> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security.md).

# offensive security

- [Red Team Infrastructure](https://www.ired.team/offensive-security/red-team-infrastructure.md)
- [HTTP Forwarders / Relays](https://www.ired.team/offensive-security/red-team-infrastructure/redirectors-forwarders.md): Concealing attacking hosts through with redirectors/traffic forwarders using iptables or socat
- [SMTP Forwarders / Relays](https://www.ired.team/offensive-security/red-team-infrastructure/smtp.md): SMTP Redirector + Stripping Email Headers
- [Phishing with Modlishka Reverse HTTP Proxy](https://www.ired.team/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing.md)
- [Automating Red Team Infrastructure with Terraform](https://www.ired.team/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform.md)
- [Cobalt Strike 101](https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands.md)
- [Powershell Empire 101](https://www.ired.team/offensive-security/red-team-infrastructure/powershell-empire-101.md): Exploring key concepts of the Powershell Empire
- [Spiderfoot 101 with Kali using Docker](https://www.ired.team/offensive-security/red-team-infrastructure/spiderfoot-101-with-kali-using-docker.md)
- [Initial Access](https://www.ired.team/offensive-security/initial-access.md)
- [Password Spraying Outlook Web Access: Remote Shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell.md)
- [Phishing with MS Office](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office.md)
- [Phishing: XLM / Macro 4.0](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0.md)
- [T1173: Phishing - DDE](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1173-dde.md): Dynamic Data Exchange code - executing code in Microsoft Office documents.
- [T1137: Phishing - Office Macros](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1137-office-vba-macros.md): Code execution with VBA Macros
- [Phishing: OLE + LNK](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk.md): Phishing, Initial Access using embedded OLE + LNK objects
- [Phishing: Embedded Internet Explorer](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-internet-explorer.md): Code execution with embedded Internet Explorer Object
- [Phishing: .SLK Excel](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel.md)
- [Phishing: Replacing Embedded Video with Bogus Payload](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload.md)
- [Inject Macros from a Remote Dotm Template](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros.md)
- [Bypassing Parent Child / Ancestry Detections](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/bypassing-malicious-macro-detections-by-defeating-child-parent-process-relationships.md)
- [Phishing: Embedded HTML Forms](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-html-forms.md): Code execution with embedded HTML Form Objects
- [Phishing with GoPhish and DigitalOcean](https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean.md)
- [Forced Authentication](https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication.md): Credential Access, Stealing hashes
- [NetNTLMv2 hash stealing using Outlook](https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook.md)
- [Code Execution](https://www.ired.team/offensive-security/code-execution.md)
- [regsvr32](https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo.md): regsvr32 (squiblydoo) code execution - bypass application whitelisting.
- [MSHTA](https://www.ired.team/offensive-security/code-execution/t1170-mshta-code-execution.md): MSHTA code execution - bypass application whitelisting.
- [Control Panel Item](https://www.ired.team/offensive-security/code-execution/t1196-control-panel-item-code-execution.md): Control Panel Item code execution - bypass application whitelisting.
- [Executing Code as a Control Panel Item through an Exported Cplapplet Function](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function.md)
- [Code Execution through Control Panel Add-ins](https://www.ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins.md)
- [CMSTP](https://www.ired.team/offensive-security/code-execution/t1191-cmstp-code-execution.md): CMSTP code execution - bypass application whitelisting.
- [InstallUtil](https://www.ired.team/offensive-security/code-execution/t1118-installutil.md): InstallUtil code execution - bypass application whitelisting.
- [Using MSBuild to Execute Shellcode in C#](https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c.md)
- [Forfiles Indirect Command Execution](https://www.ired.team/offensive-security/code-execution/t1202-forfiles-indirect-command-execution.md): Defense Evasion
- [Application Whitelisting Bypass with WMIC and XSL](https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl.md)
- [Powershell Without Powershell.exe](https://www.ired.team/offensive-security/code-execution/powershell-without-powershell.md)
- [Powershell Constrained Language Mode Bypass](https://www.ired.team/offensive-security/code-execution/powershell-constrained-language-mode-bypass.md): Understanding ConstrainedLanguageMode
- [Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse](https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse.md)
- [pubprn.vbs Signed Script Code Execution](https://www.ired.team/offensive-security/code-execution/t1216-signed-script-ce.md): Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs
- [Code & Process Injection](https://www.ired.team/offensive-security/code-injection-process-injection.md)
- [CreateRemoteThread Shellcode Injection](https://www.ired.team/offensive-security/code-injection-process-injection/process-injection.md): Injecting shellcode into a local process.
- [DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection.md): Injecting DLL into a remote process.
- [Reflective DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection.md): Loading DLL from memory
- [Shellcode Reflective DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/reflective-shellcode-dll-injection.md)
- [Process Doppelganging](https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging.md)
- [Loading and Executing Shellcode From PE Resources](https://www.ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources.md)
- [Process Hollowing and Portable Executable Relocations](https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations.md): Code injection, evasion
- [APC Queue Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection.md)
- [Early Bird APC Queue Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection.md)
- [Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert](https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert.md)
- [Shellcode Execution through Fibers](https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber.md)
- [Shellcode Execution via CreateThreadpoolWait](https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait.md)
- [Local Shellcode Execution without Windows APIs](https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis.md)
- [Injecting to Remote Process via Thread Hijacking](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking.md)
- [SetWindowHookEx Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/setwindowhookex-code-injection.md)
- [Finding Kernel32 Base and Function Addresses in Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode.md)
- [Executing Shellcode with Inline Assembly in C/C++](https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-inline-assembly-in-c-c++.md)
- [Writing Custom Shellcode Encoders and Decoders](https://www.ired.team/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders.md)
- [Backdooring PE Files with Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/backdooring-portable-executables-pe-with-shellcode.md)
- [NtCreateSection + NtMapViewOfSection Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection.md)
- [AddressOfEntryPoint Code Injection without VirtualAllocEx RWX](https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx.md): Code Injection
- [Module Stomping for Shellcode Injection](https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection.md): Code Injection
- [PE Injection: Executing PEs inside Remote Processes](https://www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes.md): Code Injection
- [API Monitoring and Hooking for Offensive Tooling](https://www.ired.team/offensive-security/code-injection-process-injection/api-monitoring-and-hooking-for-offensive-tooling.md)
- [Windows API Hooking](https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++.md)
- [Import Adress Table (IAT) Hooking](https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking.md)
- [DLL Injection via a Custom .NET Garbage Collector](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-dll-via-custom-.net-garbage-collector-environment-variable-complus_gcname.md)
- [Writing and Compiling Shellcode in C](https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c.md)
- [Injecting .NET Assembly to an Unmanaged Process](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process.md)
- [Binary Exploitation](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation.md)
- [32-bit Stack-based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/stack-based-buffer-overflow.md)
- [64-bit Stack-based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow.md)
- [Return-to-libc / ret2libc](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc.md)
- [ROP Chaining: Return Oriented Programming](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/rop-chaining-return-oriented-programming.md)
- [SEH Based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow.md)
- [Format String Bug](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/format-string-bug.md)
- [Defense Evasion](https://www.ired.team/offensive-security/defense-evasion.md)
- [AV Bypass with Metasploit Templates and Custom Binaries](https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates.md)
- [Evading Windows Defender with 1 Byte Change](https://www.ired.team/offensive-security/defense-evasion/evading-windows-defender-using-classic-c-shellcode-launcher-with-1-byte-change.md)
- [Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions](https://www.ired.team/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon.md)
- [Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs](https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis.md): EDR / AV Evasion
- [Windows API Hashing in Malware](https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware.md): Evasion
- [Detecting Hooked Syscalls](https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions.md)
- [Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs](https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs.md)
- [Retrieving ntdll Syscall Stubs from Disk at Run-time](https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time.md)
- [Full DLL Unhooking with C++](https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++.md): EDR evasion
- [Enumerating RWX Protected Memory Regions for Code Injection](https://www.ired.team/offensive-security/defense-evasion/finding-all-rwx-protected-memory-regions.md): Code Injection, Defense Evasion
- [Disabling Windows Event Logs by Suspending EventLog Service Threads](https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads.md)
- [Obfuscated Powershell Invocations](https://www.ired.team/offensive-security/defense-evasion/t1027-obfuscated-powershell-invocations.md): Defense Evasion
- [Masquerading Processes in Userland via \_PEB](https://www.ired.team/offensive-security/defense-evasion/masquerading-processes-in-userland-through-_peb.md): Understanding how malicious binaries can maquerade as any other legitimate Windows binary from the userland.
- [Commandline Obfusaction](https://www.ired.team/offensive-security/defense-evasion/commandline-obfusaction.md): Commandline obfuscation
- [File Smuggling with HTML and JavaScript](https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript.md)
- [Timestomping](https://www.ired.team/offensive-security/defense-evasion/t1099-timestomping.md): Defense Evasion
- [Alternate Data Streams](https://www.ired.team/offensive-security/defense-evasion/t1096-alternate-data-streams.md)
- [Hidden Files](https://www.ired.team/offensive-security/defense-evasion/t1158-hidden-files.md): Defense Evasion, Persistence
- [Encode/Decode Data with Certutil](https://www.ired.team/offensive-security/defense-evasion/t1140-encode-decode-data-with-certutil.md): Defense Evasion
- [Downloading Files with Certutil](https://www.ired.team/offensive-security/defense-evasion/downloading-file-with-certutil.md): Downloading additional files to the victim system using native OS binary.
- [Packed Binaries](https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx.md): Defense Evasion, Code Obfuscation
- [Unloading Sysmon Driver](https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver.md): Unload sysmon driver which causes the system to stop recording sysmon event logs.
- [Bypassing IDS Signatures with Simple Reverse Shells](https://www.ired.team/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells.md)
- [Preventing 3rd Party DLLs from Injecting into your Malware](https://www.ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes.md)
- [ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)](https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy.md)
- [Parent Process ID (PPID) Spoofing](https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing.md)
- [Executing C# Assemblies from Jscript and wscript with DotNetToJscript](https://www.ired.team/offensive-security/defense-evasion/executing-csharp-assemblies-from-jscript-and-wscript-with-dotnettojscript.md)
- [Enumeration and Discovery](https://www.ired.team/offensive-security/enumeration-and-discovery.md)
- [Windows Event IDs and Others for Situational Awareness](https://www.ired.team/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness.md)
- [Enumerating COM Objects and their Methods](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-com-objects-and-their-methods.md)
- [Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-users-without-net-services-without-sc-and-scheduled-tasks-without-schtasks.md)
- [Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging.md)
- [Dump Global Address List (GAL) from OWA](https://www.ired.team/offensive-security/enumeration-and-discovery/dumping-gal-global-address-list-from-outlook-web-application.md)
- [Application Window Discovery](https://www.ired.team/offensive-security/enumeration-and-discovery/t1010-application-window-discovery.md): Discovery
- [Account Discovery & Enumeration](https://www.ired.team/offensive-security/enumeration-and-discovery/t1087-account-discovery.md): Discovery
- [Using COM to Enumerate Hostname, Username, Domain, Network Drives](https://www.ired.team/offensive-security/enumeration-and-discovery/using-com-to-enumerate-hostname-username-domain-network-drives.md)
- [Detecting Sysmon on the Victim Host](https://www.ired.team/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host.md): Exploring ways to detect Sysmon presence on the victim system
- [Privilege Escalation](https://www.ired.team/offensive-security/privilege-escalation.md)
- [Primary Access Token Manipulation](https://www.ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation.md): Defense Evasion, Privilege Escalation by stealing an re-using security access tokens.
- [Windows NamedPipes 101 + Privilege Escalation](https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation.md)
- [DLL Hijacking](https://www.ired.team/offensive-security/privilege-escalation/t1038-dll-hijacking.md): DLL Search Order Hijacking for privilege escalation, code execution, etc.
- [WebShells](https://www.ired.team/offensive-security/privilege-escalation/t1108-redundant-access.md): Redundant Access - Webshells for evading defenses and persistence.
- [Image File Execution Options Injection](https://www.ired.team/offensive-security/privilege-escalation/t1183-image-file-execution-options-injection.md): Defense Evasion, Persistence, Privilege Escalation
- [Unquoted Service Paths](https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths.md)
- [Pass The Hash: Privilege Escalation with Invoke-WMIExec](https://www.ired.team/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec.md)
- [Environment Variable $Path Interception](https://www.ired.team/offensive-security/privilege-escalation/environment-variable-path-interception.md)
- [Weak Service Permissions](https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions.md)
- [Credential Access & Dumping](https://www.ired.team/offensive-security/credential-access-and-credential-dumping.md)
- [Dumping Credentials from Lsass Process Memory with Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-credentials-from-lsass.exe-process-memory.md): Local Security Authority (LSA) credential dumping with in-memory Mimikatz using powershell.
- [Dumping Lsass Without Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz.md)
- [Dumping Lsass without Mimikatz with MiniDumpWriteDump](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass.md): Evasion, Credential Dumping
- [Dumping Hashes from SAM via Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry.md): Security Accounts Manager (SAM) credential dumping with living off the land binary.
- [Dumping SAM via esentutl.exe](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exe.md)
- [Dumping LSA Secrets](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets.md)
- [Dumping and Cracking mscash - Cached Domain Credentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials.md)
- [Dumping Domain Controller Hashes Locally and Remotely](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration.md): Dumping NTDS.dit with Active Directory users hashes
- [Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin.md)
- [Network vs Interactive Logons](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/network-vs-interactive-logons.md): This lab explores/compares when credentials are susceptible to credential dumping.
- [Reading DPAPI Encrypted Secrets with Mimikatz and C++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++.md)
- [Credentials in Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1214-credentials-in-registry.md): Internal recon, hunting for passwords in Windows registry
- [Password Filter](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll.md): Credential Access
- [Forcing WDigest to Store Credentials in Plaintext](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext.md)
- [Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass.md)
- [Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package.md): Credential Access, Persistence
- [Pulling Web Application Passwords by Hooking HTML Input Fields](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/stealing-web-application-credentials-by-hooking-input-fields.md): Credential Access, Keylogger
- [Intercepting Logon Credentials by Hooking msv1\_0!SpAcceptCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-by-hooking-msv1_0-spacceptcredentials.md): Hooking, Credential Stealing
- [Credentials Collection via CredUIPromptForCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials.md)
- [Lateral Movement](https://www.ired.team/offensive-security/lateral-movement.md)
- [WinRM for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement.md): PowerShell remoting for lateral movement.
- [WinRS for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement.md)
- [WMI for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement.md): Windows Management Instrumentation for code execution, lateral movement.
- [RDP Hijacking for Lateral Movement with tscon](https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement.md): This lab explores a technique that allows a SYSTEM account to move laterally through the network using RDP without the need for credentials.
- [Shared Webroot](https://www.ired.team/offensive-security/lateral-movement/t1051-shared-webroot.md): Lateral Movement
- [Lateral Movement via DCOM](https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model.md): Lateral Movement via Distributed Component Object Model
- [WMI + MSI Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-+-msi-lateral-movement.md): WMI lateral movement with .msi packages
- [Lateral Movement via Service Configuration Manager](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-abusing-service-configuration-manager.md)
- [Lateral Movement via SMB Relaying](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing.md)
- [WMI + NewScheduledTaskAction Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-via-newscheduledtask.md)
- [WMI + PowerShell Desired State Configuration Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-+-powershell-desired-state-configuration-lateral-movement.md): Lateral Movment, Privilege Escalation
- [Simple TCP Relaying with NetCat](https://www.ired.team/offensive-security/lateral-movement/simple-tcp-relaying-with-netcat.md)
- [Empire Shells with NetNLTMv2 Relaying](https://www.ired.team/offensive-security/lateral-movement/empire-shells-with-netnltmv2-relaying.md)
- [Lateral Movement with Psexec](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec.md)
- [From Beacon to Interactive RDP Session](https://www.ired.team/offensive-security/lateral-movement/from-beacon-to-interactive-remote-desktop-rdp-session.md): Lateral Movement, Tunnelling, Firewall Evasion
- [SSH Tunnelling / Port Forwarding](https://www.ired.team/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding.md): Exploring SSH tunneling
- [Lateral Movement via WMI Event Subscription](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-wmi-events.md)
- [Lateral Movement via DLL Hijacking](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-dll-hijacking.md)
- [Lateral Movement over headless RDP with SharpRDP](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-over-headless-rdp-with-sharprdp.md)
- [Man-in-the-Browser via Chrome Extension](https://www.ired.team/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension.md)
- [ShadowMove: Lateral Movement by Duplicating Existing Sockets](https://www.ired.team/offensive-security/lateral-movement/shadowmove-lateral-movement-by-stealing-duplicating-existing-connected-sockets.md)
- [Persistence](https://www.ired.team/offensive-security/persistence.md)
- [DLL Proxying for Persistence](https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence.md)
- [Schtask](https://www.ired.team/offensive-security/persistence/t1053-schtask.md): Code execution, privilege escalation, lateral movement and persitence.
- [Service Execution](https://www.ired.team/offensive-security/persistence/t1035-service-execution.md): Code Execution, Privilege Escalation
- [Sticky Keys](https://www.ired.team/offensive-security/persistence/t1015-sethc.md): Sticky keys backdoor.
- [Create Account](https://www.ired.team/offensive-security/persistence/t1136-create-account.md): Persistence
- [AddMonitor()](https://www.ired.team/offensive-security/persistence/t1013-addmonitor.md): Persistence, Privilege Escalation
- [NetSh Helper DLL](https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll.md): Persistence, code execution using netsh helper arbitrary libraries.
- [Abusing Windows Managent Instrumentation](https://www.ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation.md): Persistence, Privilege Escalation
- [WMI as a Data Storage](https://www.ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation/wmi-data-storage.md): Exploring WMI as a data storage for persistence by leveraging WMI classes and their properties.
- [Windows Logon Helper](https://www.ired.team/offensive-security/persistence/windows-logon-helper.md)
- [Hijacking Default File Extension](https://www.ired.team/offensive-security/persistence/hijacking-default-file-extension.md)
- [Persisting in svchost.exe with a Service DLL](https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain.md)
- [Modifying .lnk Shortcuts](https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts.md)
- [Screensaver Hijack](https://www.ired.team/offensive-security/persistence/t1180-screensaver-hijack.md): Hijacking screensaver for persistence.
- [Application Shimming](https://www.ired.team/offensive-security/persistence/t1138-application-shimming.md): Persistence, Privilege Escalation
- [BITS Jobs](https://www.ired.team/offensive-security/persistence/t1197-bits-jobs.md): File upload to the compromised system.
- [COM Hijacking](https://www.ired.team/offensive-security/persistence/t1122-com-hijacking.md): UAC Bypass/Defense Evasion, Persistence
- [SIP & Trust Provider Hijacking](https://www.ired.team/offensive-security/persistence/t1198-trust-provider-hijacking.md): Defense Evasion, Persistence, Whitelisting Bypass
- [Hijacking Time Providers](https://www.ired.team/offensive-security/persistence/t1209-hijacking-time-providers.md): Persistence
- [Installing Root Certificate](https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate.md): Defense Evasion
- [Powershell Profile Persistence](https://www.ired.team/offensive-security/persistence/powershell-profile-persistence.md)
- [RID Hijacking](https://www.ired.team/offensive-security/persistence/rid-hijacking.md)
- [Word Library Add-Ins](https://www.ired.team/offensive-security/persistence/word-library-add-ins.md)
- [Office Templates](https://www.ired.team/offensive-security/persistence/office-templates.md)
- [Exfiltration](https://www.ired.team/offensive-security/exfiltration.md)
- [Powershell Payload Delivery via DNS using Invoke-PowerCloud](https://www.ired.team/offensive-security/exfiltration/payload-delivery-via-dns-using-invoke-powercloud.md): This lab demos a tool or rather a Powershell script I have written to do what the title says.
