# offensive security

- [Red Team Infrastructure](/hackersnotes/offensive-security/red-team-infrastructure.md)
- [HTTP Forwarders / Relays](/hackersnotes/offensive-security/red-team-infrastructure/http-forwarders-relays.md): Concealing attacking hosts with redirectors/traffic forwarders using iptables or socat
- [SMTP Forwarders / Relays](/hackersnotes/offensive-security/red-team-infrastructure/smtp-forwarders-relays.md)
- [Phishing with Modlishka Reverse HTTP Proxy](/hackersnotes/offensive-security/red-team-infrastructure/phishing-with-modlishka-reverse-http-proxy.md)
- [Automating Red Team Infrastructure with Terraform](/hackersnotes/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform.md)
- [Cobalt Strike 101](/hackersnotes/offensive-security/red-team-infrastructure/cobalt-strike-101.md)
- [Powershell Empire 101](/hackersnotes/offensive-security/red-team-infrastructure/powershell-empire-101.md): Exploring key concepts of the Powershell Empire
- [Spiderfoot 101 with Kali using Docker](/hackersnotes/offensive-security/red-team-infrastructure/spiderfoot-101-with-kali-using-docker.md)
- [MITRE ATT\&CK](/hackersnotes/offensive-security/mitre-att-and-ck.md)
- [Initial Access](/hackersnotes/offensive-security/initial-access.md)
- [Phishing Methodology](/hackersnotes/offensive-security/initial-access/phishing-methodology.md)
- [Password Spraying](/hackersnotes/offensive-security/initial-access/password-spraying.md)
- [Phishing-with-Ms-office](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office.md)
- [Phishing: XLM / Macro 4.0](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0.md)
- [T1173: Phishing - DDE](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/t1173-phishing-dde.md): Dynamic Data Exchange code - executing code in Microsoft Office documents.
- [T1137: Phishing - Office Macros](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/t1137-phishing-office-macros.md): Code execution with VBA Macros
- [Phishing: OLE + LNK](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk.md): Code execution with embedded Internet Explorer Object
- [Phishing: Embedded Internet Explorer](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-internet-explorer.md): Code execution with embedded Internet Explorer Object
- [Phishing: .SLK Excel](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel.md)
- [Phishing: Replacing Embedded Video](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video.md): with Bogus Payload
- [Inject Macros from a Remote Dotm Template](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template.md)
- [Bypassing Parent Child / Ancestry Detections](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/bypassing-parent-child-ancestry-detections.md)
- [Phishing: Embedded HTML Forms](/hackersnotes/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-html-forms.md)
- [Phishing with GoPhish and DigitalOcean](/hackersnotes/offensive-security/initial-access/phishing-with-gophish-and-digitalocean.md): This lab is dedicated to exploring one of the phishing frameworks GoPhish. I will be installing and configuring GoPhish on a DigitalOcean VPS running Ubuntu Linux distribution.
- [Forced Authentication](/hackersnotes/offensive-security/initial-access/forced-authentication.md)
- [NetNTLMv2 hash stealing using Outlook](/hackersnotes/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook.md)
- [Code Execution](/hackersnotes/offensive-security/code-execution.md)
- [regsvr32](/hackersnotes/offensive-security/code-execution/regsvr32.md): regsvr32 (squiblydoo) code execution - bypass application whitelisting.
- [MSHTA](/hackersnotes/offensive-security/code-execution/mshta.md): MSHTA code execution - bypass application whitelisting.
- [Control Panel Item](/hackersnotes/offensive-security/code-execution/control-panel-item.md): Control Panel Item code execution - bypass application whitelisting.
- [Executing Code as a Control Panel](/hackersnotes/offensive-security/code-execution/executing-code-as-a-control-panel.md): Item through an Exported Cplapplet Function
- [Code Execution through Control Panel Add-ins](/hackersnotes/offensive-security/code-execution/code-execution-through-control-panel-add-ins.md)
- [CMSTP](/hackersnotes/offensive-security/code-execution/cmstp.md): CMSTP code execution - bypass application whitelisting.
- [InstallUtil](/hackersnotes/offensive-security/code-execution/installutil.md)
- [Using MSBuild to Execute Shellcode in C#](/hackersnotes/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c.md)
- [Forfiles Indirect Command Execution](/hackersnotes/offensive-security/code-execution/forfiles-indirect-command-execution.md): Defense Evasion
- [Application Whitelisting Bypass with WMIC and XSL](/hackersnotes/offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl.md)
- [Powershell Without Powershell.exe](/hackersnotes/offensive-security/code-execution/powershell-without-powershell.exe.md)
- [Powershell Constrained Language Mode Bypass](/hackersnotes/offensive-security/code-execution/powershell-constrained-language-mode-bypass.md)
- [Forcing Iexplore.exe](/hackersnotes/offensive-security/code-execution/forcing-iexplore.exe.md): To Load a Malicious DLL via COM Abuse
- [Pubprn.vbs Signed Script Code Execution](/hackersnotes/offensive-security/code-execution/pubprn.vbs-signed-script-code-execution.md): Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs
- [Code & Process Injection](/hackersnotes/offensive-security/code-and-process-injection.md)
- [CreateRemoteThread Shellcode Injection](/hackersnotes/offensive-security/code-and-process-injection/createremotethread-shellcode-injection.md): Injecting shellcode into a local process.
- [DLL Injection](/hackersnotes/offensive-security/code-and-process-injection/dll-injection.md)
- [Reflective DLL Injection](/hackersnotes/offensive-security/code-and-process-injection/reflective-dll-injection.md)
- [Shellcode Reflective DLL Injection](/hackersnotes/offensive-security/code-and-process-injection/shellcode-reflective-dll-injection.md)
- [Process Doppelganging](/hackersnotes/offensive-security/code-and-process-injection/process-doppelganging.md)
- [Loading and Executing Shellcode From PE Resources](/hackersnotes/offensive-security/code-and-process-injection/loading-and-executing-shellcode-from-pe-resources.md)
- [Process Hollowing and Portable Executable Relocations](/hackersnotes/offensive-security/code-and-process-injection/process-hollowing-and-portable-executable-relocations.md)
- [APC Queue Code Injection](/hackersnotes/offensive-security/code-and-process-injection/apc-queue-code-injection.md)
- [Early Bird APC Queue Code Injection](/hackersnotes/offensive-security/code-and-process-injection/early-bird-apc-queue-code-injection.md)
- [Shellcode Execution in a Local Process](/hackersnotes/offensive-security/code-and-process-injection/shellcode-execution-in-a-local-process.md): with QueueUserAPC and NtTestAlert
- [Shellcode Execution through Fibers](/hackersnotes/offensive-security/code-and-process-injection/shellcode-execution-through-fibers.md)
- [Shellcode Execution via CreateThreadpoolWait](/hackersnotes/offensive-security/code-and-process-injection/shellcode-execution-via-createthreadpoolwait.md)
- [Local Shellcode Execution without Windows APIs](/hackersnotes/offensive-security/code-and-process-injection/local-shellcode-execution-without-windows-apis.md)
- [Injecting to Remote Process via Thread Hijacking](/hackersnotes/offensive-security/code-and-process-injection/injecting-to-remote-process-via-thread-hijacking.md)
- [SetWindowHookEx Code Injection](/hackersnotes/offensive-security/code-and-process-injection/setwindowhookex-code-injection.md)
- [Finding Kernel32 Base and Function Addresses in Shellcode](/hackersnotes/offensive-security/code-and-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode.md)
- [Executing Shellcode with Inline Assembly in C/C++](/hackersnotes/offensive-security/code-and-process-injection/executing-shellcode-with-inline-assembly-in-c-c++.md)
- [Writing Custom Shellcode Encoders and Decoders](/hackersnotes/offensive-security/code-and-process-injection/writing-custom-shellcode-encoders-and-decoders.md)
- [Backdooring PE Files with Shellcode](/hackersnotes/offensive-security/code-and-process-injection/backdooring-pe-files-with-shellcode.md)
- [NtCreateSection + NtMapViewOfSection Code Injection](/hackersnotes/offensive-security/code-and-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection.md)
- [AddressOfEntryPoint Code Injection without VirtualAllocEx RWX](/hackersnotes/offensive-security/code-and-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx.md)
- [Module Stomping for Shellcode Injection](/hackersnotes/offensive-security/code-and-process-injection/module-stomping-for-shellcode-injection.md): Code Injection
- [PE Injection: Executing PEs inside Remote Processes](/hackersnotes/offensive-security/code-and-process-injection/pe-injection-executing-pes-inside-remote-processes.md): Code Injection
- [API Monitoring and Hooking for Offensive Tooling](/hackersnotes/offensive-security/code-and-process-injection/api-monitoring-and-hooking-for-offensive-tooling.md)
- [Windows API Hooking](/hackersnotes/offensive-security/code-and-process-injection/windows-api-hooking.md)
- [Import Address Table (IAT) Hooking](/hackersnotes/offensive-security/code-and-process-injection/import-address-table-iat-hooking.md)
- [DLL Injection via a Custom .NET Garbage Collector](/hackersnotes/offensive-security/code-and-process-injection/dll-injection-via-a-custom-.net-garbage-collector.md)
- [Writing and Compiling Shellcode in C](/hackersnotes/offensive-security/code-and-process-injection/writing-and-compiling-shellcode-in-c.md)
- [Injecting .NET Assembly to an Unmanaged Process](/hackersnotes/offensive-security/code-and-process-injection/injecting-.net-assembly-to-an-unmanaged-process.md)
- [binary-exploitation](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation.md)
- [32-bit Stack-based Buffer Overflow](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation/32-bit-stack-based-buffer-overflow.md)
- [64-bit Stack-based Buffer Overflow](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow.md)
- [Return-to-libc / ret2libc](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation/return-to-libc-ret2libc.md)
- [ROP Chaining: Return Oriented Programming](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation/rop-chaining-return-oriented-programming.md)
- [SEH Based Buffer Overflow](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation/seh-based-buffer-overflow.md)
- [Format String Bug](/hackersnotes/offensive-security/code-and-process-injection/binary-exploitation/format-string-bug.md)
- [Defense Evasion](/hackersnotes/offensive-security/defense-evasion.md)
- [AV Bypass with Metasploit Templates and Custom Binaries](/hackersnotes/offensive-security/defense-evasion/av-bypass-with-metasploit-templates-and-custom-binaries.md)
- [Evading Windows Defender with 1 Byte Change](/hackersnotes/offensive-security/defense-evasion/evading-windows-defender-with-1-byte-change.md)
- [Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions](/hackersnotes/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-beacon-sessions.md)
- [Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs](/hackersnotes/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis.md): EDR / AV Evasion
- [Windows API Hashing in Malware](/hackersnotes/offensive-security/defense-evasion/windows-api-hashing-in-malware.md)
- [Detecting Hooked Syscalls](/hackersnotes/offensive-security/defense-evasion/detecting-hooked-syscalls.md)
- [Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs](/hackersnotes/offensive-security/defense-evasion/calling-syscalls-directly-from-visual-studio-to-bypass-avs-edrs.md)
- [Retrieving ntdll Syscall Stubs from Disk at Run-time](/hackersnotes/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-from-disk-at-run-time.md)
- [Full DLL Unhooking with C++](/hackersnotes/offensive-security/defense-evasion/full-dll-unhooking-with-c++.md)
- [Enumerating RWX Protected Memory Regions for Code Injection](/hackersnotes/offensive-security/defense-evasion/enumerating-rwx-protected-memory-regions-for-code-injection.md)
- [Disabling Windows Event Logs by Suspending EventLog Service Threads](/hackersnotes/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads.md)
- [Obfuscated Powershell Invocations](/hackersnotes/offensive-security/defense-evasion/obfuscated-powershell-invocations.md)
- [Masquerading Processes in Userland via \_PEB](/hackersnotes/offensive-security/defense-evasion/masquerading-processes-in-userland-via-_peb.md): Understanding how malicious binaries can masquerade as any other legitimate Windows binary from the userland.
- [Commandline Obfuscation](/hackersnotes/offensive-security/defense-evasion/commandline-obfusaction.md)
- [File Smuggling with HTML and JavaScript](/hackersnotes/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript.md)
- [Timestomping](/hackersnotes/offensive-security/defense-evasion/timestomping.md)
- [Alternate Data Streams](/hackersnotes/offensive-security/defense-evasion/alternate-data-streams.md)
- [Hidden Files](/hackersnotes/offensive-security/defense-evasion/hidden-files.md): Defense Evasion, Persistence
- [Encode/Decode Data with Certutil](/hackersnotes/offensive-security/defense-evasion/encode-decode-data-with-certutil.md): Defense Evasion
- [Downloading Files with Certutil](/hackersnotes/offensive-security/defense-evasion/downloading-files-with-certutil.md): Downloading additional files to the victim system using native OS binary.
- [Packed Binaries](/hackersnotes/offensive-security/defense-evasion/packed-binaries.md): Defense Evasion, Code Obfuscation
- [Unloading Sysmon Driver](/hackersnotes/offensive-security/defense-evasion/unloading-sysmon-driver.md)
- [Bypassing IDS Signatures with Simple Reverse Shells](/hackersnotes/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells.md)
- [Preventing 3rd Party DLLs from Injecting into your Malware](/hackersnotes/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-malware.md)
- [ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)](/hackersnotes/offensive-security/defense-evasion/processdynamiccodepolicy-arbitrary-code-guard-acg.md)
- [Parent Process ID (PPID) Spoofing](/hackersnotes/offensive-security/defense-evasion/parent-process-id-ppid-spoofing.md)
- [Executing C# Assemblies from Jscript and wscript with DotNetToJscript](/hackersnotes/offensive-security/defense-evasion/executing-c-assemblies-from-jscript-and-wscript-with-dotnettojscript.md)
- [Enumeration and Discovery](/hackersnotes/offensive-security/enumeration-and-discovery.md)
- [Windows Event IDs and Others for Situational Awareness](/hackersnotes/offensive-security/enumeration-and-discovery/windows-event-ids-and-others-for-situational-awareness.md)
- [Enumerating COM Objects and their Methods](/hackersnotes/offensive-security/enumeration-and-discovery/enumerating-com-objects-and-their-methods.md)
- [Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks](/hackersnotes/offensive-security/enumeration-and-discovery/enumerating-users-without-net-services-without-sc-and-scheduled-tasks-without-schtasks.md)
- [Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging](/hackersnotes/offensive-security/enumeration-and-discovery/enumerating-windows-domains-with-rpcclient-through-socksproxy-bypassing-command-line-logging.md)
- [Dump Global Address List (GAL) from OWA](/hackersnotes/offensive-security/enumeration-and-discovery/dump-global-address-list-gal-from-owa.md)
- [Application Window Discovery](/hackersnotes/offensive-security/enumeration-and-discovery/application-window-discovery.md)
- [Account Discovery & Enumeration](/hackersnotes/offensive-security/enumeration-and-discovery/account-discovery-and-enumeration.md)
- [Using COM to Enumerate Hostname, Username, Domain, Network Drives](/hackersnotes/offensive-security/enumeration-and-discovery/using-com-to-enumerate-hostname-username-domain-network-drives.md)
- [Detecting Sysmon on the Victim Host](/hackersnotes/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host.md)
- [Privilege Escalation](/hackersnotes/offensive-security/privilege-escalation.md)
- [Primary Access Token Manipulation](/hackersnotes/offensive-security/privilege-escalation/primary-access-token-manipulation.md)
- [Windows NamedPipes 101 + Privilege Escalation](/hackersnotes/offensive-security/privilege-escalation/windows-namedpipes-101-+-privilege-escalation.md)
- [DLL Hijacking](/hackersnotes/offensive-security/privilege-escalation/dll-hijacking.md)
- [WebShells](/hackersnotes/offensive-security/privilege-escalation/webshells.md)
- [Image File Execution Options Injection](/hackersnotes/offensive-security/privilege-escalation/image-file-execution-options-injection.md)
- [Unquoted Service Paths](/hackersnotes/offensive-security/privilege-escalation/unquoted-service-paths.md)
- [Pass The Hash: Privilege Escalation with Invoke-WMIExec](/hackersnotes/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec.md)
- [Environment Variable $Path Interception](/hackersnotes/offensive-security/privilege-escalation/environment-variable-usdpath-interception.md)
- [Weak Service Permissions](/hackersnotes/offensive-security/privilege-escalation/weak-service-permissions.md)
- [Credential Access & Dumping](/hackersnotes/offensive-security/credential-access-and-dumping.md)
- [Dumping Credentials from Lsass Process Memory with Mimikatz](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-credentials-from-lsass-process-memory-with-mimikatz.md)
- [Dumping Lsass Without Mimikatz](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-lsass-without-mimikatz.md)
- [Dumping Lsass without Mimikatz with MiniDumpWriteDump](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-lsass-without-mimikatz-with-minidumpwritedump.md): Evasion, Credential Dumping
- [Dumping Hashes from SAM via Registry](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-hashes-from-sam-via-registry.md): Security Accounts Manager (SAM) credential dumping with living off the land binary.
- [Dumping SAM via esentutl.exe](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-sam-via-esentutl.exe.md)
- [Dumping LSA Secrets](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-lsa-secrets.md)
- [Dumping and Cracking mscash - Cached Domain Credentials](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-and-cracking-mscash-cached-domain-credentials.md)
- [Dumping Domain Controller Hashes Locally and Remotely](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-domain-controller-hashes-locally-and-remotely.md): Dumping NTDS.dit with Active Directory users hashes
- [Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-domain-controller-hashes-via-wmic-and-vssadmin-shadow-copy.md)
- [Network vs Interactive Logons](/hackersnotes/offensive-security/credential-access-and-dumping/network-vs-interactive-logons.md)
- [Reading DPAPI Encrypted Secrets with Mimikatz and C++](/hackersnotes/offensive-security/credential-access-and-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++.md)
- [Credentials in Registry](/hackersnotes/offensive-security/credential-access-and-dumping/credentials-in-registry.md)
- [Password Filter](/hackersnotes/offensive-security/credential-access-and-dumping/password-filter.md)
- [Forcing WDigest to Store Credentials in Plaintext](/hackersnotes/offensive-security/credential-access-and-dumping/forcing-wdigest-to-store-credentials-in-plaintext.md)
- [Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching Lsass](/hackersnotes/offensive-security/credential-access-and-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-w-o-touching-lsass.md)
- [Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages](/hackersnotes/offensive-security/credential-access-and-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-packages.md)
- [Pulling Web Application Passwords by Hooking HTML Input Fields](/hackersnotes/offensive-security/credential-access-and-dumping/pulling-web-application-passwords-by-hooking-html-input-fields.md)
- [Intercepting Logon Credentials by Hooking msv1\_0!SpAcceptCredentials](/hackersnotes/offensive-security/credential-access-and-dumping/intercepting-logon-credentials-by-hooking-msv1_0-spacceptcredentials.md)
- [Credentials Collection via CredUIPromptForCredentials](/hackersnotes/offensive-security/credential-access-and-dumping/credentials-collection-via-creduipromptforcredentials.md)
- [Lateral Movement](/hackersnotes/offensive-security/lateral-movement.md)
- [WinRM for Lateral Movement](/hackersnotes/offensive-security/lateral-movement/winrm-for-lateral-movement.md)
- [WinRS for Lateral Movement](/hackersnotes/offensive-security/lateral-movement/winrs-for-lateral-movement.md)
- [WMI for Lateral Movement](/hackersnotes/offensive-security/lateral-movement/wmi-for-lateral-movement.md)
- [RDP Hijacking for Lateral Movement with tscon](/hackersnotes/offensive-security/lateral-movement/rdp-hijacking-for-lateral-movement-with-tscon.md)
- [Shared Webroot](/hackersnotes/offensive-security/lateral-movement/shared-webroot.md)
- [Lateral Movement via DCOM](/hackersnotes/offensive-security/lateral-movement/lateral-movement-via-dcom.md)
- [WMI + MSI Lateral Movement](/hackersnotes/offensive-security/lateral-movement/wmi-+-msi-lateral-movement.md): WMI lateral movement with .msi packages
- [Lateral Movement via Service Configuration Manager](/hackersnotes/offensive-security/lateral-movement/lateral-movement-via-service-configuration-manager.md)
- [Lateral Movement via SMB Relaying](/hackersnotes/offensive-security/lateral-movement/lateral-movement-via-smb-relaying.md)
- [WMI + NewScheduledTaskAction Lateral Movement](/hackersnotes/offensive-security/lateral-movement/wmi-+-newscheduledtaskaction-lateral-movement.md)
- [WMI + PowerShell Desired State Configuration Lateral Movement](/hackersnotes/offensive-security/lateral-movement/wmi-+-powershell-desired-state-configuration-lateral-movement.md)
- [Simple TCP Relaying with NetCat](/hackersnotes/offensive-security/lateral-movement/simple-tcp-relaying-with-netcat.md)
- [Empire Shells with NetNTLMv2 Relaying](/hackersnotes/offensive-security/lateral-movement/empire-shells-with-netnltmv2-relaying.md)
- [Lateral Movement with Psexec](/hackersnotes/offensive-security/lateral-movement/lateral-movement-with-psexec.md)
- [From Beacon to Interactive RDP Session](/hackersnotes/offensive-security/lateral-movement/from-beacon-to-interactive-rdp-session.md): Lateral Movement, Tunnelling, Firewall Evasion
- [SSH Tunnelling / Port Forwarding](/hackersnotes/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding.md)
- [Lateral Movement via WMI Event Subscription](/hackersnotes/offensive-security/lateral-movement/lateral-movement-via-wmi-event-subscription.md)
- [Lateral Movement via DLL Hijacking](/hackersnotes/offensive-security/lateral-movement/lateral-movement-via-dll-hijacking.md)
- [Lateral Movement over headless RDP with SharpRDP](/hackersnotes/offensive-security/lateral-movement/lateral-movement-over-headless-rdp-with-sharprdp.md)
- [Man-in-the-Browser via Chrome Extension](/hackersnotes/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension.md)
- [ShadowMove: Lateral Movement by Duplicating Existing Sockets](/hackersnotes/offensive-security/lateral-movement/shadowmove-lateral-movement-by-duplicating-existing-sockets.md)
- [Persistence](/hackersnotes/offensive-security/persistence.md)
- [DLL Proxying for Persistence](/hackersnotes/offensive-security/persistence/dll-proxying-for-persistence.md)
- [Schtask](/hackersnotes/offensive-security/persistence/schtask.md): Code execution, privilege escalation, lateral movement and persistence.
- [Service Execution](/hackersnotes/offensive-security/persistence/service-execution.md)
- [Sticky Keys](/hackersnotes/offensive-security/persistence/sticky-keys.md): Sticky keys backdoor.
- [Create Account](/hackersnotes/offensive-security/persistence/create-account.md): Persistence
- [AddMonitor()](/hackersnotes/offensive-security/persistence/addmonitor.md)
- [NetSh Helper DLL](/hackersnotes/offensive-security/persistence/netsh-helper-dll.md)
- [Abusing Windows Management Instrumentation](/hackersnotes/offensive-security/persistence/abusing-windows-managent-instrumentation.md)
- [WMI as a Data Storage](/hackersnotes/offensive-security/persistence/abusing-windows-managent-instrumentation/wmi-as-a-data-storage.md): Exploring WMI as a data storage for persistence by leveraging WMI classes and their properties.
- [Windows Logon Helper](/hackersnotes/offensive-security/persistence/windows-logon-helper.md)
- [Hijacking Default File Extension](/hackersnotes/offensive-security/persistence/hijacking-default-file-extension.md)
- [Persisting in svchost.exe with a Service DLL](/hackersnotes/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll.md)
- [Modifying .lnk Shortcuts](/hackersnotes/offensive-security/persistence/modifying-.lnk-shortcuts.md)
- [Screensaver Hijack](/hackersnotes/offensive-security/persistence/screensaver-hijack.md)
- [Application Shimming](/hackersnotes/offensive-security/persistence/application-shimming.md): Persistence, Privilege Escalation
- [BITS Jobs](/hackersnotes/offensive-security/persistence/bits-jobs.md)
- [COM Hijacking](/hackersnotes/offensive-security/persistence/com-hijacking.md)
- [SIP & Trust Provider Hijacking](/hackersnotes/offensive-security/persistence/sip-and-trust-provider-hijacking.md)
- [Hijacking Time Providers](/hackersnotes/offensive-security/persistence/hijacking-time-providers.md): Persistence
- [Installing Root Certificate](/hackersnotes/offensive-security/persistence/installing-root-certificate.md)
- [Powershell Profile Persistence](/hackersnotes/offensive-security/persistence/powershell-profile-persistence.md)
- [RID Hijacking](/hackersnotes/offensive-security/persistence/rid-hijacking.md)
- [Word Library Add-Ins](/hackersnotes/offensive-security/persistence/word-library-add-ins.md)
- [Office Templates](/hackersnotes/offensive-security/persistence/office-templates.md)
- [Exfiltration](/hackersnotes/offensive-security/exfiltration.md)
- [Powershell Payload Delivery via DNS using Invoke-PowerCloud](/hackersnotes/offensive-security/exfiltration/powershell-payload-delivery-via-dns-using-invoke-powercloud.md): This lab demos a tool or rather a Powershell script I have written to do what the title says.
