SUMMARY.md

Table of contents

• What is ired.team?

Pinned

• Pentesting Cheatsheets
  • SQL Injection & XSS Playground
• Active Directory & Kerberos Abuse
  • From Domain Admin to Enterprise Admin
  • Kerberoasting
  • Kerberos: Golden Tickets
  • Kerberos: Silver Tickets
  • AS-REP Roasting
  • Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
  • Kerberos Unconstrained Delegation
  • Kerberos Constrained Delegation
  • Kerberos Resource-based Constrained Delegation: Computer Object Take Over
  • Domain Compromise via DC Print Server and Kerberos Delegation
  • DCShadow - Becoming a Rogue Domain Controller
  • DCSync: Dump Password Hashes from Domain Controller
  • PowerView: Active Directory Enumeration
  • Abusing Active Directory ACLs/ACEs
  • Privileged Accounts and Token Privileges
  • From DnsAdmins to SYSTEM to Domain Compromise
  • Pass the Hash with Machine$ Accounts
  • BloodHound with Kali Linux: 101
  • Backdooring AdminSDHolder for Persistence
  • Active Directory Enumeration with AD Module without RSAT or Admin Privileges
  • Enumerating AD Object Permissions with dsacls
  • Active Directory Password Spraying
  • Active Directory Lab with Hyper-V and PowerShell

offensive security

• Red Team Infrastructure
  • HTTP Forwarders / Relays
  • SMTP Forwarders / Relays
  • Phishing with Modlishka Reverse HTTP Proxy
  • Automating Red Team Infrastructure with Terraform
  • Cobalt Strike 101
  • Powershell Empire 101
  • Spiderfoot 101 with Kali using Docker
• Initial Access
  • Password Spraying Outlook Web Access: Remote Shell
  • Phishing with MS Office
    • Phishing: XLM / Macro 4.0
    • T1173: Phishing - DDE
    • T1137: Phishing - Office Macros
    • Phishing: OLE + LNK
    • Phishing: Embedded Internet Explorer
    • Phishing: .SLK Excel
    • Phishing: Replacing Embedded Video with Bogus Payload
    • Inject Macros from a Remote Dotm Template
    • Bypassing Parent Child / Ancestry Detections
    • Phishing: Embedded HTML Forms
  • Phishing with GoPhish and DigitalOcean
  • Forced Authentication
  • NetNTLMv2 hash stealing using Outlook
• Code Execution
  • regsvr32
  • MSHTA
  • Control Panel Item
  • Executing Code as a Control Panel Item through an Exported Cplapplet Function
  • Code Execution through Control Panel Add-ins
  • CMSTP
  • InstallUtil
  • Using MSBuild to Execute Shellcode in C#
  • Forfiles Indirect Command Execution
  • Application Whitelisting Bypass with WMIC and XSL
  • Powershell Without Powershell.exe
  • Powershell Constrained Language Mode ByPass
  • Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
  • pubprn.vbs Signed Script Code Execution
  • Binary Exploitation
    • 32-bit Stack-based Buffer Overflow
    • 64-bit Stack-based Buffer Overflow
    • Return-to-libc
    • ROP Chaining: Return Oriented Programming
• Code & Process Injection
  • CreateRemoteThread Shellcode Injection
  • DLL Injection
  • Reflective DLL Injection
  • Shellcode Reflective DLL Injection
  • Process Doppelganging
  • Loading and Executing Shellcode From PE Resources
  • Process Hollowing and Portable Executable Relocations
  • APC Queue Code Injection
  • Early Bird APC Queue Code Injection
  • Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
  • Shellcode Execution through Fibers
  • Shellcode Execution via CreateThreadpoolWait
  • Local Shellcode Execution without Windows APIs
  • Injecting to Remote Process via Thread Hijacking
  • SetWindowHookEx Code Injection
  • Finding Kernel32 Base and Function Addresses in Shellcode
  • Executing Shellcode with Inline Assembly in C/C++
  • Writing Custom Shellcode Encoders and Decoders
  • Backdooring PE Files with Shellcode
  • NtCreateSection + NtMapViewOfSection Code Injection
  • AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
  • Module Stomping for Shellcode Injection
  • PE Injection: Executing PEs inside Remote Processes
  • API Monitoring and Hooking for Offensive Tooling
  • Windows API Hooking
  • Import Adress Table (IAT) Hooking
  • DLL Injection via a Custom .NET Garbage Collector
  • Writing and Compiling Shellcode in C
  • Injecting .NET Assembly to an Unmanaged Process
• Defense Evasion
  • AV Bypass with Metasploit Templates and Custom Binaries
  • Evading Windows Defender with 1 Byte Change
  • Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
  • Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
  • Windows API Hashing in Malware
  • Detecting Hooked Syscalls
  • Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
  • Retrieving ntdll Syscall Stubs from Disk at Run-time
  • Full DLL Unhooking with C++
  • Enumerating RWX Protected Memory Regions for Code Injection
  • Disabling Windows Event Logs by Suspending EventLog Service Threads
  • Obfuscated Powershell Invocations
  • Masquerading Processes in Userland via _PEB
  • Commandline Obfusaction
  • File Smuggling with HTML and JavaScript
  • Timestomping
  • Alternate Data Streams
  • Hidden Files
  • Encode/Decode Data with Certutil
  • Downloading Files with Certutil
  • Packed Binaries
  • Unloading Sysmon Driver
  • Bypassing IDS Signatures with Simple Reverse Shells
  • Preventing 3rd Party DLLs from Injecting into your Malware
  • ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
  • Parent Process ID (PPID) Spoofing
  • Executing C# Assemblies from Jscript and wscript with DotNetToJscript
• Enumeration and Discovery
  • Windows Event IDs and Others for Situational Awareness
  • Enumerating COM Objects and their Methods
  • Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
  • Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
  • Dump GAL from OWA
  • Application Window Discovery
  • Account Discovery & Enumeration
  • Using COM to Enumerate Hostname, Username, Domain, Network Drives
  • Detecting Sysmon on the Victim Host
• Privilege Escalation
  • Primary Access Token Manipulation
  • Windows NamedPipes 101 + Privilege Escalation
  • DLL Hijacking
  • WebShells
  • Image File Execution Options Injection
  • Unquoted Service Paths
  • Pass The Hash: Privilege Escalation with Invoke-WMIExec
  • Environment Variable $Path Interception
  • Weak Service Permissions
• Credential Access & Dumping
  • Dumping Credentials from Lsass Process Memory with Mimikatz
  • Dumping Lsass Without Mimikatz
  • Dumping Lsass without Mimikatz with MiniDumpWriteDump
  • Dumping Hashes from SAM via Registry
  • Dumping SAM via esentutl.exe
  • Dumping LSA Secrets
  • Dumping and Cracking mscash - Cached Domain Credentials
  • Dumping Domain Controller Hashes Locally and Remotely
  • Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy
  • Network vs Interactive Logons
  • Reading DPAPI Encrypted Secrets with Mimikatz and C++
  • Credentials in Registry
  • Password Filter
  • Forcing WDigest to Store Credentials in Plaintext
  • Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass
  • Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages
  • Pulling Web Application Passwords by Hooking HTML Input Fields
  • Intercepting Logon Credentials by Hooking msv1_0!SpAcceptCredentials
  • Credentials Collection via CredUIPromptForCredentials
• Lateral Movement
  • WinRM for Lateral Movement
  • WinRS for Lateral Movement
  • WMI for Lateral Movement
  • RDP Hijacking for Lateral Movement with tscon
  • Shared Webroot
  • Lateral Movement via DCOM
  • WMI + MSI Lateral Movement
  • Lateral Movement via Service Configuration Manager
  • Lateral Movement via SMB Relaying
  • WMI + NewScheduledTaskAction Lateral Movement
  • WMI + PowerShell Desired State Configuration Lateral Movement
  • Simple TCP Relaying with NetCat
  • Empire Shells with NetNLTMv2 Relaying
  • Lateral Movement with Psexec
  • From Beacon to Interactive RDP Session
  • SSH Tunnelling / Port Forwarding
  • Lateral Movement via WMI Event Subscription
  • Lateral Movement via DLL Hijacking
  • Lateral Movement over headless RDP with SharpRDP
  • ShadowMove: Lateral Movement by Duplicating Existing Sockets
• Persistence
  • DLL Proxying for Persistence
  • Schtask
  • Service Execution
  • Sticky Keys
  • Create Account
  • AddMonitor()
  • NetSh Helper DLL
  • Abusing Windows Managent Instrumentation
    • WMI as a Data Storage
  • Windows Logon Helper
  • Hijacking Default File Extension
  • Persisting in svchost.exe with a Service DLL
  • Modifying .lnk Shortcuts
  • Screensaver Hijack
  • Application Shimming
  • BITS Jobs
  • COM Hijacking
  • SIP & Trust Provider Hijacking
  • Hijacking Time Providers
  • Installing Root Certificate
  • Powershell Profile Persistence
  • RID Hijacking
  • Word Library Add-Ins
  • Office Templates
• Exfiltration
  • Powershell Payload Delivery via DNS using Invoke-PowerCloud

reversing, forensics & misc

• Internals
  • Configuring Kernel Debugging Environment with kdnet and WinDBG Preview
  • Compiling a Simple Kernel Driver, DbgPrint, DbgView
  • Loading Windows Kernel Driver for Debugging
  • Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
  • Listing Open Handles and Finding Kernel Object Addresses
  • Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
  • Windows Kernel Drivers 101
  • Windows x64 Calling Convention: Stack Frame
  • Linux x64 Calling Convention: Stack Frame
  • System Service Descriptor Table - SSDT
  • Interrupt Descriptor Table - IDT
  • Token Abuse for Privilege Escalation in Kernel
  • Manipulating ActiveProcessLinks to Hide Processes in Userland
  • ETW: Event Tracing for Windows 101
  • Exploring Injected Threads
  • Parsing PE File Headers with C++
  • Instrumenting Windows APIs with Frida
  • Exploring Process Environment Block
  • Writing a Custom Bootloader
• Cloud
  • AWS Accounts, Users, Groups, Roles, Policies
• Neo4j
• Dump Virtual Box Memory
• AES Encryption Using Crypto++ .lib in Visual Studio C++
• Reversing Password Checking Routine