Index
****************************
-
Programming
General Vocabulary - General Tips and Tricks
-
IDE
CodeBlocks
Clion
Resources
-
REGEX
PHP regex
Bash
-
Powershell
Some examples
tips
-
Python
All Python modules
github from course "La Formation Complete Python"
Socket
Reverse string
-
C#
-
Variables/arrays/loop/etc
Bytes array
POO (Class)
User input
Enumerate directories
Command line argument
Define C structure in C#
Type Marshalling
MessageBox with C#
CreateProcess with C#
-
C++
Header files
VARIABLES
CONDITIONS & BRANCHING
-
FUNCTIONS
VIRTUAL FUNCTIONS !!!!not done!!!!
LOOPS
INPUT & OUTPUT
NEW keyword
-
POINTERS
Dynamic Allocation
REFERENCES/ALIAS
-
ARRAYS
STATIC
DYNAMIC or VECTOR
-
POO - Object Oriented
CLASSES
Visibility
Inheritance
Header and Source - Splitting your code
Constructor/Destructor
CONST Methods
Comparison operator - OPERATOR==
Stream and arithmetic operators - OPERATOR+
Structures
ENUM
countof() equivalent
CASTING
-
C
** pointer to pointer
-
Memory in C
Basic explanations (French)
links
Basic cheatsheet from CodeAcademy
-
Windows programming in C/C++
#pragma comment(lib,"blabla.lib")
TIPS
Debug with Visual Studio
HELP - Read the documentation
Guide / Vocabulary
Windows Data Types
-
Fundamentals
Handling Errors
Strings
Windows Version
System Information
-
HANDLES & OBJECTS
Viewing process handles TOOL
HANDLE Duplication
HANDLE Inheritance
Sharing Objects
Sharing Memory Between Proc By Name
Private Name Spaces
User GDI Objects
-
Code written while learning the fundamentals
Monitor.cpp
fundamentals & errors C++ code
Linked List
-
Process and Thread Programming
-
Enumeration
CreateToolHelpSnapshot
EnumProcess
-
NtQuerySystemInformation
Without opening any handles
Process Creation
Windows API Function Cheatsheets
VBA
.NET Primer
ASM languages
-
Web Dev
-
Javascript
AJAX request
JQuery
THINK about IT!!!
PHP - some notes
-
Automated Deployment with Ansible/Vagrant/Terraform
-
Vagrant
VagrantFile
Ansible
****************************
****************************
-
NETWORKING
Binary basics
OSI model
-
TCP/IP
resources
UDP/IP
IP
DNS (Domain Name System)
Routing
HTTP things
Tools
Some notes CCNA
Anonymous
****************************
****************************
-
CYBERWARFARE - Enterprise Security Lab
Setup VM
****************************
****************************
SEC560
SEC599 LAB
SEC699 LAB
****************************
****************************
-
ZeroPointSecurity Courses
-
CRTO I
-
CRTO Notes
-
Domain recon
Commands & Result
THE LAB
Initial compromise
Certificate exercise
CRTO exam
-
CRTO II - CRTL
Exam
****************************
****************************
-
HTB academy
Bug Hunter Path - Entire path
****************************
****************************
Web App Hacking
****************************
****************************
Windows trial license extending
TODO
-
PENTEST/REDTEAM NOTES
DevOps - CI/CD pipeline/automate
Vocabulary/Definitions...What is ...?
OPSEC in engagement
TOP Online Resources
RED TEAMING SURVIVAL GUIDE (cheatsheet sortof)
PENTESTING PROCESS
Rules Of Engagement - ROE
RedTeam Toolkit github repo
++++++++++++++++++++++++++++++
-
++++++ INFRASTRUCTURE +++++++
-
Phishing Infrastructure
-
DNS Records - bypass spam filters
SPF/DKIM/DMARC
SMS Success Notifications
-
C2 infrastructure
-
Communications (short/long haul, domain fronting/redirectors)
-
REDIRECTORS
-
For HTTP/HTTPS
-
Filtered Redirect - Only C2 traffic forwarded to C2
mod_rewrite
NGINX
Caddy
Satellite (software)
CDN Redirectors (good option!!!)
-
No Filtered Redirect - ALL HTTP/S traffic forwarded to C2
Socat redirectors for HTTP/S
IPTABLE redirectors for HTTP/S
-
For DNS
Socat redirectors for DNS
IPTABLE redirectors for DNS
Domain Fronting
Testing Payloads for proxy aware
Red team auto deploy infrastructures
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++ WHAT AND HOW IT WORKS? ++
-
Windows
-
Windows Internals
Users & File System
Users Rights & Policies
Credential Storage
NTFS vs Shares permissions
Registry
Windows session
SMB - Server Message Block
NBT NetBios
RPC - Remote Procedure Call
WMI - Windows Management Instrumentation
SCCM - MECM
-
Processes
Process Creation
Threads
Process monitoring
-
Services
Service Permissions
COM Object
-
SECURITY & AUTH MECHANISM
-
Windows Authentication Process
-
LSA - Local Security Authority
LSA Secrets
Authentication Packages (APs) / Security Support Providers (SSPs)
Interactive and Non-Interactive Authentications
Logon Sessions
-
Windows Authorization Process
-
Security Principal
-
SID/RID
Well-Known SID
-
Access Control Entries/List - ACE/ACL/DACL/SACL
Case study
Security Descriptor
-
ACCESS TOKENS
Integrity level
LSASS - Local Security Authority Subsystem Service
Windows Privileges
LANMAN
NTLM
PROTECTED PROCESS
UAC - User Account Control
CREDENTIAL GUARD
Remote Credential Guard
Credential Manager
DPAPI - Data Protection API
CLM - Constrained Language Mode
AMSI - Anti-Malware Scanning Interface
LAPS - Local Administrator Password Solution
JEA - Just Enough Administrator
JIT - Just In Time
PAW - Privileged Access Workstation
PAM - Privileged Access Management
ETW - Event Tracing for Windows
ASR - Attack Surface Reduction
APPLOCKER
EXPLOIT GUARD (ASR feature) - MDEG (ex WDEG) - Microsoft Defender Exploit Guard
APPLICATION CONTROL - WDAC (ex Device Guard) - Windows Defender Application Control
-
Powershell Basics
resources
SQL Servers
WSL - Windows Subsystem for Linux
-
Linux
Tips
Cronjobs
SUDO - /etc/sudoers
-
CLI - Command Line Interface
Documents
-
Security Solutions
Host Security Solution
Network Security Solution
YARA
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++++++++ RECON ++++++++++++
-
External Reconnaissance
TOOLs for Passive Recon
-
Usernames/emails gathering
Using Null Session (SMB/RPC/LDAP/enum4linux/kerbrute)
Document metadata
Finding Address Space
Client Fingerprinting
-
Third Party Services
Cloud resources
Exchange
Office365
Outlook Web Access - OWA
GMAIL or OKTA
-
Mail - MX records - identify mail providers
Mail rules
-
Domain Name Recon - Domain/Subdomain Recon
-
Subdomain Enumeration/Bruteforcing & (Sub)Domain Takeovers
Certificate transparency
Virtual Host enumeration
DNS Spoofing aka DNS Cache Poisoning
Some tools
Social Media
-
Dorks
Google Dork
Github Dorks
Leaked Credentials
-
Wordlists making (usernames/emails/permutations/etc)
Password profiler
Rules Based
Passwords attacks
Password Spraying
Specialized Search Engines for Recon
Active Directory domain name
ADFS - Active Directory Federation Service
OSINT-tool list
VPN recon
RECONNESS - Framework for recon
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++ INITIAL COMPROMISE ++++
OSINT Methodology
Initial Execution without binaries/executables
-
Phishing All - Attacks (maldocs/hta/etc)
Fileless threats - Chaining Multiples Download
-
Attacks - Maldocs/Cred harvesting/Hybrid
Some little phishing/SE tips
Hybrid Phishing Attacks
-
Credentials Harvesting
Browser in the Browser (BITB)
-
EvilGinx
Evilginx & BITB
EvilGinx 2023
EVILGINX + GOPHISH - Best of BOTH!!!
noVNC - Steal Credentials & Bypass 2FA Using noVNC
SHTML
-
MalDocs - VBA/Macros
SCT files
SCF Files
RTF - Rich Text Format
-
Word/Excel
Macro
Remote Template Injection
OLE - Object Linking and Embedded
-
VBA
MessageBox with VBA
CreateProcess with VBA
VBA STOMPING & PURGING
Amsi Bypass - VBA
Bypass AV - VBA
PPID spoofing and cli argument spoofing
Various VB Macros-based RCE techniques
resolving exports in runtime without NtQueryInformationProcess or GetProcAddress
Backdooring Office Structures
-
Containerized Malware (ISO/IMG/PDF/etc)
MOTW - Mark Of The Web
-
Code Execution
HTML Smuggling
MSI
HTA - HTML Application
-
LNK - link abuse
Capturing Hash With LnK
CLICKONCE application/executable
GadgetToJscript
Some videos
github repo
-
Tools Used
Using GoPhish Example
Mail programming
MFA bypass
-
Others Vectors - Web App/AWS/Github repo/etc
TEAMS - a slack/discord-like on windows
Exchange
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++++ PENTESTING ALL ++++++
Methodology Internal Pentest
Common Ports
Network Recon after initial compromise
-
Windows Specific
-
Offensive CMD
resources
-
Offensive Powershell
one liners
CLSID spawn script .ps1
reverse shell from CRTP
-
Offensive .NET
ppidinjection.cs
Pentest WINDOWS from LINUX
-
SMTP - Simple Mail Transfer Protocol
Python script to VRFY users/mail
IMAP/POP3
SNMP - Simple Network Management Protocol
DNS attacks
FTP - File Transfer Protocol
-
SSH Pentesting
Stolen Key doesn't work
Rsync
RServices
-
RDP - Remote Desktop Protocol (SharpRDP)
RDP Session Hijack
RDP - PassTheHash (PTH)
WinRM
-
NTLM pentesting
Real scenarios article/writeup
-
Obtaining NTLM hashes
Internal Monologue Attack
WPAD auto discovery protocols
MITM - man in the middle
Netbios & LLMNR - insecure name resolution
HTTP NetNTLM gathering
Using LnK (most interesting with HTTP netNTLM gathering)
Using Outlook - via mail signature (HTTP gathering)
Using OFFICE - WORD
Using MSSQL
PetitPotam
Abusing ETW to obtain NTLM hashes
Using SCF files
SCCM coercing
NTLM Hashes using IPv6
-
Abusing ntlm with relay
NTLM relay
NTLM Relay with CS
-
relay everywhere
imap
smb
ldap/ldaps
WPAD
-
SMB Pentesting
Enumeration
Exploitation SMB
Cheatsheet
ippsec videos
Pentesting
-
MySQL
MySQL UDF Windows version
-
MSSQL
Footprinting MSSQL
-
MSSQL Server Abuse
MSSQL Command Execution
-
Abusing MSSQL link
-
Obtain REVERSE SHELL
Impacket reverse shell
Search through Databases
Capture MSSQL Service Hash
PowerUpSQL cheatsheet
MSSQL PrivEsc - From Service to System
Oracle Transparent Network Substrate (TNS)
IPMI - Intelligent Platform Management Interface
Interesting resource
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++ ACTIVE DIRECTORY ++++
CRTP bootcamp lab
Note taking
-
CHEATSHEETS
-
AD ATTACKS cheatsheet
Kerberos attacks 101
Pentesting Active Directory Cheatsheet TOP
AD EXPLOITATION CheatSheet & COMMAND REFERENCE
-
AZURE AD
Password Spraying in Azure AD
-
AD - Active Directory
Terminology
AD Objects
-
KERBEROS
Kerberos (French)
PAC - Privilege Attribute Certificate (French)
Kerberos
LDAP
-
DELEGATION
Unconstrained
-
Constrained
Traditional Constrained
Resource-Based Constrained
GPO
ACL/ACE
NTLM
-
Domain/Forest Trust
Parent/child
Ports
Protected Users
-
Pentesting Active Directory
KRB_AP_ERR_SKEW(Clock skew too great)
-
LDAP Queries for Offensive Operations
LDAP Queries For Stealthy Enumeration
-
Discovering key servers & servers of interest
Adidnsdump
-
Enumeration - Internal Recon
DNS enumeration
-
User/Group/Domain/computers
-
AD module
Using the AD Module for User Enumeration
Using the AD Module for Computer Enumeration
-
ADSI
Using ADSI for User Enumeration
Using ADSI for Computer Enumeration
-
ADFind
Using ADFind for User Enumeration
Using ADFind for Computer Enumeration
-
ADExplorer
Using ADExplorer for User Enumeration
Using ADExplorer for Computer Enumeration
-
Powerview
SharpView
WMIC
Bloodhound
-
Password policy - Account lockout policy
Enumerate password policy from Linux
-
Enumerate password policy from windows
Using ADmodule/ADSI/ADFind/ADExplorer
Fine-Grained Policy
PASSWD_NOTREQD Field - No Passwd Policy For some user
SID conversion
Domain Enumeration
-
Domain Trust Enumeration
trust_explorer.py
Using ADmodule/ADSI/ADFind/ADExplorer
USER HUNTING (local/domain admins, logged-on users) OPSEC
-
SPN enumeration
Common SPNs
GPO Enumeration
OU Enumeration
-
ACL Enumeration
-
Enumeration with Powerview
Powerview cheatsheet
Enumerating ACL with BloodHound
Permissions Object
Find web app
-
Shares - Domain context
OPSEC enumerate user's accessible dir
-
Kerberos Delegation - Enumeration
Unconstrained Delegation Enumeration
Constrained Delegation Enumeration
-
Scripts
ADenum.ps1 from OSCP
powerview.ps1 (dev)
Import-ActiveDirectory.ps1
-
Cheatsheet (powerview/powerup/powersploit)
Cheatsheets pdf
Native commands
Enumeration AD from Linux
-
Internal Password Spraying
From Linux
From Windows
With Cobaltstrike
-
LDAP pentesting
Exploiting LDAP Server NULL Bind
Testing LDAP servers
ldapsearch/windapsearch
Sniffing LDAP credentials
-
MS Exchange
Exchange ACL
Attacking MS Exchange Web Interfaces
-
Abusing Groups Privilege
Backup Operators
Event Log Readers
DnsAdmins
Hyper-V Administrators
Print Operators
Server Operators
Exploiting SCCM/MECM
-
POST-EXPLOIT/LATERAL Movement
Double "Hop" Problem
-
Kerberos Attacks
-
Tool cheatsheet
Purge tickets
Linux Kerberos Ticket
-
AS-REP ROASTING
Querying-Cracking Kerberos Tickets!
-
KERBEROASTING
Kerberoasting from Windows
Kerberoasting Using MS-SQL Server
List of SPN
OVER-PASS-THE-HASH
UnPAC the Hash
PASS-THE-KEY
-
PASS-THE-TICKET PtT
Pass the Ticket (PtT) from Linux
PASS-THE-CACHE
PASS-THE-CERTIFICATE
SILVER TICKET
GOLDEN TICKET
DIAMOND TICKET
-
DELEGATION
Unconstrained Delegation
-
Constrained Delegation
-
Traditional
-
S4U2Self & S4U2Proxy Abuse - Protocol Transition Abuse
S4U2Self Abuse/trick
S4U2Proxy Abuse
Resources based
Useful Tickets
resources
NoPAC/sAMAccountName spoofing
PASS-THE-HASH
Elevate CMD to admin
-
PSRemoting
Invoke-Mimikatz example
Test-PSRemoting
-
LAPS
Enumerate with LAPSToolkit/ADmodule/ADSI/ADFind/ADExplorer
LAPS - DACL Abuse
Credentials Dumping: LAPS
NTLM Pentesting
-
LLMNR/NBT-NS poisoning
LLMNR-NBT-NS poisoning on Linux
LLMNR-NBT-NS poisoning on Windows
SMB relay
WPAD
-
gMSA - group Managed Service Account
Enumerate Using ADmodule/ADSI/ADFind/ADExplorer
-
DACLs/ACEs Abuse
ACL Abuse Chain Example
Useful Abuse Example
GPP Abuse - Group Policy Preference
Autologon configured via Group Policy
GPO Abuse
DCSync
Abusing TOKEN
-
Certificate Attacks
ADCS - Active Directory Certificate Service
PASS-THE-CERTIFICATE
-
PETITPOTAM
-
PetitPotam – NTLM Relay to AD CS
PetitPotam.ps1
PETITPOTAM - from linux
Persistence ADCS Certificates - User & Computer
Forged Certificates
-
Domain Trust Abuse
-
Parent-Child Trusts Abuse
from WINDOWS - Attacking Parent/Child Trusts
from LINUX - Attacking Parent/Child Trusts
-
One Way - Inbound/Outbound
One Way - inbound
One Way - Outbound
-
Cross-Forest Trusts Abuse
-
from WINDOWS - Cross-Forest Trust Abuse
Kerberoasting Cross-Forest
SID History Abuse
Admin Password Re-Use & Group Membership
-
from LINUX - Cross-Forest Trust Abuse
Kerberoasting Cross-Forest
Hunting Foreign Group Membership with Bloodhound-python
PrintNightmare
Printer Bug
Internal Web Apps
Exchange Privesc
SCCM
Dumping/stole credentials/hashes
-
DOMAIN DOMINANCE (persistence)
SKELETON KEY
SHADOW CREDENTIAL - DC SHADOW
DSRM
MACHINE ACCOUNT
SSP
Constrained Delegation
-
ACLs Persistence
AdminSDHolder
Right Abuse
Security Descriptor Abuse
ACL Backdoors
Forged/Golden Certificates
-
LAPS
LAPS Persistence
LAPS Backdoor
ADCS Certificates Persistence - User & Computer
Resources
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++ POST-EXPLOITATION ++++
Objectives of Privesc/Lateral Movement
Web proxies
-
Pivoting/Tunneling and Port Forwarding
DNS Tunneling with Dnscat2
-
SSH
SSH Port Forwarding
Sshuttle - SSH Pivoting
SSH for Windows: PLINK.exe
-
CHISEL - SOCKS5 Tunneling
ERROR: /lib/x86_64-linux-gnu/libc.so.6
Tunneling Through Windows Machines with Chisel
CHISEL - SOCKS5 Tunneling
-
Windows
SSH for Windows: PLINK.exe
Netsh Windows - Port Forwarding
RDP and SOCKS Tunneling with SocksOverRDP
-
Metasploit Pivoting
Through Cobaltstrike socks4a
Cobaltstrike pivoting
-
SOCAT
Redirection with a Reverse Shell
Redirection with a Bind Shell
RPIVOT - Web Server Pivoting
Netcat Relay
Global Cheatsheet
Detection & Prevention
*********
-
WINDOWS
OPSEC/Pro tips
-
PrivEsc/Lateral Movement
-
Privilege Escalation
-
Initial Enumeration
Tools
Sektor7 course
Methodology checkbox
-
Windows Privileges (SeBackup/SeRestore/etc/etc)
SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
SeDebugPrivilege
-
SeTakeOwnerShipPrivilege
EnableAllTokenPrivs.ps1
SeBackupPrivilege/SeRestorePrivilege
SeLoadDriverPrivilege
-
Exploitation Tools - All Potatoes
RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
JuicyPotato
RottenPotato
Research paper - Indepth paper
Steal Token manually
-
Dumping/stole credentials/hashes
-
DPAPI - Credential Manager
Google Chrome Case
NTDS database (ntds.dit)
LSA Secrets
WDIGEST
SAM database
Pillaging - Credential Hunting
VMDK/VHD/VHDX - read HDD of VMs
-
Lateral Movement
AT/SCHtasks/SC
-
LSASS.exe - CREDENTIAL STEALING TECHNIQUES
Credentials from dmp file
Remote extraction of LSASS secrets
Got Hashes? What's next?
Windows Apps Proxy GUI
Living Off the Land
-
PASS-THE-HASH (PtH)
PTH from Windows
PTH from Linux
PtH Tools/techniques
-
RDP - Remote Desktop Protocol
RDP - Shadow Attack
WMI for Lateral Movement
DCOM object for lateral Movement
Browse as your victim (CursedChrome)
-
Run BeaconObjectFile (BOF) outside CS
RunOF - Arbitrary BeaconObjectFile tool
Use Malicious Drivers
Keepass - extract master passwd
Abusing Cookies to access Instant Messaging
Slack
Teams
-
Download files from Windows
cradles
Cheatsheet
Transfer Files - Exfiltrate from Windows
Resources (book/articles/etc)
*********
-
PERSISTENCE
APT persistence
-
COM Object Hijacking
Hunting For COM Hijack - Practice Example (CRTO)
CLSID spawn registry folder
WMI Persistence
TaskScheduler with Cobaltstrike & SharpPersist
*********
-
Linux
-
PrivEsc Methodology & Techniques
MySQL UDF Linux version
Checklist
LinEnum - Understand the output
PERSISTENCE
-
Find/Attack/Pillaging Local Password
Pillaging - Credential Hunting
Passwd, Shadow & Opasswd
-
File Transfer Methods
resources
Data Exfiltration
*********
*********
-
Password CRACKING
NTLM
Cracking Protected Files
Cracking Protected archive
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++++ EVASION/BYPASS ++++++
!!!! - TOOLs TOP evasion/creation - !!!!
-
BYOL - Bring Your Own Lab
Simulate SIEM/EDR with wazuh and sysmon
AD lab
EDR Labs
Exchange Lab - Proxyshell/Proxylogon
SCCM / MECM Lab
Detection lab
BYPASS Security Products
BYPASS EVENT ID number X
Drivers
-
Bypass Powershell Security
Bypass Constrained Language Mode - CLM
Bypass CMD/PWSH blocked
Powershell without pwsh
-
PPID Spoofing
With TaskScheduler and COM
With WMI and COM - Emotet method
CLI arguments spoofing
Bypass Hash blacklist & signature whitelist
-
UAC Bypass
Using UACMe
Some scripts
-
AMSI bypass
Manual Bypass Method
-
Byte Patching
My modified rasta bypass (WORK!!!) - BYTE PATCHING
Rastamouse bypass
VBA amsi bypass
Windows DEFENDER
Bypassing Defender with ThreatCheck & Ghidra
-
Bypass Static Detection
.NET - Bypass Static detection
Powershell - Bypass Static Detection
-
ASR - Attack Surface Reduction
-
Bypass ASR
-
OFFICE RULES & BYPASS
Block All Office App from creating child processes
Block All Office App from creating executables content
Block Win32 API call from Office macros
Block JS and VBScript from launching downloaded executable content
EXPLOIT GUARD (ASR feature) - MDEG (ex WDEG) - Microsoft Defender Exploit Guard
-
APPLICATION CONTROL - WDAC (ex Device Guard) - Windows Defender Application Control
Bypass WDAC
APPLICATION GUARD - MDAG (ex WDAG) - Microsoft Defender App Guard
Credential Guard Bypass
-
APPLOCKER
Applocker Bypass
JEA bypass
JIT bypass
PAW bypass
ETW Bypass
SYSMON
Windows Event Log Blinding
SANDBOX Evasion
Anti-Debugging techniques
DONUT
Indirect EXE execution
Protected View - Office
Bypass PPL - Bypass Protected Process
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
+++++++ MALWARE DEV ++++++++
Tips and tricks
(void (*)()) explained
-
Script utilities
hex_to_0x.py
string_to_hex.py
custom_padding.c
bin2sc.py
The basics of Malware Dev
Understanding Concepts Of VA, RVA and File pointer/raw addresses & Offsets
-
Windows Internals from MalDev POV
-
Windows Memory management
Allocate/write/free memory examples with WinAPI
Undocumented structures
The Native API (NTAPI)
Win32AP_Offensive_Cheatsheet
-
Malware Dev beyond the basics
Get a pointer to PE HEADERS
-
DLL - Dynamic Link Libraries
Dynamic linking
-
PE file (exe, DLL)
-
HEADERS (DOS/PE/OPTIONAL/etc)
DOS HEADER
DOS STUB
RICH HEADER
-
NT/PE HEADER (IMAGE_NT_HEADERS)
Signature
File Header (IMAGE_FILE_HEADER)
-
Optional Header (IMAGE_OPTIONAL_HEADER)
-
Data Directory
-
Export Address Table (EAT) - IMAGE_EXPORT_DIRECTORY
Code source
Import Directory/Address/lookup table - IDT/IAT/ILT
Sections
Relocation
Export Address Table (EAT) - IMAGE_EXPORT_DIRECTORY
Import Address Table - IAT
-
PEB - Process Environment Block
PEB address in ASM for EDR EVASION
TEB - Thread Environment Block
PAYLOAD EXECUTION
DLL SideLoading
DLL Proxying
Payloads in different PE sections
Backdooring PE
-
EDR/AV Evasion/bypass/unhooking
-
Unhooking EDR/AV
Import Address Table (IAT) hooking
Prevent AV/EDR injection
-
Spoofing (stack/return address/etc)
Thread Stack Spoofing
spoof ret address
Stack spoofing
-
Module Stomping - hide payload in memory
(void (*)()) explained
encrypting heap allocation
-
Specific techniques - HellsGate,HaloGate,PerunsFart,etc
HELLS GATE
HALO Gate
PERUNS FART
-
Evasions techniques
Code Signing
Binary Detail
TARGETED payloads
Evade Memory Scanner
Ordinals
Function Call Obfuscation
ARTICLES on EDR evasion stuff
-
Payload Encryption/obfuscation
-
Encryption
-
XOR
^ Bitwise XOR
RC4
-
AES
AES code from Sektor7
-
Obfuscation
IPv4/IPv6Fuscation
MACFuscation
UUIDFuscation
-
Payload Staging
Web Server
Windows Registry
-
SYSCALLS
DIRECT SYSCALLS
INDIRECT SYSCALLS
Article SYSCALL
Syscall tooling
-
API Hashing
Combining Indirect Dynamic Syscalls and API Hashing
-
C#
P/invoke
-
D/Invoke
MessageBox with D/Invoke
NtCreateUserProcess with D/Invoke
Powershell - WinAPI with powershell
-
PROCESS/THREAD Injection/Hollowing/Ghosting/etc
Memory Execution Alternatives
-
Shellcode Injection
WOW64 32bit and 64bit
-
Abusing DLL - DLL injection (Normal & Reflective)
-
Dll Injection
Code From MalDev
Reflective Loader/ReflectiveDLL injection
Process Hollowing
Process Mockingjay
Section Manipulation
Map Sections & Views - MapView
-
QueueUserAPC
C++ code
-
THREAD hijacking
-
With Thread Creation
Local Thread Creation
Remote Thread Creation
-
Without Thread Creation
-
Local Thread Enumeration
From THM/Sektor7
Remote Thread Enumeration
-
C# (Process Injection, etc)
Type Marshalling
Define C structure in C#
MessageBox with C#
CreateProcess with C#
CreateThread for shellcode injection in C#
QueueUserAPC for shellcode injection in C#
Executing Position Independent Shellcode from Object Files in Memory
Look at BlueTeam Detection/stuff
Videos MUST LOOK advanced techniques/concepts
8 articles on malware dev
malapi.io - Malware WinAPI used
Virustotal-like
Remove CRT runtime
DLL proxying
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
+++ GUIDES/CHEATSHEET/TIPS +++
-
Guides/Cheatsheet
-
OSCP guide
OSCP methodology checkbox list
-
Pentesting Methodology cheatsheet
Penetration Testing Tools Cheat Sheet
GUIDE FROM CONTI RANSOMWARE GROUP
REDTEAM cheatsheet (seems incomplete as fuck)
Docker commands
Mindmap
IPPSEC notes/tips
-
Tips and Tricks
BASE64 Enc
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++++++ TOOLING ++++++++++
RedTeam Tool from mgeeky
-
Cobaltstrike
Extending CS
-
Pro_Tips/OPSEc_tips
REMINDER
-
Listeners/Beacons types
Pivot Listener
Initial Access, Recon, and Post-Exploitation
INJECT - Process Injection
NTLM Relaying
-
GPO Abuse
RSAT For Create/Manage GPOs
SharpGPOAbuse
DACL Abuse
Bypass Powershell Constrained Language Mode (CLM) with CS
UAC Bypass
-
Lateral Movement
OPTH Using Cobaltstrike
Kerberoasting
Constrained Delegation
Unconstrained Delegation
Printer Bug
-
Extracting kerberos ticket
Extracting Kerberos Ticket From Linux Machine
MSSQL Linked DB
MSSQL PrivEsc - SweetPotato
-
Pivoting with CS
SOCKS Proxies
Reverse Ports Forward
Persistence (locally persist)
-
Domain Dominance
DCSYNC
AdminSDHolder
Remote Registry Backdoor
Silver Ticket
Golden Ticket
Forged Certificates
-
Domain Trust Abuse
One Way - Inbound
One Way - Outbound
-
Malleable C2 Profiles
Automated Profile Creation
Process injection choice
-
BOF - Beacon Object File
Hide beacon during BOF execution
-
KITS
Artifact Kit
Resource Kit
-
ElevateKit
Extend Elevate kit
sleepmask - own implementation
Process injection
-
Aggressor script
Examples scripts
Resources
-
Others C2
-
Metasploit
Using the Database
Searching for Modules
Writing & Importing Modules
Plugins
Local PrivEsc
Meterpreter
resources
Firewall & IDS/IPS Evasion
Empire
HAVOC
-
TOOLS
-
Cheatsheet
WADComs - Interactive cheatsheet
Practical Tools (nc,socat,powercat)
-
Port Scanner
MASSCAN
-
NMAP
Network enumeration with Nmap
IDS/IPS
resources
NSE - nmap script engine
-
TCPDUMP
Document
-
Bloodhound
Custom queries
BloodHound From Linux - BloodHound.py
-
Mimikatz in depth
Invoke-Mimikatz
cURL
httpie
Responder
Inveigh
SharpHound
MITM6
POWERUP (privEsc)
NTLMRELAYx
Rubeus
PowerUpSQL cheatsheet
John The Ripper - JTR
Evil-Winrm
WireShark
ffuf
Vortex
-
Shell
windows rev shell
Interactive reverse shell
Reverse shell cheatsheet
++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++
-
++++++++ REPORTING ++++++++
-
REPORTING
RedTeam Assessment Reporting
++++++++++++++++++++++++++++++
****************************