Personal notes and collection of useful links.

Collection in early stage - more details will be added (URL/Description).

• assume breach?

• designing-the-adversary-simulation-lab/

• https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/ (bypass by xpn)
• https://github.com/zacbrown/PowerKrabsEtw
• https://github.com/zacbrown/hiddentreasure-etw-demo

• https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
• https://github.com/jthuraisamy/SysWhispers
• https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
• https://jhalon.github.io/utilizing-syscalls-in-csharp-2/
• https://www.solomonsklash.io/syscalls-for-shellcode-injection.html
• https://github.com/frkngksl/Celeborn
• https://github.com/m0rv4i/Syscalls-Extractor

• Defeat Bitdefender total security using windows API unhooking to perform process injection
• Part 1: Fs Minifilter Hooking
• Windows API Hooking

• TelemetrySourcerer

• OffensivePipeline

• Multi-Stage Offensive Operations with Mythic

• Blue team - EDR evolution
• Nice webinar - understanding-modern-edr-tools
• Lets Create An EDR… And Bypass It! Part 1
• Lets Create An EDR… And Bypass It! Part 2
• A Guide to Reversing and Evading EDRs: Part 1 Introduction
• A Guide to Reversing and Evading EDRs: Part 2 Sensor reconnaisssance
• A Guide to Reversing and Evading EDRs: Part 3 Diverting EDR telemetry to private infrastracture
• Alaris
• ScareCrow
• Self deleting exe
• Defeating Antivirus Real-time Protection From The Inside
• Duping AV with handles
• Adventures in Dynamic Evasion
  • Companion PoC for the "Adventures in Dynamic Evasion" blog post
• Click your shortcut and… you got pwned.
• Evade EDR with Shellcode Injection and gain persistence using Registry Run Keys
• Understanding and bypassing AMSI
• Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners
• smaller-c-payloads-on-windows
• in-memory-shellcode-decoding-to-evade-avs
• MDSec Bypassing Image Load Kernel Callbacks

• XPN - Azure AD Connect for Red Teamers
• Making Clouds Rain :: Remote Code Execution in Microsoft Office 365
• List of Azure CDN IP Addresses
• AWS IAM explained for Red and Blue teams
• Exploiting AWS IAM permissions for total cloud compromise: a real world example (part 1/2)
• Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example (part 2/2)

• lateral-movement-using-dcom-objects

• https://itm4n.github.io/windows-dll-hijacking-clarified/
• https://github.com/monoxgas/Koppeling (DLL hijacking)
• https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/ (DLL proxy loading)
• Full DLL Unhooking with C++

• https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
• https://sevrosecurity.com/2020/04/13/process-injection-part-2-queueuserapc/

• https://ired.team/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness

• Post exploitation creds
• Adversary phishing characteristics
• Check the phishing server / landing page response
• Security check of your URL
• Check your phishing e-mail quality
• Recipe for a successful phishing campaign (part 1/2)
  • setup SPF, DKIM, PTR, MX and general approach
• Recipe for a successful phishing campaign (part 2/2)
  • setup DNS, gophishg, general tips for better campaign
• Building resilient phishing campaign infrastructure
• email spoofing
• docker,terradorm,ansible automation
• Internal phishing
• Password protected Excel phishing
• Gophish notification
• Gophish notification via webhooks

• sendgrid
  • useful service but honestly, You need Pro pain plan to be lucky not to be on a spamlist
• mailgun
  • haven't had any problem
• Amazon AWS SES

• Download via Defender
• (You can use C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe -url -path to download your file using Windows defender itself.)

• Manage Red Team domain
• Domain Shepherd

• If you are always looking through your ssh conf files for a specific host entry, this simple bash function might be just what you need.

function getssh() {
  awk "/$1/,/^$/" < ~/.ssh/include/*
}

• Weaponry
  • A collection of offensive code used for red team engagements.
• Mr-Un1k0d3r awesome repo
• PowerShellArmoury
• RedTeamTools
• inceptor
• mgeeky awesome repo

• Making the Perfect Red Team Dropbox (Part 1)
• Making the Perfect Red Team Dropbox (Part 2)