Awesome Windows Red Team
A curated list of awesome Windows talks, tools and resources for Red Teams, from beginners to ninjas.
Contents
- Books
- Courses
- System Architecture
- Lateral Movement
- Privilege Escalation
- Defense Evasion
- Exfiltration
- PowerShell
- Phishing
- Tools
Books
- Windows Internals, Seventh Edition, Part 1
- Windows Internals, Sixth Edition, Part 1
- Windows Internals, Sixth Edition, Part 2
- How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK
- Windows® via C/C++ (Developer Reference) (English Edition)
- The Hacker Playbook 3: Practical Guide To Penetration Testing
Courses
- Professor Messer's CompTIA SY0-501 Security+ Course
- Penetration Testing with Kali (PWK) Online Security Training Course
- Offensive Security Certified Expert
- Advanced Windows Exploitation: Live Hands-on Penetration Testing Training
- Windows API Exploitation Recipes: Processes, Tokens and Memory RW
- Powershell for Pentesters - Pentester Academy
- WMI Attacks and Defense - Pentester Academy
- Windows Red Team Lab - Pentester Academy
System Architecture
Active Directory
- ADsecurity.org
- DerbyCon4 - How to Secure and Sys Admin Windows like a Boss
- DEFCON 20: Owned in 60 Seconds: From Network Guest to Windows Domain Admin
- BH2015 - Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection
- BH2016 - Beyond the Mcse: Active Directory for the Security Professional
- BH2017 - Evading Microsoft ATA for Active Directory Domination
- DEFCON 26 - Exploiting Active Directory Administrator Insecurities
- BH2017 - An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
- DerbyCon7 - Building the DeathStar: getting Domain Admin with a push of a button (aka how I almost automated myself out of a job)
- DerbyCon4 - Abusing Active Directory in Post Exploitation
Kerberos
- Kerberos (I): How does Kerberos work? – Theory
- Protecting Privileged Domain Accounts: Network Authentication In-Depth
- Basic attacks on communication protocols – replay and reflection attacks
- MicroNugget: How Does Kerberos Work?
- MIT 6.858 Fall 2014 Lecture 13: Kerberos
- DerbyCon4 - Et tu Kerberos
- DerbyCon7 - Return From The Underworld The Future Of Red Team Kerberos
- BH2014 - Abusing Microsoft Kerberos: Sorry You Guys Don't Get It
- DerbyCon4 - Attacking Microsoft Kerberos Kicking the Guard Dog of Hades
- Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More
- How Attackers Use Kerberos Silver Tickets to Exploit Systems
LSASS, SAM, NTLM, GPO
- Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack
- ATT&CK - Credential Dumping
- BH2002 - Cracking NTLMv2 Authentication
- DerbyCon7 - Securing Windows with Group Policy
- Abusing GPO Permissions
- Targeted Kerberoasting
WinAPI
Lateral Movement
Pass the Hash
- ATT&CK - Pass the Hash
- BH2013 - Pass the Hash and other credential theft and reuse: Preventing Lateral Movement...
- BH2013 - Pass the Hash 2: The Admin's Revenge
- From Pass-the-Hash to Pass-the-Ticket with No Pain
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy
Pass the Ticket
LLMNR/NBT-NS poisoning
Privilege Escalation
- Level Up! Practical Windows Privilege Escalation - Andrew Smith
- Windows Privilege Escalation Presentation
- Windows Kernel Exploits
- DEF CON 22 - Kallenberg and Kovah - Extreme Privilege Escalation On Windows 8/UEFI Systems
- DEF CON 25 - Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
- DerbyCon7 - Not a Security Boundary Bypassing User Account Control
Token Impersonation
Defense Evasion
AV
- DerbyCon3 - Antivirus Evasion Lessons Learned
- DerbyCon7 - T110 Modern Evasion Techniques
- DerbyCon7 - Evading Autoruns
- Red Team Techniques for Evading, Bypassing & Disabling MS
- How to Bypass Anti-Virus to Run Mimikatz
- AV Evasion - Obfuscating Mimikatz
- Getting PowerShell Empire Past Windows Defender
AMSI
- Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
- [Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion](https://iwantmore.pizza/posts/amsi.html)
LAPS
AppLocker & Application Whitelisting
Exfiltration
- Abusing Windows Management Instrumentation (WMI)
- DEF CON 23 - Panel - WhyMI so Sexy: WMI Attacks - Real Time Defense and Advanced Forensics
- DerbyCon3 - Living Off The Land A Minimalist's Guide To Windows Post Exploitation
PowerShell
- DEF CON 18 - David Kennedy "ReL1K" & Josh Kelley - Powershell...omfg
- DEF CON 22 - Investigating PowerShell Attacks
- DerbyCon2016 - 106 PowerShell Secrets and Tactics Ben0xA
- Daniel Bohannon – Invoke-Obfuscation: PowerShell obFUsk8tion
- BH2017 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
Phishing
Maldocs
Macros
DDE
- About Dynamic Data Exchange
- Abusing Microsoft Office DDE
- Microsoft Office Dynamic Data Exchange (DDE) attacks
- Office-DDE-Payloads
HTA
Tools
Adversary Emulation
Other Awesome Lists & sources
- Awesome Red Teaming
- Red Teaming Toolkit
- Red Team Infrastructure Wiki
- Awesome Pentest
- Red Teaming Experiments
Contributing
Your contributions are always welcome! Please take a look at the contribution guidelines first.
If you have any questions about this opinionated list, do not hesitate to contact me @_mvalle_ on Twitter or open an issue on GitHub.