# PEN-300 / OSEP

Public resources for PEN-300 Training.

## 1. Evasion Techniques and Breaching Defenses: General Course Information

## 2. Operating System and Programming Theory

## 3. Client Side Code Execution With Office
- 3.1.3.1: JavaScript
    - https://developer.mozilla.org/en-US/docs/Web/API/Navigator/msSaveBlob
    - https://docs.microsoft.com/en-us/previous-versions/hh772331(v=vs.85)
- 3.2.2.1: MyMacro
    - http://libertyboy.free.fr/computing/reference/envariables/
    - https://www.youtube.com/watch?v=fG5PsO0L8bI
- 3.2.3.1: MyMacro and PowerShell
    - https://www.abatchy.com/2017/03/powershell-download-file-one-liners
- 3.4.3.1: Calling Win32 APIs from VBA
    - https://sites.google.com/site/jrlhost/links/excelcdll
    - MessageBoxA
        - https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxa
        - https://stackoverflow.com/questions/60753153/custom-message-box-code-fails-without-out-warning-in-latest-version-of-excel-on
        - https://www.cadsharp.com/docs/Win32API_PtrSafe.txt
    - FindWindowA
        - https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindowa
        - http://users.skynet.be/am044448/Programmeren/VBA/vba_class_names.htm
- 3.5.1.1: Calling Win32 APIs from PowerShell
    - http://pinvoke.net/default.aspx/advapi32/GetUserName.html
- 3.5.2.1: Porting Shellcode Runner to PowerShell
    - http://pinvoke.net/default.aspx/kernel32/WaitForSingleObject.html
- 3.6.2.1: Leveraging UnsafeNativeMethods
    - https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea
    - https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
- 3.6.3.1: DelegateType Reflection
    - https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec

## 4. Client Side Code Execution With Windows Script Host
- 4.1.1.1: Creating a Basic Dropper in JScript
    - https://stackoverflow.com/questions/1050293/vbscript-using-wscript-shell-to-execute-a-command-line-program-that-accesses-ac
- 4.1.2.1: JScript Meterpreter Dropper
    - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms760236%28v%3dvs.85%29 (It is ServerXMLHTTP, not XMLHTTP)
    - https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/scripting-articles/x05fawxd(v=vs.84)
- 4.2.2.1: DotNetToJScript
    - https://stackoverflow.com/questions/181719/how-do-i-start-a-process-from-c

## 5. Process Injection and Migration
- 5.1.2.1: Process Injection in C# (VirtualAllocEx and WriteProcessMemory Injection)
    - http://pinvoke.net/default.aspx/kernel32/OpenProcess.html
    - http://pinvoke.net/default.aspx/kernel32/VirtualAllocEx.html
    - http://pinvoke.net/default.aspx/kernel32/WriteProcessMemory.html
    - http://pinvoke.net/default.aspx/kernel32/CreateRemoteThread.html
    - https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.process.getprocessesbyname?view=netframework-4.8
    - https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.process.id?view=net-5.0
    - https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1
- 5.1.2.2: Extra Mile (NtMapViewOfSection Injection)
    - https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection
    - http://joyasystems.com/list-of-ntstatus-codes
    - NtCreateSection
        - http://pinvoke.net/default.aspx/ntdll/NtCreateSection.html
        - https://stackoverflow.com/questions/683491/how-to-declarate-large-integer-in-c-sharp
    - NtMapViewOfSection
        - http://pinvoke.net/default.aspx/ntdll/NtMapViewOfSection.html
        - http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FSection%2FSECTION_INHERIT.html
        - https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants
    - NtUnmapViewOfSection
        - http://pinvoke.net/default.aspx/ntdll/NtUnmapViewOfSection.html
    - NtClose
        - http://pinvoke.net/default.aspx/ntdll/NtClose.html

## 6. Introduction to Antivirus Evasion
- 6.6.2.1: Non-emulated APIs
    - https://docs.microsoft.com/en-us/windows/win32/api/fibersapi/nf-fibersapi-flsalloc
    - http://pinvoke.net/default.aspx/kernel32/FlsAlloc.html
    - https://social.msdn.microsoft.com/Forums/en-US/c85f867b-66f8-45bd-a105-a984d80bd720/flsoutofindexes?forum=winappswithnativecode
- 6.7.2.1: Stomping On Microsoft Word
    - https://github.com/outflanknl/EvilClippy
- 6.8.3.1: Obfuscating VBA
    - https://download.serviio.org/releases/serviio-1.8-win-setup.exe
    - https://www.exploit-db.com/exploits/41959
    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
    - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20|%202016/1809%20Redstone%205%20(October%20Update)/_PEB32

## 7. Advanced Antivirus Evasion
- 7.4.2.1: Patching the Internals
    - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:O97M/OfficeWmiRunPowershell.B&ThreatID=2147772508
    - https://www.redteam.cafe/red-team/powershell/powershell-custom-runspace
    - https://isc.sans.edu/forums/diary/Powershell+Dropping+a+REvil+Ransomware/27012/
- 7.4.2.2: Extra Mile
    - https://rastamouse.me/blog/asb-bypass-pt3/

## 8. Application Whitelisting
- 8.2.2.2: Extra Mile
    - https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
- 8.4.5.2: Extra Mile
    - https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2019
    - https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019
    - https://docs.microsoft.com/en-us/visualstudio/msbuild/walkthrough-creating-an-inline-task?view=vs-2019
    - https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
- 8.5.2.2: Extra Mile
    - https://github.com/cobbr/Covenant/wiki/Installation-And-Startup
    - https://dotnet.microsoft.com/download/dotnet/3.1
    - https://github.com/cobbr/Covenant/wiki

## 9. Bypassing Network Filters
- 9.3.1.1: Case Study: Bypassing Norton HIPS with Custom Certificates
    - https://www.hackingarticles.in/bypass-detection-for-meterpreter-shell-impersonate_ssl/
    - https://www.reddit.com/r/netsecstudents/comments/9xpfhy/problem_with_metasploit_using_an_ssl_certificate/
- 9.6.1.2: Extra Mile
    - https://censys.io/certificates?q=parsed.names:%20azureedge.net
- 9.6.2.2: Extra Mile
    - https://github.com/BC-SECURITY/Empire/issues/230

## 10. Linux Post-Exploitation
- 10.1.2.1: VIM Config Simple Keylogger
    - https://askubuntu.com/questions/284957/vi-getting-multiple-sorry-the-command-is-not-available-in-this-version-af
- 10.3.2.2: Extra Mile
    - https://stackoverflow.com/questions/20381812/mprotect-always-returns-invalid-arguments

## 11. Kiosk Breakouts
- 11.2.4.2: Extra Mile
    - https://developer.mozilla.org/en-US/docs/Web/API/Window/dump
    - https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.dom.window.dump.file

## 12. Windows Credentials
- 12.4.1.1: Memory Dump
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf

## 13. Windows Lateral Movement
- 13.1.4.1: RDP as a Console
    - https://github.com/0xthirteen/SharpRDP
- 13.1.5.1: Stealing Clear Text Credentials from RDP
    - https://github.com/0x09AL/RdpThief
- 13.2.2.1: Implementing Fileless Lateral Movement in C#
    - https://github.com/Mr-Un1k0d3r/SCShell

## 14. Linux Lateral Movement
- 14.3: Kerberos on Linux
    - https://www.vgemba.net/microsoft/Kerberos-Linux-Windows-AD/
- 14.3.4.2: Extra Mile
    - https://github.com/GhostPack/Rubeus#dump
    - https://github.com/eloypgz/ticket_converter
    - https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
    - https://www.tarlogic.com/blog/how-to-attack-kerberos/

## 15. Microsoft SQL Attacks
- 15.2.1.1: Privilege Escalation using SQL Impersonation
    - https://www.microfocus.com/documentation/enterprise-developer/ed231/ETS/GUID-AF131F1C-54B8-4D25-8088-22A59C1AEA9F.html
- 15.3.1.1: Linked Server
    - https://documentation.nodinite.com/Documentation/InstallAndUpdate?doc=/Troubleshooting/About%20Linked%20Server%20RPC%20and%20RPC%20Out%20option
- 15.3.1.2: Extra Mile
    - https://www.netspi.com/blog/technical/network-penetration-testing/how-to-hack-database-links-in-sql-server/
- 15.3.2.2: Extra Mile
    - https://github.com/NetSPI/PowerUpSQL/wiki/Setting-Up-PowerUpSQL
    - https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet

## 16. Active Directory Exploitation
- 16.2.1.1: Kerberos Unconstrained Delegation
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
- 16.2.2.1: I Am a Domain Controller
    - https://github.com/leechristensen/SpoolSample
    - https://www.c-sharpcorner.com/article/how-to-fix-ps1-can-not-be-loaded-because-running-scripts-is-disabled-on-this-sys/
- 16.2.3.1: Constrained Delegation
    - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-kerberos-constrained-delegation
- 16.2.4.1: Resource-Based Constrained Delegation
    - https://github.com/Kevin-Robertson/Powermad
- 16.4.1.2: Extra Mile
    - https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
    - https://adsecurity.org/?p=1588

## 17. Combining the Pieces

## 18. Trying Harder: The Labs
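## Worked example: calling a Win32 API from PowerShell (section 3.5.1.1)

The pinvoke.net `GetUserName` entry linked under 3.5.1.1 gives the C# signature but not the PowerShell side. The snippet below is an added example for this resource list, not course material or code from any linked project: it compiles the P/Invoke declaration into the session with `Add-Type` and calls `GetUserNameA` from `advapi32.dll`. Rather than guessing a buffer size, it deliberately makes a first call with a zero-length buffer, checks for `ERROR_INSUFFICIENT_BUFFER` (122) via `Marshal.GetLastWin32Error()`, and then allocates exactly the size the API reported. The `Win32.Advapi32` namespace/class names are arbitrary choices for this example.

```powershell
# Added example (not part of the PEN-300 resource list): P/Invoke from PowerShell.
# Declares GetUserNameA from advapi32.dll and negotiates the buffer size through
# the ERROR_INSUFFICIENT_BUFFER round trip instead of hard-coding a length.

$Signature = @"
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern bool GetUserNameA(System.Text.StringBuilder lpBuffer, ref uint pcbBuffer);
"@

# Namespace and class names are arbitrary for this example; Add-Type compiles them once per session.
$Advapi32 = Add-Type -MemberDefinition $Signature -Name 'Advapi32' -Namespace 'Win32' -PassThru

function Get-Win32UserName {
    $ERROR_INSUFFICIENT_BUFFER = 122

    # First call with an empty buffer: the API fails and writes the required
    # size (including the terminating NUL) back into $Size.
    [uint32]$Size = 0
    $Buffer = New-Object System.Text.StringBuilder 0
    if (-not $Advapi32::GetUserNameA($Buffer, [ref]$Size)) {
        $Err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($Err -ne $ERROR_INSUFFICIENT_BUFFER) {
            throw "GetUserNameA failed with Win32 error $Err"
        }
    }

    # Second call with a buffer of exactly the reported size.
    $Buffer = New-Object System.Text.StringBuilder ([int]$Size)
    if (-not $Advapi32::GetUserNameA($Buffer, [ref]$Size)) {
        $Err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetUserNameA failed with Win32 error $Err"
    }

    return $Buffer.ToString()
}

# Usage: prints the name of the account the PowerShell process runs as.
Get-Win32UserName
```

Two details carry over to every other P/Invoke on this page (WaitForSingleObject in 3.5.2.1, OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread in 5.1.2.1): `SetLastError = true` is what makes `GetLastWin32Error()` meaningful, and `ref`/`out` parameters are passed from PowerShell as `[ref]$Variable`. Because `Add-Type` invokes the C# compiler, the declaration is compiled once and the resulting type is reused; re-running the script in the same session with a changed signature under the same name fails, which is why the course's later sections move to `UnsafeNativeMethods` and delegate reflection (3.6.x) that avoid `Add-Type` entirely.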