- Pentesting Cheatsheets
- Active Directory & Kerberos Abuse
- From Domain Admin to Enterprise Admin
- Kerberoasting
- Kerberos: Golden Tickets
- Kerberos: Silver Tickets
- AS-REP Roasting
- Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
- Kerberos Unconstrained Delegation
- Kerberos Constrained Delegation
- Kerberos Resource-based Constrained Delegation: Computer Object Takeover
- Domain Compromise via DC Print Server and Kerberos Delegation
- DCShadow - Becoming a Rogue Domain Controller
- DCSync: Dump Password Hashes from Domain Controller
- PowerView: Active Directory Enumeration
- Abusing Active Directory ACLs/ACEs
- Privileged Accounts and Token Privileges
- From DnsAdmins to SYSTEM to Domain Compromise
- Pass the Hash with Machine$ Accounts
- BloodHound with Kali Linux: 101
- Backdooring AdminSDHolder for Persistence
- Active Directory Enumeration with AD Module without RSAT or Admin Privileges
- Enumerating AD Object Permissions with dsacls
- Active Directory Password Spraying
- Active Directory Lab with Hyper-V and PowerShell
- ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
- From Misconfigured Certificate Template to Domain Admin
- Shadow Credentials
- Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain
- Red Team Infrastructure
- Initial Access
- Password Spraying Outlook Web Access: Remote Shell
- Phishing with MS Office
- Phishing: XLM / Macro 4.0
- T1173: Phishing - DDE
- T1137: Phishing - Office Macros
- Phishing: OLE + LNK
- Phishing: Embedded Internet Explorer
- Phishing: .SLK Excel
- Phishing: Replacing Embedded Video with Bogus Payload
- Inject Macros from a Remote Dotm Template
- Bypassing Parent Child / Ancestry Detections
- Phishing: Embedded HTML Forms
- Phishing with GoPhish and DigitalOcean
- Forced Authentication
- NetNTLMv2 hash stealing using Outlook
- Code Execution
- regsvr32
- MSHTA
- Control Panel Item
- Executing Code as a Control Panel Item through an Exported Cplapplet Function
- Code Execution through Control Panel Add-ins
- CMSTP
- InstallUtil
- Using MSBuild to Execute Shellcode in C#
- Forfiles Indirect Command Execution
- Application Whitelisting Bypass with WMIC and XSL
- Powershell Without Powershell.exe
- Powershell Constrained Language Mode Bypass
- Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
- pubprn.vbs Signed Script Code Execution
- Code & Process Injection
- CreateRemoteThread Shellcode Injection
- DLL Injection
- Reflective DLL Injection
- Shellcode Reflective DLL Injection
- Process Doppelganging
- Loading and Executing Shellcode From PE Resources
- Process Hollowing and Portable Executable Relocations
- APC Queue Code Injection
- Early Bird APC Queue Code Injection
- Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
- Shellcode Execution through Fibers
- Shellcode Execution via CreateThreadpoolWait
- Local Shellcode Execution without Windows APIs
- Injecting to Remote Process via Thread Hijacking
- SetWindowHookEx Code Injection
- Finding Kernel32 Base and Function Addresses in Shellcode
- Executing Shellcode with Inline Assembly in C/C++
- Writing Custom Shellcode Encoders and Decoders
- Backdooring PE Files with Shellcode
- NtCreateSection + NtMapViewOfSection Code Injection
- AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
- Module Stomping for Shellcode Injection
- PE Injection: Executing PEs inside Remote Processes
- API Monitoring and Hooking for Offensive Tooling
- Windows API Hooking
- Import Adress Table (IAT) Hooking
- DLL Injection via a Custom .NET Garbage Collector
- Writing and Compiling Shellcode in C
- Injecting .NET Assembly to an Unmanaged Process
- Binary Exploitation
- Defense Evasion
- AV Bypass with Metasploit Templates and Custom Binaries
- Evading Windows Defender with 1 Byte Change
- Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
- Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
- Windows API Hashing in Malware
- Detecting Hooked Syscalls
- Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
- Retrieving ntdll Syscall Stubs from Disk at Run-time
- Full DLL Unhooking with C++
- Enumerating RWX Protected Memory Regions for Code Injection
- Disabling Windows Event Logs by Suspending EventLog Service Threads
- Obfuscated Powershell Invocations
- Masquerading Processes in Userland via _PEB
- Commandline Obfusaction
- File Smuggling with HTML and JavaScript
- Timestomping
- Alternate Data Streams
- Hidden Files
- Encode/Decode Data with Certutil
- Downloading Files with Certutil
- Packed Binaries
- Unloading Sysmon Driver
- Bypassing IDS Signatures with Simple Reverse Shells
- Preventing 3rd Party DLLs from Injecting into your Malware
- ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
- Parent Process ID (PPID) Spoofing
- Executing C# Assemblies from Jscript and wscript with DotNetToJscript
- Enumeration and Discovery
- Windows Event IDs and Others for Situational Awareness
- Enumerating COM Objects and their Methods
- Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
- Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
- Dump GAL from OWA
- Application Window Discovery
- Account Discovery & Enumeration
- Using COM to Enumerate Hostname, Username, Domain, Network Drives
- Detecting Sysmon on the Victim Host
- Privilege Escalation
- Credential Access & Dumping
- Dumping Credentials from Lsass Process Memory with Mimikatz
- Dumping Lsass Without Mimikatz
- Dumping Lsass without Mimikatz with MiniDumpWriteDump
- Dumping Hashes from SAM via Registry
- Dumping SAM via esentutl.exe
- Dumping LSA Secrets
- Dumping and Cracking mscash - Cached Domain Credentials
- Dumping Domain Controller Hashes Locally and Remotely
- Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy
- Network vs Interactive Logons
- Reading DPAPI Encrypted Secrets with Mimikatz and C++
- Credentials in Registry
- Password Filter
- Forcing WDigest to Store Credentials in Plaintext
- Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass
- Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages
- Pulling Web Application Passwords by Hooking HTML Input Fields
- Intercepting Logon Credentials by Hooking msv1_0!SpAcceptCredentials
- Credentials Collection via CredUIPromptForCredentials
- Lateral Movement
- WinRM for Lateral Movement
- WinRS for Lateral Movement
- WMI for Lateral Movement
- RDP Hijacking for Lateral Movement with tscon
- Shared Webroot
- Lateral Movement via DCOM
- WMI + MSI Lateral Movement
- Lateral Movement via Service Configuration Manager
- Lateral Movement via SMB Relaying
- WMI + NewScheduledTaskAction Lateral Movement
- WMI + PowerShell Desired State Configuration Lateral Movement
- Simple TCP Relaying with NetCat
- Empire Shells with NetNLTMv2 Relaying
- Lateral Movement with Psexec
- From Beacon to Interactive RDP Session
- SSH Tunnelling / Port Forwarding
- Lateral Movement via WMI Event Subscription
- Lateral Movement via DLL Hijacking
- Lateral Movement over headless RDP with SharpRDP
- Man-in-the-Browser via Chrome Extension
- ShadowMove: Lateral Movement by Duplicating Existing Sockets
- Persistence
- DLL Proxying for Persistence
- Schtask
- Service Execution
- Sticky Keys
- Create Account
- AddMonitor()
- NetSh Helper DLL
- Abusing Windows Managent Instrumentation
- Windows Logon Helper
- Hijacking Default File Extension
- Persisting in svchost.exe with a Service DLL
- Modifying .lnk Shortcuts
- Screensaver Hijack
- Application Shimming
- BITS Jobs
- COM Hijacking
- SIP & Trust Provider Hijacking
- Hijacking Time Providers
- Installing Root Certificate
- Powershell Profile Persistence
- RID Hijacking
- Word Library Add-Ins
- Office Templates
- Exfiltration
- Internals
- Configuring Kernel Debugging Environment with kdnet and WinDBG Preview
- Compiling a Simple Kernel Driver, DbgPrint, DbgView
- Loading Windows Kernel Driver for Debugging
- Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
- Listing Open Handles and Finding Kernel Object Addresses
- Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
- Windows Kernel Drivers 101
- Windows x64 Calling Convention: Stack Frame
- Linux x64 Calling Convention: Stack Frame
- System Service Descriptor Table - SSDT
- Interrupt Descriptor Table - IDT
- Token Abuse for Privilege Escalation in Kernel
- Manipulating ActiveProcessLinks to Hide Processes in Userland
- ETW: Event Tracing for Windows 101
- Exploring Injected Threads
- Parsing PE File Headers with C++
- Instrumenting Windows APIs with Frida
- Exploring Process Environment Block
- Writing a Custom Bootloader
- Cloud
- Neo4j
- Dump Virtual Box Memory
- AES Encryption Using Crypto++ .lib in Visual Studio C++
- Reversing Password Checking Routine