Going to try to keep this updated.

Microsoft

Powershell

• ​Powershell 101​

• ​Learn Windows PowerShell in a Month of Lunches (Youtube) - Companion videos to the famous book

• ​p3nt4/PowerShdll - Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls.

• ​nullbind/Powershellery - GetSPN and other things

Empire

• ​Empire 101 - Empire Introduction from official documentation

Powerview

• ​Powerview repository - contains documentation and how to use Powerview

• ​PowerView-3.0-tricks.ps1 - Powerview tips and tricks from HarmJ0y

Bloodhound

• ​Bloodhound node info - Bloodhound Node info explanations

• ​Lay of the land with bloodhound - General Bloodhound usage guide article

Mimikatz

• ​Lazykats - Mass Mimikatz with AV bypass (questionable)

• ​Direct link to Invoke-Mimikatz.ps1​

• ​Auto dumping domain credentials​

• ​eladshamir/Internal-Monologue - Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS

Enumeration

• ​Invoke-Portscan.ps1 - Invoke-Portscan is a module from Powersploit that can perform port scans similar to Nmap straight from Powershell.

• ​Walking back local admins - Finding local admins in AD

Kerberos

• ​HarmJ0y - roasting-as-reps - Article about Kerberos preauthentication

• ​HarmJ0y/ASREPRoast - Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.

Tunneling

• ​SShuttle - SShuttle creates an SSH tunnel that works almost just like a VPN

Command and control (C2)

• ​SANS Pentest Blog - Using Amazon AWS EC2 for C2

• ​lukebaggett/dnscat2-powershell - Powershell implementation of dnscat2 client

• ​C2 with dnscat2 and powershell - dnscat2 can be used with powershell for working over DNS to hide C2 activity

• ​DNS tunneling - How DNS tunneling works

Exploit

• ​SharpShooter - SharpShooter can create payloads for many formats like HTA, JS and VBS

• ​DCShadow - DCShadow, attack technique to create a rogue domain controller

Mail

• ​Ruler - Ruler can interact with Exchange servers remotely

Breaking out of locked down environments

• ​Breaking Out of Citrix and other Restricted Desktop Environments​

• ​Applocker Case study - Breaking out of Applocker using advanced techniques

• ​Bypass Applocker - List of most known Applocker bypass techniques

• ​Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell​

Defense

• ​MS - Securing privileged access - Reference material for securing admin access in AD

• ​MS - What is AD Red Forest - Red forest design is building an administrative AD environement built with security in mind

• ​Managing Applocker with Powershell​

• ​SANS - Finding Empire C2 activity​

Lab building

• ​The Eye - Official MSDN ISOs for all OSes

• ​Automatedlab/Automatedlab - Automatedlab is a project for building a lab environment automatically using Powershell.

• ​Building a lab with ESXI and Vagrant - Big article from this book about building a lab using ESXi

• ​Mini lab - Small article from this book about creating a small lab for practicing things like Responder

Other

• ​OSCP Survival Guide archived - contains a ton of useful commands for enumeration and exploitation