windows-pentesting-resources

Windows Pentesting Resources:

Fun with LDAP, Kerberos (and MSRPC) in AD Environments

https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments

From XML External Entity to NTLM Domain Hashes

https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/

Windows Privilege Escalation Guide

https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Windows oneliners to download remote payload and execute arbitrary code

https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/

Passing the hash with native RDP client (mstsc.exe)

https://michael-eder.net/post/2018/native_rdp_pass_the_hash/

Escalating privileges with ACLs in Active Directory

https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Automation Framework for the Atomic Red Team

https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md

Skip Cracking Responder Hashes and Relay Them

http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them/amp/?__twitter_impression=true

Exchange-AD-Privesc: repository of Exchange privilege escalations to Active Directory

This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.

https://github.com/gdedrouas/Exchange-AD-Privesc

WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets

https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html

Hiding Metasploit Shellcode to Evade Windows Defender

https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/

Unofficial Guide to Mimikatz & Command Reference

https://adsecurity.org/?page_id=1821

Gathering AD Data with the Active Directory PowerShell Module

https://adsecurity.org/?p=3719

Detecting hypervisor presence on Windows 10

https://revers.engineering/detecting-hypervisor-presence-on-windows-10

Domain User Enumeration Tool

https://github.com/sensepost/UserEnum/blob/master/README.md

Blue Cloud of Death: Red Teaming Azure

https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1

Ring +3 Malwares: Few tricks

http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf

Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws

http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts

https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts

Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.

https://youtu.be/c8LgqtATAnE

Windows Userland Persistence Fundamentals

http://www.fuzzysecurity.com/tutorials/19.html

DLL Hijacking via URL files

https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html

Enumerating remote access policies through GPO

https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/

https://github.com/dafthack/MailSniper

DomainPasswordSpray

DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.

https://github.com/dafthack/DomainPasswordSpray

5 Ways to Find Systems Running Domain Admin Processes

https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/

How to bypass GPO policy restrictions on PowerShell usage

https://github.com/p3nt4/PowerShdll

ADAPE - Active Directory Assessment and Privilege Escalation Script

https://github.com/hausec/ADAPE-Script

Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer

http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/

Understanding and Evading Get-InjectedThread

https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/

PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.

https://github.com/Mr-Un1k0d3r/PowerLessShell

Dumping Clear-Text Credentials

https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/

Office365 ActiveSync Username Enumeration

https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration

This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.

https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019

NBNS Spoofing

https://pentestlab.blog/2018/05/08/nbns-spoofing/

NTLMv1 Multitool

This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES mode 14000 in hashcat.

https://github.com/evilmog/ntlmv1-multi/

Invoke-Phant0m

This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads and kills them. The system will then no longer collect logs, while the Event Log Service still appears to be running.

https://artofpwn.com/phant0m-killing-windows-event-log.html

https://github.com/hlldz/Invoke-Phant0m

Dumping Active Directory Domain Info – with PowerUpSQL!

https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/

15 Ways to Bypass the PowerShell Execution Policy

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques

https://github.com/rootm0s/WinPwnage

Abusing DCOM For Yet Another Lateral Movement Technique

https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique

Invoke-WMILM

This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.

https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md

[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)

https://www.abatchy.com/2018/01/kernel-exploitation-7

Active Directory as a C2 (Command & Control)

https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control

Bypassing Device Guard with .NET Assembly Compilation Methods

http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html

DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction

https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Jumping Network Segregation with RDP

https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

PowerShell Shellcode Injection on Win 10 (v1803)

https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/

Empire Web v2 launched: a web interface to PowerShell Empire.

https://github.com/interference-security/empire-web

Hidden Administrative Accounts: BloodHound to the Rescue

https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

Extracting Service Account Passwords with Kerberoasting

https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

https://github.com/quentinhardy/msdat

Powercat

Netcat: the PowerShell version.

https://github.com/besimorhino/powercat

Windows Privilege Escalation Methods for Pentesters

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

Getting Domain Admin with Kerberos Unconstrained Delegation

http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html

Scanning for Active Directory Privileges & Privileged Accounts

https://adsecurity.org/?p=3658

Automated AD and Windows test lab deployments with Invoke-ADLabDeployer

https://outflank.nl/blog/2018/03/30/automated-ad-and-windows-test-lab-deployments-with-invoke-adlabdeployer/

Simplifying Password Spraying

https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/

A Password Spraying tool for Active Directory Credentials

https://github.com/SpiderLabs/Spray

Abusing SeLoadDriverPrivilege for privilege escalation

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

Exploring PowerShell AMSI and Logging Evasion

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

Weaponizing .SettingContent-ms Extensions for Code Execution

https://www.trustedsec.com/2018/06/weaponizing-settingcontent

WMImplant Post-Exploitation – An Introduction

https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction

PowerShell: How to get a list of all installed Software on Remote Computers

https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

https://blog.netspi.com/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens

Disabling AMSI in JScript with One Simple Trick

https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md

A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter

https://github.com/Raikia/CredNinja

PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by the PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.

https://github.com/PowerShell/PSScriptAnalyzer

Bypassing SQL Server Logon Trigger Restrictions

https://blog.netspi.com/bypass-sql-logon-triggers/

Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page.

https://gitlab.com/initstring/evil-ssdp

https://twitter.com/subTee/status/1012657434702123008?s=19

Incapacitating Windows Defender

http://www.offensiveops.io/tools/incapacitating-windows-defender/

Red Team Tales 0x01: From MSSQL to RCE

https://www.tarlogic.com/en/blog/red-team-tales-0x01

LethalHTA - A new lateral movement technique using DCOM and HTA

https://codewhitesec.blogspot.com/2018/07/lethalhta.html

What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective

https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e

PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation purposes.

https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf

Using a SCF File to gather Hashes

https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/

A Guide to Attacking Domain Trusts

http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

RE: Evading Autoruns PoCs on Windows 10

https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f

Feature, not bug: DNSAdmin to DC compromise in one line

https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS

https://blog.netspi.com/exploiting-adidns

https://github.com/Kevin-Robertson/Powermad/blob/master/README.md

Domain Access With Write Access on the Domain NC Head

https://sdmsoftware.com/group-policy-blog/security-policy/elevating-ad-domain-access-with-write-access-on-the-domain-nc-head

Extracting User Password Data with Mimikatz DCSync

https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/

Passing-the-Hash to NTLM Authenticated Web Applications

https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/

Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs

https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404

Veil Payloads and Veil-Ordnance

https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/

Clear all your logs in linux/windows servers

https://github.com/Rizer0/Log-killer

Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle

https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.

https://github.com/NetSPI/PESecurity

Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)

https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/

Anonymously Enumerating Azure File Resources

https://blog.netspi.com/anonymously-enumerating-azure-file-resources

Weaponize a PDF by embedding a SettingContent-ms file inside it.

https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe

Compromising an Azure Windows 2008 R2 SP1 VM

https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm

Microsoft LAPS Security & Active Directory LAPS Configuration Recon

https://adsecurity.org/?p=3164

PowerShell is definitely a "gateway drug" to C#. GhostPack is a collection of new security tools (currently C#) that sidestep the attention PowerShell monitoring is now getting.

https://github.com/GhostPack

Pass the Hash with Kerberos

https://malicious.link/post/2018/pass-the-hash-with-kerberos/

GhostPack

https://posts.specterops.io/ghostpack-d835018c5fc4

Domain Goodness – How I Learned to LOVE AD Explorer

https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/

Another way to get to a system shell – Assistive Technology

https://oddvar.moe/2018/07/23/another-way-to-get-to-a-system-shell

Robber : An open source tool for finding executables prone to DLL hijacking

https://github.com/MojtabaTajik/Robber

SafetyKatz: a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.

https://github.com/GhostPack/SafetyKatz

Stored passwords found all over the place after installing Windows in company networks

http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html

Security Fun: Bloodhound, MS16-072 and GPO Discoverability

https://sdmsoftware.com/group-policy-blog/security-related/security-fun-bloodhound-ms16-072-gpo-discoverability

Netsh DLL Helpers

http://liberty-shell.com/sec/2018/07/28/netshlep/

Post Exploitation Using WMIC (System Command)

http://www.hackingarticles.in/post-exploitation-using-wmic-system-command/

Updated PoC Mimikatz Loader for 2018

PoC: https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7

One-Liner: https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58

Notes on Windows Privilege Escalation

http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html

Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin

https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin

Ultimate AppLocker ByPass List: The goal of this repository is to document the most common techniques to bypass AppLocker.

https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev

LDAP Injection Cheat Sheet, Attack Examples & Protection

https://www.checkmarx.com/knowledge/knowledgebase/LDAP

PowerShell script which allows pausing/unpausing Win32/64 exes

https://github.com/besimorhino/Pause-Process

ASP.NET resource files (.RESX) and deserialisation issues

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

Exploiting XXE Vulnerabilities in IIS/.NET

https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

Capturing NetNTLM Hashes with Office [DOT] XML Documents

https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents

pOWershell obFUsCation

https://n1cfury.com/ps-obfuscation

Copying Files via WMI and PowerShell

https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell

Using WinRM Through Meterpreter

https://www.trustedsec.com/2017/09/using-winrm-meterpreter

TBAL: an (accidental?) DPAPI Backdoor for local users

https://vztekoverflow.com/2018/07/31/tbal-dpapi-backdoor

PoC:

https://youtu.be/NIPKMSV-KTw

P0wnedShell: PowerShell Runspace Post Exploitation Toolkit

https://github.com/Cn33liz/p0wnedShell

mimiDbg: PowerShell one-liner to retrieve WDigest passwords from memory

https://github.com/giMini/mimiDbg

Golden Ticket Attack Execution Against AD-Integrated SSO providers

https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso

Windows Privilege Escalation Fundamentals

http://www.fuzzysecurity.com/tutorials/16.html

UnstoppableService: a pattern for a self-installing Windows service in C# with the "unstoppable" attributes set.

https://github.com/malcomvetter/UnstoppableService

Driver loader for bypassing Windows x64 Driver Signature Enforcement

https://github.com/hfiref0x/TDL

Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology

Code: https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code

Slides: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf

Whitepaper: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf

An implementation of PSExec in C#

https://github.com/malcomvetter/CSExec

SMBetray: Backdooring and Breaking Signatures

https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures

https://github.com/QuickBreach/SMBetray.git

ADRecon: Active Directory Recon Blackhat Arsenal 2018

https://www.slideshare.net/mobile/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation

https://github.com/sense-of-security/adrecon

Ps1jacker: A tool for generating COM Hijacking payload.

https://github.com/darkw1z/Ps1jacker

DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities

https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf

From Workstation to Domain Admin: Why Secure Administration isn't Secure and How to Fix it

https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf

Tools for instrumenting Windows Defender's mpengine.dll

https://github.com/0xAlexei/WindowsDefenderTools

Art of Anti Detection 1 – Introduction to AV & Detection Techniques

https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques

Ridrelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.

https://github.com/skorov/ridrelay

Remotely Enumerate Anti-Virus Configurations

https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations

Juicy Potato (abusing the golden privileges)

https://decoder.cloud/2018/08/10/juicy-potato

Juicy Potato (abusing the golden privileges)

https://ohpe.github.io/juicy-potato

Hacking around HTA files

http://blog.sevagas.com/?Hacking-around-HTA-files

Koadic C3 COM Command & Control - JScript RAT

https://github.com/zerosum0x0/koadic

Phishing – Ask and ye shall receive

https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html

Bypass in Microsoft AD FS Multi-Factor Authentication protocol (CVE-2018-8340):

Multi-Factor Mixup: Who Were You Again?

https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability

Reconerator: C# Targeted Attack Reconnaissance Tools

https://github.com/stufus/reconerator

DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more

http://www.labofapenetrationtester.com/2018/04/dcshadow.html

Skeleton Key Attack

https://pentestlab.blog/2018/04/10/skeleton-key

Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe

https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

SANS Webcast: PowerShell for PenTesting

https://www.youtube.com/watch?v=a8_DqEVFwO8

Microsoft.Workflow.Compiler.exe Mimikatz Runner.

https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e

List-RDP-Connections-History

Use PowerShell to list the RDP connection history of logged-in users or all users

https://github.com/3gstudent/List-RDP-Connections-History

A Universal Windows Bootkit

An analysis of the MBR bootkit referred to as "HDRoot"

http://williamshowalter.com/a-universal-windows-bootkit

Broadcast Name Resolution Poisoning / WPAD Attack Vector

https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector

.NET Deserialization To NTLM Hashes

https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes

Python tool to inject fake updates into unencrypted WSUS traffic

https://github.com/pdjstone/wsuspect-proxy

Remotely Modify Anti-Virus Configurations

https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations

Making The Perfect Injector: Abusing Windows Address Sanitization And CoW

https://blog.can.ac/2018/05/02/making-the-perfect-injector-abusing-windows-address-sanitization-and-cow

Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files

https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html

Extracting SSH Private Keys from Windows 10 ssh-agent

https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent

Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)

https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa

CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service

https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service

Operational Guidance for Offensive User DPAPI Abuse

https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107

Kerberoasting and SharpRoast output parsing!

https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html

whitelist_bypass_server

This module is designed to be a platform to test an endpoint's application whitelisting effectiveness by providing bypasses to solutions such as Software Restriction Policies and AppLocker.

rapid7/metasploit-framework#8783

Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo

https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178

Privilege Escalation & Post-Exploitation Docs

https://rmusser.net/docs/Privilege Escalation & Post-Exploitation.html

Task Scheduler ALPC exploit (unpatched) && PoC by SandboxEscaper

https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar

Remote NTLM relaying through meterpreter on Windows port 445

https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445

Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike

https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike

Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint

https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint

Having Fun with ActiveX Controls in Microsoft Word

https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word

Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team

http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html

AppLocker Bypass - CMSTP

https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp

Persistence using AdminSDHolder and SDProp

https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop

Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure

https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure

Walk-through Mimikatz sekurlsa module

https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa

windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems

https://github.com/pentestmonkey/windows-privesc-check

Understanding how DLL Hijacking works

https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works

Playing with Relayed Credentials

https://www.coresecurity.com/blog/playing-relayed-credentials

DDE Downloaders, Excel Abuse, and a PowerShell Backdoor

http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html

A detailed technical explanation of CVE-2018-8120

https://xiaodaozhi.com/exploit/156.html

A PowerShell example of the Windows zero day priv esc

https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md

You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows

https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html

CVE-2018-8420 - Microsoft XML Core Services MSXML RCE through web browser PoC

https://github.com/Theropord/CVE-2018-8420

Bypassing AppLocker Custom Rules

https://0x09al.github.io/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html

Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege

http://www.greyhathacker.net/?p=1025

How to add a module in Mimikatz?

https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html

Multiple Ways to Bypass UAC using Metasploit

http://www.hackingarticles.in/multiple-ways-to-bypass-uac-using-metasploit

From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter

https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin

Using Mimikatz From a JSP shell

https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc

Poking Around With 2 lsass Protection Options

https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a

Introducing SharpSploit: A C# Post-Exploitation Library

https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51

Faster Domain Escalation using LDAP

https://blog.netspi.com/faster-domain-escalation-using-ldap

A Lesson in .NET Framework Versions

https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions

Command and Control Using Active Directory

http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory

L1TF (Foreshadow) VM guest to host memory read PoC

https://github.com/gregvish/l1tf-poc

SMB hash hijacking & user tracking in MS Outlook

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook

SharpBox is a C# tool for compressing, encrypting, and exfiltrating data to DropBox using the DropBox API

https://github.com/P1CKLES/SharpBox

From Kekeo to Rubeus

https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14

Tokenvator: Release 2

https://blog.netspi.com/tokenvator-release-2

AppLocker CLM Bypass via COM

https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com

Injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC

https://github.com/wbenny/injdrv

Responder and Layer 2 Pivots

https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots

PowerShell: Documenting your environment by running systeminfo on all Domain-Computers

https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers

The power of backup operators

https://decoder.cloud/2018/02/12/the-power-of-backup-operatos

Abusing Windows Library Files for Persistence

https://www.countercept.com/blog/abusing-windows-library-files-for-persistence

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

https://adsecurity.org/?p=4056

Invoke-Confusion: .NET-based attack on PowerShell, remotely

https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell

Creating Persistence with DCShadow

https://blog.stealthbits.com/creating-persistence-with-dcshadow

Time Travel Debugging: finding Windows GDI flaws

https://www.pentestpartners.com/security-blog/time-travel-debugging-finding-windows-gdi-flaws

Malicious use of Microsoft “Local Administrator Password Solution”

http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf

Tokenvator Wiki

https://github.com/0xbadjuju/Tokenvator/wiki

ServiceFu: Harvesting Service Account Credentials Remotely

https://www.securifera.com/blog/2018/10/07/servicefu

Operating Offensively Against Sysmon

https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

Exploiting Regedit: Invisible Persistence & Binary Storage

https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf

PoC: https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys

Attacking Azure Environments with PowerShell

https://youtu.be/IdORwgxDpkw

MicroBurst: A collection of scripts for assessing Microsoft Azure security

https://github.com/NetSPI/MicroBurst

Icebreaker.py: Gaining a foothold in Active Directory in one command (Dan McInerney at SaintCon)

https://youtu.be/1LR5u8uKO8I

[Tool] Icebreaker: Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment

https://github.com/DanMcInerney/icebreaker

Leveraging WSUS – Part One

https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one

Powershell Payload Delivery via DNS using Invoke-PowerCloud

https://how.ired.team/offensive-security-experiments/payload-delivery-via-dns-using-invoke-powercloud

SharpAttack: a console for certain tasks on security assessments. It leverages .NET and the Windows API (and cobbr_io's SharpSploit) to perform its work. It contains commands for domain enumeration, code execution, and other fun things.

https://github.com/jaredhaight/SharpAttack

Living Off the Land

https://liberty-shell.com/sec/2018/10/20/living-off-the-land