
Link encyclopedia

Going to try to keep this updated.

Microsoft

Powershell

  • Powershell 101

  • Learn Windows PowerShell in a Month of Lunches (Youtube) - Companion videos to the famous book

  • p3nt4/PowerShdll - Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls.

  • nullbind/Powershellery - GetSPN and other things

Empire

  • Empire 101 - Empire Introduction from official documentation

Powerview

  • Powerview repository - contains documentation and how to use Powerview

  • PowerView-3.0-tricks.ps1 - Powerview tips and tricks from HarmJ0y

Bloodhound

  • Bloodhound node info - Bloodhound Node info explanations

  • Lay of the land with bloodhound - General Bloodhound usage guide article

Mimikatz

  • Lazykats - Mass Mimikatz with AV bypass (questionable)

  • Direct link to Invoke-Mimikatz.ps1

  • Auto dumping domain credentials

  • eladshamir/Internal-Monologue - Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS

Enumeration

  • Invoke-Portscan.ps1 - Invoke-Portscan is a module from Powersploit that can perform port scans similar to Nmap straight from Powershell.

  • Walking back local admins - Finding local admins in AD

Kerberos

  • HarmJ0y - roasting-as-reps - Article about Kerberos preauthentication

  • HarmJ0y/ASREPRoast - Project that retrieves crackable hashes from KRB5 AS-REP responses for users that do not have Kerberos preauthentication enabled.

Tunneling

  • sshuttle - sshuttle creates an SSH tunnel that works almost like a VPN

Command and control (C2)

  • SANS Pentest Blog - Using Amazon AWS EC2 for C2

  • lukebaggett/dnscat2-powershell - Powershell implementation of dnscat2 client

  • C2 with dnscat2 and powershell - dnscat2 can be used with powershell for working over DNS to hide C2 activity

  • DNS tunneling - How DNS tunneling works

Exploit

  • SharpShooter - SharpShooter can create payloads for many formats like HTA, JS and VBS

  • DCShadow - DCShadow, attack technique to create a rogue domain controller

Mail

  • Ruler - Ruler can interact with Exchange servers remotely

Breaking out of locked down environments

  • Breaking Out of Citrix and other Restricted Desktop Environments

  • Applocker Case study - Breaking out of Applocker using advanced techniques

  • Bypass Applocker - List of most known Applocker bypass techniques

  • Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell

Defense

  • MS - Securing privileged access - Reference material for securing admin access in AD

  • MS - What is AD Red Forest - The Red Forest design builds an administrative AD environment with security in mind

  • Managing Applocker with Powershell

  • SANS - Finding Empire C2 activity

Lab building

  • The Eye - Official MSDN ISOs for all OSes

  • Automatedlab/Automatedlab - Automatedlab is a project for building a lab environment automatically using Powershell.

  • Building a lab with ESXI and Vagrant - Big article from this book about building a lab using ESXi

  • Mini lab - Small article from this book about creating a small lab for practicing things like Responder

Other

  • OSCP Survival Guide archived - contains a ton of useful commands for enumeration and exploitation


Last updated 7 years ago