Tech Solvency / Red Team

Architecture/ecosystem

Red Teaming Through Mistakes (Tim MalcomVetter)
Penetration Testing vs. Red Teaming: PCI Edition (Tim MalcomVetter)
10 Red Teaming Lessons Learned Over 20 Years
Millennium Challenge 2002
Inside the UAE's Secret Hacking Team of American Mercenaries / and Deep Pockets, Deep Cover
How to build an internal red team

Recon

Subdomain enumeration
Zen - find emails of Github users
inteltechniques.com - OSINT buffet
kbd-audio - tools for capturing and analyzing keyboard input paired with microphone capture (via @feross)
emtunc/SlackPirate - Slack enumeration and extraction tool
NotMedit/markvulnerable.py - mark boxes as vulnerable in Bloodhound to enhance attack-path generation

Nmap range of ports lower than the top X ports (top 100-150, etc.): (@bonsaiviking tweet):

 # Scan the N most popular ports 
 # *after* the M most popular ports.
 #
 nmap --top-ports N --exclude-ports \
 $(nmap -v -oG - --top-ports M \
 | awk -F'[;)]' '/Ports/{print $2}')

OWASP Amass - network mapping of attack surfaces and external asset discovery
Finding Privilege Escalation Vulnerabilities in Windows using Process Monitor (Will Dormann, CERT/CC)

Credentials acquisition and usage

Mimikatz saved-credentials howto
subdoc injector
MimkatzCollider (Mimikatz + HashClash)
nndefaccts - drop-in replacement for http-default-accounts NSE script, significantly expanded
Capture NTLM Hashes using PDF (Bad-Pdf) (Raj Chandel)

Inventory and classification

EyeWitness - take screenshots of websites, get server headers, identify default creds if possible
"C:\Windows\System32\rundll32.exe" dsquery.dll,OpenQueryWindow

Microsoft/AD

A Red Teamer’s Guide to GPOs and OUs
A guide to Attacking Domain Trusts (harmj0y)
How to Pwn an Enterprise in 2017 (johnnyxmas)
password spraying - a few passwords, many users (stays under the lockout threshold per user)
SprayingToolkit (Black Hills)
Metasploit DCsync and hashhdump from Powershell
SMB hash hijacking and user tracking in MS Outlook (NCC Group)
icebreaker - Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
Scanning for Active Directory Privileges & Privileged Accounts (Sean Metcalf)
Evasive VBA — Advanced Maldoc Techniques (@bigmacjpg / @haroldogden / @OrOneEqualsOne)
From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
Windows Privilege Escalation Guide (absolomb)
Attack Red Forest: Attack and Defend Microsoft Enhanced Security Administrative Environment (Hao Wang & Yothin Rodanant)
Active Directory Kill Chain Attack and Defense
Red Teaming Toolkit
Adversary Tactics: PowerShell (SpectreOps)
A Red-Teamer's Guide to GPOs and OUs (wald0)
Active Directory Attacks (swisskey)

Local exploitation

Ctrl-Inject
GTFOBins - a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions
Practical DMA attack on Windows 10 (Fist0urs)
Pentester’s Windows NTFS tricks collection
BYOL (Bring Your Own Land) - FireEye
Bypassing CSP with DNS prefetching
PCILeech - Direct Memory Access (DMA) attack software
Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4
Tenable POCs (actually a mix of local / web / remote)

Web exploitation

20+ polyglot (local mirror)
Tenable POCs (actually a mix of local / web / remote)

Remote exploitation

DNS rebinding: @brandondorsey, Daniel Miessler
pwncat - netcat on steroids
Tenable POCs (actually a mix of local / web / remote)

Mobile

Needle: open source, modular framework to streamline the process of conducting security assessments of iOS apps (mwrlabs)

Broad-scale exploitation

EternalGlue (NCCgroup) - uses defanged NotPetya to simulate internal ransomware spread
Lesley Carhart on Cobalt Strike

Pivoting and lateral movement

A Red Teamer's guide to pivoting (Artem Kondratenko)

Evasion

AVSignSeek - determine where the AV signature is located in a binary/payload
Detect MITM - based on Caddy's MITM detection
NetCat via PowerShell
Hiding bash history (digininja)
Bypassing Network Restrictions Through RDP Tunneling (FireEye)

Learning/training/self-bootstrapping

Career Cheatsheet (Trail of Bits)

Infrastructure

Red Team Infrastructure Wiki

Meta/lists

n00py/ReadingList - grab bag of offense
Red Team Tips (Vincent Yiu)
Red Teaming Toolkit (infosecn1nja)
Preparing for a Read Team Exercise
Red Team Gut Check (Tim MalcomVetter)