Skip to content

Commit

Permalink
First commit
Browse files Browse the repository at this point in the history
  • Loading branch information
@marcosValle
marcosValle committed Sep 23, 2018
1 parent 71630ca commit 7576062
Show file tree
Hide file tree
Showing 2 changed files with 189 additions and 2 deletions.
16 changes: 16 additions & 0 deletions CONTRIBUTING.md
View file
@@ -0,0 +1,16 @@
# Contributing

Your contributions are always welcome!

## Guidelines

* Add one link per Pull Request.
* Add the link: `* [resource-name](http://example.com/) - A short description ends with a period.`
* Keep descriptions concise.
* Add a section if needed.
* Add the section description.
* Add the section title to Contents.
* Search previous suggestions before making a new one, as yours may be a duplicate.
* Check your spelling and grammar.
* Remove any trailing whitespace.
* Send a Pull Request with the reason why the resource is awesome.
175 changes: 173 additions & 2 deletions README.md
View file
@@ -1,2 +1,173 @@
# awesome-windows-red-team
A curated list of awesome Windows frameworks, libraries, software and resources for Red Teams
# Awesome Windows Red Team [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

> A curated list of awesome Windows talks, tools and resources for Red Teams, from beginners to ninjas.
## Contents

* [Books](#books)
* [Courses](#courses)
* [System Architecture](#system-architecture)
* [Active Directory](#active-directory)
* [Kerberos](#kerberos)
* [Lssass SAM NTLM GPO](#lssass-sam-ntlm-gpo)
* [WinAPI](#winapi)
* [Lateral Movement](#lateral-movement)
* [Pass the Hash](#pass-the-hash)
* [Pass the Ticket](#pass-the-ticket)
* [Privilege Escalation](#privilege-escalation)
* [UAC bypass](#uac-bypass)
* [Defense Evasion](#defense-evasion)
* [Exfiltration](#exfiltration)
* [PowerShell](#powershell)
* [Phishing](#phishing)
* [Maldocs](#maldocs)
* [Macros](#macros)
* [DDE](#dde)
* [HTA](#hta)
* [Tools](#tools)

## Books

* [Windows Internals, Seventh Edition, Part 1](https://www.amazon.com.br/Windows-Internals-Book-User-Mode/dp/0735684189?tag=goog0ef-20&smid=A1ZZFT5FULY4LN)
* [Windows Internals, Sixth Edition, Part 1](https://www.amazon.com.br/Windows-Internals-Part-Developer-Reference-ebook/dp/B00JDMPHIG?tag=goog0ef-20&smid=A18CNA8NWQSYHH)
* [Windows Internals, Sixth Edition, Part 2](https://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735665877)
* [How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK](https://www.amazon.com/How-Hack-Like-PORNSTAR-breaking-ebook/dp/B01MTDLGQQ)
* [The Hacker Playbook 3: Practical Guide To Penetration Testing](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2)

## Courses

* [Professor Messer's CompTIA SY0-501 Security+ Course](http://www.professormesser.com/security-plus/sy0-501/sy0-501-training-course/)
* [Penetration Testing with Kali (PWK) Online Security Training Course](https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/)
* [Offensive Security Certified Expert](https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/)
* [Advanced Windows Exploitation: Live Hands-on Penetration Testing Training](https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/)
* [Windows API Exploitation Recipes: Processes, Tokens and Memory RW](https://www.pentesteracademy.com/course?id=31)
* [Powershell for Pentesters - Pentester Academy](https://www.pentesteracademy.com/course?id=21)
* [WMI Attacks and Defense - Pentester Academy](https://www.pentesteracademy.com/course?id=34)
* [Windows Red Team Lab - Pentester Academy](https://www.pentesteracademy.com/redteamlab)

## System Architecture

### Active Directory

* [ADsecurity.org](https://adsecurity.org/)
* [DerbyCon4 - How to Secure and Sys Admin Windows like a Boss](https://www.youtube.com/watch?v=jKpaaDKVovk&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=79)
* [DEFCON 20: Owned in 60 Seconds: From Network Guest to Windows Domain Admin](https://www.youtube.com/watch?v=nHU3ujyw_sQ)
* [BH2015 - Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection](https://www.youtube.com/watch?v=b6GUXerE9Ac)
* [BH2016 - Beyond the Mcse: Active Directory for the Security Professional](https://www.youtube.com/watch?v=2w1cesS7pGY)
* [BH2017 - Evading Microsoft ATA for Active Directory Domination ](https://www.youtube.com/watch?v=bHkv63-1GBY)
* [DEFCON 26 - Exploiting Active Directory Administrator Insecurities](https://www.youtube.com/watch?v=WaGgofGnWaI)
* [BH2017 - An ACE Up the Sleeve: Designing Active Directory DACL Backdoors](https://www.youtube.com/watch?v=ys1LZ1MzIxE)
* [DerbyCon7 - Building the DeathStar getting Domain Admin with a push of a button (aka how I almost automated myself out pf a job)](https://www.youtube.com/watch?v=kGoc_apljpU)
* [DerbyCon4 - Abusing Active Directory in Post Exploitation](https://www.youtube.com/watch?v=sTU-70dD-Ok&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=12)


### Kerberos

* [MicroNugget: How Does Kerberos Work?](https://www.youtube.com/watch?v=kp5d8Yv3-0c)
* [MIT 6.858 Fall 2014 Lecture 13: Kerberos](https://www.youtube.com/watch?v=bcWxLl8x33c)
* [DerbyCon4 - Et tu Kerberos](https://www.youtube.com/watch?v=RIRQQCM4wz8&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=14)
* [DerbyCon7 - Return From The Underworld The Future Of Red Team Kerberos](https://www.youtube.com/watch?v=E_BNhuGmJwM&t=0s&index=2&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [BH2014 - Abusing Microsoft Kerberos: Sorry You Guys Don't Get It](https://www.youtube.com/watch?v=lJQn06QLwEw)
* [DerbyCon4 - Attacking Microsoft Kerberos Kicking the Guard Dog of Hades](https://www.youtube.com/watch?v=PUyhlN-E5MU&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=57)

### Lsass SAM NTLM GPO

* [Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack](https://www.andreafortuna.org/dfir/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/)
* [ATT&CK - Credential Dumping](https://attack.mitre.org/wiki/Technique/T1003)
* [BH2002 - Cracking NTLMv2 Authentication](https://www.youtube.com/watch?v=x4c8J70kHKc)
* [DerbyCon7 - Securing Windows with Group Policy ](https://www.youtube.com/watch?v=Upeaa2rgozk&t=0s&index=66&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [Abusing GPO Permissions](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
* [Targeted Kerberoasting](https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/)

### WinAPI

* [DerbyCon4 - Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse](https://www.youtube.com/watch?v=xll_RXQX_Is&index=7&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg&t=0s)

## Lateral Movement

### Pass the Hash

* [ATT&CK - Pass the Hash](https://attack.mitre.org/wiki/Technique/T1075)
* [BH2013 - Pass the Hash and other credential theft and reuse: Preventing Lateral Movement...](https://www.youtube.com/watch?v=xxwIh2pvbyw&t=345s)
* [BH2013 - Pass the Hash 2: The Admin's Revenge](https://www.youtube.com/watch?v=A5xntvKaRlk)
* [From Pass-the-Hash to Pass-the-Ticket with No Pain](https://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/#gref)
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)

### Pass the Ticket

* [ATT&CK - Pass the Ticket](https://attack.mitre.org/wiki/Technique/T1097)

## Privilege Escalation

* [Level Up! Practical Windows Privilege Escalation - Andrew Smith](https://www.youtube.com/watch?v=PC_iMqiuIRQ)
* [Windows Privilege Escalation Presentation](https://www.youtube.com/watch?v=mcJ3aRSqGSo)
* [Windows Kernel Exploits](https://github.com/SecWiki/windows-kernel-exploits)
* [DEF CON 22 - Kallenberg and Kovah - Extreme Privilege Escalation On Windows 8/UEFI Systems](https://www.youtube.com/watch?v=d6VCri6sPnY)
* [DEF CON 25 - Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level](https://www.youtube.com/watch?v=Gu_5kkErQ6Y)
* [DerbyCon7 - Not a Security Boundary Bypassing User Account Control](https://www.youtube.com/watch?v=c8LgqtATAnE&t=0s&index=21&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)

## Defense Evasion

* [DerbyCon3 - Antivirus Evasion Lessons Learned](https://www.youtube.com/watch?v=ycgaekqAkpA)
* [DerbyCon7 - T110 Modern Evasion Techniques](https://www.youtube.com/watch?v=xcA2riLyHtQ)
* [DerbyCon7 - Evading Autoruns](https://www.youtube.com/watch?v=AEmuhCwFL5I)
* [Red Team Techniques for Evading, Bypassing & Disabling MS](https://www.youtube.com/watch?v=2HNuzUuVyv0)

## Exfiltration

* [Abusing Windows Management Instrumentation (WMI)](https://www.youtube.com/watch?v=0SjMgnGwpq8)
* [DEF CON 23 - Panel - WhyMI so Sexy: WMI Attacks - Real Time Defense and Advanced Forensics](https://www.youtube.com/watch?v=xBd6p-Lz3kE)
* [DerbyCon3 - Living Off The Land A Minimalist's Guide To Windows Post Exploitation](https://www.youtube.com/watch?v=j-r6UonEkUw)

## PowerShell

* [DEF CON 18 - David Kennedy "ReL1K" & Josh Kelley - Powershell...omfg](https://www.youtube.com/watch?v=q5pA49C7QJg)
* [DEF CON 22 - Investigating PowerShell Attacks](https://www.youtube.com/watch?v=EcOf1s90vsg)
* [DerbyCon2016 - 106 PowerShell Secrets and Tactics Ben0xA](https://www.youtube.com/watch?v=mPPv6_adTyg)
* [Daniel Bohannon – Invoke-Obfuscation: PowerShell obFUsk8tion](https://www.youtube.com/watch?v=uE8IAxM_BhE)
* [BH2017 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science](https://www.youtube.com/watch?v=x97ejtv56xw)

## Phishing

### Maldocs

* [Phishing with Maldocs](https://www.n00py.io/2017/04/phishing-with-maldocs/)
* [Phishing with Empire](https://enigma0x3.net/2016/03/15/phishing-with-empire/)

### Macros

* [Phishing with Macros and Powershell](https://www.securitysift.com/phishing-with-macros-and-powershell/)

### DDE

* [About Dynamic Data Exchange](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-dynamic-data-exchange)
* [Abusing Microsoft Office DDE](https://www.securitysift.com/abusing-microsoft-office-dde/)
* [Microsoft Office Dynamic Data Exchange(DDE) attacks](https://resources.infosecinstitute.com/microsoft-office-dynamic-data-exchangedde-attacks/#gref)
* [Office-DDE-Payloads](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads)

### HTA

* [Hacking around HTA files](http://blog.sevagas.com/?Hacking-around-HTA-files)

## Tools

* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* [Cobalt Strike](https://www.cobaltstrike.com/)
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
* [Empire](https://github.com/EmpireProject/Empire)
* [Nishang](https://github.com/samratashok/nishang)
* [Responder](https://github.com/SpiderLabs/Responder)
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
* [PSExec](https://www.toshellandback.com/2017/02/11/psexec/)

# Other Awesome Lists

* [Awesome Red Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming)
* [Red Teaming Toolkit](https://github.com/infosecn1nja/Red-Teaming-Toolkit)
* [Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* [Awesome Pentest](https://github.com/Muhammd/Awesome-Pentest)

# Contributing
Your contributions are always welcome! Please take a look at the contribution guidelines first.

If you have any question about this opinionated list, do not hesitate to contact me @_mvalle_ on Twitter or open an issue on GitHub.

0 comments on commit 7576062

Please sign in to comment.