ATT&CK Framework mapping
By default, all lab scenarios have been categorized by Tactic:
- Initial Access (TA0001)
- Execution (TA0002)
- Persistence (TA0003)
- Privilege Escalation (TA0004)
- Defense Evasion (TA0005)
- Credential Access (TA0006)
- Discovery (TA0007)
- Lateral Movement (TA0008)
- Collection (TA0009)
- Command and Control (TA0011)
- Exfiltration (TA0010)
- Impact (TA0040)
- Breach and Attack Simulations
- Forensics
Red vs Blue Hands-On Labs Index
v1.0.1.2021
- LOLbins / one-liners for bind & reverse shells, download/upload, file compression tricks
- AD and Network Enumeration
- AD Kerberos password spraying and brute-forcing
- Windows Integrity Levels
- Evil-WinRM pivoting + Ghostpack enumeration
- Bypass UAC over Koadic C3
- Dump lsass at scale
- AD Credential Dumping using Impacket's secretsdump
- Dumping DC Hashes via wmic and Vssadmin Shadow Copy
- PPID spoofing and command argument spoofing
- DLL Hijacking against MSDTC service for persistence
- OCI DLL Hijacking
- Windows Process Injection / Hollowing Techniques
- Windows CMSTP + Rundll Network Connection
- Windows MSBuild In-memory Code Execution
- Windows MSHTA + Windows Script Component
- Windows Bitsadmin
- Windows New Firewall Rule
- Windows Sharpshooter + Metasploit Framework + SMB Named Pipe Pivoting
- Windows Schtasks Persistence
- Windows Application Shimming Persistence
- Windows Winlogon Helper DLL Persistence
- AD Skeleton Key Persistence
- Pass The Hash over dcomexec / psexec / wmiexec / smbexec
- Evading Sysmon and Windows Event Logging
- SMB named pipes for lateral movement
- RDP no-GUI Remote Command Execution
- Ask for Windows passwords from PowerShell
- Shad0w beacons
- Donuts, donuts, anyone?
- ADS NTFS
- The power of SharpDPAPI
- Windows Pcap driver installation
- AD Silver and Golden tickets
- AD Kerberoasting / DCsync / DCShadow
- Linux ELF in-memory code execution for running network events
- Linux syscall faulting for C2 agent execution
- Injecting an ELF file into a remote Linux process
- Linux GDB Shared Library Injection
- Linux sshd Injection + password extraction
- Linux Apache rootkit + command execution over HTTP
- Linux kernel space rootkits and backdoors vs LKRG
- Invoking Linux Reverse shell from kernel space in response to ICMP
- Hidden channel over ICMP!
- Customize dnscat2, tunnel, and exfiltrate data over DNS
- In-memory DNS AAAA implant for Linux
- DNS AXFR Payload Delivery
- DNS Fast-flux domains
- DNS dictionary and random characters DGA
- HTTP/2 Exfiltration and DNS over HTTPS C2
- DLP validation through data exfiltration using multiple network channels at once
- Playing with LDAP as payload delivery channel / hidden storage
- Tunneling traffic into internal networks
- Mutual TLS / SSL C2 communication
- SNI-based TLS data exfiltration
- Stageless and staged payloads in different formats + whitelist bypassing + armoring + sandbox detection
- C2 and data exfiltration over clouds (Dropbox, Google Drive, Slack, Discord)
- NTLM Multi-relaying and command execution + BadPDF
- HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies, WebDAV, WebSockets
- Clone, armor, and phish popular websites and use them for covert channel
- Playing “QUIC” exfil game
- Local network scanning from the pwned OS/browser through XSS
- Looping, port forwarding, pivoting, and routing tricks through Covenant / Meterpreter / Empire and other C2 Frameworks
- Pivot and pwn over HTTP Socks Proxy Tunneling
- Web categorization | Domain fronting for SharpChisel
- Pwn remote Docker host over DNS rebinding
- Octopus AES-256 Encrypted C2
- Playing with PoshC2 post-exploitation modules
- Slow exfil - sending data in small "chunks"
- Port Knocking
- Punching holes in your NAT
- YouTube-based command delivery and execution
- Google Translator as a C2 Proxy
- Auditing and exfiltrating data against layer 7 inspection rules on NG-firewalls
- Network/exfiltration modules of Nishang, PowerSploit, Powercat, Empire
- The world of web shells
- Network hops chaining and hiding behind open proxies
- Tor network traffic simulations
- P2P network traffic simulations
- Network flooding
- DHCP Starvation
- Text-based steganography and hiding data in images
- SSH tunneling tips and tricks
- Network and OS artifacts for upgrading the shells and changing the transport on the fly
- Request throttling, behavior tuning, and profile customization of beacon/shell connections
- Breach and Attack Simulation Frameworks and toolkits
- Memory Forensics
- Infection Monkey Automated Adversary Simulations
- Network Flight Simulator
- Purple Team ATT&CK Automation
- Atomic Red Team Simulations
- Falco vs Linux / Docker auditing
- Playing with CME + atsvc
- NTP Exfiltration vs Moloch
- Hello my PupyRAT, Grat2 C2 & NinjaC2