rule-references.txt

https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
https://nmap.org/
https://twitter.com/jas502n/status/1321416053050667009?s=20
https://www.gnu.org/software/wget/manual/wget.html
https://twitter.com/Cyb3rWard0g/status/1381642789369286662
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
https://twitter.com/wugeej/status/1369476795255320580
https://www.secureworks.com/blog/ransomware-as-a-distraction
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
https://github.com/LOLBAS-Project/LOLBAS/issues/243
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
https://twitter.com/gentilkiwi/status/1003236624925413376
https://www.cobaltstrike.com/help-windows-executable
https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
https://twitter.com/dez_/status/986614411711442944
https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/
https://github.com/bugch3ck/SharpLdapWhoami
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
https://twitter.com/wdormann/status/1679184475677130755
https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
https://seclists.org/fulldisclosure/2023/Jan/1
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
https://awakesecurity.com/blog/threat-hunting-for-paexec/
https://winaero.com/enable-openssh-server-windows-10/
https://lolbas-project.github.io/lolbas/Libraries/Setupapi/
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
https://redcanary.com/blog/intelligence-insights-april-2022/
https://twitter.com/Alh4zr3d/status/1566489367232651264
https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
https://twitter.com/orange_8361/status/1518970259868626944
https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
https://thedfirreport.com/2020/06/21/snatch-ransomware/
https://github.com/wunderwuzzi23/firefox-cookiemonster
https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
https://blog.aquasec.com/container-security-tnt-container-attack
https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
https://github.com/bats3c/EvtMute
https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
https://twitter.com/DidierStevens/status/1217533958096924676
https://www.joeware.net/freetools/tools/adfind/
https://lolbas-project.github.io/lolbas/Binaries/Regedit/
https://en.wikipedia.org/wiki/Nohup
https://nullsec.us/windows-event-log-audit-cve/
https://rules.sonarsource.com/java/RSPEC-2755
https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
https://nvd.nist.gov/vuln/detail/cve-2021-34527
https://gist.github.com/Capybara/6228955
https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
https://windows-internals.com/faxing-your-way-to-system/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
https://twitter.com/Max_Mal_/status/1633863678909874176
https://github.com/OTRF/detection-hackathon-apt29/issues/1
https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
https://pentestlab.blog/2017/04/13/hot-potato/
https://github.com/3proxy/3proxy
https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
https://gtfobins.github.io/gtfobins/vim/
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
https://isc.sans.edu/diary/More+Data+Exfiltration/25698
https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
https://github.com/HuskyHacks/ShadowSteal
https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
https://ss64.com/osx/dscl.html
https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
https://github.com/tevora-threat/SharpView/
https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
https://twitter.com/vxunderground/status/1423336151860002816?s=20
https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
https://adsecurity.org/?p=1772
https://github.com/EddieIvan01/iox
https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
https://github.com/FireFart/hivenightmare
https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
https://twitter.com/shutingrz/status/1469255861394866177?s=21
https://github.com/GhostPack/Certify
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
https://github.com/mandiant/SharPersist
https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
https://github.com/tccontre/Reg-Restore-Persistence-Mole
https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
https://persistence-info.github.io/Data/diskcleanuphandler.html
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
https://tools.ietf.org/html/rfc2929#section-2.1
https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
https://blog.xpnsec.com/exploring-mimikatz-part-1/
https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
https://twitter.com/0gtweet/status/1457676633809330184
https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
https://twitter.com/mttaggart/status/1511804863293784064
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
https://www.manpagez.com/man/8/firmwarepasswd/
https://linuxhint.com/uninstall-debian-packages/
https://github.com/Hackndo/lsassy
https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
https://github.com/antonioCoco/RogueWinRM
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md
https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
https://github.com/ly4k/Certipy
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
https://linux.die.net/man/1/import
https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
https://thedfirreport.com/2022/09/26/bumblebee-round-two/
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
https://isc.sans.edu/diary/22264
https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
https://github.com/LOLBAS-Project/LOLBAS/pull/239
https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
https://ss64.com/nt/for.html
https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
https://twitter.com/egre55/status/1087685529016193025
https://twitter.com/_felamos/status/1179811992841797632
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
https://github.com/boku7/injectAmsiBypass
https://labs.withsecure.com/publications/fin7-target-veeam-servers
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
https://twitter.com/SBousseaden/status/1211636381086339073
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
https://atomicredteam.io/defense-evasion/T1220/
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
https://twitter.com/cglyer/status/1182391019633029120
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
https://redcanary.com/blog/intelligence-insights-november-2021/
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
https://github.com/fox-it/LDAPFragger
https://twitter.com/RedDrip7/status/1506480588827467785
https://github.com/decoder-it/LocalPotato
https://twitter.com/Oddvarmoe/status/1270633613449723905
https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
https://www.revshells.com/
https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
https://github.com/sleventyeleven/linuxprivchecker/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
https://github.com/dagwieers/vsftpd/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role
https://emkc.org/s/RJjuLa
https://lolbas-project.github.io/lolbas/Binaries/Certutil/
https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
https://blog.lexfo.fr/Forensics-xortigate-notice.html
https://adepts.of0x.cc/netsh-portproxy-code/
https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
https://twitter.com/shantanukhande/status/1229348874298388484
https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
https://github.com/NetSPI/PowerUpSQL
https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
https://securelist.com/apt-slingshot/84312/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
https://twitter.com/nas_bench/status/1537563834478645252
https://twitter.com/httpvoid0x2f/status/1532924261035384832
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address
https://www.echotrail.io/insights/search/mshta.exe
https://www.echotrail.io/insights/search/defaultpack.exe
https://mobile.twitter.com/0gtweet/status/1564131230941122561
https://github.com/Yaxser/Backstab
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
https://github.com/last-byte/PersistenceSniper
https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
https://ss64.com/nt/logman.html
https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
https://www.packetlabs.net/posts/clipboard-data-security/
https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
https://twitter.com/nas_bench/status/1618021838407495681
https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
https://posts.specterops.io/covenant-v0-5-eee0507b85ba
https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
https://twitter.com/0gtweet/status/1477925112561209344
https://attack.mitre.org/software/S0404/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
https://github.com/Porchetta-Industries/CrackMapExec
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
https://github.com/CsEnox/EventViewer-UACBypass
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
https://www.secura.com/blog/zero-logon
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
https://www.echotrail.io/insights/search/wermgr.exe
https://github.com/harleyQu1nn/AggressorScripts
https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
https://github.com/calebstewart/CVE-2021-1675
https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
https://twitter.com/chadtilbury/status/1275851297770610688
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
https://twitter.com/0gtweet/status/1182516740955226112
https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
https://github.com/med0x2e/vba2clr
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
https://kb.cert.org/vuls/id/843464
https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
https://pentestlab.blog/tag/ntds-dit/
https://www.secureworks.com/research/shadowpad-malware-analysis
https://lolbas-project.github.io/lolbas/Binaries/Ssh/
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
https://twitter.com/Cyb3rWard0g/status/1453123054243024897
http://guides.rubyonrails.org/action_controller_overview.html
https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
https://www.gpg4win.de/documentation.html
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
https://linux.die.net/man/1/chage
https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
https://github.com/Neo23x0/auditd
https://redcanary.com/threat-detection-report/threats/cobalt-strike/
https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
https://o365blog.com/post/hybridhealthagent/
https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
https://github.com/danielbohannon/Invoke-Obfuscation
https://twitter.com/n1nj4sec/status/1421190238081277959
https://f5.pm/go-59627.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
https://nxlog.co/documentation/nxlog-user-guide/applocker.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
https://twitter.com/mrd0x/status/1460597833917251595
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
https://twitter.com/harr0ey/status/991670870384021504
https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
https://github.com/fatedier/frp
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
https://cloud.google.com/kubernetes-engine/docs
http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
https://nvd.nist.gov/vuln/detail/cve-2021-1675
https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
https://github.com/GhostPack/SafetyKatz
https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
https://corelight.com/blog/detecting-cve-2021-42292
https://lolbas-project.github.io/lolbas/Binaries/Regini/
https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
https://www.powershellgallery.com/packages/DSInternals
https://github.com/JoelGMSec/PSAsyncShell
https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
https://github.com/bats3c/ADCSPwn
https://twitter.com/splinter_code/status/1420546784250769408
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
https://twitter.com/mrd0x/status/1478116126005641220
https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
https://digital.nhs.uk/cyber-alerts/2018/cc-2825
https://redcanary.com/blog/mac-application-bundles/
https://github.com/mdsecactivebreach/CACTUSTORCH
https://twitter.com/cyb3rops/status/1168863899531132929
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
https://pentestlab.blog/2020/07/06/indirect-command-execution/
https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
https://persistence-info.github.io/Data/aedebug.html
https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
https://github.com/vanhauser-thc/thc-hydra
https://developer.okta.com/docs/reference/api/event-types/
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
https://github.com/payloadbox/sql-injection-payload-list
https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
https://developer.okta.com/docs/reference/api/system-log/
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
https://github.com/sensepost/ruler
https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
https://github.com/Neo23x0/Raccine
https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
https://twitter.com/matthewdunwoody/status/1352356685982146562
https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
https://github.com/hieuminhnv/CVE-2022-21587-POC
https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
https://github.com/darrenmartyn/VisualDoor
https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
https://jpcertcc.github.io/ToolAnalysisResultSheet
https://sysdig.com/blog/mitre-defense-evasion-falco
https://twitter.com/GelosSnake/status/934900723426439170
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
https://www.d7xtech.com/free-software/runx/
https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
https://thedfirreport.com/2020/05/08/adfind-recon/
https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace
https://twitter.com/0gtweet/status/1465282548494487554
https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
https://twitter.com/_vivami/status/1347925307643355138
https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
https://firewalld.org/documentation/man-pages/firewall-cmd.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
https://twitter.com/neonprimetime/status/1435584010202255375
https://artkond.com/2017/03/23/pivoting-guide/
https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
https://github.com/codewhitesec/SysmonEnte/
https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
https://redcanary.com/blog/raspberry-robin/
https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
https://twitter.com/NinjaParanoid/status/1516442028963659777
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
https://www.mandiant.com/resources/russian-targeting-gov-business
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
https://lolbas-project.github.io/lolbas/Binaries/Bash/
https://seclists.org/fulldisclosure/2020/Mar/45
https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
https://www.roboform.com/
https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
https://github.com/carlospolop/PEASS-ng
https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
https://objective-see.org/blog/blog_0x68.html
https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
https://www.hvs-consulting.de/lazarus-report/
https://unicode-explorer.com/c/202E
https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://thedfirreport.com/2021/12/13/diavol-ransomware/
https://blog.alyac.co.kr/1901
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
https://twitter.com/harr0ey/status/989617817849876488
https://twitter.com/sudo_sudoka/status/1323951871078223874
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
https://twitter.com/Moriarty_Meng/status/984380793383370752
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
http://addbalance.com/word/startup.htm
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
https://linux.die.net/man/1/truncate
https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
https://lolbas-project.github.io/lolbas/Binaries/Winget/
https://twitter.com/mvelazco/status/1410291741241102338
https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
https://threadreaderapp.com/thread/1533879688141086720.html
https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
https://aboutdfir.com/the-key-to-identify-psexec/
https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
https://www.localpotato.com/localpotato_html/LocalPotato.html
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
https://github.com/SigmaHQ/sigma/pull/4467
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html
https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
https://vms.drweb.fr/virus/?i=24144899
https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
https://github.com/samratashok/ADModule
https://persistence-info.github.io/Data/recyclebin.html
https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
https://github.com/BloodHoundAD/SharpHound
https://twitter.com/BleepinComputer/status/1372218235949617161
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
https://github.com/zcgonvh/NTDSDumpEx
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
https://www.manpagez.com/man/8/PlistBuddy/
https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
https://blog.talosintelligence.com/2017/05/wannacry.html
https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
https://adsecurity.org/?p=1714
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
https://taggart-tech.com/quasar-electron/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
https://bidouillesecurity.com/disable-windows-defender-in-powershell/
https://twitter.com/Z3Jpa29z/status/1317545798981324801
https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
https://research.checkpoint.com/2020/apache-guacamole-rce/
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
https://persistence-info.github.io/Data/autodialdll.html
https://brightsec.com/blog/sql-injection-payloads/
https://bunnyinside.com/?term=f71e8cb9c76a
https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
https://core.telegram.org/bots/faq
https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
https://linux.die.net/man/8/groupdel
https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
https://twitter.com/Sam0x90/status/1552011547974696960
http://www.sqlinjection.net/errors
https://blogs.blackberry.com/
https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
https://redcanary.com/blog/intelligence-insights-october-2021/
https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
https://twitter.com/hakluke/status/1587733971814977537/photo/1
https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
https://twitter.com/subTee/status/1216465628946563073
https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
https://twitter.com/ShadowChasing1/status/1552595370961944576
https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
https://twitter.com/ptswarm/status/1445376079548624899
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
https://github.com/ly4k/SpoolFool
https://github.com/Wh04m1001/IDiagnosticProfileUAC
https://docs.aws.amazon.com/cli/latest/reference/securityhub/
https://github.com/elastic/detection-rules/pull/1267
http://www.botopedia.org/search?searchword=scan&searchphrase=all
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
https://github.com/FortyNorthSecurity/WMImplant
http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
https://twitter.com/_nullbind/status/1204923340810543109
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
https://antgarsil.github.io/posts/velocity/
https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
https://www.poolwatch.io/coin/monero
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
https://twitter.com/_xpn_/status/1268712093928378368
https://sourceforge.net/projects/mouselock/
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
https://ngrok.com/
https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
https://twitter.com/_xpn_/status/1491557187168178176
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
https://twitter.com/_felamos/status/1204705548668555264
https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7
https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
https://github.com/zcgonvh/EfsPotato
https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
https://blog.skyplabs.net/posts/container-detection/
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md
https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
https://www.echotrail.io/insights/search/wusa.exe/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
https://gtfobins.github.io/gtfobins/wget/
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
https://github.com/looCiprian/GC2-sheet
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
https://any-api.com/googleapis_com/compute/docs/vpnTunnels
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
https://twitter.com/nas_bench/status/1535663791362519040
https://dmaasland.github.io/posts/citrix.html
https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
https://docs.microsoft.com/en-us/windows/win32/shell/launch
https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
https://twitter.com/jonasLyk/status/1555914501802921984
https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
https://twitter.com/WhichbufferArda/status/1543900539280293889
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
https://docs.python.org/3/using/cmdline.html#cmdoption-c
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py
https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
https://twitter.com/Al1ex4/status/1382981479727128580
https://www.qualys.com/2021/05/04/21nails/21nails.txt
https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
https://twitter.com/_st0pp3r_/status/1583914244344799235
https://github.com/boku7/spawn
https://github.com/OTRF/detection-hackathon-apt29
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
https://twitter.com/blackorbird/status/1140519090961825792
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
https://lolbas-project.github.io/lolbas/Binaries/Setres/
https://github.com/p0dalirius/LDAPmonitor
https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
https://twitter.com/malmoeb/status/1525901219247845376
https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
https://twitter.com/duff22b/status/1280166329660497920
https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
https://securelist.com/muddywater/88059/
https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
https://thewover.github.io/Introducing-Donut/
https://github.com/krmaxwell/dns-exfiltration
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address
https://twitter.com/cyb3rops/status/1063072865992523776
https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
https://twitter.com/Oddvarmoe/status/1641712700605513729
https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
https://www.ietf.org/rfc/rfc2821.txt
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
https://man.openbsd.org/ssh_config#LocalCommand
https://nvd.nist.gov/vuln/detail/CVE-2023-2283
https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
https://twitter.com/SBousseaden/status/1410545674773467140
https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
https://twitter.com/timbmsft/status/900724491076214784
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
https://twitter.com/SBousseaden/status/1183745981189427200
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md
https://twitter.com/gN3mes1s/status/1222095371175911424
https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
https://twitter.com/malwrhunterteam/status/1235135745611960321
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://github.com/GossiTheDog/HiveNightmare
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
https://twitter.com/mrd0x/status/1461041276514623491
https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
https://www.yeahhub.com/list-installed-programs-version-path-windows/
https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
https://man7.org/linux/man-pages/man1/ncat.1.html
https://github.com/pimps/JNDI-Exploit-Kit
https://ss64.com/nt/syntax-redirection.html
https://www.poweradmin.com/paexec/
https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
https://github.com/GhostPack/Seatbelt
https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country
https://github.com/sensepost/reGeorg
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://www.activecyber.us/activelabs/windows-uac-bypass
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
https://github.com/sensepost/ruler/issues/47
https://any-api.com/amazonaws_com/eks/docs/API_Description
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
https://twitter.com/SBousseaden/status/1581300963650187264?
https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
https://www.scythe.io/library/threat-emulation-qakbot
https://twitter.com/Wietze/status/1542107456507203586
https://twitter.com/ankit_anubhav/status/1518835408502620162
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
https://twitter.com/pabraeken/status/990717080805789697
https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
https://twitter.com/JohnLaTwC/status/1082851155481288706
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
https://github.com/pathtofile/bad-bpf
https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
https://hijacklibs.net/
https://www.joesandbox.com/analysis/790122/0/html
https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
https://twitter.com/mrd0x/status/1480785527901204481
https://twitter.com/oroneequalsone/status/1568432028361830402
https://cobalt.io/blog/kerberoast-attack-techniques
https://github.com/Maka8ka/NGLite
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete
https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
https://positive.security/blog/ms-officecmd-rce
https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
https://github.com/gtworek/PSBits/tree/master/SIP
https://threatpost.com/microsoft-petitpotam-poc/168163/
https://book.hacktricks.xyz/pentesting-web/file-inclusion
https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
https://xmrig.com/docs/miner/command-line-options
https://twitter.com/mattifestation/status/1326228491302563846
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
https://github.com/skelsec/pypykatz
https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
https://twitter.com/tifkin_/status/1321916444557365248
https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
https://lolbas-project.github.io/lolbas/Libraries/Desk/
https://ss64.com/osx/osacompile.html
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
https://github.com/pr0xylife/Qakbot/
https://github.com/mvelazc0/PurpleSharp
https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
https://twitter.com/aboul3la/status/1286012324722155525
https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
https://labs.withsecure.com/publications/detecting-onenote-abuse
https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
https://linuxhint.com/uninstall_yum_package/
https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
https://twitter.com/johnlatwc/status/1408062131321270282?s=12
https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
https://github.com/shantanu561993/SharpChisel
http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
https://twitter.com/0gtweet/status/1281103918693482496
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
https://www.justice.gov/file/1080281/download
https://twitter.com/kagancapar/status/1515219358234161153
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
https://github.com/cloudflare/cloudflared
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
https://lab52.io/blog/2344-2/
https://twitter.com/neonprimetime/status/1436376497980428318
https://twitter.com/h4x0r_dz/status/1445401960371429381
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
https://twitter.com/SBousseaden/status/1090588499517079552
https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
https://github.com/hfiref0x/UACME
https://www.sygnia.co/golden-saml-advisory
https://github.com/Dec0ne/KrbRelayUp
https://twitter.com/EmericNasi/status/1623224526220804098
https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
https://github.com/Wh04m1001/SysmonEoP
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
https://redcanary.com/threat-detection-report/
https://github.com/Shellntel/scripts/
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
https://github.com/jpillora/chisel/
https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
https://unit42.paloaltonetworks.com/bluesky-ransomware/
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
https://twitter.com/bohops/status/1583916360404729857
https://twitter.com/0gtweet/status/1359039665232306183?s=21
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
https://twitter.com/nas_bench/status/1537896324837781506
https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
https://support.anydesk.com/Automatic_Deployment
https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
https://twitter.com/deviouspolack/status/832535435960209408
https://www.youtube.com/watch?v=DLtJTxMWZ2o
https://twitter.com/Purp1eW0lf/status/1616144561965002752
https://kb.vmware.com/s/article/85717
http://www.securityfocus.com/infocus/1633
https://github.com/Ridter/cve-2020-0688
https://youtu.be/5mqid-7zp8k?t=2481
https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
https://twitter.com/SBousseaden/status/1207671369963646976
https://man7.org/linux/man-pages/man8/kmod.8.html
https://twitter.com/_dirkjan/status/1309214379003588608
https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
https://car.mitre.org/wiki/CAR-2013-05-002
https://redcanary.com/blog/right-to-left-override/
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
https://twitter.com/wdormann/status/1478011052130459653?s=20
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
https://github.com/OTRF/detection-hackathon-apt29/issues/14
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md
https://twitter.com/mattifestation/status/986280382042595328
https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
https://github.com/Wh04m1001/CVE-2023-36874
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
https://twitter.com/Hexacorn/status/1224848930795552769
https://twitter.com/aceresponder/status/1636116096506818562
https://twitter.com/bh4b3sh/status/1303674603819081728
https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
https://twitter.com/gN3mes1s/status/941315826107510784
https://twitter.com/menasec1/status/1111556090137903104
https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
https://twitter.com/Gal_B1t/status/1062971006078345217
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
https://github.com/adrecon/AzureADRecon
https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
https://twitter.com/am0nsec/status/1412232114980982787
https://bad-jubies.github.io/RCE-NOW-WHAT/
https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
https://isc.sans.edu/diary/25686
https://attack.mitre.org/techniques/T1064
https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
https://www.computerhope.com/unix/unohup.htm
https://github.com/FireFart/hivenightmare/
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
https://github.com/antonioCoco/JuicyPotatoNG
https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis
https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
https://twitter.com/gN3mes1s/status/1222095963789111296
https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9
https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
https://github.com/kavika13/RemCom
https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
https://perishablepress.com/blacklist/ua-2013.txt
https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
https://learn.microsoft.com/en-us/windows/wsl/install-on-server
https://twitter.com/rikvduijn/status/853251879320662017
https://redmimicry.com
https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
https://breakdev.org/pwndrop/
https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
https://lolbas-project.github.io/lolbas/Binaries/Wsreset
https://www.mandiant.com/resources/evolution-of-fin7
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
https://linux.die.net/man/1/bash
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
https://pypi.org/project/scapy/
https://www.advanced-port-scanner.com/
https://twitter.com/wdormann/status/1347958161609809921
https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
https://twitter.com/200_okay_/status/1194765831911215104
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
https://twitter.com/christophetd/status/1164506034720952320
https://content.fireeye.com/apt-41/rpt-apt41
https://unit42.paloaltonetworks.com/ransomware-families/
https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
https://man7.org/linux/man-pages/man8/ld.so.8.html
https://twitter.com/PhilipTsukerman/status/992021361106268161
https://twitter.com/nas_bench/status/1534916659676422152
https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
https://twitter.com/mgreen27/status/1558223256704122882
https://twitter.com/oulusoyum/status/1191329746069655553
https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
https://persistence-info.github.io/Data/userinitmprlogonscript.html
https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
https://attack.mitre.org/techniques/T1090/
https://labs.f-secure.com/blog/scheduled-task-tampering/
https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
https://github.com/BloodHoundAD/BloodHound
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
https://linuxhint.com/view-tomcat-logs-windows/
https://twitter.com/matthieugarin/status/1183970598210412546
https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
https://twitter.com/nas_bench/status/1537919885031772161
https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
https://twitter.com/cyb3rops/status/1552932770464292864
https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
https://www.openwall.com/lists/oss-security/2019/10/14/1
https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
https://github.com/winsiderss/systeminformer
https://twitter.com/cglyer/status/1355171195654709249
https://github.com/mitre-attack/bzar#indicators-for-attck-execution
https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
https://github.com/LandGrey/CVE-2018-2894
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
https://twitter.com/Moti_B/status/1008587936735035392
https://twitter.com/pyn3rd/status/1020620932967223296
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
https://github.com/matterpreter/DefenderCheck
https://twitter.com/SBousseaden/status/1490608838701166596
https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services
https://twitter.com/nas_bench/status/1433344116071583746
https://github.com/Gui774ume/ebpfkit
https://twitter.com/duzvik/status/1269671601852813320
https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
https://github.com/topotam/PetitPotam
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib
https://github.com/ohpe/juicy-potato
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
https://www.makeuseof.com/how-to-install-and-use-doas/
https://persistence-info.github.io/Data/htmlhelpauthor.html
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
https://support.citrix.com/article/CTX267679
https://twitter.com/ber_m1ng/status/1397948048135778309
https://kubernetes.io/docs/concepts/workloads/controllers/job/
https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
https://twitter.com/0gtweet/status/1476286368385019906
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
https://githubmemory.com/repo/FunctFan/JNDIExploit
https://redcanary.com/blog/child-processes/
https://twitter.com/inversecos/status/1494174785621819397
https://adsecurity.org/?p=3466
https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
https://www.blumira.com/cve-2023-2283/
https://twitter.com/cyb3rops/status/1562072617552678912
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
https://twitter.com/SBousseaden/status/1387530414185664538
https://github.com/Gerenios/AADInternals
https://github.com/murataydemir/CVE-2021-27905
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
https://github.com/mgeeky/Stracciatella
https://twitter.com/JohnLaTwC/status/835149808817991680
https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
https://dtm.uk/wuauclt/
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
https://twitter.com/filip_dragovic/status/1590104354727436290
https://github.com/defaultnamehere/cookie_crimes/
https://twitter.com/Hexacorn/status/776122138063409152
https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
https://lolbas-project.github.io/lolbas/Binaries/Wmic/
https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
https://nmap.org/ncat/
https://twitter.com/j0nh4t/status/1429049506021138437
https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
https://github.com/rapid7/metasploit-framework/pull/17407
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
https://twitter.com/KevTheHermit/status/1410203844064301056
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
https://msdn.microsoft.com/en-us/library/cc220234.aspx
https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
https://github.com/HiwinCN/HTran
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
http://edgeguides.rubyonrails.org/security.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
https://twitter.com/vysecurity/status/873181705024266241
https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
https://www.fortiguard.com/threat-signal-report/4718?s=09
https://learn.microsoft.com/en-us/windows/win32/shell/csidl
https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
https://book.hacktricks.xyz/shells/shells/linux
https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
https://persistence-info.github.io/Data/mpnotify.html
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
https://www.dfirnotes.net/portproxy_detection/
https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
https://twitter.com/dottor_morte/status/1544652325570191361
https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
https://ss64.com/osx/dsenableroot.html
https://twitter.com/gN3mes1s/status/1222088214581825540
https://github.com/kagancapar/CVE-2022-29072
https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent
https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
https://twitter.com/nas_bench/status/1535981653239255040
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
https://twitter.com/momika233/status/1626464189261942786
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
https://twitter.com/0gtweet/status/1583356502340870144
https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
https://github.com/M2Team/Privexec/
https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
https://github.com/quarkslab/quarkspwdump
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
https://twitter.com/SBousseaden/status/1387743867663958021
https://twitter.com/nas_bench/status/1618021415852335105
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
https://github.com/vu-ls/Crassus
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
https://github.com/surya-dev-singh/AmsiBypass-OpenSession
https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
https://twitter.com/SecurityJosh/status/1283027365770276866
https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
http://www.gmer.net/
https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist
https://github.com/S12cybersecurity/RDPCredentialStealer
https://twitter.com/0gtweet/status/1638069413717975046
https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
https://twitter.com/lefterispan/status/1286259016436514816
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins
https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
https://redcanary.com/blog/misbehaving-rats/
https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
https://reaqta.com/2017/11/short-journey-darkvnc/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
https://objective-see.org/blog/blog_0x4B.html
https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
https://youtu.be/7aemGhaE9ds?t=641
https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
https://twitter.com/elliotkillick/status/1449812843772227588
https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
https://en.wikipedia.org/wiki/HTML_Application
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://github.com/electron/rcedit
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
https://twitter.com/nas_bench/status/1550836225652686848
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
https://github.com/arget13/DDexec
https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
https://github.com/Arno0x/DNSExfiltrator
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
https://forensafe.com/blogs/typedpaths.html
https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
https://twitter.com/crep1x/status/1635034100213112833
https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
https://github.com/netero1010/TrustedPath-UACBypass-BOF
https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
https://twitter.com/breakersall/status/1533493587828260866
https://github.com/Neo23x0/Raccine#the-process
https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
https://github.com/deepinstinct/Lsass-Shtinkering
https://t.co/ezOTGy1a1G
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
https://attack.mitre.org/groups/G0010/
https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
https://lolbas-project.github.io/lolbas/Binaries/Vbc/
https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
https://redmimicry.com/posts/redmimicry-winnti/
https://securelist.com/my-name-is-dtrack/93338/
https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
http://www.powertheshell.com/ntfsstreams/
https://pentestlaboratories.com/2021/12/08/process-ghosting/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
https://github.com/GhostPack/KeeThief
https://twitter.com/SBousseaden/status/1541920424635912196
https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
https://twitter.com/malmoeb/status/1511760068743766026
https://github.com/SigmaHQ/sigma/pull/3946
https://twitter.com/Moti_B/status/909449115477659651
https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
https://twitter.com/malmoeb/status/1535142803075960832
https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
https://twitter.com/Flangvik/status/1283054508084473861
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
https://twitter.com/cglyer/status/1182389676876980224
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
https://twitter.com/mrd0x/status/1479094189048713219
https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
https://twitter.com/SwiftOnSecurity/status/1455897435063074824
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
https://www.python.org/dev/peps/pep-0249/#exceptions
https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
https://nvd.nist.gov/vuln/detail/CVE-2021-26084
https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
https://twitter.com/DrunkBinary/status/1063075530180886529
https://twitter.com/frack113/status/1555830623633375232
https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
https://forensicitguy.github.io/agenttesla-vba-certutil-download/
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
https://github.com/cube0x0/KrbRelay
https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
https://github.com/danielbohannon/Invoke-DOSfuscation
https://man7.org/linux/man-pages/man8/getcap.8.html
https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
https://twitter.com/SBousseaden/status/1195284233729777665
https://twitter.com/0gtweet/status/1354766164166115331
https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
https://twitter.com/jonasLyk/status/1347900440000811010
https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
https://github.com/denandz/KeeFarce
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
https://twitter.com/ForensicITGuy/status/1334734244120309760
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
https://reaqta.com/2017/12/mavinject-microsoft-injector/
https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
https://www.spamhaus.org/statistics/tlds/
https://sec.okta.com/fastpassphishingdetection
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
https://www.epicturla.com/blog/sysinturla
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
https://twitter.com/0gtweet/status/1560732860935729152
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
https://abuse.io/lockergoga.txt
https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
https://twitter.com/mrd0x/status/1511415432888131586
https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://github.com/LOLBAS-Project/LOLBAS/pull/264
https://infosec.exchange/@sbousseaden/109542254124022664
https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
https://www.cisecurity.org/controls/cis-controls-list/
https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
https://twitter.com/cyb3rops/status/972186477512839170
https://twitter.com/MalwareJake/status/870349480356454401
https://www.glitch-cat.com/p/green-lambert-and-attack
https://www.passcape.com/windows_password_recovery_dpapi_credhist
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
https://twitter.com/pfiatde/status/1681977680688738305
https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
https://lolbas-project.github.io
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
https://redcanary.com/blog/rclone-mega-extortion/
https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
http://pastebin.com/FtygZ1cg
https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
https://twitter.com/AdamTheAnalyst/status/1134394070045003776
https://persistence-info.github.io/Data/hhctrl.html
https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
https://github.com/Kevin-Robertson/Powermad
https://redcanary.com/blog/lateral-movement-winrm-wmi/
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
https://support.f5.com/csp/article/K52145254
https://twitter.com/neu5ron/status/1438987292971053057?s=20
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
https://techgenix.com/malicious-powershell-scripts-evade-detection/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
https://linux.die.net/man/8/insmod
https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
https://twitter.com/SBousseaden/status/1483810148602814466
https://github.com/mttaggart/OffensiveNotion
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
https://github.com/nettitude/Invoke-PowerThIEf
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure
https://github.com/bohops/WSMan-WinRM
https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
https://twitter.com/JohnLaTwC/status/1004895028995477505
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
https://www.exploit-db.com/exploits/47297
https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
https://twitter.com/SBousseaden/status/1189469425482829824
https://zero2auto.com/2020/05/19/netwalker-re/
https://twitter.com/HunterPlaybook/status/1301207718355759107
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
https://twitter.com/med0x2e/status/1520402518685200384
https://github.com/DarkCoderSc/PowerRunAsSystem/
https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
https://decoded.avast.io/martinchlumecky/png-steganography/
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
https://github.com/vnhacker1337/CVE-2022-27925-PoC
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
https://attack.mitre.org/software/S0108/
https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
https://www.autoitscript.com/site/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
https://twitter.com/eral4m/status/1451112385041911809
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
https://www.shellhacks.com/clear-history-powershell/
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner
https://github.com/Neo23x0/auditd/blob/master/audit.rules
https://github.com/lclevy/firepwd
https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
https://www.exploit-db.com/exploits/47696
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
https://twitter.com/anfam17/status/1607477672057208835
https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
https://ss64.com/ps/foreach-object.html
https://www.youtube.com/watch?v=ro2QuZTIMBM
https://www.qurium.org/alerts/targeted-malware-against-crph/
https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
https://github.com/nknorg/nkn-sdk-go
https://github.com/S3cur3Th1sSh1t/SharpImpersonation
https://twitter.com/sbousseaden/status/1523383197513379841
https://twitter.com/nas_bench/status/1539679555908141061
https://twitter.com/rbmaslen/status/1321859647091970051
https://www.php.net/manual/en/features.commandline.php
https://twitter.com/AdamTheAnalyst/status/1483497517119590403
https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
https://twitter.com/CyberRaiju/status/1251492025678983169
https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
https://www.youtube.com/watch?v=ebmW42YYveI
https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
https://access.redhat.com/security/cve/cve-2019-14287
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
https://twitter.com/malmoeb/status/1560536653709598721
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
https://twitter.com/Alh4zr3d/status/1580925761996828672
https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
https://thedfirreport.com/2023/03/06/2022-year-in-review/
https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
https://twitter.com/SBousseaden/status/1184067445612535811
https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
https://youtu.be/n2dFlSaBBKo
https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
https://twitter.com/JohnLaTwC/status/1415295021041979392
https://twitter.com/Hexacorn/status/885258886428725250
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
https://securelist.com/schroedingers-petya/78870/
https://twitter.com/GossiTheDog/status/1429175908905127938
https://twitter.com/davisrichardg/status/1616518800584704028
https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://lolbas-project.github.io/lolbas/Binaries/Teams/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
https://www.exploit-db.com/exploits/19525
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
https://persistence-info.github.io/Data/powershellprofile.html
https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
https://gtfobins.github.io/gtfobins/rvim/
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
https://blooteem.com/march-2022
https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
https://curl.se/docs/manpage.html
https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
https://twitter.com/kmkz_security/status/1220694202301976576
https://twitter.com/eral4m/status/1479080793003671557
https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
https://developers.onelogin.com/api-docs/1/events/event-resource/
https://lolbas-project.github.io/lolbas/Binaries/Certreq/
https://github.com/payloadbox/xss-payload-list
https://tools.thehacker.recipes/mimikatz/modules
https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
https://www.localpotato.com/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
https://www.rarlab.com/vuln_rev3_names.html
https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
https://twitter.com/countuponsec/status/910969424215232518
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
https://www.joesandbox.com/analysis/443736/0/html
https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
https://github.com/OTRF/detection-hackathon-apt29/issues/16
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
https://persistence-info.github.io/Data/wpbbin.html
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
https://redcanary.com/blog/ebpf-malware/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
https://github.com/eset/malware-ioc/tree/master/oceanlotus
https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
https://github.com/SigmaHQ/sigma/issues/1009
https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
https://twitter.com/yorickkoster/status/1279709009151434754
https://pentestlab.blog/2017/03/30/weak-service-permissions/
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
https://linux.die.net/man/1/xwd
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
https://blog.harmj0y.net/redteaming/another-word-on-delegation/
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.virusradar.com/en/Win32_Kasidet.AD/description
https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
https://twitter.com/an0n_r0/status/1474698356635193346?s=12
http://www.irongeek.com/homoglyph-attack-generator.php
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
https://ss64.com/bash/rar.html
https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
https://mez0.cc/posts/cobaltstrike-powershell-exec/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
https://attack.mitre.org/techniques/T1105/
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
https://reqrypt.org/windivert-doc.html
https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
https://twitter.com/mrd0x/status/1465058133303246867
https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel
https://github.com/MythicAgents/typhon/
https://github.com/RiccardoAncarani/TaskShell/
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
https://twitter.com/0gtweet/status/1468548924600459267
https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md
https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
https://twitter.com/SBousseaden/status/1278977301745741825
https://www.exploit-db.com/exploits/39161
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
https://old.zeek.org/zeekweek2019/slides/bzar.pdf
https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
https://twitter.com/cyb3rops/status/1460978167628406785
https://twitter.com/0xrawsec/status/1002478725605273600?s=21
https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
https://www.sans.org/blog/wmic-for-incident-response/
https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
https://redcanary.com/blog/yellow-cockatoo/
https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
https://rclone.org/
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
https://persistence-info.github.io/Data/ifilters.html
https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
https://persistence-info.github.io/Data/windowsterminalprofile.html
https://twitter.com/pabraeken/status/995837734379032576
https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
https://twitter.com/mariuszbit/status/1531631015139102720
https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
https://twitter.com/EricaZelic/status/1614075109827874817
https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
https://github.com/Immersive-Labs-Sec/nimbuspwn
https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
https://www.pdq.com/pdq-deploy/
https://ss64.com/osx/sysadminctl.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
https://lolbas-project.github.io/lolbas/Binaries/Replace/
https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
https://loldrivers.io/
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
https://lolbas-project.github.io/lolbas/Binaries/Regasm/
https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
https://asec.ahnlab.com/en/39828/
https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
https://blog.hackvens.fr/articles/CoercedPotato.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
https://processhacker.sourceforge.io/
https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
https://cyber.wtf/2021/11/15/guess-whos-back/
https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/
https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
https://www.echotrail.io/insights/search/regsvr32.exe
https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
https://twitter.com/cyb3rops/status/1617108657166061568?s=20
https://o365blog.com/aadinternals/
https://github.com/BloodHoundAD/AzureHound
https://twitter.com/NathanMcNulty/status/1569497348841287681
https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html
https://twitter.com/_st0pp3r_/status/1560072680887525378
https://twitter.com/vxunderground/status/1423336151860002816
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
https://github.com/elastic/detection-rules/pull/1213
https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
https://twitter.com/_st0pp3r_/status/1583914515996897281
https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
https://twitter.com/neu5ron/status/1346245602502443009
https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
https://twitter.com/Hexacorn/status/991447379864932352
https://twitter.com/wdormann/status/1486161836961579020
https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
https://guides.lib.umich.edu/c.php?g=282942&p=1885348
https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html
https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
https://adsecurity.org/?p=2604
https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
https://twitter.com/jamieantisocial/status/1304520651248668673
https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
https://liberty-shell.com/sec/2020/02/25/shim-persistence/
https://redcanary.com/blog/intelligence-insights-december-2021
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
https://www.yang99.top/index.php/archives/82/
https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
https://www.cobaltstrike.com/help-opsec
https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
https://twitter.com/PythonResponder/status/1385064506049630211
https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
https://linux.die.net/man/1/dd
https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
https://www.py2exe.org/
https://twitter.com/malmoeb/status/1550483085472432128
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
https://blog.lexfo.fr/xortigate-cve-2023-27997.html
http://woshub.com/how-to-clear-rdp-connections-history/
https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
https://github.com/besimorhino/powercat
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
https://isc.sans.edu/diary/26734
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
https://twitter.com/ReaQta/status/1222548288731217921
https://twitter.com/MsftSecIntel/status/1257324139515269121
https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
https://github.com/SigmaHQ/sigma/issues/253
https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
https://twitter.com/splinter_code/status/1483815103279603714
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
https://www.tecmint.com/different-types-of-linux-shells/
https://twitter.com/malmoeb/status/1570814999370801158
https://github.com/ORCx41/DeleteShadowCopies
https://www.varonis.com/blog/investigate-ntlm-brute-force
https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
https://twitter.com/cyberwar_15/status/1187287262054076416
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
https://persistence-info.github.io/Data/lsaaextension.html
https://github.com/TheD1rkMtr/AMSI_patch
https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
https://twitter.com/parzel2/status/1665726454489915395
https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
https://www.advanced-ip-scanner.com/
https://twitter.com/pabraeken/status/998627081360695297
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
https://github.com/OTRF/detection-hackathon-apt29/issues/6
https://www.virustotal.com/gui/domain/paste.ee/relations
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
https://en.wikipedia.org/wiki/Hangul_(word_processor)
https://twitter.com/harr0ey/status/992008180904419328
https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
https://github.com/RiccardoAncarani/LiquidSnake
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3
https://www.us-cert.gov/ncas/alerts/TA17-117A
https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
https://docs.djangoproject.com/en/1.11/ref/exceptions/
https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
https://youtu.be/zSihR3lTf7g
https://www.teamviewer.com/en-us/
https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
https://www.x86matthew.com/view_post?id=embed_exe_lnk
https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/
https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
https://github.com/cube0x0/CVE-2021-1675
https://twitter.com/hexacorn/status/1448037865435320323
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
https://twitter.com/M_haggis/status/1699056847154725107
https://systeminformer.sourceforge.io/
https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
https://twitter.com/bryon_/status/975835709587075072
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
https://linux.die.net/man/1/xclip
https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
https://github.com/YfryTchsGD/Log4jAttackSurface
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346
https://twitter.com/menasec1/status/1106899890377052160
https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
https://thedfirreport.com/2020/10/08/ryuks-return
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
https://twitter.com/FlemmingRiis/status/1217147415482060800
http://www.xuetr.com/
https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
https://lolbas-project.github.io/lolbas/Binaries/Extexport/
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
https://github.com/OTRF/detection-hackathon-apt29/issues/12
https://ss64.com/nt/mklink.html
https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
https://twitter.com/Hexacorn/status/885570278637678592
https://ss64.com/nt/cmd.html
https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
https://twitter.com/WindowsDocs/status/1620078135080325122
https://linuxize.com/post/how-to-delete-group-in-linux/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
https://github.com/dsnezhkov/TruffleSnout
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
https://twitter.com/bohops/status/1276357235954909188?s=12
https://cloud.google.com/storage/docs/json_api/v1/buckets
https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
https://twitter.com/1ZRR4H/status/1534259727059787783
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
https://www.google.com/search?q=%22reg.exe+save%22+sam
https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
https://learn.microsoft.com/en-us/windows/package-manager/winget/source
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://www.radmin.fr/
https://threathunterplaybook.com/library/windows/active_directory_replication.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
https://twitter.com/1kwpeter/status/1397816101455765504
https://twitter.com/SBousseaden/status/1464566846594691073?s=20
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
https://twitter.com/OTR_Community/status/1371053369071132675
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
https://access.redhat.com/articles/4409591#audit-record-types-2
https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
https://twitter.com/MichalKoczwara/status/1553634816016498688
https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
https://cloud.google.com/dns/docs/reference/v1/managedZones
https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
https://www.zerodayinitiative.com/advisories/ZDI-23-491/
https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
https://github.com/PowerShellMafia/PowerSploit
http://blog.sevagas.com/?Hacking-around-HTA-files
https://github.com/apache/spark/pull/36315/files
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
https://persistence-info.github.io/Data/wer_debugger.html
https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
https://twitter.com/nas_bench/status/1534957360032120833
https://lolbas-project.github.io/lolbas/Binaries/Msdt/
https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
https://github.com/codewhitesec/HandleKatz
https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
https://blog.viettelcybersecurity.com/saml-show-stopper/
https://twitter.com/pabraeken/status/991335019833708544
https://adsecurity.org/?p=3458
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
https://twitter.com/d4rksystem/status/1357010969264873472
https://github.com/sqlmapproject/sqlmap
https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
https://www.jpcert.or.jp/english/pub/sr/ir_research.html
https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
https://securityxploded.com/
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
https://twitter.com/ORCA6665/status/1496478087244095491
https://gtfobins.github.io/gtfobins/apt/
https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
https://car.mitre.org/wiki/CAR-2016-04-005
https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
https://github.com/malcomvetter/CSExec
https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
https://twitter.com/Kostastsale/status/1565257924204986369
https://twitter.com/forensicitguy/status/1513538712986079238
https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
https://redcanary.com/blog/applescript/
https://www.fortypoundhead.com/showcontent.asp?artid=24022
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
https://twitter.com/DissectMalware/status/1062879286749773824
https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
https://www.mandiant.com/resources/telegram-malware-iranian-espionage
https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
https://github.com/BC-SECURITY/Empire
https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
https://twitter.com/0xBoku/status/1679200664013135872
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
https://man7.org/linux/man-pages/man1/passwd.1.html
https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
https://twitter.com/nas_bench/status/1535322182863179776
https://lolbas-project.github.io/lolbas/Binaries/Ftp/
https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
https://twitter.com/mrd0x/status/1511489821247684615
https://github.com/byt3bl33d3r/CrackMapExec
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
https://redcanary.com/blog/blue-mockingbird-cryptominer/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
https://adsecurity.org/?p=2398
https://twitter.com/SBousseaden/status/1167417096374050817
https://github.com/Azure/Azure-Sentinel/pull/3059
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.softwaretestinghelp.com/how-to-use-ngrok/
https://lolbas-project.github.io/lolbas/Binaries/Rundll32
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
https://github.com/HarmJ0y/DAMP
https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
https://github.com/elastic/detection-rules/pull/1145/files
https://twitter.com/countuponsec/status/910977826853068800
https://twitter.com/cyb3rops/status/1514217991034097664
https://github.com/Ekultek/BlueKeep
https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
https://github.com/cube0x0/CVE-2021-36934
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
https://attack.mitre.org/techniques/T1021/001/
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
https://securelist.com/apt-luminousmoth/103332/
https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
https://twitter.com/_JohnHammond/status/1531672601067675648
https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
https://twitter.com/mrd0x/status/1463526834918854661
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
https://github.com/gtworek/PSBits/tree/master/IFilter
https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7
https://twitter.com/cglyer/status/1183756892952248325
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
https://nodejs.org/api/cli.html
https://www.nextron-systems.com/?s=antivirus
https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
https://research.splunk.com/endpoint/linux_doas_tool_execution/
https://github.com/byt3bl33d3r/SILENTTRINITY
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
https://github.com/kavika13/RemCom/
https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
https://adsecurity.org/?p=2288
https://twitter.com/killamjr/status/1179034907932315648
https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
https://twitter.com/bl4sty/status/1445462677824761878
https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
https://github.com/hackvens/CoercedPotato
https://www.intrinsec.com/apt27-analysis/
https://github.com/Neo23x0/DLLRunner
https://thedfirreport.com/2020/10/08/ryuks-return/
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
https://o365blog.com/post/aadbackdoor/
https://twitter.com/Carlos_Perez/status/883455096645931008
https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
https://twitter.com/Hexacorn/status/885553465417756673
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
https://twitter.com/gentilkiwi/status/861641945944391680
https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
https://learn.microsoft.com/en-us/windows/win32/api/winevt/
https://twitter.com/_0xf4n9x_/status/1572052954538192901
https://gtfobins.github.io/gtfobins/vimdiff/
http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
https://nvd.nist.gov/vuln/detail/CVE-2021-41773
https://asec.ahnlab.com/en/38156/
https://github.com/OTRF/detection-hackathon-apt29/issues/8
https://www.anquanke.com/post/id/226029
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
https://github.com/tyranid/DotNetToJScript
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
https://lolbas-project.github.io/lolbas/Binaries/Runonce/
http://woshub.com/manage-windows-firewall-powershell/
https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
https://github.com/samratashok/nishang
https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
https://mrd0x.com/stealing-tokens-from-office-applications/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
https://dirkjanm.io/a-different-way-of-abusing-zerologon/
https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
https://lolbas-project.github.io/lolbas/Binaries/Diantz/
https://twitter.com/0gtweet/status/1666716511988330499
https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
https://gtfobins.github.io/gtfobins/nohup/
https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
https://twitter.com/kleiton0x7e/status/1600567316810551296
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
https://github.com/mttaggart/quasar
https://github.com/GhostPack/Rubeus
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
https://ss64.com/osx/dseditgroup.html
https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
https://alamot.github.io/reverse_shells/
https://ss64.com/nt/dsacls.html
https://github.com/OTRF/detection-hackathon-apt29/issues/7
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
https://twitter.com/M_haggis/status/900741347035889665
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
https://support.citrix.com/article/CTX267027
https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
https://twitter.com/ClearskySec/status/960924755355369472
https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
https://github.com/rootm0s/WinPwnage
https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
https://github.com/ehang-io/nps
https://linux.die.net/man/8/pam_tty_audit
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
https://lolbas-project.github.io/lolbas/Binaries/Certoc/
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/
https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
https://lolbas-project.github.io/lolbas/Binaries/Findstr/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
https://lolbas-project.github.io/lolbas/Scripts/Winrm/
https://twitter.com/INIT_3/status/1410662463641731075
https://twitter.com/nas_bench/status/1626648985824788480
https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
https://twitter.com/fuzzyf10w/status/1410202370835898371
https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
https://twitter.com/malmoeb/status/1616702107242971144
https://twitter.com/tccontre18/status/1480950986650832903
https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
https://attack.mitre.org/datasources/DS0005/
https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
https://swarm.ptsecurity.com/unauth-rce-vmware
https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
https://github.com/elastic/detection-rules/pull/1214
https://twitter.com/Hexacorn/status/1420053502554951689
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
https://github.com/p3nt4/PowerShdll
https://github.com/Tylous/ZipExec
https://lolbas-project.github.io/lolbas/Binaries/Psr/
https://twitter.com/gN3mes1s/status/1206874118282448897
https://persistence-info.github.io/Data/amsi.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
https://github.com/payloadbox/ssti-payloads
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
https://decoded.avast.io/martinchlumecky/png-steganography
https://linux.die.net/man/8/userdel
https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
https://github.com/OTRF/detection-hackathon-apt29/issues/9
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token
https://twitter.com/d1r4c/status/1279042657508081664
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
https://twitter.com/JohnLaTwC/status/1223292479270600706
https://github.com/WiredPulse/Invoke-HiveNightmare
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
https://blog.assetnote.io/2021/11/02/sitecore-rce/
https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
https://www.remoteutilities.com/support/kb/host-service-won-t-start/
https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
https://twitter.com/cube0x0/status/1418920190759378944
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
https://twitter.com/filip_dragovic/status/1590052248260055041
https://github.com/projectdiscovery/nuclei-templates
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
https://www.zscaler.com/blogs/security-research/steal-it-campaign
https://twitter.com/0gtweet/status/1206692239839289344
https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
https://redcanary.com/threat-detection-report/threats/dridex/
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://bczyz1.github.io/2021/01/30/psexec.html
https://twitter.com/mattifestation/status/1196390321783025666
https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
https://twitter.com/pyn3rd/status/1351696768065409026
https://twitter.com/felixw3000/status/853354851128025088
https://github.com/gabe-k/themebleed
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
https://github.com/helpsystems/nanodump
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
https://powersploit.readthedocs.io/en/stable/Recon/README
https://www.autohotkey.com/download/
https://bpftrace.org/
https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
http://managed670.rssing.com/chan-5590147/all_p1.html
https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
https://github.com/cube0x0
https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
https://twitter.com/craiu/status/1167358457344925696
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
https://github.com/Azure/SimuLand
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
https://github.com/GhostPack/SharpUp
https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
https://twitter.com/vysecurity/status/885545634958385153
https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
https://twitter.com/pabraeken/status/993497996179492864
https://twitter.com/bohops/status/994405551751815170
https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
https://twitter.com/MaD_c4t/status/1623414582382567424
https://twitter.com/JohnLaTwC/status/837743453039534080
https://github.com/frgnca/AudioDeviceCmdlets
https://github.com/h3v0x/CVE-2021-26084_Confluence
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
https://github.com/OTRF/detection-hackathon-apt29/issues/17
https://twitter.com/0gtweet/status/1474899714290208777?s=12
https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
https://windows-internals.com/printdemon-cve-2020-1048/
https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
https://blog.talosintelligence.com/ipfs-abuse/
https://twitter.com/j00sean/status/1537750439701225472
https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
https://twitter.com/ffforward/status/1481672378639912960
http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
https://twitter.com/0gtweet/status/1299071304805560321?s=21
https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
https://redcanary.com/blog/email-forwarding-rules/
https://github.com/kleiton0x00/RedditC2
https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
https://twitter.com/StopMalvertisin/status/1648604148848549888
https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
https://github.com/GossiTheDog/SystemNightmare
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
https://twitter.com/0gtweet/status/1628720819537936386
https://twitter.com/CyberRaiju/status/1273597319322058752
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
https://adsecurity.org/?p=2277
https://persistence-info.github.io/Data/naturallanguage6.html
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
https://github.com/lijiejie/IIS_shortname_Scanner
https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
https://securelist.com/operation-triangulation/109842/
https://twitter.com/pabraeken/status/990758590020452353
https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
https://twitter.com/VakninHai/status/1517027824984547329
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
https://github.com/sensepost/impersonate
https://twitter.com/bohops/status/980659399495741441
https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
https://github.com/hlldz/Invoke-Phant0m
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
https://twitter.com/MalwareJake/status/1410421967463731200
https://securelist.com/the-epic-turla-operation/65545/
https://twitter.com/dez_/status/1560101453150257154
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
https://twitter.com/0gtweet/status/1526833181831200770
https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
https://twitter.com/sec715/status/1373472323538362371
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
https://vanmieghem.io/stealth-outlook-persistence/
https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
https://github.com/adrecon/ADRecon
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
https://github.com/zeronetworks/rpcfirewall
https://twitter.com/SBousseaden/status/1451237393017839616
https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
https://o365blog.com/post/adfs/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
https://adsecurity.org/?p=2921
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
https://twitter.com/cyb3rops/status/1186631731543236608
https://github.com/Rhynorater/CVE-2018-15473-Exploit
https://redcanary.com/blog/blackbyte-ransomware/
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
https://hashcat.net/wiki/doku.php?id=hashcat
https://github.com/S3cur3Th1sSh1t/WinPwn
https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
https://twitter.com/mrd0x/status/1460815932402679809
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
https://www.arxiv-vanity.com/papers/2008.04676/
https://www.nirsoft.net/utils/nircmd.html
https://twitter.com/m417z/status/1566674631788007425
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
https://github.com/corelight/CVE-2021-1675
https://redmimicry.com/posts/redmimicry-winnti/#dropper
https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
https://twitter.com/max_mal_/status/1542461200797163522
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
https://twitter.com/subTee/status/891298217907830785
https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
https://github.com/swagkarna/Defeat-Defender-V1.2.0
https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
https://twitter.com/nas_bench/status/1535431474429808642
https://twitter.com/sbousseaden/status/1531653369546301440
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
https://ngrok.com/docs
https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
https://twitter.com/eral4m/status/1479106975967240209
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
https://twitter.com/SBousseaden/status/1429530155291193354?s=20
https://twitter.com/jseerden/status/1247985304667066373/photo/1
https://support.citrix.com/article/CTX276688
https://github.com/search?q=CVE-2021-36934
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
https://attack.mitre.org/matrices/enterprise/cloud/
https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
https://twitter.com/mpgn_x64/status/1216787131210829826
https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
https://github.com/tangxiaofeng7/apache-log4j-poc
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
https://gtfobins.github.io/gtfobins/apt-get/
https://securelist.com/faq-the-projectsauron-apt/75533/
https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
https://twitter.com/nas_bench/status/1534915321856917506
https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
https://www.echotrail.io/insights/search/msbuild.exe
https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
https://attack.mitre.org/techniques/T1548/001/
https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
https://www.nirsoft.net/utils/nircmd2.html#using
https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
https://mn3m.info/posts/suid-vs-capabilities/
https://twitter.com/vysecurity/status/977198418354491392
https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
https://twitter.com/Oddvarmoe/status/993383596244258816
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
https://twitter.com/nas_bench/status/1535322445439180803
https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
https://www.tenable.com/security/research/tra-2021-13
https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
https://securelist.com/chafer-used-remexi-malware/89538/
https://github.com/fireeye/DueDLLigence
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
https://www.exploit-db.com/exploits/37525
https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
https://github.com/SigmaHQ/sigma/issues/3742
https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
https://twitter.com/nao_sec/status/1530196847679401984
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
https://twitter.com/stvemillertime/status/1024707932447854592
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
https://www.echotrail.io/insights/search/ilasm.exe
https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
https://redcanary.com/blog/clipping-silver-sparrows-wings/
https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
https://persistence-info.github.io/Data/codesigning.html
https://ss64.com/nt/netsh.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
https://github.com/Hackplayers/evil-winrm
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
https://portswigger.net/web-security/cross-site-scripting/contexts
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97
https://github.com/binderlabs/DirCreate2System
https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
https://imagemagick.org/
https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
https://github.com/CCob/MirrorDump
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml
https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
https://github.com/0xf4n9x/CVE-2022-46169
https://github.com/tennc/webshell
https://twitter.com/VM_vivisector/status/1217190929330655232
https://www.infosecademy.com/netcat-reverse-shells/
https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
https://twitter.com/mattifestation/status/899646620148539397
https://research.splunk.com/endpoint/windows_possible_credential_dumping/
https://redcanary.com/threat-detection-report/threats/qbot/
https://github.com/cw1997/NATBypass
https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser
https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
https://gtfobins.github.io/gtfobins/ssh/
https://twitter.com/SBousseaden/status/1139811587760562176
https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
https://lolbas-project.github.io/lolbas/Binaries/Msedge/
https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
https://www.mandiant.com/resources/blog/lnk-between-browsers
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://youtu.be/5mqid-7zp8k?t=2231
https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md
https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
https://github.com/connormcgarr/LittleCorporal
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend
https://lolbas-project.github.io/lolbas/Binaries/Print/
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
https://www.youtube.com/watch?v=Ie831jF0bb0
https://twitter.com/nas_bench/status/1535322450858233858
https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
https://twitter.com/bopin2020/status/1366400799199272960
https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
https://xz.aliyun.com/t/12175
https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
https://github.com/Kevin-Robertson/Inveigh
https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
https://twitter.com/wdormann/status/1547583317410607110
https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
https://nsudo.m2team.org/en-us/
https://redcanary.com/blog/chromeloader/
https://h.43z.one/ipconverter/
https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
https://technet.microsoft.com/en-us/library/security/4022344
https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
https://twitter.com/0gtweet/status/1564968845726580736
https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
https://twitter.com/notwhickey/status/1333900137232523264
https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
https://github.com/outflanknl/Dumpert
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
https://securelist.com/locked-out/68960/
https://man.openbsd.org/ssh_config#ProxyCommand
https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
https://developers.onelogin.com/api-docs/1/events/event-resource
https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
https://twitter.com/xorJosh/status/1598646907802451969
https://adsecurity.org/?p=2053
https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
https://www.offensive-security.com/metasploit-unleashed/timestomp/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
https://github.com/win3zz/CVE-2023-25157
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
https://twitter.com/JAMESWT_MHT/status/1699042827261391247
https://twitter.com/mrd0x/status/1478234484881436672?s=12
https://goo.gl/PsqrhT
https://twitter.com/pythonresponder/status/1385064506049630211?s=21
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
https://twitter.com/menasec1/status/1104489274387451904
https://twitter.com/pabraeken/status/993298228840992768
https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
https://twitter.com/JohnLaTwC/status/850381440629981184
https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
https://twitter.com/_JohnHammond/status/1588155401752788994
https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
https://www.google.com/search?q=procdump+lsass
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
https://twitter.com/t3ft3lb/status/1656194831830401024
https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
https://github.com/search?q=CVE-2021-43798
https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
https://twitter.com/jhencinski/status/1102695118455349248
https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
https://twitter.com/SBousseaden/status/1096148422984384514
https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
https://twitter.com/vanitasnk/status/1437329511142420483?s=21
https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
https://twitter.com/pabraeken/status/999090532839313408
https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
https://twitter.com/_st0pp3r_/status/1583922009842802689
https://twitter.com/sbousseaden/status/1555200155351228419
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
https://twitter.com/bohops/status/948061991012327424
https://twitter.com/cyb3rops/status/1659175181695287297
https://twitter.com/Max_Mal_/status/1661322732456353792
https://twitter.com/jackcr/status/807385668833968128
https://github.com/snovvcrash/DInjector
https://twitter.com/sbousseaden/status/1429401053229891590?s=12
https://twitter.com/Oddvarmoe/status/985518877076541440
https://twitter.com/M_haggis/status/1032799638213066752
https://twitter.com/0gtweet/status/1674399582162153472
https://www.joesandbox.com/analysis/476188/1/iochtml
https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
https://twitter.com/ItsReallyNick/status/1094080242686312448
https://twitter.com/SBousseaden/status/1101431884540710913
https://twitter.com/eral4m/status/1480468728324231172?s=20
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
https://twitter.com/GadixCRK/status/1369313704869834753?s=20
https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
https://twitter.com/ScumBots/status/1610626724257046529
https://twitter.com/WhichbufferArda/status/1658829954182774784
https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
https://twitter.com/x86matthew/status/1505476263464607744?s=12
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
https://twitter.com/bohops/status/1635288066909966338
https://twitter.com/bohops/status/1477717351017680899?s=12
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
https://twitter.com/mrd0x/status/1481630810495139841?s=12
https://twitter.com/Kostastsale/status/1700965142828290260
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
https://github.com/LOLBAS-Project/LOLBAS/pull/147
https://twitter.com/sbousseaden/status/1282441816986484737?s=12
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
https://twitter.com/wdormann/status/1590434950335320065
https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
https://github.com/audibleblink/xordump
https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
https://www.trustedsec.com/july-2015/malicious-htas/
https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://github.com/AlsidOfficial/WSUSpendu/
https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
https://github.com/klinix5/InstallerFileTakeOver
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps
https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
https://streamable.com/q2dsji
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
https://github.com/zerosum0x0/CVE-2019-0708
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
https://github.com/elastic/detection-rules/issues/1371
https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
https://github.com/D1rkMtr/UnhookingPatch
https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
https://twitter.com/hFireF0X/status/897640081053364225
https://www.mdeditor.tw/pl/pgRt
https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
https://github.com/LOLBAS-Project/LOLBAS/pull/180
https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
https://www.sans.org/webcasts/119395
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
https://github.com/hhlxf/PrintNightmare
https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
https://github.com/1337Rin/Swag-PSO
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
https://github.com/afwu/PrintNightmare
https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
https://www.ampliasecurity.com/research/windows-credentials-editor/
https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
https://twitter.com/luc4m/status/1073181154126254080
https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
https://www.joesandbox.com/analysis/465533/0/html
https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
https://wikileaks.org/vault7/#Pandemic
https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
https://twitter.com/mrd0x/status/1475085452784844803?s=12
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
https://kb.acronis.com/content/60892
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://twitter.com/vysecurity/status/974806438316072960
https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
https://twitter.com/_JohnHammond/status/1708910264261980634
https://github.com/Pennyw0rth/NetExec/
https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
https://linux.die.net/man/1/wget
https://github.com/1N3/Sn1per
https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
https://github.com/Tib3rius/AutoRecon
https://github.com/pr0xylife/DarkGate/tree/main
https://github.com/HavocFramework/Havoc
https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
https://ipfyx.fr/post/visual-studio-code-tunnel/
https://github.com/t3l3machus/hoaxshell
https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
https://twitter.com/fr0s7_/status/1712780207105404948
https://code.visualstudio.com/docs/remote/tunnels
https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
https://badoption.eu/blog/2023/01/31/code_c2.html
https://github.com/t3l3machus/Villain
https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
https://ss64.com/nt/regsvr32.html
https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
https://github.com/Ne0nd0g/merlin
https://github.com/projectdiscovery/naabu
https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
https://dataconomy.com/2023/10/23/okta-data-breach/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
https://github.com/win3zz/CVE-2023-43261
https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
https://github.security.telekom.com/2023/08/darkgate-loader.html
https://vulncheck.com/blog/real-world-cve-2023-43261
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml
https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
https://www.swascan.com/cactus-ransomware-malware-analysis/
https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
https://blog.hrncirik.net/cve-2023-46214-analysis
https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
https://github.com/ForceFledgling/CVE-2023-22518
https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
https://github.com/vletoux/pingcastle
https://cydefops.com/vscode-data-exfiltration
https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
https://advisory.splunk.com/advisories/SVD-2023-1104
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
https://github.com/nathan31337/Splunk-RCE-poc/
http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
https://github.com/deepinstinct/NoFilter
https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
https://github.com/outflanknl/NetshHelperBeacon
https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
https://ss64.com/osx/csrutil.html
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
https://github.com/cloudflare/cloudflared/releases
https://github.com/poweradminllc/PAExec
https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
https://ss64.com/mac/system_profiler.html
https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
https://pentestlab.blog/tag/sharpmove/
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
https://linux.die.net/man/8/useradd
https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
https://ss64.com/nt/net-service.html
https://cloud.google.com/binary-authorization
https://hatching.io/blog/powershell-analysis/
https://www.pingcastle.com/documentation/scanner/
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
https://redcanary.com/blog/gootloader/
https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
https://en.wikipedia.org/wiki/IExpress
https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
https://tria.ge/231004-tp8k6sch9t/behavioral2
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
https://objective-see.org/blog/blog_0x62.html
https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
https://github.com/netero1010/EDRSilencer
https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
https://github.com/NetSPI/aws_consoler
https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
https://twitter.com/bohops/status/1740022869198037480
https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
https://github.com/pr0xylife/Pikabot
https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
https://github.com/yarrick/iodine
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected
https://www.intrinsec.com/akira_ransomware/
https://github.com/byt3bl33d3r/CrackMapExec/
https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
https://cydefops.com/devtunnels-unleashed
https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
https://github.com/fortra/nanodump
https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
https://duo.com/docs/adminapi#logs
https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
https://www.x86matthew.com/view_post?id=create_svc_rpc
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
https://twitter.com/DissectMalware/status/998797808907046913
https://mrd0x.com/sentinelone-persistence-via-menu-context/
https://lab52.io/blog/winter-vivern-all-summer/
https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
https://security.paloaltonetworks.com/CVE-2024-3400
https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
https://regex101.com/r/RugQYK/1
https://twitter.com/ReneFreingruber/status/1172244989335810049
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
https://twitter.com/cyb3rops/status/1096842275437625346
https://github.com/iagox86/dnscat2
https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
https://github.com/xuanxuan0/DripLoader
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
https://www.cve.org/CVERecord?id=CVE-2024-1708
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
https://github.com/EmpireProject/PSInject
https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
https://blog.router-switch.com/2013/11/show-running-config/
https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
https://lolbas-project.github.io/lolbas/Binaries/Tar/
https://github.com/AlessandroZ/LaZagne/tree/master
https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
https://www.phpied.com/make-your-javascript-a-windows-exe/
https://docs.python.org/3/library/site.html
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
https://portmap.io/
https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
https://github.com/wavestone-cdt/EDRSandblast
https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
https://github.com/LOLBAS-Project/LOLBAS/pull/151
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
https://docs.github.com/en/migrations
https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
https://security.padok.fr/en/blog/kubernetes-webhook-attackers
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
https://asec.ahnlab.com/en/58878/
https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
https://tria.ge/240301-rk34sagf5x/behavioral2
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
https://twitter.com/DTCERT/status/1712785426895839339
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
https://help.duo.com/s/article/6327?language=en_US
https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
https://www.loobins.io/binaries/sysctl/#
https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
https://www.ammyy.com/en/admin_features.html
https://blog.sekoia.io/darkgate-internals/
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
https://github.com/amjcyber/EDRNoiseMaker
https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
https://www.elastic.co/security-labs/operation-bleeding-bear
https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
https://gtfobins.github.io/gtfobins/nice/#shell
https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487