{"version":1,"pages":[{"id":"-LFEMnES_hDD6uXYn5_b","title":"What is ired.team notes?","pathname":"/","siteSpaceId":"sitesp_H55mt","description":"These are notes about all things focusing on, but not limited to, red teaming and offensive security."},{"id":"-LIbX1rKDr8M-w4nwvn5","title":"Pentesting Cheatsheets","pathname":"/offensive-security-experiments/offensive-security-cheetsheets","siteSpaceId":"sitesp_H55mt","description":"Convenient commands for your pentesting / red-teaming engagements, OSCP and CTFs.","breadcrumbs":[{"label":"Pinned"}]},{"id":"-LRXMZpYwI95MJfbl8_W","title":"SQL Injection & XSS Playground","pathname":"/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground","siteSpaceId":"sitesp_H55mt","description":"This is my playground for SQL injection and XSS","breadcrumbs":[{"label":"Pinned"},{"label":"Pentesting Cheatsheets"}]},{"id":"-LQDvVhWzBRgEPMkQOp9","title":"Active Directory & Kerberos Abuse","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse","siteSpaceId":"sitesp_H55mt","description":"A collection of techniques that exploit and abuse Active Directory, Kerberos authentication, Domain Controllers and similar matters.","breadcrumbs":[{"label":"Pinned"}]},{"id":"-LLfg1LOsscpDGK6tXqA","title":"From Domain Admin to Enterprise Admin","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain","siteSpaceId":"sitesp_H55mt","description":"Explore Parent-Child Domain Trust Relationships and abuse it for Privilege Escalation","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LKCozyIeG7HhE1Kbclh","title":"Kerberoasting","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting","siteSpaceId":"sitesp_H55mt","description":"Credential Access","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos 
Abuse"}]},{"id":"-LKSfYCUiYIbxCKOOU-R","title":"Kerberos: Golden Tickets","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets","siteSpaceId":"sitesp_H55mt","description":"Persistence and Privilege Escalation with Golden Kerberos tickets","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LKO7wD7n3qqPpunNVTU","title":"Kerberos: Silver Tickets","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets","siteSpaceId":"sitesp_H55mt","description":"Credential Access","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-L_nj9-hoOJBJWK8qWmS","title":"AS-REP Roasting","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LeCY_xvM7BY9Y-GR8PB","title":"Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LQ12GSG5UbmwAD-NWo_","title":"Kerberos Unconstrained Delegation","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LmUhoLC1r1og_k1ipg5","title":"Kerberos Constrained Delegation","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos 
Abuse"}]},{"id":"-Lar6VXoN3caufjSaI72","title":"Kerberos Resource-based Constrained Delegation: Computer Object Takeover","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LQBWU2YPR8dhIW8lDm1","title":"Domain Compromise via DC Print Server and Kerberos Delegation","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LJcPoQs4nW6B800HlRY","title":"DCShadow - Becoming a Rogue Domain Controller","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LYHcKlvPpvC2Ly98FpQ","title":"DCSync: Dump Password Hashes from Domain Controller","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LLuna_XpUO0Dk-_7iiM","title":"PowerView: Active Directory Enumeration","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LQimOasCuAaGC6hgChU","title":"Abusing Active Directory 
ACLs/ACEs","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LTx64XAYznr7BOWOADR","title":"Privileged Accounts and Token Privileges","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LR2gdzZCNg3Cgj7c7r3","title":"From DnsAdmins to SYSTEM to Domain Compromise","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LUuZg1TJz0Xm08zQnto","title":"Pass the Hash with Machine$ Accounts","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LVFqUdx-vZn7YvmARjX","title":"BloodHound with Kali Linux: 101","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LUBPBdfruy9UKYPJZ7F","title":"Backdooring AdminSDHolder for Persistence","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LXnezlhfaF-ky_VJarY","title":"Active Directory Enumeration with AD 
Module without RSAT or Admin Privileges","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LaN7AYxitVAlWoQ1FPM","title":"Enumerating AD Object Permissions with dsacls","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions","siteSpaceId":"sitesp_H55mt","description":"Enumeration, living off the land","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LaS-K0Y6VjHlpJ2rP5o","title":"Active Directory Password Spraying","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-MU2iuoaKISxlxvw1CRN","title":"Active Directory Lab with Hyper-V and PowerShell","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-lab-with-hyper-v-and-powershell","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-Mfw1wkqsiSwkQpD0EbS","title":"ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"ldlvRAhFVFMF8I3xeLFm","title":"From Misconfigured Certificate Template to Domain 
Admin","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"kTsbgYan5eFiLwYfRETs","title":"Shadow Credentials","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials","siteSpaceId":"sitesp_H55mt","description":"Persistence, lateral movement","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"WlwWTrM2fevyXC7VFpwn","title":"Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain","pathname":"/offensive-security-experiments/active-directory-kerberos-abuse/abusing-trust-accountusd-accessing-resources-on-a-trusted-domain-from-a-trusting-domain","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"Pinned"},{"label":"Active Directory & Kerberos Abuse"}]},{"id":"-LNgY2plqmlX6wkEXrsR","title":"Red Team Infrastructure","pathname":"/offensive-security/red-team-infrastructure","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LNgYFqHmm9_uDZ_O6F0","title":"HTTP Forwarders / Relays","pathname":"/offensive-security/red-team-infrastructure/redirectors-forwarders","siteSpaceId":"sitesp_H55mt","description":"Concealing attacking hosts with redirectors/traffic forwarders using iptables or socat","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LNpctyzwclo2482vGyZ","title":"SMTP Forwarders / Relays","pathname":"/offensive-security/red-team-infrastructure/smtp","siteSpaceId":"sitesp_H55mt","description":"SMTP Redirector + Stripping Email Headers","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LiFMhqy9UPy0zpJwK5_","title":"Phishing with Modlishka Reverse HTTP 
Proxy","pathname":"/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LWNIq2ZU1JC_22t9JYC","title":"Automating Red Team Infrastructure with Terraform","pathname":"/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LV_IIIg6Kwe5VO3GJnh","title":"Cobalt Strike 101","pathname":"/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LLPMw9awmFfsr8W9goW","title":"Powershell Empire 101","pathname":"/offensive-security/red-team-infrastructure/powershell-empire-101","siteSpaceId":"sitesp_H55mt","description":"Exploring key concepts of the Powershell Empire","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LTwF6xd0SnXq4UB0pZs","title":"Spiderfoot 101 with Kali using Docker","pathname":"/offensive-security/red-team-infrastructure/spiderfoot-101-with-kali-using-docker","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Red Team Infrastructure"}]},{"id":"-LemoC0LMyXFOq_Rcenz","title":"Initial Access","pathname":"/offensive-security/initial-access","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LUQ_w-pb0g3vLtLq7g4","title":"Password Spraying Outlook Web Access: Remote Shell","pathname":"/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial 
Access"}]},{"id":"-LLJzjAKr5QS_uggB9Dc","title":"Phishing with MS Office","pathname":"/offensive-security/initial-access/phishing-with-ms-office","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"}]},{"id":"-LOIzhaAGMeIT9R5Hx14","title":"Phishing: XLM / Macro 4.0","pathname":"/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LHO9fuVVY3dYAJiTQD5","title":"T1173: Phishing - DDE","pathname":"/offensive-security/initial-access/phishing-with-ms-office/t1173-dde","siteSpaceId":"sitesp_H55mt","description":"Dynamic Data Exchange code - executing code in Microsoft Office documents.","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LIgM-PiJulxM5ERD5LK","title":"T1137: Phishing - Office Macros","pathname":"/offensive-security/initial-access/phishing-with-ms-office/t1137-office-vba-macros","siteSpaceId":"sitesp_H55mt","description":"Code execution with VBA Macros","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LKR31RRkdzJnwHm2wNI","title":"Phishing: OLE + LNK","pathname":"/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk","siteSpaceId":"sitesp_H55mt","description":"Phishing, Initial Access using embedded OLE + LNK objects","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LLJxq6EPXXxsosNyR5V","title":"Phishing: Embedded Internet Explorer","pathname":"/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-internet-explorer","siteSpaceId":"sitesp_H55mt","description":"Code execution with embedded Internet Explorer Object","breadcrumbs":[{"label":"offensive 
security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LOJRLkFNTskEZLZwauY","title":"Phishing: .SLK Excel","pathname":"/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LZyenU_f1mhlFoAmtsG","title":"Phishing: Replacing Embedded Video with Bogus Payload","pathname":"/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LaHVHLcLj1lnTOBbZHw","title":"Inject Macros from a Remote Dotm Template","pathname":"/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-Lc310dfFFwJHmqBwHOj","title":"Bypassing Parent Child / Ancestry Detections","pathname":"/offensive-security/initial-access/phishing-with-ms-office/bypassing-malicious-macro-detections-by-defeating-child-parent-process-relationships","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LLP-irjsjiGTk2pDoYA","title":"Phishing: Embedded HTML Forms","pathname":"/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-html-forms","siteSpaceId":"sitesp_H55mt","description":"Code execution with embedded HTML Form Objects","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"},{"label":"Phishing with MS Office"}]},{"id":"-LVjba_Xoaaaq3TQtpS7","title":"Phishing with GoPhish and 
DigitalOcean","pathname":"/offensive-security/initial-access/phishing-with-gophish-and-digitalocean","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"}]},{"id":"-LKByyrc1DYbnORq03RW","title":"Forced Authentication","pathname":"/offensive-security/initial-access/t1187-forced-authentication","siteSpaceId":"sitesp_H55mt","description":"Credential Access, Stealing hashes","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"}]},{"id":"-LUpFUyzmITHR1o6QnJE","title":"NetNTLMv2 hash stealing using Outlook","pathname":"/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Initial Access"}]},{"id":"-LemkcvJ7OF0-Y9lSs93","title":"Code Execution","pathname":"/offensive-security/code-execution","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LHFGga0Qxq6A7OngYKg","title":"regsvr32","pathname":"/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo","siteSpaceId":"sitesp_H55mt","description":"regsvr32 (squiblydoo) code execution - bypass application whitelisting.","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LHK7Qf4t7aAaQjwgyb7","title":"MSHTA","pathname":"/offensive-security/code-execution/t1170-mshta-code-execution","siteSpaceId":"sitesp_H55mt","description":"MSHTA code execution - bypass application whitelisting.","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LHIQpqk_7mNZI6DZ5tl","title":"Control Panel Item","pathname":"/offensive-security/code-execution/t1196-control-panel-item-code-execution","siteSpaceId":"sitesp_H55mt","description":"Control Panel Item code execution - bypass application whitelisting.","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LrkAd3tOXDaFq3ympAe","title":"Executing Code as 
a Control Panel Item through an Exported Cplapplet Function","pathname":"/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-MAH_N8Sj5zw-H3b5PS_","title":"Code Execution through Control Panel Add-ins","pathname":"/offensive-security/code-execution/code-execution-through-control-panel-add-ins","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LHKSjpVtMQkQYTC1eSi","title":"CMSTP","pathname":"/offensive-security/code-execution/t1191-cmstp-code-execution","siteSpaceId":"sitesp_H55mt","description":"CMSTP code execution - bypass application whitelisting.","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LHUjPB_pXRGET0ZqKai","title":"InstallUtil","pathname":"/offensive-security/code-execution/t1118-installutil","siteSpaceId":"sitesp_H55mt","description":"InstallUtil code execution - bypass application whitelisting.","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LbdtKFpbMroR2KD2-9I","title":"Using MSBuild to Execute Shellcode in C#","pathname":"/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LJyirr6YCobXKaj92V0","title":"Forfiles Indirect Command Execution","pathname":"/offensive-security/code-execution/t1202-forfiles-indirect-command-execution","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-Lc80_Dnpi7550j3vW2I","title":"Application Whitelisting Bypass with WMIC and 
XSL","pathname":"/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LNKQquf7tlHhKwMca6K","title":"Powershell Without Powershell.exe","pathname":"/offensive-security/code-execution/powershell-without-powershell","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LM-F8DPok-vft4eUSTg","title":"Powershell Constrained Language Mode Bypass","pathname":"/offensive-security/code-execution/powershell-constrained-language-mode-bypass","siteSpaceId":"sitesp_H55mt","description":"Understanding ConstrainedLanguageMode","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LhQoTHli00JecpIJAsq","title":"Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse","pathname":"/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LI2NMcp3qFVvi5tn0nV","title":"pubprn.vbs Signed Script Code Execution","pathname":"/offensive-security/code-execution/t1216-signed-script-ce","siteSpaceId":"sitesp_H55mt","description":"Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs","breadcrumbs":[{"label":"offensive security"},{"label":"Code Execution"}]},{"id":"-LKvXy3W9rb6KuV2aeOC","title":"Code & Process Injection","pathname":"/offensive-security/code-injection-process-injection","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LKqR83s3Vd1-8GTii8U","title":"CreateRemoteThread Shellcode Injection","pathname":"/offensive-security/code-injection-process-injection/process-injection","siteSpaceId":"sitesp_H55mt","description":"Injecting shellcode into a local 
process.","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LKvYH76muvbwrCDbpm3","title":"DLL Injection","pathname":"/offensive-security/code-injection-process-injection/dll-injection","siteSpaceId":"sitesp_H55mt","description":"Injecting DLL into a remote process.","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LLPPq33pbjHi4YdTlQK","title":"Reflective DLL Injection","pathname":"/offensive-security/code-injection-process-injection/reflective-dll-injection","siteSpaceId":"sitesp_H55mt","description":"Loading DLL from memory","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LjSc4DYPPhfH7Dh-WpK","title":"Shellcode Reflective DLL Injection","pathname":"/offensive-security/code-injection-process-injection/reflective-shellcode-dll-injection","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LV3uXLKEhTcjrfm7zUW","title":"Process Doppelganging","pathname":"/offensive-security/code-injection-process-injection/process-doppelganging","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LczTzCt4zDKh3v7z_jw","title":"Loading and Executing Shellcode From PE Resources","pathname":"/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LdQG1QWNi2MPTtZPzw2","title":"Process Hollowing and Portable Executable Relocations","pathname":"/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations","siteSpaceId":"sitesp_H55mt","description":"Code injection, evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process 
Injection"}]},{"id":"-LfnaRDQgb93k66YomoO","title":"APC Queue Code Injection","pathname":"/offensive-security/code-injection-process-injection/apc-queue-code-injection","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LftJkw-763lmivg32H2","title":"Early Bird APC Queue Code Injection","pathname":"/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LfuRweL6a29-BfpozLf","title":"Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert","pathname":"/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-M8ese3EBEn5bzn81uA2","title":"Shellcode Execution through Fibers","pathname":"/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MByGhr82ACSoiLhqkA_","title":"Shellcode Execution via CreateThreadpoolWait","pathname":"/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MFaTx1FfzSlfXiqDVp_","title":"Local Shellcode Execution without Windows APIs","pathname":"/offensive-security/code-injection-process-injection/local-shellcode-execution-without-windows-apis","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process 
Injection"}]},{"id":"-MGEfrTYhLEfcUogfzjN","title":"Injecting to Remote Process via Thread Hijacking","pathname":"/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-Lg-FAWlvn_Ho6QWCpZV","title":"SetWindowHookEx Code Injection","pathname":"/offensive-security/code-injection-process-injection/setwindowhookex-code-injection","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LjkLzaZPCVEJFe4RBmb","title":"Finding Kernel32 Base and Function Addresses in Shellcode","pathname":"/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LksmeqnLlHriRVELlBM","title":"Executing Shellcode with Inline Assembly in C/C++","pathname":"/offensive-security/code-injection-process-injection/executing-shellcode-with-inline-assembly-in-c-c++","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MLY1iPHOXeV86DfbQHT","title":"Writing Custom Shellcode Encoders and Decoders","pathname":"/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LkzNlxUxNf4L_re0exJ","title":"Backdooring PE Files with Shellcode","pathname":"/offensive-security/code-injection-process-injection/backdooring-portable-executables-pe-with-shellcode","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process 
Injection"}]},{"id":"-Loq5hg2QLOHVycxfTSp","title":"NtCreateSection + NtMapViewOfSection Code Injection","pathname":"/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LqIP4qEC4-Nq3uBcg-C","title":"AddressOfEntryPoint Code Injection without VirtualAllocEx RWX","pathname":"/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx","siteSpaceId":"sitesp_H55mt","description":"Code Injection","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LxNxZKjhtXb6ESApsb7","title":"Module Stomping for Shellcode Injection","pathname":"/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection","siteSpaceId":"sitesp_H55mt","description":"Code Injection","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LsX8vQgNOUVpsw76xUg","title":"PE Injection: Executing PEs inside Remote Processes","pathname":"/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes","siteSpaceId":"sitesp_H55mt","description":"Code Injection","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LtoHB2ObjppAcd41Etu","title":"API Monitoring and Hooking for Offensive Tooling","pathname":"/offensive-security/code-injection-process-injection/api-monitoring-and-hooking-for-offensive-tooling","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-LicW5MarVn2ii36RFXQ","title":"Windows API Hooking","pathname":"/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive 
security"},{"label":"Code & Process Injection"}]},{"id":"-Luj1qNf6lYTUZ1q0eYj","title":"Import Address Table (IAT) Hooking","pathname":"/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MAHK4FGu2dWe6fnfN0S","title":"DLL Injection via a Custom .NET Garbage Collector","pathname":"/offensive-security/code-injection-process-injection/injecting-dll-via-custom-.net-garbage-collector-environment-variable-complus_gcname","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MMqZgjGa2P1sldmWz9t","title":"Writing and Compiling Shellcode in C","pathname":"/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MAMnYQmMQx7Od9Ly8rw","title":"Injecting .NET Assembly to an Unmanaged Process","pathname":"/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MXGqQV78PSz5rMGEPAU","title":"Binary Exploitation","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"}]},{"id":"-MXGqWDEDWYaShWhb0tP","title":"32-bit Stack-based Buffer Overflow","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation/stack-based-buffer-overflow","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"},{"label":"Binary 
Exploitation"}]},{"id":"-MY_xsts39C81oVBvNZy","title":"64-bit Stack-based Buffer Overflow","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"},{"label":"Binary Exploitation"}]},{"id":"-MY-bwf9FDYcQXu4dF-3","title":"Return-to-libc / ret2libc","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"},{"label":"Binary Exploitation"}]},{"id":"-MaJoZYubr7zplb9RjBa","title":"ROP Chaining: Return Oriented Programming","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation/rop-chaining-return-oriented-programming","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"},{"label":"Binary Exploitation"}]},{"id":"-MeRRXfqNUe3OWVK0Txm","title":"SEH Based Buffer Overflow","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"},{"label":"Binary Exploitation"}]},{"id":"-Mkv9eTuFL4-DgkxShck","title":"Format String Bug","pathname":"/offensive-security/code-injection-process-injection/binary-exploitation/format-string-bug","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Code & Process Injection"},{"label":"Binary Exploitation"}]},{"id":"-LemmHClEEPSZKg3fDcW","title":"Defense Evasion","pathname":"/offensive-security/defense-evasion","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LN_HssyTvF25t5bsBBC","title":"AV Bypass with 
Metasploit Templates and Custom Binaries","pathname":"/offensive-security/defense-evasion/av-bypass-with-metasploit-templates","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LVxH8QrPQPwtruDX9EO","title":"Evading Windows Defender with 1 Byte Change","pathname":"/offensive-security/defense-evasion/evading-windows-defender-using-classic-c-shellcode-launcher-with-1-byte-change","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LeInUlD05GKEaz-PWCo","title":"Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions","pathname":"/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LdBAsK-V-UkZD6G7knF","title":"Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs","pathname":"/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis","siteSpaceId":"sitesp_H55mt","description":"EDR / AV Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-MNUin5BhMg0bkQVUZ1v","title":"Windows API Hashing in Malware","pathname":"/offensive-security/defense-evasion/windows-api-hashing-in-malware","siteSpaceId":"sitesp_H55mt","description":"Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-MOVRoExpeZbUGn7ZThg","title":"Detecting Hooked Syscalls","pathname":"/offensive-security/defense-evasion/detecting-hooked-syscall-functions","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LjAqSVI10yo-MJuXTts","title":"Calling Syscalls Directly from Visual Studio to Bypass 
AVs/EDRs","pathname":"/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-M9Du3xsMjkf6kMQEgEV","title":"Retrieving ntdll Syscall Stubs from Disk at Run-time","pathname":"/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-Lq3IBpNkZy79VOWub_s","title":"Full DLL Unhooking with C++","pathname":"/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++","siteSpaceId":"sitesp_H55mt","description":"EDR evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LtKuTSjJ_1lmj1YKZ4W","title":"Enumerating RWX Protected Memory Regions for Code Injection","pathname":"/offensive-security/defense-evasion/finding-all-rwx-protected-memory-regions","siteSpaceId":"sitesp_H55mt","description":"Code Injection, Defense Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-MGTW5wROOM-eZmaPLiD","title":"Disabling Windows Event Logs by Suspending EventLog Service Threads","pathname":"/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LJzcBOt6NrpVZ6wTevz","title":"Obfuscated Powershell Invocations","pathname":"/offensive-security/defense-evasion/t1027-obfuscated-powershell-invocations","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LPN_7JKwQQAQIkRZo_e","title":"Masquerading Processes in Userland via 
_PEB","pathname":"/offensive-security/defense-evasion/masquerading-processes-in-userland-through-_peb","siteSpaceId":"sitesp_H55mt","description":"Understanding how malicious binaries can masquerade as any other legitimate Windows binary from the userland.","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LNUPFYqBVGOX_l6Sjeg","title":"Commandline Obfuscation","pathname":"/offensive-security/defense-evasion/commandline-obfusaction","siteSpaceId":"sitesp_H55mt","description":"Commandline obfuscation","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LONJho_U93z7P3gRIOH","title":"File Smuggling with HTML and JavaScript","pathname":"/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LK3jXdkQi3-SEaGpZXG","title":"Timestomping","pathname":"/offensive-security/defense-evasion/t1099-timestomping","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LJzMblioskuQQ3Lg8tF","title":"Alternate Data Streams","pathname":"/offensive-security/defense-evasion/t1096-alternate-data-streams","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LIRyjVC_PnqizzBOjbN","title":"Hidden Files","pathname":"/offensive-security/defense-evasion/t1158-hidden-files","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion, Persistence","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LJtUbUwSI9DIqiUB3VR","title":"Encode/Decode Data with Certutil","pathname":"/offensive-security/defense-evasion/t1140-encode-decode-data-with-certutil","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Defense 
Evasion"}]},{"id":"-LM8tesxCOSyWymw0IMM","title":"Downloading Files with Certutil","pathname":"/offensive-security/defense-evasion/downloading-file-with-certutil","siteSpaceId":"sitesp_H55mt","description":"Downloading additional files to the victim system using native OS binary.","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LK3G43LKzKZOL9NjfW8","title":"Packed Binaries","pathname":"/offensive-security/defense-evasion/t1045-software-packing-upx","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion, Code Obfuscation","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LMEMZmcmnRPz_5XyjIi","title":"Unloading Sysmon Driver","pathname":"/offensive-security/defense-evasion/unloading-sysmon-driver","siteSpaceId":"sitesp_H55mt","description":"Unload sysmon driver which causes the system to stop recording sysmon event logs.","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-Lf9W-d6ERAQoFCrutOE","title":"Bypassing IDS Signatures with Simple Reverse Shells","pathname":"/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-Lsfs3-nl_UIX3TSjMEn","title":"Preventing 3rd Party DLLs from Injecting into your Malware","pathname":"/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-M07upyi-iCgZEOXBGuS","title":"ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)","pathname":"/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-M9JmW5OuHn4xCVIGgRX","title":"Parent Process ID 
(PPID) Spoofing","pathname":"/offensive-security/defense-evasion/parent-process-id-ppid-spoofing","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-LfF321mMZzS9wodiUqt","title":"Executing C# Assemblies from Jscript and wscript with DotNetToJscript","pathname":"/offensive-security/defense-evasion/executing-csharp-assemblies-from-jscript-and-wscript-with-dotnettojscript","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Defense Evasion"}]},{"id":"-Lemu0JzkVAUHn54t_yB","title":"Enumeration and Discovery","pathname":"/offensive-security/enumeration-and-discovery","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-MBe8A97TVw6YYvChnO3","title":"Windows Event IDs and Others for Situational Awareness","pathname":"/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-MBx0yPdhn92Ac0eqsym","title":"Enumerating COM Objects and their Methods","pathname":"/offensive-security/enumeration-and-discovery/enumerating-com-objects-and-their-methods","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-Lf1MvOYeqmmNqzHia_V","title":"Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks","pathname":"/offensive-security/enumeration-and-discovery/enumerating-users-without-net-services-without-sc-and-scheduled-tasks-without-schtasks","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LXun6QFFagIyPpb918F","title":"Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line 
Logging","pathname":"/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LWHryefzBN3YN2VuE-E","title":"Dump Global Address List (GAL) from OWA","pathname":"/offensive-security/enumeration-and-discovery/dumping-gal-global-address-list-from-outlook-web-application","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LKaRDmtBYd6p0vGLeAH","title":"Application Window Discovery","pathname":"/offensive-security/enumeration-and-discovery/t1010-application-window-discovery","siteSpaceId":"sitesp_H55mt","description":"Discovery","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LKcViTu5QOt2iasnIUY","title":"Account Discovery & Enumeration","pathname":"/offensive-security/enumeration-and-discovery/t1087-account-discovery","siteSpaceId":"sitesp_H55mt","description":"Discovery","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LhgRaig1h1XcGG_z_So","title":"Using COM to Enumerate Hostname, Username, Domain, Network Drives","pathname":"/offensive-security/enumeration-and-discovery/using-com-to-enumerate-hostname-username-domain-network-drives","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LOOeDyzylFX32YMFh82","title":"Detecting Sysmon on the Victim Host","pathname":"/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host","siteSpaceId":"sitesp_H55mt","description":"Exploring ways to detect Sysmon presence on the victim system","breadcrumbs":[{"label":"offensive security"},{"label":"Enumeration and Discovery"}]},{"id":"-LemqM9QR1bLVECgRz4q","title":"Privilege 
Escalation","pathname":"/offensive-security/privilege-escalation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LJVSic6K3nyHaqoCAs8","title":"Primary Access Token Manipulation","pathname":"/offensive-security/privilege-escalation/t1134-access-token-manipulation","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion, Privilege Escalation by stealing and re-using security access tokens.","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-Laeh7zy0tXWPgm17oDB","title":"Windows NamedPipes 101 + Privilege Escalation","pathname":"/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LIR_Wcv47HKYYe8CgMz","title":"DLL Hijacking","pathname":"/offensive-security/privilege-escalation/t1038-dll-hijacking","siteSpaceId":"sitesp_H55mt","description":"DLL Search Order Hijacking for privilege escalation, code execution, etc.","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LIlnbbdLpXpLHEG7Xrf","title":"WebShells","pathname":"/offensive-security/privilege-escalation/t1108-redundant-access","siteSpaceId":"sitesp_H55mt","description":"Redundant Access - Webshells for evading defenses and persistence.","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LJuFreF8ASzOzFFUEiP","title":"Image File Execution Options Injection","pathname":"/offensive-security/privilege-escalation/t1183-image-file-execution-options-injection","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion, Persistence, Privilege Escalation","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LfM2ZWm6beDai4S8FJi","title":"Unquoted Service 
Paths","pathname":"/offensive-security/privilege-escalation/unquoted-service-paths","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LoLGFe4v5f5-Sok8ddK","title":"Pass The Hash: Privilege Escalation with Invoke-WMIExec","pathname":"/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-M-6d3URvUy_JOsuqXZD","title":"Environment Variable $Path Interception","pathname":"/offensive-security/privilege-escalation/environment-variable-path-interception","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LfQqEE_yBFeaa-SaXXS","title":"Weak Service Permissions","pathname":"/offensive-security/privilege-escalation/weak-service-permissions","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Privilege Escalation"}]},{"id":"-LHdjwacPuor-NtYryP0","title":"Credential Access & Dumping","pathname":"/offensive-security/credential-access-and-credential-dumping","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LHwqaMfSgf3DBdxvLz7","title":"Dumping Credentials from Lsass Process Memory with Mimikatz","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-credentials-from-lsass.exe-process-memory","siteSpaceId":"sitesp_H55mt","description":"Local Security Authority (LSA) credential dumping with in-memory Mimikatz using powershell.","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-L_nRKQXTiNQbjK4LX99","title":"Dumping Lsass Without 
Mimikatz","pathname":"/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LafIF6VCybVpgbjcbLd","title":"Dumping Lsass without Mimikatz with MiniDumpWriteDump","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass","siteSpaceId":"sitesp_H55mt","description":"Evasion, Credential Dumping","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LHwphNg8hoz_hcYJ6VM","title":"Dumping Hashes from SAM via Registry","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry","siteSpaceId":"sitesp_H55mt","description":"Security Accounts Manager (SAM) credential dumping with living off the land binary.","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-MHurk6SVMDerIzDA6Wk","title":"Dumping SAM via esentutl.exe","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exe","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-L_nYqmzLoem9QSl49ei","title":"Dumping LSA Secrets","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LXiqPfldWsdJbyI6Tkq","title":"Dumping and Cracking mscash - Cached Domain Credentials","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive 
security"},{"label":"Credential Access & Dumping"}]},{"id":"-LHwpaPZnf94MyLpTb2z","title":"Dumping Domain Controller Hashes Locally and Remotely","pathname":"/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration","siteSpaceId":"sitesp_H55mt","description":"Dumping NTDS.dit with Active Directory users hashes","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LfaOk0YJhv6FUOyOxq1","title":"Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LJdS7MbodzD-LoWO6yE","title":"Network vs Interactive Logons","pathname":"/offensive-security/credential-access-and-credential-dumping/network-vs-interactive-logons","siteSpaceId":"sitesp_H55mt","description":"This lab explores/compares when credentials are susceptible to credential dumping.","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LcLoGlRWajC4Etm_4E-","title":"Reading DPAPI Encrypted Secrets with Mimikatz and C++","pathname":"/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LK6yDG9Spv7FusJdXb3","title":"Credentials in Registry","pathname":"/offensive-security/credential-access-and-credential-dumping/t1214-credentials-in-registry","siteSpaceId":"sitesp_H55mt","description":"Internal recon, hunting for passwords in Windows registry","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LKYCsZ-ZZ620Y6zA9vi","title":"Password 
Filter","pathname":"/offensive-security/credential-access-and-credential-dumping/t1174-password-filter-dll","siteSpaceId":"sitesp_H55mt","description":"Credential Access","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-Len3rATRjedA_38XpIX","title":"Forcing WDigest to Store Credentials in Plaintext","pathname":"/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LmprD9hkXiJaHPht0QP","title":"Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass","pathname":"/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LID351Ti8pZ9HkCm6bP","title":"Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages","pathname":"/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package","siteSpaceId":"sitesp_H55mt","description":"Credential Access, Persistence","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-Ly0XGUrl2GWqA_xp_wV","title":"Pulling Web Application Passwords by Hooking HTML Input Fields","pathname":"/offensive-security/credential-access-and-credential-dumping/stealing-web-application-credentials-by-hooking-input-fields","siteSpaceId":"sitesp_H55mt","description":"Credential Access, Keylogger","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-Lz8tf8jU17AgixqepZ4","title":"Intercepting Logon Credentials by Hooking 
msv1_0!SpAcceptCredentials","pathname":"/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-by-hooking-msv1_0-spacceptcredentials","siteSpaceId":"sitesp_H55mt","description":"Hooking, Credential Stealing","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-M8qf-mGbgGIoZTZ8mSY","title":"Credentials Collection via CredUIPromptForCredentials","pathname":"/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Credential Access & Dumping"}]},{"id":"-LemlmTfu5EPmUB6o5H9","title":"Lateral Movement","pathname":"/offensive-security/lateral-movement","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LI0n-qxG8XLUt6hriRX","title":"WinRM for Lateral Movement","pathname":"/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement","siteSpaceId":"sitesp_H55mt","description":"PowerShell remoting for lateral movement.","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-MMpwGGJXeL8Q51PX-nV","title":"WinRS for Lateral Movement","pathname":"/offensive-security/lateral-movement/winrs-for-lateral-movement","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LI2Qg1xpoqw_cI1KhX7","title":"WMI for Lateral Movement","pathname":"/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement","siteSpaceId":"sitesp_H55mt","description":"Windows Management Instrumentation for code execution, lateral movement.","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LJhlmeo7Ht8QsCW33Gv","title":"RDP Hijacking for Lateral Movement with 
tscon","pathname":"/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement","siteSpaceId":"sitesp_H55mt","description":"This lab explores a technique that allows a SYSTEM account to move laterally through the network using RDP without the need for credentials.","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LKla3XKg1Wv-qAcAemX","title":"Shared Webroot","pathname":"/offensive-security/lateral-movement/t1051-shared-webroot","siteSpaceId":"sitesp_H55mt","description":"Lateral Movement","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LKfDrSJ9PSEqT8LTKDN","title":"Lateral Movement via DCOM","pathname":"/offensive-security/lateral-movement/t1175-distributed-component-object-model","siteSpaceId":"sitesp_H55mt","description":"Lateral Movement via Distributed Component Object Model","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LPC8tynRHL1Pr8R7X7P","title":"WMI + MSI Lateral Movement","pathname":"/offensive-security/lateral-movement/wmi-+-msi-lateral-movement","siteSpaceId":"sitesp_H55mt","description":"WMI lateral movement with .msi packages","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LttyKTODKAphDKBPzWE","title":"Lateral Movement via Service Configuration Manager","pathname":"/offensive-security/lateral-movement/lateral-movement-abusing-service-configuration-manager","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LV0DkfVPPIKDFY4hjF-","title":"Lateral Movement via SMB Relaying","pathname":"/offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LPD5-7pp4K7_lHWS7Wh","title":"WMI + NewScheduledTaskAction Lateral 
Movement","pathname":"/offensive-security/lateral-movement/wmi-via-newscheduledtask","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LQGFCI00Mk77EuEQA4c","title":"WMI + PowerShell Desired State Configuration Lateral Movement","pathname":"/offensive-security/lateral-movement/wmi-+-powershell-desired-state-configuration-lateral-movement","siteSpaceId":"sitesp_H55mt","description":"Lateral Movement, Privilege Escalation","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LVwZfeM13ANyFNxPXGY","title":"Simple TCP Relaying with NetCat","pathname":"/offensive-security/lateral-movement/simple-tcp-relaying-with-netcat","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LPrmUYfszaqY4fTKfUV","title":"Empire Shells with NetNTLMv2 Relaying","pathname":"/offensive-security/lateral-movement/empire-shells-with-netnltmv2-relaying","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LfLp0GL0e7PHWsIgzAv","title":"Lateral Movement with Psexec","pathname":"/offensive-security/lateral-movement/lateral-movement-with-psexec","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LoLY_k2y83R8dau-4se","title":"From Beacon to Interactive RDP Session","pathname":"/offensive-security/lateral-movement/from-beacon-to-interactive-remote-desktop-rdp-session","siteSpaceId":"sitesp_H55mt","description":"Lateral Movement, Tunnelling, Firewall Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LODOi3hcUhTQ8O9CIN1","title":"SSH Tunnelling / Port Forwarding","pathname":"/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding","siteSpaceId":"sitesp_H55mt","description":"Exploring SSH 
tunneling","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-MKAwBxnMjwzsD4iRAnZ","title":"Lateral Movement via WMI Event Subscription","pathname":"/offensive-security/lateral-movement/lateral-movement-via-wmi-events","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-MKfUkM9KLE5kthb35Xc","title":"Lateral Movement via DLL Hijacking","pathname":"/offensive-security/lateral-movement/lateral-movement-via-dll-hijacking","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LzsICi5wuiK_eLmiBLu","title":"Lateral Movement over headless RDP with SharpRDP","pathname":"/offensive-security/lateral-movement/lateral-movement-over-headless-rdp-with-sharprdp","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-MjohvZu4Z0uRBn7ox5G","title":"Man-in-the-Browser via Chrome Extension","pathname":"/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-MSNo60y7wzXGVrsXuyN","title":"ShadowMove: Lateral Movement by Duplicating Existing Sockets","pathname":"/offensive-security/lateral-movement/shadowmove-lateral-movement-by-stealing-duplicating-existing-connected-sockets","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Lateral Movement"}]},{"id":"-LempXdWfnQ_5bjGIvW0","title":"Persistence","pathname":"/offensive-security/persistence","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-MImZcvjfJAkcHoI6lA3","title":"DLL Proxying for 
Persistence","pathname":"/offensive-security/persistence/dll-proxying-for-persistence","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LHxrWjOmD4bFtm_9jIQ","title":"Schtask","pathname":"/offensive-security/persistence/t1053-schtask","siteSpaceId":"sitesp_H55mt","description":"Code execution, privilege escalation, lateral movement and persistence.","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LHz4qdhTMwgKu6h_VlC","title":"Service Execution","pathname":"/offensive-security/persistence/t1035-service-execution","siteSpaceId":"sitesp_H55mt","description":"Code Execution, Privilege Escalation","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LI2jkT0Z1B5HWKlrPT0","title":"Sticky Keys","pathname":"/offensive-security/persistence/t1015-sethc","siteSpaceId":"sitesp_H55mt","description":"Sticky keys backdoor.","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LINTwQT9B1DQug-hgbN","title":"Create Account","pathname":"/offensive-security/persistence/t1136-create-account","siteSpaceId":"sitesp_H55mt","description":"Persistence","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LIlLp9moURtmOyyOzo5","title":"AddMonitor()","pathname":"/offensive-security/persistence/t1013-addmonitor","siteSpaceId":"sitesp_H55mt","description":"Persistence, Privilege Escalation","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LIbwe1yYjoT5uC0MjsW","title":"NetSh Helper DLL","pathname":"/offensive-security/persistence/t1128-netsh-helper-dll","siteSpaceId":"sitesp_H55mt","description":"Persistence, code execution using netsh helper arbitrary libraries.","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LJ4BGyYTQTU1CxdMpU3","title":"Abusing Windows Management 
Instrumentation","pathname":"/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation","siteSpaceId":"sitesp_H55mt","description":"Persistence, Privilege Escalation","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LJGCner4yac_yZnPQEz","title":"WMI as a Data Storage","pathname":"/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation/wmi-data-storage","siteSpaceId":"sitesp_H55mt","description":"Exploring WMI as a data storage for persistence by leveraging WMI classes and their properties.","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"},{"label":"Abusing Windows Management Instrumentation"}]},{"id":"-LytOiIFtLCfoQ04S-bH","title":"Windows Logon Helper","pathname":"/offensive-security/persistence/windows-logon-helper","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LytUhReJPz-1iwxpwT5","title":"Hijacking Default File Extension","pathname":"/offensive-security/persistence/hijacking-default-file-extension","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-MH1P9945_sgvUtphP8a","title":"Persisting in svchost.exe with a Service DLL","pathname":"/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LyyaxC7YRKnnb5f8Iu4","title":"Modifying .lnk Shortcuts","pathname":"/offensive-security/persistence/modifying-.lnk-shortcuts","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LJ3FLmRApVIZQ1pktZB","title":"Screensaver Hijack","pathname":"/offensive-security/persistence/t1180-screensaver-hijack","siteSpaceId":"sitesp_H55mt","description":"Hijacking screensaver for 
persistence.","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LI7pO9NHV3PFSFWwqzg","title":"Application Shimming","pathname":"/offensive-security/persistence/t1138-application-shimming","siteSpaceId":"sitesp_H55mt","description":"Persistence, Privilege Escalation","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LIIDbFyOm6lZzdu22IW","title":"BITS Jobs","pathname":"/offensive-security/persistence/t1197-bits-jobs","siteSpaceId":"sitesp_H55mt","description":"File upload to the compromised system.","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LINEixMlUkYFjuC4NSp","title":"COM Hijacking","pathname":"/offensive-security/persistence/t1122-com-hijacking","siteSpaceId":"sitesp_H55mt","description":"UAC Bypass/Defense Evasion, Persistence","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LImGBWiyqKH_OlmIpkl","title":"SIP & Trust Provider Hijacking","pathname":"/offensive-security/persistence/t1198-trust-provider-hijacking","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion, Persistence, Whitelisting Bypass","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LJ3tbVwQgmBoNJKuglz","title":"Hijacking Time Providers","pathname":"/offensive-security/persistence/t1209-hijacking-time-providers","siteSpaceId":"sitesp_H55mt","description":"Persistence","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LJynOAVLQQ4d9EI1w3I","title":"Installing Root Certificate","pathname":"/offensive-security/persistence/t1130-install-root-certificate","siteSpaceId":"sitesp_H55mt","description":"Defense Evasion","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LsxaRySq81Og4-hB9KR","title":"Powershell Profile Persistence","pathname":"/offensive-security/persistence/powershell-profile-persistence","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive 
security"},{"label":"Persistence"}]},{"id":"-M0DDH3fcOARZmc2lw2R","title":"RID Hijacking","pathname":"/offensive-security/persistence/rid-hijacking","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LhyomPXvbloSOjxyYbY","title":"Word Library Add-Ins","pathname":"/offensive-security/persistence/word-library-add-ins","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-Li2x4eVJAHmarBK0w8W","title":"Office Templates","pathname":"/offensive-security/persistence/office-templates","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"},{"label":"Persistence"}]},{"id":"-LemwHtwVIh5iennN9q0","title":"Exfiltration","pathname":"/offensive-security/exfiltration","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"offensive security"}]},{"id":"-LOoZasHkdSQ-uF2uecp","title":"Powershell Payload Delivery via DNS using Invoke-PowerCloud","pathname":"/offensive-security/exfiltration/payload-delivery-via-dns-using-invoke-powercloud","siteSpaceId":"sitesp_H55mt","description":"This lab demos a tool or rather a Powershell script I have written to do what the title says.","breadcrumbs":[{"label":"offensive security"},{"label":"Exfiltration"}]},{"id":"-LuMsj61svMowD9bgJS2","title":"Internals","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"}]},{"id":"-LuMsnlHT_OIr-anMhZy","title":"Configuring Kernel Debugging Environment with kdnet and WinDBG Preview","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/configuring-kernel-debugging-environment-with-kdnet-and-windbg-preview","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-M12jF2bdl-YrLAUyH48","title":"Compiling a 
Simple Kernel Driver, DbgPrint, DbgView","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/compiling-first-kernel-driver-kdprint-dbgprint-and-debugview","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-LuNgdWu6OZwQ7Pe2uma","title":"Loading Windows Kernel Driver for Debugging","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/loading-a-windows-kernel-driver-osr-driver-loader-debugging-with-source-code","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-M1rBMkWjOxXoCUHk8e1","title":"Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-MEgwyIqtcRI3IJJ1jRN","title":"Listing Open Handles and Finding Kernel Object Addresses","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-M1RjVxhPRgoTJzBVTJE","title":"Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/sending-commands-from-userland-to-your-kernel-driver-using-ioctl","siteSpaceId":"sitesp_H55mt","description":"Windows Driver Model (WDM)","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-M1LDRF5CKp0mkkX3PhU","title":"Windows Kernel Drivers 
101","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/windows-kernel-drivers-101","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-MCH_-lyLqUlElsf76Ao","title":"Windows x64 Calling Convention: Stack Frame","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/windows-x64-calling-convention-stack-frame","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-MYa8hYmSTjGKBXbRzML","title":"Linux x64 Calling Convention: Stack Frame","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/linux-x64-calling-convention-stack-frame","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-LuSFYRCyVrhXzos52JN","title":"System Service Descriptor Table - SSDT","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/glimpse-into-ssdt-in-windows-x64-kernel","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-Lv7Utxmz1qVRdYtETLC","title":"Interrupt Descriptor Table - IDT","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/interrupt-descriptor-table-idt","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-Lvvs9h-EEAeAB3PPFcz","title":"Token Abuse for Privilege Escalation in Kernel","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-LxC-rMI8D9MsFMaGvVH","title":"Manipulating ActiveProcessLinks to Hide Processes in 
Userland","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/manipulating-activeprocesslinks-to-unlink-processes-in-userland","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-M8dyAsfnnnGuxw4EgKH","title":"ETW: Event Tracing for Windows 101","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-LNBmi8NufX_8xIk_JDg","title":"Exploring Injected Threads","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/get-injectedthread","siteSpaceId":"sitesp_H55mt","description":"A short exploration of injected threads with Get-InjectedThreads.ps1 and WinDBG","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-LQPhLIg2HTVSIbKB2tQ","title":"Parsing PE File Headers with C++","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-MREjmfr1mG_yXiSo0bn","title":"Instrumenting Windows APIs with Frida","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/instrumenting-windows-apis-with-frida","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-LL0z4oOoj0hSWOAg2-1","title":"Exploring Process Environment Block","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/exploring-process-environment-block","siteSpaceId":"sitesp_H55mt","description":"Exploring a couple of interesting members of the PEB memory structure fields","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-MUEjlnCDAj0HNap4OB0","title":"Writing a Custom 
Bootloader","pathname":"/miscellaneous-reversing-forensics/windows-kernel-internals/writing-a-custom-bootloader","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Internals"}]},{"id":"-MPUK8Py3VAu9PEw0xUf","title":"Cloud","pathname":"/miscellaneous-reversing-forensics/cloud","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"}]},{"id":"-MPUKPg2vx1lntTp_o2J","title":"AWS Accounts, Users, Groups, Roles, Policies","pathname":"/miscellaneous-reversing-forensics/cloud/aws-accounts-users-groups-roles-policies","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"},{"label":"Cloud"}]},{"id":"-MQmoJI8fhnl6eazONhi","title":"Neo4j","pathname":"/miscellaneous-reversing-forensics/neo4j","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"}]},{"id":"-LIaYNVnPdnc2eLOopZK","title":"Dump Virtual Box Memory","pathname":"/miscellaneous-reversing-forensics/dump-virtual-box-memory","siteSpaceId":"sitesp_H55mt","description":"A quick reminder of one of the ways of how to dump memory of a VM running on VirtualBox in Linux environment.","breadcrumbs":[{"label":"reversing, forensics & misc"}]},{"id":"-Lp50Ii81fxUsrZFuZvj","title":"AES Encryption Using Crypto++ .lib in Visual Studio C++","pathname":"/miscellaneous-reversing-forensics/aes-encryption-example-using-cryptopp-.lib-in-visual-studio-c++","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"}]},{"id":"-LU53H-fK2xDz7aGpGBX","title":"Reversing Password Checking Routine","pathname":"/miscellaneous-reversing-forensics/reversing-password-checking-routine","siteSpaceId":"sitesp_H55mt","description":"","breadcrumbs":[{"label":"reversing, forensics & misc"}]}]}