# Red Team Notes

## Red Team Notes

- [Introduction](https://dmcxblue.gitbook.io/red-team-notes/master.md): Red Team notes
- [Red Team Notes 2.0](https://dmcxblue.gitbook.io/red-team-notes/red-team-notes-2.0.md): Updated notes!!
- [Red Team](https://dmcxblue.gitbook.io/red-team-notes/red-team.md): The offensive side
- [Initial Access](https://dmcxblue.gitbook.io/red-team-notes/initial-acces.md): The adversary is trying to get into your network.
- [Spear Phishing Links](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links.md): The use of links attached to the email or sent in plain text to trick the victim into clicking while evading email providers' scanners.
- [HTA Files](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links/tools.md): Microsoft HTML Applications (HTA)
- [Binaries](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links/binaries.md): The use of binaries has greatly decreased, but this is still a good example of how users download EXE files and give attackers access.
- [PDF Files](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links/pdf.md): These will just be simple PDF files with a link in the document; I will add a link that, when clicked, sends the user to a controlled server.
- [SET(Social-Engineering Toolkit)](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links/set-social-engineering-toolkit.md): A social engineering framework frequently used for gathering credentials or gaining user execution access. I am using this framework to automate most of the work of setting up a phishing page.
- [Spear Phishing Attachments](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing.md): Attaching a malicious file to an email.
- [Macros](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing/macros.md): Macros are series of instructions written in a scripting language to automate tasks, which helps adversaries automate various attacks.
- [Dynamic Data Exchange](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing/macroless.md): ID: T1173 Tactic: Execution
- [SCR Files](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing/scr-files.md): SCR files are screensaver files used by Windows for energy-saving purposes. I will create simple binaries and change the extension from EXE to SCR.
- [LNK Files](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing/lnk-files.md): Also known as Shortcuts
- [(+) Links and Attachments](https://dmcxblue.gitbook.io/red-team-notes/initial-acces/untitled-3.md): An approach to better understand this technique at a deeper level
- [Execution](https://dmcxblue.gitbook.io/red-team-notes/execution.md): The adversary is trying to run malicious code.
- [Component Object Model and Distributed COM](https://dmcxblue.gitbook.io/red-team-notes/execution/com.md): ID: T1175 Tactic: Lateral Movement, Execution
- [MSHTA](https://dmcxblue.gitbook.io/red-team-notes/execution/mshta.md): Microsoft HTML Applications
- [PowerShell](https://dmcxblue.gitbook.io/red-team-notes/execution/powershell.md): PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.
- [Rundll32](https://dmcxblue.gitbook.io/red-team-notes/execution/untitled.md): This program can be called to execute an arbitrary binary. This can be taken advantage of to avoid triggering security tools.
- [Scheduled Tasks](https://dmcxblue.gitbook.io/red-team-notes/execution/scheduled-tasks.md): ID: T1053 Tactic: Execution, Persistence, Privilege Escalation
- [Scripting](https://dmcxblue.gitbook.io/red-team-notes/execution/untitled-1.md): ID: T1064 Tactic: Defense Evasion, Execution
- [Trusted Developer Utilities](https://dmcxblue.gitbook.io/red-team-notes/execution/trusted-developer-utilities.md): ID: T1127 Tactic: Defense Evasion, Execution
- [MSBuild](https://dmcxblue.gitbook.io/red-team-notes/execution/trusted-developer-utilities/msbuild.md): A trusted Windows signed binary.
- [Regsvr32](https://dmcxblue.gitbook.io/red-team-notes/execution/trusted-developer-utilities/regsvr32.md): ID: T1117 Tactic: Defense Evasion, Execution
- [Windows Remote Management](https://dmcxblue.gitbook.io/red-team-notes/execution/windows-remote-management.md): ID: T1028 Tactic: Execution, Lateral Movement
- [Windows Management Instrumentation (WMI)](https://dmcxblue.gitbook.io/red-team-notes/execution/windows-management-instrumentation-wmi.md): ID: T1047 Tactic: Execution
- [Persistence](https://dmcxblue.gitbook.io/red-team-notes/persistence.md): The adversary is trying to maintain their foothold.
- [Scheduled Tasks](https://dmcxblue.gitbook.io/red-team-notes/persistence/scheduled-tasks.md): ID: T1053 Tactic: Execution, Persistence, Privilege Escalation
- [Create Account](https://dmcxblue.gitbook.io/red-team-notes/persistence/create-account.md): ID: T1136 Tactic: Persistence
- [DLL Search Order Hijacking](https://dmcxblue.gitbook.io/red-team-notes/persistence/dll-search-order-hijacking.md): ID: T1038 Tactic: Persistence, Privilege Escalation, Defense Evasion
- [Hooking](https://dmcxblue.gitbook.io/red-team-notes/persistence/hooking.md): ID: T1179 Tactic: Persistence, Privilege Escalation, Credential Access
- [Logon Scripts](https://dmcxblue.gitbook.io/red-team-notes/persistence/logon-scripts.md): ID: T1037 Tactic: Lateral Movement, Persistence
- [Modify Existing Service](https://dmcxblue.gitbook.io/red-team-notes/persistence/modify-existing-service.md): ID: T1031 Tactic: Persistence
- [New Service](https://dmcxblue.gitbook.io/red-team-notes/persistence/new-service.md): ID: T1050 Tactic: Persistence, Privilege Escalation
- [Path Interception](https://dmcxblue.gitbook.io/red-team-notes/persistence/path-interception.md): ID: T1034 Tactic: Persistence, Privilege Escalation
- [Registry Keys / StartUp Folder](https://dmcxblue.gitbook.io/red-team-notes/persistence/registry-keys-startup-folder.md): ID: T1060 Tactic: Persistence
- [ShortCut Modification](https://dmcxblue.gitbook.io/red-team-notes/persistence/shortcut-modification.md): ID: T1023 Tactic: Persistence
- [Privesc](https://dmcxblue.gitbook.io/red-team-notes/privesc.md): The adversary is trying to gain higher-level permissions.
- [Access Token Manipulation](https://dmcxblue.gitbook.io/red-team-notes/privesc/access-token-manipulation.md): ID: T1134 Tactic: Defense Evasion, Privilege Escalation
- [DLL Search Order Hijacking](https://dmcxblue.gitbook.io/red-team-notes/privesc/dll-search-order-hijacking.md)
- [Exploitation for Privesc](https://dmcxblue.gitbook.io/red-team-notes/privesc/exploitation-for-privesc.md): ID: T1068 Tactic: Privilege Escalation
- [File System Permissions Weakness](https://dmcxblue.gitbook.io/red-team-notes/privesc/file-system-permissions-weakness.md): ID: T1044 Tactic: Persistence, Privilege Escalation
- [Always Install Elevated](https://dmcxblue.gitbook.io/red-team-notes/privesc/unquoted-service-path.md): A functionality that allows a regular user to install MSI files with high privileges.
- [Defense Evasion](https://dmcxblue.gitbook.io/red-team-notes/untitled.md): The adversary is trying to avoid being detected.
- [Credential Access](https://dmcxblue.gitbook.io/red-team-notes/untitled-1.md): The adversary is trying to steal account names and passwords.
- [Credential Dumping](https://dmcxblue.gitbook.io/red-team-notes/untitled-1/credential-dumping.md): ID: T1003 Tactic: Credential Access
- [Kerberoasting](https://dmcxblue.gitbook.io/red-team-notes/untitled-1/kerberoasting.md): ID: T1208 Tactic: Credential Access
- [LLMNR/NBT-NS Poisoning and Relay](https://dmcxblue.gitbook.io/red-team-notes/untitled-1/llmnr-nbt-ns-poisoning-and-relay.md): ID: T1171 Tactic: Credential Access
- [Discovery](https://dmcxblue.gitbook.io/red-team-notes/untitled-2.md): The adversary is trying to figure out your environment.
- [Lateral Movement](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement.md): The adversary is trying to move through your environment.
- [Pass the Ticket](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/pass-the-ticket.md): ID: T1097 Tactic: Lateral Movement
- [Pass the Hash](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/pass-the-hash.md): ID: T1075 Tactic: Lateral Movement
- [Remote Desktops](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/remote-desktops.md): ID: T1076 Tactic: Lateral Movement
- [Internal Spearphishing](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/internal-spearphishing.md): ID: T1534 Tactic: Lateral Movement
- [Windows Admin Shares](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/untitled.md): ID: T1077 Tactic: Lateral Movement
- [Component Object Model and Distributed COM](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/component-object-model-and-distributed-com.md): ID: T1175 Tactic: Lateral Movement, Execution
- [Windows Remote Management](https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/windows-remote-management.md): ID: T1028 Tactic: Execution, Lateral Movement
- [Collection](https://dmcxblue.gitbook.io/red-team-notes/collection.md)
- [Command and Control](https://dmcxblue.gitbook.io/red-team-notes/command-and-control.md)
- [Exfiltration](https://dmcxblue.gitbook.io/red-team-notes/exfiltration.md)
- [Impact](https://dmcxblue.gitbook.io/red-team-notes/impact.md)
- [Introduction](https://dmcxblue.gitbook.io/red-team-notes/active-directory/introduction.md)
- [Kerberos](https://dmcxblue.gitbook.io/red-team-notes/active-directory/introduction/kerberos.md): A computer-network authentication protocol that works on the basis of tickets.
- [LDAP](https://dmcxblue.gitbook.io/red-team-notes/active-directory/introduction/ldap.md): Lightweight Directory Access Protocol
- [Enumeration](https://dmcxblue.gitbook.io/red-team-notes/active-directory/enumeration.md): Techniques used to discover interesting things in Active Directory.
- [Attacks](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled.md): Some techniques used to gain any form of access, code execution, privesc, persistence, or information in general.
- [Unconstrained Delegation](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled/untitled-3.md)
- [Constrained Delegation](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled/untitled-2.md)
- [DCSync](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled/untitled-1.md)
- [Kerberoasting](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled/untitled.md)
- [Silver Tickets](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled/silver-tickets.md)
- [Golden Tickets](https://dmcxblue.gitbook.io/red-team-notes/active-directory/untitled/golden-tickets.md)
- [Detection](https://dmcxblue.gitbook.io/red-team-notes/detection/untitled.md): Blue Team (Sort Of)
- [Initial Access](https://dmcxblue.gitbook.io/red-team-notes/detection/initial-access.md): The adversary is trying to gain access to your network.
- [Execution](https://dmcxblue.gitbook.io/red-team-notes/detection/execution.md): The adversary is trying to run malicious code.
- [MSHTA (Detection)](https://dmcxblue.gitbook.io/red-team-notes/detection/execution/mshta-detection.md): Microsoft HTML Application
- [References & Resources](https://dmcxblue.gitbook.io/red-team-notes/resources-and-references/untitled.md): Some of the places I looked for and want to see in the future.
---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on a page URL with the `ask` query parameter:
```
GET https://dmcxblue.gitbook.io/red-team-notes/master.md?ask=<question>
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
