# offensive security

- [Red Team Infrastructure](https://www.ired.team/offensive-security/red-team-infrastructure.md)
- [HTTP Forwarders / Relays](https://www.ired.team/offensive-security/red-team-infrastructure/redirectors-forwarders.md): Concealing attacking hosts with redirectors/traffic forwarders using iptables or socat
- [SMTP Forwarders / Relays](https://www.ired.team/offensive-security/red-team-infrastructure/smtp.md): SMTP Redirector + Stripping Email Headers
- [Phishing with Modlishka Reverse HTTP Proxy](https://www.ired.team/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing.md)
- [Automating Red Team Infrastructure with Terraform](https://www.ired.team/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform.md)
- [Cobalt Strike 101](https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands.md)
- [Powershell Empire 101](https://www.ired.team/offensive-security/red-team-infrastructure/powershell-empire-101.md): Exploring key concepts of the Powershell Empire
- [Spiderfoot 101 with Kali using Docker](https://www.ired.team/offensive-security/red-team-infrastructure/spiderfoot-101-with-kali-using-docker.md)
- [Initial Access](https://www.ired.team/offensive-security/initial-access.md)
- [Password Spraying Outlook Web Access: Remote Shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell.md)
- [Phishing with MS Office](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office.md)
- [Phishing: XLM / Macro 4.0](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0.md)
- [T1173: Phishing - DDE](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1173-dde.md): Dynamic Data Exchange code - executing code in Microsoft Office documents.
- [T1137: Phishing - Office Macros](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1137-office-vba-macros.md): Code execution with VBA Macros
- [Phishing: OLE + LNK](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk.md): Phishing, Initial Access using embedded OLE + LNK objects
- [Phishing: Embedded Internet Explorer](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-internet-explorer.md): Code execution with embedded Internet Explorer Object
- [Phishing: .SLK Excel](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel.md)
- [Phishing: Replacing Embedded Video with Bogus Payload](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload.md)
- [Inject Macros from a Remote Dotm Template](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros.md)
- [Bypassing Parent Child / Ancestry Detections](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/bypassing-malicious-macro-detections-by-defeating-child-parent-process-relationships.md)
- [Phishing: Embedded HTML Forms](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-html-forms.md): Code execution with embedded HTML Form Objects
- [Phishing with GoPhish and DigitalOcean](https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean.md)
- [Forced Authentication](https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication.md): Credential Access, Stealing hashes
- [NetNTLMv2 hash stealing using Outlook](https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook.md)
- [Code Execution](https://www.ired.team/offensive-security/code-execution.md)
- [regsvr32](https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo.md): regsvr32 (squiblydoo) code execution - bypass application whitelisting.
- [MSHTA](https://www.ired.team/offensive-security/code-execution/t1170-mshta-code-execution.md): MSHTA code execution - bypass application whitelisting.
- [Control Panel Item](https://www.ired.team/offensive-security/code-execution/t1196-control-panel-item-code-execution.md): Control Panel Item code execution - bypass application whitelisting.
- [Executing Code as a Control Panel Item through an Exported Cplapplet Function](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function.md)
- [Code Execution through Control Panel Add-ins](https://www.ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins.md)
- [CMSTP](https://www.ired.team/offensive-security/code-execution/t1191-cmstp-code-execution.md): CMSTP code execution - bypass application whitelisting.
- [InstallUtil](https://www.ired.team/offensive-security/code-execution/t1118-installutil.md): InstallUtil code execution - bypass application whitelisting.
- [Using MSBuild to Execute Shellcode in C#](https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c.md)
- [Forfiles Indirect Command Execution](https://www.ired.team/offensive-security/code-execution/t1202-forfiles-indirect-command-execution.md): Defense Evasion
- [Application Whitelisting Bypass with WMIC and XSL](https://www.ired.team/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl.md)
- [Powershell Without Powershell.exe](https://www.ired.team/offensive-security/code-execution/powershell-without-powershell.md)
- [Powershell Constrained Language Mode Bypass](https://www.ired.team/offensive-security/code-execution/powershell-constrained-language-mode-bypass.md): Understanding ConstrainedLanguageMode
- [Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse](https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse.md)
- [pubprn.vbs Signed Script Code Execution](https://www.ired.team/offensive-security/code-execution/t1216-signed-script-ce.md): Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs
- [Code & Process Injection](https://www.ired.team/offensive-security/code-injection-process-injection.md)
- [CreateRemoteThread Shellcode Injection](https://www.ired.team/offensive-security/code-injection-process-injection/process-injection.md): Injecting shellcode into a local process.
- [DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection.md): Injecting DLL into a remote process.
- [Reflective DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection.md): Loading DLL from memory
- [Shellcode Reflective DLL Injection](https://www.ired.team/offensive-security/code-injection-process-injection/reflective-shellcode-dll-injection.md)
- [Process Doppelganging](https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging.md)
- [Loading and Executing Shellcode From PE Resources](https://www.ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources.md)
- [Process Hollowing and Portable Executable Relocations](https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations.md): Code injection, evasion
- [APC Queue Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection.md)
- [Early Bird APC Queue Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection.md)
- [Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert](https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert.md)
- [Shellcode Execution through Fibers](https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber.md)
- [Shellcode Execution via CreateThreadpoolWait](https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait.md)
- [Local Shellcode Execution without Windows APIs](https://www.ired.team/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis.md)
- [Injecting to Remote Process via Thread Hijacking](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking.md)
- [SetWindowHookEx Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/setwindowhookex-code-injection.md)
- [Finding Kernel32 Base and Function Addresses in Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode.md)
- [Executing Shellcode with Inline Assembly in C/C++](https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-inline-assembly-in-c-c++.md)
- [Writing Custom Shellcode Encoders and Decoders](https://www.ired.team/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders.md)
- [Backdooring PE Files with Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/backdooring-portable-executables-pe-with-shellcode.md)
- [NtCreateSection + NtMapViewOfSection Code Injection](https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection.md)
- [AddressOfEntryPoint Code Injection without VirtualAllocEx RWX](https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx.md): Code Injection
- [Module Stomping for Shellcode Injection](https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection.md): Code Injection
- [PE Injection: Executing PEs inside Remote Processes](https://www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes.md): Code Injection
- [API Monitoring and Hooking for Offensive Tooling](https://www.ired.team/offensive-security/code-injection-process-injection/api-monitoring-and-hooking-for-offensive-tooling.md)
- [Windows API Hooking](https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++.md)
- [Import Address Table (IAT) Hooking](https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking.md)
- [DLL Injection via a Custom .NET Garbage Collector](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-dll-via-custom-.net-garbage-collector-environment-variable-complus_gcname.md)
- [Writing and Compiling Shellcode in C](https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c.md)
- [Injecting .NET Assembly to an Unmanaged Process](https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process.md)
- [Binary Exploitation](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation.md)
- [32-bit Stack-based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/stack-based-buffer-overflow.md)
- [64-bit Stack-based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow.md)
- [Return-to-libc / ret2libc](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc.md)
- [ROP Chaining: Return Oriented Programming](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/rop-chaining-return-oriented-programming.md)
- [SEH Based Buffer Overflow](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow.md)
- [Format String Bug](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/format-string-bug.md)
- [Defense Evasion](https://www.ired.team/offensive-security/defense-evasion.md)
- [AV Bypass with Metasploit Templates and Custom Binaries](https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates.md)
- [Evading Windows Defender with 1 Byte Change](https://www.ired.team/offensive-security/defense-evasion/evading-windows-defender-using-classic-c-shellcode-launcher-with-1-byte-change.md)
- [Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions](https://www.ired.team/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon.md)
- [Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs](https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis.md): EDR / AV Evasion
- [Windows API Hashing in Malware](https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware.md): Evasion
- [Detecting Hooked Syscalls](https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions.md)
- [Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs](https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs.md)
- [Retrieving ntdll Syscall Stubs from Disk at Run-time](https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time.md)
- [Full DLL Unhooking with C++](https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++.md): EDR evasion
- [Enumerating RWX Protected Memory Regions for Code Injection](https://www.ired.team/offensive-security/defense-evasion/finding-all-rwx-protected-memory-regions.md): Code Injection, Defense Evasion
- [Disabling Windows Event Logs by Suspending EventLog Service Threads](https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads.md)
- [Obfuscated Powershell Invocations](https://www.ired.team/offensive-security/defense-evasion/t1027-obfuscated-powershell-invocations.md): Defense Evasion
- [Masquerading Processes in Userland via \_PEB](https://www.ired.team/offensive-security/defense-evasion/masquerading-processes-in-userland-through-_peb.md): Understanding how malicious binaries can masquerade as any other legitimate Windows binary from the userland.
- [Commandline Obfuscation](https://www.ired.team/offensive-security/defense-evasion/commandline-obfusaction.md): Commandline obfuscation
- [File Smuggling with HTML and JavaScript](https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript.md)
- [Timestomping](https://www.ired.team/offensive-security/defense-evasion/t1099-timestomping.md): Defense Evasion
- [Alternate Data Streams](https://www.ired.team/offensive-security/defense-evasion/t1096-alternate-data-streams.md)
- [Hidden Files](https://www.ired.team/offensive-security/defense-evasion/t1158-hidden-files.md): Defense Evasion, Persistence
- [Encode/Decode Data with Certutil](https://www.ired.team/offensive-security/defense-evasion/t1140-encode-decode-data-with-certutil.md): Defense Evasion
- [Downloading Files with Certutil](https://www.ired.team/offensive-security/defense-evasion/downloading-file-with-certutil.md): Downloading additional files to the victim system using native OS binary.
- [Packed Binaries](https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx.md): Defense Evasion, Code Obfuscation
- [Unloading Sysmon Driver](https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver.md): Unload sysmon driver which causes the system to stop recording sysmon event logs.
- [Bypassing IDS Signatures with Simple Reverse Shells](https://www.ired.team/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells.md)
- [Preventing 3rd Party DLLs from Injecting into your Malware](https://www.ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes.md)
- [ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)](https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy.md)
- [Parent Process ID (PPID) Spoofing](https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing.md)
- [Executing C# Assemblies from Jscript and wscript with DotNetToJscript](https://www.ired.team/offensive-security/defense-evasion/executing-csharp-assemblies-from-jscript-and-wscript-with-dotnettojscript.md)
- [Enumeration and Discovery](https://www.ired.team/offensive-security/enumeration-and-discovery.md)
- [Windows Event IDs and Others for Situational Awareness](https://www.ired.team/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness.md)
- [Enumerating COM Objects and their Methods](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-com-objects-and-their-methods.md)
- [Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-users-without-net-services-without-sc-and-scheduled-tasks-without-schtasks.md)
- [Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging.md)
- [Dump Global Address List (GAL) from OWA](https://www.ired.team/offensive-security/enumeration-and-discovery/dumping-gal-global-address-list-from-outlook-web-application.md)
- [Application Window Discovery](https://www.ired.team/offensive-security/enumeration-and-discovery/t1010-application-window-discovery.md): Discovery
- [Account Discovery & Enumeration](https://www.ired.team/offensive-security/enumeration-and-discovery/t1087-account-discovery.md): Discovery
- [Using COM to Enumerate Hostname, Username, Domain, Network Drives](https://www.ired.team/offensive-security/enumeration-and-discovery/using-com-to-enumerate-hostname-username-domain-network-drives.md)
- [Detecting Sysmon on the Victim Host](https://www.ired.team/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host.md): Exploring ways to detect Sysmon presence on the victim system
- [Privilege Escalation](https://www.ired.team/offensive-security/privilege-escalation.md)
- [Primary Access Token Manipulation](https://www.ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation.md): Defense Evasion, Privilege Escalation by stealing and re-using security access tokens.
- [Windows NamedPipes 101 + Privilege Escalation](https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation.md)
- [DLL Hijacking](https://www.ired.team/offensive-security/privilege-escalation/t1038-dll-hijacking.md): DLL Search Order Hijacking for privilege escalation, code execution, etc.
- [WebShells](https://www.ired.team/offensive-security/privilege-escalation/t1108-redundant-access.md): Redundant Access - Webshells for evading defenses and persistence.
- [Image File Execution Options Injection](https://www.ired.team/offensive-security/privilege-escalation/t1183-image-file-execution-options-injection.md): Defense Evasion, Persistence, Privilege Escalation
- [Unquoted Service Paths](https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths.md)
- [Pass The Hash: Privilege Escalation with Invoke-WMIExec](https://www.ired.team/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec.md)
- [Environment Variable $Path Interception](https://www.ired.team/offensive-security/privilege-escalation/environment-variable-path-interception.md)
- [Weak Service Permissions](https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions.md)
- [Credential Access & Dumping](https://www.ired.team/offensive-security/credential-access-and-credential-dumping.md)
- [Dumping Credentials from Lsass Process Memory with Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-credentials-from-lsass.exe-process-memory.md): Local Security Authority (LSA) credential dumping with in-memory Mimikatz using powershell.
- [Dumping Lsass Without Mimikatz](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz.md)
- [Dumping Lsass without Mimikatz with MiniDumpWriteDump](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass.md): Evasion, Credential Dumping
- [Dumping Hashes from SAM via Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry.md): Security Accounts Manager (SAM) credential dumping with living off the land binary.
- [Dumping SAM via esentutl.exe](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exe.md)
- [Dumping LSA Secrets](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets.md)
- [Dumping and Cracking mscash - Cached Domain Credentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials.md)
- [Dumping Domain Controller Hashes Locally and Remotely](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration.md): Dumping NTDS.dit with Active Directory users hashes
- [Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin.md)
- [Network vs Interactive Logons](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/network-vs-interactive-logons.md): This lab explores/compares when credentials are susceptible to credential dumping.
- [Reading DPAPI Encrypted Secrets with Mimikatz and C++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++.md)
- [Credentials in Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1214-credentials-in-registry.md): Internal recon, hunting for passwords in Windows registry
- [Password Filter](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll.md): Credential Access
- [Forcing WDigest to Store Credentials in Plaintext](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext.md)
- [Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass.md)
- [Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package.md): Credential Access, Persistence
- [Pulling Web Application Passwords by Hooking HTML Input Fields](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/stealing-web-application-credentials-by-hooking-input-fields.md): Credential Access, Keylogger
- [Intercepting Logon Credentials by Hooking msv1\_0!SpAcceptCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-by-hooking-msv1_0-spacceptcredentials.md): Hooking, Credential Stealing
- [Credentials Collection via CredUIPromptForCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials.md)
- [Lateral Movement](https://www.ired.team/offensive-security/lateral-movement.md)
- [WinRM for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement.md): PowerShell remoting for lateral movement.
- [WinRS for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement.md)
- [WMI for Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement.md): Windows Management Instrumentation for code execution, lateral movement.
- [RDP Hijacking for Lateral Movement with tscon](https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement.md): This lab explores a technique that allows a SYSTEM account to move laterally through the network using RDP without the need for credentials.
- [Shared Webroot](https://www.ired.team/offensive-security/lateral-movement/t1051-shared-webroot.md): Lateral Movement
- [Lateral Movement via DCOM](https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model.md): Lateral Movement via Distributed Component Object Model
- [WMI + MSI Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-+-msi-lateral-movement.md): WMI lateral movement with .msi packages
- [Lateral Movement via Service Configuration Manager](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-abusing-service-configuration-manager.md)
- [Lateral Movement via SMB Relaying](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing.md)
- [WMI + NewScheduledTaskAction Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-via-newscheduledtask.md)
- [WMI + PowerShell Desired State Configuration Lateral Movement](https://www.ired.team/offensive-security/lateral-movement/wmi-+-powershell-desired-state-configuration-lateral-movement.md): Lateral Movement, Privilege Escalation
- [Simple TCP Relaying with NetCat](https://www.ired.team/offensive-security/lateral-movement/simple-tcp-relaying-with-netcat.md)
- [Empire Shells with NetNTLMv2 Relaying](https://www.ired.team/offensive-security/lateral-movement/empire-shells-with-netnltmv2-relaying.md)
- [Lateral Movement with Psexec](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec.md)
- [From Beacon to Interactive RDP Session](https://www.ired.team/offensive-security/lateral-movement/from-beacon-to-interactive-remote-desktop-rdp-session.md): Lateral Movement, Tunnelling, Firewall Evasion
- [SSH Tunnelling / Port Forwarding](https://www.ired.team/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding.md): Exploring SSH tunneling
- [Lateral Movement via WMI Event Subscription](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-wmi-events.md)
- [Lateral Movement via DLL Hijacking](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-dll-hijacking.md)
- [Lateral Movement over headless RDP with SharpRDP](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-over-headless-rdp-with-sharprdp.md)
- [Man-in-the-Browser via Chrome Extension](https://www.ired.team/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension.md)
- [ShadowMove: Lateral Movement by Duplicating Existing Sockets](https://www.ired.team/offensive-security/lateral-movement/shadowmove-lateral-movement-by-stealing-duplicating-existing-connected-sockets.md)
- [Persistence](https://www.ired.team/offensive-security/persistence.md)
- [DLL Proxying for Persistence](https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence.md)
- [Schtask](https://www.ired.team/offensive-security/persistence/t1053-schtask.md): Code execution, privilege escalation, lateral movement and persistence.
- [Service Execution](https://www.ired.team/offensive-security/persistence/t1035-service-execution.md): Code Execution, Privilege Escalation
- [Sticky Keys](https://www.ired.team/offensive-security/persistence/t1015-sethc.md): Sticky keys backdoor.
- [Create Account](https://www.ired.team/offensive-security/persistence/t1136-create-account.md): Persistence
- [AddMonitor()](https://www.ired.team/offensive-security/persistence/t1013-addmonitor.md): Persistence, Privilege Escalation
- [NetSh Helper DLL](https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll.md): Persistence, code execution using netsh helper arbitrary libraries.
- [Abusing Windows Management Instrumentation](https://www.ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation.md): Persistence, Privilege Escalation
- [WMI as a Data Storage](https://www.ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation/wmi-data-storage.md): Exploring WMI as a data storage for persistence by leveraging WMI classes and their properties.
- [Windows Logon Helper](https://www.ired.team/offensive-security/persistence/windows-logon-helper.md)
- [Hijacking Default File Extension](https://www.ired.team/offensive-security/persistence/hijacking-default-file-extension.md)
- [Persisting in svchost.exe with a Service DLL](https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain.md)
- [Modifying .lnk Shortcuts](https://www.ired.team/offensive-security/persistence/modifying-.lnk-shortcuts.md)
- [Screensaver Hijack](https://www.ired.team/offensive-security/persistence/t1180-screensaver-hijack.md): Hijacking screensaver for persistence.
- [Application Shimming](https://www.ired.team/offensive-security/persistence/t1138-application-shimming.md): Persistence, Privilege Escalation
- [BITS Jobs](https://www.ired.team/offensive-security/persistence/t1197-bits-jobs.md): File upload to the compromised system.
- [COM Hijacking](https://www.ired.team/offensive-security/persistence/t1122-com-hijacking.md): UAC Bypass/Defense Evasion, Persistence
- [SIP & Trust Provider Hijacking](https://www.ired.team/offensive-security/persistence/t1198-trust-provider-hijacking.md): Defense Evasion, Persistence, Whitelisting Bypass
- [Hijacking Time Providers](https://www.ired.team/offensive-security/persistence/t1209-hijacking-time-providers.md): Persistence
- [Installing Root Certificate](https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate.md): Defense Evasion
- [Powershell Profile Persistence](https://www.ired.team/offensive-security/persistence/powershell-profile-persistence.md)
- [RID Hijacking](https://www.ired.team/offensive-security/persistence/rid-hijacking.md)
- [Word Library Add-Ins](https://www.ired.team/offensive-security/persistence/word-library-add-ins.md)
- [Office Templates](https://www.ired.team/offensive-security/persistence/office-templates.md)
- [Exfiltration](https://www.ired.team/offensive-security/exfiltration.md)
- [Powershell Payload Delivery via DNS using Invoke-PowerCloud](https://www.ired.team/offensive-security/exfiltration/payload-delivery-via-dns-using-invoke-powercloud.md): This lab demos a tool or rather a Powershell script I have written to do what the title says.