marcosValle/awesome-windows-red-team

GitHub: marcosValle/awesome-windows-red-team

一个精心整理的 Windows 红队攻防资源列表,涵盖书籍、课程、工具及各类攻击技术的参考资料。

Stars: 603 | Forks: 103

# Awesome Windows Red Team [![Awesome](https://awesome.re/badge.svg)](https://awesome.re) ## 目录 * [书籍](#books) * [课程](#courses) * [系统架构](#system-architecture) * [Active Directory](#active-directory) * [Kerberos](#kerberos) * [Lssass SAM NTLM GPO](#lssass-sam-ntlm-gpo) * [WinAPI](#winapi) * [横向移动](#lateral-movement) * [Pass the Hash](#pass-the-hash) * [Pass the Ticket](#pass-the-ticket) * [LLMNR/NBT-NS 毒化](#llmnr-nbtns-poisoning) * [权限提升](#privilege-escalation) * [UAC 绕过](#uac-bypass) * [Token 模拟](#token-impersonation) * [防御规避](#defense-evasion) * [AV 规避](#av) * [AMSI](#amsi) * [数据窃取](#exfiltration) * [PowerShell](#powershell) * [网络钓鱼](#phishing) * [恶意文档](#maldocs) * [宏](#macros) * [DDE](#dde) * [HTA](#hta) * [工具](#tools) ## 书籍 * [Windows Internals, 第七版, 第 1 部分](https://www.amazon.com.br/Windows-Internals-Book-User-Mode/dp/0735684189?tag=goog0ef-20&smid=A1ZZFT5FULY4LN) * [Windows Internals, 第六版, 第 1 部分](https://www.amazon.com.br/Windows-Internals-Part-Developer-Reference-ebook/dp/B00JDMPHIG?tag=goog0ef-20&smid=A18CNA8NWQSYHH) * [Windows Internals, 第六版, 第 2 部分](https://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735665877) * [如何像 PORNSTAR 一样黑客攻击:一步步入侵 BANK 的过程](https://www.amazon.com/How-Hack-Like-PORNSTAR-breaking-ebook/dp/B01MTDLGQQ) * [Windows® via C/C++ (开发者参考) (英文版)](https://www.amazon.com.br/Windows%C2%AE-via-Developer-Reference-English-ebook/dp/B00JDMQK9G/ref=sr_1_1?__mk_pt_BR=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Windows%C2%AE+via+C%2FC%2B%2B+%28Developer+Reference%29+%28English+Edition%29&qid=1582123720&s=digital-text&sr=1-1) * [The Hacker Playbook 3:渗透测试实用指南](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2) ## 课程 * [Professor Messer 的 CompTIA SY0-501 Security+ 课程](http://www.professormesser.com/security-plus/sy0-501/sy0-501-training-course/) * [使用 Kali 进行渗透测试 (PWK) 在线安全培训课程](https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/) * [Offensive Security 认证专家](https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/) * [高级 Windows 利用:实战渗透测试培训](https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/) * [Windows API 利用指南:进程、Token 和内存读写](https://www.pentesteracademy.com/course?id=31) * [渗透测试人员的 PowerShell - Pentester Academy](https://www.pentesteracademy.com/course?id=21) * [WMI 攻击与防御 - Pentester Academy](https://www.pentesteracademy.com/course?id=34) * [Windows 红队实验室 - Pentester Academy](https://www.pentesteracademy.com/redteamlab) ## 系统架构 ### Active Directory * [ADsecurity.org](https://adsecurity.org/) * [DerbyCon4 - 如何像 Boss 一样保障 Windows 安全并进行系统管理](https://www.youtube.com/watch?v=jKpaaDKVovk&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=79) * [DEFCON 20:60秒内被攻陷:从网络访客到 Windows 域管理员](https://www.youtube.com/watch?v=nHU3ujyw_sQ) * [BH2015 - 红队对抗蓝队:现代 Active Directory 攻击、检测与防护](https://www.youtube.com/watch?v=b6GUXerE9Ac) * [BH2016 - 超越 MCSE:面向安全专业人员的 Active Directory](https://www.youtube.com/watch?v=2w1cesS7pGY) * [BH2017 - 规避 Microsoft ATA 以掌控 Active Directory ](https://www.youtube.com/watch?v=bHkv63-1GBY) * [DEFCON 26 - 利用 Active Directory 管理员的安全漏洞](https://www.youtube.com/watch?v=WaGgofGnWaI) * [BH2017 - 袖藏玄机:设计 Active Directory DACL 后门](https://www.youtube.com/watch?v=ys1LZ1MzIxE) * [DerbyCon7 - 按下按钮成为域管理员来建造死星(又名:我差点如何让自己被自动化取代)](https://www.youtube.com/watch?v=kGoc_apljpU) * [DerbyCon4 - 在后渗透阶段滥用 Active Directory](https://www.youtube.com/watch?v=sTU-70dD-Ok&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=12) ### Kerberos * [Kerberos (I):Kerberos 是如何工作的?– 理论](https://www.tarlogic.com/en/blog/how-kerberos-works/?amp&__twitter_impression=true) * [保护特权域账户:深度解析网络身份验证](https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth) * [针对通信协议的基础攻击 – 重放攻击与反射攻击](https://steemit.com/education/@edwardthomson/basic-attacks-on-communication-protocols-replay-and-reflection-attacks) * [MicroNugget:Kerberos 是如何工作的?](https://www.youtube.com/watch?v=kp5d8Yv3-0c) * [MIT 6.858 2014年秋季 第13讲:Kerberos](https://www.youtube.com/watch?v=bcWxLl8x33c) * [DerbyCon4 - Et tu Kerberos (还有你吗,Kerberos)](https://www.youtube.com/watch?v=RIRQQCM4wz8&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=14) * [DerbyCon7 - 来自地底的回归:红队 Kerberos 的未来](https://www.youtube.com/watch?v=E_BNhuGmJwM&t=0s&index=2&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3) * [BH2014 - 滥用 Microsoft Kerberos:抱歉,你们根本不懂它](https://www.youtube.com/watch?v=lJQn06QLwEw) * [DerbyCon4 - 攻击 Microsoft Kerberos:踢开冥界的看门狗](https://www.youtube.com/watch?v=PUyhlN-E5MU&t=0s&list=PLz8yKJBzAxrslURpq0TcmLl7JS-sRNmog&index=57) * [Kerberos 遭遇瞄准:黄金票据、白银票据、MITM 等等](https://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more) * [攻击者如何利用 Kerberos 白银票据破坏系统](https://adsecurity.org/?p=2011) ### Lssass SAM NTLM GPO * [无需触碰 LSASS 获取 NTLM Hash:“Internal Monologue”攻击](https://www.andreafortuna.org/dfir/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/) * [ATT&CK - 凭据转储](https://attack.mitre.org/wiki/Technique/T1003) * [BH2002 - 破解 NTLMv2 身份验证](https://www.youtube.com/watch?v=x4c8J70kHKc) * [DerbyCon7 - 使用组策略保护 Windows 安全 ](https://www.youtube.com/watch?v=Upeaa2rgozk&t=0s&index=66&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3) * [滥用 GPO 权限](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) * [针对性的 Kerberoasting](https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/) ### WinAPI * [DerbyCon4 - 让 Windows 自娱自乐:渗透测试人员的 Windows API 滥用指南](https://www.youtube.com/watch?v=xll_RXQX_Is&index=7&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg&t=0s) ## 横向移动 ### Pass the Hash * [ATT&CK - Pass the Hash](https://attack.mitre.org/wiki/Technique/T1075) * [BH2013 - Pass the Hash 及其他凭据窃取与重用:防止横向移动...](https://www.youtube.com/watch?v=xxwIh2pvbyw&t=345s) * [BH2013 - Pass the Hash 2:管理员的复仇](https://www.youtube.com/watch?v=A5xntvKaRlk) * [从 Pass-the-Hash 到 Pass-the-Ticket 毫不费力](https://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/#gref) * [Pass-the-Hash 已死:LocalAccountTokenFilterPolicy 万岁](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) ### Pass the Ticket * [ATT&CK - Pass the Ticket](https://attack.mitre.org/wiki/Technique/T1097) ### LLMNR/NBT-NS 毒化 * [一场 SMB 中继赛跑 – 如何利用 LLMNR 和 SMB 消息签名以获取利益与乐趣](https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/) ## 权限提升 * [升级!实用的 Windows 权限提升 - Andrew Smith](https://www.youtube.com/watch?v=PC_iMqiuIRQ) * [Windows 权限提升演示文稿](https://www.youtube.com/watch?v=mcJ3aRSqGSo) * [Windows 内核利用](https://github.com/SecWiki/windows-kernel-exploits) * [DEF CON 22 - Kallenberg 和 Kovah - Windows 8/UEFI 系统上的极端权限提升](https://www.youtube.com/watch?v=d6VCri6sPnY) * [DEF CON 25 - Morten Schenk - 将 Windows 10 内核利用提升到新高度](https://www.youtube.com/watch?v=Gu_5kkErQ6Y) * [DerbyCon7 - 并非安全边界:绕过用户帐户控制](https://www.youtube.com/watch?v=c8LgqtATAnE&t=0s&index=21&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3) ### Token 模拟 * [Incógnito 的乐趣](HTTPS://offensive-security.com/metasploit-unleashed/fun-incognito/) * [Rotten Potato](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) ## 防御规避 ### AV * [DerbyCon3 - 防病毒规避经验教训](https://www.youtube.com/watch?v=ycgaekqAkpA) * [DerbyCon7 - T110 现代规避技术](https://www.youtube.com/watch?v=xcA2riLyHtQ) * [DerbyCon7 - 规避 Autoruns](https://www.youtube.com/watch?v=AEmuhCwFL5I) * [用于规避、绕过和禁用 MS 的红队技术](https://www.youtube.com/watch?v=2HNuzUuVyv0) * [如何绕过防病毒软件以运行 Mimikatz](https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/) * [AV 规避 - 混淆 Mimikatz](https://www.youtube.com/watch?v=9pwMCHlNma4) * [让 PowerShell Empire 绕过 Windows Defender](https://www.blackhillsinfosec.com/getting-powershell-empire-past-windows-defender/) ### AMSI * [Windows Defender ATP 机器学习和 AMSI:挖掘“就地取材”的基于脚本的攻击 ](https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/) * [反恶意软件扫描接口 (AMSI) — 关于规避的红队分析] (https://iwantmore.pizza/posts/amsi.html) ### LAPS * [本地管理员密码解决方案](https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)) * [对 Microsoft LAPS 的恶意利用](https://akijosberryblog.wordpress.com/2019/01/01/malicious-use-of-microsoft-laps/) ### AppLocker 和应用程序白名单 * [什么是 AppLocker?](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) * [如何使用 REGSVR32 规避应用程序白名单](https://www.blackhillsinfosec.com/evade-application-whitelisting-using-regsvr32/) * [UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList) ## 数据窃取 * [滥用 Windows Management Instrumentation (WMI)](https://www.youtube.com/watch?v=0SjMgnGwpq8) * [DEF CON 23 - 专家组 - WhyMI so Sexy:WMI 攻击 - 实时防御与高级取证](https://www.youtube.com/watch?v=xBd6p-Lz3kE) * [DerbyCon3 - Living Off The Land:Windows 后渗透测试的极简指南](https://www.youtube.com/watch?v=j-r6UonEkUw) ## PowerShell * [DEF CON 18 - David Kennedy "ReL1K" 和 Josh Kelley - Powershell...omfg](https://www.youtube.com/watch?v=q5pA49C7QJg) * [DEF CON 22 - 调查 PowerShell 攻击](https://www.youtube.com/watch?v=EcOf1s90vsg) * [DerbyCon2016 - 106 PowerShell 秘密与战术 Ben0xA](https://www.youtube.com/watch?v=mPPv6_adTyg) * [Daniel Bohannon – Invoke-Obfuscation:PowerShell 混淆](https://www.youtube.com/watch?v=uE8IAxM_BhE) * [BH2017 - Revoke-Obfuscation:运用科学进行 PowerShell 混淆检测(及规避)](https://www.youtube.com/watch?v=x97ejtv56xw) ## 网络钓鱼 ### 恶意文档 * [使用恶意文档进行网络钓鱼](https://www.n00py.io/2017/04/phishing-with-maldocs/) * [使用 Empire 进行网络钓鱼](https://enigma0x3.net/2016/03/15/phishing-with-empire/) ### 宏 * [使用宏和 Powershell 进行网络钓鱼](https://www.securitysift.com/phishing-with-macros-and-powershell/) ### DDE * [关于动态数据交换](https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-dynamic-data-exchange) * [滥用 Microsoft Office DDE](https://www.securitysift.com/abusing-microsoft-office-dde/) * [Microsoft Office 动态数据交换(DDE)攻击](https://resources.infosecinstitute.com/microsoft-office-dynamic-data-exchangedde-attacks/#gref) * [Office-DDE-Payloads](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads) ### HTA * [利用 HTA 文件进行黑客攻击](http://blog.sevagas.com/?Hacking-around-HTA-files) ## 工具 * [Mimikatz](https://github.com/gentilkiwi/mimikatz) * [BloodHound](https://github.com/BloodHoundAD/BloodHound) * [Empire](https://github.com/EmpireProject/Empire) * [Nishang](https://github.com/samratashok/nishang) * [Responder](https://github.com/SpiderLabs/Responder) * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) * [PSExec](https://www.toshellandback.com/2017/02/11/psexec/) ### 对手模拟 * [Cobalt Strike](https://www.cobaltstrike.com/) * [Darkmoon](https://github.com/ASCIT31/Dark-Moon) * [Red Team Automation - RTA](https://github.com/endgameinc/RTA) * [CALDERA](https://github.com/mitre/caldera) * [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) * [Metta](https://github.com/uber-common/metta) # 其他 Awesome 列表和资源 * [Awesome Red Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming) * [红队工具包](https://github.com/infosecn1nja/Red-Teaming-Toolkit) * [红队基础设施 Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki) * [Awesome Pentest](https://github.com/Muhammd/Awesome-Pentest) * [红队实验](https://ired.team/) # 贡献 随时欢迎您的贡献!请先查看贡献指南。 如果您对这个带有主观见解的列表有任何疑问,请随时在 Twitter 上联系我 @\_mvalle\_,或者在 GitHub 上提交一个 issue。
标签:AI合规, Conpot, DNS 反向解析, HTTP, Modbus, Terraform 安全, Web报告查看器, Windows安全, 协议分析, 数据展示, 权限提升, 模拟器, 横向移动, 红队, 编程规范, 防御加固