Windows Server AD and O365 Advanced PenTest

This document provides links to resources about penetration testing Windows Server and Active Directory environments. It covers topics like enumeration of Windows and Active Directory, using BloodHound to analyze permissions, exploiting the Zerologon vulnerability, using DCSYNC to dump password hashes, Kerberos attacks like Golden Tickets, general penetration testing of Active Directory, attacking WSUS servers, Windows privilege escalation techniques, and DLL hijacking. The resources linked are articles, blog posts, videos, and GitHub repositories containing techniques, guides and tools to aid in penetration testing these environments.


PenTest in Windows Server and Active Directory - Overview

Joas Antonio
Details
• The goal of this PDF is to present the different kinds of techniques used to compromise a Windows server and an Active Directory environment;
• This PDF is mostly theoretical and contains no step-by-step or hands-on material, only reference material to help you on this journey;
• My LinkedIn: https://www.linkedin.com/in/joas-antonio-dos-santos
• Other ebooks: https://bit.ly/3n8Ghgc
Enumeration Win and AD 1
• https://medium.com/bugbountywriteup/automating-ad-enumeration-with-frameworks-f8c7449563be
• https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78
• https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf
• https://github.com/CroweCybersecurity/ad-ldap-enum
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview
• https://owasp.org/www-pdf-archive/OWASP_FFM_41_OffensiveActiveDirectory_101_MichaelRitter.pdf
• https://www.trustedsec.com/blog/targeted-active-directory-host-enumeration/
• https://www.attackdebris.com/?p=470
Enumeration Win and AD 2
• https://www.youtube.com/watch?v=TKXc2n9Qucc&ab_channel=PwnDefend
• https://www.youtube.com/watch?v=gl6-8AXlfL4&ab_channel=YaksasCSC
• https://www.youtube.com/watch?v=DBx-AA9nOc0&ab_channel=PentesterAcademyTV
• https://adsecurity.org/?p=3719
• https://0xdarkvortex.dev/index.php/2019/01/01/active-directory-penetration-dojo-ad-environment-enumeration-1/
• https://www.sakshamdixit.com/powershell-enum-of-active-directory-part-1/
• https://derkvanderwoude.medium.com/active-directory-enumeration-detected-by-microsoft-security-solutions-9f983ab3382a
Enumeration Win and AD 3
• https://arnavtripathy98.medium.com/smb-enumeration-for-penetration-testing-e782a328bf1b
• https://www.varonis.com/blog/powershell-for-pentesters/
• https://www.hackercoolmagazine.com/windows-powershell-enumeration-post-exploit/
• https://resources.infosecinstitute.com/topic/powershell-for-pentesters-part-1-introduction-to-powershell-and-cmdlets/
• http://www.lifeoverpentest.com/2018/02/enumeration-cheat-sheet-for-windows.html
Enumeration Win and AD 4
• https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
• https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse
• https://www.sakshamdixit.com/domain-enumeration-part-3/
• https://pentesttools.net/adrecon-active-directory-reconnaissance/
• http://thewindowsupdate.com/2019/04/17/ldap-reconnaissance-the-foundation-of-active-directory-attacks/
Enumeration Win and AD 5
• https://attack.stealthbits.com/ldap-reconnaissance-active-directory
• https://techcommunity.microsoft.com/t5/microsoft-security-and/ldap-reconnaissance-the-foundation-of-active-directory-attacks/ba-p/462973
• https://minutodaseguranca.blog.br/overview-para-pen-test-no-active-directory/
• https://github.com/sense-of-security/ADRecon
• https://www.youtube.com/watch?v=1sN8gqDdm3k&ab_channel=MotasemHamdan-CyberSecurityTrainer
• https://becomepentester.gitbook.io/pentesting/active-directory-enumeration-1/active-directory-enumeration-part-1
Enumeration Win and AD 6
• https://adsecurity.org/?p=1508
• https://pentestlab.blog/2018/06/04/spn-discovery/
• https://stealthbits.com/blog/extracting-service-account-passwords-with-kerberoasting/
• https://stealthbits.com/blog/20170501discovering-service-accounts-without-using-privileges/
• https://pentestlab.blog/2019/09/12/microsoft-exchange-acl/
BloodHound 1
• https://wald0.com/?p=112
• https://stealthbits.com/blog/attacking-active-directory-permissions-with-bloodhound/
• https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx
• https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/
• https://www.youtube.com/watch?v=1OSdHTvF03Y&ab_channel=Semperis
BloodHound 2
• https://www.youtube.com/watch?v=RUbADHcBLKg&ab_channel=SpecterOps
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux
• https://blog.compass-security.com/2019/12/finding-active-directory-attack-paths-using-bloodhound/
• https://www.microsoft.com/security/blog/2020/08/27/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning/
• https://datacellsolutions.com/2020/11/10/active-directory-domain-enumeration-and-exploitation-using-bloodhound/
Zerologon
• https://www.trendmicro.com/en_us/what-is/zerologon.html
• https://www.youtube.com/watch?v=U_1RTCl63hc&ab_channel=DanielDonda
• https://www.youtube.com/watch?v=6xMGsdD-ArI&ab_channel=TheCyberMentor
• https://www.kroll.com/en/insights/publications/cyber/cve-2020-1472-zerologon-exploit-detection-cheat-sheet
DCSYNC
• https://adsecurity.org/?p=1729
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync
• https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync
• https://www.exploit-db.com/docs/48298
• https://www.qomplx.com/kerberos_dcsync_attacks_explained/
• https://pentestlab.blog/tag/dcsync/
Kerberos & Golden Ticket
• https://attack.stealthbits.com/how-golden-ticket-attack-works
• https://www.varonis.com/blog/kerberos-how-to-stop-golden-tickets/
• https://adsecurity.org/?tag=goldenticket
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets
• https://owasp.org/www-pdf-archive/OWASP_Frankfurt_-44_Kerberoasting.pdf
Kerberos
• https://periciacomputacional.com/exploiting-smb-and-kerberos-to-obtain-administrator-access/
• https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
• https://www.zdnet.com/article/proof-of-concept-exploit-code-published-for-new-kerberos-bronze-bit-attack/
• https://www.youtube.com/watch?v=ErWhWBdDwTU&ab_channel=MotasemHamdan-CyberSecurityTrainer
• https://www.youtube.com/watch?v=JkIA7eWeVoY&ab_channel=AnkitJoshi
PenTest AD
• https://medium.com/@daniela.mh20/attacktive-directory-thm-walkthrough-9a7f0c7cc925
• https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf
• https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf
• https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf
• https://i.blackhat.com/eu-19/Wednesday/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence-2.pdf
• https://www.blackhat.com/docs/webcast/05172018-BlackHat-Active-Directory-Delegation-Dissected.pdf
PenTest AD 2
• https://github.com/balaasif6789/AD-Pentesting
• https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
• https://github.com/SofianeHamlaoui/Pentest-Notes/blob/master/Security_cheatsheets/windows/active-directory.md
• https://github.com/initstring/pentest-methodology/blob/master/internal-ad.md
• https://github.com/browninfosecguy/ADLab
• https://github.com/R3dy/capsulecorp-pentest/blob/master/README.md
• https://github.com/Twi1ight/AD-Pentest-Script
WSUS PenTest
• https://www.gosecure.net/blog/2020/09/03/wsus-attacks-part-1-introducing-pywsus/
• https://pentestit.com/wsuxploit-weaponized-wsus-exploit-script/
• https://www.contextis.com/en/blog/securing-against-wsus-attacks
• https://github.com/AlsidOfficial/WSUSpendu
• https://resources.infosecinstitute.com/topic/targeting-wsus-server/
• https://medium.com/@bazyli.michal/more-than-a-penetration-test-cve-2019-1082-647ba2e59034
Privilege Escalation
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
• https://medium.com/bugbountywriteup/privilege-escalation-in-windows-380bee3a2842
• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae#:~:text=When%20a%20service%20is%20created,of%20the%20time%20it%20is
• https://medium.com/@orhan_yildirim/windows-privilege-escalation-unquoted-service-paths-61d19a9a1a6a
Privilege Escalation 2
• https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths
• https://pentestlab.blog/2017/03/09/unquoted-service-path/
• https://gracefulsecurity.com/privesc-insecure-service-permissions/
• https://medium.com/@shy327o/windows-privilege-escalation-insecure-service-1-ec4c428e4800
• https://itm4n.github.io/windows-registry-rpceptmapper-eop/
• https://labs.f-secure.com/assets/BlogFiles/mwri-windows-services-all-roads-lead-to-system-whitepaper.pdf
Privilege Escalation 3
• https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/
• https://medium.com/@anastasisvasileiadis/windows-privilege-escalation-alwaysinstallelevated-641e660b54bd
• https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/
• https://pentestlab.blog/2017/02/28/always-install-elevated/
• https://www.rapid7.com/db/modules/exploit/windows/local/always_install_elevated/
Privilege Escalation 4
• https://medium.com/techzap/dll-hijacking-part-1-basics-b6dfb8260cf1
• https://www.ibliss.com.br/dll-hijacking-exploracao/
• https://pentestlab.blog/2017/03/27/dll-hijacking/
• https://www.cyberark.com/resources/threat-research-blog/dllspy-tighten-your-defense-by-discovering-dll-hijacking-easily
• https://itm4n.github.io/windows-dll-hijacking-clarified/
• https://medium.com/@dannyp4p/privilege-escalation-dll-hijacking-668d7235bc98
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking
Privilege Escalation 5
• https://ivanitlearning.wordpress.com/2019/03/26/windows-privilege-escalation-via-dll-hijacking/
• https://www.ired.team/offensive-security/privilege-escalation/t1038-dll-hijacking
• https://www.youtube.com/watch?v=e_l5TCgw3wo&ab_channel=PentesterAcademyTV
• https://www.youtube.com/watch?v=9-HNMUo9urA&ab_channel=MotasemHamdan-CyberSecurityTrainer
• https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
• https://lifars.com/2018/10/privilege-escalation-on-windows-abusing-tokens/
Privilege Escalation 6
• https://medium.com/@shadowslayerqwerty/windows-token-based-privilege-escalation-8f282f722e03
• https://medium.com/palantir/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e
• https://www.cynet.com/network-attacks/privilege-escalation/
• https://www.ired.team/offensive-security/privilege-escalation/
• https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
• https://lolbas-project.github.io/
• https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
Privilege Escalation 7
• https://blueteamdope.gitbook.io/penetration-testing-playbook/privilege-escalation/windows-privilege-escalation
• https://github.com/frizb/Windows-Privilege-Escalation
• https://github.com/carlospolop/winPE
• https://github.com/togie6/Windows-Privesc
• https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
• https://github.com/TCM-Course-Resources/Windows-Privilege-Escalation-Resources
• https://github.com/M4ximuss/Powerless
• https://github.com/antonioCoco/RogueWinRM
• https://cd6629.gitbook.io/oscp-notes/windows-privesc/windows-privesc-arena-wlk
• https://github.com/rhodejo/OSCP-Prep/blob/master/Priv-Esc.md
Privilege Escalation 8
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
• https://www.fuzzysecurity.com/tutorials/16.html
• https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
• https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/
C2 and C3
• https://howto.thec2matrix.com/
• https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control/
• https://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/
• https://www.hackingloops.com/c2/
• https://www.blackhillsinfosec.com/c2-c3-whatever-it-takes/
• https://securityonline.info/spray-ad-a-cobalt-strike-tool-to-audit-active-directory-user-accounts/
• https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
• https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
• https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands
• https://github.com/FSecureLABS/C3
• https://0x1.gitlab.io/exploitation-tools/C3/
C2 and C3 - 2
• https://mohad.red/Integrating-C3-With-Cobalt-Strike/
• https://www.mdsec.co.uk/2019/02/external-c2-ie-com-objects-and-how-to-use-them-for-command-and-control/
• https://stealthbits.com/blog/next-gen-open-source-c2-frameworks/
• https://fatrodzianko.com/2019/08/14/getting-started-with-covenant-c2/
• https://www.youtube.com/watch?v=gbX0A1mx6no&ab_channel=Defsecone
Lateral Movement
• https://www.hackingarticles.in/lateral-movement-over-pass-the-hash/
• https://attack.mitre.org/techniques/T1550/002/
• https://www.varonis.com/blog/penetration-testing-explained-part-vi-passing-the-hash/
• https://logrhythm.com/blog/detecting-lateral-movement-from-pass-the-hash-attacks/
• https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/pass-the-hash
• https://www.hackingarticles.in/lateral-movement-pass-the-ticket-attack/
Lateral Movement 2
• https://resources.infosecinstitute.com/topic/pass-hash-pass-ticket-no-pain/
• https://bouj33boy.com/lateral-movement-without-lsass/
• https://redcanary.com/blog/lateral-movement-and-cryptomining/
• https://hackmag.com/security/lateral-movement/
• https://medium.com/attivotechblogs/lateral-movement-using-smb-session-enumeration-f4b1b17b6ee8
• https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec
• https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
• https://www.mindpointgroup.com/blog/lateral-movement-with-psexec/
Lateral Movement 3
• https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f
• https://logrhythm.com/blog/what-is-lateral-movement-and-how-to-detect-it/
• https://pentestlab.blog/2020/07/21/lateral-movement-services/
• https://medium.com/redteam-blueteam-series/lateral-movement-702e5b2a5177
• https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
Lateral Movement 4
• https://github.com/Mr-Un1k0d3r/SCShell
• https://github.com/JPCERTCC/DetectLM
• https://github.com/codewhitesec/LethalHTA
• https://github.com/0xthirteen/MoveKit
• https://github.com/CompassSecurity/Readinizer
• https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/ATT%26CK/Lateral%20Movement.md
• https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/
Powershell PenTest
• https://www.optiv.com/explore-optiv-insights/blog/unmanaged-powershell-binaries-and-endpoint-protection
• https://github.com/leechristensen/UnmanagedPowerShell
• https://www.youtube.com/watch?v=7tvfb9poTKg
• https://periciacomputacional.com/pentesting-with-powershell-in-six-steps/
• https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters
• https://www.varonis.com/blog/powershell-for-pentesters/
• https://resources.infosecinstitute.com/topic/powershell-for-pentesters-part-1-introduction-to-powershell-and-cmdlets/
• https://medium.com/@akash.sarode1234/pentesting-with-powershell-5918dfcd0eb4
LLMNR POISONING
• https://medium.com/coreshield/research-llmnr-e-nbt-ns-poisoning-attack-ad58c039b97e
• https://medium.com/@subhammisra45/llmnr-poisoning-and-relay-5477949b7bef
• https://attack.mitre.org/techniques/T1557/001/
• https://www.aptive.co.uk/blog/llmnr-nbt-ns-spoofing/
• https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/
• https://dmcxblue.gitbook.io/red-team-notes/untitled-1/llmnr-nbt-ns-poisoning-and-relay
LDAP RELAY
• https://www.youtube.com/watch?v=pKt9IJJOM3I
• https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/
• https://www.praetorian.com/blog/obtaining-laps-passwords-through-ldap-relaying-attacks
Persistence AD
• https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
• https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/
• https://www.ired.team/offensive-security/persistence/t1053-schtask
• https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/
• https://attack.mitre.org/techniques/T1053/005/
• https://attack.mitre.org/techniques/T1053/
• https://adsecurity.org/?p=1929
Persistence AD 2
• https://adsecurity.org/?tag=ad-sneaky-persistence
• https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
• https://www.youtube.com/watch?v=9ZYsVl5Xmrg&ab_channel=RaphaelMudge
• https://ijustwannared.team/2019/03/11/browser-pivot-for-chrome/
• https://lsdsecurity.com/2020/02/lateral-movement-in-active-directorywindows-some-simple-forgotten-yet-effective-ad-pivoting-techniques-part-1/
• https://attack.mitre.org/techniques/T1185/
Persistence AD 3
• https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique/
• https://pt.slideshare.net/nikhil_mittal/race-minimal-rights-and-ace-for-active-directory-dominance
• https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model
• https://adsecurity.org/?p=1785
• https://adsecurity.org/?tag=winrm
• https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
• https://resources.infosecinstitute.com/topic/active-directory-walkthrough-series-golden-ticket/
• https://github.com/Hackplayers/evil-winrm
Pivoting
• https://ijustwannared.team/2019/11/07/c2-over-rdp-virtual-channels/
• https://github.com/shunf4/proxychains-windows
• https://blog.techorganic.com/2012/10/10/introduction-to-pivoting-part-2-proxychains/
• https://www.ivoidwarranties.tech/posts/pentesting-tuts/pivoting/proxychains/
• https://github.com/klsecservices/rpivot
• https://securityonline.info/rpivot-socks4-reverse-proxy/
Pivoting 2
• https://nagarrosecurity.com/blog/smb-named-pipe-pivoting-meterpreter
• https://medium.com/@petergombos/smb-named-pipe-pivoting-in-meterpreter-462580fd41c5
• https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/
• https://www.bordergate.co.uk/lateral-movement-with-named-pipes/
• https://rhq.reconinfosec.com/tactics/lateral_movement/
• https://github.com/mis-team/rsockspipe
• https://www.youtube.com/watch?v=lelRK-SDubc
• https://github.com/blackarrowsec/mssqlproxy
LAB AD
• https://medium.com/@browninfosecguy/active-directory-lab-for-penetration-testing-5d7ac393c0c4
• https://www.hebunilhanli.com/wonderland/ad-pentest/ad-pentest-lab-setup/
• https://www.youtube.com/watch?v=xftEuVQ7kY0&ab_channel=TheCyberMentor
• https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/
• https://forum.hackthebox.eu/discussion/2996/building-an-active-directory-pen-test-lab
TTPs (Mitre)
• https://attack.mitre.org/techniques/T1087/
• https://attack.mitre.org/techniques/T1482/
• https://attack.mitre.org/techniques/T1087/002/
• https://attack.mitre.org/techniques/T1018/
• https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/
• https://attack.mitre.org/techniques/T1574/001/
• https://attack.mitre.org/techniques/T1003/006/
• https://www.corelight.com/mitre-attack/c2/t1094-custom-command-and-control-protocol/
• https://attack.mitre.org/tactics/TA0011/
• https://attack.mitre.org/techniques/T1095/
• https://attack.mitre.org/techniques/T1550/003/
Cheatsheet
• https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets
• https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
• https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets
• https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
• https://pentest.tonyng.net/windows-privilege-escalation-a-cheatsheet/
• https://ceso.github.io/posts/2020/04/hacking/oscp-cheatsheet/
• https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet
• https://book.hacktricks.xyz/windows/active-directory-methodology





• HTTPS://WWW.LINKEDIN.COM/IN/JOAS-ANTONIO-DOS-SANTOS/





• HTTPS://LEANPUB.COM/POWERSHELL101

• HTTPS://DOCS.MICROSOFT.COM/PT-BR/POWERSHELL/SCRIPTING/LEARN/PS101/01-GETTING-
STARTED?VIEW=POWERSHELL-7

• HTTPS://WWW.COMPARITECH.COM/NET-ADMIN/POWERSHELL-CHEAT-SHEET/

• HTTP://RAMBLINGCOOKIEMONSTER.GITHUB.IO/IMAGES/CHEAT-SHEETS/POWERSHELL-BASIC-CHEAT-SHEET2.PDF

• HTTPS://GIST.GITHUB.COM/PCGEEK86/336E08D1A09E3DD1A8F0A30A9FE61C8A

• HTTPS://GITHUB.COM/LAZYWINADMIN/POWERSHELL

• HTTPS://GITHUB.COM/CLYMB3R/POWERSHELL

• HTTPS://DOCS.MICROSOFT.COM/PT-BR/POWERSHELL/SCRIPTING/SAMPLES/SAMPLE-SCRIPTS-FOR-
ADMINISTRATION?VIEW=POWERSHELL-7

• HTTPS://WWW.UDEMY.COM/COURSE/APRENDA-POWERSHELL-DO-ZERO/

• HTTPS://WWW.UDEMY.COM/COURSE/AUTOMATIZANDO-ADMINISTRACAO-COM-POWERSHELL-CURSO-10961/

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=XODFGOJFR9Q


• HTTPS://MEDIUM.COM/@NALLAMUTHU/POWERSHELL-PORT-SCAN-BF27FC754585

• HTTPS://SID-500.COM/2017/11/12/TEST-PORT-USE-POWERSHELL-AS-A-PORT-SCANNER/

• HTTPS://TECHCOMMUNITY.MICROSOFT.COM/T5/ITOPS-TALK-BLOG/POWERSHELL-BASICS-HOW-TO-SCAN-OPEN-PORTS-WITHIN-A-
NETWORK/BA-P/924149

• HTTPS://GITHUB.COM/BORNTOBEROOT/POWERSHELL_IPV4PORTSCANNER

• HTTP://5UBTOOLS.BLOGSPOT.COM/

• HTTPS://GITHUB.COM/Z3R0TH-13/ENUM

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=QKZSIBEKAC0&AB_CHANNEL=TECHSNIPS

• HTTPS://GITHUB.COM/PYROTEK3/POWERSHELL-AD-RECON

• HTTPS://BLOG.STEALTHBITS.COM/PERFORMING-DOMAIN-RECONNAISSANCE-USING-POWERSHELL/

• HTTPS://MEDIUM.COM/@SMURF3R5/RECON-DOMAIN-SHARES-872914697980

• HTTPS://WWW.TRUSTEDSEC.COM/BLOG/POWERSHELL-RECONNAISSANCE/

• HTTPS://WWW.HEBUNILHANLI.COM/WONDERLAND/AD-PENTEST/RECON-WITH-POWERSHELL/

• HTTPS://PERICIACOMPUTACIONAL.COM/PENTESTING-WITH-POWERSHELL-IN-SIX-STEPS/

• HTTPS://GITHUB.COM/ELITELOSER/PSNMAP
• HTTPS://MEDIUM.COM/@DRAG0N/SOME-USEFUL-INTERESTING-POWERSHELL-SCRIPTS-
9B9490CEE0CD
• HTTPS://ADSECURITY.ORG/?P=2535

• HTTPS://WWW.VARONIS.COM/BLOG/POWERVIEW-FOR-PENETRATION-TESTING/

• HTTPS://WWW.SANS.ORG/BLOG/PEN-TEST-POSTER-WHITE-BOARD-POWERSHELL-BUILT-IN-PORT-
SCANNER/

• HTTPS://GITHUB.COM/SCIPAG/POWERSHELLUTILITIES

• HTTPS://WWW.ADAMCOUCH.CO.UK/CONDUCTING-POWERSHELL-PORT-SCAN/

• HTTPS://WWW.INFOSECMATTER.COM/MINIMALISTIC-TCP-AND-UDP-PORT-SCANNER/

• HTTPS://GITHUB.COM/XORRIOR/REMOTERECON

• HTTPS://GITHUB.COM/MATTIFESTATION/PSREFLECT
• HTTPS://GITHUB.COM/HARMJ0Y/CHEATSHEETS/BLOB/MASTER/POWERUP.PDF

• HTTPS://GITHUB.COM/HARMJ0Y/CHEATSHEETS/BLOB/MASTER/POWERSPLOIT.PDF

• HTTPS://GITHUB.COM/HARMJ0Y/CHEATSHEETS/BLOB/MASTER/EMPIRE.PDF

• HTTPS://GITHUB.COM/HARMJ0Y/CHEATSHEETS/BLOB/MASTER/POWERVIEW.PDF
• HTTPS://GITHUB.COM/POWERSHELLMAFIA/POWERSPLOIT/BLOB/MASTER/PRIVESC/POWERUP.P
S1

• HTTPS://WWW.HARMJ0Y.NET/BLOG/POWERSHELL/POWERUP-A-USAGE-GUIDE/

• HTTPS://RECIPEFORROOT.COM/ADVANCED-POWERUP-PS1-USAGE/

• HTTPS://JANIKVONROTZ.GITHUB.IO/POWERSHELL-POWERUP/

• HTTPS://MEDIUM.COM/BUGBOUNTYWRITEUP/PRIVILEGE-ESCALATION-IN-WINDOWS-
380BEE3A2842
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=DNWWTJFQW78&AB_CHANNEL=METASPLOITATIO
N

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=DLJYKGFKOKQ&AB_CHANNEL=SECURITYWEEKLY
• HTTPS://GITHUB.COM/POWERSHELLMAFIA/POWERSPLOIT
• HTTPS://PENTESTLAB.BLOG/TAG/POWERSPLOIT/
• HTTPS://WWW.CYBERPUNK.RS/POWERSPLOIT-POWERSHELL-POST-EXPLOITATION-FRAMEWORK
• HTTPS://WWW.DARKNET.ORG.UK/2015/12/POWERSPLOIT-POWERSHELL-POST-EXPLOITATION-FRAMEWORK/
• HTTPS://ATTACK.MITRE.ORG/SOFTWARE/S0194/
• HTTPS://ADSECURITY.ORG/?TAG=POWERSPLOIT
• HTTPS://MEDIUM.COM/@BENOIT.SEVENS/POWERSHELL-AV-EVASION-4E4BB6A6A961
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=OTPPNWBEADA&AB_CHANNEL=CHIEFRIVER
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=LELL6QA-REY&AB_CHANNEL=METASPLOITATION
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=B-XJNMFZ7LS&AB_CHANNEL=%5BMISTER_BERT0NI%5D
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=ZBMOS_FNXNG&AB_CHANNEL=SECURITYNOTES
• HTTPS://DANIELDONDA.COM/2019/04/07/POWERSHELL-EMPIRE/

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=52XKWBDMUUM&AB_CHANNEL=HACKERSPLOIT

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=0GHS3U9ZMKI&AB_CHANNEL=GUSKHAWAJA

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=67EXQPHK2SE&AB_CHANNEL=SECKC

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=9-KWVLJDXWS&AB_CHANNEL=ROOTSPLOIT

• HTTPS://WWW.POWERSHELLEMPIRE.COM/

• HTTPS://WWW.CYBERPUNK.RS/EMPIRE-POWERSHELL-POST-EXPLOITATION-FRAMEWORK

• HTTPS://NULL-BYTE.WONDERHOWTO.COM/HOW-TO/USE-POWERSHELL-EMPIRE-GETTING-STARTED-WITH-POST-EXPLOITATION-WINDOWS-HOSTS-0178664/

• HTTPS://WWW.HACKINGARTICLES.IN/HACKING-WITH-EMPIRE-POWERSHELL-POST-EXPLOITATION-AGENT/

• HTTPS://MEDIUM.COM/@RATIROS01/TRYHACKME-PS-EMPIRE-BD96FBF822CC

• HTTPS://BLOG.STEALTHBITS.COM/NEXT-GEN-OPEN-SOURCE-C2-FRAMEWORKS/
• HTTPS://GITHUB.COM/JAREDHAIGHT/INVOKE-METASPLOITPAYLOAD
• HTTPS://MEDIUM.COM/SWLH/FUN-WITH-POWERSHELL-PAYLOAD-EXECUTION-AND-EVASION-F5051FD149B2
• HTTPS://GITHUB.COM/TRUSTEDSEC/UNICORN
• HTTPS://GITHUB.COM/LOADENMB/TVASION
• HTTPS://THREAT.TEVORA.COM/DISSECTING-VEIL-EVASION-POWERSHELL-PAYLOADS-AND-CONVERTING-TO-A-BIND-SHELL/
• HTTPS://HAKIN9.ORG/XENCRYPT-A-POWERSHELL-SCRIPT-ANTI-VIRUS-EVASION-TOOL/
• HTTPS://ARNO0X0X.WORDPRESS.COM/2016/04/13/METERPRETER-AV-IDS-EVASION-POWERSHELL/
• HTTPS://HACK-ED.NET/2016/04/04/VEIL-EVASION-PAYLOADS-MADE-EASY/
• HTTPS://KAIZENSECURITY.WORDPRESS.COM/2016/08/19/METASPLOIT-AV-EVASION-WITH-POWERSHELL/
• HTTPS://WWW.BLACKHAT.COM/DOCS/EU-17/MATERIALS/EU-17-THOMPSON-RED-TEAM-TECHNIQUES-FOR-EVADING-BYPASSING-AND-DISABLING-MS-ADVANCED-THREAT-PROTECTION-AND-ADVANCED-THREAT-ANALYTICS.PDF
• HTTPS://WWW.BLACKHAT.COM/DOCS/US-14/MATERIALS/US-14-KAZANCIYAN-INVESTIGATING-POWERSHELL-ATTACKS-WP.PDF
• HTTPS://RESOURCES.INFOSECINSTITUTE.COM/POWERSHELL-FOR-PENTESTERS-PART-5-REMOTING-WITH-POWERSHELL/

• HTTPS://PENTESTN00B.WORDPRESS.COM/2016/08/22/POWERSHELL-PSREMOTING-PWNAGE/

• HTTPS://KALILINUXTUTORIALS.COM/EVIL-WINRM-HACKING-PENTESTING/

• HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/WINDOWS/LOCAL/POWERSHELL_REMOTING

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=TVGJ-9FJKXE&AB_CHANNEL=HAK5
• HTTPS://GIST.GITHUB.COM/EGRE55/C058744A4240AF6515EB32B2D33FBED3

• HTTPS://GITHUB.COM/SWISSKYREPO/PAYLOADSALLTHETHINGS/BLOB/MASTER/METHODOLOGY%20AND%20RESOURCES/REVERSE%20SHELL%20CHEATSHEET.MD
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=NJ5XBHRTWWA&AB_CHANNEL=CYBERSECURITYLEARNING

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=KKFRJTLM5LI&AB_CHANNEL=INFOSECADDICTS

• HTTPS://HACKERSINTERVIEW.COM/OSCP/REVERSE-SHELL-ONE-LINERS-OSCP-CHEATSHEET/

• HTTPS://WWW.OFFENSIVE-SECURITY.COM/OFFSEC/KALI-LINUX-POWERSHELL-PENTESTING/

• HTTPS://SECURITYONLINE.INFO/REVERSE-POWERSHELL/

• HTTPS://BLOG.NETSPI.COM/POWERSHELL-REMOTING-CHEATSHEET/

• HTTPS://WWW.IRED.TEAM/MISCELLANEOUS-REVERSING-FORENSICS/GET-INJECTEDTHREAD

• HTTPS://MEDIUM.COM/@THREATPOINTER/PENTESTING-POWERSHELL-REMOTING-FA605EF325D4
• HTTPS://GITHUB.COM/JODYWEIJERS/BADUSB-DIGISPARK

• HTTPS://WWW.ZDNET.COM/ARTICLE/RARE-BADUSB-ATTACK-DETECTED-IN-THE-WILD-AGAINST-US-HOSPITALITY-PROVIDER/

• HTTPS://HACKADAY.COM/TAG/BADUSB/

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=IAH5RUYO2VY&AB_CHANNEL=DIMUSTECH

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=M6BHXX75RMS&AB_CHANNEL=HAK5

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=M0AWKEF0B8C&AB_CHANNEL=IMMUNETECHNOLOGYINSTITUTE

• HTTPS://GITHUB.COM/SCREETSEC/BRUTAL

• HTTPS://ATTACK.MITRE.ORG/TECHNIQUES/T1059/001/
• HTTPS://MEDIUM.COM/@SUBHAMMISRA45/LATERAL-MOVEMENT-POWERSHELL-REMOTING-89DA402A9885
• HTTPS://POSTS.SPECTEROPS.IO/OFFENSIVE-LATERAL-MOVEMENT-1744AE62B14F

• HTTPS://PT.SLIDESHARE.NET/KIERANJACOBSEN/LATERAL-MOVEMENT-WITH-POWER-SHELL-2
• HTTPS://WWW.IRED.TEAM/OFFENSIVE-SECURITY/LATERAL-MOVEMENT/WMI-+-POWERSHELL-DESIRED-STATE-CONFIGURATION-LATERAL-MOVEMENT

• HTTPS://GENNAROMIGLIACCIO.COM/LATERAL-MOVEMENT-TACTICS-AND-TECHNIQUES
• HTTPS://REDCANARY.COM/BLOG/LATERAL-MOVEMENT-WINRM-WMI/
• HTTPS://WWW.FORWARDDEFENSE.COM/PDFS/LATERAL-MOVEMENT-ANALYSIS.PDF
• HTTPS://WWW.SNAPLABS.IO/INSIGHTS/LATERAL-MOVEMENT-METHODS-AND-GOOD-PRACTICES

• HTTPS://GIST.GITHUB.COM/JAREDCATKINSON/C95FD1E4E76A4B9B966861F64782F5A9
• HTTPS://ATTACK.MITRE.ORG/SOFTWARE/S0029/
• HTTPS://WWW.OFFENSIVE-SECURITY.COM/METASPLOIT-UNLEASHED/PSEXEC-PASS-HASH/
• HTTPS://WWW.CONTEXTIS.COM/DE/BLOG/LATERAL-MOVEMENT-A-DEEP-LOOK-INTO-PSEXEC
• HTTPS://WWW.MINDPOINTGROUP.COM/BLOG/LATERAL-MOVEMENT-WITH-PSEXEC/
• HTTPS://REDCANARY.COM/BLOG/THREAT-HUNTING-PSEXEC-LATERAL-MOVEMENT/
• HTTPS://MEDIUM.COM/@UPADHYAY.VARUN/PASS-THE-HASH-ATTACK-B0F214B2884A
• HTTPS://PERICIACOMPUTACIONAL.COM/WINDOWS-ACCOUNT-HIJACKING-PSEXEC-E-SUAS-POSSIBILIDADES/
• HTTPS://PENTESTLAB.BLOG/TAG/PSEXEC/
• HTTPS://WWW.TOSHELLANDBACK.COM/2017/02/11/PSEXEC/
• HTTPS://WWW.POFTUT.COM/USE-PSEXEC-TOOLS-RUN-COMMANDS-GET-SHELL-REMOTE-WINDOWS-SYSTEMS/
• HTTPS://WWW.IRED.TEAM/OFFENSIVE-SECURITY/LATERAL-MOVEMENT/LATERAL-MOVEMENT-WITH-PSEXEC
• HTTPS://WWW.VARONIS.COM/BLOG/HOW-TO-USE-POWERSHELL-FOR-PRIVILEGE-ESCALATION-WITH-LOCAL-COMPUTER-ACCOUNTS/

• HTTPS://GITHUB.COM/FRIZB/WINDOWS-PRIVILEGE-ESCALATION

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=-SBXN-CGUD0&AB_CHANNEL=PENTESTERACADEMYTV

• HTTPS://HAKIN9.ORG/PRIVESCCHECK-PRIVILEGE-ESCALATION-ENUMERATION-SCRIPT-FOR-WINDOWS/

• HTTPS://GITHACKTOOLS.BLOGSPOT.COM/2019/04/WINROOTHELPER-WINDOWS-PRIVILEGE-ESCALATION-POWERSHELL-SCRIPT.HTML

• HTTPS://WWW.HACKINGARTICLES.IN/WINDOW-PRIVILEGE-ESCALATION-VIA-AUTOMATED-SCRIPT/

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=VLKPCSQW8QY&AB_CHANNEL=UBEERILABS

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=BANOHAIAQ7U&AB_CHANNEL=SANSPENTESTTRAINING

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=2VZOSUJ4NWU&AB_CHANNEL=CYBERSTORM-WARFAREINTHE5THDOMAIN

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=V0ZYORQ0EEY&AB_CHANNEL=POWERSHELLEMPIRETUTORIALS

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=DZJFIIW3KZE&AB_CHANNEL=MOSS%C3%A9CYBERSECURITYINSTITUTE

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=_BPBQUU91-Q&AB_CHANNEL=BREAKTHESECURITY

• HTTPS://GITHUB.COM/RMUSSER01/INFOSEC_REFERENCE/BLOB/MASTER/DRAFT/PRIVESCPOSTEX.MD
• HTTPS://PENTESTLAB.BLOG/2017/08/19/COMMAND-AND-CONTROL-POWERSHELL/

• HTTPS://ENIGMA0X3.NET/2014/01/17/COMMAND-AND-CONTROL-USING-POWERSHELL-AND-YOUR-FAVORITE-WEBSITE/

• HTTPS://WWW.SNAPLABS.IO/INSIGHTS/COMMAND-AND-CONTROL-WITH-POWERSHELL-EMPIRE-PT1

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=WVHVDUVFQNM&AB_CHANNEL=DEMMSEC

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=OH-LCN5K9K8&AB_CHANNEL=COVER6SOLUTIONS

• HTTPS://TRUNESKI.GITHUB.IO/BLOG/2017/03/03/DROPBOX-COMMAND-AND-CONTROL-OVER-POWERSHELL-WITH-INVOKE-DBC2/

• HTTPS://WWW.COVER6SOLUTIONS.COM/WEBINAR-INTRO-TO-C2-WITH-POWERSHELL-EMPIRE/
• HTTPS://PENTESTLAB.BLOG/2019/11/05/PERSISTENCE-POWERSHELL-PROFILE/

• HTTPS://PENTESTLAB.BLOG/2019/11/04/PERSISTENCE-SCHEDULED-TASKS/

• HTTPS://GITHUB.COM/EMILYANNCR/WINDOWS-POST-EXPLOITATION

• HTTPS://ADSECURITY.ORG/?P=429

• HTTPS://BOOK.HACKTRICKS.XYZ/WINDOWS/BASIC-POWERSHELL-FOR-PENTESTERS

• HTTPS://MEDIA.BLACKHAT.COM/EU-13/BRIEFINGS/MITTAL/BH-EU-13-POWERSHELL-FOR-PENETRATION-MITTAL-SLIDES.PDF
• HTTPS://WWW.IRED.TEAM/OFFENSIVE-SECURITY/EXFILTRATION
• HTTPS://AZERIA-LABS.COM/DATA-EXFILTRATION/
• HTTPS://WWW.HACKINGARTICLES.IN/DATA-EXFILTRATION-USING-POWERSHELL-EMPIRE/
• HTTPS://WWW.SANS.ORG/WEBCASTS/PEN-TESTING-POWERSHELL-DATA-EXFILTRATION-TECHNIQUES-108740
• HTTPS://BLOG.STACKATTACK.NET/2019/03/14/QUICK-HIT-BASE64-POWERSHELL-EXFILTRATION/
• HTTPS://NIICONSULTING.COM/CHECKMATE/2016/03/EXFILTRATION-USING-POWERSHELL-OUTLOOK/
• HTTPS://WWW.SEVENLAYERS.COM/INDEX.PHP/305-POWERSHELL-DATA-EXFIL
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=8ZAREHY5HBW
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=TBBT1C2ZJMS&AB_CHANNEL=HAK5
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=MIQVVX943FW&AB_CHANNEL=SANSPENTESTTRAINING
• HTTPS://GITHUB.COM/TOPICS/PENETRATION-TESTING?L=POWERSHELL
• HTTPS://WWW.FIREEYE.COM/CONTENT/DAM/FIREEYE-WWW/GLOBAL/EN/SOLUTIONS/PDFS/WP-LAZANCIYAN-INVESTIGATING-POWERSHELL-ATTACKS.PDF
• HTTPS://LIVE.SYSINTERNALS.COM/
• HTTPS://GITHUB.COM/BLUSCREENOFJEFF/RED-TEAM-INFRASTRUCTURE-WIKI
• HTTPS://BLOG.HARMJ0Y.NET/
• HTTPS://ENIGMA0X3.NET/
• HTTPS://WALD0.COM/
• HTTPS://POSTS.SPECTEROPS.IO/
• HTTP://WWW.EXPLOIT-MONDAY.COM/
• HTTPS://ADSECURITY.ORG/
• HTTP://WWW.INVOKE-IR.COM/
• HTTPS://SPECTEROPS.IO/RESOURCES/RESEARCH-AND-DEVELOPMENT
• HTTPS://WWW.BLACKHAT.COM/US-16/TRAINING/ADVANCED-POWERSHELL-FOR-OFFENSIVE-OPERATIONS.HTML
Pentest in Office365 and Security
Joas Antonio
Details
• This pdf aims to bring techniques and tools for performing pentesting in Office365 environments
My LinkedIn: https://www.linkedin.com/in/joas-antonio-dos-santos
Introduction
• https://docs.microsoft.com/pt-br/microsoft-365/?view=o365-worldwide
• https://docs.microsoft.com/pt-br/office/
• https://docs.axway.com/bundle/AMPLIFY_Integration_Builder_allOS_en/page/microsoft_office_365_api_documentation.html
• https://system.suny.edu/userservices/office365-faq/
• https://github.com/MicrosoftDocs/microsoft-365-docs
• https://techdocs.blogs.brynmawr.edu/6634
• https://www.varonis.com/blog/microsoft-office-365-file-sharing/
• https://www.youtube.com/watch?v=01T6gSvR0xs
Introduction
• https://www.microsoft.com/pt-br/microsoft-365
• https://www.microsoft.com/pt-br/microsoft-365/microsoft-office
• https://www.microsoft.com/pt-br/microsoft-365/microsoft-365-for-existing-subscribers
• https://www.youtube.com/watch?v=HhgpVvqZhzA
• https://www.youtube.com/watch?v=zsBt85WjtIY
PenTest in Office365
• https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
• https://www.agileit.com/news/pentesting-microsoft-office-365/
• https://bond-o.medium.com/microsoft-office-365-enumeration-58f9b5ba21c8
• https://www.mdsec.co.uk/2019/07/introducing-the-office-365-attack-toolkit/
• https://thecyphere.com/blog/office365-security-best-practices/
• https://www.lmgsecurity.com/will-you-be-pwned-in-an-office-365-brute-force-attack-use-this-free-tool-for-testing/
• https://intercom.help/cobalt/en/articles/4641747-network-office-365-penetration-testing
• https://www.trustedsec.com/blog/owning-o365-through-better-brute-forcing/
• https://www.redscan.com/news/office-365-security-six-ways-to-safeguard-your-environment-against-cyber-attacks/
• https://www.kitploit.com/2019/07/o365-attack-toolkit-toolkit-to-attack.html?m=0
PenTest in Office365
• https://vapt.ee/offensive-security/penetration-testing/cloud-penetration-testing/office365-penetration-testing/
• https://www.blackhillsinfosec.com/tag/office365/
• https://github.com/0xZDH/o365spray
• https://github.com/S3cur3Th1sSh1t/Pentest-Tools
• https://github.com/mdsecresearch/LyncSniper
• https://github.com/byt3bl33d3r/SprayingToolkit
• https://github.com/sensepost/ruler
• https://pentestbook.six2dez.com/enumeration/cloud/azure
• https://www.blackhatethicalhacking.com/tools/o365-attack-toolkit/
• https://www.cryptron.ch/security-analysis-microsoft-office-365-advanced-threat-protection/
• https://securityonline.info/raindance/
• https://www.microsoft.com/pt-br/msrc/pentest-rules-of-engagement
PenTest in Office365
• https://www.linkedin.com/pulse/risk-assessment-penetration-testing-microsoft-azure-satinder/
• https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf
• https://i.blackhat.com/USA-19/Wednesday/us-19-Metcalf-Attacking-And-Defending-The-Microsoft-Cloud.pdf
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
• https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md
• https://book.hacktricks.xyz/cloud-security/cloud-security-review
• https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
• https://www.optiv.com/insights/source-zero/blog/go365-office-365-password-spraying-tool
Phishing Office365
• https://github.com/duocircle/Office365-Phishing-Rules
• https://github.com/AlteredSecurity/365-Stealer
• https://github.com/mdsecactivebreach/o365-attack-toolkit
• https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?redirectSourcePath=%252fen-us%252farticle%252fSet-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6&view=o365-worldwide#enablemfaoffice365
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
• https://github.com/pentestgeek/phishing-frenzy-templates/tree/master/office365
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/campaigns/m365-campaigns-phishing-and-attacks.md
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/tuning-anti-phishing.md
• https://github.com/milo2012/phishing-scripts/blob/master/o365.py
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Phishing Office365
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/attack-simulation-training.md
• https://techcommunity.microsoft.com/t5/security-compliance-and-identity/attack-simulator-need-a-real-phishing-template-library-to-be/m-p/1405895
• https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
• https://medium.com/sekoia-io-blog/analysis-and-detection-of-mitm-phishing-attacks-bypassing-2fa-o365-use-case-cf0ffdae9cae
• https://hooksecurity.co/phishing-examples/github-phishing-example
• https://otx.alienvault.io/pulse/5df9f836cfe26eacac1703ad
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/attack-simulator.md
• https://github.com/MicrosoftLearning/MS-500-Microsoft-365-Security/blob/master/Instructions/Labs/MS500T00/LAB_AK_06_Lab1_Ex1_Phishing_attack.md
• https://github.com/MicrosoftLearning/MS-101T00-Microsoft-365-Mobility-and-Security/blob/master/Instructions/Labs/LAB_AK_03_Lab3_Ex1_AttackSim_Phishing_attack.md
Office 365 Security
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/defender-for-office-365.md
• https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Open%20email%20link.txt
• https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/security-recommendations-for-priority-accounts.md
• https://docs.microsoft.com/pt-br/microsoft-365/security/defender/overview-security-center?view=o365-worldwide#:~:text=O%20Microsoft%20365%20de%20seguran%C3%A7a,seguran%C3%A7a%20para%20o%20portal%20unificado.&text=As%20fun%C3%A7%C3%B5es%20j%C3%A1%20nos%20produtos,portal%20Microsoft%20365%20seguran%C3%A7a%2C%20automaticamente.
• https://www.microsoft.com/security/blog/office-365-security/
• https://www.cloudfastpath.com/office-365-migration/top-office-365-security-features-examples/
• https://docs.microsoft.com/pt-br/microsoft-365/security/office-365-security/security-dashboard?view=o365-worldwide
• https://www.youtube.com/watch?v=eBByRs1GsuA
• https://www.youtube.com/watch?v=hI4Kid-uzxY
• https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-microsoft-365-security-for-it-pros-2021-edition/m-p/1518661
• https://medium.com/falconforce/reducing-your-office365-attack-surface-1073a4d46a7b
• https://www.beazley.com/documents/TMB/Insights/beazley-bbr-hardening_O365_best_practices_08312018.pdf
• https://www.cisecurity.org/benchmark/microsoft_office/
• https://static1.squarespace.com/static/5bbb4a7301232c6e6c8757fa/t/603f6ea2dbc4a57691453b61/1614769826578/Office+365+Hardening.pdf
Windows Privilege Escalation - Overview
Joas Antonio
Details
• This book aims to show the techniques of Privilege Escalation in Windows;
• It is not a practical book, just an overview with references to help you in your research;
• https://www.linkedin.com/in/joas-antonio-dos-santos
Low Hanging Passwords
• https://medium.com/hackernoon/picking-the-low-hanging-passwords-b64684fe2c7
• https://vdalabs.com/2019/10/17/password-security/
Enumeration
• https://arnavtripathy98.medium.com/smb-enumeration-for-penetration-testing-e782a328bf1b
• https://medium.com/bugbountywriteup/automating-ad-enumeration-with-frameworks-f8c7449563be
• https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
• https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#domain-enumeration
• https://www.ired.team/offensive-security/enumeration-and-discovery
Interesting Files and Registry Keys
• https://medium.com/@hakluke/sensitive-files-to-grab-in-windows-4b8f0a655f40
• Important extensions: install, backup, .bak, .log, .bat, .cmd, .vbs, .conf, .cnf, .config, .ini, .xml, .txt, .gpg, .pgp, .p12, .der, id_rsa, .ovpn
• CMD command: findstr /i ovpn
• Configuration files are critical, especially for collecting default passwords
• In addition, registry keys often contain passwords
Password Manager Abusing
• https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
• https://resources.infosecinstitute.com/topic/steal-windows-login-credentials-abusing-server-message-block-smb-protocol/
• https://dl.packetstormsecurity.net/papers/general/abusing-windowsdpapi.pdf
Services Exploitation
• https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
• https://www.youtube.com/watch?v=zdu3f2oZZLI&ab_channel=PentesterAcademyTV
• https://www.youtube.com/watch?v=MGqypN2uSjM&ab_channel=raulcpop
• https://pentestlab.blog/2017/03/30/weak-service-permissions/
• https://www.noobsec.net/privesc-windows/
• https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions
Kernel Exploitation
• https://github.com/SecWiki/windows-kernel-exploits
• https://kakyouim.hatenablog.com/entry/2020/05/27/010807
• https://www.hackingarticles.in/windows-kernel-exploit-privilege-escalation/
• https://pentestlab.blog/2017/04/24/windows-kernel-exploits/
• https://blog.xpnsec.com/windows-warbird-privesc/
• https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
DLL Hijacking
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking
• https://medium.com/@dannyp4p/privilege-escalation-dll-hijacking-668d7235bc98
• https://ivanitlearning.wordpress.com/2019/03/26/windows-privilege-escalation-via-dll-hijacking/
• https://pentestlab.blog/2017/03/27/dll-hijacking/
• https://www.youtube.com/watch?v=9-HNMUo9urA&ab_channel=MotasemHamdan-CyberSecurityTrainer
• https://www.youtube.com/watch?v=zvQIi2Kfk-k&ab_channel=PentesterAcademyTV
DLL Hijacking 2
• https://www.youtube.com/watch?v=e_l5TCgw3wo&ab_channel=PentesterAcademyTV
• https://www.youtube.com/watch?v=OON0LdwCi0Q&ab_channel=PentesterAcademyTV
• https://itm4n.github.io/windows-dll-hijacking-clarified/
• https://gracefulsecurity.com/privesc-dll-hijacking/
Exploitation Path
• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
• https://gracefulsecurity.com/privesc-unquoted-service-path/
• https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
• https://ivanitlearning.wordpress.com/2018/12/05/windows-privilege-escalation-by-unquoted-service-paths/
• https://packetstormsecurity.com/files/157263/Microsoft-Windows-Unquoted-Service-Path-Privilege-Escalation.html
Scheduled Tasks
• https://www.exploit-db.com/exploits/15589
• http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
• https://www.youtube.com/watch?v=Kgga91U3B4s&ab_channel=SagiShahar
• https://packetstormsecurity.com/files/153698/Microsoft-Windows-Task-Scheduler-Local-Privilege-Escalation.html
• https://www.youtube.com/watch?v=GSCPiOCWzes&ab_channel=TheHackerNews
• https://www.youtube.com/watch?v=c9vQJoeJDA8&ab_channel=0patchbyACROSSecurity
• https://www.youtube.com/watch?v=gd-F1dlWBAw&ab_channel=EricRomang
UACME
• https://github.com/hfiref0x/UACME
• https://medium.com/@lucideus/privilege-escalation-on-windows-7-8-10-lucideus-research-c8a24aa55679
• https://technologyredefine.blogspot.com/2018/01/privilege-escalation.html
• https://securityonline.info/uacme-defeating-windows-user-account-control/
• https://www.youtube.com/watch?v=3BQKpPNlTSo&ab_channel=ZeroDayInitiative
• https://www.youtube.com/watch?v=C9GfMfFjhYI&ab_channel=Hak5
• https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
• https://null-byte.wonderhowto.com/how-to/bypass-uac-escalate-privileges-windows-using-metasploit-0196076/
• https://github.com/yanncam/LPE_AT-UAC
UACME & GETSYSTEM
• https://docs.rapid7.com/metasploit/meterpreter-getsystem/
• https://medium.com/@cmpbilge/privilege-escalation-with-meterpreter-3e3f999d9978
• https://54m4ri74n.medium.com/windows-7-privilege-escalation-using-uac-bypass-b08f5523b7de
• https://blog.xpnsec.com/becoming-system/
• https://ivanitlearning.wordpress.com/2018/12/02/privilege-escalation-on-win-7/
• https://kellgon.com/common-privilege-escalation-vectors-for-windows-and-linux/
• https://www.youtube.com/watch?v=gdMt5G6ajx0&ab_channel=DonDoes30Official
GETSYSTEM: Leaked Handle
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/leaked-handle-exploitation
• https://www.youtube.com/watch?v=IzZ649EvWXI&ab_channel=MeetSektor7
• http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/
• https://masthoon.github.io/exploit/2019/03/29/cygeop.html
GETSYSTEM: Named Pipes
• https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation
• https://www.exploit-db.com/exploits/22882
• https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
• https://www.securityfocus.com/bid/8128/exploit
Token Abusing
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
• https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation
• https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
• https://www.exploit-db.com/exploits/42556
• https://stark0de.com/2019/08/05/abuse-privilege-access-token.html
• https://attack.mitre.org/techniques/T1134/
Privilege Escalation Courses
• https://www.udemy.com/course/windows-privilege-escalation/?src=sac&kw=windows+privilege
• https://www.udemy.com/course/windows-privilege-escalation-for-beginners/?src=sac&kw=windows+privilege
• https://institute.sektor7.net/rto-lpe-windows
• https://www.udemy.com/course/advanced-windows-privilege-escalation-with-hack-the-box/?src=sac&kw=windows%20privilege
Extras
• https://github.com/TCM-Course-Resources/Windows-Privilege-Escalation-Resources
• https://www.youtube.com/watch?v=WKmbIhH9Wv8&ab_channel=MotasemHamdan-CyberSecurityTrainer
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
• https://github.com/rhodejo/OSCP-Prep/blob/master/Priv-Esc.md
• https://medium.com/bugbountywriteup/privilege-escalation-in-windows-380bee3a2842
• https://www.hackingdream.net/2020/03/windows-privilege-escalation-cheatsheet-for-oscp.html
• https://github.com/frizb/Windows-Privilege-Escalation
Extras 2
• https://github.com/togie6/Windows-Privesc
• https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
• https://github.com/carlospolop/winPE
• https://github.com/sagishahar/lpeworkshop
• https://www.youtube.com/watch?v=Wc7NVl-wNXI
Windows Persistence Techniques
Joas Antonio
Details
• Just an overview of some persistence techniques on Windows operating systems
• https://www.linkedin.com/in/joas-antonio-dos-santos
Introduction
• https://www.linkedin.com/in/joas-antonio-dos-santos
Addendum
• https://media.howard.com/CNET/USER_MANUAL/2E5177A4-159B-4A2E-9BD8-AAD90ACB0981.pdf
• https://nimax-img.de/Produktdownloads/addendum_18877.pdf
• https://www.eldoled.com/cms_file.php?fromDB=5567
• https://www.microsoft.com/en-us/licensing/product-licensing/products
• https://www.energytrust.org/wp-content/uploads/2016/10/HES_FM_WindowsAddendum.pdf
• https://github.com/Juanito99/Windows.Computer.DataOnDemand.Addendum
PrivEsc Techniques
https://www.linkedin.com/in/joas-antonio-dos-santos
My ebook
• https://drive.google.com/file/d/1Hjq_Hc8dQEF_ZhNFtGMrl2GELoryboyW/view?usp=sharing
Folder and Registry Keys
• https://medium.com/r3d-buck3t/abuse-service-registry-acls-windows-privesc-f88079140509
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
• https://pentestlab.blog/category/privilege-escalation/
• https://dmcxblue.gitbook.io/red-team-notes/persistence/registry-keys-startup-folder
• https://www.semperis.com/blog/group-policy-privilege-escalation/
• https://infosecwriteups.com/privilege-escalation-in-windows-380bee3a2842
Logon Scripts
• https://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html
• https://github.com/frizb/Windows-Privilege-Escalation
• https://www.hackingarticles.in/window-privilege-escalation-automated-script/
• https://rahmatnurfauzi.medium.com/windows-privilege-escalation-scripts-techniques-30fa37bd194
• https://dmcxblue.gitbook.io/red-team-notes/persistence/logon-scripts
• https://hakin9.org/privesccheck-privilege-escalation-enumeration-script-for-windows/
Screensaver
• https://blogs.msmvps.com/donna/2004/11/24/microsoft-windows-logon-screensaver-local-privilege-escalation-vulnerability/
• https://packetstormsecurity.com/files/137387/League-Of-Legends-Screensaver-File-Permission-Privilege-Escalation.html
• https://www.w4rri0r.com/sequence-of-commands/privilege-escalation-attacks.html
DLL Proxying
• https://itm4n.github.io/dll-proxying/
• https://kevinalmansa.github.io/application%20security/DLL-Proxying/
• https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence
• https://github.com/tothi/dll-hijack-by-proxying
• https://milosilo.com/hacking/microsoft-teams-proxy-dll-hijacking/
• https://www.youtube.com/watch?v=raLnL4DdvKU
• https://www.youtube.com/watch?v=tSdyfaJ7T50
• https://www.cynet.com/attack-techniques-hands-on/dlls-and-ways-they-can-hurt-us/
Component object model

https://research.nccgroup.com/2020/04/15/cve-2019-1381-and-cve-2020-0859-how-misleading-documentation-led-to-a-broken-patch-for-a-windows-arbitrary-file-disclosure-vulnerability/

https://www.elastic.co/guide/en/security/7.x/component-object-model-hijacking.html

https://attack.mitre.org/techniques/T1559/001/

https://dmcxblue.gitbook.io/red-team-notes/execution/com


Persistence Techniques

https://www.linkedin.com/in/joas-antonio-dos-santos

Elevated Scheduled Task

https://www.windowstricks.in/2018/08/how-to-run-the-powershell-script-in-scheduled-task-with-run-as-administrator.html

https://stackoverflow.com/questions/62245797/how-to-setup-a-powershell-script-in-windows-task-scheduler-with-admin-permission

https://superuser.com/questions/1640613/how-to-run-a-powershell-script-with-elevated-access-using-task-scheduler

https://blog.netwrix.com/2018/07/03/how-to-automate-powershell-scripts-with-task-scheduler/

https://www.reddit.com/r/PowerShell/comments/6qvp30/task_schedule_powershell_script_with_admin_rights/

https://o365reports.com/2019/08/02/schedule-powershell-script-task-scheduler/

https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/

https://www.elastic.co/guide/en/security/current/persistence-via-telemetrycontroller-scheduled-task-hijack.html

https://attack.mitre.org/techniques/T1053/005/

Multi-action Task

https://securitybyexpert.com/windows-persistence-multi-action-scheduled-task/

https://www.fireeye.com/blog/threat-research/2019/09/sharpersist-windows-persistence-toolkit.html

https://www.igi-global.com/dictionary/assessment-of-task-persistence/50930

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/configuring/task-persistence.html

https://www.elastic.co/guide/en/security/7.x/persistence-via-telemetrycontroller-scheduled-task-hijack.html

WMI Event Subscription

https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/

https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html

https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription/

https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

https://liberty-shell.com/sec/2019/06/16/wmi-persistence/

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/asr-in-intune-for-quot-block-persistence-through-wmi-event/m-p/2068130

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/40862476-asr-rule-block-persistence-through-wmi-event-subs

https://www.rapid7.com/db/modules/exploit/windows/local/wmi_persistence/

AppCert DLLs

https://www.elastic.co/guide/en/security/current/registry-persistence-via-appcert-dll.html

https://attack.mitre.org/techniques/T1546/009/

https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/

https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html

https://github.com/ewilded/Windows_persistence/blob/master/REGISTRY.md

https://dmfrsecurity.com/2021/01/02/review-red-team-operator-windows-persistence-course-by-sektor7-institute/

AppInit DLLs

https://eforensicsmag.com/appinit-dll-injection-by-siddharth-sharma/

https://attack.mitre.org/techniques/T1546/010/

https://www.elastic.co/guide/en/security/current/registry-persistence-via-appinit-dll.html

https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md

https://github.com/akapv/atomic-red-team/blob/master/Windows/Persistence/AppInit_DLLs.md

https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls

https://www.cyberhuntingguide.net/t1546010.html

Netsh Helper DLL

https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/

https://attack.mitre.org/techniques/T1546/007/

https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll

https://github.com/rtcrowley/Offensive-Netsh-Helper

https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1546-event-triggered-execution/netsh-helper-dll

https://www.hackingarticles.in/windows-persistence-using-netsh/

https://www.reddit.com/r/netsec/comments/donwj5/persistence_netsh_helper_dll/

https://liberty-shell.com/sec/2018/07/28/netshlep/

https://eqllib.readthedocs.io/en/latest/analytics/5f9a71f4-f5ef-4d35-aff8-f67d63d3c896.html

Time Provider Persistence

https://www.ired.team/offensive-security/persistence/t1209-hijacking-time-providers

https://pentestlab.blog/2019/10/22/persistence-time-providers/

https://attack.mitre.org/techniques/T1547/003/

https://github.com/elastic/detection-rules/issues/853

https://github.com/endgameinc/eqllib/blob/master/eqllib/analytics/persistence/T1209-persistence-time-providers.toml

https://institute.sektor7.net/rto-windows-persistence

https://medium.com/@gabriel.pirjolescu/demystifying-windows-malware-hunting-part-1-detecting-persistence-with-osquery-b53573c2aac0

Port Monitors

https://pentestlab.blog/2019/10/28/persistence-port-monitors/

https://www.hackingarticles.in/windows-persistence-port-monitors/

https://posts.slayerlabs.com/monitor-persistence/

https://github.com/airzero24/PortMonitorPersist

https://www.ired.team/offensive-security/persistence/t1013-addmonitor

https://windows-internals.com/printdemon-cve-2020-1048/


LSA as a Persistence Mechanism

https://adsecurity.org/?p=1760

https://attack.mitre.org/tactics/TA0003/

https://pentestlab.blog/2019/10/21/persistence-security-support-provider/

https://www.elastic.co/guide/en/security/current/potential-lsa-authentication-package-abuse.html

https://lifars.com/2021/01/common-malware-persistence-techniques/

https://www.csoonline.com/article/3393268/how-to-outwit-attackers-using-two-windows-registry-settings.html

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)

https://www.ndss-symposium.org/wp-content/uploads/2017/09/P01_3.pdf


Metasploit Persistence

https://www.hackingarticles.in/multiple-ways-to-persistence-on-windows-10-with-metasploit/

https://www.offensive-security.com/metasploit-unleashed/meterpreter-service/

https://www.offensive-security.com/metasploit-unleashed/persistent-backdoors/

https://www.hackers-arise.com/how-to-make-the-meterpreter-persistent

https://securityonline.info/automated-persistent-backdoor-metasploit/

https://secnhack.in/technique-to-persistence-on-windows-10-with-metasploit/

https://pentestlab.blog/2020/02/04/persistence-waitfor/

https://www.rapid7.com/db/modules/exploit/windows/local/persistence/

https://ways2hack.com/metasploit-framework/
