Going to try to keep this updated.
- Powershell 101
- Learn Windows PowerShell in a Month of Lunches (Youtube) - Companion videos to the famous book
- p3nt4/PowerShdll - Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls.
- nullbind/Powershellery - GetSPN and other things
- Empire 101 - Empire Introduction from official documentation
- Powerview repository - contains documentation and how to use Powerview
- PowerView-3.0-tricks.ps1 - Powerview tips and tricks from HarmJ0y
- Bloodhound node info - Bloodhound Node info explanations
- Lay of the land with bloodhound - General Bloodhound usage guide article
- Lazykats - Mass Mimikatz with AV bypass (questionable)
- Direct link to Invoke-Mimikatz.ps1
- Auto dumping domain credentials
- eladshamir/Internal-Monologue - Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- Invoke-Portscan.ps1 - Invoke-Portscan is a module from Powersploit that can perform port scans similar to Nmap straight from Powershell.
- Walking back local admins - Finding local admins in AD
- HarmJ0y - roasting-as-reps - Article about Kerberos preauthentication
- HarmJ0y/ASREPRoast - Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.
- SShuttle - SShuttle creates an SSH tunnel that works almost just like a VPN
Command and control (C2)
- SANS Pentest Blog - Using Amazon AWS EC2 for C2
- lukebaggett/dnscat2-powershell - Powershell implementation of dnscat2 client
- C2 with dnscat2 and powershell - dnscat2 can be used with powershell for working over DNS to hide C2 activity
- DNS tunneling - How DNS tunneling works
- SharpShooter - SharpShooter can create payloads for many formats like HTA, JS and VBS
- DCShadow - DCShadow, attack technique to create a rogue domain controller
- Ruler - Ruler can interact with Exchange servers remotely
Breaking out of locked down environments
- Breaking Out of Citrix and other Restricted Desktop Environments
- Applocker Case study - Breaking out of Applocker using advanced techniques
- Bypass Applocker - List of most known Applocker bypass techniques
- Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell
- MS - Securing privileged access - Reference material for securing admin access in AD
- MS - What is AD Red Forest - Red forest design is building an administrative AD environement built with security in mind
- Managing Applocker with Powershell
- SANS - Finding Empire C2 activity
- The Eye - Official MSDN ISOs for all OSes
- Automatedlab/Automatedlab - Automatedlab is a project for building a lab environment automatically using Powershell.
- Building a lab with ESXI and Vagrant - Big article from this book about building a lab using ESXi
- Mini lab - Small article from this book about creating a small lab for practicing things like Responder
- OSCP Survival Guide archived - contains a ton of useful commands for enumeration and exploitation