Windows渗透测试资源共享

2020年9月7日07:40:50评论298 views字数 23058阅读76分51秒阅读模式

Windows渗透测试资源共享

在AD环境中使用LDAP，Kerberos（和MSRPC）的乐趣https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments
从XML外部实体到NTLM域哈希From XML External Entity to NTLM Domain Hashes
Windows特权升级指南https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Windows oneliners下载远程有效负载并执行任意代码https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/
通过本机RDP客户端（mstsc.exe）传递哈希https://michael-eder.net/post/2018/native_rdp_pass_the_hash/

在Active Directory中使用ACL升级特权https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
原子红队自动化框架https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md
跳过裂化响应器哈希并中继它们http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them/amp/?__twitter_impression=true
Exchange-AD-Privesc。Exchange特权升级到Active Directory的存储库
该存储库提供了一些有关Microsoft Exchange部署对Active Directory安全性影响的技术和脚本。https://github.com/gdedrouas/Exchange-AD-Privesc

WMIC.EXE白名单绕过-破坏样式，样式表https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html
隐藏Metasploit Shellcode以逃避Windows Defenderhttps://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
非官方Mimikatz指南和命令参考Mimikatz
使用Active Directory PowerShell模块收集AD数据
Gathering AD Data with the Active Directory PowerShell Module
在Windows 10上检测虚拟机监控程序的存在
Detecting Hypervisor Presence on Windows 10
域用户枚举工具https://github.com/sensepost/UserEnum/blob/master/README.md
死亡蓝云：红色团队合作Azurehttps://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1

响动+3恶意软件：几招
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
Kerberos派对技巧：武器化Kerberos协议缺陷
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws

执行命令并使用PowerShell诊断脚本绕过AppLocker
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts
Windows Vista中引入的Microsoft用户帐户控制功能已引起安全社区中许多人的关注。由于UAC旨在强制用户批准管理行为，因此攻击者（和红色团队）几乎在每次接触时都会遇到UAC。结果，尽管缺乏正式指定作为安全边界，但是绕过此控制是参与者通常必须克服的任务。本演讲重点介绍UAC是什么，其他人之前的工作，研究方法，并详细介绍作者开发的几种技术性UAC绕过技术。
https://youtu.be/c8LgqtATAnE
Windows Userland持久性基础
http://www.fuzzysecurity.com/tutorials/19.html
通过URL文件进行DLL劫持
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
通过URL文件进行DLL劫持
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
通过GPO枚举远程访问策略
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/
https://github.com/dafthack/MailSniper
DomainPasswordSpray
DomainPasswordSpray是用PowerShell编写的工具，用于对域用户执行密码喷雾攻击。默认情况下，它将自动从域中生成用户列表。
https://github.com/dafthack/DomainPasswordSpray
查找运行域管理进程的系统的5种方法
5 Ways to Find Systems Running Domain Admin Processes


如何绕过Powershell使用的GPO策略限制
https://github.com/p3nt4/PowerShdll

ADAPE-Active Directory评估和特权升级脚本
https://github.com/hausec/ADAPE-脚本
使用Kerberoasting，利用未打补丁的系统– Red Teamer的一天
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/

了解和规避Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
PowerLessShell依靠MSBuild.exe远程执行PowerShell脚本和命令，而不会生成powershell.exe。您也可以使用相同的方法执行原始Shellcode。
https://github.com/Mr-Un1k0d3r/PowerLessShell

转储明文凭证
Dumping Clear-Text Credentials
Office365 ActiveSync用户名枚举
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration

他的脚本将尝试为具有该属性的用户列出并获取TGT设置了“不需要Kerberos预身份验证”（UF_DONT_REQUIRE_PREAUTH）。对于具有这种配置的用户，将生成John The Ripper输出，因此您可以发送它进行破解。
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019

NBNS欺骗
NBNS Spoofing
NTLMv1多功能工具
此工具会修改NTLMv1 / NTLMv1-ESS / MSCHAPv2哈希，以便可以使用哈希猫中的DES模式14000对其进行破解
https://github.com/evilmog/ntlmv1-multi/

Invoke-Phant0分钟
该脚本遍历事件日志服务进程（专用svchost.exe）的线程堆栈，并标识事件日志线程以杀死事件日志服务线程。因此，系统将无法收集日志，同时事件日志服务似乎正在运行。
https://artofpwn.com/phant0m-killing-windows-event-log.htmlhttps://github.com/hlldz/Invoke-Phant0m
使用PowerUpSQL转储Active Directory域信息！
Dumping Active Directory Domain Info – with PowerUpSQL!


绕过PowerShell执行策略的15种方法
15 Ways to Bypass the PowerShell Execution Policy


提升，UAC绕过，持久性，特权升级，dll劫持技术
https://github.com/rootm0s/WinPwnage
滥用DCOM进行另一种横向移动技术
Abusing DCOM For Yet Another Lateral Movement Technique
调用WMILM
这是PoC脚本，用于通过WMI来实现经过身份验证的远程代码执行的各种方法，而无需（至少直接使用）Win32_Process类。技术的类型由“类型”（Type）参数确定。
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
[内核开发] 7：任意覆盖（Win7 x86）
https://www.abatchy.com/2018/01/kernel-exploitation-7

Active Directory作为C2（命令和控制）
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
.NET程序集编译方法绕过Device Guard
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
DiskShadow：VSS规避，持久性和Active Directory数据库提取的返回
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

使用RDP进行网络隔离
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

Win 10（v1803）上的PowerShell Shellcode注入
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/

推出了Empire Web v2，这是Powershell帝国的Web界面。
https://github.com/interference-security/empire-web
隐藏的管理帐户：抢救的猎犬
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/

使用Kerberoasting提取服务帐户密码
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
MSDAT（Microsoft SQL数据库攻击工具）是一种开源渗透测试工具，可以远程测试Microsoft SQL数据库的安全性。
https://github.com/quentinhardy/msdat



强力猫
Netcat：Powershell版本。
https://github.com/besimorhino/powercat
渗透测试人员的Windows特权升级方法
Windows Privilege Escalation Methods for Pentesters

使用Kerberos无约束委派获取域管理员
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
扫描Active Directory特权和特权帐户
Scanning for Active Directory Privileges & Privileged Accounts

使用Invoke-ADLabDeployer进行自动化的AD和Windows测试实验室部署
Automated AD and Windows test lab deployments with Invoke-ADLabDeployer


简化密码喷涂
https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/
Active Directory凭据的密码喷涂工具
https://github.com/SpiderLabs/Spray
滥用SeLoadDriverPrivilege进行特权升级
https://www.tarlogic.com/cn/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
探索PowerShell AMSI和记录逃避
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
进行代码执行的Weaponizing .SettingContent-ms扩展
https://www.trustedsec.com/2018/06/weaponizing-settingcontent

WMImplant开发后-简介
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction

WMImplant开发后-简介
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction

PowerShell：如何获取远程计算机上所有已安装软件的列表
https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers
Tokenvator：使用Windows令牌提升特权的工具
Tokenvator: A Tool to Elevate Privilege using Windows Tokens

使用一个简单的技巧在JScript中禁用AMSI
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
Inveigh是PowerShell LLMNR / mDNS / NBNS欺骗者和中间人工具，旨在帮助发现自己仅限于Windows系统的渗透测试人员/红色团队合作者。
https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md
一种多线程工具，旨在通过SMB大规模地识别凭证在网络中是有效，无效还是本地管理员有效凭证，现在还可以与用户猎人一起使用
https://github.com/Raikia/CredNinja

PSScriptAnalyzer是Windows PowerShell模块和脚本的静态代码检查器。PSScriptAnalyzer通过运行一组规则来检查Windows PowerShell代码的质量。规则基于PowerShell团队和社区确定的PowerShell最佳做法。它生成DiagnosticResults（错误和警告），以告知用户潜在的代码缺陷，并提出可能的改进方案。
https://github.com/PowerShell/PSScriptAnalyzer
绕过SQL Server登录触发器限制
Bypassing SQL Server Logon Trigger Restrictions

欺骗性SSDP会针对网络上的NTLM哈希回复网络钓鱼。创建一个伪造的UPNP设备，诱使用户访问恶意网页仿冒页面。
https://gitlab.com/initstring/evil-ssdp
https://twitter.com/subTee/status/1012657434702123008?s=19
丧失能力的Windows Defender
Incapacitating Windows Defender

红队故事0x01：从MSSQL到RCE
https://www.tarlogic.com/cn/blog/red-team-tales-0x01
LethalHTA-使用DCOM和HTA的新横向移动技术
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
是什么使Microsoft可执行文件成为Microsoft可执行文件？攻击者和防御者的观点
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e

Powershell脚本，用于枚举启用了自动提升的可执行文件，方便进行特权升级。
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
使用SCF文件收集哈希
Using a SCF file to Gather Hashes
攻击域信任的指南
A Guide to Attacking Domain Trusts


RE：在Windows 10上规避自动运行PoC
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f

功能，而不是错误：DNSAdmin可以DC折衷
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

超越LLMNR / NBNS欺骗–利用Active Directory集成的DNS
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS

https://github.com/Kevin-Robertson/Powermad/blob/master/README.md
域NC磁头上具有写访问权限的域访问
Elevating AD Domain Access With Write Access on the Domain NC Head

使用Mimikatz DCSync提取用户密码数据
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
将哈希传递给NTLM身份验证的Web应用程序
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
winrm.vbs中的应用程序白名单绕过和任意无符号代码执行技术
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
面纱有效载荷和面纱军械
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/

清除Linux / Windows服务器中的所有日志
https://github.com/Rizer0/Log-killer
如果可以的话，请捕获我：用Cobalt Strike和石像鬼绕过内存扫描仪
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle
用于检查Windows二进制文件（EXE / DLL）是否已通过ASLR，DEP，SafeSEH，StrongNaming和Authenticode编译的PowerShell模块。
https://github.com/NetSPI/PESecurity
利用Windows 10 PagedPool一次性关闭溢出（WCTF 2018）
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
匿名枚举Azure文件资源
Anonymously Enumerating Azure File Resources

通过将SettingContent-ms嵌入PDF来武器化PDF。
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
在图像文件执行选项中使用GlobalFlags的持久性–从Autoruns.exe隐藏
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe

破坏Azure Windows 2008 R2 SP1 VM
https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm

Microsoft LAPS安全性和Active Directory LAPS配置侦听
Microsoft LAPS Security & Active Directory LAPS Configuration Recon


PowerShell绝对是C＃的“网关药物”-GhostPack是新安全工具（当前为C＃）的集合，摆脱了Powershell监控的关注
https://github.com/GhostPack
通过Kerberos传递哈希
https://malicious.link/post/2018/pass-the-hash-with-kerberos/

幽灵包
https://posts.specterops.io/ghostpack-d835018c5fc4域名善良–我如何学习爱AD Explorer
Domain Goodness – How I Learned to LOVE AD Explorer

进入系统外壳的另一种方法-辅助技术
Another way to get to a system shell – Assistive Technology
Robber：一种开放源代码工具，用于查找易于发生DLL劫持的可执行文件
https://github.com/MojtabaTajik/Robber
safetyKatz：@gentilkiwi的Mimikatz项目和@subtee的.NET PE Loader的略微修改版本的组合。
https://github.com/GhostPack/SafetyKatz
在公司网络中安装Windows后，到处都可以找到存储的密码 
http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html
安全性乐趣：猎犬，MS16-072和GPO可发现性
Security Fun: Bloodhound, MS16-072 and GPO Discoverability

Netsh DLL帮助器
http://liberty-shell.com/sec/2018/07/28/netshlep/
使用WMIC（系统命令）进行后期开发
Post Exploitation Using WMIC (System Command)


2018年更新的PoC Mimikatz装载机
PoC：https：//gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7
一线式：https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58
Windows特权升级注意事项
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
域渗透测试：使用BloodHound，Crackmapexec和Mimikatz获取域管理员
https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin
最终的AppLocker绕过列表：此存储库的目的是记录绕过AppLocker的最常用技术。
https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev
LDAP注入备忘单，攻击示例和防护
https://www.checkmarx.com/knowledge/knowledgebase/LDAP

允许暂停取消暂停Win32 / 64 exe的PowerShell脚本
https://github.com/besimorhino/Pause-Process
ASP.NET资源文件（.RESX）和反序列化问题
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
利用IIS / .NET中的XXE漏洞
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities

当“ ASLR”不是真正的ASLR时-错误假设和错误默认值的情况
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

使用Office [DOT] XML文档捕获NetNTLM哈希
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents

外壳混淆
pOWershell obFUsCation

通过WMI和PowerShell复制文件
https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell
通过Meterpreter使用WinRM
https://www.trustedsec.com/2017/09/using-winrm-meterpreter
TBAL：本地用户的（偶然的？）DPAPI后门
TBAL: an (accidental?) DPAPI Backdoor for local users

PoC：
https://youtu.be/NIPKMSV-KTw
P0wnedShell：PowerShell Runspace发布后利用工具包
https://github.com/Cn33liz/p0wnedShell

mimiDbg：PowerShell oneliner从内存中检索最糟糕的密码
https://github.com/giMini/mimiDbg

针对AD集成的SSO提供者的金票攻击执行
https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso

Windows特权升级基础
http://www.fuzzysecurity.com/tutorials/16.html
使用一个简单的技巧在JScript中禁用AMSI
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html

不可阻挡的服务：一种在C＃中具有不可停止属性的C＃自安装Windows服务的模式。
https://github.com/malcomvetter/UnstoppableService
驱动程序加载器，用于绕过Windows x64驱动程序签名实施
https://github.com/hfiref0x/TDL
颠覆Sysmon：形式化安全产品规避方法的应用
码：https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code
幻灯片：https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf
白皮书：https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf

PSExec在C＃中的实现
https://github.com/malcomvetter/CSExec
SMBetray：后门和破坏性签名
https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures
https://github.com/QuickBreach/SMBetray.git
ADRecon：Active Directory Recon Blackhat Arsenal 2018
https://www.slideshare.net/mobile/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation
https://github.com/sense-of-security/adrecon
PS1jacker：用于生成COM劫持有效负载的工具。
https://github.com/darkw1z/Ps1jacker
DEF CON 26（2018）–利用Active Directory管理员的不安全因素
https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf从工作站到域管理员：为什么安全管理不安全以及如何解决
https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf
用于检测Windows Defender的mpengine.dll的工具
https://github.com/0xAlexei/WindowsDefenderTools
反检测的艺术1 – AV和检测技术简介
Art of Anti Detection 1 –  Introduction to AV & Detection Techniques


Ridrelay：通过使用具有低priv的SMB中继来枚举您没有信誉的域上的用户名。
https://github.com/skorov/ridrelay
远程枚举防病毒配置
https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations
多汁的土豆（滥用黄金特权）
https://decoder.cloud/2018/08/10/juicy-potato

多汁的土豆（滥用黄金特权）
https://ohpe.github.io/juicy-potato
黑客攻击HTA文件
http://blog.sevagas.com/?Hacking-around-HTA-files

Koadic C3 COM命令和控制-JScript RAT
https://github.com/zerosum0x0/koadic
网络钓鱼-询问并获得
https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive
Windows开发技巧：利用任意对象目录创建本地特权提升
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
绕过Microsoft AD FS多重身份验证协议（CVE-2018-8340）：
多因素混合：谁又是你？
https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability

协调器：C＃目标攻击一致性工具
https://github.com/stufus/reconerator
DCShadow-最小权限，Active Directory欺骗，Shadowception等
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
万能钥匙攻击
https://pentestlab.blog/2018/04/10/skeleton-key
Microsoft.Workflow.Compiler.exe中的任意无符号代码执行向量
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

SANS网络广播：用于PenTesting的PowerShell
https://www.youtube.com/watch?v=a8_DqEVFwO8
Microsoft.Workflow.Compiler.exe Mimikatz运行程序。
https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e
列表-RDP-连接历史
使用powershell列出已登录用户或所有用户的RDP连接历史记录
https://github.com/3gstudent/List-RDP-Connections-History
通用Windows Bootkit
对MBR引导程序（称为“ HDRoot”）的分析
http://williamshowalter.com/a-universal-windows-bootkit
广播名称解析中毒/ WPAD攻击向量
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector.NET反序列化为NTLM哈希
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashhes
使用Python工具将虚假更新注入未加密的WSUS流量
https://github.com/pdjstone/wsuspect-proxy
远程修改防病毒配置
https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations

制作完美的注射器：滥用Windows地址清理和CoW
Making the Perfect Injector: Abusing Windows Address Sanitization and CoW

通过.URL或desktop.ini文件泄漏Windows资源管理器中的环境变量
https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html

从Windows 10 ssh-agent提取SSH私钥
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent

午餐前我在内部网络上获得域管理员的五种方式（2018年版）
https://medium.com/@adam.toscher/top-five-way-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
CVE-2018-0952：Windows Standard Collector服务中的特权升级漏洞
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
攻击性用户DPAPI滥用的操作指南
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107

Kerberoasting和SharpRoast输出解析！
https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html
whitelist_bypass_server
通过提供对诸如软件限制策略和applocker之类的解决方案的绕过，该模块旨在成为测试端点应用程序白名单有效性的平台。
https://github.com/rapid7/metasploit-framework/pull/8783
客户端开发-交易技巧0x01-Sharpshooter + SquibblyTwo
https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178

权限提升和开发后文件
https://rmusser.net/docs/权限升级和Post-Exploitation.html

任务计划程序ALPC漏洞利用（未修补）和＆PoC by SandboxEscaper
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
通过Windows端口445上的meterpreter进行远程NTLM中继
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445
Microsoft.Workflow.Compiler.exe，Veil和Cobalt Strike
https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike
绕过工作流保护机制-SharePoint上的远程执行代码
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint
在Microsoft Word中玩ActiveX控件
https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word
Invoke-AtomicTest-与Atomic Red Team自动化MITER ATT＆CK
http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html
AppLocker绕过-CMSTP
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp
使用AdminSDHolder和SDProp的持久性
https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop
Red Teaming Microsoft：第1部分–通过Azure进行Active Directory泄漏
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure
演练Mimikatz sekurlsa模块
https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa

Windows-privesc-check-独立的可执行文件，用于检查Windows系统上的简单权限提升向量
https://github.com/pentestmonkey/windows-privesc-check

了解DLL劫持的工作方式
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works
玩中继凭证
https://www.coresecurity.com/blog/playing-relayed-credentials
DDE下载器，Excel滥用和PowerShell后门
http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
CVE-2018-8120的详细技术说明
https://xiaodaozhi.com/exploit/156.html
Windows零日特权esc的PowerShell示例
https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md
你不能遏制我！::分析和利用Docker for Windows中的特权提升漏洞
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
CVE-2018-8420-通过Web浏览器PoC的Microsoft XML核心服务MSXML RCE
https://github.com/Theropord/CVE-2018-8420

绕过AppLocker自定义规则
https://0x09al.github.io/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html
0x09AL安全博客绕过AppLocker自定义规则
介绍乔纳森（Jonhnathan）乔纳森（Jonhnathan）w0rk3r的Windows黑客库使用SeCreateTokenPrivilege利用STOPzilla AntiMalware任意写入漏洞
Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege
乔纳森（Jonhnathan）乔纳森（Jonhnathan）w0rk3r的Windows黑客库如何在Mimikatz中添加模块？
https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html
使用Metasploit绕过UAC的多种方法
Multiple Ways to Bypass UAC using Metasploit
乔纳森（Jonhnathan）乔纳森（Jonhnathan）w0rk3r的Windows黑客库从OSINT到内部：从外围获得域管理员
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin
从JSP Shell使用Mimikatz
https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc
随身携带2个lsass保护选项
https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a
SharpSploit简介：AC＃开发后库
https://posts.specterops.io/introducing-sharpsploit-ac-post-exploitation-library-5c7be5f16c51
使用LDAP加快域升级
Faster Domain Escalation using LDAP

.NET Framework版本中的一课
https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions
使用Active Directory进行命令和控制
Command and Control Using Active Directory


L1TF（Foreshadow）VM来宾到主机的内存读取PoC
https://github.com/gregvish/l1tf-poc

MS Outlook中的SMB哈希劫持和用户跟踪
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook
SharpBox是C＃工具，用于使用DropBox API将数据压缩，加密和渗漏到DropBox中
https://github.com/P1CKLES/SharpBox
从Kekeo到Rubeus
https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14
Tokenvator：版本2
Tokenvator: Release 2

通过COM的AppLocker CLM旁路
https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com

Injdrv是概念验证的Windows驱动程序，用于使用APC将DLL注入用户模式进程
https://github.com/wbenny/injdrv

响应者和第2层枢轴
https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots

PowerShell：通过在所有域计算机上运行systeminfo记录环境
https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers
备用操作员的力量
https://decoder.cloud/2018/02/12/the-power-of-backup-operatos
滥用Windows库文件以实现持久性
https://www.countercept.com/blog/abusing-windows-library-files-for-persistence
域控制打印服务器+不受约束的Kerberos委派=拥有的Active Directory林
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

Powershell的invoke-Confusion .NET远程攻击者
https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell
使用DCShadow创建持久性
https://blog.stealthbits.com/creating-persistence-with-dcshadow
时间旅行调试：发现Windows GDI缺陷
Time Travel Debugging: finding Windows GDI flaws

恶意使用Microsoft“本地管理员密码解决方案”
http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf

Tokenvator Wiki
https://github.com/0xbadjuju/Tokenvator/wiki
ServiceFu：远程收集服务帐户凭据
https://www.securifera.com/blog/2018/10/07/servicefu对Sysmon进攻
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
利用Regedit：看不见的持久性和二进制存储
https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
PoC：https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys
使用PowerShell攻击Azure环境
https://youtu.be/IdORwgxDpkw
MicroBurst：一组用于评估Microsoft Azure安全性的脚本
https://github.com/NetSPI/MicroBurst
Icebreaker.py：通过一个命令在Active Directory中立足SaintCon的Dan McInerney
https://youtu.be/1LR5u8uKO8I
[工具]破冰船：如果您位于内部网络上但不在AD环境中，则获取纯文本Active Directory凭据
https://github.com/DanMcInerney/icebreaker利用WSUS –第一部分
https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one
使用Invoke-PowerCloud通过DNS进行Powershell有效负载交付
https://how.ired.team/offensive-security-experiments/payload-delivery-via-dns-using-invoke-powercloud

SharpAttack：用于执行某些安全评估任务的控制台。它利用.NET和Windows API来执行其工作（和cobbr_io SharpSploit）。它包含用于域枚举，代码执行和其他有趣功能的命令。
https://github.com/jaredhaight/SharpAttack
在陆地上生活
https://liberty-shell.com/sec/2018/10/20/living-off-the-land