Post Exploitation Resources

Lateral movement

• Eventvwr File-less UAC Bypass CNA
• Lateral movement using excel application and dcom
• WSH Injection: A Case Study
• Fileless UAC Bypass using sdclt
• Bypassing AMSI via COM Server Hijacking
• Window 10 Device Guard Bypass
• My First Go with BloodHound
• OPSEC Considerations for beacon commands
• Agentless Post Exploitation
• Windows Access Tokens and Alternate credentials
• PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10
• Lay of the Land with BloodHound
• Bringing the hashes home with reGeorg & Empire
• Intercepting passwords with Empire and winning
• Outlook Home Page – Another Ruler Vector
• Outlook Forms and Shells
• Windows Privilege Escalation Checklist
• A Guide to Configuring Throwback
• Abusing DNSAdmins privilege for escalation in Active Directory
• Using SQL Server for attacking a Forest Trust
• Extending BloodHound for Red Teamers
• Pass hash pass ticket no pain
• process doppelganging
• App Locker ByPass List
• Windows 7 UAC whitelist
• Malicious Application Compatibility Shims,
• Junfeng Zhang from WinSxS dev team blog,
• Beyond good ol' Run key, series of articles,
• KernelMode.Info UACMe thread,
• Command Injection/Elevation - Environment Variables Revisited,
• "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking,
• Bypassing UAC on Windows 10 using Disk Cleanup,
• Using IARPUninstallStringLauncher COM interface to bypass UAC,
• Bypassing UAC using App Paths,
• "Fileless" UAC Bypass using sdclt.exe,
• UAC Bypass or story about three escalations,
• Exploiting Environment Variables in Scheduled Tasks for UAC Bypass,
• First entry: Welcome and fileless UAC bypass,
• Reading Your Way Around UAC in 3 parts: Part 1. Part 2. Part 3.
• Research on CMSTP.exe,
• hiding registry keys with psreflect
• a guide to attacking domain trusts

Living Off The Land, Bins, and Useful Scripts

• GTFO Bins
• LOLBAS

Command and Control

• C2 Matrix
• Reverse Shell Generator (code)
• Reverse Shell Generator (front-end)
• Red Team Infrastructure Wiki
• How to Build a C2 Infrastructure with Digital Ocean – Part 1
• Infrastructure for Ongoing Red Team Operations
• Automated Red Team Infrastructure Deployment with Terraform - Part 1
• 6 RED TEAM INFRASTRUCTURE TIPS
• Red Teaming for Pacific Rim CCDC 2017
• How I Prepared to Red Team at PRCCDC 2015
• Red Teaming for Pacific Rim CCDC 2016
• Randomized Malleable C2 Profiles Made Easy
• Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite - Jeff Dimmock
• High-reputation Redirectors and Domain Fronting
• TOR Fronting – Utilising Hidden Services for Privacy
• Domain Fronting Via Cloudfront Alternate Domains
• The PlugBot: Hardware Botnet Research Project
• Attack Infrastructure Log Aggregation and Monitoring
• Finding Frontable Domain
• Apache2Mod Rewrite Setup
• Empre Domain Fronting
• Domain Hunter
• Migrating Your infrastructure
• Redirecting Cobalt Strike DNS Beacons
• Finding Domain frontable Azure domains - thoth / Fionnbharr (@a_profligate)
• Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike
• Escape and Evasion Egressing Restricted Networks - Tom Steele and Chris Patten
• Command and Control Using Active Directory
• C2 with twitter
• C2 with DNS
• ICMP C2
• C2 with Dropbox
• C2 with https
• C2 with webdav
• C2 with gmail
• “Tasking” Office 365 for Cobalt Strike C2
• Simple domain fronting PoC with GAE C2 server
• Using WebDAV features as a covert channel
• Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
• InternetExplorer.Application for C2
• C2 WebSocket
• C2 WMI
• C2 Website
• C2 Image
• C2 Javascript
• C2 WebInterface
• Safe Red Team Infrastructure

Privilege Escalation

• Local Windows Privilege Escalation Checklist
• Windows local Privilege Escalation Awesome Script (C#.exe and .bat)
• Local Linux Privilege Escalation Checklist
• Linux local Privilege Escalation Awesome Script (.sh)
• LinEnum - Linux Privilege Escalation Enumeration