Link encyclopedia

Going to try to keep this updated.

Microsoft

Powershell

• Powershell 101
• Learn Windows PowerShell in a Month of Lunches (Youtube) - Companion videos to the famous book
• p3nt4/PowerShdll - Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls.
• nullbind/Powershellery - GetSPN and other things

Empire

• Empire 101 - Empire Introduction from official documentation

Powerview

• Powerview repository - contains documentation and how to use Powerview
• PowerView-3.0-tricks.ps1 - Powerview tips and tricks from HarmJ0y

Bloodhound

• Bloodhound node info - Bloodhound Node info explanations
• Lay of the land with bloodhound - General Bloodhound usage guide article

Mimikatz

• Lazykats - Mass Mimikatz with AV bypass (questionable)
• Direct link to Invoke-Mimikatz.ps1
• Auto dumping domain credentials
• eladshamir/Internal-Monologue - Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS

Enumeration

• Invoke-Portscan.ps1 - Invoke-Portscan is a module from Powersploit that can perform port scans similar to Nmap straight from Powershell.
• Walking back local admins - Finding local admins in AD

Kerberos

• HarmJ0y - roasting-as-reps - Article about Kerberos preauthentication
• HarmJ0y/ASREPRoast - Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.

Tunneling

• SShuttle - SShuttle creates an SSH tunnel that works almost just like a VPN

Command and control (C2)

• SANS Pentest Blog - Using Amazon AWS EC2 for C2
• lukebaggett/dnscat2-powershell - Powershell implementation of dnscat2 client
• C2 with dnscat2 and powershell - dnscat2 can be used with powershell for working over DNS to hide C2 activity
• DNS tunneling - How DNS tunneling works

Exploit

• SharpShooter - SharpShooter can create payloads for many formats like HTA, JS and VBS
• DCShadow - DCShadow, attack technique to create a rogue domain controller

Mail

• Ruler - Ruler can interact with Exchange servers remotely

Breaking out of locked down environments

• Breaking Out of Citrix and other Restricted Desktop Environments
• Applocker Case study - Breaking out of Applocker using advanced techniques
• Bypass Applocker - List of most known Applocker bypass techniques
• Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell

Defense

• MS - Securing privileged access - Reference material for securing admin access in AD
• MS - What is AD Red Forest - Red forest design is building an administrative AD environement built with security in mind
• Managing Applocker with Powershell
• SANS - Finding Empire C2 activity

Lab building

• The Eye - Official MSDN ISOs for all OSes
• Automatedlab/Automatedlab - Automatedlab is a project for building a lab environment automatically using Powershell.
• Building a lab with ESXI and Vagrant - Big article from this book about building a lab using ESXi
• Mini lab - Small article from this book about creating a small lab for practicing things like Responder

Other

• OSCP Survival Guide archived - contains a ton of useful commands for enumeration and exploitation