```
├── AdversaryAutomation.md
├── BlueAutomation.md
├── BlueNotes
│   └── readme.md
├── BlueTools.md
├── C2.md
├── CsharpTools.md
├── PurpleNotes.md
├── README.md
└── RedServerless.md
```

---

/AdversaryAutomation.md:

# Tools to automate attacker or end-user

* APT Simulator
* Atomic-Parser
* atomic-red-team
* ATTACK-Tools
* EDR-Testing-Script
* flightsim
* Invoke-Adversary
* Invoke-UserSimulator
* List of Adversary Emulation Tools - PenTestIT.html
* MalwLess
* metta
* PurpleSharp
* pyattck
* RTA
* sheepl
* youzer

# Infrastructure & Labs
* [Want to test out Microsoft #Security products (and others) but don't have the environment to thoroughly test? Want to simulate Active Directory, privileged users, to learn more about credential exposure? Check out this Defend the Flag environment](https://twitter.com/yuridiogenes/status/1298362801216458762)
* [DefendTheFlag](https://github.com/microsoft/DefendTheFlag/)

# Atomic RedTeam
* Blue teams can now test their #ActiveDirectory attack detection mechanisms (SIEM, FW...) using #AtomicRedTeam by @redcanary [LINK](https://twitter.com/cnotin/status/1347176446842822656)

```
T1003.006 DCSync https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md#atomic-test-1---dcsync
T1207 DCShadow https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md#atomic-test-1---dcshadow---mimikatz
T1558.001 Golden ticket https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md#atomic-test-1---crafting-golden-tickets-with-mimikatz
T1110.001 Brute Force https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
T1110.003 Password spraying https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md#atomic-test-3---password-spray-all-domain-users-with-a-single-password-via-ldap-against-domain-controller-ntlm-or-kerberos
T1055 Remote Process Injection https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md#atomic-test-3---remote-process-injection-in-lsass-via-mimikatz
```

---

/BlueAutomation.md:

# Automated tools and envs

* DarthSidious
* DetectionLab
* flare-vm
* windows-domain-inabox
* WindowsAttackAndDefenseLab
* [Game of Active Directory](https://github.com/Orange-Cyberdefense/GOAD)

---

/BlueNotes/readme.md:

### IOC

* [DailyIOC](https://github.com/StrangerealIntel/DailyIOC)

### Process analysis

* [Process Spawn Control is a PowerShell tool which aims to help in the behavioral (process) analysis of malware. PsC suspends newly launched processes and gives the analyst the option to either keep the process suspended or to resume it.](https://github.com/felixweyne/ProcessSpawnControl)

### Random

* [Blue-Team-Notes](https://github.com/Purp1eW0lf/Blue-Team-Notes)

### Driver block list

* [driver block list](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)

---

/BlueTools.md:

# Collection of random tools

## Cloud

* [hawk](https://github.com/T0pCyber/hawk)
  * PowerShell-based tool for gathering information related to O365 intrusions and potential breaches

## Tools

* Active Directory PingCastle Auditor
* B2Response
* CentOS7_Lockdown
* Comae-Toolkit-Dumpit
* DARKSURGEON
* GetVulnerableGPO
* hardentools
* HELK
* honeybits
* hunt-detect-prevent
* LogonTracer
* malcom
* MalwLess
* mcafee
* PassFiltEx
* PcapXray
* pcode2code
* PS-WindowsForensics
* re_lab
* sinkhole
* sof-elk
* spy
* Sysmon
* SysMonster
* ThreatHunter-Playbook
* ToolAnalysisResultSheet
* win10-secure-baseline-gpo
* WindowsEnum
* Zeek
* [Zeek-Intelligence-Feeds](https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds)

---

/C2.md:

# C2 frameworks

## Empire based

* BlueCommand
* Empire-GUI
* EmpireMobile

## MSF based

* metasploit-execute-assembly
* MsfWrapper
* pymetasploit3
* resource_files

## Other

* [Mythic/Apollo](https://github.com/MythicAgents/Apollo)
* AutoRDPwn
* Browser-C2
* C2Shell
* C4
* DarkSpiritz
* DNS-Persist
* DoHC2
* Faction
* FudgeC2
* goDoH
* GTRS
* HRShell
* icmpsh
* Invoke-PowerCloud
* koadic
* merlin
* Naga
* PoshC2_Python
* RedPeanut
* redsails
* redtunnel
* SILENTTRINITY
* sliver
* ThunderDNS
* trevorc2
* WheresMyImplant

---

/CsharpTools.md:

## Offensive C# tools

There's also a separate public repository at [https://github.com/boh/RedCsharp](https://github.com/boh/RedCsharp)

* [CasperStager](https://github.com/ustayready/CasperStager)
  * PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
* [CSExec](https://github.com/malcomvetter/CSExec)
  * An implementation of PSExec in C#
* [CSharpCreateThreadExample](https://github.com/djhohnstein/CSharpCreateThreadExample)
  * C# code to run PIC using CreateThread
* [CSharpScripts](https://github.com/Arno0x/CSharpScripts)
  * Collection of C# scripts
* [CSharpSetThreadContext](https://github.com/djhohnstein/CSharpSetThreadContext)
  * C# shellcode runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
* [DnsCache](https://github.com/malcomvetter/DnsCache)
  * This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
* [FreshCookees](https://github.com/P1CKLES/FreshCookees)
  * C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navigates to your hosted auto-refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
* [GoldenTicket](https://github.com/ZeroPointSecurity/GoldenTicket)
  * This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
* [Grouper2](https://github.com/l0ss/Grouper2)
  * Find vulnerabilities in AD Group Policy
* [Inception](https://github.com/two06/Inception)
  * Provides in-memory compilation and reflective loading of C# apps for AV evasion.
* [KittyLitter](https://github.com/djhohnstein/KittyLitter)
  * Credential dumper. It is comprised of two components, KittyLitter.exe and KittyScooper.exe. This will bind across TCP, SMB, and MailSlot channels to communicate credential material to lowest-privilege attackers.
* [Lockless](https://github.com/GhostPack/Lockless)
  * Lockless allows for the copying of locked files.
* [Minidump](https://github.com/3xpl01tc0d3r/Minidump)
  * The program is designed to dump the full memory of a process by specifying its process name or process id.
* [MiscTools](https://github.com/rasta-mouse/MiscTools)
  * Miscellaneous tools
* [NamedPipes](https://github.com/malcomvetter/NamedPipes)
  * A pattern for client/server communication via Named Pipes in C#
* [nopowershell](https://github.com/bitsadmin/nopowershell)
  * PowerShell rebuilt in C# for red teaming purposes
* [Reg_Built](https://github.com/P1CKLES/Reg_Built)
  * C# userland registry RunKey persistence
* [RemoteProcessInjection](https://github.com/Mr-Un1k0d3r/RemoteProcessInjection)
  * C# remote process injection utility for Cobalt Strike
* [Rubeus](https://github.com/GhostPack/Rubeus)
  * Rubeus is a C# toolset for raw Kerberos interaction and abuses.
* RunProcessAsTask
* [RunSharp](https://github.com/fullmetalcache/RunSharp)
  * Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
* [SafetyKatz](https://github.com/GhostPack/SafetyKatz)
  * SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader
* [Seatbelt](https://github.com/GhostPack/Seatbelt)
  * Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
* [self-morphing-csharp-binary](https://github.com/bytecode77/self-morphing-csharp-binary)
  * C# binary that mutates its own code, encrypts and obfuscates itself at runtime
* [Sharp-InvokeWMIExec](https://github.com/TheWover/Sharp-InvokeWMIExec)
  * A native C# conversion of Kevin Robertson's Invoke-WMIExec PowerShell script
* [Sharp-Suite](https://github.com/rvrsh3ll/Sharp-Suite)
  * Fork of FuzzySecurity/Sharp-Suite
* [SharpAdidnsdump](https://github.com/b4rtik/SharpAdidnsdump)
  * C# implementation of Active Directory Integrated DNS dumping (authenticated user)
* [SharpAttack](https://github.com/jaredhaight/SharpAttack)
  * SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
* [SharpClipHistory](https://github.com/FSecureLABS/SharpClipHistory)
  * SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 build.
* [SharpCloud](https://github.com/chrismaddalena/SharpCloud)
  * Simple C# tool for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.
* [SharpCOM](https://github.com/rvrsh3ll/SharpCOM)
  * C# DCOM fun
* [SharpCompile](https://github.com/SpiderLabs/SharpCompile)
  * SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real time. This is a slicker approach than manually compiling a .NET assembly and loading it into Cobalt Strike.
* [SharpCradle](https://github.com/anthemtotheego/SharpCradle)
  * SharpCradle is a tool designed to help penetration testers or red teams download and execute .NET binaries in memory.
* [SharpDomainSpray](https://github.com/HunnicCyber/SharpDomainSpray)
  * Basic password spraying tool for internal tests and red teaming
* [SharpDoor](https://github.com/infosecn1nja/SharpDoor)
  * SharpDoor is an alternative to RDPWrap written in C# that allows multiple RDP (Remote Desktop) sessions by patching the termsrv.dll file.
* [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI)
  * SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
* [SharpDump](https://github.com/GhostPack/SharpDump)
  * SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
* [SharpEdge](https://github.com/rvrsh3ll/SharpEdge)
  * C# implementation of Get-VaultCredential
* [SharPersist](https://github.com/fireeye/SharPersist)
  * Windows persistence toolkit written in C#.
* [SharpExec](https://github.com/anthemtotheego/SharpExec)
  * SharpExec is an offensive security C# tool designed to aid with lateral movement. WMIExec. SMBExec. PSExec. WMI.
* [SharpFruit](https://github.com/rvrsh3ll/SharpFruit)
  * A C# penetration testing tool to discover low-hanging web fruit via web requests.
* [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse)
  * Application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
* [SharpHide](https://github.com/outflanknl/SharpHide)
  * Tool to create hidden registry keys.
* [SharpInvoke-SMBExec](https://github.com/checkymander/Sharp-SMBExec)
  * SMBExec C# module
* [SharpLoadImage](https://github.com/b4rtik/SharpLoadImage)
  * Hide .NET assemblies in PNG images
* [SharpLocker](https://github.com/Pickfordmatt/SharpLocker)
  * SharpLocker helps get the current user's credentials by popping a fake Windows lock screen; all output is sent to the console, which works perfectly with Cobalt Strike.
* [SharpLogger](https://github.com/djhohnstein/SharpLogger)
  * Keylogger written in C#
* [SharpNeedle](https://github.com/ChadSki/SharpNeedle)
  * Inject C# code into a running process. Note: SharpNeedle currently only supports 32-bit processes.
* [SharpPack](https://github.com/mdsecactivebreach/SharpPack)
  * An insider threat toolkit. SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary DotNet and PowerShell tools.
* [sharppcap](https://github.com/chmorgan/sharppcap)
  * Official repository - fully managed, cross-platform (Windows, Mac, Linux) .NET library for capturing packets
* [SharpPrinter](https://github.com/rvrsh3ll/SharpPrinter)
  * Discover printers
* [SharpRoast](https://github.com/GhostPack/SharpRoast)
  * SharpRoast is a C# port of PowerView's various Kerberoasting functionality.
* [SharpSC](https://github.com/djhohnstein/SharpSC)
  * Simple .NET assembly to interact with services.
* [SharpSniper](https://github.com/HunnicCyber/SharpSniper)
  * Find specific users in Active Directory via their username and logon IP address
* [SharpSocks](https://github.com/nettitude/SharpSocks)
  * Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
* [SharpSploit](https://github.com/cobbr/SharpSploit)
  * SharpSploit is a .NET post-exploitation library written in C# (https://sharpsploit.cobbr.io/api/)
* [SharpSpray](https://github.com/jnqpblc/SharpSpray)
  * SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP, and is compatible with Cobalt Strike.
* [SharpSSDP](https://github.com/rvrsh3ll/SharpSSDP)
  * SSDP service discovery
* [SharpTask](https://github.com/jnqpblc/SharpTask)
  * SharpTask is a simple code set to interact with the Task Scheduler service API, and is compatible with Cobalt Strike.
* [SharpView](https://github.com/tevora-threat/SharpView)
  * C# implementation of harmj0y's PowerView
* [SharpWeb](https://github.com/djhohnstein/SharpWeb)
  * .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
* [SharpWMI](https://github.com/GhostPack/SharpWMI)
  * SharpWMI is a C# implementation of various WMI functionality.
* [SharPyShell](https://github.com/antonioCoco/SharPyShell)
  * SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
* [SilkETW](https://github.com/fireeye/SilkETW)
  * SilkETW & SilkService are flexible C# wrappers for ETW; they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications, they should primarily be considered research tools.
* [SneakyService](https://github.com/malcomvetter/SneakyService)
  * A simple, minimal C# Windows service implementation that can be used to demonstrate privilege escalation from misconfigured Windows services.
* [Stracciatella](https://github.com/mgeeky/Stracciatella)
  * OpSec-safe PowerShell runspace from within C# (aka SharpPick) with AMSI and Script Block Logging disabled at startup
* [taskkill](https://github.com/malcomvetter/taskkill)
  * This is a reference example for how to call the Windows API to enumerate and kill a process, similar to taskkill.exe. This is based on (incomplete) MSDN example code. Proof of concept or pattern only.
* [TCPRelayInjecter2](https://github.com/Arno0x/TCPRelayInjecter2)
  * Tool for injecting a "TCP Relay" managed assembly into an unmanaged process.
* [TikiTorch](https://github.com/rasta-mouse/TikiTorch)
  * Process injection. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user.
* [Watson](https://github.com/rasta-mouse/Watson)
  * Enumerate missing KBs and suggest exploits for useful privilege escalation vulnerabilities

---

/PurpleNotes.md:

### adversary simulation
* [top10 ransomware TTPs](https://www.scythe.io/library/threat-thursday-top-ransomware-ttps)
* [scythe random purple stuff](https://github.com/scythe-io/community-threats)
* [F-Secure attack-detection-fundamentals-workshops](https://www.f-secure.com/en/consulting/events/attack-detection-fundamentals-workshops)

---

/README.md:

# RedBlueNotes

![red](https://user-images.githubusercontent.com/9626439/99510946-ef79e900-2987-11eb-9aa8-1443670a8bb3.jpg)

Personal notes and collection of useful links.

The collection is at an early stage; more details (URLs/descriptions) will be added.

## Approach
* [assume breach?](https://twitter.com/reybango/status/1308608385298898944)

## Lab
* [designing-the-adversary-simulation-lab/](https://www.mdsec.co.uk/2020/04/designing-the-adversary-simulation-lab/)

## .NET ETW
* https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/ (bypass by _xpn_)
* https://github.com/zacbrown/PowerKrabsEtw
* https://github.com/zacbrown/hiddentreasure-etw-demo

## Windows syscalls
* https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
* https://github.com/jthuraisamy/SysWhispers
* https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
* https://jhalon.github.io/utilizing-syscalls-in-csharp-2/
* https://www.solomonsklash.io/syscalls-for-shellcode-injection.html
* https://github.com/frkngksl/Celeborn
* https://github.com/m0rv4i/Syscalls-Extractor
* https://github.com/nick-frischkorn/SysWhispers-FunctionRandomizer

## (API) (un)hook
* [Defeat Bitdefender total security using windows API unhooking to perform process injection](https://shells.systems/defeat-bitdefender-total-security-using-windows-api-unhooking-to-perform-process-injection/)
* [Part 1: Fs Minifilter Hooking](https://aviadshamriz.medium.com/part-1-fs-minifilter-hooking-7e743b042a9d)
* [Windows API Hooking](https://rcvalle.com/blog/2020/09/16/rust-lang-exploit-mitigations/)

## EDR telemetry
* [TelemetrySourcerer](https://github.com/jthuraisamy/TelemetrySourcerer)

## Build offensive tools
* [OffensivePipeline](https://github.com/Aetsu/OffensivePipeline)

## Infrastructure
* [Multi-Stage Offensive Operations with Mythic](https://blog.kyleavery.com/posts/multi-stage-mythic/)

## Evasion
* [Blue team - EDR evolution](https://www.optiv.com/insights/source-zero/blog/endpoint-detection-and-response-how-hackers-have-evolved)
* [Nice webinar - understanding-modern-edr-tools](https://www.netspi.com/webinars/understanding-modern-edr-tools-thank-you/)
* [Let's Create An EDR… And Bypass It! Part 1](https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/)
* [Let's Create An EDR… And Bypass It! Part 2](https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/)
* [A Guide to Reversing and Evading EDRs: Part 1 Introduction](http://jackson-t.ca/edr-reversing-evading-01.html)
* [A Guide to Reversing and Evading EDRs: Part 2 Sensor reconnaissance](http://jackson-t.ca/edr-reversing-evading-02.html)
* [A Guide to Reversing and Evading EDRs: Part 3 Diverting EDR telemetry to private infrastructure](http://jackson-t.ca/edr-reversing-evading-03.html)
* [Alaris](https://github.com/cribdragg3r/Alaris)
* [ScareCrow](https://github.com/optiv/ScareCrow)
* [Self deleting exe](https://www.catch22.net/tuts/win32/self-deleting-executables#)
* [Defeating Antivirus Real-time Protection From The Inside](https://breakdev.org/defeating-antivirus-real-time-protection-from-the-inside/)
* [Duping AV with handles](https://skelsec.medium.com/duping-av-with-handles-537ef985eb03)
* [Adventures in Dynamic Evasion](https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
* [Companion PoC for the "Adventures in Dynamic Evasion" blog post](https://github.com/matterpreter/SHAPESHIFTER)
* [Click your shortcut and… you got pwned.](https://redteamer.tips/click-your-shortcut-and-you-got-pwned/)
* [Evade EDR with Shellcode Injection and gain persistence using Registry Run Keys](https://infosecwriteups.com/evade-avs-edr-with-shellcode-injection-159dde4dba1a)
* [Understanding and bypassing AMSI](https://x64sec.sh/understanding-and-bypassing-amsi/)
* [Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners](https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners)
* [smaller-c-payloads-on-windows](https://www.solomonsklash.io/smaller-c-payloads-on-windows.html)
* [in-memory-shellcode-decoding-to-evade-avs](https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/)
* [MDSec Bypassing Image Load Kernel Callbacks](https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/)
* [EDR bypass via signed driver EDRSandblast](https://github.com/wavestone-cdt/EDRSandblast)
* [Bypass user-mode hooks](https://github.com/hlldz/RefleXXion)
* [Cool gitbook full of great tips not only for red teaming but pentesting in general](https://ppn.snovvcrash.rocks/)

## Cloud
* [XPN - Azure AD Connect for Red Teamers](https://blog.xpnsec.com/azuread-connect-for-redteam/)
* [Making Clouds Rain :: Remote Code Execution in Microsoft Office 365](https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html)
* [List of Azure CDN IP Addresses](https://github.com/Gelob/azure-cdn-ips)
* [AWS IAM explained for Red and Blue teams](https://infosecwriteups.com/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7)
* [Exploiting AWS IAM permissions for total cloud compromise: a real world example (part 1/2)](https://infosecwriteups.com/exploiting-fine-grained-aws-iam-permissions-for-total-cloud-compromise-a-real-world-example-part-5a2f3de4be08)
* [Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example (part 2/2)](https://infosecwriteups.com/exploiting-aws-iam-permissions-for-total-cloud-compromise-a-real-world-example-part-2-2-f27e4b57454e)

## Lateral movement
* [lateral-movement-using-dcom-objects](https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects)

## DLLs
* https://itm4n.github.io/windows-dll-hijacking-clarified/
* https://github.com/monoxgas/Koppeling (DLL hijacking)
* https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/ (DLL proxy loading)
* [Full DLL Unhooking with C++](https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++)

## Injections
* https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
* https://sevrosecurity.com/2020/04/13/process-injection-part-2-queueuserapc/

## Situational Awareness
* https://ired.team/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness

## Phishing
* [Post exploitation creds](https://medium.com/@shantanukhande/post-exploitation-creds-5a8de8676792)
* [Adversary phishing characteristics](https://blog.sannemaasakkers.com/adversary-phishing-characteristics.html)
* [Check the phishing server / landing page response](https://httpstatus.io/)
* [Security check of your URL](https://sitecheck.sucuri.net/)
* [Check your phishing e-mail quality](https://www.mail-tester.com/)
* [Recipe for a successful phishing campaign (part 1/2)](https://medium.com/bugbountywriteup/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55)
  * setting up SPF, DKIM, PTR, MX and the general approach
* [Recipe for a successful phishing campaign (part 2/2)](https://medium.com/bugbountywriteup/recipe-for-a-successful-phishing-campaign-part-2-2-68552806dcba)
  * setting up DNS, gophish, general tips for a better campaign
* [Building resilient phishing campaign infrastructure](https://godlikesecurity.com/index.php/tag/red-team/)
* [email spoofing](https://github.com/chenjj/espoofer)
* [docker, terraform, ansible automation](https://github.com/ralphte/build_a_phish)
* [Internal phishing](https://github.com/Yaxser/SharpPhish)
* [Password protected Excel phishing](https://s3cur3th1ssh1t.github.io/Phish-password-protected-Excel-files/)
* [Gophish notification](https://github.com/dunderhay/gophish-notifications)
* [Gophish notification via webhooks](https://github.com/t94j0/gophish-notifier)
* [HTML landing page obfuscation](https://github.com/BinBashBanana/html-obfuscator)
* [HTML smuggling obfuscated](https://elliotonsecurity.com/creating-fully-undetectable-javscript-payloads-to-evade-next-generation-firewalls/)

### Phishing platforms
* [sendgrid](http://sendgrid.com/)
  * useful service, but honestly you need the Pro pain plan to be lucky enough not to end up on a spam list
* [mailgun](https://app.mailgun.com/)
  * haven't had any problems
* [Amazon AWS SES](https://aws.amazon.com/ses/)

## Download and execute

* [Download via Defender](https://twitter.com/mohammadaskar2/status/1301263551638761477)
* [Host your payloads and serve them based on your conditions](https://github.com/t3l3machus/Synergy-httpx)
* [Host redteam payloads](https://github.com/outflanknl/RedFile)

![Defender download](https://pbs.twimg.com/media/Eg8ESSWWAAACTGo?format=jpg&name=large)

* (You can use `C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe -url -path` to download your file using Windows Defender itself.)

## Reports and management
* [Manage Red Team domain](https://posts.specterops.io/being-a-good-domain-shepherd-part-2-5e8597c3fe63)
* [Domain Shepherd](https://github.com/GhostManager/Shepherd)
* [CISA RedEye CS reporting tool](https://github.com/cisagov/RedEye)

## SSH
* If you are always looking through your ssh config files for a specific host entry, this simple bash function might be just what you need.

```
# Print the ssh config block(s) matching the pattern given as $1.
# awk's range pattern prints from the first line that matches $1 up to
# the next blank line, so keep host entries separated by blank lines.
# The config files are passed as arguments rather than via "<", which
# bash rejects as an ambiguous redirect when the glob matches more than
# one file in ~/.ssh/include/.
function getssh() {
    awk "/$1/,/^$/" ~/.ssh/include/*
}
```

![SSH configs](https://pbs.twimg.com/media/EgW_CXzXsAEsh0r?format=png&name=small)

## Tools
* [Weaponry](https://github.com/jeffjbowie/Weaponry)
  * A collection of offensive code used for red team engagements.
* [Mr-Un1k0d3r awesome repo](https://github.com/Mr-Un1k0d3r)
* [PowerShellArmoury](https://github.com/cfalta/PowerShellArmoury)
* [RedTeamTools](https://github.com/lengjibo/RedTeamTools)
* [inceptor](https://github.com/klezVirus/inceptor)
* [mgeeky awesome repo](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming)
* [Stealthy ACL recon AD](https://github.com/garrettfoster13/aced)

## HW
* [Making the Perfect Red Team Dropbox (Part 1)](https://sensepost.com/blog/2020/making-the-perfect-red-team-dropbox-part-1/)
* [Making the Perfect Red Team Dropbox (Part 2)](https://sensepost.com/blog/2020/making-the-perfect-red-team-dropbox-part-2/)

---

/RedServerless.md:

# Serverless resources

## serverless
https://serverless.com/

## aws lambda
https://aws.amazon.com/lambda/

## ngrok
https://ngrok.com/

## serveo
https://serveo.net/

## localtunnel
https://localtunnel.github.io/www/

## now.sh
https://zeit.co/blog/now-2

## nip.io
https://nip.io/