Link encyclopedia

Going to try to keep this updated.

Microsoft

Powershell

• Powershell 101

• Learn Windows PowerShell in a Month of Lunches (Youtube) - Companion videos to the famous book

• p3nt4/PowerShdll - Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls.

• nullbind/Powershellery - GetSPN and other things

Empire

• Empire 101 - Empire Introduction from official documentation

Powerview

• Powerview repository - contains documentation and how to use Powerview

• PowerView-3.0-tricks.ps1 - Powerview tips and tricks from HarmJ0y

Bloodhound

• Bloodhound node info - Bloodhound Node info explanations

• Lay of the land with bloodhound - General Bloodhound usage guide article

Mimikatz

• Lazykats - Mass Mimikatz with AV bypass (questionable)

• Direct link to Invoke-Mimikatz.ps1

• Auto dumping domain credentials

• eladshamir/Internal-Monologue - Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS

Enumeration

• Invoke-Portscan.ps1 - Invoke-Portscan is a module from Powersploit that can perform port scans similar to Nmap straight from Powershell.

• Walking back local admins - Finding local admins in AD

Kerberos

• HarmJ0y - roasting-as-reps - Article about Kerberos preauthentication

• HarmJ0y/ASREPRoast - Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.

Tunneling

• SShuttle - SShuttle creates an SSH tunnel that works almost just like a VPN

Command and control (C2)

• SANS Pentest Blog - Using Amazon AWS EC2 for C2

• lukebaggett/dnscat2-powershell - Powershell implementation of dnscat2 client

• C2 with dnscat2 and powershell - dnscat2 can be used with powershell for working over DNS to hide C2 activity

• DNS tunneling - How DNS tunneling works

Exploit

• SharpShooter - SharpShooter can create payloads for many formats like HTA, JS and VBS

• DCShadow - DCShadow, attack technique to create a rogue domain controller

Mail

• Ruler - Ruler can interact with Exchange servers remotely

Breaking out of locked down environments

• Breaking Out of Citrix and other Restricted Desktop Environments

• Applocker Case study - Breaking out of Applocker using advanced techniques

• Bypass Applocker - List of most known Applocker bypass techniques

• Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell

Defense

• MS - Securing privileged access - Reference material for securing admin access in AD

• MS - What is AD Red Forest - Red forest design is building an administrative AD environement built with security in mind

• Managing Applocker with Powershell

• SANS - Finding Empire C2 activity

Lab building

• The Eye - Official MSDN ISOs for all OSes

• Automatedlab/Automatedlab - Automatedlab is a project for building a lab environment automatically using Powershell.

• Building a lab with ESXI and Vagrant - Big article from this book about building a lab using ESXi

• Mini lab - Small article from this book about creating a small lab for practicing things like Responder

Other

• OSCP Survival Guide archived - contains a ton of useful commands for enumeration and exploitation