Windows Pentesting Resources :
Fun with LDAP, Kerberos (and MSRPC) in AD Environments
https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments
From XML External Entity to NTLM Domain Hashes
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
Windows Privilege Escalation Guide
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Windows oneliners to download remote payload and execute arbitrary code
Passing the hash with native RDP client (mstsc.exe)
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/
Escalating privileges with ACLs in Active Directory
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Automation Framework for the Atomic Red Team
https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md
Skip Cracking Responder Hashes and Relay Them
Exchange-AD-Privesc. Repository of Exchange privilege escalations to Active Directory
This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc
WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html
Hiding Metasploit Shellcode to Evade Windows Defender
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
Unofficial Guide to Mimikatz & Command Reference
https://adsecurity.org/?page_id=1821
Gathering AD Data with the Active Directory PowerShell Module
https://adsecurity.org/?p=3719
Detecting hypervisor presence on windows 10
https://revers.engineering/detecting-hypervisor-presence-on-windows-10
Domain user Enumeration Tool
https://github.com/sensepost/UserEnum/blob/master/README.md
Blue Cloud of Death: Red Teaming Azure
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html
DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/
https://github.com/dafthack/MailSniper
DomainPasswordSpray
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
https://github.com/dafthack/DomainPasswordSpray
5 Ways to Find Systems Running Domain Admin Processes
https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/
How to bypass GPO Policy restriction for Powershell usage
https://github.com/p3nt4/PowerShdll
ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script
Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell
Dumping Clear-Text Credentials
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/
Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration
his script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019
NBNS Spoofing
https://pentestlab.blog/2018/05/08/nbns-spoofing/
NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
Invoke-Phant0m
This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html https://github.com/hlldz/Invoke-Phant0m
Dumping Active Directory Domain Info – with PowerUpSQL!
https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/
15 Ways to Bypass the PowerShell Execution Policy
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage
Abusing DCOM For Yet Another Lateral Movement Technique
https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique
Invoke-WMILM
This is a PoC script for various methods to acheive authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7
Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
Empire Web v2 Launched, A Web Interface to Powershell empire.
https://github.com/interference-security/empire-web
Hidden Administrative Accounts: BloodHound to the Rescue
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
Extracting Service Account Passwords with Kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat
Powercat
Netcat: The powershell version.
https://github.com/besimorhino/powercat
Windows Privilege Escalation Methods for Pentesters
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Getting Domain Admin with Kerberos Unconstrained Delegation
Scanning for Active Directory Privileges & Privileged Accounts
https://adsecurity.org/?p=3658
Automated AD and Windows test lab deployments with Invoke-ADLabDeployer
Simplifying Password Spraying
https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/
A Password Spraying tool for Active Directory Credentials
https://github.com/SpiderLabs/Spray
Abusing SeLoadDriverPrivilege for privilege escalation
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
Exploring PowerShell AMSI and Logging Evasion
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Weaponizing .SettingContent-ms Extensions for Code Execution
https://www.trustedsec.com/2018/06/weaponizing-settingcontent
WMImplant Post-Exploitation – An Introduction
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction
WMImplant Post-Exploitation – An Introduction
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction
PowerShell: How to get a list of all installed Software on Remote Computers
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
https://blog.netspi.com/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens
Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md
A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
https://github.com/Raikia/CredNinja
PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.
https://github.com/PowerShell/PSScriptAnalyzer
Bypassing SQL Server Logon Trigger Restrictions
https://blog.netspi.com/bypass-sql-logon-triggers/
Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page.
https://gitlab.com/initstring/evil-ssdp
https://twitter.com/subTee/status/1012657434702123008?s=19
Incapacitating Windows Defender
http://www.offensiveops.io/tools/incapacitating-windows-defender/
Red Team Tales 0x01: From MSSQL to RCE
https://www.tarlogic.com/en/blog/red-team-tales-0x01
LethalHTA - A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective
Powershell script to Enumerate executables with auto-elevation enabled, handy for privilege escalation purposes.
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
Using a SCF File to gather Hashes
https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
A Guide to Attacking Domain Trusts
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
RE: Evading Autoruns PoCs on Windows 10
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f
Feature, not bug: DNSAdmin to DC compromise in one line
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
https://blog.netspi.com/exploiting-adidns
https://github.com/Kevin-Robertson/Powermad/blob/master/README.md
Domain Access With Write Access on the Domain NC Head
Extracting User Password Data with Mimikatz DCSync
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Passing-the-Hash to NTLM Authenticated Web Applications
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
Veil Payloads and Veil-Ordnance
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/
Clear all your logs in linux/windows servers
https://github.com/Rizer0/Log-killer
Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
https://github.com/NetSPI/PESecurity
Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
Anonymously Enumerating Azure File Resources
https://blog.netspi.com/anonymously-enumerating-azure-file-resources
Weaponize PDF with embedding SettingContent-ms inside PDF.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
Compromising a Azure Windows 2008 R2 SP1 VM
https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm
Microsoft LAPS Security & Active Directory LAPS Configuration Recon
https://adsecurity.org/?p=3164
PowerShell is definitely a "gateway drug" to C# - GhostPack is a collection of new security tools (currently C#), getting rid of the attention that powershell monitoring is getting
Pass the Hash with Kerberos
https://malicious.link/post/2018/pass-the-hash-with-kerberos/
GhostPack
https://posts.specterops.io/ghostpack-d835018c5fc4 Domain Goodness – How I Learned to LOVE AD Explorer
https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/
Another way to get to a system shell – Assistive Technology
https://oddvar.moe/2018/07/23/another-way-to-get-to-a-system-shell
Robber : An open source tool for finding executables prone to DLL hijacking
https://github.com/MojtabaTajik/Robber
safetyKatz: a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
https://github.com/GhostPack/SafetyKatz
Stored passwords found all over the place after installing Windows in company networks
http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html
Security Fun: Bloodhound, MS16-072 and GPO Discoverability
Netsh DLL Helpers
http://liberty-shell.com/sec/2018/07/28/netshlep/
Post Exploitation Using WMIC (System Command)
http://www.hackingarticles.in/post-exploitation-using-wmic-system-command/
Updated PoC Mimikatz Loader for 2018
PoC: https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7
One-Liner: https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58
Notes on Windows Privilege Escalation
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin
Ultimate AppLocker ByPass List: The goal of this repository is to document the most common techniques to bypass AppLocker.
https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev
LDAP Injection Cheat Sheet, Attack Examples & Protection
https://www.checkmarx.com/knowledge/knowledgebase/LDAP
PowerShell script which allows pausing\unpausing Win32/64 exes
https://github.com/besimorhino/Pause-Process
ASP.NET resource files (.RESX) and deserialisation issues
Exploiting XXE Vulnerabilities in IIS/.NET
When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults
Capturing NetNTLM Hashes with Office [DOT] XML Documents
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents
pOWershell obFUsCation
https://n1cfury.com/ps-obfuscation
Copying Files via WMI and PowerShell
https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell
Using WinRM Through Meterpreter
https://www.trustedsec.com/2017/09/using-winrm-meterpreter
TBAL: an (accidental?) DPAPI Backdoor for local users
https://vztekoverflow.com/2018/07/31/tbal-dpapi-backdoor
PoC:
P0wnedShell: PowerShell Runspace Post Exploitation Toolkit
https://github.com/Cn33liz/p0wnedShell
mimiDbg: PowerShell oneliner to retrieve wdigest passwords from the memory
https://github.com/giMini/mimiDbg
Golden Ticket Attack Execution Against AD-Integrated SSO providers
https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso
Windows Privilege Escalation Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html
Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
Unstoppable Service: A pattern for a self-installing Windows service in C# with the unstoppable attributes in C#.
https://github.com/malcomvetter/UnstoppableService
Driver loader for bypassing Windows x64 Driver Signature Enforcement
https://github.com/hfiref0x/TDL
Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
Code: https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code
Slides: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf
Whitepaper: https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
An implementation of PSExec in C#
https://github.com/malcomvetter/CSExec
SMBetray: Backdooring and Breaking Signatures
https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures
https://github.com/QuickBreach/SMBetray.git
ADRecon: Active Directory Recon Blackhat Arsenal 2018
https://github.com/sense-of-security/adrecon
Ps1jacker: A tool for generating COM Hijacking payload.
https://github.com/darkw1z/Ps1jacker
DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities
https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf From Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it
Tools for instrumenting Windows Defender's mpengine.dll
https://github.com/0xAlexei/WindowsDefenderTools
Art of Anti Detection 1 – Introduction to AV & Detection Techniques
https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques
Ridrelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
https://github.com/skorov/ridrelay
Remotely Enumerate Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations
Juicy Potato (abusing the golden privileges)
https://decoder.cloud/2018/08/10/juicy-potato
Juicy Potato (abusing the golden privileges)
https://ohpe.github.io/juicy-potato
Hacking around HTA files
http://blog.sevagas.com/?Hacking-around-HTA-files
Koadic C3 COM Command & Control - JScript RAT
https://github.com/zerosum0x0/koadic
Phishing – Ask and ye shall receive
https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
Bypass in Microsoft AD FS Multi-Factor Authentication protocol (CVE-2018-8340):
Multi-Factor Mixup: Who Were You Again?
https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability
Reconerator: C# Targeted Attack Reconnissance Tools
https://github.com/stufus/reconerator
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
Skeleton Key Attack
https://pentestlab.blog/2018/04/10/skeleton-key
Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
SANS Webcast: PowerShell for PenTesting
https://www.youtube.com/watch?v=a8_DqEVFwO8
Microsoft.Workflow.Compiler.exe Mimikatz Runner.
https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e
List-RDP-Connections-History
Use powershell to list the RDP Connections History of logged-in users or all users
https://github.com/3gstudent/List-RDP-Connections-History
A Universal Windows Bootkit
An analysis of the MBR bootkit referred to as “HDRoot"
http://williamshowalter.com/a-universal-windows-bootkit
Broadcast Name Resolution Poisoning / WPAD Attack Vector
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector .NET Deserialization To NTLM Hashes
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes
Python tool to inject fake updates into unencrypted WSUS traffic
https://github.com/pdjstone/wsuspect-proxy
Remotely Modify Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations
Making The Perfect Injector: Abusing Windows Address Sanitization And CoW
Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files
https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html
Extracting SSH Private Keys from Windows 10 ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
Kerberoasting and SharpRoast output parsing!
https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html
whitelist_bypass_server
This module is designed to be a platform to test an endpoints application whitelisting effectiveness by providing bypasses to solutions such as software restriction policies and applocker.
rapid7/metasploit-framework#8783
Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo
https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178
Privilege Escalation & Post-Exploitation Docs
https://rmusser.net/docs/Privilege Escalation & Post-Exploitation.html
Task Scheduler ALPC exploit (unpatched) && PoC by SandboxEscaper
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
Remote NTLM relaying through meterpreter on Windows port 445
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445
Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike
https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike
Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint
Having Fun with ActiveX Controls in Microsoft Word
https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word
Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team
http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html
AppLocker Bypass - CMSTP
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp
Persistence using AdminSDHolder and SDProp
https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop
Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure
Walk-through Mimikatz sekurlsa module
https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa
windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems
https://github.com/pentestmonkey/windows-privesc-check
Understanding how DLL Hijacking works
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works
Playing with Relayed Credentials
https://www.coresecurity.com/blog/playing-relayed-credentials
DDE Downloaders, Excel Abuse, and a PowerShell Backdoor
http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
A detailed technical explanation of CVE-2018-8120
https://xiaodaozhi.com/exploit/156.html
A PowerShell example of the Windows zero day priv esc
https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md
You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows
CVE-2018-8420 - Microsoft XML Core Services MSXML RCE through web browser PoC
https://github.com/Theropord/CVE-2018-8420
Bypassing AppLocker Custom Rules
0x09AL Security blog Bypassing AppLocker Custom Rules
Introduction Jonhnathan Jonhnathan Jonhnathan w0rk3r's Windows Hacking Library Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege
http://www.greyhathacker.net/?p=1025
Jonhnathan Jonhnathan Jonhnathan w0rk3r's Windows Hacking Library How to add a module in Mimikatz?
https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html
Multiple Ways to Bypass UAC using Metasploit
http://www.hackingarticles.in/multiple-ways-to-bypass-uac-using-metasploit
Jonhnathan Jonhnathan Jonhnathan w0rk3r's Windows Hacking Library From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin
Using Mimikatz From a JSP shell
https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc
Poking Around With 2 lsass Protection Options
Introducing SharpSploit: A C# Post-Exploitation Library
https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51
Faster Domain Escalation using LDAP
https://blog.netspi.com/faster-domain-escalation-using-ldap
A Lesson in .NET Framework Versions
https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions
Command and Control Using Active Directory
http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory
L1TF (Foreshadow) VM guest to host memory read PoC
https://github.com/gregvish/l1tf-poc
SMB hash hijacking & user tracking in MS Outlook
SharpBox is a C# tool for compressing, encrypting, and exfiltrating data to DropBox using the DropBox API
https://github.com/P1CKLES/SharpBox
From Kekeo to Rubeus
https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14
Tokenvator: Release 2
https://blog.netspi.com/tokenvator-release-2
AppLocker CLM Bypass via COM
https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com
Injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
https://github.com/wbenny/injdrv
Responder and Layer 2 Pivots
https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots
PowerShell: Documenting your environment by running systeminfo on all Domain-Computers
The power of backup operators
https://decoder.cloud/2018/02/12/the-power-of-backup-operatos
Abusing Windows Library Files for Persistence
https://www.countercept.com/blog/abusing-windows-library-files-for-persistence
Domain Controlller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
https://adsecurity.org/?p=4056
invoke-Confusion .NET attacker of Powershell Remotely
https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell
Creating Persistence with DCShadow
https://blog.stealthbits.com/creating-persistence-with-dcshadow
Time Travel Debugging: finding Windows GDI flaws
https://www.pentestpartners.com/security-blog/time-travel-debugging-finding-windows-gdi-flaws
Malicious use of Microsoft “Local Administrator Password Solution”
http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf
Tokenvator Wiki
https://github.com/0xbadjuju/Tokenvator/wiki
ServiceFu: Harvesting Service Account Credentials Remotely
https://www.securifera.com/blog/2018/10/07/servicefu
Operating Offensively Against Sysmon
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Exploiting Regedit: Invisible Persistence & Binary Storage
https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
PoC: https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys
Attacking Azure Environments with PowerShell
MicroBurst: A collection of scripts for assessing Microsoft Azure security
https://github.com/NetSPI/MicroBurst
Icebreaker.py: Gaining a foothold in Active Directory in one command Dan McInerney at SaintCon
[Tool] Icebreaker: Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
https://github.com/DanMcInerney/icebreaker Leveraging WSUS – Part One
https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one
Powershell Payload Delivery via DNS using Invoke-PowerCloud
SharpAttack: A console for certain tasks on security assessments. It leverages .NET and the Windows API to perform its work( and cobbr_io SharpSploit). It contains commands for domain enumeration, code execution, and other fun things.
https://github.com/jaredhaight/SharpAttack
Living Off the Land
https://liberty-shell.com/sec/2018/10/20/living-off-the-land