marcosValle/awesome-windows-red-team
GitHub: marcosValle/awesome-windows-red-team
一个精心整理的 Windows 红队攻防资源列表,涵盖书籍、课程、工具及各类攻击技术的参考资料。
Stars: 603 | Forks: 103
# Awesome Windows Red Team [](https://awesome.re)
## 目录
* [书籍](#books)
* [课程](#courses)
* [系统架构](#system-architecture)
* [Active Directory](#active-directory)
* [Kerberos](#kerberos)
* [Lssass SAM NTLM GPO](#lssass-sam-ntlm-gpo)
* [WinAPI](#winapi)
* [横向移动](#lateral-movement)
* [Pass the Hash](#pass-the-hash)
* [Pass the Ticket](#pass-the-ticket)
* [LLMNR/NBT-NS 毒化](#llmnr-nbtns-poisoning)
* [权限提升](#privilege-escalation)
* [UAC 绕过](#uac-bypass)
* [Token 模拟](#token-impersonation)
* [防御规避](#defense-evasion)
* [AV 规避](#av)
* [AMSI](#amsi)
* [数据窃取](#exfiltration)
* [PowerShell](#powershell)
* [网络钓鱼](#phishing)
* [恶意文档](#maldocs)
* [宏](#macros)
* [DDE](#dde)
* [HTA](#hta)
* [工具](#tools)
## 书籍
* [Windows Internals, 第七版, 第 1 部分](https://www.amazon.com.br/Windows-Internals-Book-User-Mode/dp/0735684189?tag=goog0ef-20&smid=A1ZZFT5FULY4LN)
* [Windows Internals, 第六版, 第 1 部分](https://www.amazon.com.br/Windows-Internals-Part-Developer-Reference-ebook/dp/B00JDMPHIG?tag=goog0ef-20&smid=A18CNA8NWQSYHH)
* [Windows Internals, 第六版, 第 2 部分](https://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735665877)
* [如何像 PORNSTAR 一样黑客攻击:一步步入侵 BANK 的过程](https://www.amazon.com/How-Hack-Like-PORNSTAR-breaking-ebook/dp/B01MTDLGQQ)
* [Windows® via C/C++ (开发者参考) (英文版)](https://www.amazon.com.br/Windows%C2%AE-via-Developer-Reference-English-ebook/dp/B00JDMQK9G/ref=sr_1_1?__mk_pt_BR=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Windows%C2%AE+via+C%2FC%2B%2B+%28Developer+Reference%29+%28English+Edition%29&qid=1582123720&s=digital-text&sr=1-1)
* [The Hacker Playbook 3:渗透测试实用指南](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2)
## 课程
* [Professor Messer 的 CompTIA SY0-501 Security+ 课程](http://www.professormesser.com/security-plus/sy0-501/sy0-501-training-course/)
* [使用 Kali 进行渗透测试 (PWK) 在线安全培训课程](https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/)
* [Offensive Security 认证专家](https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/)
* [高级 Windows 利用:实战渗透测试培训](https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/)
* [Windows API 利用指南:进程、Token 和内存读写](https://www.pentesteracademy.com/course?id=31)
* [渗透测试人员的 PowerShell - Pentester Academy](https://www.pentesteracademy.com/course?id=21)
* [WMI 攻击与防御 - Pentester Academy](https://www.pentesteracademy.com/course?id=34)
* [Windows 红队实验室 - Pentester Academy](https://www.pentesteracademy.com/redteamlab)
## 系统架构
### Active Directory
* [ADsecurity.org](https://adsecurity.org/)
* [DerbyCon4 - 如何像 Boss 一样保障 Windows 安全并进行系统管理](https://www.youtube.com/watch?v=jKpaaDKVovk&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=79)
* [DEFCON 20:60秒内被攻陷:从网络访客到 Windows 域管理员](https://www.youtube.com/watch?v=nHU3ujyw_sQ)
* [BH2015 - 红队对抗蓝队:现代 Active Directory 攻击、检测与防护](https://www.youtube.com/watch?v=b6GUXerE9Ac)
* [BH2016 - 超越 MCSE:面向安全专业人员的 Active Directory](https://www.youtube.com/watch?v=2w1cesS7pGY)
* [BH2017 - 规避 Microsoft ATA 以掌控 Active Directory ](https://www.youtube.com/watch?v=bHkv63-1GBY)
* [DEFCON 26 - 利用 Active Directory 管理员的安全漏洞](https://www.youtube.com/watch?v=WaGgofGnWaI)
* [BH2017 - 袖藏玄机:设计 Active Directory DACL 后门](https://www.youtube.com/watch?v=ys1LZ1MzIxE)
* [DerbyCon7 - 按下按钮成为域管理员来建造死星(又名:我差点如何让自己被自动化取代)](https://www.youtube.com/watch?v=kGoc_apljpU)
* [DerbyCon4 - 在后渗透阶段滥用 Active Directory](https://www.youtube.com/watch?v=sTU-70dD-Ok&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=12)
### Kerberos
* [Kerberos (I):Kerberos 是如何工作的?– 理论](https://www.tarlogic.com/en/blog/how-kerberos-works/?amp&__twitter_impression=true)
* [保护特权域账户:深度解析网络身份验证](https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth)
* [针对通信协议的基础攻击 – 重放攻击与反射攻击](https://steemit.com/education/@edwardthomson/basic-attacks-on-communication-protocols-replay-and-reflection-attacks)
* [MicroNugget:Kerberos 是如何工作的?](https://www.youtube.com/watch?v=kp5d8Yv3-0c)
* [MIT 6.858 2014年秋季 第13讲:Kerberos](https://www.youtube.com/watch?v=bcWxLl8x33c)
* [DerbyCon4 - Et tu Kerberos (还有你吗,Kerberos)](https://www.youtube.com/watch?v=RIRQQCM4wz8&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=14)
* [DerbyCon7 - 来自地底的回归:红队 Kerberos 的未来](https://www.youtube.com/watch?v=E_BNhuGmJwM&t=0s&index=2&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [BH2014 - 滥用 Microsoft Kerberos:抱歉,你们根本不懂它](https://www.youtube.com/watch?v=lJQn06QLwEw)
* [DerbyCon4 - 攻击 Microsoft Kerberos:踢开冥界的看门狗](https://www.youtube.com/watch?v=PUyhlN-E5MU&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=57)
* [Kerberos 遭遇瞄准:黄金票据、白银票据、MITM 等等](https://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more)
* [攻击者如何利用 Kerberos 白银票据破坏系统](https://adsecurity.org/?p=2011)
### Lssass SAM NTLM GPO
* [无需触碰 LSASS 获取 NTLM Hash:“Internal Monologue”攻击](https://www.andreafortuna.org/dfir/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/)
* [ATT&CK - 凭据转储](https://attack.mitre.org/wiki/Technique/T1003)
* [BH2002 - 破解 NTLMv2 身份验证](https://www.youtube.com/watch?v=x4c8J70kHKc)
* [DerbyCon7 - 使用组策略保护 Windows 安全 ](https://www.youtube.com/watch?v=Upeaa2rgozk&t=0s&index=66&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [滥用 GPO 权限](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
* [针对性的 Kerberoasting](https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/)
### WinAPI
* [DerbyCon4 - 让 Windows 自娱自乐:渗透测试人员的 Windows API 滥用指南](https://www.youtube.com/watch?v=xll_RXQX_Is&index=7&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg&t=0s)
## 横向移动
### Pass the Hash
* [ATT&CK - Pass the Hash](https://attack.mitre.org/wiki/Technique/T1075)
* [BH2013 - Pass the Hash 及其他凭据窃取与重用:防止横向移动...](https://www.youtube.com/watch?v=xxwIh2pvbyw&t=345s)
* [BH2013 - Pass the Hash 2:管理员的复仇](https://www.youtube.com/watch?v=A5xntvKaRlk)
* [从 Pass-the-Hash 到 Pass-the-Ticket 毫不费力](https://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/#gref)
* [Pass-the-Hash 已死:LocalAccountTokenFilterPolicy 万岁](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
### Pass the Ticket
* [ATT&CK - Pass the Ticket](https://attack.mitre.org/wiki/Technique/T1097)
### LLMNR/NBT-NS 毒化
* [一场 SMB 中继赛跑 – 如何利用 LLMNR 和 SMB 消息签名以获取利益与乐趣](https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/)
## 权限提升
* [升级!实用的 Windows 权限提升 - Andrew Smith](https://www.youtube.com/watch?v=PC_iMqiuIRQ)
* [Windows 权限提升演示文稿](https://www.youtube.com/watch?v=mcJ3aRSqGSo)
* [Windows 内核利用](https://github.com/SecWiki/windows-kernel-exploits)
* [DEF CON 22 - Kallenberg 和 Kovah - Windows 8/UEFI 系统上的极端权限提升](https://www.youtube.com/watch?v=d6VCri6sPnY)
* [DEF CON 25 - Morten Schenk - 将 Windows 10 内核利用提升到新高度](https://www.youtube.com/watch?v=Gu_5kkErQ6Y)
* [DerbyCon7 - 并非安全边界:绕过用户帐户控制](https://www.youtube.com/watch?v=c8LgqtATAnE&t=0s&index=21&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
### Token 模拟
* [Incógnito 的乐趣](HTTPS://offensive-security.com/metasploit-unleashed/fun-incognito/)
* [Rotten Potato](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
## 防御规避
### AV
* [DerbyCon3 - 防病毒规避经验教训](https://www.youtube.com/watch?v=ycgaekqAkpA)
* [DerbyCon7 - T110 现代规避技术](https://www.youtube.com/watch?v=xcA2riLyHtQ)
* [DerbyCon7 - 规避 Autoruns](https://www.youtube.com/watch?v=AEmuhCwFL5I)
* [用于规避、绕过和禁用 MS 的红队技术](https://www.youtube.com/watch?v=2HNuzUuVyv0)
* [如何绕过防病毒软件以运行 Mimikatz](https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/)
* [AV 规避 - 混淆 Mimikatz](https://www.youtube.com/watch?v=9pwMCHlNma4)
* [让 PowerShell Empire 绕过 Windows Defender](https://www.blackhillsinfosec.com/getting-powershell-empire-past-windows-defender/)
### AMSI
* [Windows Defender ATP 机器学习和 AMSI:挖掘“就地取材”的基于脚本的攻击 ](https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/)
* [反恶意软件扫描接口 (AMSI) — 关于规避的红队分析] (https://iwantmore.pizza/posts/amsi.html)
### LAPS
* [本地管理员密码解决方案](https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10))
* [对 Microsoft LAPS 的恶意利用](https://akijosberryblog.wordpress.com/2019/01/01/malicious-use-of-microsoft-laps/)
### AppLocker 和应用程序白名单
* [什么是 AppLocker?](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker)
* [如何使用 REGSVR32 规避应用程序白名单](https://www.blackhillsinfosec.com/evade-application-whitelisting-using-regsvr32/)
* [UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList)
## 数据窃取
* [滥用 Windows Management Instrumentation (WMI)](https://www.youtube.com/watch?v=0SjMgnGwpq8)
* [DEF CON 23 - 专家组 - WhyMI so Sexy:WMI 攻击 - 实时防御与高级取证](https://www.youtube.com/watch?v=xBd6p-Lz3kE)
* [DerbyCon3 - Living Off The Land:Windows 后渗透测试的极简指南](https://www.youtube.com/watch?v=j-r6UonEkUw)
## PowerShell
* [DEF CON 18 - David Kennedy "ReL1K" 和 Josh Kelley - Powershell...omfg](https://www.youtube.com/watch?v=q5pA49C7QJg)
* [DEF CON 22 - 调查 PowerShell 攻击](https://www.youtube.com/watch?v=EcOf1s90vsg)
* [DerbyCon2016 - 106 PowerShell 秘密与战术 Ben0xA](https://www.youtube.com/watch?v=mPPv6_adTyg)
* [Daniel Bohannon – Invoke-Obfuscation:PowerShell 混淆](https://www.youtube.com/watch?v=uE8IAxM_BhE)
* [BH2017 - Revoke-Obfuscation:运用科学进行 PowerShell 混淆检测(及规避)](https://www.youtube.com/watch?v=x97ejtv56xw)
## 网络钓鱼
### 恶意文档
* [使用恶意文档进行网络钓鱼](https://www.n00py.io/2017/04/phishing-with-maldocs/)
* [使用 Empire 进行网络钓鱼](https://enigma0x3.net/2016/03/15/phishing-with-empire/)
### 宏
* [使用宏和 Powershell 进行网络钓鱼](https://www.securitysift.com/phishing-with-macros-and-powershell/)
### DDE
* [关于动态数据交换](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-dynamic-data-exchange)
* [滥用 Microsoft Office DDE](https://www.securitysift.com/abusing-microsoft-office-dde/)
* [Microsoft Office 动态数据交换(DDE)攻击](https://resources.infosecinstitute.com/microsoft-office-dynamic-data-exchangedde-attacks/#gref)
* [Office-DDE-Payloads](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads)
### HTA
* [利用 HTA 文件进行黑客攻击](http://blog.sevagas.com/?Hacking-around-HTA-files)
## 工具
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
* [Empire](https://github.com/EmpireProject/Empire)
* [Nishang](https://github.com/samratashok/nishang)
* [Responder](https://github.com/SpiderLabs/Responder)
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
* [PSExec](https://www.toshellandback.com/2017/02/11/psexec/)
### 对手模拟
* [Cobalt Strike](https://www.cobaltstrike.com/)
* [Darkmoon](https://github.com/ASCIT31/Dark-Moon)
* [Red Team Automation - RTA](https://github.com/endgameinc/RTA)
* [CALDERA](https://github.com/mitre/caldera)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
* [Metta](https://github.com/uber-common/metta)
# 其他 Awesome 列表和资源
* [Awesome Red Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming)
* [红队工具包](https://github.com/infosecn1nja/Red-Teaming-Toolkit)
* [红队基础设施 Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* [Awesome Pentest](https://github.com/Muhammd/Awesome-Pentest)
* [红队实验](https://ired.team/)
# 贡献
随时欢迎您的贡献!请先查看贡献指南。
如果您对这个带有主观见解的列表有任何疑问,请随时在 Twitter 上联系我 @\_mvalle\_,或者在 GitHub 上提交一个 issue。
标签:AI合规, Conpot, DNS 反向解析, HTTP, Modbus, Terraform 安全, Web报告查看器, Windows安全, 协议分析, 数据展示, 权限提升, 模拟器, 横向移动, 红队, 编程规范, 防御加固