Writeups**
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Nikhil Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
* **Internal Monologue**<a name="ilm"></a>
* **101**
* [Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS](https://github.com/eladshamir/Internal-Monologue/)
* In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
* **Articles/Blogposts/Writeups**
* [Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack - Andrea Fortuna(2018)](https://www.andreafortuna.org/2018/03/26/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/)
* [Getting user credentials is not only admin’s privilege - Anton Sapozhnikov(Syscan14)](https://infocon.org/cons/SyScan/SyScan%202014%20Singapore/SyScan%202014%20presentations/SyScan2014_AntonSapozhnikov_GettingUserCredentialsisnotonlyAdminsPrivilege.pdf)
* [Stealing Hashes without Admin via Internal Monologue - Practical Exploitation(mubix@hak5)](https://www.youtube.com/watch?v=Q8IRcO0s-fU)
* **Tools**
* [selfhash](https://github.com/snowytoxa/selfhash)
* Selfhash allows you to get password hashes of the current user. This tool doesn't requere high privileges i.e. SYSTEM, but on another hand it returns NTLM Challenge Response, so you could crack it later.
* **Groups**
* [A Pentester’s Guide to Group Scoping - harmj0y](http://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/)
* **101**
* [Active Directory Security Groups - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
* This reference topic for the IT professional describes the default Active Directory security groups.
* [How-to: Understand the different types of Active Directory group. - SS64](https://ss64.com/nt/syntax-groups.html)
* **Articles/Blogposts/Writeups**
* [A Pentester’s Guide to Group Scoping - harmj0y](http://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/)
* **Group Policy**<a name="grouppolicy"></a>
* **101**
* [Group Policy - Wikipedia](https://en.wikipedia.org/wiki/Group_Policy)
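Review bot: `Active Directory Trusts - Ace Fekay(2018)` is dated 2018 in the label but its URL path is `/2016/11/02/`, so one of the two is wrong; check the post and fix the year. In the same hunk, `A Guide to Attacking Domain Trusts - harmj0y` is listed twice under Articles/Blogposts/Writeups (harmj0y.net and posts.specterops.io URLs), the new `**Tools**` heading under Domain Trusts is left empty, `**Groups**` is the only new section heading without an `<a name="...">` anchor, and the selfhash description reads `doesn't requere` (require).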
@ -171,6 +203,7 @@
* [Local Group Enumeration - harmj0y](http://www.harmj0y.net/blog/redteaming/local-group-enumeration/)
* [Where My Admins At? (GPO Edition) - harmj0y](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/)
* [Bypassing Group Policy Proxy Settings Using The Windows Registry - Scriptmonkey](http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry/)
* [Local Admin Acces and Group Policy Don't Mix - Oddvar Moe(2019)](https://www.trustedsec.com/blog/local-admin-access-and-group-policy-dont-mix/)
* **Talks & Presentations**
* [Get-GPTrashFire - Mike Loss(BSides Canberra2018)](https://www.youtube.com/watch?v=JfyiWspXpQo)
* Identifying and Abusing Vulnerable Configurations in MS AD Group Policy
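Review bot: the added entry `Local Admin Acces and Group Policy Don't Mix - Oddvar Moe(2019)` misspells the title; the URL slug is `local-admin-access-and-group-policy-dont-mix`, so it should read `Access`.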
@ -289,14 +322,52 @@
* [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL/wiki)
* [2018 Blackhat USA Arsenal Presentation](https://www.youtube.com/watch?reload=9&v=UX_tBJQtqW0&feature=youtu.be)
* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Annti Rantasaari(2013)](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* **NTLM**<a name="ntlm"></a>
* [Pwning with Responder – A Pentester’s Guide](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
* [Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
* [Relaying credentials everywhere with ntlmrelayx](https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/)
* **NTLM Reflection**
* **101**
* [Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege](https://bugs.chromium.org/p/project-zero/issues/detail?id=325&redir=1)
* [Windows: Local WebDAV NTLM Reflection Elevation of Privilege](https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1)
* **Articles/Blogposts/Writeups**
* **NTLM Relay**<a name="ntlm"></a>
* **Articles/Blogposts/Writeups**
* [Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) - byt3bl33d3r](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
* [NTLM Relay - Pixis](https://en.hackndo.com/ntlm-relay/)
* [Playing with Relayed Credentials - @agsolino(2018)](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy](https://cqureacademy.com/blog/penetration-testing/smb-relay-attack)
* [An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale](https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/)
* [Effective NTLM / SMB Relaying - mubix](https://malicious.link/post/2014/effective-ntlm-smb-relaying/)
* [SMB Relay with Snarf - Jeff Dimmock](https://bluescreenofjeff.com/2016-02-19-smb-relay-with-snarfjs-making-the-most-of-your-mitm/)
* [Pwning with Responder – A Pentester’s Guide](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
* [Relaying credentials everywhere with ntlmrelayx](https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/)
* [Responder with NTLM relay and Empire - chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/execution/responder-with-ntlm-relay-and-empire.html)
* [What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)](https://www.secureauth.com/blog/what-old-new-again-relay-attack)
* The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
* Earlier this week, Microsoft issued patches for CVE-2019-1040, which is a vulnerability that allows for bypassing of NTLM relay mitigations. The vulnerability was discovered by Marina Simakov and Yaron Zinar (as well as several others credited in the Microsoft advisory), and they published a technical write-up about the vulnerability here. The short version is that this vulnerability allows for bypassing of the Message Integrity Code in NTLM authentication. The impact of this however, is quite big if combined with the Printer Bug discovered by Lee Christensen and some of my own research that builds forth on the Kerberos research of Elad Shamir. Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. This allows for Remote code execution as SYSTEM on any unpatched Windows server or workstation (even those that are in different Active Directory forests), and for instant escalation to Domain Admin via any unpatched Exchange server (unless Exchange permissions were reduced in the domain). The most important takeaway of this post is that you should apply the June 2019 patches as soon as possible.
* [CVE-2019-1040 scanner](https://github.com/fox-it/cve-2019-1040-scanner)
* **Mitigation**
* Enforce SMB Signing.
* [How to enable SMB signing in Windows NT - support.ms](https://support.microsoft.com/en-us/help/161372/how-to-enable-smb-signing-in-windows-nt)
* [All You Need To Know About Windows SMB Signing - Lavanya Rathnam(2018)](http://techgenix.com/windows-smb-signing/)
* **Read-Only Domain Controllers**<a name="rodc"></a>
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory](https://adsecurity.org/?p=3592)
* **101**
* [Read-Only DCs and the Active Directory Schema - docs.ms](https://docs.microsoft.com/en-us/windows/win32/ad/rodc-and-active-directory-schema)
* Windows Server 2008 introduces a new type of domain controller, the Read-only Domain Controller (RODC). This provides a domain controller for use at branch offices where a full domain controller cannot be placed. The intent is to allow users in the branch offices to logon and perform tasks like file/printer sharing even when there is no network connectivity to hub sites.
* **Articles/Blogposts/Writeups**
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory](https://adsecurity.org/?p=3592)
* **Red Forest**<a name="redforest"></a>
* [Attack and defend Microsoft Enhanced Security Administrative](https://download.ernw-insight.de/troopers/tr18/slides/TR18_AD_Attack-and-Defend-Microsoft-Enhanced-Security.pdf)
* **101**
* [Improving security by protecting elevated-privilege accounts at Microsoft - microsoft.com(2019)](https://www.microsoft.com/en-us/itshowcase/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft)
* [Active Directory Red Forest Design aka Enhanced Security Administrative Environment (ESAE) - social.technet](https://social.technet.microsoft.com/wiki/contents/articles/37509.active-directory-red-forest-design-aka-enhanced-security-administrative-environment-esae.aspx)
* **Articles/Blogposts/Writeups**
* [Privileged Access Workstations - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations)
* [Planting the Red Forest: Improving AD on the Road to ESAE - Katie Knowles](https://www.f-secure.com/us-en/consulting/our-thinking/planting-the-red-forest-improving-ad-on-the-road-to-esae)
* [What is Microsoft ESAE and Red Forest - David Rowe](https://www.secframe.com/blog/what-is-microsoft-esae-and-red-forest)
* **Talks/Presentations/Videos**
* [Attack and defend Microsoft Enhanced Security Administrative Environment - Hao Wang, Yothin Rodanant(Troopers2018)](https://www.youtube.com/watch?v=0AUValgPTUs)
* [Slides](https://download.ernw-insight.de/troopers/tr18/slides/TR18_AD_Attack-and-Defend-Microsoft-Enhanced-Security.pdf)
* Microsoft Enhanced Security Administrative Environment (ESAE) known as “Red Forest” has become a very popular architecture solution to enhance the security of Active Directory. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory? In this talk, we will demonstrate the commonly overlooked techniques that can be used to obtain domain dominance within ESAE.
* [Tiered Administrative Model - ESAE - Active Directory Red Forest Architecture - Russel Smith(2018)](https://www.youtube.com/watch?v=t4I2saNpoFE)
* [Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity.com](https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409)
* **Service Principal Names**<a name="spn"></a>
* **101**
* [Service Principal Names - docs.ms](https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names)
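Review bot: `**NTLM Relay**<a name="ntlm"></a>` reuses the anchor name already given to `**NTLM**<a name="ntlm"></a>` a few lines above; anchor names must be unique or a `#ntlm` link only ever reaches the first one, so give the relay subsection its own name (for example `ntlmrelay`) and point any TOC entry meant for it at that name. Two smaller points in the same hunk: the `**Articles/Blogposts/Writeups**` heading under NTLM Reflection is empty, and the Mitigation entry `Enforce SMB Signing.` only covers SMB targets, while the Dirk-jan Mollema entry in this hunk describes relaying SMB authentication to LDAP, which SMB signing does not stop; LDAP signing and LDAP channel binding belong beside it, alongside the June 2019 patches the entry already calls out. Finally, `ultimatewindowsecurity.com` in the Red Forest webinar label is missing an `s` (the URL is `ultimatewindowssecurity.com`).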
@ -306,6 +377,7 @@
* [Active Directory Pentest Recon Part 1: SPN Scanning aka Mining Kerberos Service Principal Names - Sean Metcalf](https://adsecurity.org/?p=230)
* [SPN Discovery - pentestlab.blog](https://pentestlab.blog/2018/06/04/spn-discovery/)
* [Service Principal Name (SPN) - hackndo](https://en.hackndo.com/service-principal-name-spn/)
* See: [Kerberoasting](#kerberoasting)
* **System Center Configuration Manager**<a name="sccm"></a>
* [Targeted Workstation Compromise with SCCM - enigma0x3](https://enigma0x3.net/2015/10/27/targeted-workstation-compromise-with-sccm/)
* [LM Hash and NT Hash - AD Shot Gyan](http://www.adshotgyan.com/2012/02/lm-hash-and-nt-hash.html)
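Review bot: the context line `[LM Hash and NT Hash - AD Shot Gyan]` sits directly under `**System Center Configuration Manager**`, where it has nothing to do with SCCM; since this commit is already reshuffling sections, move it under the NTLM section created earlier in the diff.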
@ -371,24 +443,39 @@
* [DomainTrustExplorer](https://github.com/sixdub/DomainTrustExplorer)
* Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output.
* **DCShadow**<a name="dcshadow"></a>
* [DCShadow](https://www.dcshadow.com/)
* DCShadow is a new feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).
* [DCShadow explained: A technical deep dive into the latest AD attack technique - Luc Delsalle](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d)
* [What is DCShadow? - Stealthbits](https://attack.stealthbits.com/how-dcshadow-persistence-attack-works)
* [DCShadow: Attacking Active Directory with Rogue DCs - Jeff Warren](https://blog.stealthbits.com/dcshadow-attacking-active-directory-with-rogue-dcs/)
* [Silently turn off Active Directory Auditing using DCShadow - Nikhil Mittal](http://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html)
* [Creating Persistence With Dcshadow](https://blog.stealthbits.com/creating-persistence-with-dcshadow/)
* **101**
* [Active Directory: What can make your million dollar SIEM go blind? - Vincent Le Toux, Benjamin Delpy](https://www.youtube.com/watch?v=KILnU4FhQbc)
* [Slides](https://www.dropbox.com/s/baypdb6glmvp0j9/Buehat%20IL%20v2.3.pdf)]
* [DCShadow](https://www.dcshadow.com/)
* DCShadow is a new feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).
* [DCShadow explained: A technical deep dive into the latest AD attack technique - Luc Delsalle](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d)
* [What is DCShadow? - Stealthbits](https://attack.stealthbits.com/how-dcshadow-persistence-attack-works)
* **Articles/Blogposts/Writeups**
* [DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more - Nikhil Mittal](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
* [DCShadow: Attacking Active Directory with Rogue DCs - Jeff Warren](https://blog.stealthbits.com/dcshadow-attacking-active-directory-with-rogue-dcs/)
* [Silently turn off Active Directory Auditing using DCShadow - Nikhil Mittal](http://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html)
* [Creating Persistence With Dcshadow](https://blog.stealthbits.com/creating-persistence-with-dcshadow/)
* **Tools**
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* **DCSync Attack**<a name="dcsync"></a>
* [What is DCSync? An Introduction - Lee Berg](https://blog.stealthbits.com/what-is-dcsync/)
* [DCSync - Yojimbo Security](https://yojimbosecurity.ninja/dcsync/)
* [[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol - docs.ms](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47)
* [Abusing Active Directory Permissions with PowerView - harmj0y](http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/)
* [DCSync: Dump Password Hashes from Domain Controller - ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
* [Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf](https://adsecurity.org/?p=1729)
* [Mimikatz and DCSync and ExtraSids, Oh My - harmj0y](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/)
* [Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync](https://adsecurity.org/?p=2053)
* [Extracting User Password Data with Mimikatz DCSync - Jeff Warren](https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/)
* **101**
* [What is DCSync? An Introduction - Lee Berg](https://blog.stealthbits.com/what-is-dcsync/)
* [[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol - docs.ms](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47)
* **Articles/Blogposts/Writeups**
* [DCSync - Yojimbo Security](https://yojimbosecurity.ninja/dcsync/)
* [DCSync: Dump Password Hashes from Domain Controller - ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
* [Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf](https://adsecurity.org/?p=1729)
* [Mimikatz and DCSync and ExtraSids, Oh My - harmj0y](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/)
* [Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync](https://adsecurity.org/?p=2053)
* [Extracting User Password Data with Mimikatz DCSync - Jeff Warren](https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/)
* **Tools**
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* **Constrained-Delegation**<a name="constrained"></a>
* **101**
* [Kerberos Constrained Delegation Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview)
* This overview topic for the IT professional describes new capabilities for Kerberos constrained delegation in Windows Server 2012 R2 and Windows Server 2012. Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
* [What is Kerberos Delegation? An Overview of Kerberos Delegation - Kevin Joyce(2020)](https://blog.stealthbits.com/what-is-kerberos-delegation-an-overview-of-kerberos-delegation/)
* [Kerberos Constrained Delegation - AWS](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_key_concepts_kerberos.html)
* **Articles/Blogposts/Writeups**
* [Another Word on Delegation](https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/)
* [From Kekeo to Rubeus](https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/)
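Review bot: the new `[Slides](https://www.dropbox.com/s/baypdb6glmvp0j9/Buehat%20IL%20v2.3.pdf)]` line under DCShadow 101 has a stray trailing `]` after the link; drop it. Also in this hunk, the Kerberos Constrained Delegation Overview description ends with the pasted docs banner `Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016`, which reads as part of the summary sentence; trim it or set it off as its own bullet.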
@ -405,15 +492,20 @@
* **Talks & Presentations**
* [Delegate to the Top Abusing Kerberos for Arbitrary Impersonations and RCE - Matan Hart(BHASIA 17)](https://www.youtube.com/watch?v=orkFcTqClIE)
* **Unconstrained Delegation**<a name="unconstrained"></a>
* **101**
* [Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain) - Sean Metcalf(2015)](https://adsecurity.org/?p=1667)
* **Articles/Blogposts/Writeups**
* [Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)](https://adsecurity.org/?p=1667)
* [Unconstrained Delegation Permissions](https://blog.stealthbits.com/unconstrained-delegation-permissions/)
* [Trust? Years to earn, seconds to break](https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/)
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
* [Getting Domain Admin with Kerberos Unconstrained Delegation - Nikhil Mittal](http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html)
* [Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest - adsecurity.org](https://adsecurity.org/?p=4056)
* [Abusing Users Configured with Unconstrained Delegation - ](https://exploit.ph/user-constrained-delegation.html)
* [“Relaying” Kerberos - Having fun with unconstrained delegation - Dirk-jan Mollema(2019)](https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/)
* **Talks & Presentations**
* [Red vs Blue: Modern Active Directory Attacks Detection and Protection - Sean Metcalf](https://www.youtube.com/watch?v=b6GUXerE9Ac)
* [Slides](https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf)
* [Paper](https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf)
* [The Unintended Risks of Trusting Active Directory - Lee Christensen, Will Schroeder, Matt Nel(Derbycon 2018)](https://www.youtube.com/watch?v=-bcWZQCLk_4)
* Your crown jewels are locked in a database, the system is patched, utilizes modern endpoint security software, and permissions are carefully controlled and locked down. Once this system is joined to Active Directory, however, does that static trust model remain the same? Or has the number of attack paths to your data increased by an order of magnitude? We’ve spent the last year exploring the access control model of Active Directory and recently broadened our focus to include security descriptor misconfigurations/backdoor opportunities at the host level. We soon realized that the post-exploitation “attack surface” of Windows hosts spans well beyond what we originally realized, and that host misconfigurations can sometimes have a profound effect on the security of every other host in the forest. This talk will explore a number of lesser-known Active Directory and host-based permission settings that can be abused in concert for remote access, privilege escalation, or persistence. We will show how targeted host modifications (or existing misconfigurations) can facilitate complex Active Directory attack chains with far-reaching effects on other systems and services in the forest, and can allow new AD attack paths to be built without modifying Active Directory itself.
* [Slides](https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory)
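Review bot: the Sean Metcalf unconstrained delegation post (`adsecurity.org/?p=1667`) is now listed twice, once under `**101**` with author and year and again as the first entry under `**Articles/Blogposts/Writeups**` without them; keep one. Also `[Abusing Users Configured with Unconstrained Delegation - ]` has a dangling ` - ` with no author after it; fill in the author or drop the separator.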
@ -424,7 +516,13 @@
* Check if the spooler (MS-RPRN) is remotely available with powershell/c#
* [SpoolSample](https://github.com/leechristensen/SpoolSample)
* PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
* [krbrelayx](https://github.com/dirkjanm/krbrelayx)
* Kerberos unconstrained delegation abuse toolkit
* **Mitigation**
* [ADV190006 | Guidance to mitigate unconstrained delegation vulnerabilities portal.msrc](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006)
* **Kerberoast(ing)**<a name="kerberoasting"></a>
* **101**
*
* **Articles/Blogposts/Writueps**
* [Kerberoasting - Part 1 - mubix](https://room362.com/post/2016/kerberoast-pt1/)
* [Kerberoasting - Part 2 - mubix](https://room362.com/post/2016/kerberoast-pt2/)
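Review bot: the `**101**` entry under `**Kerberoast(ing)**` is an empty bullet (`*`) and the heading right after it is misspelled `Writueps`; both are trailing context here, but since this hunk already touches the lines directly above, either fill the 101 entry or drop the empty bullet and fix the spelling to `Writeups` in the same commit. The `**Mitigation**` entry for ADV190006 is correctly nested under the unconstrained-delegation tooling it applies to.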
@ -463,6 +561,26 @@
* **AS-REP**
* [Roasting AS-REPs - harmj0y](http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
* tl;dr – if you can enumerate any accounts in a Windows domain that don’t require Kerberos preauthentication, you can now easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password.
* **Machine-Account Quota**
* **101**
* [MS-DS-Machine-Account-Quota attribute - docs.ms](https://docs.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota)
* The number of computer accounts that a user is allowed to create in a domain.
* **Articles/Blogposts/Writeups**
* [MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings - Kevin Robertson(2019)](https://blog.netspi.com/machineaccountquota-is-useful-sometimes/)
* **MS-Cache**<a name="mscache"></a>
* **101**
* [Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852209(v=ws.11)?redirectedfrom=MSDN)
* This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
* [(Win10)Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available)
* Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting. Applies To: Win10
* [Cached domain logon information - support.ms](https://support.microsoft.com/en-us/help/172931/cached-domain-logon-information)
* **Articles/Blogposts/Writeups**
* [MSCash Hash Primer for Pentesters - webstersprodigy.com(2014)](https://webstersprodigy.net/2014/02/03/mscash-hash-primer-for-pentesters/)
* [Cracking MS-CACHE v2 hashes using GPU - Security.StackExchange](https://security.stackexchange.com/questions/30889/cracking-ms-cache-v2-hashes-using-gpu)
* [Interactive logon: Number of previous logons to cache (in case domain controller is not available - UltimateWindowsSecurity](https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=ILNumPrev)
* **Tools**
* [passlib.hash.msdcc2 - Windows’ Domain Cached Credentials v2](https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html)
* This class implements the DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer to cache and verify remote credentials when the relevant server is unavailable. It is known by a number of other names, including “mscache2” and “mscash2” (Microsoft CAched haSH). It replaces the weaker msdcc v1 hash used by previous releases of Windows. Security wise it is not particularly weak, but due to its use of the username as a salt, it should probably not be used for anything but verifying existing cached credentials.
* **Pass-the-`*`**<a name="pth"></a>
* **101**
* **Cache**
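Review bot: the new `**Machine-Account Quota**` heading carries no `<a name=...>` anchor, unlike its neighbours `**MS-Cache**<a name="mscache"></a>` and `**Pass-the-`*`**<a name="pth"></a>`, so it cannot be linked from the table of contents; add one. In the `**MS-Cache**` 101 block, the 2012 R2 docs.ms entry pastes the full page boilerplate ("This security policy reference topic for the IT professional describes ...") while the Win10 entry gets a one-line summary; trim the first to the same "Applies To" form for consistency.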
@ -494,6 +612,8 @@
* [Mimikatz 2.0 - Silver Ticket Walkthrough](https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Silver_Ticket_Walkthrough.html)
* [How Attackers Use Kerberos Silver Tickets to Exploit Systems](https://adsecurity.org/?p=2011)
* **Golden**
* [Abusing Microsoft Kerberos: Sorry You Guys Don't Get It - Alva Duckwall, Benjamin Delpy(BHUSA 2015)](https://www.youtube.com/watch?v=lJQn06QLwEw)
* Microsoft Active Directory uses Kerberos to handle authentication requests by default. However, if the domain is compromised, how bad can it really be? With the loss of the right hash, Kerberos can be completely compromised for years after the attacker gained access. Yes, it really is that bad. In this presentation Skip Duckwall, @passingthehash on twitter and Benjamin Delpy, @gentilkiwi on twitter and the author of Mimikatz, will demonstrate just how thoroughly compromised Kerberos can be under real world conditions.
* [mimikatz - golden ticket](http://rycon.hu/papers/goldenticket.html)
* [Golden Ticket - ldapwiki](http://ldapwiki.com/wiki/Golden%20Ticket)
* [Advanced Targeted Attack. PoC Golden Ticket Attack - BSides Tampa 17](https://www.irongeek.com/i.php?page=videos/bsidestampa2017/102-advanced-targeted-attack-andy-thompson)
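Review bot: verify the conference year on the added Duckwall/Delpy entry, `(BHUSA 2015)`; the "Abusing Microsoft Kerberos: Sorry You Guys Don't Get It" talk is generally cited as Black Hat USA 2014, so check the video's metadata before merging.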
@ -541,35 +661,7 @@
* [Slides](https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf)
* **Collection**<a name="adcollect"></a>
* [Accessing Internal Fileshares through Exchange ActiveSync - Adam Rutherford and David Chismon](https://labs.mwrinfosecurity.com/blog/accessing-internal-fileshares-through-exchange-activesync)
* **Credential Access**<a name="adcred"></a>
* **Articles/Blogposts/Writeups**
* [Remotely dump "Active Directory Domain Controller" machine user database using web shell - Indishell](http://www.mannulinux.org/2018/12/remotely-dump-active-directory-domain.html)
* [Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland](https://blog.netspi.com/auto-dumping-domain-credentials-using-spns-powershell-remoting-and-mimikatz/)
* [How Attackers Dump Active Directory Database Credentials - adsecurity.org](https://adsecurity.org/?p=2398)
* [Places of Interest in Stealing NetNTLM Hashes - osandamalith.com](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
* [Multi-Factor Mixup: Who Were You Again? - Okta](https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability/)
* A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization.
* [Playing with Relayed Credentials - SecureAuth](https://www.secureauth.com/blog/playing-relayed-credentials)
* [When Everyone's Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence - Magal Baz, Tom Sela](https://www.blackhat.com/eu-18/briefings/schedule/index.html#when-everyone39s-dog-is-named-fluffy-abusing-the-brand-new-security-questions-in-windows-10-to-gain-domain-wide-persistence-12863)
* [Slides](https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-Baz-When-Everyones-Dog-Is-Named-Fluffy.pdf)
* [Active Directory Enumeration with PowerShell - Haboob](https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf)
* Nowadays, most of the environments are using Active Directory to manage their networks and resources. And over the past years, the attackers have been focused to abuse and attack the Active Directory environments using different techniques and methodologies. So in this research paper, we are going to use the power of the PowerShell to enumerate the resources of the Active Directory, like enumerating the domains, users, groups, ACL, GPOs, domain trusts also hunting the users and the domain admins. With this valuable information, we can increase our attack surface to abuse the AD like Privilege escalation, lateral movements and persistence and so on.
* [Cached Credentials: Important Facts That You Cannot Miss - CQURE](https://cqureacademy.com/blog/windows-internals/cached-credentials-important-facts)
* [Protect derived domain credentials with Windows Defender Credential Guard - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard)
* [KB2871997 and Wdigest - Part 1 - docs.ms](https://docs.microsoft.com/en-us/archive/blogs/kfalde/kb2871997-and-wdigest-part-1)
* [Clearing cached/saved Windows credentials - University of Waterloo](https://uwaterloo.teamdynamix.com/TDClient/1804/Portal/KB/ArticleDet?ID=69756)
* [Cached domain logon information - support.ms](https://support.microsoft.com/en-us/help/172931/cached-domain-logon-information)
* [Interactive logon: Number of previous logons to cache (in case domain controller is not available) - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available)
* [Interactive logon: Number of previous logons to cache (in case domain controller is not available - UltimateWindowsSecurity](https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=ILNumPrev)
* [Using Domain Controller Account Passwords To HashDump Domains - Mubix](https://room362.blogspot.com/2015/09/using-domain-controller-account.html)
* **Presentations/Talks/Videos**
* **Tools**
* [DomainPasswordTest](https://github.com/rvazarkar/DomainPasswordTest)
* Tests AD passwords while respecting Bad Password Count
* [serviceFu](https://github.com/securifera/serviceFu)
* Automates credential skimming from service accounts in Windows Registry using Mimikatz lsadump::secrets. The use case for this tool is when you have administrative rights across certain computers in a domain but do not have any clear-text credentials. ServiceFu will remotely connect to target computers, check if any credentialed services are present, download the system and security registry hive, and decrypt clear-text credentials for the domain service account.
* [Credential Assessment: Mapping Privilege Escalation at Scale - Matt Weeks(Hack.lu 2016)](https://www.youtube.com/watch?v=tXx6RB0raEY)
* In countless intrusions from large retail giants to oil companies, attackers have progressed from initial access to complete network compromise. In the aftermath, much ink is spilt and products are sold on how the attackers first obtained access and how the malware they used could or could not have been detected, while little attention is given to the credentials they found that turned their access on a single-system into thousands more. This process, while critical for offensive operations, is often complex, involving many links in the escalation chain composed of obtaining credentials on system A that grant access to system B and credentials later used on system B that grant further access, etc. We’ll show how to identify and combat such credential exposure at scale with the framework we developed. We comprehensively identify exposed credentials and automatically construct the compromise chains to identify maximal access and privileges gained, useful for either offensive or defensive purposes.
* **Persistence**<a name="adpersist"></a>
* [The Active Directory Botnet - Ty Miller, Paul Kalinin(BHUSA 17)](https://www.blackhat.com/docs/us-17/wednesday/us-17-Miller-The-Active-Directory-Botnet.pdf)
* [Command and Control Using Active Directory - harmj0y](http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/)
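Review bot: this block removes the entire `**Credential Access**<a name="adcred"></a>` section, anchor included, and nothing in the hunk re-creates it; if the table of contents still links to `#adcred`, that link goes dead unless the section is re-added under its new name elsewhere in the file. Also confirm the entries that do not reappear in the new MS-Cache block were moved rather than dropped: the DomainPasswordTest and serviceFu tools, the Matt Weeks "Credential Assessment" talk, and the Okta ADFS MFA write-up; only the cached-logon links are visibly relocated.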


+ 82
- 59
Draft/Career.md View File

@ -41,6 +41,7 @@
------------------------------------------------------
### Career Information<a name="career-info"></a>
* **101**<a name="101"></a>
@ -139,6 +140,10 @@
* [Reversing w/o reversing – how to become Alex in practice - hexacorn](http://www.hexacorn.com/blog/2019/04/11/reversing-w-o-reversing-how-to-become-alex-in-practice/)
* **Security Analyst**
* [Security Analyst Workshop - Florian Roth(2019/3)](https://www.slideshare.net/FlorianRoth2/security-analyst-workshop-20190314)
* **Security Engineer**
* [So you want to be a security engineer? - Niru Ragupathy](https://medium.com/@niruragu/so-you-want-to-be-a-security-engineer-d8775976afb7)
* [How to Secure Anything - Veeral Patel](https://github.com/veeral-patel/how-to-secure-anything)
* How to systematically secure anything: a repository about security engineering
* **CEOs**
* [What Only the CEO Can Do - A. G. Lafley](https://hbr.org/2009/05/what-only-the-ceo-can-do)
* [How CEOs Manage Time - Michael E. Porter, Nitin Nohria](https://hbr.org/2018/07/the-leaders-calendar)
@ -165,6 +170,9 @@
* [American Cultural Assumption - wiki.c2.com](http://wiki.c2.com/?AmericanCulturalAssumption)
* [Containers Will Not Fix Your Broken Culture (and Other Hard Truths) - Complex socio-technical systems are hard; film at 11. - Bridget Kromhout](https://queue.acm.org/detail.cfm?id=3185224)
* [The Joel Test: 12 Steps to Better Code - Joel Spolsky](https://www.joelonsoftware.com/2000/08/09/the-joel-test-12-steps-to-better-code/)
* [How to Discourage Secretive Behavior From Members of Your Family/Team - kletische.com](https://kletische.com/discourage-secretive-behavior/)
* [This is not fine - Surviving Cynicism and Building Happy Security Teams - Chris Deibler(BlueHat v18)](https://www.youtube.com/watch?v=YUwBja45fBQ)
* [Slides](https://www.slideshare.net/MSbluehat/bhv18-keynote-this-is-not-fine-surviving-cynicism-and-building-happy-security-teams)
* **Compensation/Equity**<a name="comp"></a>
* [The Holloway Guide to Equity Compensation](https://www.holloway.com/g/equity-compensation)
* Stock options, RSUs, job offers, and taxes—a detailed reference, including hundreds of resources, explained from the ground up and made to be improved over time.
@ -176,19 +184,30 @@
* [How to Calculate and Communicate Your Desired Total Compensation - Danile Miessler](https://danielmiessler.com/blog/how-to-calculate-and-communicate-your-desired-compensation/)
* [Equifax Could Be Selling Your Salary History. Here’s How To Protect It(2017 - Joel Winston)](https://www.fastcompany.com/40508924/equifax-could-be-selling-your-salary-history-heres-how-to-protect-it)
* **Contracting & Consulting**<a name="contract"></a>
* [Why A Billable Hours Model Does not Work in Consulting - firmsconsulting.com](https://www.firmsconsulting.com/quarterly/billable-hours-strategy-consulting/)
* [How To Build Your Own Infosec Company - Mario Heiderich (BSides Lisbon 2018: Keynote)](https://www.youtube.com/watch?reload=9&v=UE5xS7-kFjE)
* [Not A Full Timer: Slight difference from Pro to cattle - Mohamed Hayibor](https://mohamedhayibor.github.io/blog/post/Not-A-Full-Timer/)
* [Pre-Engagement Interactions - @shai_saint](https://n00bpentesting.wordpress.com/lessons/ptes-101/pre-engagement-interactions/)
* [How to build your own Infosec Company - Mario Heiderich(nullcon Goa2019)](https://www.youtube.com/watch?v=N2JG7qIlpi0&feature=youtu.be)
* [What to Expect in an Ethical Hacking Interview - TheCyberMentor](https://www.youtube.com/watch?v=nrewE1mLlaU)
* [How I Made $100,000 in a Month - TheCyberMentor](https://www.youtube.com/watch?v=dRTqRJsr1ss)
* [Successful Infosec Consulting 101 - Ted Demopoulos](https://www.sans.org/webcasts/successful-infosec-consulting-101-111885)
* [Successful Infosec Consulting: Lessons from Three Decades in The Field - Ted Demopoulos](https://www.sans.org/webcasts/successful-infosec-consulting-lessons-decades-field-111890)
* [Managing Client Relationships as an Investment Banker, Lawyer or Consultant - Jim Donovan(2015)](https://www.youtube.com/watch?v=z8kqCIxXTEw)
* Goldman Sachs managing director and Law School adjunct professor Jim Donovan shares his insights on the skills necessary to manage and cultivate client relationships. Donovan is responsible for advising many of the largest corporate and individual clients of Goldman Sachs. (University of Virginia School of Law, Nov. 6, 2015)
* **Culture**
* [How to Discourage Secretive Behavior From Members of Your Family/Team - kletische.com](https://kletische.com/discourage-secretive-behavior/)
* **About**
* [Not A Full Timer: Slight difference from Pro to cattle - Mohamed Hayibor](https://mohamedhayibor.github.io/blog/post/Not-A-Full-Timer/)
* A quick litmus test: if you’re getting paid by the hour. You’re not a full time employee. You’re a contractor.
* **Billing**
* [Why A Billable Hours Model Does not Work in Consulting - firmsconsulting.com](https://www.firmsconsulting.com/quarterly/billable-hours-strategy-consulting/)
* [Why You Should Charge Clients More Than You Think You’re Worth - Dorie Clark(HBR)](https://hbr.org/2017/10/why-you-should-charge-clients-more-than-you-think-youre-worth)
* [How to Write a Statement of Work - Mary K Pratt](https://www.computerworld.com/article/2555324/how-to-write-a-statement-of-work.html)
* **Building**
* [How To Build Your Own Infosec Company - Mario Heiderich (BSides Lisbon 2018: Keynote)](https://www.youtube.com/watch?reload=9&v=UE5xS7-kFjE)
* [How to build your own Infosec Company - Mario Heiderich(nullcon Goa2019)](https://www.youtube.com/watch?v=N2JG7qIlpi0&feature=youtu.be)
* [Entrepreneurship for hackers - snyff(Christchurch CON 2019)](https://www.slideshare.net/snyff/entrepreneurship-for-hackers)
* **Consulting**
* [Successful Infosec Consulting 101 - Ted Demopoulos](https://www.sans.org/webcasts/successful-infosec-consulting-101-111885)
* [Successful Infosec Consulting: Lessons from Three Decades in The Field - Ted Demopoulos](https://www.sans.org/webcasts/successful-infosec-consulting-lessons-decades-field-111890)
* [Managing Client Relationships as an Investment Banker, Lawyer or Consultant - Jim Donovan(2015)](https://www.youtube.com/watch?v=z8kqCIxXTEw)
* Goldman Sachs managing director and Law School adjunct professor Jim Donovan shares his insights on the skills necessary to manage and cultivate client relationships. Donovan is responsible for advising many of the largest corporate and individual clients of Goldman Sachs. (University of Virginia School of Law, Nov. 6, 2015)
* **Engaging**
* [Pre-Engagement Interactions - Sabtu(2017)](http://pentestdiary.blogspot.com/2017/08/pre-engagement-interactions.html)
* [Pre-Engagement Interactions - @shai_saint](https://n00bpentesting.wordpress.com/lessons/ptes-101/pre-engagement-interactions/)
* [What to Expect in an Ethical Hacking Interview - TheCyberMentor](https://www.youtube.com/watch?v=nrewE1mLlaU)
* [How I Made $100,000 in a Month - TheCyberMentor](https://www.youtube.com/watch?v=dRTqRJsr1ss)
* **Policies & Regulations**
* [The SOC2 Starting Seven - Latacora Blog](https://latacora.micro.blog/2020/03/12/the-soc-starting.html)
* Sage advice about SOC2 from Latacora.
* **Difficult Conversations**<a name="difficult"></a>
* [Our 6 Must Reads for Cutting Through Conflict and Tough Conversations - firstround.com](https://firstround.com/review/our-6-must-reads-for-cutting-through-conflict-and-tough-conversations/)
* [7 Tips for Difficult Conversations - Daisy Wademan Dowling(HBR)](https://hbr.org/2009/03/7-tips-for-difficult-conversat)
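Review bot: indentation of the new sub-headings under `**Contracting & Consulting**` is inconsistent: `**Billing**` appears one space deeper than `**About**`/`**Building**`/`**Consulting**`, and `**Policies & Regulations**` one space shallower, which renders them at different list levels. Also, the two TheCyberMentor entries filed under `**Engaging**` ("What to Expect in an Ethical Hacking Interview", "How I Made $100,000 in a Month") are about interviewing and income rather than client engagement; the interview one belongs under `**Interview Prep**`.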
@ -224,63 +243,61 @@
* [The Hiring Post - sockpuppet.org](https://sockpuppet.org/blog/2015/03/06/the-hiring-post/)
* [On Secretly Terrible Engineers - Danny Crichton](https://techcrunch.com/2015/03/08/on-secretly-terrible-engineers/)
* [Hiring and the market for lemons - Dan Luu](https://danluu.com/hiring-lemons/)
* [Our 6 Must Reads for Onboarding Tactics That Help New Hires Succeed (and Stay) - FirstRoundReview](https://firstround.com/review/our-6-must-reads-for-onboarding-tactics-that-help-new-hires-succeed-and-stay/)
* **Impostor Syndrome**<a name="imposter"></a>
* [Would the real imposter please stand up? - Dr. Jessica Barker(SteelCon2016)](https://www.youtube.com/watch?v=tGyBFOWsFbk&feature=share)
* [Dark Matter Developers: The Unseen 99%(2012) - Scott Hanselman](https://www.hanselman.com/blog/DarkMatterDevelopersTheUnseen99.aspx)
* **Independent Business**<a name="Independent"></a>
* [Why You Should Charge Clients More Than You Think You’re Worth - Dorie Clark(HBR)](https://hbr.org/2017/10/why-you-should-charge-clients-more-than-you-think-youre-worth)
* [How to Write a Statement of Work - Mary K Pratt](https://www.computerworld.com/article/2555324/how-to-write-a-statement-of-work.html)
* [Entrepreneurship for hackers - snyff(Christchurch CON 2019)](https://www.slideshare.net/snyff/entrepreneurship-for-hackers)
* [How to build your own Infosec Company - Mario Heiderich(nullcon Goa 2019)](https://www.youtube.com/watch?v=N2JG7qIlpi0)
* [The SOC2 Starting Seven - Latacora Blog](https://latacora.micro.blog/2020/03/12/the-soc-starting.html)
* Sage advice about SOC2 from Latacora.
* **Informal Laws & Principles(and other things)**<a name="laws"></a>
* [The Gervais Principle - RibbonFarm](https://www.ribbonfarm.com/the-gervais-principle/)
* [Peter Principle - Wikipedia](https://en.wikipedia.org/wiki/Peter_principle)
* The Peter principle is a concept in management developed by Laurence J. Peter, which observes that people in a hierarchy tend to rise to their "level of incompetence". In other words, employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another. The concept was enunciated in the 1969 book The Peter Principle by Peter and Raymond Hull.
* It was originally written as a satire.
* [Akin's Laws of Spacecraft Design - David L. Akin](https://spacecraft.ssl.umd.edu/akins_laws.html)
* [The Fallacy Of Chesterton’s Fence - Keith Lee](https://abovethelaw.com/2014/01/the-fallacy-of-chestertons-fence/)
* If you think you can improve a policy or procedure in your office, first ask yourself: Are you falling victim to the fallacy of Chesterton's fence?
* [Conway's Law - Wikipedia](https://en.wikipedia.org/wiki/Conway%27s_law)
* [Dilbert Principle - Wikipedia](https://en.wikipedia.org/wiki/Dilbert_principle)
* The Dilbert principle refers to a 1990s theory by Dilbert cartoonist Scott Adams stating that companies tend to systematically promote their least competent employees to management (generally middle management), to limit the amount of damage they are capable of doing.
* [The Gervais Principle - RibbonFarm](https://www.ribbonfarm.com/the-gervais-principle/)
* [Golden Hammer - wiki.c2.com](http://wiki.c2.com/?GoldenHammer)
* [Goodhart's law - Wikipedia](https://en.wikipedia.org/wiki/Goodhart%27s_law)
* [Gresham’s Law: Why Bad Drives Out Good As Time Passes - Farnam Street](https://fs.blog/2009/12/mental-model-greshams-law/)
* [HiPPO FAQ](https://exp-platform.com/hippo/)
* Highest Paid Persons Opinion
* [Induced demand - Wikipedia](https://en.wikipedia.org/wiki/Induced_demand)
* [The Iron Law of Bureaucracy](https://www.jerrypournelle.com/reports/jerryp/iron.html)
* Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people":
* `First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.`
* `Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.`
* The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.
* [Robustness Principle - Wikipedia](https://en.m.wikipedia.org/wiki/Robustness_principle)
* [Golden Hammer - wiki.c2.com](http://wiki.c2.com/?GoldenHammer)
* [The Shirky Principle - Technium](https://kk.org/thetechnium/the-shirky-prin/)
* “Institutions will try to preserve the problem to which they are the solution.” — Clay Shirky
* [Law #8: The Law of Duality - ericsink.com](https://ericsink.com/laws/Law_08.html)
* [No Silver Bullet - fmiljang.co.uk](http://www.fmjlang.co.uk/blog/NoSilverBullet.html)
* [Parkinson's Law - Wikipedia](https://en.wikipedia.org/wiki/Parkinson%27s_law)
* [Gresham’s Law: Why Bad Drives Out Good As Time Passes - Farnam Street](https://fs.blog/2009/12/mental-model-greshams-law/)
* [Akin's Laws of Spacecraft Design - David L. Akin](https://spacecraft.ssl.umd.edu/akins_laws.html)
* [The Fallacy Of Chesterton’s Fence - Keith Lee](https://abovethelaw.com/2014/01/the-fallacy-of-chestertons-fence/)
* If you think you can improve a policy or procedure in your office, first ask yourself: Are you falling victim to the fallacy of Chesterton's fence?
* [Simpson's paradox - Wikipedia](https://en.wikipedia.org/wiki/Simpson%27s_paradox)
* [HiPPO FAQ](https://exp-platform.com/hippo/)
* Highest Paid Persons Opinion
* [Parkinson’s law: how constraints can create freedom - Anne-Laure](https://nesslabs.com/parkinson-law)
* [Conway's Law - Wikipedia](https://en.wikipedia.org/wiki/Conway%27s_law)
* [Goodhart's law - Wikipedia](https://en.wikipedia.org/wiki/Goodhart%27s_law)
* [Peter Principle - Wikipedia](https://en.wikipedia.org/wiki/Peter_principle)
* The Peter principle is a concept in management developed by Laurence J. Peter, which observes that people in a hierarchy tend to rise to their "level of incompetence". In other words, employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another. The concept was enunciated in the 1969 book The Peter Principle by Peter and Raymond Hull.
* It was originally written as a satire.
* [Robustness Principle - Wikipedia](https://en.m.wikipedia.org/wiki/Robustness_principle)
* [Simpson's paradox - Wikipedia](https://en.wikipedia.org/wiki/Simpson%27s_paradox)
* [The Shirky Principle - Technium](https://kk.org/thetechnium/the-shirky-prin/)
* “Institutions will try to preserve the problem to which they are the solution.” — Clay Shirky
* [hacker-laws](https://github.com/dwmkerr/hacker-laws)
* Laws, Theories, Principles and Patterns that developers will find useful.
* [Induced demand - Wikipedia](https://en.wikipedia.org/wiki/Induced_demand)
* **Interview Prep**<a name="interview"></a>
* [offensiveinterview - WebBreacher](https://github.com/WebBreacher/offensiveinterview)
* Interview questions to screen offensive (red team/pentest) candidates
* [The Hidden Flaw In Behavioral Interview Questions - Mark Murphy](https://www.forbes.com/sites/markmurphy/2014/12/03/the-hidden-flaw-in-behavioral-interview-questions)
* [test-your-admin-skills](https://github.com/trimstray/test-your-sysadmin-skills)
* A collection of \*nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition).
* [Linux System Administrator/DevOps Interview Questions - chassing](https://github.com/chassing/linux-sysadmin-interview-questions/blob/master/README.md)
* [Tech Interview Handbook - yangshun.github.io](https://yangshun.github.io/tech-interview-handbook/)
* [Ten Rules for Negotiating a Job Offer - Haseeb Qureshi](https://haseebq.com/my-ten-rules-for-negotiating-a-job-offer/)
* [How Not to Bomb Your Offer Negotiation - Haseeb Qureshi](https://haseebq.com/farewell-app-academy-hello-airbnb-part-i/)
* [Deploying Guerrilla Tactics to Combat Stupid Tech Interviews - Erik Dietrch](https://daedtech.com/deploying-guerrilla-tactics-combat-stupid-tech-interviews/)
* [Security_Engineer_Interview_Questions - Tad Whitaker](https://github.com/tadwhitaker/Security_Engineer_Interview_Questions/blob/master/security-interview-questions)
* [Preparing the SRE interview - balthazar-rouberol](https://blog.balthazar-rouberol.com/preparing-the-sre-interview)
* [what-happens-when](https://github.com/alex/what-happens-when)
* An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"
* **Articles/Blogposts/Writeups**
* [The Hidden Flaw In Behavioral Interview Questions - Mark Murphy](https://www.forbes.com/sites/markmurphy/2014/12/03/the-hidden-flaw-in-behavioral-interview-questions)
* [Tech Interview Handbook - yangshun.github.io](https://yangshun.github.io/tech-interview-handbook/)
* [Ten Rules for Negotiating a Job Offer - Haseeb Qureshi](https://haseebq.com/my-ten-rules-for-negotiating-a-job-offer/)
* [How Not to Bomb Your Offer Negotiation - Haseeb Qureshi](https://haseebq.com/farewell-app-academy-hello-airbnb-part-i/)
* [Deploying Guerrilla Tactics to Combat Stupid Tech Interviews - Erik Dietrch](https://daedtech.com/deploying-guerrilla-tactics-combat-stupid-tech-interviews/)
* [Preparing the SRE interview - balthazar-rouberol](https://blog.balthazar-rouberol.com/preparing-the-sre-interview)
* **Interview Questions**
* [test-your-admin-skills](https://github.com/trimstray/test-your-sysadmin-skills)
* A collection of \*nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition).
* [Linux System Administrator/DevOps Interview Questions - chassing](https://github.com/chassing/linux-sysadmin-interview-questions/blob/master/README.md)
* [offensiveinterview - WebBreacher](https://github.com/WebBreacher/offensiveinterview)
* Interview questions to screen offensive (red team/pentest) candidates
* [test-your-admin-skills](https://github.com/trimstray/test-your-sysadmin-skills)
* A collection of \*nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition).
* [Security_Engineer_Interview_Questions - Tad Whitaker](https://github.com/tadwhitaker/Security_Engineer_Interview_Questions/blob/master/security-interview-questions)
* [what-happens-when](https://github.com/alex/what-happens-when)
* An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"
* **Interviewing**<a name="interviewing"></a>
* [STAR Method Technique Interview Questions & Answers - Christian Eilers](https://zety.com/blog/star-method-interview)
* [What I Learned Doing 250 Interviews at Google - Moishe Lettvin](https://www.youtube.com/watch?v=r8RxkpUvxK0)
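Review bot: `test-your-admin-skills` and its description line are listed twice under the new `**Interview Questions**` sub-heading (once before the chassing entry, once after offensiveinterview); drop one. Two smaller points in the same region: the Iron Law of Bureaucracy description has a stray closing quote (`two kinds of people":`), and since the `**Independent Business**<a name="Independent"></a>` entries (Dorie Clark, Statement of Work, snyff, SOC2 Starting Seven) now live under Contracting & Consulting, that anchor disappears; check the table of contents for a link to it.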
@ -343,6 +360,12 @@
* [How to Design an Agenda for an Effective Meeting - Roger Schwarz(HBR)](https://hbr.org/2015/03/how-to-design-an-agenda-for-an-effective-meeting)
* **Mental Health**<a name="mentalh"></a>
* **General**
* [USA Mental Health First Aid](https://www.mentalhealthfirstaid.org/)
* [National Alliance on Mental Illness](https://www.nami.org/#)
* [Mental Health Hackers](https://www.mentalhealthhackers.org/)
* [Laziness Does Not Exist - But unseen barriers do - Devon Price](https://medium.com/@devonprice/laziness-does-not-exist-3af27e312d01)
* [#44CON: Establishing a Mental Health Toolbox - Dan Raywood](https://www.infosecurity-magazine.com/news/44con-mental-health-toolbox/)
* [Sick Systems: How to Keep Someone With You Forever - issendai](http://www.issendai.com/psychology/sick-systems.html)
* [Spoon theory - Wikipedia](https://en.wikipedia.org/wiki/Spoon_theory)
* [How to Be Kind to Yourself & Still Get Stuff Done - Leo Babauta](https://zenhabits.net/kind-done/)
* **Abusive Behaviour**
@ -357,13 +380,6 @@
* **Depression**
* [Living with Depression in Tech - Jonathan Zdziarski](https://www.zdziarski.com/blog/?p=7437)
* [The Only Thing You Cant Fix Is Killing Yourself - notdan](https://medium.com/@notdan/the-only-thing-you-cant-fix-is-killing-yourself-da8b555a99f1)
* **General**
* [USA Mental Health First Aid](https://www.mentalhealthfirstaid.org/)
* [National Alliance on Mental Illness](https://www.nami.org/#)
* [Mental Health Hackers](https://www.mentalhealthhackers.org/)
* [Laziness Does Not Exist - But unseen barriers do - Devon Price](https://medium.com/@devonprice/laziness-does-not-exist-3af27e312d01)
* [#44CON: Establishing a Mental Health Toolbox - Dan Raywood](https://www.infosecurity-magazine.com/news/44con-mental-health-toolbox/)
* [Sick Systems: How to Keep Someone With You Forever - issendai](http://www.issendai.com/psychology/sick-systems.html)
* **Stress**
* [Stress management - Mayo Clinic](https://www.mayoclinic.org/healthy-lifestyle/stress-management/in-depth/stress/art-20046037)
* [Understanding chronic stress - American Psychological Association](https://www.apa.org/helpcenter/understanding-chronic-stress)
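Review bot: the removed `**General**` block between Depression and Stress is a pure relocation of its six entries to the top of the Mental Health section in the previous hunk, so this deletion drops no content; the only thing to double-check is that both halves stay in the same commit, which they do here.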
@ -391,6 +407,8 @@
* **Non-Technical Skills**<a name="non-tech"></a>
* [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions)
* [How To Ask Questions The Smart Way - Eric Raymond](http://www.catb.org/esr/faqs/smart-questions.html)
* **Offices**
* [The History of Office Design - k2space](https://k2space.co.uk/knowledge/history-of-office-design/)
* **Organizational Theory/Stuff about Organizations**<a name="orgtheory"></a>
* [Organizational Theory - Wikipedia](https://en.wikipedia.org/wiki/Organizational_theory)
* [Bureaucratic drift - Wikipedia](https://en.wikipedia.org/wiki/Bureaucratic_drift)
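Review bot: the new `**Offices**` subsection has no `<a name=...>` anchor, unlike its siblings `**Non-Technical Skills**<a name="non-tech"></a>` and `**Organizational Theory/Stuff about Organizations**<a name="orgtheory"></a>`, so it cannot be linked from the table of contents; either give it an anchor (for example `<a name="offices"></a>`) or nest the single office-design link under Organizational Theory, since one link hardly warrants a top-level heading.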
@ -474,6 +492,7 @@
* **History**
* [If I Told You I’d Have to Kill You: The Story Behind “The Secret History of Silicon Valley” - Steve Blank](https://steveblank.com/2009/03/23/if-i-told-you-i%e2%80%99d-have-to-kill-you-the-story-behind-the-secret-history-of-silicon-valley/)
* **Shady things**
* **Articles**
* [Amazon Scooped Up Data From Its Own Sellers to Launch Competing Products - Angela Owens(2020)](https://www.wsj.com/amp/articles/amazon-scooped-up-data-from-its-own-sellers-to-launch-competing-products-11587650015)
* [Amazon Met With Startups About Investing, Then Launched Competing Products - Dana Mattioloi, Cara Lombardo(2020)](https://www.wsj.com/articles/amazon-tech-startup-echo-bezos-alexa-investment-fund-11595520249)
* [What Does It Mean When Apple “Sherlocks” an App? - Justin Pot(2017)](https://www.google.com/amp/s/www.howtogeek.com/297651/what-does-it-mean-when-a-company-sherlocks-an-app)
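Review bot: the inserted `* **Articles**` heading sits at the same indentation as `* **Shady things**` and as the three article entries below it, so as written it is an empty sibling heading rather than a sub-heading of Shady things; indent `**Articles**` one level under Shady things and the Amazon/Apple entries one level further, matching how `**History**` nests its entry two lines above.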
@ -505,3 +524,7 @@
* Attrition.org (http://attrition.org/) is a computer security web site dedicated to the collection, dissemination and distribution of information about the security industry for anyone interested in the subject. They maintain one of the only open and honest grim look at the industry, reminding everyone that we must strive to be better than we have been historically. The crusade to expose industry frauds and inform the public about incorrect information in computer security articles is a primary goal of the site. Previously, Attrition.org maintained the largest catalogs of security advisories, text files, and humorous image galleries. They are also known for maintaining the largest mirror of Web site defacements and the creation of the Data Loss Database (Open Source), which eventually became DatalossDB (http://datalossdb.org/).
* **Other**
* [Microservices - KRAZAM](https://www.youtube.com/watch?v=y8OnoxKotPQ&app=desktop)
* [The Expert](https://www.youtube.com/watch?v=BKorP55Aqvg)
* [Elon Musk Today](https://elonmusk.today/)
* Like Donald Trump, But For Nerds
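Review bot: the three entries under the new `**Other**` heading break the `Title - Author(Year)` form used through the rest of this file; `Microservices - KRAZAM` at least names the channel, but `The Expert` and `Elon Musk Today` carry no source, and the sub-bullet `Like Donald Trump, But For Nerds` reads as the maintainer's own editorial line rather than a description of the site, so either attribute it as the site's tagline in quotes or drop it.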

+ 8
- 0
Draft/Passwords.md View File

@ -278,6 +278,8 @@
* [Hashcat: GPU password cracking for maximum win - `_NSAKEY`(PhreakNIC 19)](https://www.youtube.com/watch?v=_QbVP1yh2YI)
* After briefly touching on the general concept of password cracking, the focus of the talk will be on the effectiveness of different attack modes in hashcat, with a heavy emphasis on rule-based attacks. While the name of the talk is “hashcat,†this talk will almost exclusively discuss the GPU-enabled versions (Specifically cudahashcat). The final phase of the talk will include the results of my own experiments in creating rule sets for password cracking, along with an analysis of the known plaintext passwords from the test hash list.
* [Slides](https://www.slideshare.net/_NSAKEY/hashcat-gpu-password-cracking-for-maximum-win-57720263)
* [SecTalks SYD0x37 (55th)-Password Cracking in 2020 (or) why does this still work? - Raaqim Mohammed(2020)](https://www.youtube.com/watch?v=Ovi0XdZ0gis)
* It was the 90s, I was but a child and LM hashes ruled the day. Windows didn't salt their hashes. It is 2020, I grew up and NTLM hashes ruled the day. Windows didn't salt their hashes. This presentation will provide a guide of what to do once you get your hands on these tasty hashes and need to figure out how to 'crack' them when things aren't as easy as you expected...
* **Password Rulesets**
* [Statistics Will Crack Your Password - Julian Dunning(2015)](https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure)
* [Hob0Rules Released: Statistics Based Password Cracking Rules - Julian Dunning(2016)](https://www.praetorian.com/blog/hob064-statistics-based-password-cracking-rules-hashcat-d3adhob0)
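Review bot: the abstract added under the SecTalks entry (`It was the 90s, I was but a child and LM hashes ruled the day...`) is the speaker's first-person text but is not marked as a quotation, so it reads as the maintainer's voice; wrap it in quotes the way verbatim descriptions are handled elsewhere in this commit. While here, the unchanged context line two lines above has a mojibake sequence (`“hashcat,†`) where the closing quote of the talk title should be; worth a follow-up fix.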
@ -305,6 +307,7 @@
* **Articles/Papers/Talks/Writeups**
* [Cracking NTLMv1 \w ESS/SSP - crack.sh](https://crack.sh/cracking-ntlmv1-w-ess-ssp/)
* [LM, NTLM, Net-NTLMv2, oh my! A Pentester’s Guide to Windows Hashes- Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* **Talks/Presentations/Videos**
* **Tools**
* [Rainbow Crackalack v1.2](https://github.com/jtesta/rainbowcrackalack)
* This project produces open-source code to generate rainbow tables as well as use them to look up password hashes. While the current release only supports NTLM, future releases may support MD5, SHA-1, SHA-256, and possibly more. Both Linux and Windows are supported!
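Review bot: the new `* **Talks/Presentations/Videos**` heading inserted between `Articles/Papers/Talks/Writeups` and `Tools` is empty, and its parent heading already claims Talks; either move the talk entries out of `Articles/Papers/Talks/Writeups` into it (and drop "Talks" from the parent name) or hold the heading until there is something to file under it, because an empty bold bullet renders as a dangling list item.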
@ -328,6 +331,11 @@
* [LM, NTLM, Net-NTLMv2, oh my! - Péter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* [A 9-step recipe to crack a NTLMv2 Hash from a freshly acquired .pcap - kimvb3r](https://research.801labs.org/cracking-an-ntlmv2-hash/)
* [How to Dump NTLM Hashes & Crack Windows Passwords - Tokyoneon](https://null-byte.wonderhowto.com/how-to/hacking-windows-10-dump-ntlm-hashes-crack-windows-passwords-0198268/)
* [The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge](http://davenport.sourceforge.net/ntlm.html)
* [Live off the Land and Crack the NTLMSSP Protocol](https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol)
* Last month Bleeping Computer published an article about PKTMON.EXE, a little known utility in Windows 10 that provides the ability to sniff and monitor network traffic. I quickly wondered if it would be feasible to use this utility, and other native tools within Windows, to capture NTLMv2 network authentication handshakes. TL;DR: Yes it is possible and I wrote a Python3 script called NTLMRawUnHide that can extract NTLMv2 password hashes from packet dumps of many formats!
* [NTLMRawUnhide.py](https://github.com/mlgualtieri/NTLMRawUnHide)
* NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was developed to extract NTLMv2 hashes from files generated by native Windows binaries like NETSH.EXE and PKTMON.EXE without conversion.
* **PDF**<a name="pdf"></a>
* [PDFCrack](http://pdfcrack.sourceforge.net/)
* PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF-files. It is small, command line driven without external dependencies. The application is Open Source (GPL).
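Review bot: `[Live off the Land and Crack the NTLMSSP Protocol]` lacks the author suffix its neighbours carry (`- Péter Gombos`, `- kimvb3r`, `- Tokyoneon`); the post lives on mike-gualtieri.com and the tool beneath it is credited to mlgualtieri, so `- Mike Gualtieri` fits. The description under it is the post's own first-person TL;DR and should be quoted, and the `NTLMRawUnhide.py` entry plus its description are an exact duplicate of the pair already present in Draft/PrivescPostEx.md (visible there as unchanged context later in this commit), so one copy could become a cross-reference.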


+ 273
- 71
Draft/PrivescPostEx.md View File

@ -42,22 +42,36 @@
| Linux Specific Technologies | macOS Specific Technologies | Windows Specific Technologies |
|:-- |:-- |:-- |
| | | [ClickOnce](#clickonce) |
| | | [Code Signing](#codesign) |
| | | [(Distributed) Component-Object-Model(COM)](#dcom) |
| | | [DPAPI](#dpapi) |
| | | [ETW](#etw) |
| | | [Alternate Data Streams](#wads) |
| | [Code Signing](#osxsign) | [AppLocker](#winapplocker) |
| | [Endpoint Security Framework](#osxesf) | [Application Shims](#winappshim) |
| | [GateKeeper](#osxgk) | [ClickOnce](#clickonce) |
| | | [Credential Guard](#credguard) |
| | [System Integrity Protection](#osxsip) | [Code Signing](#codesign) |
| | [Transparency, Consent, and Control](#osxtcc) | [(Distributed) Component-Object-Model(COM)](#dcom) |
| | [XProtect](#osxxprotect) | [Dynamic Link Library](#dll) |
| | | [Data Protection API(DPAPI)](#dpapi) |
| | | [Device Guard](#devguard) |
| | | [Event Tracing for Windows](#etw) |
| | | [Print & Fax](#printfax) |
| | | [File Extensions](#) |
| | | [LNK Files](#LNK) |
| | | [Windows Logging](#winlog) |
| | | [MS-SQL Server](#ms-sql-server) |
| | | [Named Pipes](#namedpipes) |
| | | [PowerShell](#powershell) |
| | | [PowerShell Desired State](#winpsc) |
| | | [Windows Communication Facility](#wcf) |
| | | [Windows Communication Foundation](#wcf) |
| | | [Windows Notification Facility](#wnf) |
| | | [Windows Remote Management](#winrm) |
| | | [Windows Scripting Host](#wsh) |
| | | |
----------------------------------------------------------------------
To Do
* Change AV Avoidance stuff to specific OS
* Sort AMSI stuff
------------------------------------------------------------------------------------------------------------------------
## <a name="privesc"></a>Privilege Escalation
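Review bot: `[File Extensions](#)` in the rebuilt Windows column has an empty fragment, while this same commit adds `<a name="fext"></a>` to the File Extensions heading further down, so the row should read `[File Extensions](#fext)`. The other new targets deserve a quick resolve-check as well: `#credguard`, `#devguard`, `#wads` and `#dll` are defined in this commit, but `#winlog`, `#winpsc`, `#printfax` and `#LNK` do not appear anywhere in the visible diff. The rename of `Windows Communication Facility` to `Windows Communication Foundation` is the correct expansion of WCF. The `To Do` lines now sit between two horizontal rules as plain text; a `<!-- -->` comment or a proper heading would keep them from rendering as body text.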
@ -1199,8 +1213,66 @@
* [MacOS Red Teaming 209: macOS Frameworks for Command and Control - Action Dan](https://lockboxx.blogspot.com/2019/09/macos-red-teaming-209-macos-frameworks.html)
* [MacOS Red Teaming 210: Abusing Pkgs for Privilege Escalation - Action Dan](https://lockboxx.blogspot.com/2019/10/macos-red-teaming-210-abusing-pkgs-for.html)
* [MacOS Red Teaming 211: Dylib Hijacking - Action Dan](https://lockboxx.blogspot.com/2019/10/macos-red-teaming-211-dylib-hijacking.html)
* **Technologies**
---------------------------
#### macOS Technologies<a name="osxtech"></a>
* **Code Signing**<a name="osxsign"></a>
* [macOS Code Signing In Depth](https://developer.apple.com/library/content/technotes/tn2206/_index.html)
* [Launch Service Keys - `LSFileQuarantineEnabled`](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW10)
* **Endpoint Security Framework**<a name="osxesf"></a>
* [EndpointSecurity - developer.apple](https://developer.apple.com/documentation/endpointsecurity)
* Endpoint Security is a C API for monitoring system events for potentially malicious activity. Your client, which you can write in any language supporting native calls, registers with Endpoint Security to authorize pending events, or receive notifications of events that have already occurred. These events include process executions, mounting file systems, forking processes, and raising signals. Develop your system extension with Endpoint Security and package it in an app that uses the SystemExtensions framework to install and upgrade the extension on the user’s Mac.
* **GateKeeper**<a name="osxgk"></a>
* [App security overview - support.apple](https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/1/web/1)
* [Protecting against malware - support.apple](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1)
* [Gatekeeper and runtime protection - support.apple](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/1/web/1)
* [Gatekeeper - Wikipedia](https://en.wikipedia.org/wiki/Gatekeeper_(macOS))
* 'macOS includes a technology called Gatekeeper, that's designed to ensure that only trusted software runs on your Mac.'
* [Safely open apps on your Mac - support.apple](https://support.apple.com/en-us/HT202491)
* **System Integrity Protection**<a name="osxsip"></a>
* [System Integrity Protection - Wikipedia](https://en.wikipedia.org/wiki/System_Integrity_Protection)
* [About System Integrity Protection on your Mac - support.apple.com](https://support.apple.com/en-us/HT204899)
* [Configuring System Integrity Protection - developer.apple](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html#//apple_ref/doc/uid/TP40016462-CH5-SW1)
* **Transparency, Consent, and Control**<a name="osxtcc"></a>
* []()
* **XProtect**<a name="osxxprotect"></a>
* [XProtect Explained: How Your Mac’s Built-in Anti-malware Software Works - Chris Hoffman(2015)](https://www.howtogeek.com/217043/xprotect-explained-how-your-macs-built-in-anti-malware-works/)
* [How the “antimalware” XProtect for MacOS works and why it detects poorly and badly - ElevenPaths(2019)](https://business.blogthinkbig.com/antimalware-xprotect-macos/)
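Review bot: `* []()` under `**Transparency, Consent, and Control**<a name="osxtcc"></a>` is an empty link placeholder that renders as a blank bullet; add the reference or leave the heading with a `TODO` until one exists. `[Launch Service Keys - LSFileQuarantineEnabled]` is filed under Code Signing, but that Info.plist key governs whether files an app creates receive the quarantine attribute that Gatekeeper evaluates, so it belongs under GateKeeper. The Gatekeeper description uses single quotes while the other verbatim descriptions in this commit use double quotes; pick one style.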
@ -1533,7 +1605,7 @@
* [Alternative psexec: no wmi, services or mof needed - Diablohorn](https://diablohorn.com/2013/10/19/alternative-psexec-no-wmi-services-or-mof-needed/)
* [Poc](https://github.com/DiabloHorn/DiabloHorn/tree/master/remote_appinitdlls)
* **Application Shimming**
* [Windows Persistence using Application Shimming - Raj Chandel(2020)](https://www.hackingarticles.in/windows-persistence-using-application-shimming/)
* [Windows Persistence using Application Shimming - Kavish Tyagi(2020)](https://www.hackingarticles.in/windows-persistence-using-application-shimming/)
* [Post Exploitation Persistence With Application Shims (Intro)](http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/)
* [Shimming for Post Exploitation(blog)](http://www.sdb.tools/)
* [Demystifying Shims – or – Using the App Compat Toolkit to make your old stuff work with your new stuff](https://web.archive.org/web/20170910104808/https://blogs.technet.microsoft.com/askperf/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff/)
@ -1763,7 +1835,7 @@
* [AlwaysInstallElevated - docs.ms](https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated)
* [Always Install Elevated - NetbiosX](https://pentestlab.blog/2017/02/28/always-install-elevated/)
* [Get-RegistryAlwaysInstallElevated - PowerSploit](https://powersploit.readthedocs.io/en/latest/Privesc/Get-RegistryAlwaysInstallElevated/)
* **DLL Stuff** <a name="dll"></a>
* **DLL Stuff** <a name="dllstuff"></a>
* [Creating a Windows DLL with Visual Basic](http://www.windowsdevcenter.com/pub/a/windows/2005/04/26/create_dll.html)
* [Calling DLL Functions from Visual Basic Applications - msdn](https://msdn.microsoft.com/en-us/library/dt232c9t.aspx)
* **DLL Hijacking/Plant**
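Review bot: renaming the anchor from `dll` to `dllstuff` resolves the collision with the `**DLLs**<a name="dll"></a>` heading added under Windows Technologies in this same commit, but it also means the table row `[Dynamic Link Library](#dll)` now lands on the new 101 section rather than on DLL Stuff (hijacking/planting); if that is intended, add a `#dllstuff` link to the table so the hijacking material stays reachable from the top of the file.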
@ -1946,16 +2018,21 @@
* [CVE-2019-1040 scanner](https://github.com/fox-it/cve-2019-1040-scanner)
* Checks for CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx. Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
* **NTLM Relay**
* [NTLM Relay - Pixis](https://en.hackndo.com/ntlm-relay/)
* [Playing with Relayed Credentials - @agsolino](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy](https://cqureacademy.com/blog/penetration-testing/smb-relay-attack)
* [Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) - byt3bl33d3r](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
* [An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale](https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/)
* [Effective NTLM / SMB Relaying - mubix](https://malicious.link/post/2014/effective-ntlm-smb-relaying/)
* [SMB Relay with Snarf - Jeff Dimmock](https://bluescreenofjeff.com/2016-02-19-smb-relay-with-snarfjs-making-the-most-of-your-mitm/)
* [Responder with NTLM relay and Empire - chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/execution/responder-with-ntlm-relay-and-empire.html)
* [What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)](https://www.secureauth.com/blog/what-old-new-again-relay-attack)
* The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
* **Articles/Blogposts/Writeups**
* [Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) - byt3bl33d3r](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
* [NTLM Relay - Pixis](https://en.hackndo.com/ntlm-relay/)
* [Playing with Relayed Credentials - @agsolino(2018)](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy](https://cqureacademy.com/blog/penetration-testing/smb-relay-attack)
* [An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale](https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/)
* [Effective NTLM / SMB Relaying - mubix](https://malicious.link/post/2014/effective-ntlm-smb-relaying/)
* [SMB Relay with Snarf - Jeff Dimmock](https://bluescreenofjeff.com/2016-02-19-smb-relay-with-snarfjs-making-the-most-of-your-mitm/)
* [Responder with NTLM relay and Empire - chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/execution/responder-with-ntlm-relay-and-empire.html)
* [What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)](https://www.secureauth.com/blog/what-old-new-again-relay-attack)
* The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
* **Mitigation**
* Enforce SMB Signing.
* [How to enable SMB signing in Windows NT - support.ms](https://support.microsoft.com/en-us/help/161372/how-to-enable-smb-signing-in-windows-nt)
* [All You Need To Know About Windows SMB Signing - Lavanya Rathnam(2018)](http://techgenix.com/windows-smb-signing/)
* **Hot Potato**
* [Hot Potato](https://foxglovesecurity.com/2016/01/16/hot-potato/)
* Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
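Review bot: the new `**Mitigation**` block lists only `Enforce SMB Signing.`, but the articles directly above it (ntlmrelayx multi-relay against "several targets", and the CVE-2019-1040 MIC-removal scanner at the top of the hunk) are about relaying NTLM to services beyond SMB, which SMB signing does not protect; a one-line pointer to the equivalent controls for those targets (LDAP signing and channel binding, Extended Protection for HTTP endpoints) would make the mitigation list match the attack list. Also, `How to enable SMB signing in Windows NT` is an NT-era KB while the techgenix link covers the current Group Policy setting, so the latter should probably be listed first. The reshuffle of the article list itself (Practical guide moved to the top, `(2018)` added to the SecureAuth post) is fine.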
@ -2488,6 +2565,7 @@
* [An Overview of KB2871997 - msrc-blog.ms](https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/)
* Increasing complexity of retrieving clear-text creds
* [Cached and Stored Credentials Technical Overview - docs.ms(2016)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11))
* Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
* **Articles/Blogposts/Writeups**
* [Cached and Stored Credentials - ldapwiki](https://ldapwiki.com/wiki/Cached%20and%20Stored%20Credentials)
* [Hunting for Credentials Dumping in Windows Environment - Teymur Kheirhabarov - ZeroNights](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf)
@ -2551,12 +2629,16 @@
* [gosecretsdump](https://github.com/C-Sto/gosecretsdump)
* This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.
* **Internal Monologue**
* [Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS](https://github.com/eladshamir/Internal-Monologue/)
* In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
* [Getting user credentials is not only admin’s privilege - Anton Sapozhnikov(Syscan14)](https://infocon.org/cons/SyScan/SyScan%202014%20Singapore/SyScan%202014%20presentations/SyScan2014_AntonSapozhnikov_GettingUserCredentialsisnotonlyAdminsPrivilege.pdf)
* [Stealing Hashes without Admin via Internal Monologue - Practical Exploitation(mubix@hak5)](https://www.youtube.com/watch?v=Q8IRcO0s-fU)
* [selfhash](https://github.com/snowytoxa/selfhash)
* Selfhash allows you to get password hashes of the current user. This tool doesn't requere high privileges i.e. SYSTEM, but on another hand it returns NTLM Challenge Response, so you could crack it later.
* **101**
* [Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS](https://github.com/eladshamir/Internal-Monologue/)
* In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
* **Articles/Blogposts/Writeups**
* [Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack - Andrea Fortuna(2018)](https://www.andreafortuna.org/2018/03/26/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/)
* [Getting user credentials is not only admin’s privilege - Anton Sapozhnikov(Syscan14)](https://infocon.org/cons/SyScan/SyScan%202014%20Singapore/SyScan%202014%20presentations/SyScan2014_AntonSapozhnikov_GettingUserCredentialsisnotonlyAdminsPrivilege.pdf)
* [Stealing Hashes without Admin via Internal Monologue - Practical Exploitation(mubix@hak5)](https://www.youtube.com/watch?v=Q8IRcO0s-fU)
* **Tools**
* [selfhash](https://github.com/snowytoxa/selfhash)
* Selfhash allows you to get password hashes of the current user. This tool doesn't requere high privileges i.e. SYSTEM, but on another hand it returns NTLM Challenge Response, so you could crack it later.
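Review bot: the restructure of `**Internal Monologue**` into `101`/`Articles/Blogposts/Writeups`/`Tools` carries the `selfhash` description over verbatim, including `requere` (require) and `on another hand` (on the other hand); if this is copied from the tool's README it should be wrapped in quotes like the PasswordStealing description elsewhere in this commit, otherwise the typos should be fixed while the line is being moved. The added Andrea Fortuna write-up is a reasonable 101-level companion to the eladshamir repo.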
* **Keylogger**
* **Articles/Blogpost/Writeups**
* [Keylogging by Using Windows’ Built-in Mechanisms Only - Paula Januszkiewicz(2020)](https://cqureacademy.com/blog/windows-internals/keylogging)
@ -2586,13 +2668,14 @@
* **Tools**
* [windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract)
* PoC code to extract private keys from Windows 10's built in ssh-agent service
* **Local Security Authority Subsystem Service(LSASS&LSA)**
* **Local Security Authority Subsystem Service(LSA & LSASS&)**
* **101**
* [Local Security Authority Subsystem Service - Wikipedia](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service)
* [Local Security Authority SubSystem Service - ldapwiki](https://ldapwiki.com/wiki/Local%20Security%20Authority%20Subsystem%20Service)
* [Security Subsystem Architecture - 2012](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961760(v=technet.10)?redirectedfrom=MSDN)
* [LSA Authentication - docs.ms(2018)](https://docs.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication?redirectedfrom=MSDN)
* **Articles/Blogposts/Writeups**
* [Dumping LSA Secrets - @spottheplanet(2019)](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets)
* [Dumping Lsass.exe to Disk Without Mimikatz and Extracting Credentials - @spotheplanet](https://ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz)
* [Some ways to dump LSASS.exe - Mark Mo](https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf)
* [Extract credentials from lsass remotely - hackndo](https://en.hackndo.com/remote-lsass-dump-passwords/)
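Review bot: the renamed heading `**Local Security Authority Subsystem Service(LSA & LSASS&)**` has a stray trailing `&` inside the parentheses, so the intended fix of `(LSASS&LSA)` introduces a new typo; it should read `(LSA & LSASS)`. The added `Dumping LSA Secrets - @spottheplanet(2019)` is fine, but the same author's handle is spelled `@spotheplanet` on the very next line, so one spelling should be used for both.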
@ -2657,11 +2740,6 @@
* [Mimikatz DCSync Usage, Exploitation, and Detection - Sean Metcalf](https://adsecurity.org/?p=1729)
* [Mimikatz and DCSync and ExtraSids, Oh My - harmj0y](http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/)
* [Active Directory Attack - DCSync - c0d3xpl0it](https://www.c0d3xpl0it.com/2018/06/active-directory-attack-dcsync.html)
* **DCShadow**
* [DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more - Nikhil Mittal](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
* [DCShadow](https://www.dcshadow.com/)
* DCShadow is a new feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).
* [Active Directory: What can make your million dollar SIEM go blind? - Vincent Le Toux, Benjamin Delpy](https://www.dropbox.com/s/baypdb6glmvp0j9/Buehat%20IL%20v2.3.pdf)
* **pypykatz**
* [pypykatz](https://github.com/skelsec/pypykatz)
* Mimikatz implementation in pure Python
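Review bot: this hunk deletes the entire `**DCShadow**` block (the Nikhil Mittal post, dcshadow.com with its description, and the Le Toux/Delpy slides) from under DCSync with no replacement in this file; the commit summary shows Draft/Active_Directory.md growing by 167 lines, so if the block was moved there a short "see Active_Directory.md" pointer here would keep the DCSync/DCShadow pairing discoverable, and if it was not moved the deletion drops real content.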
@ -2674,6 +2752,8 @@
* [NTLMRawUnhide.py](https://github.com/mlgualtieri/NTLMRawUnHide)
* NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was developed to extract NTLMv2 hashes from files generated by native Windows binaries like NETSH.EXE and PKTMON.EXE without conversion.
* **Password Filter DLL**
* [PasswordStealing -PSBits](https://github.com/gtworek/PSBits/tree/master/PasswordStealing)
* "Password stealing DLL I wrote around 1999, some time before Active Directory was announced. And of course it still works. First, it was written in 32-bit Delphi (pardon my language) and when it stopped working as everything changed into 64-bit - in (so much simpler when it comes to Win32 API) C, as I did not have 64-bit Delphi. The original implementation was a bit more complex, including broadcasting the changed password over the network etc. but now it works as a demonstration of an idea, so let's keep it as simple as possible. It works everywhere - on local machines for local accounts and on DCs for domain accounts."
* [Credential Access – Password Filter DLL - NetbiosX](https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/)
* **Password Spraying**
* **Linux**
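Review bot: the new `**Password Filter DLL**` section lacks the `101`/`Articles/Blogposts/Writeups`/`Tools` substructure that the Internal Monologue and LSASS sections receive in this same commit; the PSBits entry is a tool and the NetbiosX post is an article, so the split is straightforward. The PSBits README quote is correctly marked with double quotes; it could be trimmed to its first two sentences, since the remainder is about the Delphi-to-C rewrite rather than what the DLL does.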
@ -2712,7 +2792,7 @@
* Extracts cookies from Chrome.
* [Blogpost](https://jmpesp.me/sharpcookiemonster/)
* **Wifi(saved)**
* [Credential Dumping: Wireless - Raj Chandel(2020)](https://www.hackingarticles.in/credential-dumping-wireless/)
* [Credential Dumping: Wireless - Yashika Dhir(2020)](https://www.hackingarticles.in/credential-dumping-wireless/)
* **Tools**
* [credgrap_ie_edge](https://github.com/HanseSecure/credgrap_ie_edge)
* Extract stored credentials from Internet Explorer and Edge
@ -2919,7 +2999,7 @@
* **Articles/Blogposts/Writeups**
* [Windows Remote Management - dmcxblue](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/windows-remote-management)
* [WS-Management COM: Another Approach for WinRM Lateral Movement - bohops(2020)](https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/)
* [WinRM Penetration Testing - Raj Chandel(2020)](https://www.hackingarticles.in/winrm-penetration-testing/)
* [WinRM Penetration Testing - Yashika Dhir(2020)](https://www.hackingarticles.in/winrm-penetration-testing/)
* [Lateral Movement Using WinRM and WMI - Tony Lambert(2017)](https://redcanary.com/blog/lateral-movement-winrm-wmi/)
* [Lateral Movement – WinRM - pentestlab.blog(2018)](https://pentestlab.blog/2018/05/15/lateral-movement-winrm/)
* [T1028: WinRM for Lateral Movement - @spottheplanet](https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement)
@ -2930,7 +3010,7 @@
* **101**
* **Articles/Blogposts/Writeups**
* [T1047: WMI for Lateral Movement - @spottheplanet](https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement)
* [Lateral Movement: WMI - Raj Chandel(2020)](https://www.hackingarticles.in/lateral-movement-wmi/)
* [Lateral Movement: WMI - Pavandeep Singh(2020)](https://www.hackingarticles.in/lateral-movement-wmi/)
* [No Win32_Process Needed – Expanding the WMI Lateral Movement Arsenal - Philip Tsukerman](https://www.cybereason.com/blog/no-win32-process-needed-expanding-the-wmi-lateral-movement-arsenal?hs_preview=UbvcDFUZ-5764480077)
* [Lateral Movement in an Environment with Attack Surface Reduction - Michael Bielenberg(2019)](https://ionize.com.au/lateral-movement-in-an-environment-with-attack-surface-reduction/)
* **Papers**
@ -3002,6 +3082,14 @@
---------------------------
#### Windows Technologies<a name="wintech"></a>
* **Alternate Data Streams**<a name="wads"></a>
* **101**
*
* **AppLocker**<a name="winapplocker"></a>
* [AppLocker - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
* This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
* [What Is AppLocker? - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker)
* This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
* **Application Shims**<a name="winappshim"></a>
* [Windows - Application Shims](https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx)
* **ClickOnce Applications**<a name="clickonce"></a>
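Review bot: the `**101**` bullet under `**Alternate Data Streams**<a name="wads"></a>` is followed by a bare `*` with no text, which renders as an empty list item; either add the reference or drop the placeholder until there is one. The two AppLocker descriptions are verbatim docs.ms text and are consistent with how `**Application Shims**` is handled, so no change needed there.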
@ -3011,6 +3099,9 @@
* [ClickOnce Applications in Enterprise Environments - Remko Weijnen](https://www.remkoweijnen.nl/blog/2013/08/05/clickonce-applications-in-enterprise-environments/)
* ClickOnce is a Microsoft technology that enables an end user to install an application from the web without administrative permissions.
* [Eight Evil Things Microsoft Never Showed You in the ClickOnce Demos (and What You Can Do About Some of Them) - Chris Williams](https://www.codemag.com/Article/0902031/Eight-Evil-Things-Microsoft-Never-Showed-You-in-the-ClickOnce-Demos-and-What-You-Can-Do-About-Some-of-Them)
* **Credential Guard**<a name="credguard"></a>
* **101**
*
* **Code Signing**<a name="codesign"></a>
* **Articles/Blogposts/Writeups**
* [Code Signing Certificate Cloning Attacks and Defenses - Matt Graeber](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
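Review bot: `**Credential Guard**<a name="credguard"></a>` is inserted between ClickOnce and Code Signing, but the Windows Technologies list is otherwise alphabetical (ClickOnce, Code Signing, COM, DLLs, DPAPI, ...), so it belongs after Code Signing; its `**101**` bullet is also another bare `*` placeholder like the Alternate Data Streams one earlier in this commit.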
@ -3040,6 +3131,10 @@
* **Papers**
* [The Dangers of Per-User COM Objects - Jon Larimer](https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer-VB2011.pdf)
* **DLLs**<a name="dll"></a>
* **101**
* [What is a DLL? - support.ms](https://support.microsoft.com/en-us/help/815065/what-is-a-dll)
* [Dynamic-Link-Library - Wikipedia](https://en.wikipedia.org/wiki/Dynamic-link_library)
* [DLL Hell - Wikipedia](https://en.wikipedia.org/wiki/DLL_Hell)
* **Tools**
* [CMDLL](https://github.com/jfmaes/CMDLL)
* the most basic DLL ever to pop a cmd.
@ -3082,6 +3177,9 @@
* [The LaZagne Project](https://github.com/AlessandroZ/LaZagneForensic)
* LaZagne uses an internal Windows function called CryptUnprotectData to decrypt user passwords. This API should be called on the victim user session, otherwise, it does not work. If the computer has not been started (when the analysis is realized on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved. LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod and Elie Bursztein for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.
* [DataProtectionDecryptor v1.06 - Nirsoft](https://www.nirsoft.net/utils/dpapi_data_decryptor.html)
* **Device Guard**<a name="devguard"></a>
* **101**
*
* **ETW**<a name="etw"></a>
* **101**
* [Event Tracing - docs.ms](https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal)
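Review bot: same problem as the Credential Guard block above: `**Device Guard**<a name="devguard"></a>` gets a `**101**` heading followed by an empty `*` bullet. Remove the empty bullet (or the heading) rather than shipping a placeholder list item.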
@ -3111,7 +3209,10 @@
* **101**
* [Fibers - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/fibers)
* **Articles/Blogposts/Writeups**
* **File Extensions**
* **File Extensions**<a name="fext"></a>
* [Common file name extensions in Windows - support.ms](https://support.microsoft.com/en-us/help/4479981/windows-10-common-file-name-extensions)
* [File Types - docs.ms](https://docs.microsoft.com/en-us/windows/win32/shell/fa-file-types)
* This topic explains how to create new file types and how to associate your app with your file type and other well-defined file types. Files with a shared common file name extension (.doc, .html, and so on) are of the same type. For example, if you create a new text editor, then you can use the existing .txt file type. In other cases, you might need to create a new file type.
* [The case of the missing file extensions - NCCGroup(2014)](https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2014/may/the-case-of-the-missing-file-extensions/)
* **LNK Files**<a name="LNK"></a>
* **101**
@ -3135,7 +3236,7 @@
* [GENE: Go Evtx sigNature Engine](https://github.com/0xrawsec/gene)
* The idea behind this project is to provide an efficient and standard way to look into Windows Event Logs (a.k.a EVTX files). For those who are familiar with Yara, it can be seen as a Yara engine but to look for information into Windows Events.
* [Documentation](https://rawsec.lu/doc/gene/1.6/)
* **MS-SQL Server**
* **MS-SQL Server**<a name="ms-sql-server"></a>
* **101**
* **Articles/Blogposts/Writeups**
* [How to Get Started with SQL Server and .NET - Artemakis Artemiou(2018)](https://www.mssqltips.com/sqlservertip/5677/how-to-get-started-with-sql-server-and-net/)
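Review bot: the new anchor `<a name="ms-sql-server"></a>` is the only one in this diff spelled with hyphens; the others are single lower-case tokens (`namedpipes`, `winrm`, `wsh`, `fext`), so a table-of-contents entry written in that style would miss it. Consider `mssqlserver` or whatever the ToC uses for MS-SQL. The `**101**` heading under it also has no entries yet.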
@ -3150,11 +3251,12 @@
* QuickSQL is a simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use.
* [SqlClient](https://github.com/FortyNorthSecurity/SqlClient)
* POC for .NET mssql client for accessing database data through beacon
* **Named Pipes**
* [Named Pipe - Wikipedia](https://en.wikipedia.org/wiki/Named_pipe)
* [Named Pipes - docs.ms](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes)
* [Named Pipe Security and Access Rights - docs.ms](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights)
* [Named Pipe client](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-client)
* **Named Pipes**<a name="namedpipes"></a>
* **101**
* [Named Pipe - Wikipedia](https://en.wikipedia.org/wiki/Named_pipe)
* [Named Pipes - docs.ms](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes)
* [Named Pipe Security and Access Rights - docs.ms](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights)
* [Named Pipe client](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-client)
* **PowerShell**<a name="powershell"></a>
* **PowerShell Logging**
* **101**
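Review bot: in the reworked Named Pipes block, `[Named Pipe client](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-client)` is the one entry without the ` - docs.ms` source suffix its three siblings carry; add it for consistency. Adding the `<a name="namedpipes"></a>` anchor and the `**101**` grouping is fine.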
@ -3170,13 +3272,42 @@
* [Understanding different (Six and more!) PowerShell profiles - Mohit Goyal](https://mohitgoyal.co/2017/04/30/understanding-different-six-and-more-powershell-profiles/)
* [PowerShell for Beginners (Part 6): PowerShell Profiles and the ISE - Patrick Gruenauer](https://sid-500.com/2018/01/16/powershell-for-beginners-part-6-powershell-profiles-and-the-ise/)
* **Articles/Blogposts/Writeups**
* [Abusing PowerShell Profiles - enigma0x3(2014)(https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/)
* [Investigating Subversive PowerShell Profiles - Matt Graeber(2015)](http://www.exploit-monday.com/2015/11/investigating-subversive-powershell.html)
* [Persistence – PowerShell Profile - PentestLab.blog(2019)](https://pentestlab.blog/2019/11/05/persistence-powershell-profile/)
* [Persistent PowerShell: The PowerShell Profile - ](https://www.red-gate.com/simple-talk/sysadmin/powershell/persistent-powershell-the-powershell-profile/)
* **PowerShell without PowerShell**
* **101**
* **Articles/Blogposts/Writeups**
* [InsecurePowerShell - PowerShell without System.Management.Automation.dll - Ryan Cobb](https://cobbr.io/InsecurePowershell-PowerShell-Without-System-Management-Automation.html)
* [We don’t need powershell.exe - decoder.cloud](https://decoder.cloud/2017/11/02/we-dont-need-powershell-exe/)
* [Part 2](https://decoder.cloud/2017/11/08/we-dont-need-powershell-exe-part-2/)
* [Part 3](https://decoder.cloud/2017/11/17/we-dont-need-powershell-exe-part-3/)
* **Custom Runspace**
* [Executing PowerShell scripts from C# - docs.ms](https://docs.microsoft.com/en-us/archive/blogs/kebab/executing-powershell-scripts-from-c)
* [Calling C# code in Powershell and vice versa - Karthik Kk](https://blog.executeautomation.com/calling-c-code-in-powershell-and-vice-versa/)
* [How to run PowerShell Core scripts from .NET Core applications - keithbabinec(2020)](https://keithbabinec.com/2020/02/15/how-to-run-powershell-core-scripts-from-net-core-applications/)
* [Code](https://github.com/keithbabinec/PowerShellHostedRunspaceStarterkits)
* [How to execute PowerShell script or cmdlets from C# code? - Mitesh Sureja(2018)](https://miteshsureja.blogspot.com/2018/07/how-to-execute-powershell-script-or.html)
* [Code](https://gist.github.com/miteshsureja/f9cbc2f09264a01277a6555a7425debc)
* Project: [NotPowerShell](https://github.com/Ben0xA/nps)
* **Tools**
* [InsecurePowerShell - PowerShell without System.Management.Automation.dll - cobbr](https://cobbr.io/InsecurePowershell-PowerShell-Without-System-Management-Automation.html)
* [InsecurePowerShell](https://github.com/cobbr/InsecurePowerShell)
* InsecurePowershell is a fork of PowerShell Core v6.0.0, with key security features removed.
* [InsecurePowerShellHost](https://github.com/cobbr/InsecurePowerShellHost)
* InsecurePowerShellHost is a .NET Core host process for InsecurePowerShell, a version of PowerShell Core with key security features removed.
* [PowerPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick)
* This project focuses on allowing the execution of Powershell functionality without the use of Powershell.exe. Primarily this project uses.NET assemblies/libraries to start execution of the Powershell scripts.
* [UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell)
* Executes PowerShell from an unmanaged process.
* [PowerShdll](https://github.com/p3nt4/PowerShdll)
* Run PowerShell with dlls only.
* [NoPowerShell](https://github.com/bitsadmin/nopowershell)
* NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
* [A Powerful New Tool: PowerLine - BHIS(2017)](https://www.youtube.com/watch?v=HiAtkLa8FOc)
* [PowerLine](https://github.com/fullmetalcache/PowerLine)
* [psfire](https://github.com/curi0usJack/psfire)
* simple demo of using C# & System.Management.Automation.dll to run powershell code (b64 encoded) without powershell.exe
* **PowerShell Desired State Configuration**<a name="winpsc"></a>
* **Documentation**
* [Windows PowerShell Desired State Configuration Overview - docs.ms](https://docs.microsoft.com/en-us/powershell/dsc/overview)
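Review bot: broken markdown link in the PowerShell Profiles block: `[Abusing PowerShell Profiles - enigma0x3(2014)(https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/)` is missing the `]` before the URL, so it will not render as a link; it should read `[Abusing PowerShell Profiles - enigma0x3(2014)](https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/)`. Three smaller points in the same hunk: `[Persistent PowerShell: The PowerShell Profile - ](...)` has a dangling ` - ` with no author after it; the InsecurePowerShell write-up appears twice with the same cobbr.io URL, once under `**Articles/Blogposts/Writeups**` as "Ryan Cobb" and again at the top of `**Tools**` as "cobbr", so one copy can go; and `Project: [NotPowerShell](https://github.com/Ben0xA/nps)` breaks the link-only bullet style used around it (drop the `Project:` prefix or move it under `**Tools**` with the other tools).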
@ -3199,6 +3330,9 @@
* **Talks/Presentations/Videos**
* **Windows Notification Facility**<a name="wnf"></a>
* [Playing with the Windows Notification Facility (WNF) - Gwaby](https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html)
* **Windows Remote Management**<a name="winrm"></a>
* **101**
* F
* **Windows Scripting Host**<a name="wsh"></a>
* **101**
* [Windows Scripting Host - Wikipedia](https://en.wikipedia.org/wiki/Windows_Script_Host)
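Review bot: the new `**Windows Remote Management**<a name="winrm"></a>` section contains only the placeholder bullet `* F` under `**101**`, which looks like an unfinished entry. Fill it in with the intended link or remove the bullet before merging.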
@ -3417,7 +3551,14 @@
* C# code to use CreateThread to run position independent code in the running process. This code is provided AS IS, and will not be supported.
* [CSharp SetThreadContext](https://github.com/djhohnstein/CSharpSetThreadContext)
* C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
* **Process Injection**
* **MSBuild-related**
* [Another MSBuild Invocation (February 2020 Edition) - Joe Leon(2020)](https://fortynorthsecurity.com/blog/another-msbuild-bypass-february-2020-edition/)
* **MS-SQL-related**
* [Attacking SQL Server CLR Assemblies - Scott Sutherland](https://www.netspi.com/webinars/attacking-sql-server-clr-assemblies-on-demand/)
* During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
* **Process Injection/Shellcode Execution**
* **Articles/Blogposts/Writeups**
* [Shellcode Execution in .NET using MSIL-based JIT Overwrite - Matt Graeber(2013)](http://www.exploit-monday.com/2013/04/MSILbasedShellcodeExec.html)
* **Tools**
* [C# Memory Injection Examples](https://github.com/pwndizzle/c-sharp-memory-injection)
* A set of scripts that demonstrate how to perform memory injection.
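Review bot: the `**MSBuild-related**` and `**MS-SQL-related**` blocks moved here sit directly under their headings with bare link bullets, while the neighbouring `**Process Injection/Shellcode Execution**` section (renamed from `**Process Injection**` in this hunk) uses the `**Articles/Blogposts/Writeups**` / `**Tools**` layering. Consider giving the two moved blocks the same sub-headings so the section reads uniformly; the rename itself matches the new Matt Graeber MSIL entry it introduces.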
@ -3439,9 +3580,10 @@
* [ManagedInjection](https://github.com/malcomvetter/ManagedInjection)
* A proof of concept for injecting a pre-compiled .net assembly in memory at runtime with zero pre-knowledge of its assembly namespace or type. All that is necessary is a convention for the initial method name which will be instantiated, or just have the assembly initialize via its Constructor for a true "zero knowledge" scenario.
* **PS in C#**
* [Executing PowerShell scripts from C# - doc.ms(2014)](https://docs.microsoft.com/en-us/archive/blogs/kebab/executing-powershell-scripts-from-c)
* "In today’s post, I will demonstrate the basics of how to execute PowerShell scripts and code from within a C#/.NET applications. I will walk through how to setup your project prerequisites, populate the pipeline with script code and parameters, perform synchronous and asynchronous execution, capture output, and leverage shared namespaces."
* [Using C# for post-PowerShell attacks - John Bergbom(2018)](https://www.forcepoint.com/blog/x-labs/using-c-post-powershell-attacks)
* **Articles/Blogposts/Writeups**
* [Executing PowerShell scripts from C# - doc.ms(2014)](https://docs.microsoft.com/en-us/archive/blogs/kebab/executing-powershell-scripts-from-c)
* "In today’s post, I will demonstrate the basics of how to execute PowerShell scripts and code from within a C#/.NET applications. I will walk through how to setup your project prerequisites, populate the pipeline with script code and parameters, perform synchronous and asynchronous execution, capture output, and leverage shared namespaces."
* [Using C# for post-PowerShell attacks - John Bergbom(2018)](https://www.forcepoint.com/blog/x-labs/using-c-post-powershell-attacks)
* **Tools**
* [NoPowerShell](https://github.com/bitsadmin/nopowershell)
* NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
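Review bot: `doc.ms(2014)` in the re-added "Executing PowerShell scripts from C#" entry should be `docs.ms` to match every other Microsoft docs entry in the file. Note also that the same docs.microsoft.com URL already appears under `**Custom Runspace**` in the PowerShell-without-PowerShell hunk above, and the NoPowerShell tool entry here (identical description, same GitHub URL) is duplicated there as well; keeping one copy of each and cross-referencing would avoid the drift that duplicates tend to accumulate.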
@ -3453,11 +3595,12 @@
* [CScriptShell](https://github.com/Cn33liz/CScriptShell)
* [Stracciatella](https://github.com/mgeeky/Stracciatella)
* OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, CLM and Script Block Logging disabled at startup
* **MSBuild-related**
* [Another MSBuild Invocation (February 2020 Edition) - Joe Leon(2020)](https://fortynorthsecurity.com/blog/another-msbuild-bypass-february-2020-edition/)
* **MS-SQL-related**
* [Attacking SQL Server CLR Assemblies - Scott Sutherland](https://www.netspi.com/webinars/attacking-sql-server-clr-assemblies-on-demand/)
* During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
* **Reflection**
* [Reflection (C#) - docs.ms](https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/reflection)
* Reflection provides objects (of type Type) that describe assemblies, modules, and types. You can use reflection to dynamically create an instance of a type, bind the type to an existing object, or get the type from an existing object and invoke its methods or access its fields and properties. If you are using attributes in your code, reflection enables you to access them. For more information, see Attributes.
* [How C# Reflection Works With Code Examples - stackify](https://stackify.com/what-is-c-reflection/)
* [Reflection in .NET - keesari_anjaiah(2010)](https://www.codeproject.com/Articles/55710/Reflection-in-NET)
* [What is Reflection in C#? - geeksforgeeks(2019)](https://www.geeksforgeeks.org/what-is-reflection-in-c-sharp/)
* **Resource Embedding**
Single File Executable - https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0#single-file-executables
Assembly Linking - https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0#assembly-linking
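Review bot: the new `**Reflection**` block under the C# section is the only sub-section here without the `**101**` / `**Articles/Blogposts/Writeups**` layering used by its neighbours; the docs.ms entry with its nested description would fit a `**101**` heading and the three tutorial links an `**Articles/Blogposts/Writeups**` heading. Unrelated to this change but adjacent to it: the `**Resource Embedding**` lines below are raw `Title - URL` text rather than markdown list items and could be converted in a follow-up.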
@ -3767,10 +3910,11 @@
* [The PowerSploit Manifesto - @mattifestation(2015)](http://www.exploit-monday.com/2015/12/the-powersploit-manifesto.html)
* [PowerShell is Not Special - An Offensive PowerShell Retrospective - @mattifestation(2017)](http://www.exploit-monday.com/2017/01/powershell-is-not-special-offensive.html)
* **Learning**
* [PowerShell 101 - Carlos Perez](https://www.darkoperator.com/powershellbasics/)
* [Get-Help: An Intro to PowerShell and How to Use it for Evil - Jared Haight](https://www.psattack.com/presentations/get-help-an-intro-to-powershell-and-how-to-use-it-for-evil/)
* [Brosec](https://github.com/gabemarshall/Brosec)
* Brosec is a terminal based reference utility designed to help us infosec bros and broettes with usefuPowershelll (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.
* **Articles/Blogposts/Writeups**
* [PowerShell 101 - Carlos Perez](https://www.darkoperator.com/powershellbasics/)
* [Get-Help: An Intro to PowerShell and How to Use it for Evil - Jared Haight](https://www.psattack.com/presentations/get-help-an-intro-to-powershell-and-how-to-use-it-for-evil/)
* [Brosec](https://github.com/gabemarshall/Brosec)
* Brosec is a terminal based reference utility designed to help us infosec bros and broettes with usefuPowershelll (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.
* **Talks/Presentations/Videos**
* [PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility - Satoshi Tanda(CodeBlueTokyo2017)](https://www.youtube.com/watch?v=EzpJTeFbe8c)
* [Slides](https://www.slideshare.net/codeblue_jp/powershell-inside-out-applied-net-hacking-for-enhanced-visibility-by-satoshi-tanda)
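Review bot: the Brosec description re-added under the new `**Articles/Blogposts/Writeups**` heading still carries the garbled `usefuPowershelll (yet sometimes complex)`, where the word "Powershell" has been pasted into the middle of "useful". Since the line is being touched anyway, fix it to `useful (yet sometimes complex)`.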
@ -3778,6 +3922,8 @@
* This talk will discuss how to gain greater visibility into managed program execution, especially for PowerShell, using a .NET native code hooking technique to help organizations protect themselves from such advanced attacker techniques. In this session, we will demonstrate how to enhance capabilities provided by AMSI and how to overcome its limitations, through a realistic implementation of the technique, all while analyzing the internals of .NET Framework and the PowerShell engine.
* [Defensive Coding Strategies for a High-Security Environment - Matt Graeber - PowerShell Conference EU 2017](https://www.youtube.com/watch?reload=9&v=O1lglnNTM18)
* How sure are you that your PowerShell code is prepared to handle anything that a user might throw at it? What if the user was an attacker attempting to circumvent security controls by exploiting a vulnerability in your script? This may sound unrealistic but this is a legitimate concern of the PowerShell team when including PowerShell code in the operating system. In a high-security environment where strict AppLocker or Device Guard rules are deployed, PowerShell exposes a large attack surface that can be used to circumvent security controls. While constrained language mode goes a long way in preventing malicious PowerShell code from executing, attackers will seek out vulnerabilities in trusted signed code in order to circumvent security controls. This talk will cover numerous different ways in which attackers can influence the execution of your code in unanticipated ways. A thorough discussion of mitigations against such attacks will then follow.
* [APTs LOVE PowerShell and Why You Should Too - Anthony Rose & Jake Krasnov(Defcon28RedTeamVillage)](https://www.youtube.com/watch?v=rLWySkU0U1U&list=PLruly0ngXhPHlQ0ebMbB3XuKVJPq3B0qS&index=33)
* "Quite often, you may have heard people mention, “Why should you bother learning PowerShell, isn’t it dead?” or “Why not just use C#?” Many individuals in the offensive security field have a common misconception that PowerShell is obsolete for red team operations. Meanwhile, it remains one of the primary attack vectors employed by Advanced Persistent Threats (APTs). APTs are known for implementing sophisticated hacking tactics, techniques, and procedures (TTPs) to gain access to a system for an extended period of time. Their actions typically focus on high-value targets, which leave potentially crippling consequences to both nation-states and corporations. It is crucial that Red Teams accurately emulate real-world threats and do not ignore viable attack options. For this talk, we will walk through how many threat actors adapt and employ PowerShell tools. Our discussion begins with examining how script block logging and AMSI are powerful anti-offensive PowerShell measures. However, the implementation of script block logging places a technical burden on organizations to conduct auditing on a substantial amount of data. While AMSI is trivial to bypass for any capable adversary. Finally, we will demonstrate APT-like PowerShell techniques that remain incredibly effective against the latest generation of network defenses.
* **File Parsing**
* [Parsing Binary File Formats with PowerShell - @mattifestation(2013)](http://www.exploit-monday.com/2013/03/ParsingBinaryFileFormatsWithPowerShell.html)
* **Logging**
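Review bot: the description added for "APTs LOVE PowerShell and Why You Should Too" opens with a double quote (`"Quite often, ...`) that is never closed; add the closing `"` after `...the latest generation of network defenses.` so it matches the other quoted abstracts in the file.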
@ -3807,10 +3953,19 @@
* Fileless Extraction of Sensitive Browser Information with PowerShell. This project will include various cmdlets for extracting credential, history, and cookie/session data from the top 3 most popular web browsers (Chrome, Firefox, and IE). The goal is to perform this extraction entirely in-memory, without touching the disk of the victim. Currently Chrome credential and cookie extraction is supported.
* **Execution**
* **Articles/Blogposts/Writeups**
* [Introducing PowerShell into your Arsenal with PS>Attack - Jared Haight](http://www.irongeek.com/i.php?page=videos/derbycon6/119-introducing-powershell-into-your-arsenal-with-psattack-jared-haight)
* [Meterpreter New Windows PowerShell Extension - Carlos Perez(2016)](https://www.darkoperator.com/blog/2016/4/2/meterpreter-new-windows-powershell-extension)
* [Introducing PowerShell into your Arsenal with PS>Attack - Jared Haight(Derbycon206)](http://www.irongeek.com/i.php?page=videos/derbycon6/119-introducing-powershell-into-your-arsenal-with-psattack-jared-haight)
* PS>Attack is a custom tool that was created to make it easier for Penetration Testers to incorporate PowerShell into their bag of tricks. It combines a lot of the best offensive tools from the offensive PowerShell community into a custom, encrypted console that emulates a PowerShell environment. It also includes a custom command, "Get-Attack" to act a search engine for attacks making it easy to find the right attack for any situation. In this presentation we will cover how PowerShell can be used during every part of a penetration test and how PS>Attack can help make the whole process a lot easier.
* **Tools**
* [Invoke-ReflectivePEInjection.ps1](https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1)
* This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process.
* **Add-Type & Reflection**
* **101**
* [Add-Type - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/add-type?view=powershell-7)
* Adds a Microsoft .NET Core class to a PowerShell session.
* [Add-Type - SS64](https://ss64.com/ps/add-type.html)
* [Add-Type vs. [reflection.assembly] in PowerShell - Tim Curwick(2013)](https://web.archive.org/web/20200315070535/http://www.madwithpowershell.com/2013/10/add-type-vs-reflectionassembly-in.html)
* [Using Add-Type in a PowerShell script that is run as a Scheduled Task - Craig Tolley(2016)](https://www.craig-tolley.co.uk/2016/02/09/using-add-type-in-a-powershell-script-that-is-run-as-a-scheduled-task/)
* **Constrained-Language Mode**
* **101**
* [About Language Modes - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7)
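Review bot: `Jared Haight(Derbycon206)` in the re-added PS>Attack entry should be `Derbycon2016` (the URL path is `derbycon6`). Separately, the new `**Add-Type & Reflection**` block (Add-Type docs.ms, Add-Type SS64, Tim Curwick 2013, Craig Tolley 2016) is repeated line for line under `**C# in PS**` later in this same diff; pick one home for those four entries and link to it from the other section.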
@ -3818,7 +3973,6 @@
* [PowerShell Constrained Language Mode - PowerShell Team(2017)](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/)
* [A Comparison of Shell and Scripting Language Security - PowerShell Team](https://devblogs.microsoft.com/powershell/a-comparison-of-shell-and-scripting-language-security/)
* **Articles/Blogposts/Writeups**
* [AppLocker CLM Bypass via COM - MDSec](https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)
* [Detecting and Preventing PowerShell Downgrade Attacks - Lee Holmes(2017)](https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)
* [Simple Bypass for PowerShell Constrained Language Mode - DaveHardy20(2017)](https://pentestn00b.wordpress.com/2017/03/20/simple-bypass-for-powershell-constrained-language-mode/)
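Review bot: this hunk drops the `[AppLocker CLM Bypass via COM - MDSec](https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)` entry and it does not reappear anywhere in the visible diff, while the surrounding CLM bypass write-ups are kept. If this was meant as a move, the destination is missing; if it is an intentional removal, a word in the commit message would help, since the rest of the commit only adds and reorganises entries.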
@ -3826,9 +3980,9 @@
* [Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode - @mattifestation(2017)](http://www.exploit-monday.com/2017/08/exploiting-powershell-code-injection.html)
* [A Look at CVE-2017-8715: Bypassing CVE-2017-0218 using PowerShell Module Manifests - enigma0x3(2017)](https://enigma0x3.net/2017/11/06/a-look-at-cve-2017-8715-bypassing-cve-2017-0218-using-powershell-module-manifests/)
* [Pentesting and .hta (bypass PowerShell Constrained Language Mode) - Josh Graham(2018)](https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997)
* [Bypassing Applocker and Powershell contstrained language mode - DarthSidious](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode)
* [Bypassing Applocker and Powershell constrained language mode - DarthSidious](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode)
* [Powershell CLM Bypass Using Runspaces - Shaksham Jaiswal(2019)](https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/)
* [CLMBypassBlogpost](https://github.com/MinatoTW/CLMBypassBlogpost)
* [Code](https://github.com/MinatoTW/CLMBypassBlogpost)
* **Talks/Presentations/Videos**
* [PowerShell Constrained Language Mode Enforcement and Bypass Deep Dive - Matt Graeber(2020)](https://www.youtube.com/watch?v=O6dtIvDfyuI)
* **Tools**
@ -3840,6 +3994,19 @@
* Bypass for PowerShell Constrained Language Mode
* [powershellveryless](https://github.com/decoder-it/powershellveryless)
* Constrained Language Mode + AMSI bypass all in one(Currently Blocked without modification)
* **C# in PS**
* **Articles/Blogposts/Writeups**
* [Weekend Scripter: Run C# Code from Within PowerShell - Dr Scripto(2013)](https://devblogs.microsoft.com/scripting/weekend-scripter-run-c-code-from-within-powershell/)
* [Using CSharp (C#) code in Powershell scripts - Stefan Gobner(2010)](https://blog.stefan-gossner.com/2010/05/07/using-csharp-c-code-in-powershell-scripts/)
* [PowerShell – .NET Scripting how to ? - audministrator](https://audministrator.wordpress.com/scripting/powershell/powershell-net-scripting-using-howto/)
* [Executing C# code using PowerShell script - Adam Furmanek(2016)](https://blog.adamfurmanek.pl/2016/03/19/executing-c-code-using-powershell-script/)
* [Use .Net Code (C#) and DLLs in Powershell - Hannes Hayashi(2016)](https://activedirectoryfaq.com/2016/01/use-net-code-c-and-dlls-in-powershell/)
* [Powershell: How do you add inline C#? - Dot Jim(2018)](https://dandraka.com/2018/11/12/powershell-how-do-you-add-inline-c/)
* [Add-Type - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/add-type?view=powershell-7)
* Adds a Microsoft .NET Core class to a PowerShell session.
* [Add-Type - SS64](https://ss64.com/ps/add-type.html)
* [Add-Type vs. [reflection.assembly] in PowerShell - Tim Curwick(2013)](https://web.archive.org/web/20200315070535/http://www.madwithpowershell.com/2013/10/add-type-vs-reflectionassembly-in.html)
* [Using Add-Type in a PowerShell script that is run as a Scheduled Task - Craig Tolley(2016)](https://www.craig-tolley.co.uk/2016/02/09/using-add-type-in-a-powershell-script-that-is-run-as-a-scheduled-task/)
* **Download Cradles**
* [Dropping Executables with Powershell - @mattifestation(2011)](http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html)
* **Execution Policy**
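Review bot: the author of "Using CSharp (C#) code in Powershell scripts" is misspelled as `Stefan Gobner`; the URL (`blog.stefan-gossner.com`) shows it should be `Stefan Gossner`. The last five lines of the new `**C# in PS**` block (Add-Type docs.ms with its description, Add-Type SS64, Tim Curwick 2013, Craig Tolley 2016) duplicate the `**Add-Type & Reflection**` block added earlier in this diff under `**Execution**`; keep them in one place only.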
@ -3855,11 +4022,14 @@
* [Deep Reflection - Defining Structs and Enums in PowerShell - @mattifestation(2012)](http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html)
* [Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)](http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html)
* [In-Memory Managed Dll Loading With PowerShell - @mattifestation(2012)](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)
* [Shellcode Execution in .NET using MSIL-based JIT Overwrite - @mattifestation(2013)](http://www.exploit-monday.com/2013/04/MSILbasedShellcodeExec.html)
* [Working with Unmanaged Callback Functions in PowerShell - @mattifestation(2013)](http://www.exploit-monday.com/2013/06/PowerShellCallbackFunctions.html)
* With a little bit of work, you can bind a scriptblock to an unmanaged callback function in PowerShell. The key to accomplishing this is by casting a scriptblock as a non-generic delegate that has the function signature of the desired callback function. Fortunately, creating non-generic delegates is made easy with my Get-DelegateType function.
* [Simple CIL Opcode Execution in PowerShell using the DynamicMethod Class and Delegates - @mattifestation(2013)](http://www.exploit-monday.com/2013/10/powershell-cil-opcode-execution.html)
* It is possible to assemble .NET methods with CIL opcodes (i.e. .NET bytecode) in PowerShell in only a few lines of code using dynamic methods and delegates.
* [PowerShell – Run a .Net Assembly DLL from in Memory - audministrator(2014)](https://audministrator.wordpress.com/2014/09/07/powershell-run-a-net-assembly-dll-from-in-memory/)
* [PowerShell – Run Assembly that is not registered in the GAC - audministrator(2014)](https://audministrator.wordpress.com/2014/09/05/powershell-run-assembly-that-is-not-registered-in-the-gac/)
* [PowerShell load .Net Assembly - PsCustomObject(2019)](https://pscustomobject.github.io/powershell/howto/PowerShell-Add-Assembly/)
* One common technique is loading .Net assemblies in PowerShell script or module to leverage functionalities otherwise not available natively in PowerShell. There are multiple methods we can use to add assemblies to PowerShell which we’re going to explore in the post.
* **Nishang**
* [Nishang](https://github.com/samratashok/nishang)
* Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
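Review bot: `[Shellcode Execution in .NET using MSIL-based JIT Overwrite - @mattifestation(2013)](http://www.exploit-monday.com/2013/04/MSILbasedShellcodeExec.html)` in this PowerShell reflection block is the same URL added under `**Process Injection/Shellcode Execution**` in the C# section earlier in this diff, with only the author string differing ("Matt Graeber" there, "@mattifestation" here). If both placements are deliberate, at least use the same author form in both; otherwise keep the one that fits the .NET section and drop the other.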
@ -3901,13 +4071,37 @@
* [PowerLine](https://github.com/fullmetalcache/powerline)
* [Presentation](https://www.youtube.com/watch?v=HiAtkLa8FOc)
* Running into environments where the use of PowerShell is being monitored or is just flat-out disabled? Have you tried out the fantastic PowerOps framework but are wishing you could use something similar via Meterpreter, Empire, or other C2 channels? Look no further! In this talk, Brian Fehrman talks about his new PowerLine framework. He overviews the tool, walks you through how to use it, shows you how you can add additional PowerShell scripts with little effort, and demonstrates just how powerful (all pun intended) this little program can be!
* **Reflection**
* [Use PowerShell to Work with the .NET Framework Classes - devblogs.ms(2010)](https://devblogs.microsoft.com/scripting/use-powershell-to-work-with-the-net-framework-classes/)
* [PowerShell cmdLet add-type - renenyffenegger.ch](https://renenyffenegger.ch/notes/Windows/PowerShell/command-inventory/noun/type/add/index)
* [How to do .NET Reflection in PowerShell - Roger Lipscombe(2013)](https://blog.differentpla.net/blog/2013/04/17/how-to-do-net-reflection-in-powershell/)
* [Using Powershell and Reflection API to invoke methods from .NET Assemblies - Khai Tran(2013)](https://blog.netspi.com/using-powershell-and-reflection-api-to-invoke-methods-from-net-assemblies/)
* **Reflective DLL Injection**
* [Reflective DLL Injection with PowerShell - clymb3r(2013)](https://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/)
* [Invoke-DllInjection.ps1 - PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
* Injects a Dll into the process ID of your choosing.
* **Reflective PE Injection**
* [Invoke-ReflectivePEInjection.ps1 - PowerSploit](Invoke-ReflectivePEInjection.ps1)
* This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process.
* [Reflective PE Injection In Windows 10 1909 - HUBBL3(2020)](https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/)
* **Running Shellcode**
* [Invoke-Shellcode.ps1 - PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)
* Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
* **Token Manipulation**
* **101**
* [Use PowerShell to Duplicate Process Tokens via P/Invoke - Dr Scripto(2012)](https://devblogs.microsoft.com/scripting/use-powershell-to-duplicate-process-tokens-via-pinvoke/)
* "Summary: Guest blogger, Niklas Goude, shows how to use P/Invoke to duplicate process tokens from LSASS to elevate privileges."
* **Articles/Blogposts/Writeups**
* [PowerShell and Token Impersonation - clymb3r(2013)](https://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/)
* **Tools**
* [Invoke-TokenManipulation.ps1 - clymb3r](https://github.com/clymb3r/PowerShell/tree/master/Invoke-TokenManipulation)
* [Invoke-TokenManipulation.ps1 - PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1)
* **WinAPI Access**
* **Articles/Blogposts/Writeups**
* [Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)](http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html)
* It is possible to invoke Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.
* [List All Win32/Native Functions Declared/Used By PowerShell - @mattifestation(2012)](http://www.exploit-monday.com/2012/12/list-all-win32native-functions.html)
* [Get-PEB – A Tool to Dump the Process Environment Block (PEB) of Any Process - @mattifestation(2013)](http://www.exploit-monday.com/2013/01/Get-PEB.html)
* [PowerShell and Win32 API Access - harmj0y(2014)](http://www.harmj0y.net/blog/powershell/powershell-and-win32-api-access/)
* [Use PowerShell to Interact with the Windows API: Part 1 - devblogs.msdn(2014)](https://devblogs.microsoft.com/scripting/use-powershell-to-interact-with-the-windows-api-part-1/)
* [Part2]()
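Review bot: two links in this hunk have no usable target. `* [Invoke-ReflectivePEInjection.ps1 - PowerSploit](Invoke-ReflectivePEInjection.ps1)` points at a bare relative filename that does not exist in this repo, so the link 404s; give it the full GitHub URL the way the neighbouring `Invoke-DllInjection.ps1` and `Invoke-Shellcode.ps1` entries do. `* [Part2]()` under WinAPI Access has an empty target; either add the URL of the second part of the devblogs series or drop the bullet until it is known.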
@ -3921,10 +4115,10 @@
* [PSReflect](https://github.com/mattifestation/PSReflect)
* Easily define in-memory enums, structs, and Win32 functions in PowerShell
* **Persistence**
* PS Profiles
* [Practical Persistence with PowerShell - Matt Graeber(2013)](http://www.exploit-monday.com/2013/04/PersistenceWithPowerShell.html)
* [Investigating Subversive PowerShell Profiles - @mattifestation(2015)](http://www.exploit-monday.com/2015/11/investigating-subversive-powershell.html)
* [Nothing Lasts Forever: Persistence with Empire - harmj0y(2016)](https://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/)
* [Practical Persistence with PowerShell - Matt Graeber(2013)](http://www.exploit-monday.com/2013/04/PersistenceWithPowerShell.html)
* [Nothing Lasts Forever: Persistence with Empire - harmj0y(2016)](https://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/)
* **PS Profiles**
* [Investigating Subversive PowerShell Profiles - @mattifestation(2015)](http://www.exploit-monday.com/2015/11/investigating-subversive-powershell.html)
* **Credential Attacks**
* **Articles/Blogposts/Writeups**
* [PowerShell and Token Impersonation](https://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/)
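Review bot: the reordered Persistence block now lists `Practical Persistence with PowerShell` and `Nothing Lasts Forever` directly under **Persistence** with no **Articles/Blogposts/Writeups** sub-header, unlike the adjacent Token Manipulation and WinAPI Access sections; add the sub-header so the structure stays consistent. Also, the `PowerShell and Token Impersonation` link kept under **Credential Attacks** is the same clymb3r post now listed under Token Manipulation in the hunk above; keep one copy and cross-reference the other.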
@ -3949,16 +4143,20 @@
* [Inveigh](https://github.com/Kevin-Robertson/Inveigh)
* Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
* **Privilege Escalation**
* [Client Side attacks using Powershell](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)
* [PowerUp](https://github.com/HarmJ0y/PowerUp)
* PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
* [Sherlock](https://github.com/rasta-mouse/Sherlock/blob/master/README.md)
* PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
* [Get-System-Techniques](https://github.com/S3cur3Th1sSh1t/Get-System-Techniques)
* [Client Side attacks using Powershell](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)
* **Tools**
* [PowerUp](https://github.com/HarmJ0y/PowerUp)
* PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
* [Sherlock](https://github.com/rasta-mouse/Sherlock/blob/master/README.md)
* PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
* [Get-System-Techniques](https://github.com/S3cur3Th1sSh1t/Get-System-Techniques)
* **Lateral Movement**
* **DCOM**
* [Invoke-DCOM.ps1](https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1)
* **PS-Remoting**
* [Secrets of PowerShell Remoting - Don Jones, Tobias Weltner(2018)](https://devops-collective-inc.gitbook.io/secrets-of-powershell-remoting/about)
* Introduced in Windows PowerShell 2.0, Remoting is one of PowerShell's most useful, and most important, core technologies. It enables you to run almost any command that exists on a remote computer, opening up a universe of possibilities for bulk and remote administration. Remoting underpins other technologies, including Workflow, Desired State Configuration, certain types of background jobs, and much more. This guide isn't intended to be a complete document of what Remoting is and does, although it does provide a good introduction. Instead, this guide is designed to document all the little configuration details that don't appear to be documented elsewhere.
* **ScheduleTask**
* [Invoke-CommandAs](https://github.com/mkellerman/Invoke-CommandAs)
* Invoke Command as System/User on Local/Remote computer using ScheduleTask.
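Review bot: `* [Client Side attacks using Powershell](...)` is left as a bare bullet directly under **Privilege Escalation** while everything else moves under the new **Tools** sub-header; put it under an **Articles/Blogposts/Writeups** sub-header to match the rest of the file. `* [Get-System-Techniques](...)` still has no one-line description, unlike PowerUp and Sherlock beside it.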
@ -3968,6 +4166,10 @@
* It used to be that most people were just starting to hear about PowerShell. Over the last 3 years, this has changed dramatically. We now see Offensive and Defensive PowerShell tools, exploits specifically leveraging PowerShell and WMI, and more organizations are starting to be intentional for detection and monitoring of PowerShell scripts and commands. With this visibility, it is becoming a game of cat and mouse to leverage and detect PowerShell. In this talk, I will highlight some secrets I use to ensure my PowerShell exploits are successful and some unique tactics which will bypass common defensive controls. I will also walk you through the creation of a custom PowerShell C# DLL which you can use to compromise your target. If you want to code with me, be sure to bring a laptop with Visual Studio 2013 or later installed.
* [Goodbye Obfuscation, Hello Invisi Shell: Hiding Your Powershell Script in Plain Sight - Omer Yair(Derbycon2018)](https://www.youtube.com/watch?v=Y3oMEiySxcc)
* “The very concept of objective truth is fading out of the world. Lies will pass into history.” George Orwell. Objective truth is essential for security. Logs, notifications and saved data must reflect the actual events for security tools, forensic teams and IT managers to perform their job correctly. Powershell is a prime example of the constant cat and mouse game hackers and security personnel play every day to either reveal or hide the “objective truth” of a running script. Powershell’s auto logging, obfuscation techniques, AMSI and more are all participants of the same game playing by the same rules. We don’t like rules, so we broke them. As a result, Babel-Shellfish and Invisi-Shelltwo new tools that both expose and disguise powershell scripts were born. Babel-Shellfish reveals the inner hidden code of any obfuscated script while Invisi-Shell offers a new method of hiding malicious scripts, even from the Powershell process running it. Join us as we present a new way to think about scripts.
* [APTs <3 PowerShell and Why You Should Too - Anthony Rose, Jake Krasnov(DefconSafeMode RTV 2020)](https://raw.githubusercontent.com/BC-SECURITY/DEFCONSafeMode/master/Red%20Team%20Village%20-%20APTs%20Love%20PowerShell%20and%20You%20Should%20Too.pdf)
* **Tools**
* [HiddenPowerShellDll](https://github.com/b4rtik/HiddenPowerShellDll)
* This .Net class library is used to run PowerShell scripts from c #. The bypasses are executed and then the scriptblock that invokes the stager is executed. Using the DllExport package the .Net DLL exports a function that allows it to be executed via rundll32 and this results in a bypass of the default AppLocker rules
* **Constrained-Language Mode**
* See above.
* **Crypters**
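Review bot: the added HiddenPowerShellDll description has typos: `run PowerShell scripts from c #` should read `C#`, and the sentence is missing its closing period. The `* **Constrained-Language Mode**` / `* See above.` pair below it gives the reader nothing to follow; an anchor link to the Constrained Language Mode section would make it usable.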


+ 34
- 6
Draft/RT.md View File

@ -101,6 +101,8 @@
* [Red v Blue Workshop - WOPR Summit - Taylor, Dan, Phil](https://github.com/ahhh/presentations/blob/master/Red%20V%20Blue%20Workshop.pdf)
* **General Informative Information**<a name="gii"></a>
* **Articles/Blogposts/Writeups**
* [Offensive Tool Design and the Weaponization Dilemma - Matt Graeber(2015)](http://www.exploit-monday.com/2015/12/offensive-tool-design-and-weaponization.html)
* [The PowerSploit Manifesto - Matt Graeber(2015)](http://www.exploit-monday.com/2015/12/the-powersploit-manifesto.html)
* [Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
* How major vulnerabilities/large amounts of publicly vulnerable systems can exist without public recognition for long periods of time. (i.e. CVEs(10.0) exist, but no mapping in nessus/metasploit/etc)
* [Red Teaming and the Adversarial Mindset: Have a Plan, Backup Plan and Escape Plan - ITS](https://www.itstactical.com/digicom/security/red-teaming-and-the-adversarial-mindset-have-a-plan-backup-plan-and-escape-plan/)
@ -382,8 +384,6 @@
--------------------------------------------------------
### <a name="cobaltstrike"></a>Cobalt Strike
* **101**<a name="cs101"></a>
@ -412,6 +412,10 @@
* [The Return of Aggressor - RastaMouse](https://rastamouse.me/2019/06/the-return-of-aggressor/)
* I’ve previously blogged about how to combine MSBuild and TikiSpawn to execute a Cobalt Strike agent, circumventing AppLocker and Defender on Windows 10 1903. Inspired by Forty North’s Aggressor implemention I thought it would be fun to knock something similar up to leverage TikiSpawn for lateral movement via MSBuild and WMI, and this will hopefully mark the beginning of more Aggressor for common/popular TikiTorch use cases.
* [Code](https://github.com/rasta-mouse/TikiTorch/tree/master/Aggressor)
* [RemoteProcessInjection](https://github.com/Mr-Un1k0d3r/RemoteProcessInjection)
* C# remote process injection utility for Cobalt Strike. The idea is to perform process injection without spawning Powershell and also use a custom obfuscated shellcode payload.
* [SharpCompile](https://github.com/SpiderLabs/SharpCompile)
* SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon's 'execute-assembly' in seconds.
* **Beacon**<a name="csbeacon"></a>
* **101**
* [Beacon Object Files - cs.com](https://www.cobaltstrike.com/help-beacon-object-files)
@ -636,6 +640,9 @@
* **ARP**
* [Zarp](https://github.com/hatRiot/zarp)
* Zarp is a network attack tool centered around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications.
* **BITS**
* [LOLBITS](https://github.com/Kudaes/LOLBITS)
* LOLBITS is a C# reverse shell that uses Microsoft's Background Intelligent Transfer Service (BITS) to communicate with the Command and Control backend. The Command and Control backend is hidden behind an apparently harmless flask web application and it's only accesible when the HTTP requests received by the app contain a valid authentication header.
* **Browser**
* [Browser-C2](https://github.com/0x09AL/Browser-C2)
* Post Exploitation agent which uses a browser to do C2 operations.
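Review bot: the added LOLBITS description misspells `accesible` (should be `accessible`). Otherwise the new **BITS** heading fits the alphabetical order of the surrounding C2 channel headings (ARP, BITS, Browser).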
@ -808,6 +815,8 @@
* A guide to setting up domain fronting, and exploring additional quirks that StackPath can provide.
* [Hardening Your Azure Domain Front - Steve Borosh](https://medium.com/@rvrsh3ll/hardening-your-azure-domain-front-7423b5ab4f64)
* **Talks & Videos**
* [Domain Fronting is Dead, Long Live Domain Fronting Using TLS 1.3 - Erik Hunstad(DEF CON Safe Mode)](https://www.youtube.com/watch?v=TDg092qe50g&list=PL9fPq3eQfaaBk9DFnyJRpxPi8Lz1n7cFv&index=7)
* Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection was killed by major cloud providers in April of 2018. However, with the arrival of TLS 1.3, new technologies enable a new kind of domain fronting. This time, network monitoring and internet censorship tools are able to be fooled on multiple levels. This talk will give an overview of what domain fronting is, how it used to work, how TLS 1.3 enables a new form of domain fronting, and what it looks like to network monitoring. You can circumvent censorship and monitoring today without modifying your tools using an open source TCP and UDP pluggable transport tool that will be released alongside this talk.
* **Tools**
* **Finding Vulnerable Domains**
* [DomainFrontDiscover](https://github.com/peewpw/DomainFrontDiscover)
@ -936,11 +945,12 @@
* firstorder is designed to evade Empire's C2-Agent communication from anomaly-based intrusion detection systems. It takes a traffic capture file (pcap) of the network and tries to identify normal traffic profile. According to results, it creates an Empire HTTP listener with appropriate options.
* [e2modrewrite](https://github.com/infosecn1nja/e2modrewrite)
* Convert Empire profiles to Apache mod_rewrite scripts
* [PrintDemon](https://github.com/BC-SECURITY/Invoke-PrintDemon)
* This is an PowerShell Empire launcher PoC using PrintDemon and Faxhell. The module has the Faxhell dll already embedded which levages CVE-2020-1048 for privilege escalation. The vulnerability allows an unprivileged user to gain system-level privileges and is based on @ionescu007 PoC.
* **Multi-User GUI**
* [StarKiller](https://github.com/BC-SECURITY/Starkiller)
* Starkiller is a Frontend for Powershell Empire. It is an Electron application written in VueJS.
* [An Introduction to Starkiller - CX01N](https://www.bc-security.org/post/an-introduction-to-starkiller)
* [PrintDemon](https://github.com/BC-SECURITY/Invoke-PrintDemon)
* This is an PowerShell Empire launcher PoC using PrintDemon and Faxhell. The module has the Faxhell dll already embedded which levages CVE-2020-1048 for privilege escalation. The vulnerability allows an unprivileged user to gain system-level privileges and is based on @ionescu007 PoC.
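Review bot: moving the PrintDemon entry below the StarKiller lines places it at the same indentation as StarKiller, i.e. under **Multi-User GUI**, but it is an Empire launcher PoC, not a GUI; keep it at the level of `e2modrewrite` or give it its own sub-header. The moved description also carries `This is an PowerShell Empire launcher` (should be `a PowerShell`) and `levages` (should be `leverages`).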
@ -1291,6 +1301,19 @@
* This repo contains samples that demonstrate the API used in Windows classic desktop applications.
* [WinPwnage](https://github.com/rootm0s/WinPwnage)
* The meaning of this repo is to study the techniques. Techniques are found online, on different blogs and repos here on GitHub. I do not take credit for any of the findings, thanks to all the researchers.
* **Language Specific Stuff**
* **.NET/C#**
* See [CSharp Stuff]() in PrivescPostEx
* [Changeling - A Feature Morphing Creature - Adam Brown](https://coffeegist.com/security/changeling-a-feature-morphing-creature/)
* This post will be the first post in a continuing series that aims to add new methods to your arsenal, allowing you to build more payloads with less effort on your own assessments. The feature that we’ll be taking a look at today is Embedded Resources in C# projects. This is a feature that will allow us to compile code once, and reuse it on multiple assessments
* **Go**
* **Articles/Blogposts/Writeups**
* **Talks/Presentations/Videos**
* [(P|G)Ohst Exploitation - Carl Vincent](https://archive.org/details/P-G_Ohst_Exploitation)
* This talk focuses on showcasing examples of the GO programming language being utilized to rapidly prototype, and ultimately maintain software designed to perform common or useful post-exploitation tasks. Source code for each feature will be provided, and is intended to exaggerate the limited amount of code and code familiarity required to construct relatively complex payloads capable of performing offensive security tasks fully either in an automated, or fully antonymous context.
* **Libraries**
* [OffensiveGoLang](https://github.com/bluesentinelsec/OffensiveGoLang)
* Offensive GoLang is is a collection of Go packages containing commonly used cyber adversary emulation functions. Offensive GoLang accomplishes nothing by itself; rather, it is intended to support rapid red team tool development by providing common functions in a modular format.
* **Delivery & Staging**<a name="pds"></a>
* **Articles/Blogposts/Writeups**
* [Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
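Review bot: `* See [CSharp Stuff]() in PrivescPostEx` has an empty link target; it should point at the CSharp section of Draft/PrivescPostEx.md with its anchor, or be written as plain text until that anchor exists. The new **Go** block adds an empty `**Articles/Blogposts/Writeups**` sub-header with no entries; drop it or fill it. The OffensiveGoLang description also doubles a word: `Offensive GoLang is is a collection`.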
@ -1474,8 +1497,10 @@
--------------
### <a name="simtools"></a> Simulation Tools
### <a name="simtools"></a> Adversary Simulation Stuff
* **Articles/Blogposts/Writeups**<a name="sta"></a>
* [Offensive Tool Design and the Weaponization Dilemma - Matt Graeber(2015)](http://www.exploit-monday.com/2015/12/offensive-tool-design-and-weaponization.html)
* [The PowerSploit Manifesto - Matt Graeber(2015)](http://www.exploit-monday.com/2015/12/the-powersploit-manifesto.html)
* [Invoke-Adversary – Simulating Adversary Operations - Moti Bani](https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/)
* [Advanced Threat Analytics Attack Simulation Playbook - Microsoft](https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc)
* **Talks/Presentations/Videos**<a name="stpv"></a>
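Review bot: the two Matt Graeber links added here (`Offensive Tool Design and the Weaponization Dilemma`, `The PowerSploit Manifesto`) are the same two links this commit also adds under **General Informative Information** near the top of Draft/RT.md; one location is enough, or cross-reference the other. The heading rename keeps the `simtools` anchor name, so existing links to it keep working; confirm the index entry text was updated to the new title.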
@ -1483,6 +1508,7 @@
* The security marketplace is saturated with product claims of detection coverage that have been almost impossible to evaluate, all while intrusions continue to make headlines. To help organizations better understand the detection provided by a commercial or open-source technology platform, a framework is necessary to measure depth and breadth of coverage. This presentation builds on the MITRE ATT&CK framework by explaining how to measure the coverage and quality of ATT&CK, while demonstrating open-source Red Team tools and automation that generate artifacts of post-exploitation.
* [Automated Adversary Emulation - David Hunt(BSidesCharm2019)](https://www.youtube.com/watch?v=gTGnHXgqZCo)
* CALDERA is an open-source application designed to automate adversary emulation. With CALDERA, blue teams can create adversary profiles based on ATT&CK, unleashing them on their networks to test their vulnerability to specific techniques. Learn how to use and configure CALDERA to run a variety of tests, ranging from small scoped and heavily scripted, to AI-driven fully automated operations.
* [RedSourcing: Cyber War Tool Development Outsourcing - Christopher Glyer, Nick Carr(Cyber June'gle Virtual Summit 2020)](https://www.youtube.com/watch?v=tA37b7kOBy8&list=PLruly0ngXhPGvyl-gOp4d_TvIiedloX1l&index=8)
* **Adversary Simulation Tools**<a name="sast"></a>
* **Self-Contained**
* [Caldera](https://github.com/mitre/caldera)
@ -1504,6 +1530,8 @@
* PurpleSpray is an adversary simulation tool that executes password spray behavior under different scenarios and conditions with the purpose of generating attack telemetry in properly monitored Windows enterprise environments. Blue teams can leverage PurpleSpray to identify gaps in visibility as well as test the resilience, improve existing and build new detection analytics for password spraying attacks.
* [Leonidas](https://github.com/FSecureLABS/leonidas)
* This is the repository containing Leonidas, a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties.
* [0xsp-Mongoose](https://github.com/lawrenceamer/0xsp-Mongoose)
* A unique framework for cybersecurity simulation and red teaming operations, windows auditing for newer vulnerabilities, misconfigurations and privilege escalations attacks, replicate the tactics and techniques of an advanced adversary in a network.
* **Tooling Automation**
* [AutoTTP](https://github.com/jymcheong/AutoTTP)
* Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers & so on can be tedious. I toyed with the idea of making it easier to script Empire (or any frameworks/products/toolkits that provide APIs like Metasploit (RPC), Cobalt-Strike & so on) using IDE like Visual Studio Code (or equivalent). So I started to design AutoTTP. This is still very much work in progress. Test with Empire 2.2.
@ -1522,9 +1550,9 @@
-----------------------
### <a name="unusual"></a> Pen Testing Specific Stuff(that doesn't fit in PrivEsc/PostEx or Network_Attacks)
* Yes, I know how large the market share of SAP is. Thank you for the heads up.
* **AIX<a name="aix"></a>
* **General**
* [AIX for Penetration Testers 2017 thevivi.net](https://thevivi.net/2017/03/19/aix-for-penetration-testers/)
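Review bot: `* **AIX<a name="aix"></a>` opens bold markup that is never closed, so the heading renders as literal asterisks; write it as `* **AIX**<a name="aix"></a>` like the other anchored headings in this file (e.g. `* **General Informative Information**<a name="gii"></a>`).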


+ 10
- 4
README.md View File

@ -17,10 +17,12 @@ An Information Security Reference That Doesn't Suck
* I do this as a resource to learn and help others, and offer it publicly as a way of giving back to the general community.
* To be clear, these aren't personal notes. I keep this repo maintained as a way of having pointers to information that I feel might help build someone's skillset or increase their understanding of attacks/methods/defenses. This is not meant to condone illegal or malicious activities.
* **This page**
* This page isn't ~~terrible~~ the best on mobile. Use [https://rmusser.net/docs](https://rmusser.net/docs)t for better mobile formatting.
* To see a horribly colored, but nicely formatted version(irony): use [https://rmusser.net/docs](https://rmusser.net/docs), plus it looks better on mobile.
* For latest content updates, check the git history.
* Contributions are encouraged/appreciated.
* If this resource has helped you in any way, please consider making a donation to [Doctors Without Borders](https://donate.doctorswithoutborders.org/onetime.cfm) or [Amnesty International](https://www.amnesty.org/en/donate/).
* Could you spare a contribution? Any links or re-org is nice.
* If this resource has helped you in any way(and didn't increase your frustration), please consider making a donation to:
* [Doctors Without Borders](https://donate.doctorswithoutborders.org/onetime.cfm)
* [Amnesty International](https://www.amnesty.org/en/donate/).
## Index - Table of Contents
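Review bot: the added `* Could you spare a contribution? Any links or re-org is nice.` restates the unchanged `* Contributions are encouraged/appreciated.` directly above it; merge the two into one bullet. In the added donation list, the closing period sits inside the last bullet after the link (`[Amnesty International](...).`), which the Doctors Without Borders bullet does not have; make the two consistent. Replacing the line with the stray `t` after the rmusser.net link is a good fix.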
@ -57,7 +59,7 @@ An Information Security Reference That Doesn't Suck
* [:warning:Network Attacks & Defense:warning:](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Network_Attacks.md)
* [:triangular\_flag\_on\_post:Network Security Monitoring & Logging:triangular\_flag\_on\_post:](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/L-SM-TH.md)
* [:telescope:Open Source Intelligence Gathering - OSINT:telescope:](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/OSI.md)
* [Passwords](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/passwords.md)
* [Passwords](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Passwords.md)
* [:fishing\_pole\_and\_fish:Phishing:fishing\_pole\_and\_fish:](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Phishing.md)
* [:door:Physical Security:door:](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Physical_Security.md)
* [Privilege Escalation and Post-Exploitation](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/PrivescPostEx.md)
@ -77,4 +79,8 @@ An Information Security Reference That Doesn't Suck
* [Insurance Data Security Model Law](http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_mod_draft_clean.pdf)
* [NIST Cyber Security Framework](https://www.nist.gov/cyberframework)
* [PCI-DSS V3.2.1](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf)
```
"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."
- Commissioner Pravin Lal, Peacekeeping Forces (Alpha Centauri, 1999)
```
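Review bot: the added quotation is wrapped in a ``` code fence, which renders the long sentence as unwrapped monospace text and makes it look like code; use a `>` blockquote for the quote and its attribution line instead, since that is the Markdown construct for quoted text.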
