{"version":1,"pages":[{"id":"-Lx2b82dcILEOb33zeHp","title":"Introduction","pathname":"/red-team-notes","siteSpaceId":"sitesp_GEmbn","description":"Red Team notes"},{"id":"-MRlW0GgDri9a95N_dgf","title":"Red Team Notes 2.0","pathname":"/red-team-notes/red-team-notes-2.0","siteSpaceId":"sitesp_GEmbn","description":"Updates Notes!!"},{"id":"-M-AvBfU3CoQvxzbTy6D","title":"Red Team","pathname":"/red-team-notes/red-team","siteSpaceId":"sitesp_GEmbn","description":"The offensive side"},{"id":"-Lx2cVymNFIfq-qsOnnd","title":"Initial Access","pathname":"/red-team-notes/initial-acces","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to get into your network."},{"id":"-Lx3XpBcn50c9IY0oQwP","title":"Spear Phishing Links","pathname":"/red-team-notes/initial-acces/spear-phishing-links","siteSpaceId":"sitesp_GEmbn","description":"The use of Links attached to the email or sent in plain text to confuse the victim on to clicking and avoiding Email providers scanners.","breadcrumbs":[{"label":"Initial Access"}]},{"id":"-Lx2p-pSGDkk3509rL6w","title":"HTA Files","pathname":"/red-team-notes/initial-acces/spear-phishing-links/tools","siteSpaceId":"sitesp_GEmbn","description":"Microsoft HTML Applications (HTA)","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Links"}]},{"id":"-Lx7uyG9BEqyVjjqA8dJ","title":"Binaries","pathname":"/red-team-notes/initial-acces/spear-phishing-links/binaries","siteSpaceId":"sitesp_GEmbn","description":"The use of binaries has highly decreased but this is still a good example on how User's download EXE files and give access to attackers","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Links"}]},{"id":"-Lx7Hz5zYf-d7x-Gso9-","title":"PDF Files","pathname":"/red-team-notes/initial-acces/spear-phishing-links/pdf","siteSpaceId":"sitesp_GEmbn","description":"These will just be simple PDF files with a link on the Document, I will add a Link that when click will send the user to a controlled server","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Links"}]},{"id":"-Lx3Y1C69rE7xMpUqQ48","title":"SET(Social-Engineering Toolkit)","pathname":"/red-team-notes/initial-acces/spear-phishing-links/set-social-engineering-toolkit","siteSpaceId":"sitesp_GEmbn","description":"A social engineering framework frequently used for the gather of credentials or user execution access. I am using this Framework to automate most of the job to setup a Phishing Page","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Links"}]},{"id":"-Lx2cs-pnxxqksTDIQEI","title":"Spear Phishing Attachments","pathname":"/red-team-notes/initial-acces/spear-phishing","siteSpaceId":"sitesp_GEmbn","description":"The use of attaching a malicious file onto an Email.","breadcrumbs":[{"label":"Initial Access"}]},{"id":"-LxARwCVwoFwsmbGP5LQ","title":"Macros","pathname":"/red-team-notes/initial-acces/spear-phishing/macros","siteSpaceId":"sitesp_GEmbn","description":"Macro are series of instructions to automate tasks a scripting language helping adversaries to automate various attacks.","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Attachments"}]},{"id":"-M0dByYRhY8wbXyvxh2R","title":"Dynamic Data Exchange","pathname":"/red-team-notes/initial-acces/spear-phishing/macroless","siteSpaceId":"sitesp_GEmbn","description":"ID: T1173 Tactic: Execution","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Attachments"}]},{"id":"-Lx9njcCSwiimPAUR9tO","title":"SCR Files","pathname":"/red-team-notes/initial-acces/spear-phishing/scr-files","siteSpaceId":"sitesp_GEmbn","description":"SCR files are screensaver files use by Windows for energy saving purposes. I will create simply binaries and changing the extension from EXE to SCR.","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Attachments"}]},{"id":"-Lyeom5haug6avL1wKL4","title":"LNK Files","pathname":"/red-team-notes/initial-acces/spear-phishing/lnk-files","siteSpaceId":"sitesp_GEmbn","description":"Also known as Shortcuts","breadcrumbs":[{"label":"Initial Access"},{"label":"Spear Phishing Attachments"}]},{"id":"-M5hoT0KpdTEfR8LcBQO","title":"(+) Links and Attachments","pathname":"/red-team-notes/initial-acces/untitled-3","siteSpaceId":"sitesp_GEmbn","description":"An approach to better understand this technique at a deeper level","breadcrumbs":[{"label":"Initial Access"}]},{"id":"-LxDMFhmhBrwNib5umjw","title":"Execution","pathname":"/red-team-notes/execution","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to run malicious code."},{"id":"-LxDOcDvVeLF3Bp3CjOw","title":"Component Object Model and Distributed COM","pathname":"/red-team-notes/execution/com","siteSpaceId":"sitesp_GEmbn","description":"ID: T1175 Tactic: Lateral Movement, Execution","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxE5a7PX3kV4ZuQ-SFz","title":"MSHTA","pathname":"/red-team-notes/execution/mshta","siteSpaceId":"sitesp_GEmbn","description":"Microsoft HTML Applications","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxKeuPWco4RhDKRCIfg","title":"PowerShell","pathname":"/red-team-notes/execution/powershell","siteSpaceId":"sitesp_GEmbn","description":"PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxOC5Wr51j5plED1yqK","title":"Rundll32","pathname":"/red-team-notes/execution/untitled","siteSpaceId":"sitesp_GEmbn","description":"This program can be called to execute an arbitrary binary. This can be taking in as an advantage to avoid triggering security tools.","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxTEpMXmL10yRjNVIs2","title":"Scheduled Tasks","pathname":"/red-team-notes/execution/scheduled-tasks","siteSpaceId":"sitesp_GEmbn","description":"ID: T1053 Tactic: Execution, Persistence, Privilege Escalation","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxTSmJwqlTgPeyhSZUg","title":"Scripting","pathname":"/red-team-notes/execution/untitled-1","siteSpaceId":"sitesp_GEmbn","description":"ID: T1064 Tactic: Defense Evasion, Execution","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxU86evCXHe9Ve5NVVE","title":"Trusted Developer Utilities","pathname":"/red-team-notes/execution/trusted-developer-utilities","siteSpaceId":"sitesp_GEmbn","description":"ID: T1127 Tactic: Defense Evasion, Execution","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxXvHJTZXWzky2_dTdt","title":"MSBuild","pathname":"/red-team-notes/execution/trusted-developer-utilities/msbuild","siteSpaceId":"sitesp_GEmbn","description":"A trusted Windows signed binary.","breadcrumbs":[{"label":"Execution"},{"label":"Trusted Developer Utilities"}]},{"id":"-M-HP6z1t-HH2G7ArUPn","title":"Regsvr32","pathname":"/red-team-notes/execution/trusted-developer-utilities/regsvr32","siteSpaceId":"sitesp_GEmbn","description":"ID: T1117 Tactic: Defense Evasion, Execution","breadcrumbs":[{"label":"Execution"},{"label":"Trusted Developer Utilities"}]},{"id":"-M-IqKo--IGrMYYnrxGl","title":"Windows Remote Management","pathname":"/red-team-notes/execution/windows-remote-management","siteSpaceId":"sitesp_GEmbn","description":"ID: T1028 Tactic: Execution, Lateral Movement","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxZMpUYAdgAIU5EhvVr","title":"Windows Management Instrumentation (WMI)","pathname":"/red-team-notes/execution/windows-management-instrumentation-wmi","siteSpaceId":"sitesp_GEmbn","description":"ID: T1047 Tactic: Execution","breadcrumbs":[{"label":"Execution"}]},{"id":"-LxcSyI0xhmR0HfO2hvH","title":"Persistence","pathname":"/red-team-notes/persistence","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to maintain their foothold"},{"id":"-M04IFwTtPgDTkRfO44Z","title":"Scheduled Tasks","pathname":"/red-team-notes/persistence/scheduled-tasks","siteSpaceId":"sitesp_GEmbn","description":"ID: T1053 Tactic: Execution, Persistence, Privilege Escalation","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LxcTuRlV7ZTEKqIc11m","title":"Create Account","pathname":"/red-team-notes/persistence/create-account","siteSpaceId":"sitesp_GEmbn","description":"ID: T1136 Tactic: Persistence","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LxceCrSXOLnQbQTiSo6","title":"DLL Search Order Hijacking","pathname":"/red-team-notes/persistence/dll-search-order-hijacking","siteSpaceId":"sitesp_GEmbn","description":"ID: T1038 Tactic: Persistence, Privilege Escalation, Defense Evasion","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LxhoKuA31oAe9BXL5R7","title":"Hooking","pathname":"/red-team-notes/persistence/hooking","siteSpaceId":"sitesp_GEmbn","description":"ID: T1179 Tactic: Persistence, Privilege Escalation, Credential Access","breadcrumbs":[{"label":"Persistence"}]},{"id":"-Lxm7LsweDQDFxfkyZA2","title":"Logon Scripts","pathname":"/red-team-notes/persistence/logon-scripts","siteSpaceId":"sitesp_GEmbn","description":"ID: T1037 Tactic: Lateral Movement, Persistence","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LxtCFkcbZ3eHCpBo1J1","title":"Modify Existing Service","pathname":"/red-team-notes/persistence/modify-existing-service","siteSpaceId":"sitesp_GEmbn","description":"ID: T1031 Tactic: Persistence","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LyRG2xTxpdStL06wpCN","title":"New Service","pathname":"/red-team-notes/persistence/new-service","siteSpaceId":"sitesp_GEmbn","description":"ID: T1050 Tactic: Persistence, Privilege Escalation","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LyRNosmELt81nS5AC12","title":"Path Interception","pathname":"/red-team-notes/persistence/path-interception","siteSpaceId":"sitesp_GEmbn","description":"ID: T1034 Tactic: Persistence, Privilege Escalation","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LxnMuIP_O4HZf1fQiYh","title":"Registry Keys / StartUp Folder","pathname":"/red-team-notes/persistence/registry-keys-startup-folder","siteSpaceId":"sitesp_GEmbn","description":"ID: T1060 Tactic: Persistence","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LyVug6KMEhRHiCjA_HO","title":"ShortCut Modification","pathname":"/red-team-notes/persistence/shortcut-modification","siteSpaceId":"sitesp_GEmbn","description":"ID: T1023 Tactic: Persistence","breadcrumbs":[{"label":"Persistence"}]},{"id":"-LyW-zg1G5hGQGGaHPQP","title":"Privesc","pathname":"/red-team-notes/privesc","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to gain higher-level permissions."},{"id":"-Ly_KLlFWp9GTHaVydOL","title":"Access Token Manipulation","pathname":"/red-team-notes/privesc/access-token-manipulation","siteSpaceId":"sitesp_GEmbn","description":"ID: T1134 Tactic: Defense Evasion, Privilege Escalation","breadcrumbs":[{"label":"Privesc"}]},{"id":"-LyfIL7SB3AUzD52ETTr","title":"DLL Search Order Hijacking","pathname":"/red-team-notes/privesc/dll-search-order-hijacking","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Privesc"}]},{"id":"-LyfFDvUNql-bXG57ZIG","title":"Exploitation for Privesc","pathname":"/red-team-notes/privesc/exploitation-for-privesc","siteSpaceId":"sitesp_GEmbn","description":"ID: T1068 Tactic: Privilege Escalation","breadcrumbs":[{"label":"Privesc"}]},{"id":"-Lyfb_OkVTjAeOGo_U7-","title":"File System Permissions Weakness","pathname":"/red-team-notes/privesc/file-system-permissions-weakness","siteSpaceId":"sitesp_GEmbn","description":"ID: T1044 Tactic: Persistence, Privilege Escalation","breadcrumbs":[{"label":"Privesc"}]},{"id":"-LzT_pE2u3CmnBFqOThm","title":"Always Install Elevated","pathname":"/red-team-notes/privesc/unquoted-service-path","siteSpaceId":"sitesp_GEmbn","description":"A functionality that allows a regular user to install MSI files with high privileges.","breadcrumbs":[{"label":"Privesc"}]},{"id":"-LyodGhtHuJ3MAGMYMqw","title":"Defense Evasion","pathname":"/red-team-notes/untitled","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to avoid being detected."},{"id":"-LyodIClMN4yCPUSkjAo","title":"Credential Access","pathname":"/red-team-notes/untitled-1","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to steal account names and passwords."},{"id":"-LzYbVHWUPR81HEh-p8f","title":"Credential Dumping","pathname":"/red-team-notes/untitled-1/credential-dumping","siteSpaceId":"sitesp_GEmbn","description":"ID: T1003 Tactic: Credential Access","breadcrumbs":[{"label":"Credential Access"}]},{"id":"-Lzcj5MaRTLIeoIq2jkb","title":"Kerberoasting","pathname":"/red-team-notes/untitled-1/kerberoasting","siteSpaceId":"sitesp_GEmbn","description":"ID: T1208 Tactic: Credential Access","breadcrumbs":[{"label":"Credential Access"}]},{"id":"-LzhZKG_LFPNwwe7YV3c","title":"LLMNR/NBT-NS Poisoning and Relay","pathname":"/red-team-notes/untitled-1/llmnr-nbt-ns-poisoning-and-relay","siteSpaceId":"sitesp_GEmbn","description":"ID: T1171 Tactic: Credential Access","breadcrumbs":[{"label":"Credential Access"}]},{"id":"-LyodIlWBy3IaZ81UQ4q","title":"Discovery","pathname":"/red-team-notes/untitled-2","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to figure out your environment."},{"id":"-Lyod5Mg9Wc2J5AqwXZ8","title":"Lateral Movement","pathname":"/red-team-notes/lateral-movement","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to move through your environment"},{"id":"-LzEfeWV2fNgavGS-Bfq","title":"Pass the Ticket","pathname":"/red-team-notes/lateral-movement/pass-the-ticket","siteSpaceId":"sitesp_GEmbn","description":"ID: T1097 Tactic: Lateral Movement","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-Lz8OD6YjGOJaRS9QvhZ","title":"Pass the Hash","pathname":"/red-team-notes/lateral-movement/pass-the-hash","siteSpaceId":"sitesp_GEmbn","description":"ID: T1075 Tactic: Lateral Movement","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-LypOmINJDpkVOC7G-4Q","title":"Remote Desktops","pathname":"/red-team-notes/lateral-movement/remote-desktops","siteSpaceId":"sitesp_GEmbn","description":"ID: T1076 Tactic: Lateral Movement","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-Lyog2dpEFnWNj9IuayP","title":"Internal Spearphishing","pathname":"/red-team-notes/lateral-movement/internal-spearphishing","siteSpaceId":"sitesp_GEmbn","description":"ID: T1534 Tactic: Lateral Movement","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-Lyp7pTaBh7QzP-wTgWg","title":"Windows Admin Shares","pathname":"/red-team-notes/lateral-movement/untitled","siteSpaceId":"sitesp_GEmbn","description":"ID: T1077 Tactic: Lateral Movement","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-M-Io0air0wrm0s43RVL","title":"Component Object Model and Distributed COM","pathname":"/red-team-notes/lateral-movement/component-object-model-and-distributed-com","siteSpaceId":"sitesp_GEmbn","description":"ID: T1175 Tactic: Lateral Movement, Execution","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-M-IqBOLn0J8y_GCi5yc","title":"Windows Remote Management","pathname":"/red-team-notes/lateral-movement/windows-remote-management","siteSpaceId":"sitesp_GEmbn","description":"ID: T1028 Tactic: Execution, Lateral Movement","breadcrumbs":[{"label":"Lateral Movement"}]},{"id":"-Lzx1WLCTs7KqdYmXDzA","title":"Collection","pathname":"/red-team-notes/collection","siteSpaceId":"sitesp_GEmbn","description":""},{"id":"-Lzx1YkgwVQdeHKvTtTC","title":"Command and Control","pathname":"/red-team-notes/command-and-control","siteSpaceId":"sitesp_GEmbn","description":""},{"id":"-Lzx1ZCqXcQ74L5bklge","title":"Exfiltration","pathname":"/red-team-notes/exfiltration","siteSpaceId":"sitesp_GEmbn","description":""},{"id":"-Lzx1fNK-Ei7tA_OJB3Z","title":"Impact","pathname":"/red-team-notes/impact","siteSpaceId":"sitesp_GEmbn","description":""},{"id":"-Lzx1uKqjsyR2jNcklr8","title":"Introduction","pathname":"/red-team-notes/active-directory/introduction","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"}]},{"id":"-M-pjov9J4BYedHTz684","title":"Kerberos","pathname":"/red-team-notes/active-directory/introduction/kerberos","siteSpaceId":"sitesp_GEmbn","description":"A computer-network authentication protocol that works on the basis of tickets.","breadcrumbs":[{"label":"Active Directory"},{"label":"Introduction"}]},{"id":"-M-uDIK67xRrM30uRFme","title":"LDAP","pathname":"/red-team-notes/active-directory/introduction/ldap","siteSpaceId":"sitesp_GEmbn","description":"Lightweight Directory Access Protocol","breadcrumbs":[{"label":"Active Directory"},{"label":"Introduction"}]},{"id":"-Lzx7CfLXDvyYSxH6_Ab","title":"Enumeration","pathname":"/red-team-notes/active-directory/enumeration","siteSpaceId":"sitesp_GEmbn","description":"Techniques used to Discover interesting stuff in the Active Directory.","breadcrumbs":[{"label":"Active Directory"}]},{"id":"-LzxO2sKONjyNslcMkfV","title":"Attacks","pathname":"/red-team-notes/active-directory/untitled","siteSpaceId":"sitesp_GEmbn","description":"Some Techniques used to gain any form of Access, Code Execution, Privesc, Persistence or Info in General.","breadcrumbs":[{"label":"Active Directory"}]},{"id":"-M-XB9lAKc6ss2cON29j","title":"Unconstrained Delegation","pathname":"/red-team-notes/active-directory/untitled/untitled-3","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"},{"label":"Attacks"}]},{"id":"-M-XB9438jjzFAc4y7vg","title":"Constrained Delegation","pathname":"/red-team-notes/active-directory/untitled/untitled-2","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"},{"label":"Attacks"}]},{"id":"-M-XB828jGWONIysaUiY","title":"DCSync","pathname":"/red-team-notes/active-directory/untitled/untitled-1","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"},{"label":"Attacks"}]},{"id":"-M-XB6uvC5U-eFZyyROd","title":"Kerberoasting","pathname":"/red-team-notes/active-directory/untitled/untitled","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"},{"label":"Attacks"}]},{"id":"-M1mMjQNk2XIkKO_bqrb","title":"Silver Tickets","pathname":"/red-team-notes/active-directory/untitled/silver-tickets","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"},{"label":"Attacks"}]},{"id":"-M1mP474pCJsqr3fIGRC","title":"Golden Tickets","pathname":"/red-team-notes/active-directory/untitled/golden-tickets","siteSpaceId":"sitesp_GEmbn","description":"","breadcrumbs":[{"label":"Active Directory"},{"label":"Attacks"}]},{"id":"-M-WT6YRy9a3LiFC2wlK","title":"Detection","pathname":"/red-team-notes/detection/untitled","siteSpaceId":"sitesp_GEmbn","description":"Blue Team (Sort Of)","breadcrumbs":[{"label":"Detection"}]},{"id":"-M7G7SIpH1HBwEXcEQpP","title":"Initial Access","pathname":"/red-team-notes/detection/initial-access","siteSpaceId":"sitesp_GEmbn","description":"The Adversary is trying to gain access to your Network","breadcrumbs":[{"label":"Detection"}]},{"id":"-M7JfTFhP9-K31g-hAbd","title":"Execution","pathname":"/red-team-notes/detection/execution","siteSpaceId":"sitesp_GEmbn","description":"The adversary is trying to run malicious code","breadcrumbs":[{"label":"Detection"}]},{"id":"-M7LGpeyY39YTLf3-_Lc","title":"MSHTA (Detection)","pathname":"/red-team-notes/detection/execution/mshta-detection","siteSpaceId":"sitesp_GEmbn","description":"Microsoft HTML Application","breadcrumbs":[{"label":"Detection"},{"label":"Execution"}]},{"id":"-M34LELNKPhxAZjld6W-","title":"References & Resources","pathname":"/red-team-notes/resources-and-references/untitled","siteSpaceId":"sitesp_GEmbn","description":"Some of the places I looked for and want to see in the future.","breadcrumbs":[{"label":"Resources & References"}]}]}