SUMMARY.md

Table of contents

• About /?

Pinned posts

• Pentesting Cheatsheets
  • SQL Injection & XSS Playground
• Powershell Payload Delivery via DNS using Invoke-PowerCloud
• Masquerading Processes in Userland via _PEB
• Active Directory
  • From Domain Admin to Enterprise Admin
  • T1208: Kerberoasting
  • Kerberos: Golden Tickets
  • Kerberos: Silver Tickets
  • Domain Compromise via Unrestricted Kerberos Delegation
  • Domain Compromise via DC Print Server and Kerberos Delegation
  • T1207: DCShadow
  • PowerView: Active Directory Enumeration
  • Abusing Active Directory ACLs/ACEs
  • From DnsAdmins to SYSTEM to Domain Compromise

offensive security

• T1055: Process Injection
  • CreateRemoteThread Shellcode Injection
  • DLL Injection
  • Reflective DLL Injection
• Phishing with MS Office
  • Phishing: XLM / Macro 4.0
  • T1173: Phishing - DDE
  • T1137: Phishing - Office Macros
  • Phishing: OLE + LNK
  • Phishing: Embedded Internet Explorer
  • Phishing: .SLK Excel
  • Phishing: Embedded HTML Forms
• T1003: Credential Dumping
  • Local Security Authority
  • Security Accounts Manager
  • NTDS - Domain Controller
  • Network vs Interactive Logons
• T1134: Primary Access Token Manipulation
• AV Bypass with Metasploit Templates and Custom Binaries
• Red Team Infrastructure
  • HTTP Forwarders / Relays
  • SMTP Forwarders / Relays
• File Smuggling with HTML and JavaScript
• Commandline Obfusaction
• T1027: Obfuscated Powershell Invocations
• SSH Tunnelling / Port Forwarding
• T1117: regsvr32
• T1187: Forced Authentication
• T1099: Timestomping
• T1196: Control Panel Item
• T1170: MSHTA
• T1191: CMSTP
• T1118: InstallUtil
• T1053: Schtask
• T1214: Credentials in Registry
• T1028: WinRM for Lateral Movement
• T1047: WMI for Lateral Movement
• T1035: Service Execution
• T1216: pubprn.vbs Signed Script Code Execution
• T1138: Application Shimming
• T1015: Sticky Keys
• T1131: Authentication Packages
• T1136: Create Account
• T1197: BITS Jobs
• T1122: COM Hijacking
• T1038: DLL Hijacking
• T1158: Hidden Files
• T1128: NetSh Helper DLL
• T1013: AddMonitor()
• T1108: WebShells
• T1051: Shared Webroot
• T1198: SIP & Trust Provider Hijacking
• T1180: Screensaver Hijack
• T1209: Hijacking Time Providers
• T1084: Abusing Windows Managent Instrumentation
  • WMI as a Data Storage
• T1076: RDP Hijacking for Lateral Movement with tscon
• T1140: Encode/Decode Data with Certutil
• Downloading Files with Certutil
• T1183: Image File Execution Options Injection
• T1202: Forfiles Indirect Command Execution
• T1130: Installing Root Certificate
• T1096: Alternate Data Streams
• T1045: Packed Binaries
• T1174: Password Filter
• T1010: Application Window Discovery
• T1087: Account Discovery & Enumeration
• T1175: Lateral Movement via DCOM
• Powershell Empire 101
• Powershell Constrained Language Mode ByPass
• Powershell Without Powershell.exe
• Detecting Sysmon on the Victim Host
• Unloading Sysmon Driver
• WMI + MSI Lateral Movement
• WMI + NewScheduledTaskAction Lateral Movement
• WMI + PowerShell Desired State Configuration Lateral Movement
• Empire Shells with NetNLTMv2 Relaying
• Parsing PE File Headers with C++

Memory Forensics

• Exploring Injected Threads
• Process Environment Block
• Dump Virtual Box Memory