├── .github └── FUNDING.yml ├── 0-main ├── 1-Methodology-Master.md ├── 2-Misc-Notes.md └── assets │ └── display_group_recurse.png ├── 1-PS-Bypassing ├── 1-Adv-Powershell.md ├── 2-Bypassing-AV-Signatures-PowerShell.md ├── 3-Offensive-dot-NET-Introduction.md └── assets │ ├── Confuserx_2.png │ ├── Confuserx_protect_4.png │ ├── Confuserx_settings_3.png │ ├── antiscan_new_8.png │ ├── antiscan_old_7.png │ ├── hash_6.png │ ├── threatcheck_1.png │ └── threatcheck_recheck_5.png ├── 2-Domain-Enumeration ├── 1-Basic-Enumeration.md ├── 2-GPO-Enumeration.md ├── 3-ACL-Enumeration.md ├── 4-Trust-Enumeration.md ├── 5-BloodHound-Enumeration.md └── assets │ └── blood-hound.jpeg ├── 3-Local-Priv-Esc └── 1-Service-Priv-Esc.md ├── 4-Lateral-Movement ├── 1-Invoke-Command-PSSession.md └── 2-Dumping-Credetials.md ├── 5-Domain-Priv-Esc ├── 1-Unconstrained-Delegation.md ├── 2-Constrained-Delegation-with-Protocol-Transition.md ├── 3-LAPS.md ├── 4-MS-Exchange.md └── 5-Resource-Based-Constrained-Delegation.md ├── 6-Domain-Persistence ├── 1-Golden-Ticket.md ├── 2-Silver-Ticket.md ├── 3-Skeleton-Key.md └── 4-Diamond-Ticket.md ├── 7-Cross-Domain-Attacks ├── 1-Azure-AD-Integration-PHS.md ├── 2-AD-CS.md ├── 3-Shadow-Credentials.md └── assets │ ├── 1.png │ ├── 10.png │ ├── 11.png │ ├── 12.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── 5.png │ ├── 6.png │ ├── 7.png │ ├── 8.png │ └── 9.png ├── 8-Cross-Forest-Attacks ├── 1-Kerberoast.md ├── 2-Forest-Root-Trust-Key.md └── 3-PAM-Trust.md ├── 9-Trust-Abuse └── 1-MSSQL-Abuse.md ├── CRTE-Lab-Pwn ├── CRTE_Lab_Report.md └── assets │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── 5.png │ ├── 6.png │ └── 7.png └── README.md /.github/FUNDING.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/.github/FUNDING.yml -------------------------------------------------------------------------------- /0-main/1-Methodology-Master.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/0-main/1-Methodology-Master.md -------------------------------------------------------------------------------- /0-main/2-Misc-Notes.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/0-main/2-Misc-Notes.md -------------------------------------------------------------------------------- /0-main/assets/display_group_recurse.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/0-main/assets/display_group_recurse.png -------------------------------------------------------------------------------- /1-PS-Bypassing/1-Adv-Powershell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/1-Adv-Powershell.md -------------------------------------------------------------------------------- /1-PS-Bypassing/2-Bypassing-AV-Signatures-PowerShell.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/2-Bypassing-AV-Signatures-PowerShell.md -------------------------------------------------------------------------------- /1-PS-Bypassing/3-Offensive-dot-NET-Introduction.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/3-Offensive-dot-NET-Introduction.md -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/Confuserx_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/Confuserx_2.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/Confuserx_protect_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/Confuserx_protect_4.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/Confuserx_settings_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/Confuserx_settings_3.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/antiscan_new_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/antiscan_new_8.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/antiscan_old_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/antiscan_old_7.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/hash_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/hash_6.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/threatcheck_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/threatcheck_1.png -------------------------------------------------------------------------------- /1-PS-Bypassing/assets/threatcheck_recheck_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/1-PS-Bypassing/assets/threatcheck_recheck_5.png -------------------------------------------------------------------------------- /2-Domain-Enumeration/1-Basic-Enumeration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/2-Domain-Enumeration/1-Basic-Enumeration.md -------------------------------------------------------------------------------- /2-Domain-Enumeration/2-GPO-Enumeration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/2-Domain-Enumeration/2-GPO-Enumeration.md -------------------------------------------------------------------------------- /2-Domain-Enumeration/3-ACL-Enumeration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/2-Domain-Enumeration/3-ACL-Enumeration.md -------------------------------------------------------------------------------- /2-Domain-Enumeration/4-Trust-Enumeration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/2-Domain-Enumeration/4-Trust-Enumeration.md -------------------------------------------------------------------------------- /2-Domain-Enumeration/5-BloodHound-Enumeration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/2-Domain-Enumeration/5-BloodHound-Enumeration.md -------------------------------------------------------------------------------- /2-Domain-Enumeration/assets/blood-hound.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/2-Domain-Enumeration/assets/blood-hound.jpeg -------------------------------------------------------------------------------- /3-Local-Priv-Esc/1-Service-Priv-Esc.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/3-Local-Priv-Esc/1-Service-Priv-Esc.md -------------------------------------------------------------------------------- /4-Lateral-Movement/1-Invoke-Command-PSSession.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/4-Lateral-Movement/1-Invoke-Command-PSSession.md -------------------------------------------------------------------------------- /4-Lateral-Movement/2-Dumping-Credetials.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/4-Lateral-Movement/2-Dumping-Credetials.md -------------------------------------------------------------------------------- /5-Domain-Priv-Esc/1-Unconstrained-Delegation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/5-Domain-Priv-Esc/1-Unconstrained-Delegation.md -------------------------------------------------------------------------------- /5-Domain-Priv-Esc/2-Constrained-Delegation-with-Protocol-Transition.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/5-Domain-Priv-Esc/2-Constrained-Delegation-with-Protocol-Transition.md -------------------------------------------------------------------------------- /5-Domain-Priv-Esc/3-LAPS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/5-Domain-Priv-Esc/3-LAPS.md -------------------------------------------------------------------------------- /5-Domain-Priv-Esc/4-MS-Exchange.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/5-Domain-Priv-Esc/4-MS-Exchange.md -------------------------------------------------------------------------------- /5-Domain-Priv-Esc/5-Resource-Based-Constrained-Delegation.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/5-Domain-Priv-Esc/5-Resource-Based-Constrained-Delegation.md -------------------------------------------------------------------------------- /6-Domain-Persistence/1-Golden-Ticket.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/6-Domain-Persistence/1-Golden-Ticket.md -------------------------------------------------------------------------------- /6-Domain-Persistence/2-Silver-Ticket.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/6-Domain-Persistence/2-Silver-Ticket.md -------------------------------------------------------------------------------- /6-Domain-Persistence/3-Skeleton-Key.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/6-Domain-Persistence/3-Skeleton-Key.md -------------------------------------------------------------------------------- /6-Domain-Persistence/4-Diamond-Ticket.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/6-Domain-Persistence/4-Diamond-Ticket.md -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/1-Azure-AD-Integration-PHS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/1-Azure-AD-Integration-PHS.md -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/2-AD-CS.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/2-AD-CS.md -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/3-Shadow-Credentials.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/3-Shadow-Credentials.md -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/1.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/10.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/11.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/12.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/2.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/3.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/4.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/5.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/6.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/7.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/8.png -------------------------------------------------------------------------------- /7-Cross-Domain-Attacks/assets/9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/7-Cross-Domain-Attacks/assets/9.png -------------------------------------------------------------------------------- /8-Cross-Forest-Attacks/1-Kerberoast.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/8-Cross-Forest-Attacks/1-Kerberoast.md -------------------------------------------------------------------------------- /8-Cross-Forest-Attacks/2-Forest-Root-Trust-Key.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/8-Cross-Forest-Attacks/2-Forest-Root-Trust-Key.md -------------------------------------------------------------------------------- /8-Cross-Forest-Attacks/3-PAM-Trust.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/8-Cross-Forest-Attacks/3-PAM-Trust.md -------------------------------------------------------------------------------- /9-Trust-Abuse/1-MSSQL-Abuse.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/9-Trust-Abuse/1-MSSQL-Abuse.md -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/CRTE_Lab_Report.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/CRTE_Lab_Report.md -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/1.png -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/2.png -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/3.png -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/4.png -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/5.png -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/6.png -------------------------------------------------------------------------------- /CRTE-Lab-Pwn/assets/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/CRTE-Lab-Pwn/assets/7.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xStarlight/CRTE-Notes/HEAD/README.md --------------------------------------------------------------------------------