📓
Red Team Notes
  • Introduction
  • Red Team Notes 2.0
  • Red Team
  • Initial Access
    • Spear Phishing Links
      • HTA Files
      • Binaries
      • PDF Files
      • SET(Social-Engineering Toolkit)
    • Spear Phishing Attachments
      • Macros
      • Dynamic Data Exchange
      • SCR Files
      • LNK Files
    • (+) Links and Attachments
  • Execution
    • Component Object Model and Distributed COM
    • MSHTA
    • PowerShell
    • Rundll32
    • Scheduled Tasks
    • Scripting
    • Trusted Developer Utilities
      • MSBuild
      • Regsvr32
    • Windows Remote Management
    • Windows Management Instrumentation (WMI)
  • Persistence
    • Scheduled Tasks
    • Create Account
    • DLL Search Order Hijacking
    • Hooking
    • Logon Scripts
    • Modify Existing Service
    • New Service
    • Path Interception
    • Registry Keys / StartUp Folder
    • ShortCut Modification
  • Privesc
    • Access Token Manipulation
    • DLL Search Order Hijacking
    • Exploitation for Privesc
    • File System Permissions Weakness
    • Always Install Elevated
  • Defense Evasion
  • Credential Access
    • Credential Dumping
    • Kerberoasting
    • LLMNR/NBT-NS Poisoning and Relay
  • Discovery
  • Lateral Movement
    • Pass the Ticket
    • Pass the Hash
    • Remote Desktops
    • Internal Spearphishing
    • Windows Admin Shares
    • Component Object Model and Distributed COM
    • Windows Remote Management
  • Collection
  • Command and Control
  • Exfiltration
  • Impact
  • Active Directory
    • Introduction
      • Kerberos
      • LDAP
    • Enumeration
    • Attacks
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Kerberoasting
      • Silver Tickets
      • Golden Tickets
  • Detection
    • Detection
    • Initial Access
    • Execution
      • MSHTA (Detection)
  • Resources & References
    • References & Resources
Powered by GitBook
On this page

Was this helpful?

  1. Detection

Execution

The adversary is trying to run malicious code

In this category we are aware that we need to Execute our Code, for whatever purpose it can be. Reverse Shell, Enumeration, Privesc, etc. But in this section we are a Hunter (Blue Team) and we are searching for our Prey (Red Team) again, what is left behind, what processes are created so they can reach their goal, what can we find so we know that they were here. This also helps us in to be more Opsec Safe Red Team can learn from here on what they are leaving behind and how can they avoid it in any way.

Will focus in the common techniques explained in the Offensive Section:

  • MSHTA

  • PowerShell

  • RunDLL32

  • Scheduled Tasks

  • Scripting

  • Trusted Developer Utilities

    • MSBuild

    • Regsvr32

  • WinRm

  • WMIC

  • Etc

PreviousInitial AccessNextMSHTA (Detection)

Last updated 4 years ago

Was this helpful?