Windows Pentesting Resources:

Fun with LDAP, Kerberos (and MSRPC) in AD Environments

From XML External Entity to NTLM Domain Hashes

Windows Privilege Escalation Guide

Windows oneliners to download remote payload and execute arbitrary code

Passing the hash with native RDP client (mstsc.exe)

Escalating privileges with ACLs in Active Directory

Automation Framework for the Atomic Red Team

Skip Cracking Responder Hashes and Relay Them

Exchange-AD-Privesc: Repository of Exchange privilege escalations to Active Directory

This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.

WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets

Hiding Metasploit Shellcode to Evade Windows Defender

Unofficial Guide to Mimikatz & Command Reference

Gathering AD Data with the Active Directory PowerShell Module

Detecting hypervisor presence on Windows 10

Domain user Enumeration Tool

Blue Cloud of Death: Red Teaming Azure

Ring +3 Malwares: Few tricks

Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts

Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.

Windows Userland Persistence Fundamentals

DLL Hijacking via URL files

Enumerating remote access policies through GPO


DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.

5 Ways to Find Systems Running Domain Admin Processes

How to bypass GPO Policy restriction for PowerShell usage

ADAPE - Active Directory Assessment and Privilege Escalation Script

Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer

Understanding and Evading Get-InjectedThread

PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.

Dumping Clear-Text Credentials

Office365 ActiveSync Username Enumeration

This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.

NBNS Spoofing

NTLMv1 Multitool

This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES mode 14000 in hashcat.


This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads and kills them. The system will then no longer be able to collect logs, while the Event Log Service still appears to be running.

Dumping Active Directory Domain Info – with PowerUpSQL!

15 Ways to Bypass the PowerShell Execution Policy

Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques

Abusing DCOM For Yet Another Lateral Movement Technique


This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.

[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)

Active Directory as a C2 (Command & Control)

Bypassing Device Guard with .NET Assembly Compilation Methods

DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction

Jumping Network Segregation with RDP

PowerShell Shellcode Injection on Win 10 (v1803)

Empire Web v2 Launched: A Web Interface to PowerShell Empire

Hidden Administrative Accounts: BloodHound to the Rescue

Extracting Service Account Passwords with Kerberoasting

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.


Netcat: The PowerShell version

Windows Privilege Escalation Methods for Pentesters

Getting Domain Admin with Kerberos Unconstrained Delegation

Scanning for Active Directory Privileges & Privileged Accounts

Automated AD and Windows test lab deployments with Invoke-ADLabDeployer

Simplifying Password Spraying

A Password Spraying tool for Active Directory Credentials

Abusing SeLoadDriverPrivilege for privilege escalation

Exploring PowerShell AMSI and Logging Evasion

Weaponizing .SettingContent-ms Extensions for Code Execution

WMImplant Post-Exploitation – An Introduction

PowerShell: How to get a list of all installed Software on Remote Computers

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

Disabling AMSI in JScript with One Simple Trick

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

A multithreaded tool designed to identify, at scale and via SMB, whether credentials within a network are valid, invalid, or valid as local admin; it now also includes a user hunter.

PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.

Bypassing SQL Server Logon Trigger Restrictions

Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page.

Incapacitating Windows Defender

Red Team Tales 0x01: From MSSQL to RCE

LethalHTA - A new lateral movement technique using DCOM and HTA

What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective

PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation purposes.

Using a SCF File to gather Hashes

A Guide to Attacking Domain Trusts

RE: Evading Autoruns PoCs on Windows 10

Feature, not bug: DNSAdmin to DC compromise in one line

Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS

Domain Access With Write Access on the Domain NC Head

Extracting User Password Data with Mimikatz DCSync

Passing-the-Hash to NTLM Authenticated Web Applications

Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs

Veil Payloads and Veil-Ordnance

Clear all your logs on Linux/Windows servers

Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.

Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)

Anonymously Enumerating Azure File Resources

Weaponize PDF with embedding SettingContent-ms inside PDF.

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Compromising an Azure Windows 2008 R2 SP1 VM

Microsoft LAPS Security & Active Directory LAPS Configuration Recon

PowerShell is definitely a "gateway drug" to C#: GhostPack is a collection of new security tools (currently C#) that sidestep the attention PowerShell monitoring is getting.

Domain Goodness – How I Learned to LOVE AD Explorer

Another way to get to a system shell – Assistive Technology

Robber : An open source tool for finding executables prone to DLL hijacking

SafetyKatz: a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.

Stored passwords found all over the place after installing Windows in company networks

Security Fun: Bloodhound, MS16-072 and GPO Discoverability

Netsh DLL Helpers

Post Exploitation Using WMIC (System Command)

Notes on Windows Privilege Escalation

Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin

Ultimate AppLocker ByPass List: The goal of this repository is to document the most common techniques to bypass AppLocker.

LDAP Injection Cheat Sheet, Attack Examples & Protection

PowerShell script which allows pausing/unpausing Win32/64 executables

ASP.NET resource files (.RESX) and deserialisation issues

Exploiting XXE Vulnerabilities in IIS/.NET

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

Capturing NetNTLM Hashes with Office [DOT] XML Documents

pOWershell obFUsCation

Copying Files via WMI and PowerShell

Using WinRM Through Meterpreter

PowerShell Runspace Post Exploitation Toolkit


PowerShell one-liner to retrieve WDigest passwords from memory

Golden Ticket Attack Execution Against AD-Integrated SSO providers

Windows Privilege Escalation Fundamentals

Unstoppable Service:

A pattern for a self-installing Windows service in C# with the "unstoppable" attributes.

Driver loader for bypassing Windows x64 Driver Signature Enforcement

Subverting Sysmon

An implementation of PSExec in C#

SMBetray: Backdooring and Breaking Signatures

ADRecon: Active Directory Recon Blackhat Arsenal 2018


A tool for generating COM Hijacking payload.

DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities

From Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it

Tools for instrumenting Windows Defender's mpengine.dll

Art of Anti Detection 1 – Introduction to AV & Detection Techniques

Ridrelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.

Remotely Enumerate Anti-Virus Configurations

Juicy Potato (abusing the golden privileges)

Hacking around HTA files

Koadic C3 COM Command & Control - JScript RAT

Phishing – Ask and ye shall receive

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

Bypass in Microsoft AD FS Multi-Factor Authentication protocol (CVE-2018-8340):

Multi-Factor Mixup: Who Were You Again?

Reconerator: C# Targeted Attack Reconnaissance Tools

DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more

Skeleton Key Attack

Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe

SANS Webcast: PowerShell for PenTesting

Microsoft.Workflow.Compiler.exe Mimikatz Runner.


Use PowerShell to list the RDP connection history of logged-in users or all users

A Universal Windows Bootkit

An analysis of the MBR bootkit referred to as “HDRoot"

Broadcast Name Resolution Poisoning / WPAD Attack Vector

.NET Deserialization To NTLM Hashes

Python tool to inject fake updates into unencrypted WSUS traffic

Remotely Modify Anti-Virus Configurations

Making The Perfect Injector: Abusing Windows Address Sanitization And CoW

Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files

Extracting SSH Private Keys from Windows 10 ssh-agent

Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)

CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service

Operational Guidance for Offensive User DPAPI Abuse

Kerberoasting and SharpRoast output parsing!


This module is designed to be a platform to test an endpoint's application whitelisting effectiveness by providing bypasses to solutions such as Software Restriction Policies and AppLocker.

Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo

Privilege Escalation & Post-Exploitation Docs

Task Scheduler ALPC exploit (unpatched) && PoC by SandboxEscaper

Remote NTLM relaying through meterpreter on Windows port 445

Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike

Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint

Having Fun with ActiveX Controls in Microsoft Word

Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team

AppLocker Bypass - CMSTP

Persistence using AdminSDHolder and SDProp

Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure

Walk-through Mimikatz sekurlsa module

windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems

Understanding how DLL Hijacking works

Playing with Relayed Credentials

DDE Downloaders, Excel Abuse, and a PowerShell Backdoor

A detailed technical explanation of CVE-2018-8120

A PowerShell example of the Windows zero day priv esc

You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows

CVE-2018-8420 - Microsoft XML Core Services MSXML RCE through web browser PoC

Bypassing AppLocker Custom Rules

0x09AL Security blog


Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege

How to add a module in Mimikatz?

Multiple Ways to Bypass UAC using Metasploit

From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter

Using Mimikatz From a JSP shell

Poking Around With 2 lsass Protection Options

Introducing SharpSploit: A C# Post-Exploitation Library

Faster Domain Escalation using LDAP

A Lesson in .NET Framework Versions

Command and Control Using Active Directory

L1TF (Foreshadow) VM guest to host memory read PoC

SMB hash hijacking & user tracking in MS Outlook

SharpBox is a C# tool for compressing, encrypting, and exfiltrating data to DropBox using the DropBox API

From Kekeo to Rubeus

Tokenvator: Release 2

AppLocker CLM Bypass via COM

Injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC

Responder and Layer 2 Pivots

PowerShell: Documenting your environment by running systeminfo on all Domain-Computers

The power of backup operators

Abusing Windows Library Files for Persistence

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

Invoke-Confusion: .NET attacker of PowerShell remotely

Creating Persistence with DCShadow

Time Travel Debugging: finding Windows GDI flaws

Malicious use of Microsoft “Local Administrator Password Solution”

Tokenvator Wiki

ServiceFu: Harvesting Service Account Credentials Remotely

Operating Offensively Against Sysmon

Exploiting Regedit: Invisible Persistence & Binary Storage


Attacking Azure Environments with PowerShell

MicroBurst: A collection of scripts for assessing Microsoft Azure security

Gaining a foothold in Active Directory in one command

Dan McInerney at SaintCon

[Tool] Icebreaker:

Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment

Leveraging WSUS – Part One

Powershell Payload Delivery via DNS using Invoke-PowerCloud

SharpAttack: A console for certain tasks on security assessments. It leverages .NET and the Windows API (and cobbr_io's SharpSploit) to perform its work. It contains commands for domain enumeration, code execution, and other fun things.

Living Off the Land