├── LICENSE
├── README.md
└── README_CN.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Ye Yint @ Rolan

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# This List is no longer updated.

## Awesome Red Teaming

List of Awesome Red Team / Red Teaming Resources

This list is for anyone wishing to learn about Red Teaming but does not have a starting point.

Anyway, this is a living resource and will be updated regularly with the latest adversarial tactics and techniques based on [Mitre ATT&CK](https://attack.mitre.org/wiki/Main_Page).

You can help by sending Pull Requests to add more information.

Table of Contents
=================

* [Initial Access](#-initial-access)
* [Execution](#-execution)
* [Persistence](#-persistence)
* [Privilege Escalation](#-privilege-escalation)
* [Defense Evasion](#-defense-evasion)
* [Credential Access](#-credential-access)
* [Discovery](#-discovery)
* [Lateral Movement](#-lateral-movement)
* [Collection](#-collection)
* [Exfiltration](#-exfiltration)
* [Command and Control](#-command-and-control)
* [Embedded and Peripheral Devices Hacking](#-embedded-and-peripheral-devices-hacking)
* [Misc](#-misc)
* [RedTeam Gadgets](#-redteam-gadgets)
* [Ebooks](#-ebooks)
* [Training](#-training--free-)
* [Certification](#-certification)


## [↑](#table-of-contents) Initial Access
* [The Hitchhiker’s Guide To Initial Access](https://posts.specterops.io/the-hitchhikers-guide-to-initial-access-57b66aa80dd6)
* [How To: Empire’s Cross Platform Office Macro](https://www.blackhillsinfosec.com/empires-cross-platform-office-macro/)
* [Phishing with PowerPoint](https://www.blackhillsinfosec.com/phishing-with-powerpoint/)
* [PHISHING WITH EMPIRE](https://enigma0x3.net/2016/03/15/phishing-with-empire/)
* [Bash Bunny](https://hakshop.com/products/bash-bunny)
* [OWASP Presentation of Social Engineering - OWASP](https://owasp.org/www-pdf-archive/Presentation_Social_Engineering.pdf)
* [USB Drop Attacks: The Danger of “Lost And Found” Thumb Drives](https://www.redteamsecure.com/usb-drop-attacks-the-danger-of-lost-and-found-thumb-drives/)
* [Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter - Defcon 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Seymour-Tully-Weaponizing-Data-Science-For-Social-Engineering-WP.pdf)
* [Cobalt Strike - Spear Phishing documentation](https://www.cobaltstrike.com/help-spear-phish)
* [Cobalt Strike Blog - What's the go-to phishing technique or exploit?](https://blog.cobaltstrike.com/2014/12/17/whats-the-go-to-phishing-technique-or-exploit/)
* [Spear phishing with Cobalt Strike - Raphael Mudge](https://www.youtube.com/watch?v=V7UJjVcq2Ao)
* [EMAIL RECONNAISSANCE AND PHISHING TEMPLATE GENERATION MADE SIMPLE](https://cybersyndicates.com/2016/05/email-reconnaissance-phishing-template-generation-made-simple/)
* [Phishing for access](http://www.rvrsh3ll.net/blog/phishing/phishing-for-access/)
* [Excel macros with PowerShell](https://4sysops.com/archives/excel-macros-with-powershell/)
* [PowerPoint and Custom Actions](https://phishme.com/powerpoint-and-custom-actions/)
* [Macro-less Code Exec in MSWord](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Abusing Microsoft Word Features for Phishing: “subDoc”](https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/)
* [Phishing Against Protected View](https://enigma0x3.net/2017/07/13/phishing-against-protected-view/)
* [POWERSHELL EMPIRE STAGERS 1: PHISHING WITH AN OFFICE MACRO AND EVADING AVS](https://fzuckerman.wordpress.com/2016/10/06/powershell-empire-stagers-1-phishing-with-an-office-macro-and-evading-avs/)
* [The PlugBot: Hardware Botnet Research Project](https://www.redteamsecure.com/the-plugbot-hardware-botnet-research-project/)
* [Luckystrike: An Evil Office Document Generator](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)
* [The Absurdly Underestimated Dangers of CSV Injection](http://georgemauer.net/2017/10/07/csv-injection.html)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Phishing between the app whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-2-of-2/)
* [Social Engineer Portal](https://www.social-engineer.org/)
* [7 Best Social Engineering Attacks](http://www.darkreading.com/the-7-best-social-engineering-attacks-ever/d/d-id/1319411)
* [Using Social Engineering Tactics For Big Data Espionage - RSA Conference Europe 2012](https://www.rsaconference.com/writable/presentations/file_upload/das-301_williams_rader.pdf)
* [USING THE DDE ATTACK WITH POWERSHELL EMPIRE](https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/)
* [Phishing on Twitter - POT](https://www.kitploit.com/2018/02/pot-phishing-on-twitter.html)
* [Microsoft Office – NTLM Hashes via Frameset](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [Defense-In-Depth write-up](https://oddvar.moe/2017/09/13/defense-in-depth-writeup/)
* [Spear Phishing 101](https://blog.inspired-sec.com/archive/2017/05/07/Phishing.html)


## [↑](#table-of-contents) Execution
* [Research on CMSTP.exe](https://msitpros.com/?p=3960)
* [Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts](https://bohops.com/2017/12/02/clickonce-twice-or-thrice-a-technique-for-social-engineering-and-untrusted-command-execution/)
* [WSH Injection: A Case Study](https://posts.specterops.io/wsh-injection-a-case-study-fd35f79d29dd)
* [Gscript Dropper](http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html)


## [↑](#table-of-contents) Persistence
* [A View of Persistence](https://rastamouse.me/blog/view-of-persistence/)
* [hiding registry keys with psreflect](https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353)
* [Persistence using RunOnceEx – Hidden from Autoruns.exe](https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/)
* [Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe](https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/)
* [Putting data in Alternate data streams and how to execute it – part 2](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)
* [WMI Persistence with Cobalt Strike](https://blog.inspired-sec.com/archive/2017/01/20/WMI-Persistence.html)
* [Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence](https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/)
* [Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)
* [Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction](https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/)

## [↑](#table-of-contents) Privilege Escalation

### User Account Control Bypass
* [First entry: Welcome and fileless UAC bypass](https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/)
* [Exploiting Environment Variables in Scheduled Tasks for UAC Bypass](https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html)
* Reading Your Way Around UAC in 3 parts:
  [Part 1.](https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html)
  [Part 2.](https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html)
  [Part 3.](https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html)
* [Bypassing UAC using App Paths](https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/)
* ["Fileless" UAC Bypass using sdclt.exe](https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/)
* [UAC Bypass or story about three escalations](https://habrahabr.ru/company/pm/blog/328008/)
* ["Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
* [Bypassing UAC on Windows 10 using Disk Cleanup](https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/)
* [Using IARPUninstallStringLauncher COM interface to bypass UAC](http://www.freebuf.com/articles/system/116611.html)
* [Fileless UAC Bypass using sdclt](https://posts.specterops.io/fileless-uac-bypass-using-sdclt-exe-3e9f9ad4e2b3)
* [Eventvwr File-less UAC Bypass CNA](https://www.mdsec.co.uk/2016/12/cna-eventvwr-uac-bypass/)
* [Windows 7 UAC whitelist](http://www.pretentiousname.com/misc/win7_uac_whitelist2.html)

### Escalation
* [Windows Privilege Escalation Checklist](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md)
* [From Patch Tuesday to DA](https://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html)
* [A Path for Privilege Escalation](https://blog.cobaltstrike.com/2016/12/08/cobalt-strike-3-6-a-path-for-privilege-escalation/)

## [↑](#table-of-contents) Defense Evasion
* [Windows 10 Device Guard Bypass](https://github.com/tyranid/DeviceGuardBypasses)
* [App Locker ByPass List](https://github.com/api0cradle/UltimateAppLockerByPassList)
* [Windows Signed Binary](https://github.com/vysec/Windows-SignedBinary)
* [Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)](http://subt0x10.blogspot.sg/2017/04/bypass-application-whitelisting-script.html)
* [Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations](http://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)
* [Empire without powershell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [MS Signed mimikatz in just 3 steps](https://github.com/secretsquirrel/SigThief)
* [Hiding your process from sysinternals](https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/)
* [code signing certificate cloning attacks and defenses](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
* [userland api monitoring and code injection detection](https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565)
* [In memory evasion](https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/)
* [Bypassing AMSI via COM Server Hijacking](https://posts.specterops.io/bypassing-amsi-via-com-server-hijacking-b8a3354d1aff)
* [process doppelganging](https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/)
* [Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5](http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html)
* [VEIL-EVASION AES ENCRYPTED HTTPKEY REQUEST: SAND-BOX EVASION](https://cybersyndicates.com/2015/06/veil-evasion-aes-encrypted-httpkey-request-module/)
* [Putting data in Alternate data streams and how to execute it](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)
* [AppLocker – Case study – How insecure is it really? – Part 1](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)
* [AppLocker – Case study – How insecure is it really? – Part 2](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)
* [Harden Windows with AppLocker – based on Case study part 1](https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/)
* [Harden Windows with AppLocker – based on Case study part 2](https://oddvar.moe/2017/12/21/harden-windows-with-applocker-based-on-case-study-part-2/)
* [Office 365 Safe links bypass](https://oddvar.moe/2018/01/03/office-365-safe-links-bypass/)
* [Windows Defender Attack Surface Reduction Rules bypass](https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/)
* [Bypassing Device guard UMCI using CHM – CVE-2017-8625](https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/)
* [Bypassing Application Whitelisting with BGInfo](https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/)
* [Cloning and Hosting Evil Captive Portals using a Wifi PineApple](https://blog.inspired-sec.com/archive/2017/01/10/cloning-captive-portals.html)
* [https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/](https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/)
* [Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts](https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/)
* [mavinject.exe Functionality Deconstructed](https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e)

## [↑](#table-of-contents) Credential Access
* [Windows Access Tokens and Alternate credentials](https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/)
* [Bringing the hashes home with reGeorg & Empire](https://sensepost.com/blog/2016/bringing-the-hashes-home-with-regeorg-empire/)
* [Intercepting passwords with Empire and winning](https://sensepost.com/blog/2016/intercepting-passwords-with-empire-and-winning/)
* [Local Administrator Password Solution (LAPS) Part 1](https://rastamouse.me/blog/laps-pt1/)
* [Local Administrator Password Solution (LAPS) Part 2](https://rastamouse.me/blog/laps-pt2/)
* [USING A SCF FILE TO GATHER HASHES](https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/)
* [Remote Hash Extraction On Demand Via Host Security Descriptor Modification](https://www.harmj0y.net/blog/)
* [Offensive Encrypted Data Storage](https://www.harmj0y.net/blog/redteaming/offensive-encrypted-data-storage/)
* [Practical guide to NTLM Relaying](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
* [Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync](https://adsecurity.org/?p=2053)
* [Dumping Domain Password Hashes](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)

## [↑](#table-of-contents) Discovery
* [Red Team Operating in a Modern Environment](https://www.owasp.org/images/4/4b/Red_Team_Operating_in_a_Modern_Environment.pdf)
* [My First Go with BloodHound](https://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/)
* [Introducing BloodHound](https://wald0.com/?p=68)
* [A Red Teamer’s Guide to GPOs and OUs](https://wald0.com/?p=179)
* [Automated Derivative Administrator Search](https://wald0.com/?p=14)
* [A Pentester’s Guide to Group Scoping](https://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/)
* [Local Group Enumeration](https://www.harmj0y.net/blog/redteaming/local-group-enumeration/)
* [The PowerView PowerUsage Series #1 - Mass User Profile Enumeration](http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-1/)
* [The PowerView PowerUsage Series #2 – Mapping Computer Shortnames With the Global Catalog](http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-2/)
* [The PowerView PowerUsage Series #3 – Enumerating GPO edit rights in a foreign domain](http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-3/)
* [The PowerView PowerUsage Series #4 – Finding cross-trust ACEs](http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-3/)
* [Aggressor PowerView](http://threat.tevora.com/aggressor-powerview/)
* [Lay of the Land with BloodHound](http://threat.tevora.com/lay-of-the-land-with-bloodhound/)
* [Scanning for Active Directory Privileges & Privileged Accounts](https://adsecurity.org/?p=3658)
* [Microsoft LAPS Security & Active Directory LAPS Configuration Recon](https://adsecurity.org/?p=3164)
* [Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation](https://bohops.com/2017/12/02/trust-direction-an-enabler-for-active-directory-enumeration-and-trust-exploitation/)
* [SPN Discovery](https://pentestlab.blog/2018/06/04/spn-discovery/)

## [↑](#table-of-contents) Lateral Movement

* [A Citrix Story](https://rastamouse.me/blog/a-citrix-story/)
* [Jumping Network Segregation with RDP](https://rastamouse.me/blog/rdp-jump-boxes/)
* [Pass hash pass ticket no pain](http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/)
* [Abusing DNSAdmins privilege for escalation in Active Directory](http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html)
* [Using SQL Server for attacking a Forest Trust](http://www.labofapenetrationtester.com/2017/03/using-sql-server-for-attacking-forest-trust.html)
* [Extending BloodHound for Red Teamers](https://www.youtube.com/watch?v=Pn7GWRXfgeI)
* [OPSEC Considerations for beacon commands](https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/)
* [My First Go with BloodHound](https://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/)
* [Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws](http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws)
* [Lateral movement using excel application and dcom](https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/)
* [Lay of the Land with BloodHound](http://threat.tevora.com/lay-of-the-land-with-bloodhound/)
* [The Most Dangerous User Right You (Probably) Have Never Heard Of](https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/)
* [Agentless Post Exploitation](https://blog.cobaltstrike.com/2016/11/03/agentless-post-exploitation/)
* [A Guide to Attacking Domain Trusts](https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
* [Targeted Kerberoasting](https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/)
* [Kerberoasting Without Mimikatz](https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
* [Abusing GPO Permissions](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
* [Abusing Active Directory Permissions with PowerView](https://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/)
* [Roasting AS-REPs](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
* [Getting the goods with CrackMapExec: Part 1](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
* [Getting the goods with CrackMapExec: Part 2](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
* [DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
* [Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)
* [a guide to attacking domain trusts](https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944)
* [Outlook Home Page – Another Ruler Vector](https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/)
* [Outlook Forms and Shells](https://sensepost.com/blog/2017/outlook-forms-and-shells/)
* [Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32](https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/)
* [LethalHTA - A new lateral movement technique using DCOM and HTA](https://codewhitesec.blogspot.com/2018/07/lethalhta.html)
* [Abusing DCOM For Yet Another Lateral Movement Technique](https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique/)

## [↑](#table-of-contents) Collection
* [Accessing clipboard from the lock screen in Windows 10 Part 1](https://oddvar.moe/2017/01/24/accessing-clipboard-from-the-lock-screen-in-windows-10/)
* [Accessing clipboard from the lock screen in Windows 10 Part 2](https://oddvar.moe/2017/01/27/access-clipboard-from-lock-screen-in-windows-10-2/)



## [↑](#table-of-contents) Exfiltration
* [DNS Data exfiltration — What is this and How to use?](https://blog.fosec.vn/dns-data-exfiltration-what-is-this-and-how-to-use-2f6c69998822)
* [DNS Tunnelling](http://resources.infosecinstitute.com/dns-tunnelling/)
* [sg1: swiss army knife for data encryption, exfiltration & covert communication](https://securityonline.info/sg1-swiss-army-knife-for-data-encryption-exfiltration-covert-communication/?utm_source=ReviveOldPost&utm_medium=social&utm_campaign=ReviveOldPost)
* [Data Exfiltration over DNS Request Covert Channel: DNSExfiltrator](https://n0where.net/data-exfiltration-over-dns-request-covert-channel-dnsexfiltrator)
* [DET (extensible) Data Exfiltration Toolkit](https://github.com/PaulSec/DET)
* [Data Exfiltration via Formula Injection Part1](https://www.notsosecure.com/data-exfiltration-formula-injection/)


## [↑](#table-of-contents) Command and Control

### Domain Fronting
* [Empire Domain Fronting](https://www.xorrior.com/Empire-Domain-Fronting/)
* [Escape and Evasion Egressing Restricted Networks - Tom Steele and Chris Patten](https://www.optiv.com/blog/escape-and-evasion-egressing-restricted-networks)
* [Finding Frontable Domain](https://github.com/rvrsh3ll/FindFrontableDomains)
* [TOR Fronting – Utilising Hidden Services for Privacy](https://www.mdsec.co.uk/2017/02/tor-fronting-utilising-hidden-services-for-privacy/)
* [Simple domain fronting PoC with GAE C2 server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)
* [Domain Fronting Via Cloudfront Alternate Domains](https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/)
* [Finding Domain frontable Azure domains - thoth / Fionnbharr (@a_profligate)](https://theobsidiantower.com/2017/07/24/d0a7cfceedc42bdf3a36f2926bd52863ef28befc.html)
* [Google Groups: Blog post on finding 2000+ Azure domains using Censys](https://groups.google.com/forum/#!topic/traffic-obf/7ygIXCPebwQ)
* [Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)
* [SSL Domain Fronting 101](http://www.rvrsh3ll.net/blog/offensive/ssl-domain-fronting-101/)
* [How I Identified 93k Domain-Frontable CloudFront Domains](https://www.peew.pw/blog/2018/2/22/how-i-identified-93k-domain-frontable-cloudfront-domains)
* [Validated CloudFront SSL Domains](https://medium.com/@vysec.private/validated-cloudfront-ssl-domains-27895822cea3)
* [CloudFront Hijacking](https://www.mindpointgroup.com/blog/pen-test/cloudfront-hijacking/)
* [CloudFrunt GitHub Repo](https://github.com/MindPointGroup/cloudfrunt)

### Connection Proxy
* [Redirecting Cobalt Strike DNS Beacons](http://www.rvrsh3ll.net/blog/offensive/redirecting-cobalt-strike-dns-beacons/)
* [Apache2Mod Rewrite Setup](https://github.com/n0pe-sled/Apache2-Mod-Rewrite-Setup)
* [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/)
* [High-reputation Redirectors and Domain Fronting](https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/)
* [Cloud-based Redirectors for Distributed Hacking](https://blog.cobaltstrike.com/2014/01/14/cloud-based-redirectors-for-distributed-hacking/)
* [Combatting Incident Responders with Apache mod_rewrite](https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/)
* [Operating System Based Redirection with Apache mod_rewrite](https://bluescreenofjeff.com/2016-04-05-operating-system-based-redirection-with-apache-mod_rewrite/)
* [Invalid URI Redirection with Apache mod_rewrite](https://bluescreenofjeff.com/2016-03-29-invalid-uri-redirection-with-apache-mod_rewrite/)
* [Strengthen Your Phishing with Apache mod_rewrite and Mobile User Redirection](https://bluescreenofjeff.com/2016-03-22-strengthen-your-phishing-with-apache-mod_rewrite-and-mobile-user-redirection/)
* [mod_rewrite rule to evade vendor sandboxes](https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10)
* [Expire Phishing Links with Apache RewriteMap](https://bluescreenofjeff.com/2016-04-19-expire-phishing-links-with-apache-rewritemap/)
* [Serving random payloads with NGINX](https://gist.github.com/jivoi/a33ace2e25515a31aa2ffbae246d98c9)
* [Mod_Rewrite Automatic Setup](https://blog.inspired-sec.com/archive/2017/04/17/Mod-Rewrite-Automatic-Setup.html)
* [Hybrid Cobalt Strike Redirectors](https://zachgrace.com/2018/02/20/cobalt_strike_redirectors.html)
* [Expand Your Horizon Red Team – Modern SAAS C2](https://cybersyndicates.com/2017/04/expand-your-horizon-red-team/)
* [RTOps: Automating Redirector Deployment With Ansible](http://threat.tevora.com/automating-redirector-deployment-with-ansible/)

### Web Services
* [C2 with Dropbox](https://pentestlab.blog/2017/08/29/command-and-control-dropbox/)
* [C2 with gmail](https://pentestlab.blog/2017/08/03/command-and-control-gmail/)
* [C2 with twitter](https://pentestlab.blog/2017/09/26/command-and-control-twitter/)
* [Office 365 for Cobalt Strike C2](https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2/)
* [Red Team Insights on HTTPS Domain Fronting Google Hosts Using Cobalt Strike](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)
* [A stealthy Python based Windows backdoor that uses Github as a C&C server](http://securityblog.gr/4434/a-stealthy-python-based-windows-backdoor-that-uses-github-as-a-cc-server/)
* [External C2 (Third-Party Command and Control)](https://www.cobaltstrike.com/help-externalc2)
* [Cobalt Strike over external C2 – beacon home in the most obscure ways](https://outflank.nl/blog/2017/09/17/blogpost-cobalt-strike-over-external-c2-beacon-home-in-the-most-obscure-ways/)
* [External C2 for Cobalt Strike](https://github.com/ryhanson/ExternalC2/)
* [External C2 framework for Cobalt Strike](http://www.insomniacsecurity.com/2018/01/11/externalc2.html)
* [External C2 framework - GitHub Repo](https://github.com/Und3rf10w/external_c2_framework)
* [Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs](https://github.com/Und3rf10w/external_c2_framework)
* [Exploring Cobalt Strike's ExternalC2 framework](https://blog.xpnsec.com/exploring-cobalt-strikes-externalc2-framework/)

### Application Layer Protocol
* [C2 WebSocket](https://pentestlab.blog/2017/12/06/command-and-control-websocket/)
* [C2 WMI](https://pentestlab.blog/2017/11/20/command-and-control-wmi/)
* [C2 Website](https://pentestlab.blog/2017/11/14/command-and-control-website/)
* [C2 Image](https://pentestlab.blog/2018/01/02/command-and-control-images/)
* [C2 Javascript](https://pentestlab.blog/2018/01/08/command-and-control-javascript/)
* [C2 WebInterface](https://pentestlab.blog/2018/01/03/command-and-control-web-interface/)
* [C2 with DNS](https://pentestlab.blog/2017/09/06/command-and-control-dns/)
* [C2 with https](https://pentestlab.blog/2017/10/04/command-and-control-https/)
* [C2 with webdav](https://pentestlab.blog/2017/09/12/command-and-control-webdav/)
* [Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool](https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a)
* [InternetExplorer.Application for C2](https://adapt-and-attack.com/2017/12/19/internetexplorer-application-for-c2/)

### Infrastructure
* [Automated Red Team Infrastructure Deployment with Terraform - Part 1](https://rastamouse.me/blog/terraform-pt1/)
* [Automated Red Team Infrastructure Deployment with Terraform - Part 2](https://rastamouse.me/blog/terraform-pt2/)
* [Red Team Infrastructure - AWS Encrypted EBS](https://rastamouse.me/blog/encrypted-ebs/)
* [6 RED TEAM INFRASTRUCTURE TIPS](https://cybersyndicates.com/2016/11/top-red-team-tips/)
* [How to Build a C2 Infrastructure with Digital Ocean – Part 1](https://www.blackhillsinfosec.com/build-c2-infrastructure-digital-ocean-part-1/)
* [Infrastructure for Ongoing Red Team Operations](https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/)
* [Attack Infrastructure Log Aggregation and Monitoring](https://posts.specterops.io/attack-infrastructure-log-aggregation-and-monitoring-345e4173044e)
* [Randomized Malleable C2 Profiles Made Easy](https://bluescreenofjeff.com/2017-08-30-randomized-malleable-c2-profiles-made-easy/)
* [Migrating Your infrastructure](https://blog.cobaltstrike.com/2015/10/21/migrating-your-infrastructure/)
* [ICMP C2](https://pentestlab.blog/2017/07/28/command-and-control-icmp/)
* [Using WebDAV features as a covert channel](https://arno0x0x.wordpress.com/2017/09/07/using-webdav-features-as-a-covert-channel/)
* [Safe Red Team Infrastructure](https://medium.com/@malcomvetter/safe-red-team-infrastructure-c5d6a0f13fac)
* [EGRESSING BLUECOAT WITH COBALTSTRIKE & LET'S ENCRYPT](https://cybersyndicates.com/2016/12/egressing-bluecoat-with-cobaltstike-letsencrypt/)
* [Command and Control Using Active Directory](http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/)
* [A Vision for Distributed Red Team Operations](https://blog.cobaltstrike.com/2013/02/12/a-vision-for-distributed-red-team-operations/)
* [Designing Effective Covert Red Team Attack Infrastructure](https://bluescreenofjeff.com/2017-12-05-designing-effective-covert-red-team-attack-infrastructure/)
* [Serving Random Payloads with Apache mod_rewrite](https://bluescreenofjeff.com/2017-06-13-serving-random-payloads-with-apache-mod_rewrite/)
* [Mail Servers Made Easy](https://blog.inspired-sec.com/archive/2017/02/14/Mail-Server-Setup.html)
* [Securing your Empire C2 with Apache mod_rewrite](https://thevivi.net/2017/11/03/securing-your-empire-c2-with-apache-mod_rewrite/)
* [Automating Gophish Releases With Ansible and Docker](https://jordan-wright.com/blog/post/2018-02-04-automating-gophish-releases/)
* [How to Write Malleable C2 Profiles for Cobalt Strike](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
* [How to Make Communication Profiles for Empire](https://bluescreenofjeff.com/2017-03-01-how-to-make-communication-profiles-for-empire/)
* [A Brave New World: Malleable C2](http://www.harmj0y.net/blog/redteaming/a-brave-new-world-malleable-c2/)
* [Malleable Command and Control](https://www.cobaltstrike.com/help-malleable-c2)


## [↑](#table-of-contents) Embedded and Peripheral Devices Hacking
* [Getting in with the Proxmark3 & ProxBrute](https://www.trustwave.com/Resources/SpiderLabs-Blog/Getting-in-with-the-Proxmark-3-and-ProxBrute/)
* [Practical Guide to RFID Badge copying](https://blog.nviso.be/2017/01/11/a-practical-guide-to-rfid-badge-copying/)
* [Contents of a Physical Pentester Backpack](https://www.tunnelsup.com/contents-of-a-physical-pen-testers-backpack/)
* [MagSpoof - credit card/magstripe spoofer](https://github.com/samyk/magspoof)
* [Wireless Keyboard Sniffer](https://samy.pl/keysweeper/)
* [RFID Hacking with The Proxmark 3](https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/)
* [Swiss Army Knife for RFID](https://www.cs.bham.ac.uk/~garciaf/publications/Tutorial_Proxmark_the_Swiss_Army_Knife_for_RFID_Security_Research-RFIDSec12.pdf)
* [Exploring NFC Attack Surface](https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf)
* [Outsmarting smartcards](http://gerhard.dekoninggans.nl/documents/publications/dekoninggans.phd.thesis.pdf)
* [Reverse engineering HID iClass Master keys](https://blog.kchung.co/reverse-engineering-hid-iclass-master-keys/)
* [Android Open Pwn Project (AOPP)](https://www.pwnieexpress.com/aopp)


## [↑](#table-of-contents) Misc
* [Red Tips of Vysec](https://github.com/vysec/RedTips)
* [Cobalt Strike Tips for 2016 CCDC red teams](https://blog.cobaltstrike.com/2016/02/23/cobalt-strike-tips-for-2016-ccdc-red-teams/)
* [Models for Red Team Operations](https://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/)
* [Planning a Red Team exercise](https://github.com/magoo/redteam-plan)
* [Raphael Mudge - Dirty Red Team tricks](https://www.youtube.com/watch?v=oclbbqvawQg)
* [introducing the adversary resilience methodology part 1](https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-one-e38e06ffd604)
* [introducing the adversary resilience methodology part 
2](https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-two-279a1ed7863d) 341 | * [Responsible red team](https://medium.com/@malcomvetter/responsible-red-teams-1c6209fd43cc) 342 | * [Red Teaming for Pacific Rim CCDC 2017](https://bluescreenofjeff.com/2017-05-02-red-teaming-for-pacific-rim-ccdc-2017/) 343 | * [How I Prepared to Red Team at PRCCDC 2015](https://bluescreenofjeff.com/2015-04-15-how-i-prepared-to-red-team-at-prccdc-2015/) 344 | * [Red Teaming for Pacific Rim CCDC 2016](https://bluescreenofjeff.com/2016-05-24-pacific-rim-ccdc_2016/) 345 | * [Responsible Red Teams](https://medium.com/@malcomvetter/responsible-red-teams-1c6209fd43cc) 346 | * [Awesome-CobaltStrike](https://github.com/zer0yu/Awesome-CobaltStrike) 347 | * RedTeaming from Zero to One [Part-1](https://payatu.com/redteaming-from-zero-to-one-part-1) [Part-2](https://payatu.com/redteaming-zero-one-part-2) 348 | 349 | ## [↑](#table-of-contents) RedTeam Gadgets 350 | #### Network Implants 351 | * [LAN Tap Pro](https://hackerwarehouse.com/product/lan-tap-pro/) 352 | * [LAN Turtle](https://hakshop.com/collections/network-implants/products/lan-turtle) 353 | * [Bash Bunny](https://hakshop.com/collections/physical-access/products/bash-bunny) 354 | * [Key Croc](https://shop.hak5.org/collections/sale/products/key-croc) 355 | * [Packet Squirrel](https://hakshop.com/products/packet-squirrel) 356 | * [Shark Jack](https://shop.hak5.org/collections/sale/products/shark-jack) 357 | #### Wifi Auditing 358 | * [WiFi Pineapple](https://hakshop.com/products/wifi-pineapple) 359 | * [Alpha Long range Wireless USB](https://hackerwarehouse.com/product/alfa-802-11bgn-long-range-usb-wireless-adapter/) 360 | * [Wifi-Deauth Monster](https://www.tindie.com/products/lspoplove/dstike-wifi-deauther-monster/) 361 | * [Crazy PA](https://www.amazon.com/gp/product/B00VYA3A2U/ref=as_li_tl) 362 | * [Signal Owl](https://shop.hak5.org/products/signal-owl) 363 | #### IoT 364 | * [BLE 
Key](https://hackerwarehouse.com/product/blekey/) 365 | * [Proxmark3](https://hackerwarehouse.com/product/proxmark3-kit/) 366 | * [Zigbee Sniffer](https://www.attify-store.com/products/zigbee-sniffing-tool-atmel-rzraven) 367 | * [Attify IoT Exploit kit](https://www.attify-store.com/collections/frontpage/products/jtag-exploitation-kit-with-lab-manual) 368 | #### Software Defined Radio - SDR 369 | * [HackRF One Bundle](https://hackerwarehouse.com/product/hackrf-one-kit/) 370 | * [RTL-SDR](https://hackerwarehouse.com/product/rtlsdr/) 371 | * [YARD stick one Bundle](https://hackerwarehouse.com/product/yard-stick-one-kit/) 372 | * [Ubertooth](https://hackerwarehouse.com/product/ubertooth-one/) 373 | #### Misc 374 | * [Key Grabber](https://hackerwarehouse.com/product/keygrabber/) 375 | * [Magspoof](https://store.ryscc.com/products/magspoof%20) 376 | * [Poison tap](https://samy.pl/poisontap/) 377 | * [keysweeper](https://samy.pl/keysweeper/) 378 | * [USB Rubber Ducky](https://hakshop.com/collections/physical-access/products/usb-rubber-ducky-deluxe) 379 | * [Screen Crab](https://shop.hak5.org/collections/sale/products/screen-crab) 380 | * [O.MG Cable](https://shop.hak5.org/collections/featured-makers/products/o-mg-cable) 381 | * [Keysy](https://shop.hak5.org/collections/featured-makers/products/keysy) 382 | * [Dorothy for Okta SSO](https://github.com/elastic/dorothy) 383 | 384 | ## [↑](#table-of-contents) Ebooks 385 | * [Next Generation Red Teaming](https://www.amazon.com/Next-Generation-Teaming-Henry-Dalziel/dp/0128041714) 386 | * [Targeted Cyber Attack](https://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048) 387 | * [Advanced Penetration Testing: Hacking the World's Most Secure Networks](https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689) 388 | * [Social Engineers' Playbook Practical Pretexting](https://www.amazon.com/Social-Engineers-Playbook-Practical-Pretexting/dp/0692306617/) 389 | * [The Hacker Playbook 3: 
Practical Guide To Penetration Testing](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2) 390 | * [How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK ](https://www.amazon.com/How-Hack-Like-PORNSTAR-breaking-ebook/dp/B01MTDLGQQ) 391 | 392 | ## [↑](#table-of-contents) Training ( Free ) 393 | * [Tradecraft - a course on red team operations](https://www.youtube.com/watch?v=IRpS7oZ3z0o&list=PL9HO6M_MU2nesxSmhJjEvwLhUoHPHmXvz) 394 | * [Advanced Threat Tactics Course & Notes](https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/) 395 | * [FireEye - a whiteboard session on red team operations](https://www.fireeye.com/services/red-team-assessments/red-team-operations-video-training.html) 396 | 397 | #### Home Lab 398 | * [Building an Effective Active Directory Lab Environment for Testing](https://adsecurity.org/?p=2653) 399 | * [Setting up DetectionLab](https://www.c2.lol/articles/setting-up-chris-longs-detectionlab) 400 | * [vulnerable-AD - Script to make your home AD Lab vulnerable](https://github.com/WazeHell/vulnerable-AD) 401 | 402 | ## [↑](#table-of-contents) Certification 403 | * [CREST Certified Simulated Attack Specialist](http://www.crest-approved.org/examination/certified-simulated-attack-specialist/) 404 | * [CREST Certified Simulated Attack Manager](http://www.crest-approved.org/examination/certified-simulated-attack-manager/) 405 | * [SEC564: Red Team Operations and Threat Emulation](https://www.sans.org/course/red-team-operations-and-threat-emulation) 406 | * [ELearn Security Penetration Testing eXtreme](https://www.elearnsecurity.com/course/penetration_testing_extreme/) 407 | * [Certified Red Team Professional](https://www.pentesteracademy.com/activedirectorylab) 408 | * [Certified Red Teaming Expert](https://www.pentesteracademy.com/redteamlab) 409 | * [PentesterAcademy Certified Enterprise Security Specialist (PACES)](https://www.pentesteracademy.com/gcb) 410 | 
--------------------------------------------------------------------------------
/README_CN.md:
--------------------------------------------------------------------------------
# Awesome Red Teaming
A list of the best Red Teaming resources

This list is also for anyone who wants to learn about Red Teaming but has no prior background.


In any case, this is a living list and will be updated regularly with the latest adversarial tactics and techniques.

You can help by opening a PR to add more useful information!

Table of Contents
=================

* [Social Engineering](#社会工程)
* [OSINT](#-osint)
* [Delivery](#投递)
* [Implantation](#植入)
* [Lateral Movement](#横向移动)
* [Command and Control](#命令控制)
* [Embedded and Physical Devices](#嵌入式与物理设备)
* [Misc](#杂项)
* [Ebooks](#电子书籍)
* [Training](#培训)
* [Certification](#认证)

## [↑](#table-of-contents) Social Engineering

* [Social Engineering Portal](https://www.social-engineer.org/)
* [The 7 Best Social Engineering Attacks Ever](http://www.darkreading.com/the-7-best-social-engineering-attacks-ever/d/d-id/1319411)
* [Using Social Engineering Tactics in Big Data - RSA Conference Europe 2012](https://www.rsaconference.com/writable/presentations/file_upload/das-301_williams_rader.pdf)
* [Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter - Defcon 23](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Seymour-Tully-Weaponizing-Data-Science-For-Social-Engineering-WP.pdf)
* [OWASP Presentation of Social Engineering - OWASP](https://www.owasp.org/images/5/54/Presentation_Social_Engineering.pdf)
* [USB Drop Attacks: The Danger of Lost and Found USB Devices](https://www.redteamsecure.com/usb-drop-attacks-the-danger-of-lost-and-found-thumb-drives/)
* [PyPhishing Toolkit](https://github.com/redteamsecurity/PyPhishing)
* [Best Time to Send Email](https://coschedule.com/blog/best-time-to-send-email/)

## [↑](#table-of-contents) OSINT

* [Awesome OSINT List](https://github.com/jivoi/awesome-osint) - covers many OSINT resources
* [Reconnaissance Using LinkedInt](https://www.mdsec.co.uk/2017/07/reconnaissance-using-linkedint/)


## [↑](#table-of-contents) Delivery

* [Cobalt Strike - Spear Phishing Documentation](https://www.cobaltstrike.com/help-spear-phish)
* [Cobalt Strike - What's the go-to phishing technique or exploit?](https://blog.cobaltstrike.com/2014/12/17/whats-the-go-to-phishing-technique-or-exploit/)
* [Phishing with Cobalt Strike - Raphael Mudge](https://www.youtube.com/watch?v=V7UJjVcq2Ao)
* [Phishing Against Protected View](https://enigma0x3.net/2017/07/13/phishing-against-protected-view/)
* [VEIL-EVASION AES Encrypted HTTPKEY Request: Sandbox Evasion](https://cybersyndicates.com/2015/06/veil-evasion-aes-encrypted-httpkey-request-module/)
* [EGRESSING BLUECOAT WITH COBALTSTIKE & LET'S ENCRYPT](https://cybersyndicates.com/2016/12/egressing-bluecoat-with-cobaltstike-letsencrypt/)
* [Email Reconnaissance and Phishing Template Generation](https://cybersyndicates.com/2016/05/email-reconnaissance-phishing-template-generation-made-simple/)
* [An Unnecessary Addiction to DNS Communication](https://blog.cobaltstrike.com/2015/05/14/an-unnecessary-addiction-to-dns-communication/)
* [PowerShell Empire Stagers 1: Phishing with an Office Macro and Evading AVs](https://fzuckerman.wordpress.com/2016/10/06/powershell-empire-stagers-1-phishing-with-an-office-macro-and-evading-avs/)
* [Phishing with PowerPoint](https://www.blackhillsinfosec.com/phishing-with-powerpoint/)
* [Phishing with Empire](https://enigma0x3.net/2016/03/15/phishing-with-empire/)
* [Empire and Tool Diversity: Integration is Key](http://www.sixdub.net/?p=627)


## [↑](#table-of-contents) Implantation
* [CVE-2017-0199: HTA Handler Vulnerability](https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/)
* [CVE-2017-0199 Toolkit](https://github.com/bhdresh/CVE-2017-0199)
* [CVE-2017-8759 Exploit Sample](https://github.com/vysec/CVE-2017-8759-Exploit-sample)
* [Signed Windows Binaries](https://github.com/vysec/Windows-SignedBinary)
* [Wepwnise](https://labs.mwrinfosecurity.com/tools/wepwnise/)
* [Bash Bunny](https://hakshop.com/products/bash-bunny)
* [Macro Generation Tool](https://github.com/enigma0x3/Generate-Macro)
* [Empire's Cross Platform Office Macro](https://www.blackhillsinfosec.com/empires-cross-platform-office-macro/)
* [Running Excel Macros with PowerShell](https://4sysops.com/archives/excel-macros-with-powershell/)
* [PowerPoint and Custom Actions](https://phishme.com/powerpoint-and-custom-actions/)
* [Signing mimikatz in Three Steps](https://github.com/secretsquirrel/SigThief)
* [Hiding Your Process from Sysinternals](https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/)
* [Luckystrike: An Evil Office Document Generator](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)
* [The Underestimated Risk of CSV Injection](http://georgemauer.net/2017/10/07/csv-injection.html)
* [Macro-less Code Execution in MSWord](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Macroless DOC Malware That Avoids Detection by Yara Rules](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Empire Without PowerShell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [PowerShell Without PowerShell to Bypass Application Whitelisting](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [Phishing Between the App Whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Bypassing Application Whitelisting Script Protections - Regsvr32.exe and COM Scriptlets (.sct files)](http://subt0x10.blogspot.sg/2017/04/bypass-application-whitelisting-script.html)
* [Bypassing Application Whitelisting Using MSBuild.exe - Device Guard Example and Mitigations](http://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)


## [↑](#table-of-contents) Lateral Movement
* [Eventvwr File-less UAC Bypass CNA](https://www.mdsec.co.uk/2016/12/cna-eventvwr-uac-bypass/)
* [Lateral Movement Using Excel and DCOM](https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/)
* [WSH Injection: A Case Study](https://posts.specterops.io/wsh-injection-a-case-study-fd35f79d29dd)
* [Fileless UAC Bypass using sdclt](https://posts.specterops.io/fileless-uac-bypass-using-sdclt-exe-3e9f9ad4e2b3)
* [Bypassing AMSI via COM Server Hijacking](https://posts.specterops.io/bypassing-amsi-via-com-server-hijacking-b8a3354d1aff)
* [Bypassing Windows 10 Device Guard](https://github.com/tyranid/DeviceGuardBypasses)
* [My First Go with BloodHound](https://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/)
* [OPSEC Considerations for Beacon Commands](https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/)
* [Agentless Payload Delivery](https://blog.cobaltstrike.com/2016/11/03/agentless-post-exploitation/)
* [Windows Access Tokens and Alternate Credentials](https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/)
* [PSAmsi - An Offensive PowerShell Module for Interacting with the Anti-Malware Scan Interface in Windows 10](http://www.irongeek.com/i.php?page=videos/derbycon7/t104-psamsi-an-offensive-powershell-module-for-interacting-with-the-anti-malware-scan-interface-in-windows-10-ryan-cobb)
* [Lay of the Land with BloodHound](http://threat.tevora.com/lay-of-the-land-with-bloodhound/)
* [Getting Hashes with reGeorg and Empire](https://sensepost.com/blog/2016/bringing-the-hashes-home-with-regeorg-empire/)
* [Intercepting Passwords with Empire](https://sensepost.com/blog/2016/intercepting-passwords-with-empire-and-winning/)
* [Outlook Home Page – Another Attack Vector](https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/)
* [Outlook Forms and Shells](https://sensepost.com/blog/2017/outlook-forms-and-shells/)
* [Windows Privilege Escalation Checklist](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md)
* [A Guide to Configuring Throwback](https://silentbreaksecurity.com/throwback-thursday-a-guide-to-configuring-throwback/)


## [↑](#table-of-contents) Command and Control

* [Building C2 with Digital Ocean](https://www.blackhillsinfosec.com/build-c2-infrastructure-digital-ocean-part-1/)
* [Infrastructure for Red Team Operations](https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations/)
* [Automated Red Team Infrastructure Deployment with Terraform](https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/)
* [6 Red Team Infrastructure Tips](https://cybersyndicates.com/2016/11/top-red-team-tips/)
* [Red Teaming for Pacific Rim CCDC 2017](https://bluescreenofjeff.com/2017-05-02-red-teaming-for-pacific-rim-ccdc-2017/)
* [How I Prepared to Red Team at PRCCDC 2015](https://bluescreenofjeff.com/2015-04-15-how-i-prepared-to-red-team-at-prccdc-2015/)
* [Red Teaming for Pacific Rim CCDC 2016](https://bluescreenofjeff.com/2016-05-24-pacific-rim-ccdc_2016/)
* [Randomized Malleable C2 Profiles](https://bluescreenofjeff.com/2017-08-30-randomized-malleable-c2-profiles-made-easy/)
* [Redirecting Cobalt Strike HTTP C2 with Apache and mod_rewrite - Jeff Dimmock](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/)
* [High-Reputation Redirectors and Domain Fronting](https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/)
* [TOR Fronting – Utilising Hidden Services for Privacy](https://www.mdsec.co.uk/2017/02/tor-fronting-utilising-hidden-services-for-privacy/)
* [Domain Fronting via CloudFront Alternate Domains](https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/)
* [PlugBot: Hardware Botnet Research Project](https://www.redteamsecure.com/the-plugbot-hardware-botnet-research-project/)
* [Attack Infrastructure Log Aggregation and Monitoring](https://posts.specterops.io/attack-infrastructure-log-aggregation-and-monitoring-345e4173044e)
* [Find Frontable Domains](https://github.com/rvrsh3ll/FindFrontableDomains)
* [Apache2 mod_rewrite Setup](https://github.com/n0pe-sled/Apache2-Mod-Rewrite-Setup)
* [Empire Domain Fronting](https://www.xorrior.com/Empire-Domain-Fronting/)
* [Domain Hunter](https://github.com/minisllc/domainhunter)
* [Migrating Your Infrastructure](https://blog.cobaltstrike.com/2015/10/21/migrating-your-infrastructure/)
* [Redirecting Cobalt Strike DNS Beacons](http://www.rvrsh3ll.net/blog/offensive/redirecting-cobalt-strike-dns-beacons/)
* [Finding Frontable Domains in Azure - thoth / Fionnbharr (@a_profligate)](https://theobsidiantower.com/2017/07/24/d0a7cfceedc42bdf3a36f2926bd52863ef28befc.html)
* [Red Team Insights on HTTPS Domain Fronting Google Hosts](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)
* [Egressing Restricted Networks - Tom Steele and Chris Patten](https://www.optiv.com/blog/escape-and-evasion-egressing-restricted-networks)
* [Building C2 with Active Directory](http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/)
* [Building C2 with Twitter](https://pentestlab.blog/2017/09/26/command-and-control-twitter/)
* [Building C2 with DNS](https://pentestlab.blog/2017/09/06/command-and-control-dns/)
* [Building C2 with ICMP](https://pentestlab.blog/2017/07/28/command-and-control-icmp/)
* [Building C2 with Dropbox](https://pentestlab.blog/2017/08/29/command-and-control-dropbox/)
* [Building C2 with HTTPS](https://pentestlab.blog/2017/10/04/command-and-control-https/)
* [Building C2 with WebDAV](https://pentestlab.blog/2017/09/12/command-and-control-webdav/)
* [Building C2 with Gmail](https://pentestlab.blog/2017/08/03/command-and-control-gmail/)
* [Tasking Office 365 for Cobalt Strike C2](https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2/)
* [Simple Domain Fronting PoC with a GAE C2 Server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)

## [↑](#table-of-contents) Embedded and Physical Devices
* [Getting Started with the Proxmark3 and ProxBrute](https://www.trustwave.com/Resources/SpiderLabs-Blog/Getting-in-with-the-Proxmark-3-and-ProxBrute/)
* [A Practical Guide to RFID Badge Copying](https://blog.nviso.be/2017/01/11/a-practical-guide-to-rfid-badge-copying/)
* [A Physical Pentester's Backpack](https://www.tunnelsup.com/contents-of-a-physical-pen-testers-backpack/)
* [MagSpoof - credit card/magstripe spoofer](https://github.com/samyk/magspoof)
* [Wireless Keyboard Sniffer](https://samy.pl/keysweeper/)
* [RFID Hacking with the Proxmark 3](https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/)
* [Swiss Army Knife for RFID](https://www.cs.bham.ac.uk/~garciaf/publications/Tutorial_Proxmark_the_Swiss_Army_Knife_for_RFID_Security_Research-RFIDSec12.pdf)
* [Exploring the NFC Attack Surface](https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf)
* [Smartcards](http://gerhard.dekoninggans.nl/documents/publications/dekoninggans.phd.thesis.pdf)
* [Reverse Engineering HID iClass Master Keys](https://blog.kchung.co/reverse-engineering-hid-iclass-master-keys/)
* [Android Open Pwn Project (AOPP)](https://www.pwnieexpress.com/aopp)

## [↑](#table-of-contents) Misc
* [Vysec's Red Team Tips](https://github.com/vysec/RedTips)
* [Cobalt Strike Red Team Tips - 2016](https://blog.cobaltstrike.com/2016/02/23/cobalt-strike-tips-for-2016-ccdc-red-teams/)
* [Models for Red Team Operations](https://blog.cobaltstrike.com/2015/07/09/models-for-red-team-operations/)
* [Red Team Exercise Plan](https://github.com/magoo/redteam-plan)
* [Raphael Mudge - Dirty Red Team Tricks](https://www.youtube.com/watch?v=oclbbqvawQg)

## [↑](#table-of-contents) Ebooks
* [Next Generation Red Teaming](https://www.amazon.com/Next-Generation-Teaming-Henry-Dalziel/dp/0128041714)
* [Targeted Cyber Attacks](https://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048)
* [Advanced Penetration Testing: Hacking the World's Most Secure Networks](https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689)
* [The Social Engineer's Handbook](https://www.amazon.com/Social-Engineers-Playbook-Practical-Pretexting/dp/0692306617/ref=as_li_ss_tl?ie=UTF8&linkCode=sl1&tag=talamantesus-20&linkId=37b63c7702c9be6b9f6a1b921c88c8cd)

## [↑](#table-of-contents) Training (Free)
* [Tradecraft - A Course on Red Team Operations](https://www.youtube.com/watch?v=IRpS7oZ3z0o&list=PL9HO6M_MU2nesxSmhJjEvwLhUoHPHmXvz)
* [Advanced Threat Tactics Course and Notes](https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/)

## [↑](#table-of-contents) Certification
* [CREST Certified Simulated Attack Specialist](http://www.crest-approved.org/examination/certified-simulated-attack-specialist/)
* [CREST Certified Simulated Attack Manager](http://www.crest-approved.org/examination/certified-simulated-attack-manager/)
* [SEC564: Red Team Operations and Threat Emulation](https://www.sans.org/course/red-team-operations-and-threat-emulation)

--------------------------------------------------------------------------------