https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350

https://github.com/BloodHoundAD/BloodHound

https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json

https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json

https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json

https://github.com/ly4k/Certipy/blob/main/customqueries.json

https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell

https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean

https://www.ired.team/offensive-security/code-execution

https://posts.specterops.io/the-hitchhikers-guide-to-initial-access-57b66aa80dd6

https://www.blackhillsinfosec.com/empires-cross-platform-office-macro/

https://www.blackhillsinfosec.com/phishing-with-powerpoint/

https://enigma0x3.net/2016/03/15/phishing-with-empire/

https://hakshop.com/products/bash-bunny

https://owasp.org/www-pdf-archive/Presentation_Social_Engineering.pdf

https://www.redteamsecure.com/usb-drop-attacks-the-danger-of-lost-and-found-thumb-drives/

https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Seymour-Tully-Weaponizing-Data-Science-For-Social-Engineering-WP.pdf

https://www.cobaltstrike.com/help-spear-phish

https://blog.cobaltstrike.com/2014/12/17/whats-the-go-to-phishing-technique-or-exploit/

https://www.youtube.com/watch?v=V7UJjVcq2Ao

https://cybersyndicates.com/2016/05/email-reconnaissance-phishing-template-generation-made-simple/

http://www.rvrsh3ll.net/blog/phishing/phishing-for-access/

https://4sysops.com/archives/excel-macros-with-powershell/

https://phishme.com/powerpoint-and-custom-actions/

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68

https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/

https://enigma0x3.net/2017/07/13/phishing-against-protected-view/

https://fzuckerman.wordpress.com/2016/10/06/powershell-empire-stagers-1-phishing-with-an-office-macro-and-evading-avs/

https://www.redteamsecure.com/the-plugbot-hardware-botnet-research-project/

https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator

http://georgemauer.net/2017/10/07/csv-injection.html

https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/

https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279

https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/

https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-2-of-2/

https://www.social-engineer.org/

http://www.darkreading.com/the-7-best-social-engineering-attacks-ever/d/d-id/1319411

https://www.rsaconference.com/writable/presentations/file_upload/das-301_williams_rader.pdf

https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/

https://www.kitploit.com/2018/02/pot-phishing-on-twitter.html

https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/

https://oddvar.moe/2017/09/13/defense-in-depth-writeup/

https://blog.inspired-sec.com/archive/2017/05/07/Phishing.html

https://0x1.gitlab.io/pentesting/Red-Teaming-Toolkit/

https://captainroot.com/blog/getting-started-with-covenant-c2-in-kali-linux/

https://michaelkoczwara.medium.com/covenant-c2-quick-setup-on-windows-296a0d400de2

https://github.com/cobbr/Covenant/wiki/Installation-And-Startup

https://dotnet.microsoft.com/download/dotnet-core

https://dotnet.microsoft.com/download/dotnet-core/3.1

https://dotnet.microsoft.com/download/dotnet-core/thank-you/sdk-3.1.403-linux-x64-binaries

https://192.168.1.10:7443/

https://dian-pentest.medium.com/install-covenant-on-kali-linux-c0350804648d

https://www.youtube.com/watch?v=6C8tzKb3kEQ

https://infosecwriteups.com/hack-the-box-sauna-write-up-w-covenant-c2-c2d71141c90b

https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462

https://petruknisme.medium.com/getting-started-with-covenant-c2-for-red-teaming-8eeb94273b52

https://github.com/active-labs/ACTIVEBlog/blob/master/Red%20Team%20Infrastructure%20-%20C2/Red%20Team%20Infrastructure%20-%20C2.md

https://github.com/nickvourd/Windows_Privilege_Escalation_CheatSheet

https://github.com/ohpe/juicy-potato

https://github.com/TsukiCTF/Lovely-Potato

https://github.com/itm4n/PrintSpoofer

https://github.com/antonioCoco/RoguePotato

https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/

https://github.com/danigargu/CVE-2020-0796

https://github.com/cube0x0/CVE-2021-36934

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1

https://github.com/AlessandroZ/BeRoot

https://github.com/enjoiz/Privesc

https://github.com/itm4n/FullPowers

https://github.com/itm4n/PPLdump

https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland

https://adsecurity.org/?page_id=1821

https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a

https://github.com/HarmJ0y/ASREPRoast

https://github.com/dafthack/DomainPasswordSpray

https://github.com/byt3bl33d3r/CrackMapExec

https://github.com/wavestone-cdt/Invoke-CleverSpray

https://github.com/Greenwolf/Spray

https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials

https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon

https://github.com/Kevin-Robertson/Powermad

https://github.com/GhostPack/Rubeus

https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/

https://www.harmj0y.net/blog/redteaming/rubeus-now-with-more-kekeo/

https://github.com/giuliano108/SeBackupPrivilege

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

https://github.com/dirkjanm/PrivExchange

https://www.dionach.com/blog/printer-server-bug-to-domain-administrator/

https://github.com/NotMedic/NetNTLMtoSilverTicket

https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

https://github.com/fox-it/aclpwn.py

https://github.com/fox-it/Invoke-ACLPwn

https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

https://github.com/fox-it/mitm6

https://www.itprotoday.com/windows-8/sid-filtering

https://www.itprotoday.com/windows-8/sid-history

https://adsecurity.org/?p=1640

http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

https://medium.com/@gorkemkaradeniz/sharepoint-cve-2019-0604-rce-exploitation-ab3056623b7d

https://github.com/k8gege/CVE-2019-0604

https://www.zerodayinitiative.com/blog/2019/9/18/cve-2019-1257-code-execution-on-microsoft-sharepoint-through-bdc-deserialization

https://www.zerodayinitiative.com/blog/2020/4/28/cve-2020-0932-remote-code-execution-on-microsoft-sharepoint-using-typeconverters

https://github.com/thezdi/PoC/tree/master/CVE-2020-0932

https://www.secura.com/whitepapers/zerologon-whitepaper

https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon

https://github.com/BC-SECURITY/Invoke-ZeroLogon

https://github.com/bb00/zer0dump

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527

https://github.com/cube0x0/CVE-2021-1675

https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare

https://github.com/GhostPack/Certify

https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing

https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html

https://github.com/cube0x0/noPac

https://github.com/WazeHell/sam-the-admin

https://github.com/Ridter/noPac

https://adsecurity.org/?page_id=183

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet/tree/master/H%20-%20Persistence

https://speakerdeck.com/pwntester/attacking-net-serialization

https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf

https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf

https://www.youtube.com/watch?v=ZBfBYoK_Wr0

https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf

https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf

https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

https://www.nccgroup.trust/uk/our-research/use-of-deserialisation-in-.net-framework-methods-and-classes/?research=Whitepapers

https://community.microfocus.com/t5/Security-Research-Blog/New-NET-deserialization-gadget-for-compact-payload-When-size/ba-p/1763282

https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/

https://soroush.secproject.com/blog/2019/08/uploading-web-config-for-fun-and-profit-2/

https://cert.360.cn/warning/detail?id=e689288863456481733e01b093c986b6

https://labs.mwrinfosecurity.com/advisories/milestone-xprotect-net-deserialization-vulnerability/

https://soroush.secproject.com/blog/2018/12/story-of-two-published-rces-in-sharepoint-workflows/

https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html

https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution

https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf

https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

https://www.zerodayinitiative.com/blog/2018/8/14/voicemail-vandalism-getting-remote-code-execution-on-microsoft-exchange-server

https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/

https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/

https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints

https://gosecure.github.io/presentations/2018-03-18-confoo_mtl/Security_boot_camp_for_.NET_developers_Confoo_v2.pdf

https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf

https://nullcon.net/website/archives/pdf/goa-2018/rohit-slides.pdf

https://github.com/pwntester/ViewStatePayloadGenerator

https://github.com/0xACB/viewgen

https://github.com/Illuminopi/RCEvil.NET

https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet

https://adsecurity.org/?p=2288

https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/

https://adsecurity.org/?p=525

https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/

https://www.trustedsec.com/2014/12/ms14-068-full-compromise-step-step/

https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

https://adsecurity.org/?p=4064

https://adsecurity.org/?p=4056

https://adsecurity.org/?p=1667

https://blog.stealthbits.com/unconstrained-delegation-permissions/

https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/

https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/

https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/

https://www.secureauth.com/blog/kerberos-delegation-spns-and-more

https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

https://wald0.com/?p=179

https://github.com/rasta-mouse/GPO-Abuse

https://blog.stealthbits.com/exploiting-weak-active-directory-permissions-with-powersploit/

https://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/

https://wald0.com/?p=112

https://adsecurity.org/?p=3658

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Active-Directory-Access-Control-List-8211-Attacks-and-Defense/ba-p/250315

https://www.slideshare.net/DirkjanMollema/aclpwn-active-directory-acl-exploitation-with-bloodhound

https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

https://adsecurity.org/?p=1588

https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work

https://hackmag.com/security/ad-forest/

https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d

https://www.harmj0y.net/blog/redteaming/the-trustpocalypse/

https://blog.stealthbits.com/privilege-escalation-with-dcshadow/

https://pentestlab.blog/2018/04/16/dcshadow/

https://blog.alsid.eu/dcshadow-explained-4510f52fc19d

https://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html

https://www.labofapenetrationtester.com/2018/04/dcshadow.html

https://blog.stealthbits.com/rid-hijacking-when-guests-become-admins/

https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/

https://blog.stealthbits.com/compromise-with-powerupsql-sql-attacks/

https://download.ernw-insight.de/troopers/tr18/slides/TR18_AD_Attack-and-Defend-Microsoft-Enhanced-Security.pdf

https://blog.netspi.com/how-to-hack-database-links-in-sql-server/

https://blog.netspi.com/sql-server-link-crawling-powerupsql/

https://blog.stealthbits.com/passing-the-hash-with-mimikatz

https://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/

https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

https://enigma0x3.net/2015/10/27/targeted-workstation-compromise-with-sccm/

https://github.com/PowerShellMafia/PowerSCCM

https://www.sixdub.net/?p=623

https://www.blackhat.com/docs/us-17/wednesday/us-17-Coltel-WSUSpendu-Use-WSUS-To-Hang-Its-Clients-wp.pdf

https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one/

https://www.youtube.com/watch?v=xB26QhnL64c

https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/

https://github.com/SpiderLabs/Spray

https://github.com/GoFetchAD/GoFetch

https://github.com/byt3bl33d3r/DeathStar

https://github.com/vysec/ANGRYPUPPY

https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/

https://www.youtube.com/playlist?list=PL9HO6M_MU2nc5Q31qd2CwpZ8J4KFMhgnK

https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html

https://youtu.be/l8nkXCOYQC4

https://github.com/FuzzySecurity/Sharp-Suite

https://blog.cobaltstrike.com/2017/10/25/modern-defenses-and-you/

https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/

https://sec564.com/#!docs/tradecraft.md

https://www.youtube.com/watch?v=RoqVunX_sqA

https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

https://www.slideshare.net/nikhil_mittal/red-team-revenge-attacking-microsoft-ata

https://www.slideshare.net/nikhil_mittal/evading-microsoft-ata-for-active-directory-domination

https://cobbr.io/ScriptBlock-Logging-Bypass.html

https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html

https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/

https://github.com/OmerYa/Invisi-Shell

https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9

https://github.com/LOLBAS-Project/LOLBAS

https://github.com/mattifestation/BHUSA2018_Sysmon

https://github.com/mkorman90/sysmon-config-bypass-finder

https://www.labofapenetrationtester.com/2018/10/deploy-deception.html

https://jblog.javelin-networks.com/blog/the-honeypot-buster/

https://github.com/hlldz/Invoke-Phant0m

https://adsecurity.org/?p=451

https://blog.stealthbits.com/extracting-password-hashes-from-the-ntds-dit-file/

https://github.com/eladshamir/Internal-Monologue

https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

https://adsecurity.org/?p=2293

https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

https://www.cyberark.com/blog/cracking-service-account-passwords-kerberoasting/

https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5

https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/

https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

https://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

https://adsecurity.org/?p=1729

https://adsecurity.org/?p=2053

https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/

https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/

https://blog.stealthbits.com/compromising-plain-text-passwords-in-active-directory

https://pentestlab.blog/2018/04/09/golden-ticket/

https://adsecurity.org/?p=1772

https://adsecurity.org/?p=2011

https://adsecurity.org/?p=2753

https://blog.stealthbits.com/creating-persistence-with-dcshadow/

https://adsecurity.org/?p=1906

https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop/

https://adsecurity.org/?p=2716

https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/

https://pentestlab.blog/2018/04/10/skeleton-key/

https://adsecurity.org/?p=1275

https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

https://www.youtube.com/watch?v=OiqaO9RHskU

https://adsecurity.org/?p=1760

https://adsecurity.org/?p=1714

https://adsecurity.org/?p=1785

https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf

https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/

https://www.slideshare.net/harmj0y/the-unintended-risks-of-trusting-active-directory

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

https://github.com/SecureAuthCorp/impacket

https://github.com/canix1/ADACLScanner

https://github.com/cyberark/zBang

https://github.com/NetSPI/PowerUpSQL

https://github.com/gentilkiwi/mimikatz

https://github.com/l0ss/Grouper

https://0x1.gitlab.io/pentesting/Active-Directory-Kill-Chain-Attack-and-Defense/

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md

https://github.com/CyberSecurityUP/Red-Team-Management/tree/main/Adversary%20Emulation

http://ADRecon.ps

http://AzureHound.ps

https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe

https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1

http://SharpHound.ps

https://github.com/fox-it/BloodHound.py

http://domain.com

http://dotnet.microsoft.com

https://github.com/cobbr/Covenant

http://file.ps

http://Get-PassHashes.ps

http://Invoke-Mimikatz.ps

http://GetUserSPNs.py

http://GetNPUsers.py

http://Powermad.ps

http://PowerView.ps

http://example.cab

http://smbclient.py

http://secretsdump.py

http://aclpwn.py

http://Invoke-PowerShellTcp.ps

http://Invoke-SDPropagator.ps

http://ysoserial.net