Awesome Windows Red Team

A curated list of awesome Windows talks, tools and resources for Red Teams, from beginners to ninjas.

Contents

• Books
• Courses
• System Architecture
  • Active Directory
  • Kerberos
  • Lssass SAM NTLM GPO
  • WinAPI
• Lateral Movement
  • Pass the Hash
  • Pass the Ticket
  • LLMNR/NBT-NS poisoning
• Privilege Escalation
  • UAC bypass
  • Token Impersonation
• Defense Evasion
  • AV evasion
  • AMSI
• Exfiltration
• PowerShell
• Phishing
  • Maldocs
  • Macros
  • DDE
  • HTA
• Tools

Books

• Windows Internals, Seventh Edition, Part 1
• Windows Internals, Sixth Edition, Part 1
• Windows Internals, Sixth Edition, Part 2
• How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK
• Windows® via C/C++ (Developer Reference) (English Edition)
• The Hacker Playbook 3: Practical Guide To Penetration Testing

Courses

• Professor Messer's CompTIA SY0-501 Security+ Course
• Penetration Testing with Kali (PWK) Online Security Training Course
• Offensive Security Certified Expert
• Advanced Windows Exploitation: Live Hands-on Penetration Testing Training
• Windows API Exploitation Recipes: Processes, Tokens and Memory RW
• Powershell for Pentesters - Pentester Academy
• WMI Attacks and Defense - Pentester Academy
• Windows Red Team Lab - Pentester Academy

System Architecture

Active Directory

• ADsecurity.org
• DerbyCon4 - How to Secure and Sys Admin Windows like a Boss
• DEFCON 20: Owned in 60 Seconds: From Network Guest to Windows Domain Admin
• BH2015 - Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection
• BH2016 - Beyond the Mcse: Active Directory for the Security Professional
• BH2017 - Evading Microsoft ATA for Active Directory Domination
• DEFCON 26 - Exploiting Active Directory Administrator Insecurities
• BH2017 - An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
• DerbyCon7 - Building the DeathStar getting Domain Admin with a push of a button (aka how I almost automated myself out pf a job)
• DerbyCon4 - Abusing Active Directory in Post Exploitation

Kerberos

• Kerberos (I): How does Kerberos work? – Theory
• Protecting Privileged Domain Accounts: Network Authentication In-Depth
• Basic attacks on communication protocols – replay and reflection attacks
• MicroNugget: How Does Kerberos Work?
• MIT 6.858 Fall 2014 Lecture 13: Kerberos
• DerbyCon4 - Et tu Kerberos
• DerbyCon7 - Return From The Underworld The Future Of Red Team Kerberos
• BH2014 - Abusing Microsoft Kerberos: Sorry You Guys Don't Get It
• DerbyCon4 - Attacking Microsoft Kerberos Kicking the Guard Dog of Hades
• Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More
• How Attackers Use Kerberos Silver Tickets to Exploit Systems

Lsass SAM NTLM GPO

• Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue” Attack
• ATT&CK - Credential Dumping
• BH2002 - Cracking NTLMv2 Authentication
• DerbyCon7 - Securing Windows with Group Policy
• Abusing GPO Permissions
• Targeted Kerberoasting

WinAPI

• DerbyCon4 - Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse

Lateral Movement

Pass the Hash

• ATT&CK - Pass the Hash
• BH2013 - Pass the Hash and other credential theft and reuse: Preventing Lateral Movement...
• BH2013 - Pass the Hash 2: The Admin's Revenge
• From Pass-the-Hash to Pass-the-Ticket with No Pain
• Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy

Pass the Ticket

• ATT&CK - Pass the Ticket

LLMNR/NBT-NS poisoning

• An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit

Privilege Escalation

• Level Up! Practical Windows Privilege Escalation - Andrew Smith
• Windows Privilege Escalation Presentation
• Windows Kernel Exploits
• DEF CON 22 - Kallenberg and Kovah - Extreme Privilege Escalation On Windows 8/UEFI Systems
• DEF CON 25 - Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
• DerbyCon7 - Not a Security Boundary Bypassing User Account Control

Token Impersonation

• Fun with Incógnito
• Rotten Potato

Defense Evasion

AV

• DerbyCon3 - Antivirus Evasion Lessons Learned
• DerbyCon7 - T110 Modern Evasion Techniques
• DerbyCon7 - Evading Autoruns
• Red Team Techniques for Evading, Bypassing & Disabling MS
• How to Bypass Anti-Virus to Run Mimikatz
• AV Evasion - Obfuscating Mimikatz
• Getting PowerShell Empire Past Windows Defender

AMSI

• Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
• [Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion] (https://iwantmore.pizza/posts/amsi.html)

LAPS

• Local Administrator Password Solution
• Malicious use of Microsoft LAPS

AppLocker & Application Whitelisting

• What Is AppLocker?
• How to Evade Application Whitelisting Using REGSVR32
• UltimateAppLockerByPassList

Exfiltration

• Abusing Windows Management Instrumentation (WMI)
• DEF CON 23 - Panel - WhyMI so Sexy: WMI Attacks - Real Time Defense and Advanced Forensics
• DerbyCon3 - Living Off The Land A Minimalist's Guide To Windows Post Exploitation

PowerShell

• DEF CON 18 - David Kennedy "ReL1K" & Josh Kelley - Powershell...omfg
• DEF CON 22 - Investigating PowerShell Attacks
• DerbyCon2016 - 106 PowerShell Secrets and Tactics Ben0xA
• Daniel Bohannon – Invoke-Obfuscation: PowerShell obFUsk8tion
• BH2017 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science

Phishing

Maldocs

• Phishing with Maldocs
• Phishing with Empire

Macros

• Phishing with Macros and Powershell

DDE

• About Dynamic Data Exchange
• Abusing Microsoft Office DDE
• Microsoft Office Dynamic Data Exchange(DDE) attacks
• Office-DDE-Payloads

HTA

• Hacking around HTA files

Tools

• Mimikatz
• BloodHound
• Empire
• Nishang
• Responder
• CrackMapExec
• PSExec

Adversary Emulation

• Cobalt Strike
• Red Team Automation - RTA
• CALDERA
• Atomic Red Team
• Metta

Other Awesome Lists & sources

• Awesome Red Teaming
• Red Teaming Toolkit
• Red Team Infrastructure Wiki
• Awesome Pentest
• Red Teaming Experiments

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

If you have any question about this opinionated list, do not hesitate to contact me @_mvalle_ on Twitter or open an issue on GitHub.