Tactical Lab

A curated list of tools, papers and techniques for Windows exploitation, incident response, and defence.

Created by Mosse Security.

Table of Contents

• Tactical Exploitation

  • Getting In
    • Social Engineering
    • Phishing
    • Man in the Middle
  • Web Backdoors
  • Malware Prototyping
  • Host Reconnaissance
  • Network Reconnaissance
  • Privilege Escalation
  • Persistence
  • Lateral Movement
  • Mimikatz
  • Exfiltration
  • Miscellaneous

• Tactical Response

  • Event Logs
  • DNS Logs
  • Web Logs
  • System Survey
  • Memory Analysis
  • Threat Intelligence

• Tactical Defence

  • Mimikatz Defence

• Courses

Tactical Exploitation

Getting In

• The Harvester - Information gathering tool utilizing public sources to gain information on a company/organization
• Generate-Macro - Malicious Microsoft Office doc generator
• Gitrob - GitHub organizations reconnaissance tool, hunts for sensitive data
• THC Hydra - Login bruteforcer

Social Engineering

• The Art of Human Hacking - Guide to social engineering
• Social Engineer Toolkit - Social engineering framework with multiple attack vectors
• Social Engineering Toolkit Guide - How to use the social engineering toolkit
• Beginning with the Social Engineering Toolkit - Guide on using the social engineering toolkit

Phishing

• Phishing Frenzy - Ruby on Rails Phishing Framework
• PhEmail - Python email phishing automator
• SPF SpeedPhishing Framework - Python tool for quick phishing exercises
• SeeS - Phishing email domain spoofer

Man in the Middle

• Ettercap - Suite of Man-In-The-Middle attacks
• Ettercap Tutorial - How to use ettercap

Web Backdoors

• Weevely3 - Web shell
• QuasiBot - Web shell manager
• PhpSploit - Stealth post-exploitation framework with a focus on privilege escalation

Malware Prototyping

• DBD Durandal's Backdoor - Portable Netcat clone with various features
• Pupy - RAT, uses reflective dll injection on windows platforms
• The Backdoor Factory - Patch binaries with shellcode without affecting binary execution
• Dragon - Listens on a magic port, can be used to download binaries from source IP connecting to the port
• File Joiner - Merges two files into one
• Empire - PowerShell post-exploitation agent
• Veil Evasion - Payload generator with a focus on AV evasion
• Gcat - Backdoor that uses Gmail for C&C
• PowerBreach - Backdoor toolkit
• PowerPick - Powershell functionality without powershell.exe
• Building Better Tools - Information on building penetration testing tools
• Process Hollowing - Method to hide the presence of a process

Autoit Resources:

• Windows Firewall
  • Enable or Disable the Windows Firewall
  • Add or Remove Authorized Applications to the Exclusions list
  • Add or Delete Ports from the Exclusions list.
  • Enable or Disable the use of Exceptions
  • Enable or Disable Notifications of blocked applications
  • Enable or Disable Existing Ports
  • List all Applications in the Exclusions List
  • List all Ports in the Exclusions List
  • List Properties of the current Firewall Configuration
  • Restore the Windows Firewall to its default configuration
• ZIP
  • Create Zip File
  • Add file to Zip Archive
  • Add folder to Zip Archive
  • Add folder's content to Zip Archive
  • Extract all files from Zip Archive
  • Extract file from Zip Archive
  • Count items in zip
  • Count All items in the Zip Archive Including SubDirectories
  • List items in zip
  • Search a File in the Zip Archive
  • Search in each File of the Zip Archive
• comerrorhandler
  • Catch and print COM errors
• EventLog
  • Backup event logs
  • Clear event logs
  • Open and close event logs
  • Count event logs
  • Decode data from event logs
  • Enable applications to receieve event notifications
  • Read event logs
  • Write to event logs
• Fast multi-client TCP server
  • Open and close TCP connections
• HKCUReg
  • Delete keys or values from registry
  • Read keys or values from registry
  • Import previously exported reg files to registry
  • Create a key or value in registry
  • Determine each user's Profile folder, the user's SID and if the profile is loaded to the registry
• Memory and File Compression
  • Decompress input binary data
  • Compress input data
• Persistent Process Killer V3
  • Scan for running processes
  • Kill specific processes whenever they're started
  • Track and compare running processes over time
• Reg
  • Load or unload registry hives
  • Restore or save to registry hive
  • Connect to remote registries
  • Read registry keys or values
  • Create or delete registry keys or values
• SecurityEx
  • Enables or disables special privileges as required by some DllCalls
• Services
  • Create or delete a service
  • Check for service existence
  • Retrieve a service's type
  • Start or stop a service
• taskplanerCOM
  • Create or delete a task folder
  • Check for task folder existence
  • Check for task existence
  • Stop or start a task
  • Enable or disable a task
  • Delete a task
  • Check for task status
  • List all tasks in a given task folder
  • Create or delete a scheduled task
• AD
  • Create users and groups
  • Add or remove users to groups
  • Get users or groups
  • List domain controllers
  • Change passwords
  • Create and delete mailboxes
  • Enable and disable password expiry

Host Reconnaissance

• Netview - Enumeration tool for shares,sessions,users and more
• Pass Hunt - Search drives for documents containing passwords
• Enum Shares - Enumerates shared folders
• NetRipper - Network traffic sniffer
• File Server Triage - Information regarding file server data pilfering

Network Reconnaissance

• Scanning and Enumeration - Information on reconnaissance techniques
• Hunting for Sensitive Data with Veil - Using veil to data mine file shares
• Post Exploitation Redux - Useful post-exploitation commands
• Lanmap2 - Builds database and visualizations of LAN structure from passively sifted information
• IVRE - Network reconnaissance framework
• Networkenum - Network enumerator that uses the Scapy framework
• NMAP Network Scanning - Modifying NMAP's timings
• PowerView - Powershell tool for network awareness

Privilege Escalation

• All Roads Lead to System - Information on the implications of misconfigured Windows Services
• Encyclopaedia Of Windows Privilege Escalation - Most common privilege escalation techniques up to 2011.
• PowerUp - Powershell privilege escalation tool.
• Group Policy Hijacking - Group policy hijacking example and description

Persistence

• Using WMI to Build a Backdoor - WMI for malicious use techniques and defences
• Many Ways of Malware Persistence - Various methods of malware persistence
• Triggers as a Windows Persistence Mechanism - Using triggers for malware persistence
• Persistence Wiki - Wiki page on persistence methods
• Practical Persistence with PowerShell - Using powershell for persistence
• Persistence - Powerpreter and Nishang - Using powerpreter and nishang for persistence
• Windows Registry Persistence Part 1 - Windows Registry locations and techniques for persistence part 1
• Windows Registry Persistence Part 2 - Windows Registry locations and techniques for persistence part 2

Lateral Movement

• Veil Catapult - Payload delivery tool
• WMIOps - Using WMI for a variety of local and remote functions
• PAExec - Remote execution tool
• Pivoter - Proxy tool to assist with lateral movement
• VPN Pivoting - Using a VPN pivot
• Making the Lateral Move - Different methods to move laterally in a network
• SprayWMI - SprayWMI is an easy way to get mass shells on systems that support WMI

Mimikatz

• Mimikatz - Official Mimikatz source code repository.
• Dumping Passwords - Using mimikatz to dump passwords
• Mimikatz Unofficial Guide - Guide to using mimikatz
• Golden Ticket Walkthrough - Using mimikatz with golden tickets
• Pass the Hash - Passing the hash with mimikatz

Exfiltration

• Post Exploitation Operations with Cloud Synchronization Services - Using cloud solutions with post exploitation techniques
• Threat Actors and Stealing Data - Analysis on methods APTs use for data exfiltration
• Firecat - Tool to create reverse TCP tunnels
• Advanced Data Exfiltration - Data exfiltration techniques including through VoIP
• Dnscat2 - DNS tunnel with encryption and a focus on C&C
• Tunna - Tunnels TCP communication over HTTP
• ICMPTX - Tunnels IP over ICMP
• DNSteal - Tunnels data over DNS
• Egress Assess - Tunnel data over FTP, HTTP, HTTPS
• Using Egress Assess- How to use the Egress Assess tool
• Egress Assess and Owning Data Exfiltration - Examples of using the Egress Assess tool
• Exfiltrating Data Via Video - How to exfiltrate data via video
• Network Tunneling Techniques

Miscellaneous

• Pentesting Procedure - Information on the penetrating testing procedure
• Nishang - Framework which enables the usage of PowerShell for red teaming
• Zarp - Network attack tool
• CrackMapExec - Variety of pentesting functions for Windows/Active Directory environments
• Ostinato - Packet/Traffic generator and analyzer
• Abusing Native Shims for Post Exploitation - How to use native shims for post exploitation tasks
• Meta Post Exploitation - Information about the use of automation and tactical tools post-exploitation
• Information Gathering - Information gathering steps
• Empire Offensive Powershell Part 1 - Guide to using Empire part 1
• Empire Offensive Powershell Part 2 - Guide to using Empire part 2
• Empire Offensive Powershell Part 3 - Guide to using Empire part 3
• Powercat - Netcat: The powershell version
• PSAttack - A portable console aimed at making pentesting with PowerShell a little easier

Tactical Response

Event Logs

• WMI Event Log Collection in Autoit - Script for dealing with event logs in autoit
• Autoit Function Event Log Opening - Script for opening and dealing with event logs in autoit
• Investigating Powershell: Command and Script Logging - How to log and investigate powershell use
• A Forensic Analysis of APT Lateral Movement in Windows - Investigating lateral movement using event logs
• Spotting the Adversary with Windows Event Log Monitoring - NSA paper on monitoring event logs for malicious attacks
• EVTXtract - Tool to recover and reconstruct fragments of EVTX log files from raw binary data, including unallocated space
• Process Forest - Tool to reconstruct the historical process heirarchies from event logs
• Tracking Lateral Movement - Tracking lateral movement using event logs

DNS Logs

• DNS Traffic Monitoring1 - How to identify malicious DNS traffic
• Using Log Correlation Engine to Monitor DNS - Examples and detection of malicious DNS logs
• DNS Traffic Monitoring2 - Defcon presentation on DNS monitoring
• Monitor DNS Traffic & You Just Might Catch A RAT - Looking for RATs in DNS traffic

Web Logs

• Web Server Log Analysis - Locations and information regarding web logs
• Apache Scalp - Scalp! is a log analyzer for the Apache web server that aims to look for security problems

System Survey

• Cheat Sheet
• Identifying Lateral Movement
• Lateral Movement Detection - Event logs and artefacts created when moving laterally in a network
• Monitoring Behaviors on Endpoints - Discovering threats by monitoring endpoint behaviour
• Detecting and Preventing Data Exfiltration - Detecting data exfiltration by analysing various exfiltration methods

Memory Analysis

• Detect Malware with Memory Forensics - Analysis of memory forensic techniques for malware detection
• Hunting Malware with Memory Analysis - Examples of memory analysis techniques
• Introduction to Windows Memory Analysis - Memory analysis guide
• Volatility - Tool for memory analysis
• Volatility Documentation Project - Documentation for the Volatility tool
• Volatility Cheat Sheet

Threat Intelligence

• The Diamond Model of Intrustion Analysis - Exploring the diamond model regarding threat intelligence
• Leveraging Threat Intelligence in Incident Response/Management
• APT Notes - Various public documents, whitepapers and articles about APT campaigns.
• APT Notes Extension - An extension of the work done by @kbandla to collate a repository of public Cyber Security APT Reports.
• DML Model for Threat Intelligence - Exploring the DML model regarding threat intelligence
• F3EAD for Offensive Response - Using the F3EAD model for threat intelligence

Information Feeds

• Threat Intelligence Review
• Emerging Threats Rulesets
• Malware Domains
• Malcode Malware Domains
• Palevo Tracker
• Zeus Tracker
• SSL Blacklist
• Binary Defense

Tactical Defence

Mimikatz Defence

• Defending Against Mimikatz - Information on preventing malicious mimikatz use

Courses

• The Offensive Techniques
• Tactical Incident Response
• Applied Reverse Engineering