https://github.com/Orange-Cyberdefense/GOAD

https://mayfly277.github.io/categories/proxmox/

https://www.detectionlab.network/

https://github.com/infosecn1nja/AD-Attack-Defense

https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki

https://dispatch.redteams.fyi/red-team-edr-bypass-team/

https://www.redsiege.com/wp-content/uploads/2019/09/AssumedBreach-ABM.pdf

https://github.com/Orange-Cyberdefense/arsenal/blob/master/mindmap/Pentesting_MS_Exchange_Server_on_the_Perimeter.png

https://github.com/dafthack/MailSniper

https://gist.github.com/superkojiman/11076951#file-namemash-py

https://github.com/dafthack/EmailAddressMangler

https://gist.github.com/snovvcrash/4e76aaf2a8750922f546eed81aa51438#file-oaburl-py

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/

https://github.com/snovvcrash/peas

https://labs.withsecure.com/publications/accessing-internal-fileshares-through-exchange-activesync

https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/

https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c

https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/

https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell

https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/

https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/

https://rw.md/2022/11/09/ProxyNotRelay.html

https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

https://github.com/pwntester/ysoserial.net

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

https://github.com/dirkjanm/privexchange/

https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/

https://github.com/sensepost/ruler

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2013-june-13-2017-d52f7b9a-488c-dd5a-0d43-da5832eaac5f

https://sensepost.com/blog/2017/outlook-forms-and-shells/

https://support.microsoft.com/en-us/office/custom-form-script-is-now-disabled-by-default-bd8ea308-733f-4728-bfcc-d7cce0120e94

https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

https://learn.microsoft.com/en-us/mem/configmgr/hotfix/2207/15599094

https://amsi.fail/

https://lolbas-project.github.io/

https://processhacker.sourceforge.io/

http://www.rohitab.com/apimonitor

https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/

https://github.com/danielbohannon/Invoke-Obfuscation

https://github.com/samratashok/nishang

https://github.com/besimorhino/powercat

https://pentestlab.blog/2021/05/17/persistence-amsi/

https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/

https://blog.f-secure.com/hunting-for-amsi-bypasses/

https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-1.html

https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/#what-does-constrained-language-constrain

https://www.hackingarticles.in/windows-applocker-policy-a-beginners-guide/

https://www.ired.team/offensive-security/code-execution/t1118-installutil

https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c

https://github.com/api0cradle/UltimateAppLockerByPassList

https://github.com/p3nt4/PowerShdll

https://github.com/padovah4ck/PSByPassCLM

https://github.com/calebstewart/bypass-clm

https://blog.xpnsec.com/constrained-language-mode-bypass/

https://sp00ks-git.github.io/posts/CLM-Bypass/

https://github.com/microsoft/AaronLocker

https://improsec.com/tech-blog/one-thousand-and-one-application-blocks

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/trustedsec/SysmonCommunityGuide

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/Neo23x0/sysmon-config

https://github.com/olafhartong/sysmon-modular

https://cobbr.io/ScriptBlock-Logging-Bypass.html

https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html

https://github.com/sans-blue-team/DeepBlueCLI

https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1/

https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2/

https://blog.ironmansoftware.com/protect-logging-bypass/

https://avantguard.io/en/blog/powershell-enhanced-logging-capabilities-bypass

https://github.com/OmerYa/Invisi-Shell and https://www.youtube.com/watch?v=Y3oMEiySxcc

https://github.com/mgeeky/Stracciatella

https://www.ired.team/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host

https://github.com/hlldz/Phant0m

https://github.com/ScriptIdiot/SysmonQuiet

https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html

https://github.com/matterpreter/Shhmon

https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw

https://blog.f-secure.com/detecting-malicious-use-of-net-part-1/

https://blog.f-secure.com/detecting-malicious-use-of-net-part-2/

https://github.com/mandiant/SilkETW

https://github.com/GhostPack/Seatbelt

https://github.com/mkaring/ConfuserEx

https://whiteknightlabs.com/2021/12/11/bypassing-etw-for-fun-and-profit/

https://blog.xpnsec.com/hiding-your-dotnet-etw/

https://github.com/outflanknl/TamperETW

https://pre.empt.blog/2023/maelstrom-6-working-with-amsi-and-etw-for-red-and-blue

https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

https://fatrodzianko.com/2020/08/25/getting-rastamouses-amsiscanbufferbypass-to-work-again/

https://p0w3rsh3ll.wordpress.com/2019/03/07/applocker-and-powershell-how-do-they-tightly-work-together/

https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/

https://www.detectionlab.network/introduction/prerequisites/

http://www.labofapenetrationtester.com/2018/10/deploy-deception.html

https://github.com/samratashok/ADModule

https://0xinfection.github.io/posts/wmi-basics-part-1/

https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-1/

https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-2/

https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/

https://ldapwiki.com/wiki/Main

https://blog.ropnop.com/talk/2018/funwithldapkerb/

https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/

https://github.com/sensepost/UserEnum

https://malicious.link/post/2022/ldapsearch-reference/

https://github.com/ropnop/windapsearch

https://github.com/tevora-threat/SharpView

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

https://powersploit.readthedocs.io/en/latest/Recon/

https://bloodhound.readthedocs.io/en/latest/

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html

https://github.com/hausec/Bloodhound-Custom-Queries

https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer

https://www.trustedsec.com/blog/adexplorer-on-engagements/

https://github.com/c3c/ADExplorerSnapshot.py

https://falconforce.nl/falconfriday-detecting-active-directory-data-collection-0xff21/

https://adsecurity.org/?page_id=183

https://www.slideshare.net/harmj0y/i-hunt-sys-admins-20

http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html

https://www.youtube.com/watch?v=bzLvOu1awKM

https://github.com/samratashok/Deploy-Deception

https://www.bordergate.co.uk/active-directory-honey-tokens/

https://github.com/JavelinNetworks/HoneypotBuster

https://github.com/secureworks/dcept

https://github.com/EmpireProject/Empire/blob/dev/data/module_source/management/New-HoneyHash.ps1

https://stealthbits.com/blog/implementing-detections-for-the-honeyhash/

https://learn.microsoft.com/en-us/windows/win32/wmisdk/about-wmi

https://0xinfection.github.io/posts/wmi-ad-enum/

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/lightweight-directory-access-protocol-ldap-api

https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications

https://github.com/eladshamir/Internal-Monologue

https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/

https://adsecurity.org/?p=2288

https://github.com/Porchetta-Industries/CrackMapExec

https://github.com/ropnop/kerbrute

https://github.com/dafthack/DomainPasswordSpray

https://en.hackndo.com/ntlm-relay/

https://github.com/lgandx/Responder

https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/

https://github.com/p0dalirius/windows-coerced-authentication-methods

https://github.com/leechristensen/SpoolSample

https://github.com/topotam/PetitPotam

https://github.com/Hackndo/WebclientServiceScanner

https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/

https://github.com/ShutdownRepo/ShadowCoerce

https://github.com/Wh04m1001/DFSCoerce

https://en.hackndo.com/kerberos/

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/b4af186e-b2ff-43f9-b18e-eedb366abf13

https://dumpco.re/blog/asreqroast

https://github.com/lgandx/PCredz

https://hashcat.net/hashcat/

https://github.com/GhostPack/Rubeus

https://m365internals.com/2021/11/08/kerberoast-with-opsec/

https://github.com/Luct0r/KerberOPSEC

https://theitbros.com/deploying-local-administrator-password-solution-laps-in-active-directory/

https://github.com/leoloobeek/LAPSToolkit

https://github.com/kfosaaen/Get-LAPSPasswords

https://github.com/MichaelGrafnetter/DSInternals

https://github.com/rvazarkar/GMSAPasswordReader

https://github.com/micahvandeusen/gMSADumper

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#dumping-ad-domain-credentials

https://github.com/shellster/DCSYNCMonitor

https://www.netero1010-securitylab.com/detection/dcsync-detection

https://pentestlab.blog/2021/10/20/lateral-movement-webclient/

https://rioasmara.com/2020/07/04/kerberoasting-as-req-pre-auth-vs-non-pre-auth/

https://blog.netwrix.com/2022/11/03/cracking_ad_password_with_as_rep_roasting/

https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/

https://cube0x0.github.io/Relaying-for-gMSA/

https://www.triplesec.info/slides/3c567aac7cf04f8646bf126423393434.pdf

https://mayfly277.github.io/posts/GOADv2-pwning-part4/

https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/

https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient

https://labs.nettitude.com/blog/network-relaying-abuse-windows-domain/

https://en.hackndo.com/pass-the-hash/

https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts

https://www.netwrix.com/pass_the_ticket.html

https://mayfly277.github.io/posts/GOADv2-pwning-part10/

https://www.thehacker.recipes/ad/movement/kerberos/delegations/unconstrained

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket#available-services

https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-attack/

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280

https://www.thehacker.recipes/ad/movement/trusts#cve-2020-0665

https://github.com/Hackplayers/evil-winrm

https://cheats.philkeeble.com/active-directory/ad-privilege-escalation/jea

https://github.com/samratashok/RACE

https://blog.cptjesus.com/posts/userrightsassignment/

https://github.com/GhostPack/RestrictedAdmin

https://github.com/0xthirteen/SharpRDP

https://github.com/passthehashbrowns/SharpRDPThief

https://github.com/fortra/impacket

https://securityboulevard.com/2019/06/your-session-key-is-my-session-key-how-to-retrieve-the-session-key-for-any-authentication/

https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/dementor.py

https://github.com/fox-it/cve-2019-1040-scanner

https://gist.github.com/JoeDibley/fd93a9c5b3d45dbd8cbfdd003ddc1bd1

https://github.com/FuzzySecurity/StandIn

https://github.com/Kevin-Robertson/Powermad

https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html

https://mayfly277.github.io/posts/GOADv2-pwning-part10/#without-protocol-transition

https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research

https://support.microsoft.com/en-us/topic/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server-1a6632ac-1599-0a7c-550a-a754796c291e

https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/

https://0xthirteen.com/2020/01/21/revisiting-remote-desktop-lateral-movement/

https://pentestlab.blog/2021/05/24/dumping-rdp-credentials/

https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

https://neil-fox.github.io/Impacket-usage-&-detection/

https://www.synacktiv.com/publications/traces-of-windows-remote-command-execution.html

https://www.joeyverlinden.com/implementing-and-monitoring-attack-surface-reduction-rules-asr/

https://www.thehacker.recipes/ad/movement/ntlm/relay

https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/

https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/

https://en.hackndo.com/constrained-unconstrained-delegation/#unconstrained-delegation

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

https://pentestlab.blog/2021/10/18/resource-based-constrained-delegation/

https://www.notsoshant.io/blog/attacking-kerberos-constrained-delegation/

https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/

https://www.trustedsec.com/blog/ms14-068-full-compromise-step-step/

https://www.secura.com/uploads/whitepapers/Zerologon.pdf

https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html

https://mayfly277.github.io/posts/GOADv2-pwning-part5/#samaccountname-nopac

https://jlajara.gitlab.io/Potatoes_Windows_Privesc

https://specterops.io/wp-content/uploads/sites/3/2022/06/an_ace_up_the_sleeve.pdf

https://www.semperis.com/blog/spn-jacking-an-edge-case-in-writespn-abuse/

https://www.thehacker.recipes/ad/movement/kerberos/spn-jacking

https://secarma.com/using-machine-account-passwords-during-an-engagement/

https://pentestlab.blog/2022/02/01/machine-accounts/

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups

https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-3-sid-filtering-explained

https://petri.com/windows-server-2016-set-privileged-access-management/

http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html

https://github.com/mubix/pykek

https://dirkjanm.io/a-different-way-of-abusing-zerologon/

https://www.thehacker.recipes/ad/movement/netlogon/zerologon

https://github.com/VoidSec/CVE-2020-1472

https://github.com/dirkjanm/CVE-2020-1472

https://www.thehacker.recipes/ad/movement/print-spooler-service/printnightmare#constraints

https://github.com/cube0x0/CVE-2021-1675

https://github.com/cube0x0/noPac

https://github.com/WazeHell/sam-the-admin

https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system/

https://github.com/antonioCoco/RemotePotato0

https://www.thehacker.recipes/ad/movement/dacl

https://github.com/FsecureLABS/SharpGPOAbuse

https://neutronsec.com/privesc/windows/print_operators/

https://github.com/mpgn/BackupOperatorToDA

https://www.sentinelone.com/labs/relaying-potatoes-another-unexpected-privilege-escalation-vulnerability-in-windows-rpc-protocol/

https://pentestlab.blog/2021/05/04/remote-potato-from-domain-user-to-enterprise-admin/

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/260b58dc-da14-400b-8b82-6abbfd529fbf

https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gplink?view=windowsserver2022-ps

https://en.hackndo.com/kerberos-silver-golden-tickets/

https://exploit.ph/revisiting-delegate-2-thyself.html

https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/

https://pgj11.com/posts/Diamond-And-Sapphire-Tickets/

https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

https://www.dcshadow.com/

https://www.semperis.com/blog/golden-gmsa-attack/

https://adsecurity.org/?p=1255

https://itm4n.github.io/lsass-runasppl/

https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/silver

https://www.varonis.com/blog/pac_requestor-and-golden-ticket-attacks

https://www.trustedsec.com/blog/red-vs-blue-kerberos-ticket-times-checksums-and-you/

https://github.com/0xe7/WonkaVision

https://www.thehacker.recipes/ad/persistence/sid-history

https://github.com/STEALTHbits/ServerUntrustAccount

https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1

https://github.com/Semperis/GoldenGMSA

https://adsecurity.org/?p=1275

https://helgeklein.com/blog/permissions-a-primer-or-dacl-sacl-owner-sid-and-ace-explained/

https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

https://learn.microsoft.com/en-us/training/modules/implement-manage-active-directory-certificate-services/2-explore-fundamentals-of-pki-ad-cs

https://github.com/AlmondOffSec/PassTheCert

https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html

https://speakerdeck.com/heirhabarov/hunting-for-active-directory-certificate-services-abuse

https://github.com/TheWover/CertStealer

https://github.com/GhostPack/SharpDPAPI

https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce

https://github.com/GhostPack/Certify

https://shenaniganslabs.io/2021/06/21/Shadow-Credentials.html

https://github.com/eladshamir/Whisker

https://hideandsec.sh/books/cheatsheets-82c/page/active-directory-certificate-services

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

https://github.com/ly4k/Certipy

https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/

https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7

https://catalog.update.microsoft.com/Search.aspx?q=KB5025228

https://github.com/fortalice/modifyCertTemplate

https://redteam.wiki/postexploitation/active-directory/adcs/esc4

https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4

https://www.redpacketsecurity.com/certsync-dump-ntds-with-golden-certificates-and-unpac-the-hash/

https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c

https://luemmelsec.github.io/Skidaddle-Skideldi-I-just-pwnd-your-PKI/#esc7

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#esc8---ad-cs-relay-attack

https://mayfly277.github.io/posts/GOADv2-pwning-part6/#esc8---coerce-to-domain-admin

https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/

https://github.com/GhostPack/ForgeCert

https://www.mssqltips.com/sqlservertip/7212/sql-server-port-explanation-usage/

https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-ver16

https://www.mssqltips.com/sqlservertip/1887/understanding-sql-server-fixed-server-roles/

https://github.com/skahwah/SQLRecon

https://github.com/NetSPI/PowerUpSQL

https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet

https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#common-enumeration

https://ppn.snovvcrash.rocks/pentest/infrastructure/dbms/mssql#enumeration

https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/

https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/

https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1

https://github.com/p0dalirius/MSSQL-Analysis-Coerce

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer

https://www.netspi.com/blog/technical/network-penetration-testing/get-sql-server-sysadmin-privileges-local-admin-powerupsql/

https://xpnsec.tumblr.com/post/145350063196/reading-mdf-hashes-with-powershell

https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes

https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp

https://www.netspi.com/blog/technical/adversary-simulation/attacking-sql-server-clr-assemblies/

https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/clr-strict-security?view=sql-server-ver16

https://github.com/sekirkity/SeeCLRly

https://www.imperva.com/blog/how-to-exploit-sql-server-using-ole-automation/

https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution

https://cheats.philkeeble.com/active-directory/mssql#external-scripts

https://www.slideshare.net/nullbind/beyond-xpcmdshell-owning-the-empire-through-sql-server

https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/

https://keramas.github.io/2020/03/28/mssql-ad-enumeration2.html

https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/

https://github.com/NetSPI/PowerUpSQL/blob/master/scripts/pending/Invoke-SqlServer-Persist-StartupSp.psm1

https://learn.microsoft.com/en-us/sql/t-sql/statements/create-trigger-transact-sql?view=sql-server-ver16

https://learn.microsoft.com/en-us/sql/relational-databases/triggers/ddl-event-groups?view=sql-server-ver16

https://www.netspi.com/blog/technical/network-penetration-testing/maintaining-persistence-via-sql-server-part-2-triggers/

https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks/

https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/design-a-hierarchy-of-sites

https://www.systemcenterdudes.com/complete-sccm-installation-guide-and-configuration/

https://http418infosec.com/grow-your-own-sccm-lab

https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/

https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a

https://http418infosec.com/offensive-sccm-summary#Credential_Access_%E2%80%93_NAA

https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1

https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e22b2bf

https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867

https://github.com/GoSecure/pywsus

https://github.com/bettercap/bettercap

https://www.gosecure.net/blog/2020/09/03/wsus-attacks-part-1-introducing-pywsus/

https://github.com/GoSecure/WSuspicious

https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services

https://woshub.com/group-policy-settings-to-deploy-updates-using-wsus/

https://github.com/nettitude/SharpWSUS

https://github.com/alex-dengx/WSUSpendu

https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

https://www.thehacker.recipes/ad/movement/sccm-mecm

https://github.com/MWR-CyberSec/PXEThief

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Christopher%20Panayi%20-%20Pulling%20Passwords%20out%20of%20Configuration%20Manager%20Practical%20Attacks%20against%20Microsofts%20Endpoint%20Management%20Software.pdf

https://github.com/Mayyhem/SharpSCCM/

https://github.com/1njected/CMLoot

https://github.com/garrettfoster13/sccmhunter#mssql

https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/setup-migrate-backup-recovery/enable-mfa-for-sms-provider-calls

https://informationonsecurity.blogspot.com/2015/11/microsofts-accidental-enterprise-dfir.html

https://www.youtube.com/watch?v=W9PC9erm_pI

https://www.youtube.com/watch?v=uyI5rgR0D-s

https://www.mwrcybersec.com/research_items/identifying-and-retrieving-credentials-from-sccm-mecm-task-sequences

https://http418infosec.com/offensive-sccm-summary

http://978-1-80461-136-4de-DEwww.packtpub.com

http://en-GBwww.packtpub.com/support/errataen-GB

https://packt.link/free-ebook/9781804611364en-GB2.

http://prepare.sh

http://en-GBsurname.name

https://hunter.io/en-GB,

https://mail.target.com/en-GBautodiscover/Autodiscover.xmlen-GB

https://mail.target.com/EWS/Exchange.en-GBasmxen-GB.

https://mail.target.com/owa/en-GB

http://exchanger.py

http://CVE-2020-0688.ps

http://privexchange.py

http://windomain.localen-GBntlmrelayx.py

https://github.com/splunk/attack_rangeen-GB2.

https://github.com/Orange-Cyberdefense/en-GBGOADen-GB3.

https://mayfly277.github.io/categories/en-GBproxmox/en-GB4.

https://www.detectionlab.network/en-GB5.

https://github.com/infosecn1nja/en-GBAD-Attack-Defenseen-GB6.

https://github.com/bluscreenofjeff/Red-Team-en-GBInfrastructure-Wikien-GB7.

https://dispatch.redteams.fyi/red-team-edr-bypass-en-GBteam/en-GB8.

https://www.redsiege.com/wp-content/en-GBuploads/2019/09/AssumedBreach-ABM.pdfen-GB9.

https://github.com/Orange-en-GBCyberdefense/arsenal/blob/master/mindmap/Pentesting_MS_Exchange_en-GBServer_on_the_Perimeter.pngen-GB10.

https://github.com/dafthack/MailSniperen-GB11.

https://gist.github.com/superkojiman/11076951#file-en-GBnamemash-pyen-GB12.

https://github.com/dafthack/EmailAddressMangleren-GB13.

https://gist.github.com/snovvcrashen-GB/4e76aaf2a8750922f546eed81aa51438#file-oaburl-py

https://swarm.ptsecurity.com/attacking-en-GBms-exchange-web-interfaces/en-GB15.

https://en-GBgithub.com/snovvcrash/peasen-GB16.

https://labs.withsecure.com/en-GBpublications/accessing-internal-fileshares-through-exchange-en-GBactivesyncen-GB17.

https://devco.re/blog/2021/08/06/a-en-GBnew-attack-surface-on-MS-exchange-part-1-ProxyLogon/en-GB18.

https://bi-zone.medium.com/hunting-down-ms-en-GBexchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-en-GB26857-6e885c5f197cen-GB19.

https://www.en-GBzerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-en-GBattack-surface-on-microsoft-exchange-proxyshellen-GB21.

https://unit42.en-GBpaloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/en-GB22.

https://devco.re/en-GBblog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-en-GBProxyRelay/en-GB23.

https://rw.md/2022/11/09/ProxyNotRelay.htmlen-GB24.

https://en-GBwww.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-en-GBcode-execution-on-microsoft-exchange-server-through-fixed-en-GBcryptographic-keysen-GB25.

http://en-GBYsoserial.net

https://github.com/pwntester/ysoserial.neten-GB26.

https://dirkjanm.io/en-GBabusing-exchange-one-api-call-away-from-domain-admin/en-GB27.

https://github.com/dirkjanm/privexchange/en-GB28.

https://sensepost.com/en-GBblog/2016/mapi-over-http-and-mailrule-pwnage/en-GB29.

https://support.microsoft.com/en-us/topic/en-GBdescription-of-the-security-update-for-outlook-2013-june-13-en-GB2017-d52f7b9a-488c-dd5a-0d43-da5832eaac5fen-GB31.

https://sensepost.com/blog/2017/en-GBoutlook-forms-and-shells/en-GB32.

https://support.microsoft.com/en-us/office/en-GBcustom-form-script-is-now-disabled-by-default-bd8ea308-733f-en-GB4728-bfcc-d7cce0120e94en-GB33.

https://sensepost.com/blog/2017/en-GBoutlook-home-page-another-ruler-vector/en-GB34.

https://learn.microsoft.com/en-us/mem/en-GBconfigmgr/hotfix/2207/15599094

http://en-GBPowerShellTcpOneLine.ps

https://processhacker.sourceforge.io/en-GB2.

http://www.rohitab.com/apimonitoren-GB3.

https://github.com/S3cur3Th1sSh1t/en-GBAmsi-Bypass-Powershellen-GB4.

https://github.com/danielbohannon/Invoke-en-GBObfuscationen-GB6.

https://github.com/samratashok/nishangen-GB7.

https://github.com/besimorhino/powercaten-GB8.

https://pentestlab.blog/2021/05/17/persistence-en-GBamsi/en-GB9.

https://blog.f-secure.com/hunting-for-en-GBamsi-bypasses/en-GB11.

https://www.tiraniddo.dev/2019/11/en-GBthe-internals-of-applocker-part-1.htmlen-GB12.

https://www.hackingarticles.in/windows-en-GBapplocker-policy-a-beginners-guide/en-GB14.

https://www.ired.team/offensive-security/en-GBcode-execution/t1118-installutilen-GB15.

https://www.ired.team/offensive-security/en-GBcode-execution/using-msbuild-to-execute-shellcode-in-c

https://github.com/api0cradle/en-GBUltimateAppLockerByPassListen-GB17.

https://github.com/p3nt4/en-GBPowerShdllen-GB18.

https://github.com/en-GBpadovah4ck/PSByPassCLMen-GB19.

https://github.com/calebstewart/en-GBbypass-clmen-GB20.

https://blog.xpnsec.com/constrained-en-GBlanguage-mode-bypass/en-GB21.

https://github.com/microsoft/AaronLockeren-GB23.

https://improsec.com/tech-blog/one-thousand-en-GBand-one-application-blocksen-GB24.

https://docs.microsoft.com/en-us/sysinternals/downloads/en-GBsysmonen-GB25.

https://github.com/trustedsec/en-GBSysmonCommunityGuideen-GB26.

https://github.com/SwiftOnSecurity/en-GBsysmon-configen-GB27.

https://github.com/Neo23x0/sysmon-en-GBconfigen-GB28.

https://github.com/olafhartong/en-GBsysmon-modularen-GB29.

https://cobbr.io/ScriptBlock-Logging-en-GBBypass.htmlen-GB30.

http://cobbr.io

https://cobbr.io/ScriptBlock-en-GBWarning-Event-Logging-Bypass.htmlen-GB31.

https://github.com/sans-blue-team/DeepBlueCLIen-GB32.

https://www.bc-security.org/post/powershell-en-GBlogging-obfuscation-and-some-newish-bypasses-part-1/en-GB33.

https://www.bc-security.org/post/powershell-en-GBlogging-obfuscation-and-some-newish-bypasses-part-2/en-GB34.

https://blog.ironmansoftware.com/protect-en-GBlogging-bypass/

https://avantguard.io/en/blog/powershell-en-GBenhanced-logging-capabilities-bypassen-GB36.

https://github.com/OmerYa/Invisi-Shell

https://en-GBwww.youtube.com/watch?v=Y3oMEiySxccen-GB37.

https://github.com/mgeeky/Stracciatellaen-GB38.

https://www.ired.team/offensive-security/enumeration-en-GBand-discovery/detecting-sysmon-on-the-victim-hosten-GB39.

https://medium.com/@olafhartong/endpoint-detection-en-GBsuperpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9en-GB40.

https://github.com/hlldz/Phant0men-GB41.

https://github.com/ScriptIdiot/SysmonQuieten-GB42.

https://codewhitesec.blogspot.com/2022/09/attacks-on-en-GBsysmon-revisited-sysmonente.htmlen-GB43.

https://github.com/matterpreter/Shhmonen-GB44.

https://bmcder.com/blog/a-begginers-all-inclusive-en-GBguide-to-etwen-GB45.

https://blog.f-secure.com/detecting-en-GBmalicious-use-of-net-part-1/en-GB46.

https://blog.f-secure.com/detecting-en-GBmalicious-use-of-net-part-2/en-GB47.

https://github.com/mandiant/SilkETWen-GB48.

https://github.com/GhostPack/Seatbelten-GB49.

https://github.com/mkaring/ConfuserExen-GB50.

https://blog.xpnsec.com/hiding-your-dotnet-etw/en-GB52.

https://github.com/outflanknl/TamperETWen-GB53.

https://pre.empt.blog/2023/maelstrom-6-working-en-GBwith-amsi-and-etw-for-red-and-blueen-GB54.

https://blog.palantir.com/tampering-with-windows-en-GBevent-tracing-background-offense-and-defense-4be7ac62ac63

https://en-GBp0w3rsh3ll.wordpress.com/2019/03/07/applocker-and-powershell-en-GBhow-do-they-tightly-work-together/en-GB

https://www.blackhillsinfosec.com/powershell-without-en-GBpowershell-how-to-bypass-application-whitelisting-environment-en-GBrestrictions-av/

http://www.en-GBlabofapenetrationtester.com/2018/10/deploy-deception.htmlen-GB

https://github.com/samratashok/ADModuleen-GB2.

https://0xinfection.github.io/posts/wmi-basics-en-GBpart-1/en-GB3.

https://blog.compass-security.com/2022/05/en-GBbloodhound-inner-workings-part-1/en-GB,

https://blog.en-GBcompass-security.com/2022/05/bloodhound-inner-workings-part-3/en-GB4.

https://ldapwiki.com/wiki/Mainen-GB5.

https://blog.ropnop.com/talk/2018/funwithldapkerb/en-GB6.

https://sensepost.com/blog/2018/a-en-GBnew-look-at-null-sessions-and-user-enumeration/

https://github.com/sensepost/UserEnumen-GB8.

https://malicious.link/post/2022/ldapsearch-reference/en-GB9.

https://github.com/ropnop/windapsearchen-GB10.

https://github.com/tevora-threat/SharpViewen-GB11.

https://github.com/PowerShellMafia/PowerSploit/blob/en-GBdev/Recon/PowerView.ps1en-GB12.

https://powersploit.readthedocs.io/en/latest/en-GBRecon/en-GB13.

https://bloodhound.readthedocs.io/en/latest/en-GB14.

https://bloodhound.readthedocs.io/en/latest/data-en-GBcollection/sharphound.htmlen-GB15.

https://github.com/hausec/Bloodhound-Custom-en-GBQueriesen-GB16.

https://learn.microsoft.com/en-us/sysinternals/downloads/en-GBadexploreren-GB17.

https://www.trustedsec.com/blog/adexplorer-en-GBon-engagements/en-GB18.

https://github.com/c3c/ADExplorerSnapshot.pyen-GB19.

https://falconforce.nl/falconfriday-detecting-en-GBactive-directory-data-collection-0xff21/en-GB20.

https://adsecurity.org/?page_id=183en-GB21.

https://www.slideshare.net/harmj0y/i-hunt-sys-admins-20en-GB22.

http://www.labofapenetrationtester.com/2017/08/en-GBweek-of-evading-microsoft-ata-day1.htmlen-GB23.

https://www.youtube.com/watch?v=bzLvOu1awKMen-GB24.

http://www.labofapenetrationtester.com/2018/10/en-GBdeploy-deception.htmlen-GB25.

https://github.com/samratashok/Deploy-Deceptionen-GB26.

https://www.bordergate.co.uk/en-GBactive-directory-honey-tokens/en-GB27.

https://github.com/JavelinNetworks/HoneypotBusteren-GB28.

https://github.com/EmpireProject/Empire/blob/dev/data/en-GBmodule_source/management/New-HoneyHash.ps1en-GB30.

https://stealthbits.com/blog/implementing-en-GBdetections-for-the-honeyhash/en-GBFurther

https://learn.microsoft.com/en-us/en-GBwindows/win32/wmisdk/about-wmien-GB

https://0xinfection.github.io/posts/en-GBwmi-ad-enum/en-GB

https://learn.microsoft.com/en-us/previous-en-GBversions/windows/desktop/ldap/lightweight-directory-access-en-GBprotocol-ldap-api

https://twitter.com/en-GBfilip_dragovic/status/1524730451826511872en-GB.en-GBGroup

https://en-GBwww.thehacker.recipes/ad/movement/mitm-and-coerced-authenticationsen-GB.

https://osandamalith.com/2017/03/24/places-of-en-GBinterest-in-stealing-netntlm-hashes/en-GB.en-GBTo

http://ntds.dit.save

http://system.save

https://en-GBgithub.com/eladshamir/Internal-Monologueen-GB2.

https://www.trustedsec.com/blog/en-GBdiving-into-pre-created-computer-accounts/en-GB3.

https://adsecurity.org/?p=2288en-GB4.

https://github.com/Porchetta-Industries/CrackMapExecen-GB5.

https://github.com/ropnop/kerbruteen-GB6.

https://github.com/dafthack/DomainPasswordSprayen-GB7.

https://en.hackndo.com/ntlm-relay/en-GB8.

https://github.com/lgandx/Responderen-GB9.

https://www.mdsec.co.uk/2021/02/farming-for-en-GBred-teams-harvesting-netntlm/en-GB10.

https://github.com/p0dalirius/windows-en-GBcoerced-authentication-methodsen-GB11.

https://github.com/leechristensen/SpoolSampleen-GB12.

https://github.com/topotam/PetitPotamen-GB13.

https://github.com/Hackndo/en-GBWebclientServiceScanner

https://dtm.uk/exploring-search-en-GBconnectors-and-library-files-on-windows/en-GB15.

https://github.com/ShutdownRepo/ShadowCoerceen-GB16.

https://github.com/Wh04m1001/DFSCoerceen-GB17.

https://en.hackndo.com/kerberos/en-GB18.

https://learn.microsoft.com/en-us/openspecs/windows_en-GBprotocols/ms-kile/b4af186e-b2ff-43f9-b18e-eedb366abf13en-GB19.

https://dumpco.re/blog/asreqroasten-GB20.

https://github.com/lgandx/PCredzen-GB21.

https://hashcat.net/hashcat/en-GB22.

https://github.com/GhostPack/Rubeusen-GB23.

https://m365internals.com/2021/11/08/kerberoast-en-GBwith-opsec/en-GB24.

https://github.com/Luct0r/KerberOPSECen-GB25.

https://theitbros.com/deploying-local-administrator-en-GBpassword-solution-laps-in-active-directory/en-GB26.

https://github.com/leoloobeek/LAPSToolkiten-GB27.

https://github.com/kfosaaen/Get-LAPSPasswordsen-GB28.

https://github.com/MichaelGrafnetter/DSInternalsen-GB29.

https://github.com/rvazarkar/GMSAPasswordReaderen-GB30.

https://github.com/micahvandeusen/gMSADumperen-GB31.

https://github.com/swisskyrepo/en-GBPayloadsAllTheThings/blob/master/Methodology%20and%20Resources/en-GBActive%20Directory%20Attack.md#dumping-ad-domain-credentialsen-GB32.

https://github.com/shellster/DCSYNCMonitoren-GB33.

https://www.netero1010-securitylab.com/en-GBdetection/dcsync-detection

https://en-GBrioasmara.com/2020/07/04/kerberoasting-as-req-pre-auth-vs-non-en-GBpre-auth/en-GB

https://blog.en-GBnetwrix.com/2022/11/03/cracking_ad_password_with_as_rep_roasting/en-GB

https://www.en-GBdsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-en-GBactive-directory/en-GB

https://en-GBcube0x0.github.io/Relaying-for-gMSA/

https://en.hackndo.com/ntlm-relay/en-GB.

https://en-GBmayfly277.github.io/posts/GOADv2-pwning-part4/en-GB.en-GBLet

https://www.trustedsec.com/blog/a-comprehensive-en-GBguide-on-relaying-anno-2022/en-GB

http://en-GB.search

http://schemas.microsoft.com/windows/2009/en-GBsearchConnector

https://example.com

http://dementor.py

http://scan.py

https://labs.nettitude.com/blog/network-relaying-abuse-en-GBwindows-domain/en-GB

https://en.hackndo.com/pass-the-hash/en-GB.en-GB

https://learn.en-GBmicrosoft.com/en-us/defender-for-identity/lateral-movement-alertsen-GB

https://www.netwrix.com/en-GBpass_the_ticket.htmlen-GB.

https://mayfly277.en-GBgithub.io/posts/GOADv2-pwning-part10/en-GB.

https://www.thehacker.recipes/ad/movement/en-GBkerberos/delegations/unconstraineden-GB

https://pentestlab.blog/2022/03/21/unconstrained-en-GBdelegation/en-GB.en-GBTo

https://en-GBwww.netspi.com/blog/technical/network-penetration-testing/cve-en-GB2020-17049-kerberos-bronze-bit-theory/en-GB.en-GBIn

http://en-GBfindDelegation.py

https://en-GBwww.netspi.com/blog/technical/network-penetration-testing/cve-en-GB2020-17049-kerberos-bronze-bit-attack/en-GB.en-GB

https://learn.microsoft.com/en-us/openspecs/en-GBwindows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280en-GB.en-GBBrie

http://a.name

http://b.name

https://www.thehacker.recipes/ad/en-GBmovement/trusts#cve-2020-0665en-GB.en-GBIf

https://github.com/Hackplayers/evil-winrmen-GB2.

https://cheats.philkeeble.com/active-directory/en-GBad-privilege-escalation/jeaen-GB3.

https://github.com/samratashok/RACEen-GB4.

https://blog.cptjesus.com/posts/en-GBuserrightsassignment/en-GB5.

https://github.com/GhostPack/RestrictedAdminen-GB6.

https://github.com/0xthirteen/SharpRDPen-GB7.

https://github.com/passthehashbrowns/SharpRDPThiefen-GB8.

https://github.com/fortra/impacketen-GB9.

https://securityboulevard.com/2019/06/your-en-GBsession-key-is-my-session-key-how-to-retrieve-the-session-key-en-GBfor-any-authentication/en-GB10.

https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/en-GBmaster/dementor.pyen-GB11.

https://github.com/FuzzySecurity/StandInen-GB14.

https://github.com/Kevin-Robertson/Powermaden-GB15.

https://www.tiraniddo.dev/2022/05/en-GBexploiting-rbcd-using-normal-user.htmlen-GB16.

https://mayfly277.github.io/posts/en-GBGOADv2-pwning-part10/#without-protocol-transitionen-GB17.

https://improsec.com/tech-blog/sid-filter-as-en-GBsecurity-boundary-between-domains-part-4-bypass-sid-filtering-en-GBresearchen-GB18.

https://support.en-GBmicrosoft.com/en-us/topic/updates-to-tgt-delegation-across-en-GBincoming-trusts-in-windows-server-1a6632ac-1599-0a7c-550a-en-GBa754796c291een-GB19.

https://dirkjanm.io/active-directory-forest-trusts-en-GBpart-one-how-does-sid-filtering-work/en-GBFurther

https://neil-en-GBfox.github.io/Impacket-usage-&-detection/en-GB

https://en-GBwww.synacktiv.com/publications/traces-of-windows-remote-command-en-GBexecution.htmlen-GB

https://www.joeyverlinden.com/en-GBimplementing-and-monitoring-attack-surface-reduction-rules-asr/

https://www.en-GBthehacker.recipes/ad/movement/ntlm/relayen-GB

https://en-GBwww.praetorian.com/blog/ntlmv1-vs-ntlmv2/en-GB

https://blog.netwrix.com/2021/11/30/en-GBhow-to-detect-pass-the-hash-attacks/en-GB

https://en.hackndo.com/constrained-en-GBunconstrained-delegation/#unconstrained-delegationen-GB

https://social.technet.microsoft.com/wiki/en-GBcontents/articles/5392.active-directory-ldap-syntax-filters.aspxen-GB

https://pentestlab.blog/2021/10/18/en-GBresource-based-constrained-delegation/en-GB

https://en-GBwww.notsoshant.io/blog/attacking-kerberos-constrained-delegation/en-GB

https://www.netspi.com/blog/en-GBtechnical/network-penetration-testing/cve-2020-17049-kerberos-en-GBbronze-bit-theory/

https://www.trustedsec.com/blog/ms14-068-full-compromise-en-GBstep-step/en-GB.en-GBConcisely,

http://en-GBms14-068.py

https://www.secura.com/uploads/whitepapers/Zerologon.pdfen-GB.en-GB

http://en-GBzerologon.py

http://MEEREENen-GBsecretsdump.py

https://exploit.ph/en-GBcve-2021-42287-cve-2021-42278-weaponisation.htmlen-GB.en-GBWith

https://mayfly277.en-GBgithub.io/posts/GOADv2-pwning-part5/#samaccountname-nopacen-GB.en-GB

http://sam_the_admin.py

https://en-GBjlajara.gitlab.io/Potatoes_Windows_Privescen-GB.en-GB

https://specterops.io/wp-content/uploads/sites/3/2022/06/en-GBan_ace_up_the_sleeve.pdfen-GB

https://www.semperis.com/blog/spn-jacking-en-GBan-edge-case-in-writespn-abuse/en-GB

https://www.thehacker.recipes/ad/movement/kerberos/en-GBspn-jackingen-GB.en-GBUseren-GBAs

https://secarma.com/using-machine-en-GBaccount-passwords-during-an-engagement/en-GB.

https://en-GBpentestlab.blog/2022/02/01/machine-accounts/en-GB.en-GB

http://en-GBsecretsdump.py

http://SECURITYen-GBsecretsdump.py

https://medium.com/@esnesenon/en-GBfeature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83en-GB.en-GBTo

https://improsec.com/tech-blog/sid-filter-as-security-en-GBboundary-between-domains-part-3-sid-filtering-explaineden-GB

https://petri.com/windows-server-2016-set-privileged-access-en-GBmanagement/en-GB.en-GB

http://www.en-GBlabofapenetrationtester.com/2019/04/abusing-PAM.htmlen-GB.en-GB

https://github.com/mubix/pykeken-GB2.

https://dirkjanm.io/a-different-way-of-abusing-en-GBzerologon/en-GB3.

https://www.thehacker.recipes/ad/en-GBmovement/netlogon/zerologonen-GB4.

https://github.com/VoidSec/CVE-2020-1472en-GB

https://en-GBgithub.com/dirkjanm/CVE-2020-1472en-GB5.

https://www.thehacker.recipes/ad/en-GBmovement/print-spooler-service/printnightmare#constraints

https://github.com/cube0x0/CVE-2021-1675en-GB7.

https://github.com/cube0x0/noPacen-GB8.

https://github.com/WazeHell/sam-the-adminen-GB9.

https://decoder.cloud/2023/02/13/localpotato-when-en-GBswapping-the-context-leads-you-to-system/en-GB10.

https://github.com/antonioCoco/RemotePotato0en-GB11.

https://www.thehacker.recipes/ad/movement/daclen-GB12.

https://github.com/FsecureLABS/SharpGPOAbuseen-GB13.

https://neutronsec.com/privesc/windows/en-GBprint_operators/en-GB14.

https://github.com/mpgn/BackupOperatorToDAen-GBFurther

https://en-GBwww.sentinelone.com/labs/relaying-potatoes-another-unexpected-en-GBprivilege-escalation-vulnerability-in-windows-rpc-protocol/en-GB.en-GB

https://learn.en-GBmicrosoft.com/en-us/powershell/module/grouppolicy/en-GBnew-gplink?view=windowsserver2022-ps

https://en-GBen.hackndo.com/kerberos-silver-golden-tickets/en-GB.en-GBSilver

https://exploit.ph/revisiting-delegate-2-thyself.htmlen-GB.

https://unit42.en-GBpaloaltonetworks.com/next-gen-kerberos-attacks/en-GB.en-GBPromising

https://learn.microsoft.com/en-GBen-us/windows-server/identity/ad-ds/plan/security-best-practices/en-GBappendix-c--protected-accounts-and-groups-in-active-directoryen-GB.en-GBTo

https://blog.en-GBharmj0y.net/activedirectory/the-most-dangerous-user-right-you-en-GBprobably-have-never-heard-of/en-GB.

https://www.semperis.com/blog/golden-en-GBgmsa-attack/en-GB.en-GBUsingen-GB

https://en-GBadsecurity.org/?p=1255en-GB.en-GBMimikatz

https://www.thehacker.recipes/en-GBad/movement/kerberos/forged-tickets/silveren-GB2.

https://www.varonis.com/blog/pac_en-GBrequestor-and-golden-ticket-attacksen-GB3.

https://github.com/0xe7/WonkaVisionen-GB5.

https://www.thehacker.recipes/ad/persistence/en-GBsid-historyen-GB6.

https://github.com/STEALTHbits/ServerUntrustAccounten-GB7.

https://github.com/samratashok/nishang/blob/master/en-GBActiveDirectory/Set-DCShadowPermissions.ps1en-GB8.

https://github.com/Semperis/GoldenGMSAen-GB9.

https://adsecurity.org/?p=1275en-GB10.

https://helgeklein.com/blog/permissions-a-primer-or-en-GBdacl-sacl-owner-sid-and-ace-explained/

http://modifyCertTemplate.py

http://PetitPotam.py