Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/alphaSeclab/windows-security

Resources About Windows Security. 1100+ Open Source Tools. 3300+ Blog Post and Videos.

amsi applocker dll pe powershell sysinternal uac windows-defender windows-security

Last synced: 3 months ago

# [All my collection repos](https://github.com/alphaSeclab/all-my-collection-repos)

# Windows

- A collection of resources related to Windows security. It currently includes 1100+ tools, roughly categorized by function; some tools have Chinese descriptions added. It currently includes 3300+ articles.
- This page contains only part of the content. [View the full version](https://github.com/alphaSeclab/windows-security/blob/master/Readme_full.md)
- [English Version](https://github.com/alphaSeclab/windows-security/blob/master/Readme_en.md)

# Contents
- [PowerShell](#686597a4cff20c60a8e86116cde645fb)
    - [PowerSploit](#c65ce176ec6f9bbce520d5b97f4067db) -> [(4) Tools](#65a67d0db02390cee295385191ee5ee0) [(12) Articles](#0ab243d6d9d07fd24d8aa9a44ea03e89)
    - [PSAttack](#7a02de4887610ec52c49e64b95fe1580) -> [(3) Tools](#65edc029f91b76eab19a2adb39966d55) [(3) Articles](#5f6fc3b3e1eac08f477163970696725e)
    - [Other](#f00255b09a7cea498b2672c2c7447a04) -> [(5) Tools](#882141dceab035af73809b75c83477f1) [(7) Articles](#06d2309e0637f481cdfac132c86142b3)
- [DLL](#89f963773ee87e2af6f9170ee60a7fb2)
    - [Newly added](#4dcfd9135aa5321b7fa65a88155256f9) -> [(107) Tools](#9753a9d52e19c69dc119bf03e9d7c3d2) [(152) Articles](#b05f4c5cdfe64e1dde2a3c8556e85827)
    - [DLL Injection](#3b4617e54405a32290224b729ff9f2b3) -> [(67) Tools](#b0d50ee42d53b1f88b32988d34787137) [(69) Articles](#1a0b0dab4cdbab08bbdc759bab70dbb6)
    - [DLL Hijacking](#f39e40e340f61ae168b67424baac5cc6) -> [(18) Tools](#c9cdcc6f4acbeda6c8ac8f4a1ba1ea6b) [(60) Articles](#01e95333e07439ac8326253aa8950b4f)
    - [DLL Side-Loading](#7f17d2efd0021063bd713a1b9ee2f46e) -> [(18) Articles](#ec3149509e7612fb1a2126948f141bc0)
- [PE](#620af0d32e6ac1f4a3e97385d4d3efc0)
    - [PE Parsing](#c9d6674c5ab3d9adb7fd295acb7ba7cf) -> [(1) Tools](#3cb6b6d0c5f183fc7beed42c26733e39) [(3) Articles](#f644a8855d53c26fb4f9799d2733c8c8)
    - [Tools](#574db8bbaafbee72eeb30e28e2799458) -> [(66) Tools](#c364a31b0a48b1a528f728def1d3ca05)
    - [Articles](#7e890d391fa32df27beb1377a371518b) -> [(131) Articles](#bba6a2ee17956c3bd688c16acac5e502)
- [.NET](#b8c834b16722c108f8c30f1b0190f0a1)
    - [Tools](#d90b60dc79837e06d8ba2a7ee1f109d3)
        - [(36) Newly added](#6b8b4bf156e5f973cf0485d45a94f4c4)
        - [(5) dnspy](#e26e6693fc840e27099c4363598e02cc)
    - [(56) Articles](#2612f712f9363ad0d71fc054c4829396)
- [Login and Authentication](#5dc38e490615f91e67ffb2f668c5088a)
    - [Mimikatz](#360af8f1497fcc2dfd2e32f2b636d718) -> [(13) Tools](#17f92a061cc661a040c094c1b3fd32e3) [(128) Articles](#c9617bf44965290de6f7b645c15328ea)
    - [NTLM](#37557d58c549b4988bf0bb0ada5de975) -> [(36) Tools](#6c8194db98591f8f68b790975663bc5a) [(128) Articles](#f07067c1b70f9c002838e2f4ab25da7d)
    - [Kerberos](#20f86e3e6a4aa7dc1e5a1e3071e0d500) -> [(28) Tools](#fbc6987a538d971f3d85b790fbf0c1e1) [(71) Articles](#3a746419a4bc22b8a6425b81b6bd4593)
    - [Pass-The-Hash](#2e1fd273eb428694a94396509754acb5) -> [(1) Tools](#3efc90b9ae87a405e231900020ea33ed) [(52) Articles](#5cbd82fde4af3da6516b88c52d2c357a)
    - [Pass-The-Ticket](#af48434aafea8db423a9bacef64b1620) -> [(3) Articles](#e335ccf1622ee0d95b75a4cbb0af5a32)
    - [winlogon.exe](#fe064b8a783e94169307579efcfc5349) -> [(1) Tools](#1e77e9449ab3be5cd9977aa55991c897) [(6) Articles](#6d3a0fcab4e6b1199600072b17f941b0)
    - [LLMNR](#9813233777717d99ef29e2fe63abfefb) -> [(5) Tools](#7658d2242abc5b8c24e80a77b3a89321) [(18) Articles](#e4227d4373c3aec808349a26c979c522)
    - [NetBIOS](#d6fd46f65ce1fe687a92a2da9551d7a9) -> [(2) Tools](#e41f70bc9d7ba0f1430bed63e2d9aece) [(17) Articles](#ce06393f8c683c74ea341a9ef2b48938)
    - [Other](#cd40abc5c7d4b2907b770e53a60ee3ec) -> [(2) Tools](#e522f8282206b84cd670cbb658e4bd75)
- [Security Protection](#cbdc1e0b908c8f2df368db8bbc65926f)
    - [UAC](#40fd1488e4a26ebf908f44fdcedd9675) -> [(41) Tools](#02517eda8c2519c564a19219e97d6237) [(139) Articles](#90d7d5feb7fd506dc8fd6ee0d7e98285)
    - [AppLocker](#184bbacd8b9e08c30cc9ffcee9513f44) -> [(13) Tools](#8f1876dff78e80b60d00de25994276d9) [(98) Articles](#286317d6d7c1a0578d8f5db940201320)
    - [Data Execution Prevention(DEP)](#fa89526db1f9373c57ea4ffa1ac8c39f) -> [(1) Tools](#10252fd90a09cb32b4e82497aa79f037) [(68) Articles](#5ff9992a2474eb75e2a1b5860d5b87dc)
    - [Patch Guard(PG)](#edd6035c85e4ddf47939cc0e21505089) -> [(2) Tools](#928f69b989fa9e8ec3436e361f646eac) [(24) Articles](#998ed9d8013051b3c7b21b89d189d509)
    - [Driver Signature Enforcement(DSE)](#9820fc65cd69d9d295a81cfd90be12fe) -> [(11) Tools](#18cbac58652453abbe2ff1aed187d370) [(11) Articles](#b2d4a9c239c773d20bd4363a4a4c5d83)
    - [Windows Defender](#000972b0f2afd58a699bdceabfc21249) -> [(15) Tools](#3296552ba5a3a76e4e1b1c0e1164adde) [(155) Articles](#a61cee92890da1a569289b5c1daafb6e)
    - [Antimalware Scan Interface(AMSI)](#04b9831a450074392140722cd14df668) -> [(11) Tools](#93e309abead4f559486dc29f539869de) [(62) Articles](#15a5d4f48f2cd80986bd504c561d4a89)
    - [Address Space Layout Randomization(ASLR)](#b1324e23dc1b1314c3674203af4cb147) -> [(12) Tools](#92a9071fd688be4888c2fbd493ae2d26) [(124) Articles](#530581a7d5ef7c27b168a7f86ff642af)
    - [Control Flow Guard](#6fc6d2a82e58d5a0daa258dd87190fe5) -> [(4) Tools](#5e156e74fbac1a857251ad7349fa55fe)
    - [Control Integrity Guard](#87d619895642fc563b2b31154ade189a) ->
    - [Other](#d1798993715e3e3a240884b7ff04b45d) ->
    - [MS1X](#7571369f732a6a16dfe727626709f702) -> [(46) Tools](#a00506bcb946ba1c14c0747407dd2570) [(7) Articles](#e08e4392157e48200f68d6e16e31c524)
- [System Mechanisms](#73aa875eba0a61328cda48b6d2b96135)
    - [RDP](#d8eb297358353fd465b9b6914327fc0c)
        - [(53) Tools](#f8078be0204bcc6c4b88b389d5e169d7)
        - [(70) Articles](#789aa51ac9d9c559e587cbd6ae85af8a)
        - [(141) Articles_0](#4ece6a5ac5b1176456fe44100a8b18d7)
    - [SMB](#2ccd7ff9d95435e841f8c667dda1338e) -> [(61) Tools](#1d122fd6dda9ebbd4ee460facbaf1d4d) [(51) Articles](#3832aa4bcf779dc33fed9dcd71129a59)
    - [Windows Management Instrumentation(WMI)](#25c0e7fba8e6523c9e60eaea718db391) -> [(37) Tools](#a44289a4715b50988ac7cbfc1fca0a92) [(144) Articles](#78882a933dbf22785891fe26ea95feb1)
    - [Event Tracing for Windows(ETW)](#ac43a3ce5a889d8b18cf22acb6c31a72) -> [(40) Tools](#0af4bd8ca0fd27c9381a2d1fa8b71a1f) [(66) Articles](#11c4c804569626c1eb02140ba557bb85)
    - [Lsass](#fe0ba7bd911de751b4cc28c9e1a6cb28) -> [(7) Tools](#94693a3207198ec3c995deb0f38cc22c) [(22) Articles](#b8904d923ae77cf3c230ee1e07717572)
    - [BitLocker](#5aa94d550d4ead20c77cb4c609378a40) -> [(10) Tools](#624af4702d96b0df8f89e6142815f034) [(50) Articles](#734243fcb4f539b563072a725e24b75f)
    - [NTFS](#645dbf50d2f476c438e48af8c9bcd78c) -> [(21) Tools](#64624c6440889198d1c69ab40f1a5cf3) [(73) Articles](#a976da792a1490b26da931174e05ee8f)
    - [SSDT](#b16c5b961088f60a61567d28844e9224) -> [(11) Tools](#59abc34487b51ce7a5383d3f37308eac) [(57) Articles](#6d2a886ff4abcae02d0968c17d4adfe2)
    - [Windows Registry](#23d474a347ac76b1ba3a1f5b178d5db9) -> [(12) Tools](#7e46b2cafccc94889e3ac2722bf6b321) [(18) Articles](#bc2ad2bfa13e8f6877934465ea611bf8)
    - [Component Object Model(COM)](#9f0ddf6e87cbaabd865deebde52699d4) -> [(1) Tools](#77b9b279c18b90c20f672b68cc946da1)
    - [Distributed Component Object Model(DCOM)](#798eea99c85b0c02ecbde54172e9e11b) -> [(10) Tools](#424a04890b93f5642ee2f69e394c9be8) [(35) Articles](#b496048006faecf5545e9eb75072e718)
    - [Dynamic Data Exchange(DDE)](#9c0d0ea748ac8de5396932422c6cce10) -> [(5) Articles](#5ff2332e36459054c8bf3ccd30480a1a)
    - [Compiled HTML Help(CHM)](#b05deb0cee0274fb02b27dd33edb80d1) -> [(4) Articles](#a68ed31e2457d7ec9143428d05a8a755)
    - [WinSxS](#cd351af78b7ca5139f3ae343ecb0dd9c) -> [(1) Tools](#1db8c6803d4c2abbdedc18aee7f85c8d)
    - [WoW64](#01210feb166b95c19ba9ac374f06a291) -> [(9) Tools](#eb82daa5fe43dfd74bc02c47e2c4afe8) [(28) Articles](#c6ca09f3f8597935d70aaf695629dc3a)
    - [Background Intelligent Transfer Service(BITS)](#0f805859001b5b52d63a7172bd44cdf6) -> [(2) Tools](#b2f8f87055fddd1cf1c2c11401ad4e04)
    - [Batch Script(.bat)](#a658066df321965f221208dd00abe422) -> [(12) Tools](#b1c6b964c60022c9dcd4ff69072dbda5) [(11) Articles](#af21157c602c6800e744db567fd3e43c)
    - [DACL](#bf6cc44eeb15bfccaf0bf3750be50e2b) -> [(2) Tools](#e7f9728a252a6e224e64a49da24b7312) [(6) Articles](#04794a1f53e595fb81288e7f9a3ac1d4)
    - [WebDAV](#84f437e82aae8bfcecd2694e04fcf8aa) -> [(11) Tools](#eb4696a47c7673522fd42c2a6e7cd8a7) [(26) Articles](#869dec888564b2d2d13708bebbcc3f74)
    - [Group Policy Object(GPO)](#9c71937ab7d82876aac2c54c150791cc) -> [(1) Tools](#578d958b7bb54c88abdf496c6e30647b) [(4) Articles](#c468de52ae51e1caca7a00483464dd72)
    - [AppInit/AppCert](#6b68cefbacf54a6f75ca2f9018117a33) -> [(4) Articles](#296d6cf1fb87b343a3084344c76d59ac)
    - [InstallUtil](#8f547f4f2f1e71c746324e72861c43f1) -> [(1) Articles](#b05e41c16bfafb2f11a5cab1d79b9460)
    - [Image File Execution Option(IFEO)](#70f540d5729edd9eaf458082acdb22bc) -> [(5) Articles](#16ffb3bcd11332055eb2adab920dff34)
    - [Mshta](#3dc4542422de4f6e2a8ea5d4f36e2481) -> [(6) Articles](#ec9ec7966300b8a41b394dd5cfbed4c7)
    - [Microsoft HTML Application(HTA)](#8722d46369d07d677ad27d467c45e174) -> [(1) Articles](#77e8c723a9f3e2b1df9b7778947c3400)
    - [NetShell](#7d3e42507cd5aef335800a1ad2ef81f2) -> [(2) Tools](#8be076273c1e4f30dc40065080573125) [(1) Articles](#bb3384e6aeb99870a31bc93c01f6a76e)
    - [VBScript](#4dad410f6466bbb44dd8f722a98b4542) -> [(9) Tools](#cb35c6d81a6e143b6a70680e8ef9e02d) [(59) Articles](#8d9d82756a32f13fcba26616b4f9aaf0)
    - [VBA](#ded9537532637d9e8cf34103b8074bb9) -> [(16) Tools](#80b5cac54622fc99de46e2de95f2d187) [(76) Articles](#24e894db7a4d419a9b186cd5546fdcd2)
    - [Security Service Provider(SSP)](#fdaecf463cde0ace2baf674360118a19) -> [(8) Articles](#ca71d3c8c759ef191253380e005213c0)
    - [Scheduled Task](#cbe7925b4695d3f5e9f72f432a6530dc) -> [(6) Tools](#f52a95e272df2e86c388e0dd076c4c6f) [(9) Articles](#85a4495e6c53b1f5de50d3cf42de1084)
    - [Windows Remote Management(WinRM)](#0f90a8ce54f7bff9128b404dbab3d314) -> [(9) Tools](#a0fe36873097f6dff84cdd7b3fe52fb2) [(16) Articles](#c754ad3133666a921f924a0366fda9e0)
    - [Control Panel](#567c09f34e35410dc959657beb4da4d3) -> [(1) Tools](#2f0c44bd470537ea2924f941129ec965) [(12) Articles](#62bd550f94a11d68207c58a1753479cc)
    - [Windows Shortcut File](#6bdc12478a16b13a33c7ecd353f967b1) -> [(8) Tools](#4a28a030e4074a0d09d31f9cadf7378f) [(18) Articles](#29bf70714f8426a6f7804e277cb7b378)
    - [Windows Explorer](#09220acd8a80f802a330028acfd6454d) -> [(27) Tools](#70a08a1d4ae425b9c2e2e336b832754a) [(4) Articles](#97b6c206893c0d72beebd5c122542933)
    - [Application Shim](#4305fed600ce259233802ea6c6626887) -> [(7) Articles](#10b9816b4775f22260658eef1d41860a)
    - [Squiblydoo](#061272d088606ae0778a04b31f3c0e46) -> [(2) Articles](#1bd9e5df8902faae521e1dff195f2dbc)
    - [Open Office XML](#29ae3a9557d3c14f79aad2303e6bb828) -> [(1) Tools](#177dd1d296e82b2dfad2cdcb2a37be2d)
    - [Other](#1c2073da678b183d1872ee62c568e7f5) ->
- [Miscellaneous Software](#928770b6fa4ff230a685448ae6573e52)
    - [MS Internet Explorer](#9bb54db4c51a3d146863d4ce1d36c498) -> [(32) Tools](#d1119ba6c8e896a186d925ccac371d59)
    - [MS Edge](#9003b6891f28795af6a0f11622ed813b) -> [(19) Tools](#ea3a3225108e179d9afe0b6e017dde52) [(51) Articles](#0019e616c7579c7151faf531b4a0c771)
    - [MS Office](#63479a46662292ab817171322fecfcf4) -> [(17) Tools](#40ce3b16876770b8c0bf0e67c0abf1e8) [(190) Articles](#0e7bba8c1c7a86374dad4962cb4bfd9f)
    - [EMET](#979c4f76c79c7e7a453727c7d6ecd539) -> [(3) Tools](#9d5a8c1da43df3879057ee7f1cd48c4e) [(118) Articles](#c968b8e10a7f96dfdbea90a85e86c02c)
    - [psexec](#98f74e5f893a0c326ef336619bc515c4) -> [(3) Tools](#336e94749dba45c45e97e436673d38a0) [(42) Articles](#0d2c5f807488fe1e68d9a968d04d2b56)
    - [Nltest](#4a17ea9f0555ae7c61b9762fd789b23c) ->
    - [CMSTP.exe](#5c1479af60b597303b2a885e92c1e384) ->
    - [Rundll32](#cc6df9989a20eb5dd533f032daeca9b3) -> [(1) Tools](#1e1be483a674d3e6330b31f0f11dadb5) [(12) Articles](#68b21ccc26f1f7877ae8e70a907e67ce)
    - [Regsvr32](#3ebe3d66a05d92aed5459ed72f1e3678) -> [(2) Tools](#c739394b21b3aad9293b747d7d141956) [(4) Articles](#fdd93367db93bf20c10b5dbb6f6e1b0f)
    - [Regasm](#70d731a999b1cd69d565e35c98540ec9) ->
    - [Regsvcs](#b2008a3c57c0e58f8ea1d03f583eb1c1) ->
    - [svchost](#c8596ed2e3d35337492ccffcd5a87027) -> [(1) Tools](#1928a187378080b11b7119305b61aad5) [(6) Articles](#45a0356bc132fc320e96e8bbb5b340f9)
    - [MSBuild](#666aceb7939a7ba06d77a71a2baffeee) -> [(6) Tools](#0f3c4b5cdc69b98c87e175ef7bb76396) [(14) Articles](#1e5138d2ba592b1886ed23b8d22d2e07)
    - [csrss.exe](#6f70488efd1c03c94c309fb6e1e7f28a) -> [(21) Articles](#9abd04f5352aa1714ccef5012cc33c6c)
    - [Other exe](#65a0235ddaea9da80145fa441eb0af2a) -> [(23) Articles](#eceb5b79694c803399b0de795fffc296)
- [SysInternalSuite](#d7a63740447f820c26b938b5bc391ef3)
    - [Sysmon](#0fed6a96b28f339611e7b111b8f42c23) -> [(36) Tools](#d48f038b58dc921660be221b4e302f70) [(144) Articles](#2c8cb7fdf765b9d930569f7c64042d62)
    - [Procmon](#dbc42caf465566897ecbb644fed1f271) -> [(4) Tools](#518d80dfb8e9dda028d18ace1d3f3981) [(18) Articles](#af06263e9a92f6036dc5d4c4b28b9d8c)
    - [Autoruns](#7da65659e7e463379d32be654003662c) -> [(7) Tools](#c206afa40ed90711b49a572feb1e0c5b) [(17) Articles](#23c49d681177101f0f7d15fcd15f2124)
    - [ProcessExplorer](#fdae9f5a384a5c230e577ac972be2de4) -> [(14) Articles](#1b24c5ac9ca199d0397380f902868c73)
    - [Other](#836a3b7a9763957991fce4355439ad06) -> [(5) Tools](#17fd6ceec67d0beed0bf54b117218123) [(20) Articles](#ed25f17a9dd8092131cf45121e24aa68)
- [Tools](#b478e9a9a324c963da11437d18f04998)
    - [(84) Newly added](#f9fad1d4d1f0e871a174f67f63f319d8)
    - [(5) Environment&&Configuration](#6d2fe834b7662ecdd48c17163f732daf)
    - [(8) Kernel&&Driver](#c3cda3278305549f4c21df25cbf638a4)
    - [(3) Registry](#920b69cea1fc334bbc21a957dd0d9f6f)
    - [(4) System Calls](#d295182c016bd9c2d5479fe0e98a75df)
    - [(13) Other](#1afda3039b4ab9a3a1f60b179ccb3e76)
- [Articles](#3939f5e83ca091402022cb58e0349ab8)
    - [(8) Newly added](#8e1344cae6e5f9a33e4e5718a012e292)

# PowerShell

***

## PowerSploit

### Tools

- [**6448** stars][9d] [PS] [powershellmafia/powersploit](https://github.com/PowerShellMafia/PowerSploit) PowerSploit - A PowerShell Post-Exploitation Framework
- [**346** stars][1y] [C#] [ghostpack/sharpdump](https://github.com/ghostpack/sharpdump) SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
- [**213** stars][3m] [Py] [the-useless-one/pywerview](https://github.com/the-useless-one/pywerview) A (partial) Python rewriting of PowerSploit's PowerView

### Articles

- 2018.12 [aliyun] [Reel: A BloodHound & PowerSploit Active Directory penetration test on HackTheBox](https://xz.aliyun.com/t/3516)
- 2018.11 [bugbountywriteup] [Reel — A BloodHound & PowerSploit Active Directory HackTheBox Walkthrough](https://medium.com/p/3745269b1a16)
- 2018.02 [hackers] [PowerSploit, Part 1: How to Control Nearly any Windows System with Powersploit](https://www.hackers-arise.com/single-post/2018/02/24/PowerSploit-Part-1-How-to-Control-Nearly-any-Windows-System-with-Powersploit)
- 2017.11 [mediaservice] [A patch for PowerSploit’s Invoke-Shellcode.ps1](https://techblog.mediaservice.net/2017/11/a-patch-for-powersploits-invoke-shellcode-ps1/)
- 2017.06 [stealthbits] [Exploiting Weak Active Directory Permissions with PowerSploit](https://blog.stealthbits.com/exploiting-weak-active-directory-permissions-with-powersploit/)
- 2017.04 [freebuf] [On using PowerSploit in internal network penetration testing](http://www.freebuf.com/sectool/131275.html)
- 2017.03 [jpcert] [Malware Leveraging PowerSploit](https://blogs.jpcert.or.jp/en/2017/03/malware-leveraging-powersploit.html)
- 2016.01 [sans] [toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics](https://isc.sans.edu/forums/diary/toolsmith+112+Red+vs+Blue+PowerSploit+vs+PowerForensics/20579/)
- 2016.01 [holisticinfosec] [toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics](https://holisticinfosec.blogspot.com/2016/01/toolsmith-112-red-vs-blue-powersploit.html)
- 2015.05 [leonjza] [jenkins to meterpreter toying with powersploit](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter-toying-with-powersploit/)
- 2013.04 [freebuf] [PowerSploit+Metasploit=Shells](http://www.freebuf.com/articles/system/8130.html)
- 2012.05 [freebuf] [Post Exploitation tool – PowerSploit](http://www.freebuf.com/sectool/2514.html)

***

## PSAttack

### Tools

### Articles

- 2017.07 [freebuf] [PSAttack: An offensive PowerShell script framework containing all penetration testing use cases](http://www.freebuf.com/sectool/139910.html)
- 2017.07 [4hou] [PSAttack: An all-purpose framework for penetration testing](http://www.4hou.com/info/news/6149.html)
- 2016.11 [BSidesCHS] [BSidesCHS 2016: "Adding PowerShell to your Arsenal with PSAttack" - Jared Haight](https://www.youtube.com/watch?v=sHAujy9R70M)

***

## Other

### Tools

- [**216** stars][23d] [PS] [mkellerman/invoke-commandas](https://github.com/mkellerman/invoke-commandas) Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.

### Articles

- 2020.01 [4sysops] [Invoke-Command: Compensating for slow responding computers](https://4sysops.com/archives/invoke-command-compensating-for-slow-responding-computers/)
- 2019.12 [4sysops] [Invoke-Command: Connecting to computers requiring different credentials](https://4sysops.com/archives/invoke-command-connecting-to-computers-requiring-different-credentials/)
- 2019.12 [4sysops] [Invoke-Command: Dealing with offline computers](https://4sysops.com/archives/invoke-command-dealing-with-offline-computers/)
- 2019.01 [sans] [Start-Process PowerShell - Get Forensic Artifact](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1492181107.pdf)
- 2018.12 [4sysops] [Running PowerShell remotely as SYSTEM with Invoke-CommandAs](https://4sysops.com/archives/running-powershell-remotely-as-system-with-invoke-commandas/)
- 2013.12 [mikefrobbins] [PowerShell Remoting Error When Trying to use Invoke-Command Against a Domain Controller](http://mikefrobbins.com/2013/12/04/powershell-remoting-error-when-trying-to-use-invoke-command-against-a-domain-controller/)
- 2013.01 [mikefrobbins] [PowerShell Remoting Insanity with AppAssure and the Invoke-Command Cmdlet](http://mikefrobbins.com/2013/01/31/powershell-remoting-insanity-with-appassure-and-the-invoke-command-cmdlet/)

# DLL

***

## Newly added

### Tools

- [**2064** stars][10d] [C#] [lucasg/dependencies](https://github.com/lucasg/dependencies) A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues.
- [**1393** stars][12m] [C] [fancycode/memorymodule](https://github.com/fancycode/memorymodule) Library to load a DLL from memory.
- [**1232** stars][10d] [C#] [perfare/il2cppdumper](https://github.com/perfare/il2cppdumper) Restore dll from Unity il2cpp binary file (except code)
- [**810** stars][10d] [C#] [terminals-origin/terminals](https://github.com/terminals-origin/terminals) Terminals is a secure, multi tab terminal services/remote desktop client. It uses Terminal Services ActiveX Client (mstscax.dll). The project started from the need of controlling multiple connections simultaneously. It is a complete replacement for the mstsc.exe (Terminal Services) client. This is official source moved from Codeplex.
- [**396** stars][8m] [C++] [hasherezade/dll_to_exe](https://github.com/hasherezade/dll_to_exe) Converts a DLL into EXE
- [**385** stars][19d] [C#] [3f/dllexport](https://github.com/3f/dllexport) .NET DllExport
- Duplicate section: [.NET->Tools->Newly added](#6b8b4bf156e5f973cf0485d45a94f4c4)
- [**371** stars][12d] [PS] [netspi/pesecurity](https://github.com/NetSPI/PESecurity) PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
- [**255** stars][16d] [C++] [wbenny/detoursnt](https://github.com/wbenny/detoursnt) Detours with just single dependency - NTDLL
- [**236** stars][21d] [C#] [erfg12/memory.dll](https://github.com/erfg12/memory.dll) C# Hacking library for making PC game trainers.
- [**234** stars][1y] [C#] [misaka-mikoto-tech/monohook](https://github.com/Misaka-Mikoto-Tech/MonoHook) hook C# method at runtime without modify dll file (such as UnityEditor.dll)
- [**220** stars][2m] [C++] [chuyu-team/mint](https://github.com/Chuyu-Team/MINT) Contains the definitions for the Windows Internal UserMode API from ntdll.dll, samlib.dll and winsta.dll.
- [**203** stars][10d] [C++] [s1lentq/regamedll_cs](https://github.com/s1lentq/regamedll_cs) a result of reverse engineering of original library mod HLDS (build 6153beta) using DWARF debug info embedded into linux version of HLDS, cs.so

### Articles

- 2016.12 [sensepost] [Rattler:Identifying and Exploiting DLL Preloading Vulnerabilities](https://sensepost.com/blog/2016/rattleridentifying-and-exploiting-dll-preloading-vulnerabilities/)
- 2012.10 [netspi] [Testing Applications for DLL Preloading Vulnerabilities](https://blog.netspi.com/testing-applications-for-dll-preloading-vulnerabilities/)
- 2010.08 [microsoft] [More information about the DLL Preloading remote attack vector](https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/)
- 2009.09 [evilcodecave] [DllExportComparer](https://evilcodecave.wordpress.com/2009/09/04/dllexportcomparer/)
- 2009.07 [pediy] [[Original] Analysis of a DLL downloader](https://bbs.pediy.com/thread-94312.htm)
- 2009.07 [addxorrol] [Poking around MSVIDCTL.DLL](http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html)
- 2009.07 [rapid7] [IE DirectShow (msvidctl.dll) MPEG-2 Metasploit Exploit](https://blog.rapid7.com/2009/07/07/ie-directshow-msvidctldll-mpeg-2-metasploit-exploit/)
- 2009.07 [sans] [0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks](https://isc.sans.edu/forums/diary/0day+in+Microsoft+DirectShow+msvidctldll+used+in+driveby+attacks/6733/)
- 2009.07 [vexillium] [DllMain and its uncovered possibilites](http://j00ru.vexillium.org/?p=80)
- 2009.07 [vexillium] [DllMain and its uncovered possibilites](https://j00ru.vexillium.org/2009/07/dllmain-and-its-uncovered-possibilites/)
- 2009.06 [pediy] [[Original] Creating kernel DLLs for Windows NT with GCC](https://bbs.pediy.com/thread-92537.htm)
- 2009.06 [pediy] [[Anti-Virus Topic] 1.7 - Building a DLL in-memory loading engine](https://bbs.pediy.com/thread-90441.htm)
- 2009.05 [pediy] [[Original] An example of a global API hook via DLL (with code)](https://bbs.pediy.com/thread-90109.htm)
- 2009.05 [pediy] [[Original] A brief analysis of the packing process of Fengyue's DLL-Game.exe](https://bbs.pediy.com/thread-89706.htm)
- 2009.05 [travisgoodspeed] [FET Firmware from MSP430.DLL](http://travisgoodspeed.blogspot.com/2009/05/fet-firmware-from-msp430dll.html)
- 2009.05 [pediy] [[Original] Baofeng Player 2009 (Config.dll) ActiveX remote stack overflow vulnerability](https://bbs.pediy.com/thread-87617.htm)
- 2009.05 [pediy] [[Original] Baofeng Player 2009 (mps.dll) ActiveX remote stack overflow vulnerability](https://bbs.pediy.com/thread-87616.htm)
- 2009.04 [pediy] [[Help] A question about Windows Mobile DLLs](https://bbs.pediy.com/thread-86211.htm)
- 2009.04 [pediy] [CE injection code that does not rely on DllMain being triggered](https://bbs.pediy.com/thread-85899.htm)
- 2009.03 [pediy] [[Original] Writing DLL plugins in Delphi to add features to Windows Notepad](https://bbs.pediy.com/thread-84730.htm)

***

## DLL Injection

### Tools

- [**994** stars][1m] [C] [fdiskyou/injectallthethings](https://github.com/fdiskyou/injectallthethings) Seven different DLL injection techniques in one single project.
- [**747** stars][7m] [C++] [darthton/xenos](https://github.com/darthton/xenos) Windows DLL injector
- [**635** stars][3m] [PS] [monoxgas/srdi](https://github.com/monoxgas/srdi) Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode

### Articles

- 2019.06 [aliyun] [Analysis of the Windows 10 Task Scheduler service DLL injection vulnerability](https://xz.aliyun.com/t/5286)
- 2018.10 [pediy] [[Original] A trick for injecting a DLL with shellcode instead of creating a user thread](https://bbs.pediy.com/thread-247515.htm)
- 2018.10 [4hou] [How to bypass Win10 ransomware protection with DLL injection](http://www.4hou.com/technology/13923.html)
- 2018.10 [0x00sec] [Reflective Dll Injection - Any Way to check If a process is already injected?](https://0x00sec.org/t/reflective-dll-injection-any-way-to-check-if-a-process-is-already-injected/8980/)
- 2018.09 [pediy] [[Original] Injecting a DLL into an ARM32 program from a win10_arm64 driver](https://bbs.pediy.com/thread-247032.htm)
- 2018.08 [freebuf] [sRDI: A powerful tool for reflective DLL injection via shellcode](http://www.freebuf.com/sectool/181426.html)
- 2018.07 [4hou] [Injection series: DLL injection](http://www.4hou.com/technology/12703.html)
- 2018.06 [0x00sec] [Reflective DLL Injection - AV detects at runtime](https://0x00sec.org/t/reflective-dll-injection-av-detects-at-runtime/7307/)
- 2018.06 [qq] [[Game Vulnerability] Injecting a DLL to display a game window](http://gslab.qq.com/article-508-1.html)
- 2017.12 [secist] [Mavinject | Dll Injected](http://www.secist.com/archives/5912.html)
- 2017.12 [secvul] [SSM puts an end to DLL injection](https://secvul.com/topics/951.html)
- 2017.10 [nsfocus] [[Sharing] Sandbox techniques: DLL injection](http://blog.nsfocus.net/sandbox-technology-dll-injection/)
- 2017.10 [freebuf] [A new approach to DLL injection: research on reflective DLL injection](http://www.freebuf.com/articles/system/151161.html)
- 2017.10 [pediy] [[Original] Analyzing kernel shellcode DLL injection techniques through WannaCry](https://bbs.pediy.com/thread-221756.htm)
- 2017.09 [360] [A new approach to DLL injection: SetThreadContext injection](https://www.anquanke.com/post/id/86786/)
- 2017.08 [silentbreaksecurity] [sRDI – Shellcode Reflective DLL Injection](https://silentbreaksecurity.com/srdi-shellcode-reflective-dll-injection/)
- 2017.08 [360] [All about DLL injection](https://www.anquanke.com/post/id/86671/)
- 2017.08 [freebuf] [System security offense and defense: DLL injection techniques explained](http://www.freebuf.com/articles/system/143640.html)
- 2017.08 [pediy] [[Translation] An introduction to the principles of several DLL injection techniques](https://bbs.pediy.com/thread-220405.htm)
- 2017.07 [0x00sec] [Reflective DLL Injection](https://0x00sec.org/t/reflective-dll-injection/3080/)

***

## DLL Hijacking

### Tools

- [**441** stars][9m] [Pascal] [mojtabatajik/robber](https://github.com/mojtabatajik/robber) Finds executables susceptible to DLL hijacking
- [**327** stars][1y] [C++] [anhkgg/superdllhijack](https://github.com/anhkgg/superdllhijack) A generic DLL hijacking technique that no longer requires manually exporting the DLL's function interfaces

### Articles

- 2019.06 [4hou] [Dell's preinstalled SupportAssist component has a DLL hijacking vulnerability, putting over 100 million devices worldwide at risk of attack](https://www.4hou.com/vulnerable/18764.html)
- 2019.05 [4hou] [Extending the exploitation in "Lateral Movement — SCM and DLL Hijacking Primer"](https://www.4hou.com/technology/18008.html)
- 2019.04 [3gstudent] [Extending the exploitation in "Lateral Movement — SCM and DLL Hijacking Primer"](https://3gstudent.github.io/3gstudent.github.io/Lateral-Movement-SCM-and-DLL-Hijacking-Primer-%E7%9A%84%E5%88%A9%E7%94%A8%E6%89%A9%E5%B1%95/)
- 2019.04 [specterops] [Lateral Movement — SCM and Dll Hijacking Primer](https://medium.com/p/d2f61e8ab992)
- 2019.01 [sans] [DLL Hijacking Like a Boss!](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1493862085.pdf)
- 2018.11 [t00ls] [Research on a generic DLL hijacking technique](https://www.t00ls.net/articles-48756.html)
- 2018.11 [pediy] [[Original] Research on a generic DLL hijacking technique](https://bbs.pediy.com/thread-248050.htm)
- 2018.09 [DoktorCranium] [Understanding how DLL Hijacking works](https://www.youtube.com/watch?v=XADSrZEJdXY)
- 2018.09 [astr0baby] [Understanding how DLL Hijacking works](https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works/)
- 2018.08 [parsiya] [DVTA - Part 5 - Client-side Storage and DLL Hijacking](https://parsiya.net/blog/2018-08-25-dvta-part-5-client-side-storage-and-dll-hijacking/)
- 2018.08 [parsiya] [DVTA - Part 5 - Client-side Storage and DLL Hijacking](https://parsiya.net/blog/2018-08-25-dvta---part-5---client-side-storage-and-dll-hijacking/)
- 2018.06 [cybereason] [Attackers incriminate a signed Oracle process for DLL hijacking, running Mimikatz](https://www.cybereason.com/blog/oracle-mimikatz-dll-hijacking)
- 2018.05 [360] [An unconventional path: DLL hijacking via URL files](https://www.anquanke.com/post/id/145715/)
- 2018.05 [insert] [DLL hijacking via URL files](https://insert-script.blogspot.com/2018/05/dll-hijacking-via-url-files.html)
- 2017.10 [cybereason] [Siofra, a free tool built by Cybereason researcher, exposes DLL hijacking vulnerabilities in Windows programs](https://www.cybereason.com/blog/blog-siofra-free-tool-exposes-dll-hijacking-vulnerabilities-in-windows)
- 2017.08 [securiteam] [SSD Advisory – Dashlane DLL Hijacking](https://blogs.securiteam.com/index.php/archives/3357)
- 2017.05 [4hou] [7 DLL hijacking techniques on Windows](http://www.4hou.com/technology/4945.html)
- 2017.05 [pediy] [[Original] Making code play a piano piece (FreePiano helper) (global keyboard hook + DLL hijacking), with code](https://bbs.pediy.com/thread-217330.htm)
- 2017.03 [pentestlab] [DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)

***

## DLL Side-Loading

### Articles

- 2016.04 [hackingarticles] [Hack Remote Windows PC using Office OLE multiple DLL side loading vulnerabilities](http://www.hackingarticles.in/hack-remote-windows-pc-using-office-ole-multiple-dll-side-loading-vulnerabilities/)
- 2015.12 [securify] [DLL side loading vulnerability in VMware Host Guest Client Redirector](https://securify.nl/en/advisory/SFY20151201/dll-side-loading-vulnerability-in-vmware-host-guest-client-redirector.html)
- 2015.11 [securify] [MapsUpdateTask Task DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20151101/mapsupdatetask-task-dll-side-loading-vulnerability.html)
- 2015.11 [securify] [Shutdown UX DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20151102/shutdown-ux-dll-side-loading-vulnerability.html)
- 2015.09 [securify] [HP ToComMsg DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150902/hp-tocommsg-dll-side-loading-vulnerability.html)
- 2015.09 [securify] [BDA MPEG2 Transport Information Filter DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150906/bda-mpeg2-transport-information-filter-dll-side-loading-vulnerability.html)
- 2015.09 [securify] [NPS Datastore server DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150905/nps-datastore-server-dll-side-loading-vulnerability.html)
- 2015.09 [securify] [Windows Mail Find People DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150904/windows-mail-find-people-dll-side-loading-vulnerability.html)
- 2015.09 [securify] [HP LaserJet Fax Preview DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150903/hp-laserjet-fax-preview-dll-side-loading-vulnerability.html)
- 2015.09 [securify] [LEADTOOLS ActiveX control multiple DLL side loading vulnerabilities](https://securify.nl/en/advisory/SFY20150901/leadtools-activex-control-multiple-dll-side-loading-vulnerabilities.html)
- 2015.08 [securify] [COM+ Services DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150801/com_-services-dll-side-loading-vulnerability.html)
- 2015.08 [securify] [Microsoft Visio multiple DLL side loading vulnerabilities](https://securify.nl/en/advisory/SFY20150804/microsoft-visio-multiple-dll-side-loading-vulnerabilities.html)
- 2015.08 [securify] [OLE DB Provider for Oracle multiple DLL side loading vulnerabilities](https://securify.nl/en/advisory/SFY20150806/ole-db-provider-for-oracle-multiple-dll-side-loading-vulnerabilities.html)
- 2015.08 [securify] [Shockwave Flash Object DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150802/shockwave-flash-object-dll-side-loading-vulnerability.html)
- 2015.08 [securify] [Windows Authentication UI DLL side loading vulnerability](https://securify.nl/en/advisory/SFY20150803/windows-authentication-ui-dll-side-loading-vulnerability.html)
- 2015.08 [securify] [Event Viewer Snapin multiple DLL side loading vulnerabilities](https://securify.nl/en/advisory/SFY20150805/event-viewer-snapin-multiple-dll-side-loading-vulnerabilities.html)
- 2015.06 [securify] [Cisco AnyConnect elevation of privileges via DLL side loading](https://securify.nl/en/advisory/SFY20150601/cisco-anyconnect-elevation-of-privileges-via-dll-side-loading.html)
- 2010.08 [microsoft] [An update on the DLL-preloading remote attack vector](https://msrc-blog.microsoft.com/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector/)

# PE

***

## PE Parsing

### Tools

- [**904** stars][12d] [Py] [erocarrera/pefile](https://github.com/erocarrera/pefile) Tool for reading and parsing PE files, written in Python

Features:
- Inspecting headers
- Analysis of sections' data
- Retrieving embedded data
- Reading strings from the resources
- Warnings for suspicious and malformed values
- Support to write to some of the fields and to other parts of the PE, so it's possible to do some basic butchering of PEs
- Packer detection with PEiD's signatures
- PEiD signature generation

### Articles

- 2017.09 [] [Binary offsets, virtual addresses and pefile](https://5d4a.wordpress.com/2017/09/21/binary-offsets-virtual-addresses-and-pefile/)
- 2017.03 [] [67,000 cuts with python-pefile](https://0xec.blogspot.com/2017/03/67000-cuts-with-python-pefile.html)
- 2009.05 [pediy] [[Original] Rapid development for PE-format files with Python and the pefile library](https://bbs.pediy.com/thread-89838.htm)

***

## Tools

### Tools

- [**693** stars][15d] [C] [thewover/donut](https://github.com/thewover/donut) Generates position-independent shellcode (x86, x64, or AMD64 + x86) that loads .NET assemblies, PE files and other Windows payloads from memory and runs them with parameters
- Duplicate section: [.NET->Tools->Newly added](#6b8b4bf156e5f973cf0485d45a94f4c4)
- [**407** stars][2m] [Assembly] [hasherezade/pe_to_shellcode](https://github.com/hasherezade/pe_to_shellcode) Converts PE into a shellcode
- [**399** stars][5m] [Jupyter Notebook] [endgameinc/ember](https://github.com/endgameinc/ember) Dataset of 1.1 million PE files, usable for training related models. The PE file information mainly includes: SHA256 / histogram / byte entropy / strings / PE header info / section info / import table / export table
- [**372** stars][1y] [Assembly] [egebalci/amber](https://github.com/egebalci/amber) Reflective PE packer for bypassing security products and mitigations
- [**342** stars][7m] [C] [merces/pev](https://github.com/merces/pev) The PE file analysis toolkit
- [**328** stars][2m] [VBA] [itm4n/vba-runpe](https://github.com/itm4n/vba-runpe) A VBA implementation of the RunPE technique or how to bypass application whitelisting.
- [**327** stars][1m] [C++] [trailofbits/pe-parse](https://github.com/trailofbits/pe-parse) Principled, lightweight C/C++ PE parser
- [**318** stars][20d] [C++] [hasherezade/libpeconv](https://github.com/hasherezade/libpeconv) Library for mapping and unmapping PE files
- [**288** stars][9m] [Java] [katjahahn/portex](https://github.com/katjahahn/portex) Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness

***

## Articles

### Articles

- 2016.08 [3gstudent] [Steganography Techniques: Hiding a Payload in a PE File's Digital Certificate](https://3gstudent.github.io/3gstudent.github.io/%E9%9A%90%E5%86%99%E6%8A%80%E5%B7%A7-%E5%9C%A8PE%E6%96%87%E4%BB%B6%E7%9A%84%E6%95%B0%E5%AD%97%E8%AF%81%E4%B9%A6%E4%B8%AD%E9%9A%90%E8%97%8FPayload/)
- 2016.06 [pediy] [[Original] A Beginner's Reverse Engineering of the Cave Search Feature in PEiD 0.95](https://bbs.pediy.com/thread-211094.htm)
- 2016.06 [mzrst] [Professional PE Explorer – PPEE](https://www.mzrst.com/blog/2016/06/15/pe-explorer/)
- 2016.06 [pediy] [[Translation] The Digital Signature Format in Windows PE Files](https://bbs.pediy.com/thread-210709.htm)
- 2016.05 [sans] [CVE-2016-2208 Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation](https://isc.sans.edu/forums/diary/CVE20162208+Symantec+Antivirus+Engine+Malformed+PE+Header+Parser+Memory+Access+Violation/21069/)
- 2016.05 [freebuf] [Manalyze: A Static Analysis Tool for PE Files](http://www.freebuf.com/sectool/104378.html)
- 2016.04 [cyber] [Presenting PeNet: a native .NET library for analyzing PE Headers with PowerShell](https://cyber.wtf/2016/04/18/presenting-penet-a-native-net-library-for-analyzing-pe-headers-with-powershell/)
- 2016.02 [pediy] [[Original] Reversing 64-bit CreateProcess (Part 3): Parsing and Validation of the PE Format](https://bbs.pediy.com/thread-208101.htm)
- 2016.02 [360] [Capturing Executed Code (PE/DLL/Driver Malware) on Windows with Volatility or PE Capture](https://www.anquanke.com/post/id/83507/)
- 2015.12 [secureallthethings] [Add PE Code Signing to Backdoor Factory (BDF)](http://secureallthethings.blogspot.com/2015/12/add-pe-code-signing-to-backdoor-factory.html)
- 2015.12 [missmalware] [PE Import Analysis for Beginners and Lazy People](http://missmalware.com/2015/12/pe-import-analysis-for-beginners-and-lazy-people/)
- 2015.12 [pediy] [[Original] A C++ Class for Manipulating PE Files](https://bbs.pediy.com/thread-206304.htm)
- 2015.12 [pediy] [[Original] Adding a Section to a PE File with C++ Code](https://bbs.pediy.com/thread-206197.htm)
- 2015.11 [securityblog] [FileAlyzer – Analyze files – Read PE information](http://securityblog.gr/2963/filealyzer-analyze-files-read-pe-information/)
- 2015.11 [securityblog] [Read Portable Executable (PE) information](http://securityblog.gr/2960/read-portable-executable-pe-information/)
- 2015.11 [freebuf] [Reverse Engineering (Part 2): Understanding PE Files Through a Simple Example](http://www.freebuf.com/articles/system/86596.html)
- 2015.11 [pediy] [[Original][Open Source] A Minimal Version of the LordPE Framework Design](https://bbs.pediy.com/thread-206136.htm)
- 2015.11 [pediy] [[Original] Manually Examining PE Redirection](https://bbs.pediy.com/thread-206072.htm)
- 2015.11 [pediy] [[Original][Open Source] Parsing PE Files from a Win32 Console Program](https://bbs.pediy.com/thread-206060.htm)

# .NET

***

## Tools

### Newly Added

- [**9528** stars][19d] [C#] [icsharpcode/ilspy](https://github.com/icsharpcode/ilspy) .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!
- [**3824** stars][2m] [C#] [0xd4d/de4dot](https://github.com/0xd4d/de4dot) .NET deobfuscator and unpacker.
- [**3278** stars][9m] [JS] [sindresorhus/speed-test](https://github.com/sindresorhus/speed-test) Test your internet connection speed and ping using speedtest.net from the CLI
- [**2526** stars][1y] [C#] [yck1509/confuserex](https://github.com/yck1509/confuserex) An open-source, free protector for .NET applications
- [**1811** stars][1m] [C#] [sshnet/ssh.net](https://github.com/sshnet/ssh.net) SSH.NET is a Secure Shell (SSH) library for .NET, optimized for parallelism.
- [**1696** stars][19d] [C#] [jbevain/cecil](https://github.com/jbevain/cecil) C# library to inspect, modify, and generate .NET apps and libraries
- [**1535** stars][12d] [C#] [steamre/steamkit](https://github.com/steamre/steamkit) SteamKit2 is a .NET library designed to interoperate with Valve's Steam network. It aims to provide a simple, yet extensible, interface to perform various actions on the network.
- [**1415** stars][1y] [C++] [dotnet/llilc](https://github.com/dotnet/llilc) This repo contains LLILC, an LLVM based compiler for .NET Core. It includes a set of cross-platform .NET code generation tools that enables compilation of MSIL byte code to LLVM supported platforms.
- [**1147** stars][9d] [C#] [cobbr/covenant](https://github.com/cobbr/covenant) Covenant is a collaborative .NET C2 framework for red teamers.
- [**1135** stars][15d] [Boo] [byt3bl33d3r/silenttrinity](https://github.com/byt3bl33d3r/silenttrinity) An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
- [**923** stars][12d] [C#] [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net) Generates payloads that exploit unsafe .NET object deserialization
- [**818** stars][12d] [C#] [proxykit/proxykit](https://github.com/proxykit/proxykit) A toolkit to create code-first HTTP reverse proxies on ASP.NET Core
- [**788** stars][2m] [C#] [cobbr/sharpsploit](https://github.com/cobbr/sharpsploit) SharpSploit is a .NET post-exploitation library written in C#
- [**728** stars][3m] [C#] [obfuscar/obfuscar](https://github.com/obfuscar/obfuscar) Open source obfuscation tool for .NET assemblies
- [**693** stars][15d] [C] [thewover/donut](https://github.com/thewover/donut) Generates position-independent shellcode (x86, x64, or AMD64 + x86) that loads .NET assemblies, PE files, and other Windows payloads from memory and runs them with parameters
    - Also listed in: [PE->Tools->Tools](#c364a31b0a48b1a528f728def1d3ca05) |
- [**634** stars][12d] [HTML] [foxzilla/pxer](https://github.com/foxzilla/pxer) A Pixiv crawler anyone can use
- [**577** stars][10d] [C#] [dabutvin/imgbot](https://github.com/dabutvin/imgbot) An Azure Function solution to crawl through all of your image files in GitHub and losslessly compress them. This will make the file size go down, but leave the dimensions and quality untouched. Once it's done, ImgBot will open a pull request for you to review and merge.
- [**546** stars][24d] [C#] [crosire/scripthookvdotnet](https://github.com/crosire/scripthookvdotnet) An ASI plugin for Grand Theft Auto V, which allows running scripts written in any .NET language in-game.
- [**536** stars][11d] [Go] [timothyye/godns](https://github.com/timothyye/godns) A dynamic DNS client tool, supports AliDNS, Cloudflare, Google Domains, DNSPod, HE.net & DuckDNS, written in Go.
- [**494** stars][28d] [C#] [paulbartrum/jurassic](https://github.com/paulbartrum/jurassic) A .NET library to parse and execute JavaScript code.
- [**493** stars][1m] [C#] [chmorgan/sharppcap](https://github.com/chmorgan/sharppcap) Cross-platform (Windows, Mac, Linux) packet capture library, written in .NET
- [**486** stars][28d] [C#] [tyranid/oleviewdotnet](https://github.com/tyranid/oleviewdotnet) OLE/COM viewer and inspection tool, written in .NET
- [**424** stars][7m] [Java] [nccgroup/freddy](https://github.com/nccgroup/freddy) Automatically identifies deserialization vulnerabilities in Java/.NET applications
- [**386** stars][14d] [C#] [addictedcs/soundfingerprinting](https://github.com/addictedcs/soundfingerprinting) Audio fingerprinting in .NET. An efficient sound fingerprinting algorithm written entirely in C#.
- [**385** stars][19d] [C#] [3f/dllexport](https://github.com/3f/dllexport) .NET DllExport
    - Also listed in: [DLL->Newly Added->Tools](#9753a9d52e19c69dc119bf03e9d7c3d2) |
- [**383** stars][2m] [C#] [security-code-scan/security-code-scan](https://github.com/security-code-scan/security-code-scan) Vulnerability Patterns Detector for C# and VB.NET
- [**373** stars][9d] [C#] [sonarsource/sonar-dotnet](https://github.com/sonarsource/sonar-dotnet) Static code analyzer for C# and VB.NET, used as an extension for the SonarQube and SonarCloud platforms.
- [**366** stars][10m] [JS] [nikolayit/openjudgesystem](https://github.com/nikolayit/openjudgesystem) An open source system for online algorithm competitions for Windows, written in ASP.NET MVC
- [**357** stars][10d] [C#] [tmoonlight/nsmartproxy](https://github.com/tmoonlight/nsmartproxy) Intranet tunneling (NAT traversal) tool, built on .NET Core's fully asynchronous model
- [**334** stars][10d] [Java] [wiglenet/wigle-wifi-wardriving](https://github.com/wiglenet/wigle-wifi-wardriving) Nethugging client for Android, from wigle.net
- [**320** stars][1m] [C#] [azuread/azure-activedirectory-library-for-dotnet](https://github.com/azuread/azure-activedirectory-library-for-dotnet) ADAL authentication libraries for .net
- [**316** stars][10d] [C#] [dahall/vanara](https://github.com/dahall/vanara) A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.

### dnspy

- [**13163** stars][24d] [C#] [0xd4d/dnspy](https://github.com/0xd4d/dnspy) .NET debugger and assembly editor

***

## Articles

- 2011.11 [pcsxcetrasupport3] [Converting VB Script To VB.Net](https://pcsxcetrasupport3.wordpress.com/2011/11/12/converting-vb-script-to-vb-net/)
- 2011.10 [pediy] [[Original] A Newbie Cracks IphoneBackupextractor V3.08 (.NET)](https://bbs.pediy.com/thread-141900.htm)
- 2011.06 [pediy] [[Original][.net] Fixing the Broken 115 Netdisk URL Parsing Tool](https://bbs.pediy.com/thread-136059.htm)
- 2011.02 [pediy] [[Original] A Newly Discovered Simple and Effective Method for Cracking .NET Programs (Defeats Hidden-IL-Level Protection)](https://bbs.pediy.com/thread-129272.htm)
- 2010.12 [lowleveldesign] [Writing a .net debugger (part 4) – breakpoints](https://lowleveldesign.org/2010/12/01/writing-a-net-debugger-part-4-breakpoints/)
- 2010.11 [pelock] [.netshrink v2.0](https://www.pelock.com/blog/2010/11/30/netshrink-v2-0/)
- 2010.11 [lowleveldesign] [Writing a .net debugger (part 3) – symbol and source files](https://lowleveldesign.org/2010/11/08/writing-a-net-debugger-part-3-symbol-and-source-files/)
- 2010.11 [sans] [DNSSEC Progress for .com and .net](https://isc.sans.edu/forums/diary/DNSSEC+Progress+for+com+and+net/9883/)
- 2010.10 [lowleveldesign] [Writing a .net debugger (part 2) – handling events and creating wrappers](https://lowleveldesign.org/2010/10/22/writing-a-net-debugger-part-2-handling-events-and-creating-wrappers/)
- 2010.10 [lowleveldesign] [Writing a .net debugger (part 1) – starting the debugging session](https://lowleveldesign.org/2010/10/11/writing-a-net-debugger-part-1-starting-the-debugging-session/)
- 2010.05 [pediy] [[Original] Dumping .NET In-Memory Assemblies (ProFile Edition)](https://bbs.pediy.com/thread-113697.htm)
- 2010.01 [pediy] [[Original] .NET Reverse Engineering Study Notes Series [Updated 2.24: .NET Reverse Engineering Study Notes 002(1)]](https://bbs.pediy.com/thread-104845.htm)
- 2008.06 [pediy] [[Original] Requesting Featured Status! Bypassing .NET 2.0 Strong-Name Verification to Solve the Problem of Mixed-Mode Code That Cannot Be Decompiled](https://bbs.pediy.com/thread-66392.htm)
- 2007.12 [pediy] [[Translation] Win32asm tutorial (Asm.yeah.net)](https://bbs.pediy.com/thread-55784.htm)
- 2007.10 [pediy] [[Translation] Protection and Reverse Engineering Under .NET](https://bbs.pediy.com/thread-52738.htm)
- 2007.07 [pediy] [[Original] .NET 2.0 Universal Reflection Unpacker, Full Version](https://bbs.pediy.com/thread-47729.htm)
- 2007.07 [pediy] [[Original] .NET Reflection Unpacker Core Source Code](https://bbs.pediy.com/thread-47330.htm)
- 2007.05 [pediy] [[Original] .net jokeme 2](https://bbs.pediy.com/thread-44933.htm)
- 2007.04 [pediy] [BSPR .NET 1.1 Protector, Internal Test](https://bbs.pediy.com/thread-42077.htm)
- 2007.03 [pediy] [[Original] .net joke me](https://bbs.pediy.com/thread-41424.htm)

# Login and Authentication

***

## Mimikatz

### Tools

- [**9161** stars][11d] [C] [gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz) A little tool to play with Windows security
- [**802** stars][10d] [Py] [skelsec/pypykatz](https://github.com/skelsec/pypykatz) Mimikatz implemented in pure Python
- [**264** stars][6m] [C] [portcullislabs/linikatz](https://github.com/portcullislabs/linikatz) Mimikatz for UNIX
- [**210** stars][2m] [C#] [ghostpack/sharpdpapi](https://github.com/ghostpack/sharpdpapi) SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.

### Articles

- 2020.01 [matterpreter] [Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver](https://posts.specterops.io/mimidrv-in-depth-4d273d19e148)
- 2019.12 [LoiLiangYang] [Access Windows 10 Password with Empire and Mimikatz (Cybersecurity)](https://www.youtube.com/watch?v=saF9epFwzPE)
- 2019.12 [specterops] [Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver](https://medium.com/p/4d273d19e148)
- 2019.11 [sentinelone] [What is Mimikatz? (And Why Is It So Dangerous?)](https://www.sentinelone.com/blog/what-is-mimikatz-and-why-is-it-so-dangerous/)
- 2019.10 [securestate] [No More Mimikatz](https://warroom.rsmus.com/no-more-mimikatz/)
- 2019.07 [4hou] [Exploring Mimikatz: SSP](https://www.4hou.com/system/18912.html)
- 2019.07 [markmotig] [NetKatz, Mimikatz to Hex and Defender groans but shrugs](https://medium.com/p/157fe8d67bdf)
- 2019.07 [4hou] [Exploring Mimikatz: WDigest](https://www.4hou.com/system/18874.html)
- 2019.06 [4hou] [Using SSP in Mimikatz](https://www.4hou.com/technology/18813.html)
- 2019.06 [4hou] [The Implementation of sekurlsa::wdigest in Mimikatz](https://www.4hou.com/technology/18811.html)
- 2019.06 [HackerSploit] [PowerShell Empire Complete Tutorial For Beginners - Mimikatz & Privilege Escalation](https://www.youtube.com/watch?v=52xkWbDMUUM)
- 2019.06 [vulnerablelife] [Defending Windows Domain Against Mimikatz Attacks](https://vulnerablelife.wordpress.com/2019/06/15/defending-windows-domain-against-mimikatz-attacks/)
- 2019.06 [360] [In-Depth Analysis of Mimikatz: WDigest](https://www.anquanke.com/post/id/180126/)
- 2019.06 [3gstudent] [Using SSP in Mimikatz](https://3gstudent.github.io/3gstudent.github.io/Mimikatz%E4%B8%ADSSP%E7%9A%84%E4%BD%BF%E7%94%A8/)
- 2019.06 [360] [In-Depth Analysis of Mimikatz: SSP](https://www.anquanke.com/post/id/180001/)
- 2019.06 [xpnsec] [Exploring Mimikatz - Part 2 - SSP](https://blog.xpnsec.com/exploring-mimikatz-part-2/)
- 2019.06 [3gstudent] [The Implementation of sekurlsa::wdigest in Mimikatz](https://3gstudent.github.io/3gstudent.github.io/Mimikatz%E4%B8%ADsekurlsa-wdigest%E7%9A%84%E5%AE%9E%E7%8E%B0/)
- 2019.05 [malcomvetter] [Choose Your Own Red Team Adventure: Mimikatz](https://medium.com/p/58b4d7b856c9)
- 2019.05 [xpnsec] [Exploring Mimikatz - Part 1 - WDigest](https://blog.xpnsec.com/exploring-mimikatz-part-1/)
- 2019.04 [crowdstrike] [Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”](https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/)

***

## NTLM

### Tools

- [**3097** stars][5m] [Py] [spiderlabs/responder](https://github.com/spiderlabs/responder) LLMNR/NBT-NS/MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP authentication servers, supporting NTLMv1/NTLMv2/LMv2
- [**1887** stars][1m] [Py] [lgandx/responder](https://github.com/lgandx/responder) LLMNR, NBT-NS, and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers, supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP, and basic HTTP authentication
- [**781** stars][1m] [Py] [lgandx/pcredz](https://github.com/lgandx/pcredz) This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
- [**744** stars][1y] [C#] [eladshamir/internal-monologue](https://github.com/eladshamir/internal-monologue) Retrieves NTLM hashes without touching LSASS
- [**676** stars][1y] [Py] [deepzec/bad-pdf](https://github.com/deepzec/bad-pdf) create malicious PDF file to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines
- [**256** stars][2m] [Py] [evilmog/ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi) Converts NTLMv1/NTLMv1-ESS/MSCHAPv1 hashes so they can be cracked in hashcat with DES mode 14000
- [**252** stars][14d] [PS] [notmedic/netntlmtosilverticket](https://github.com/notmedic/netntlmtosilverticket) SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket
- [**250** stars][11d] [Ruby] [urbanesec/zackattack](https://github.com/urbanesec/ZackAttack) Unveiled at DEF CON 20, NTLM Relaying to ALL THE THINGS!

### Articles

- 2019.11 [4hou] [Several Unconventional NTLM Relay Attack Techniques](https://www.4hou.com/system/21543.html)
- 2019.10 [4hou] [Two NTLM Attack Examples](https://www.4hou.com/info/news/21163.html)
- 2019.09 [pentestlab] [Microsoft Exchange – NTLM Relay](https://pentestlab.blog/2019/09/09/microsoft-exchange-ntlm-relay/)
- 2019.08 [vulnerability0lab] [Windows 10 Net NTLMv2 Credentials Steal with Excel](https://www.youtube.com/watch?v=z5Ki2G579-Y)
- 2019.06 [freebuf] [Analysis of CVE-2019-1040, the Windows NTLM Tampering Vulnerability](https://www.freebuf.com/vuls/206169.html)
- 2019.06 [technicalsyn] [Eternalrelayx.py — Non-Admin NTLM Relaying & ETERNALBLUE Exploitation](https://medium.com/p/dab9e2b97337)
- 2019.06 [tencent] [Windows NTLM Authentication Vulnerability (CVE-2019-1040) Alert](https://s.tencent.com/research/bsafe/738.html)
- 2019.06 [4hou] [Major Vulnerability Exposed in Microsoft's NTLM Protocol; Existing Security Protections Are Ineffective!](https://www.4hou.com/vulnerable/18512.html)
- 2019.06 [preempt] [Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise](https://blog.preempt.com/security-advisory-critical-vulnerabilities-in-ntlm)
- 2019.03 [nsfocus] [[M01N] Combining Resource-Based Constrained Delegation and NTLM Relaying to Take Over SYSTEM Privileges on Any Host in the Domain](http://blog.nsfocus.net/combination-resource-constrained-delegation-ntlm-relaying-takes-privileges-host-system-domain/)
- 2019.03 [4hou] [Combining NTLM Relay and Kerberos Delegation for Privilege Escalation on Domain Member Machines](https://www.4hou.com/technology/16626.html)
- 2019.03 [venus] [Compromising the Domain Controller with an Exchange SSRF Vulnerability and NTLM Relay](https://paper.seebug.org/833/)
- 2019.03 [knownsec] [Compromising the Domain Controller with an Exchange SSRF Vulnerability and NTLM Relay](http://blog.knownsec.com/2019/03/%e5%88%a9%e7%94%a8-exchange-ssrf-%e6%bc%8f%e6%b4%9e%e5%92%8c-ntlm-%e4%b8%ad%e7%bb%a7%e6%b2%a6%e9%99%b7%e5%9f%9f%e6%8e%a7/)
- 2019.01 [sans] [Relaying Exchange's NTLM authentication to domain admin (and more)](https://isc.sans.edu/forums/diary/Relaying+Exchanges+NTLM+authentication+to+domain+admin+and+more/24578/)
- 2019.01 [ironcastle] [CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks](https://www.ironcastle.net/certcc-reports-microsoft-exchange-2013-and-newer-are-vulnerable-to-ntlm-relay-attacks/)
- 2019.01 [evi1cg] [Remote NTLM relaying through CS](https://evi1cg.me/archives/Remote_NTLM_relaying_through_CS.html)
- 2019.01 [freebuf] [Obtaining and Exploiting NTLMv2 Hashes with Responder in a Windows Environment](https://www.freebuf.com/articles/system/194549.html)
- 2019.01 [4hou] [Stealing NTLMv2 Hashes via File Download Vulnerabilities in Web Applications](http://www.4hou.com/system/15391.html)
- 2018.12 [hitbsecconf] [#HITB2018DXB D2T2: NTLM Relay Is Dead, Long Live NTLM Relay - Jianing Wang and Junyu Zhou](https://www.youtube.com/watch?v=gyR3RQEpfxU)
- 2018.12 [ZeroNights] [Jianing Wang, Junyu Zhou - Ntlm Relay Reloaded: Attack methods you do not know](https://www.youtube.com/watch?v=BrSS_0a0vzQ)

***

## Kerberos

### Tools

- [**728** stars][19d] [C#] [ghostpack/rubeus](https://github.com/ghostpack/rubeus) Raw Kerberos interaction and abuse, written in C#
- [**617** stars][3m] [C] [gentilkiwi/kekeo](https://github.com/gentilkiwi/kekeo) A toolbox for playing with Windows Kerberos
- [**593** stars][7m] [Py] [nidem/kerberoast](https://github.com/nidem/kerberoast) A collection of tools for attacking MS Kerberos implementations
- [**376** stars][12d] [Go] [jcmturner/gokrb5](https://github.com/jcmturner/gokrb5) Pure Go Kerberos library for clients and services
- [**354** stars][2m] [Go] [ropnop/kerbrute](https://github.com/ropnop/kerbrute) A tool to perform Kerberos pre-auth bruteforcing
- [**236** stars][27d] [Py] [dirkjanm/krbrelayx](https://github.com/dirkjanm/krbrelayx) Kerberos unconstrained delegation abuse toolkit

### Articles

- 2020.02 [aliyun] [Domain Penetration: Kerberos Delegation Attacks](https://xz.aliyun.com/t/7217)
- 2020.01 [stealthbits] [What is Kerberos Delegation? An Overview of Kerberos Delegation](https://blog.stealthbits.com/what-is-kerberos-delegation-an-overview-of-kerberos-delegation/)
- 2020.01 [3gstudent] [Penetration Techniques: User Enumeration and Password Brute-Forcing via Kerberos Pre-Auth](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%80%9A%E8%BF%87Kerberos-pre-auth%E8%BF%9B%E8%A1%8C%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E5%92%8C%E5%8F%A3%E4%BB%A4%E7%88%86%E7%A0%B4/)
- 2019.10 [4hou] [Kerberos Relay Attacks: Abusing Unconstrained Delegation (Part 2)](https://www.4hou.com/web/19303.html)
- 2019.09 [4hou] [Kerberos Relay Attacks: Abusing Unconstrained Delegation (Part 1)](https://www.4hou.com/web/19302.html)
- 2019.07 [4hou] [Kerberos Delegation Attack Principles: A Detailed Explanation of S4U2 Exploitation](https://www.4hou.com/system/18825.html)
- 2019.06 [stealthbits] [What is the Kerberos PAC?](https://blog.stealthbits.com/what-is-the-kerberos-pac/)
- 2019.05 [andreafortuna] [Some thoughts about Kerberos Golden Tickets](https://www.andreafortuna.org/2019/05/29/some-thoughts-about-kerberos-silver-tickets/)
- 2019.05 [improsec] [The mind-blowing Kerberos "Use Any Authentication Protocol" Delegation](https://improsec.com/tech-blog/the-mind-blowing-kerberos-use-any-authentication-protocol-delegation)
- 2019.05 [aliyun] [Kerberos Security](https://xz.aliyun.com/t/5004)
- 2019.03 [freebuf] [Kerberos Protocol Exploration Series: Delegation](https://www.freebuf.com/articles/system/198381.html)
- 2019.03 [tarlogic] [Kerberos (I): How does Kerberos work? – Theory](https://www.tarlogic.com/en/blog/how-kerberos-works/)
- 2019.03 [360] [Kerberos Protocol Exploration Series: Delegation](https://www.anquanke.com/post/id/173477/)
- 2019.03 [ironcastle] [Special Webcast: Purple Kerberos: Current attack strategies & defenses – March 11, 2019 1:00pm US/Eastern](https://www.ironcastle.net/special-webcast-purple-kerberos-current-attack-strategies-defenses-march-11-2019-100pm-us-eastern/)
- 2019.03 [freebuf] [Kerberos Protocol Exploration Series: Tickets](https://www.freebuf.com/articles/system/197160.html)
- 2019.03 [360] [Kerberos Protocol Exploration Series: Tickets](https://www.anquanke.com/post/id/172900/)
- 2019.03 [freebuf] [Kerberos Protocol Exploration Series: Scanning and Brute-Forcing](https://www.freebuf.com/articles/system/196434.html)
- 2019.02 [360] [Kerberos Protocol Exploration Series: Scanning and Brute-Forcing](https://www.anquanke.com/post/id/171552/)
- 2019.01 [f5] [Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos](https://devcentral.f5.com/articles/troubleshooting-kerberos-constrained-delegation-strong-encryption-types-allowed-for-kerberos-33250)
- 2019.01 [sans] [Attacking Kerberos](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1493862736.pdf)

***

## Pass-The-Hash

### Tools

### Articles

- 2020.01 [aliyun] [In-Depth Study of Pass-the-Hash Attacks and Defenses](https://xz.aliyun.com/t/7051)
- 2019.08 [infosecinstitute] [MITRE ATT&CK vulnerability spotlight: Pass-the-hash](https://resources.infosecinstitute.com/mitre-attck-spotlight-pass-the-hash/)
- 2019.04 [4hou] [Advanced Domain Penetration: Pass-the-Hash Is Dead, Long Live LocalAccountTokenFilterPolicy](https://www.4hou.com/technology/17668.html)
- 2019.03 [freebuf] [How to Detect Pass-the-Hash Attacks?](https://www.freebuf.com/articles/system/197660.html)
- 2019.03 [tevora] [About Windows Process/Thread Tokens and Pass The Hash](https://threat.tevora.com/windows-process-and-thread-tokens-primer/)
- 2019.02 [stealthbits] [How to Detect Overpass-the-Hash Attacks](https://blog.stealthbits.com/how-to-detect-overpass-the-hash-attacks/)
- 2019.02 [swordshield] [Phantom Users: Deception and Pass the Hash Attacks](https://www.swordshield.com/blog/phantom-users-deception-and-pass-the-hash-attacks/)
- 2019.02 [swordshield] [Phantom Users: Deception and Pass the Hash Attacks](https://www.swordshield.com/blog/deception-and-pass-the-hash/)
- 2019.02 [stealthbits] [How to Detect Pass-the-Hash Attacks](https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/)
- 2018.08 [stealthbits] [Deploying Pass-the-Hash Honeypots](https://blog.stealthbits.com/deploying-pass-the-hash-honeypots/)
- 2018.07 [stealthbits] [Detecting Pass-the-Hash Attacks with Honeypots](https://blog.stealthbits.com/detecting-pass-the-hash-honeypots/)
- 2018.05 [3gstudent] [Penetration Techniques: Pass the Hash with Remote Desktop](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Pass-the-Hash-with-Remote-Desktop/)
- 2018.02 [4hou] [How to Detect Pass-the-Hash with the Windows Event Viewer](http://www.4hou.com/system/10273.html)
- 2017.12 [3gstudent] [Domain Penetration: Implementing Pass The Hash](https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-Pass-The-Hash%E7%9A%84%E5%AE%9E%E7%8E%B0/)
- 2017.12 [aliyun] [Domain Penetration: Implementing Pass The Hash](https://xz.aliyun.com/t/1802)
- 2017.08 [labofapenetrationtester] [Week of Evading Microsoft ATA - Day 2 - Overpass-the-hash and Golden Ticket](http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day2.html)
- 2017.06 [decoder] [From Pass-the-Hash to Pass-the-Ticket with no pain](https://decoder.cloud/2017/06/30/from-pass-the-hash-to-pass-the-ticket-with-no-pain/)
- 2017.06 [wikidsystems] [Defeating pass-the-hash attacks with two-factor authentication](https://www.wikidsystems.com/blog/defeating-pass-the-hash-attacks-with-two-factor-authentication/)

***

## Pass-The-Ticket

### Articles

- 2019.02 [stealthbits] [How to Detect Pass-the-Ticket Attacks](https://blog.stealthbits.com/detect-pass-the-ticket-attacks)
- 2017.05 [4hou] [How to Perform a Windows Pass-the-Ticket Attack Through an SSH Tunnel?](http://www.4hou.com/technology/4974.html)
- 2017.05 [bluescreenofjeff] [How to Use SSH Tunnels for Domain Penetration (Pass the Ticket)](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)

***

## winlogon.exe

### Tools

### Articles

- 2020.01 [pentestlab] [Persistence – Winlogon Helper DLL](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/)
- 2019.09 [specterops] [Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe](https://medium.com/p/80696c8a73b)
- 2016.11 [hexacorn] [The Archaeologologogology #2 – the romantic view as seen through the winlogon.exe’s window…](http://www.hexacorn.com/blog/2016/11/27/the-archaeologologogology-2-the-romantic-view-as-seen-through-the-winlogon-exes-window/)
- 2016.05 [malwarebytes] [Tech support scammers using Winlogon](https://blog.malwarebytes.com/cybercrime/2016/05/tech-support-scammers-using-winlogon/)
- 2010.11 [redplait] [winlogon.exe RPC interfaces](http://redplait.blogspot.com/2010/11/winlogonexe-rpc-interfaces.html)
- 2009.05 [pediy] [[Recommended] Injecting into winlogon.exe in Assembly to Block Ctrl+Alt+Del, with lib Library, Source Code, and Examples](https://bbs.pediy.com/thread-87864.htm)

***

## LLMNR

### Tools

- [**1072** stars][6m] [PS] [kevin-robertson/inveigh](https://github.com/kevin-robertson/inveigh) Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
- [**258** stars][6m] [C#] [kevin-robertson/inveighzero](https://github.com/kevin-robertson/inveighzero) Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool

### Articles

- 2019.08 [bugbountywriteup] [LLMNR Poisoning and WPAD Spoofing](https://medium.com/p/69bfd8d8c504)
- 2019.04 [blackhillsinfosec] [An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit](https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/)
- 2018.12 [4hou] [Internal Network Penetration Techniques: ADIDNS Spoofing Attacks Beyond LLMNR/NBNS Spoofing](http://www.4hou.com/penetration/15309.html)
- 2018.07 [netspi] [Beyond LLMNR/NBNS Spoofing: Exploiting Active Directory-Integrated DNS](https://blog.netspi.com/exploiting-adidns/)
- 2018.06 [blackhillsinfosec] [How to Disable LLMNR & Why You Want To](https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/)
- 2018.05 [freebuf] [Obtaining PC Hashes Using LLMNR Combined with PDF Files](http://www.freebuf.com/articles/network/171634.html)
- 2017.11 [aliyun] [Exploiting LLMNR Name Resolution Flaws to Hijack a Specific Internal Host's Session](https://xz.aliyun.com/t/1679)
- 2017.04 [n0where] [Windows PowerShell LLMNR/NBNS spoofer: Inveigh](https://n0where.net/windows-powershell-llmnrnbns-spoofer-inveigh)
- 2017.03 [n0where] [LLMNR NBT-NS MDNS Poisoner: Responder](https://n0where.net/llmnr-nbt-ns-mdns-poisoner-responder)
- 2017.02 [360] [LLMNR/NBT-NS Spoofing Attacks in Penetration Testing](https://www.anquanke.com/post/id/85503/)
- 2017.01 [polaris] [An Introduction to LLMNR & WPAD and Their Use in Penetration Testing](http://polaris-lab.com/index.php/archives/139/)
- 2016.12 [pentest] [What is LLMNR & WPAD and How to Abuse Them During Pentest ?](https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/)
- 2016.11 [n0where] [LLMNR, NBT-NS and MDNS Responder for Windows](https://n0where.net/llmnr-nbt-ns-and-mdns-responder-for-windows)
- 2016.06 [] [LLMNR and NBT-NS Poisoning Using Responder](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
- 2016.03 [360] [Inveigh: A Windows PowerShell LLMNR/NBNS Spoofing/Man-in-the-Middle Tool](https://www.anquanke.com/post/id/83671/)
- 2016.02 [securityblog] [LLMNR NBT-NS and MDNS poisoner](http://securityblog.gr/3249/llmnr-nbt-ns-and-mdns-poisoner/)
- 2015.12 [toolswatch] [Inveigh Beta Windows PowerShell LLMNR/NBNS Spoofer](http://www.toolswatch.org/2015/12/inveigh-beta-windows-powershell-llmnrnbns-spoofer/)
- 2015.09 [gracefulsecurity] [Stealing Accounts: LLMNR and NBT-NS Spoofing](https://www.gracefulsecurity.com/stealing-accounts-llmnr-and-nbt-ns-poisoning/)

***

## NetBIOS

### Tools

### Articles

- 2019.01 [infosecaddicts] [Enumerating NetBIOS services](https://infosecaddicts.com/enumerating-netbios-services/)
- 2018.10 [HackerSploit] [NetBIOS And SMB Enumeration - Nbtstat & smbclient](https://www.youtube.com/watch?v=sXqT95eIAjo)
- 2017.09 [hackingarticles] [NetBIOS and SMB Penetration Testing on Windows](http://www.hackingarticles.in/netbios-and-smb-penetration-testing-on-windows/)
- 2016.09 [rapid7] [Sonar NetBIOS Name Service Study](https://blog.rapid7.com/2016/09/06/sonar-netbios-name-service-study/)
- 2015.10 [akamai] [NetBIOS, RPC Portmap and Sentinel Reflection DDoS Attacks](https://blogs.akamai.com/2015/10/netbios-rpc-portmap-and-sentinel-reflection-ddos-attacks.html)
- 2015.09 [darknet] [Remote Network Penetration via NetBios Hack/Hacking](https://www.darknet.org.uk/2006/09/remote-network-penetration-via-netbios-hackhacking/)
- 2015.08 [agrrrdog] [NetBIOS spoofing for attacks on browser](http://agrrrdog.blogspot.com/2015/08/netbios-spoofing-for-attacks-on-browser.html)
- 2014.08 [sans] [All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon](https://isc.sans.edu/forums/diary/All+Samba+4xx+are+vulnerable+to+a+remote+code+execution+vulnerability+in+the+nmbd+NetBIOS+name+services+daemon/18471/)
- 2013.04 [securityblog] [Disable NetBIOS NULL Sessions](http://securityblog.gr/1841/disable-netbios-null-sessions/)
- 2012.08 [pentestlab] [Scanning NetBIOS](https://pentestlab.blog/2012/08/19/scanning-netbios/)
- 2012.08 [freebuf] [Penetrating Internal Networks with NetBIOS Spoofing](http://www.freebuf.com/articles/5238.html)
- 2012.05 [sans] [Windows Firewall Bypass Vulnerability and NetBIOS NS](https://isc.sans.edu/forums/diary/Windows+Firewall+Bypass+Vulnerability+and+NetBIOS+NS/13156/)
- 2012.04 [securityblog] [NetBIOS name enumeration](http://securityblog.gr/656/netbios-name-enumeration/)
- 2012.01 [sans] [Is it time to get rid of NetBIOS?](https://isc.sans.edu/forums/diary/Is+it+time+to+get+rid+of+NetBIOS/12454/)
- 2011.02 [toolswatch] [Netbios Share Scanner updated to v0.3](http://www.toolswatch.org/2011/02/netbios-share-scanner-updated-to-v0-3/)
- 2011.01 [toolswatch] [Netbios Share Scanner v0.2 released](http://www.toolswatch.org/2011/01/netbios-share-scanner-v0-2-released/)
- 2008.08 [skullsecurity] [nbtool 0.02 released! (also, a primer on NetBIOS)](https://blog.skullsecurity.org/2008/nbtool-002-released-also-a-primer-on-netbios)

***

## Other

### Tools

# Security Protection

***

## UAC

### Tools

- [**2500** stars][2m] [C] [hfiref0x/uacme](https://github.com/hfiref0x/uacme) Defeating Windows User Account Control
- [**2458** stars][9d] [PS] [k8gege/k8tools](https://github.com/k8gege/k8tools) K8 tool collection (internal network penetration / privilege escalation tools / remote overflow / vulnerability exploitation / scanners / password cracking / AV evasion tools / Exploit/APT/0day/Shellcode/Payload/priviledge/BypassUAC/OverFlow/WebShell/PenTest) Web GetShell Exploit (Struts2/Zimbra/Weblogic/Tomcat/Apache/Jboss/DotNetNuke/zabbix)
- [**1859** stars][17d] [JS] [coreybutler/node-windows](https://github.com/coreybutler/node-windows) Windows support for Node.JS scripts (daemons, eventlog, UAC, etc).
- [**1742** stars][1m] [Py] [rootm0s/winpwnage](https://github.com/rootm0s/winpwnage) UAC bypass, Elevate, Persistence and Execution methods

### Articles

- 2020.01 [morphisec] [Trickbot Trojan Leveraging a New Windows 10 UAC Bypass](https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass)
- 2019.11 [4hou] [CVE-2019-1388: Windows UAC Privilege Escalation Vulnerability](https://www.4hou.com/info/news/21710.html)
- 2019.10 [freebuf] [A First Look at UAC Bypass](https://www.freebuf.com/articles/system/216337.html)
- 2019.09 [4sysops] [Security options in Windows Server 2016: Accounts and UAC](https://4sysops.com/archives/security-options-in-windows-server-2016-accounts-and-uac/)
- 2019.09 [heynowyouseeme] [windows 10 GUI UAC bypass ( netplwiz.exe )](https://heynowyouseeme.blogspot.com/2019/09/windows-10-gui-uac-bypass-netplwizexe.html)
- 2019.08 [heynowyouseeme] [Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe)](https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html)
- 2019.08 [freebuf] [SneakyEXE: An Embedded UAC Bypass Tool](https://www.freebuf.com/sectool/209097.html)
- 2019.04 [markmotig] [Brute Forcing Admin Passwords with UAC](https://medium.com/p/e711c551ad7e)
- 2019.03 [4hou] [Analysis of Bypassing UAC by Mimicking Trusted Directories](https://www.4hou.com/technology/16713.html)
- 2019.03 [aliyun] [How to Abuse Access Tokens with UIAccess to Bypass UAC](https://xz.aliyun.com/t/4126)
- 2019.02 [3gstudent] [Analysis of Bypassing UAC by Mimicking Trusted Directories](https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87%E6%A8%A1%E6%8B%9F%E5%8F%AF%E4%BF%A1%E7%9B%AE%E5%BD%95%E7%BB%95%E8%BF%87UAC%E7%9A%84%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90/)
- 2019.02 [sans] [UAC is not all that bad really](https://isc.sans.edu/forums/diary/UAC+is+not+all+that+bad+really/24620/)
- 2019.01 [fuzzysecurity] [Anatomy of UAC Attacks](http://fuzzysecurity.com/tutorials/27.html)
- 2019.01 [sevagas] [Yet another sdclt UAC bypass](https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
- 2018.11 [4hou] [5 Ways to Bypass UAC with Metasploit](http://www.4hou.com/system/13707.html)
- 2018.11 [tenable] [UAC Bypass by Mocking Trusted Directories](https://medium.com/p/24a96675f6e)
- 2018.10 [0x000x00] [How to bypass UAC in newer Windows versions](https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html)
- 2018.10 [tyranidslair] [Farewell to the Token Stealing UAC Bypass](https://tyranidslair.blogspot.com/2018/10/farewell-to-token-stealing-uac-bypass.html)
- 2018.10 [tyranidslair] [Farewell to the Token Stealing UAC Bypass](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)

***

## AppLocker

### Tools

- [**947**星][23d] [PS] [api0cradle/ultimateapplockerbypasslist](https://github.com/api0cradle/ultimateapplockerbypasslist) The goal of this repository is to document the most common techniques to bypass AppLocker.

### Articles

- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 4 - Blocking DLL Loading](https://tyranidslair.blogspot.com/2019/11/the-internals-of-applocker-part-4.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 4 - Blocking DLL Loading](https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-4.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 3 - Access Tokens and Access Checking](https://tyranidslair.blogspot.com/2019/11/the-internals-of-applocker-part-3.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 3 - Access Tokens and Access Checking](https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-3.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 2 - Blocking Process Creation](https://tyranidslair.blogspot.com/2019/11/the-internals-of-applocker-part-2.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 2 - Blocking Process Creation](https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-2.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 1 - Overview and Setup](https://tyranidslair.blogspot.com/2019/11/the-internals-of-applocker-part-1.html)
- 2019.11 [tyranidslair] [The Internals of AppLocker - Part 1 - Overview and Setup](https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-1.html)
- 2019.09 [blackhillsinfosec] [Getting Started With AppLocker](https://www.blackhillsinfosec.com/getting-started-with-applocker/)
- 2019.08 [p0w3rsh3ll] [How to delete a single Applocker rule](https://p0w3rsh3ll.wordpress.com/2019/08/02/how-to-delete-a-single-applocker-rule/)
- 2019.05 [oddvar] [A small discovery about AppLocker](https://oddvar.moe/2019/05/29/a-small-discovery-about-applocker/)
- 2019.04 [4hou] [Multiple Methods of Bypassing AppLocker Application Whitelisting via regsrv32.exe](https://www.4hou.com/web/17354.html)
- 2019.03 [4sysops] [Application whitelisting: Software Restriction Policies vs. AppLocker vs. Windows Defender Application Control](https://4sysops.com/archives/application-whitelisting-software-restriction-policies-vs-applocker-vs-windows-defender-application-control/)
- 2019.03 [4hou] [Evasion Techniques Bloom Again: Starting from an Office Document That Evades AppLocker and AMSI Detection](https://www.4hou.com/system/16916.html)
- 2019.03 [yoroi] [The Document that Eluded AppLocker and AMSI](https://blog.yoroi.company/research/the-document-that-eluded-applocker-and-amsi/)
- 2019.03 [p0w3rsh3ll] [Applocker and PowerShell: how do they tightly work together?](https://p0w3rsh3ll.wordpress.com/2019/03/07/applocker-and-powershell-how-do-they-tightly-work-together/)
- 2019.02 [4hou] [How to Bypass AppLocker as an Administrator](http://www.4hou.com/web/16213.html)
- 2019.02 [oddvar] [Bypassing AppLocker as an admin](https://oddvar.moe/2019/02/01/bypassing-applocker-as-an-admin/)
- 2019.01 [hackingarticles] [Windows Applocker Policy – A Beginner’s Guide](https://www.hackingarticles.in/windows-applocker-policy-a-beginners-guide/)
- 2019.01 [t00ls] [Contributed Article: Bypass AppLocker + Execute Arbitrary Shellcode Undetected [ csc + installUtil ]](https://www.t00ls.net/articles-49443.html)

***

## Data Execution Prevention(DEP)

### Tools

### Articles

- 2019.11 [aliyun] [ARM Exploit Development - Bypassing DEP to Execute mprotect()](https://xz.aliyun.com/t/6750)
- 2019.07 [codingvision] [Bypassing ASLR and DEP - Getting Shells with pwntools](https://codingvision.net/security/bypassing-aslr-dep-getting-shells-with-pwntools)
- 2019.01 [fuzzysecurity] [MS13-009 Use-After-Free IE8 (DEP)](http://fuzzysecurity.com/exploits/20.html)
- 2019.01 [fuzzysecurity] [BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR](http://fuzzysecurity.com/exploits/11.html)
- 2019.01 [fuzzysecurity] [NCMedia Sound Editor Pro v7.5.1 SEH&DEP&ASLR](http://fuzzysecurity.com/exploits/16.html)
- 2019.01 [fuzzysecurity] [ALLMediaServer 0.8 SEH&DEP&ASLR](http://fuzzysecurity.com/exploits/15.html)
- 2018.12 [360] [Analysis of the CoolPlayer DEP Bypass (CVE-2008-3408)](https://www.anquanke.com/post/id/167424/)
- 2018.09 [duo] [Weak Apple DEP Authentication Leaves Enterprises Vulnerable to Social Engineering Attacks and Rogue Devices](https://duo.com/blog/weak-apple-dep-authentication-leaves-enterprises-vulnerable-to-social-engineering-attacks-and-rogue-devices)
- 2018.09 [3or] [ARM Exploitation - Defeating DEP - executing mprotect()](https://blog.3or.de/arm-exploitation-defeating-dep-executing-mprotect.html)
- 2018.09 [3or] [ARM Exploitation - Defeating DEP - execute system()](https://blog.3or.de/arm-exploitation-defeating-dep-execute-system.html)
- 2018.06 [pediy] [[Original] Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow](https://bbs.pediy.com/thread-228537.htm)
- 2018.05 [pediy] [[Translation] DEP Mitigation Techniques (Part 1)](https://bbs.pediy.com/thread-226625.htm)
- 2017.12 [360] [Exploit Mitigation Techniques: Data Execution Prevention (DEP)](https://www.anquanke.com/post/id/91266/)
- 2017.12 [0x00sec] [Exploit Mitigation Techniques - Data Execution Prevention (DEP)](https://0x00sec.org/t/exploit-mitigation-techniques-data-execution-prevention-dep/4634/)
- 2017.10 [freebuf] [Using ROP + Return-to-dl-resolve to Bypass ASLR+DEP on 64-bit Systems](http://www.freebuf.com/articles/system/149364.html)
- 2017.10 [freebuf] [How to Use ROP + Return-to-dl to Bypass ASLR+DEP on 32-bit Systems](http://www.freebuf.com/articles/system/149214.html)
- 2017.08 [pediy] [[Original] Challenging DEP with Ret2Libc: Using ZwSetInformationProcess](https://bbs.pediy.com/thread-220346.htm)
- 2017.06 [360] [ropasaurusrex: ROP Beginner's Tutorial - DEP (Part 2)](https://www.anquanke.com/post/id/86197/)
- 2017.06 [360] [ropasaurusrex: ROP Beginner's Tutorial - DEP (Part 1)](https://www.anquanke.com/post/id/86196/)
- 2017.05 [myonlinesecurity] [fake clothing order Berhanu (PURCHASE DEPARTMENT) using winace files delivers Loki bot](https://myonlinesecurity.co.uk/fake-clothing-order-berhanu-purchase-department-using-winace-files-delivers-loki-bot/)

***

## Patch Guard(PG)

### Tools

- [**551**星][11m] [C] [hfiref0x/upgdsed](https://github.com/hfiref0x/upgdsed) Universal PatchGuard and DSE disabler

### Articles

- 2019.04 [OffensiveCon] [OffensiveCon19 - Luc Reginato - Updated Analysis of PatchGuard on Windows RS4](https://www.youtube.com/watch?v=ifWdeFHXj7s)
- 2019.03 [tetrane] [Updated Analysis of PatchGuard on Microsoft Windows 10 RS4](https://blog.tetrane.com/2019/Analysis-Windows-PatchGuard.html)
- 2018.10 [aliyun] [Taking Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection](https://xz.aliyun.com/t/3072)
- 2018.10 [ensilo] [Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection](https://blog.ensilo.com/meltdown-patchguard)
- 2018.09 [pediy] [[Original] A Rough Analysis of PatchGuard Self-Verification](https://bbs.pediy.com/thread-246730.htm)
- 2015.06 [alex] [What are Little PatchGuards Made Of?](http://www.alex-ionescu.com/?p=290)
- 2015.01 [ptsecurity] [Windows 8.1 Kernel Patch Protection — PatchGuard](http://blog.ptsecurity.ru/2015/01/windows-81-kernel-patch-protection.html)
- 2014.07 [mcafee] [Malicious Utility Can Defeat Windows PatchGuard](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-utility-can-defeat-windows-patchguard/)
- 2014.07 [mcafee] [Malicious Utility Can Defeat Windows PatchGuard](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-utility-can-defeat-windows-patchguard/)
- 2014.03 [mcafee] [Analyzing the Uroburos PatchGuard Bypass](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-uroburos-patchguard-bypass/)
- 2014.03 [mcafee] [Analyzing the Uroburos PatchGuard Bypass](https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-uroburos-patchguard-bypass/)
- 2013.02 [pediy] [[Original] DisablePatchGuard.sys](https://bbs.pediy.com/thread-162477.htm)
- 2012.11 [pediy] [[Discussion] The Methods That Turn PatchGuard into Junk~](https://bbs.pediy.com/thread-158157.htm)
- 2011.06 [picturoku] [Patchguard red flags](http://picturoku.blogspot.com/2011/06/patchguard-red-flags.html)
- 2009.12 [immunityinc] [PatchGuard](https://www.immunityinc.com/downloads/h2hc.pdf)
- 2007.01 [alex] [Windows Vista 64-bit Driver Signing/PatchGuard Workaround](http://www.alex-ionescu.com/?p=23)
- 2007.01 [pediy] [[Repost] Bypassing PatchGuard on Windows x64](https://bbs.pediy.com/thread-37428.htm)
- 2006.10 [microsoft] [The Final Word – Jim Allchin Letter Clarifies Patchguard on Vista](https://cloudblogs.microsoft.com/microsoftsecure/2006/10/24/the-final-word-jim-allchin-letter-clarifies-patchguard-on-vista/)
- 2006.10 [infosecblog] [MS caves on Vista Patchguard? Not so fast](https://www.infosecblog.org/2006/10/ms-caves-on-vista-patchguard-not-so-fast/)
- 2006.08 [microsoft] [Interview with Patchguard Architect Forrest Foltz (Windows Vista x64 Security – Patchguard follow up)](https://cloudblogs.microsoft.com/microsoftsecure/2006/08/16/interview-with-patchguard-architect-forrest-foltz-windows-vista-x64-security-patchguard-follow-up/)

***

## Driver Signature Enforcement(DSE)

### Tools

- [**723**星][10m] [C] [hfiref0x/tdl](https://github.com/hfiref0x/tdl) Driver loader for bypassing Windows x64 Driver Signature Enforcement
- [**369**星][11d] [C] [mattiwatti/efiguard](https://github.com/mattiwatti/efiguard) Disable PatchGuard and DSE at boot time
- [**322**星][5m] [C] [9176324/shark](https://github.com/9176324/shark) Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).
- [**274**星][9d] [C++] [can1357/byepg](https://github.com/can1357/byepg) Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI

### Articles

- 2014.05 [pediy] [[Share] Copying and Tweaking Code to Get Past Driver Signature Enforcement (DSE) on Win7, Win8 and Win8.1 x64](https://bbs.pediy.com/thread-187699.htm)
- 2013.01 [colinpoflynn] [Windows 7 64-bit Disable Driver Signature Enforcement](https://www.youtube.com/watch?v=k4RwaI4mn6Y)
- 2012.12 [vexillium] [Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter](http://j00ru.vexillium.org/?p=1455)
- 2012.12 [vexillium] [Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter](https://j00ru.vexillium.org/2012/12/defeating-windows-driver-signature-enforcement-part-3-the-ultimate-encounter/)
- 2012.11 [vexillium] [Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops](http://j00ru.vexillium.org/?p=1393)
- 2012.11 [vexillium] [Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops](https://j00ru.vexillium.org/2012/11/defeating-windows-driver-signature-enforcement-part-2-csrss-and-thread-desktops/)
- 2012.11 [vexillium] [Defeating Windows Driver Signature Enforcement #1: default drivers](http://j00ru.vexillium.org/?p=1169)
- 2012.11 [vexillium] [Defeating Windows Driver Signature Enforcement #1: default drivers](https://j00ru.vexillium.org/2012/11/defeating-windows-driver-signature-enforcement-part-1-default-drivers/)
- 2010.06 [vexillium] [A quick insight into the Driver Signature Enforcement](http://j00ru.vexillium.org/?p=377)
- 2010.06 [vexillium] [A quick insight into the Driver Signature Enforcement](https://j00ru.vexillium.org/2010/06/insight-into-the-driver-signature-enforcement/)
- 2006.03 [] [Showdown: MIIS vs. DSE](http://360tek.blogspot.com/2006/03/showdown-miis-vs-dse.html)

***

## Windows Defender

### Tools

- [**424**星][10d] [C#] [matterpreter/defendercheck](https://github.com/matterpreter/defendercheck) Identifies the bytes that Microsoft Defender flags on.

### Articles

- 2020.02 [eforensicsmag] [[CQLabs] Windows Defender Exploit Guard under the hood |by Artur Wojtkowski](https://eforensicsmag.com/cqlabs-windows-defender-exploit-guard-under-the-hood-by-artur-wojtkowski/)
- 2019.12 [p0w3rsh3ll] [Quick post: Review Windows Defender notifications](https://p0w3rsh3ll.wordpress.com/2019/12/29/quick-post-review-windows-defender-notifications/)
- 2019.12 [4hou] [Assessing the Effectiveness of a New Security Data Source: Windows Defender Exploit Guard (Part 1)](https://www.4hou.com/system/22277.html)
- 2019.12 [Enderman] [Can Windows Defender protect your computer against malware?](https://www.youtube.com/watch?v=ErxcY9wjr14)
- 2019.12 [illuminati] [Starlink: “Sorry this application cannot run in a Virtual Machine” while running with Windows Defender Application Guard enabled.](https://illuminati.services/2019/12/07/starlink-sorry-this-application-cannot-run-under-a-virtual-machine/)
- 2019.11 [vishal] [Disable Defender in Win10](https://medium.com/p/cf9514711fdf)
- 2019.10 [palantir] [Assessing the effectiveness of a new security data source: Windows Defender Exploit Guard](https://medium.com/p/860b69db2ad2)
- 2019.10 [HackersOnBoard] [Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator](https://www.youtube.com/watch?v=LvW68czaEGs)
- 2019.09 [ATTTechChannel] [9/13/19 GootKit Malware Bypasses Windows Defender | AT&T ThreatTraq](https://www.youtube.com/watch?v=gCvSxzF4x1M)
- 2019.09 [aliyun] [Playing with Windows Defender](https://xz.aliyun.com/t/6216)
- 2019.07 [microsoft] [How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection](https://www.microsoft.com/security/blog/2019/07/31/how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection/)
- 2019.06 [goet] [Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API](https://medium.com/p/c435d2943605)
- 2019.06 [goet] [Protect yourself against #BlueKeep using Azure Sentinel and Defender ATP.](https://medium.com/p/d308f566d5cf)
- 2019.05 [eli] [Using PowerShell in Windows Defender](https://www.peerlyst.com/posts/using-powershell-in-windows-defender-eli-shlomo)
- 2019.05 [morphisec] [Morphisec + WINDOWS Defender AV: Advanced Threat Protection Made Easy](https://blog.morphisec.com/morphisec-microsoft-defender-av)
- 2019.04 [contextis] [Windows Defender Functionality](https://www.contextis.com/en/blog/windows-defender-functionality)
- 2019.04 [rce4fun] [Circumventing Windows Defender ATP's user-mode APC Injection sensor from Kernel-mode](http://rce4fun.blogspot.com/2019/04/circumventing-windows-defender-atps.html)
- 2019.03 [freebuf] [Conscientious Developer: Microsoft's Windows Defender ATP Security Suite Is Coming to Mac OS](https://www.freebuf.com/news/199117.html)
- 2019.03 [4hou] [How Attackers Use a Modified Empire to Bypass Windows Defender](https://www.4hou.com/system/16541.html)
- 2019.03 [freebuf] [Modifying Empire to Bypass Windows Defender](https://www.freebuf.com/articles/system/197558.html)

***

## Antimalware Scan Interface(AMSI)

### Tools

- [**322**星][9d] [C#] [hackplayers/salsa-tools](https://github.com/hackplayers/salsa-tools) Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP/Shellcode/SILENTTRINITY and AV bypass, AMSI patched

### Articles

- 2020.01 [ionize] [Detecting AMSI Bypass](https://ionize.com.au/detecting-amsi-bypass/)
- 2019.11 [two06] [AMSI as a Service — Automating AV Evasion](https://medium.com/p/2e2f54397ff9)
- 2019.11 [thecyberbutler] [Yet another update to bypass AMSI in VBA](https://medium.com/p/19ddf9065c04)
- 2019.11 [freebuf] [How to Identify and Analyze Antimalware Scan Interface (AMSI) Components](https://www.freebuf.com/articles/terminal/216921.html)
- 2019.10 [binarydefense] [Binary Defense MDR Integrates Microsoft Antimalware Scan Interface Interoperability (AMSI) - Binary Defense](https://www.binarydefense.com/binary-defense-mdr-integrates-microsoft-antimalware-scan-interface-interoperability-amsi/)
- 2019.10 [mattifestation] [Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI](https://posts.specterops.io/antimalware-scan-interface-detection-optics-analysis-methodology-858c37c38383)
- 2019.10 [4hou] [Watch Me Bring a Heap-Based AMSI Bypass Close to Perfection, Step by Step](https://www.4hou.com/system/20700.html)
- 2019.10 [specterops] [Antimalware Scan Interface Detection Optics Analysis Methodology](https://medium.com/p/858c37c38383)
- 2019.09 [byte] [Adventures in the Wonderful World of AMSI.](https://medium.com/p/25d235eb749c)
- 2019.08 [4hou] [The Complete Process of Bypassing AMSI](https://www.4hou.com/web/18619.html)
- 2019.08 [mcafee] [McAfee AMSI Integration Protects Against Malicious Scripts](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against-malicious-scripts/)
- 2019.08 [mcafee] [McAfee AMSI Integration Protects Against Malicious Scripts](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against-malicious-scripts/)
- 2019.07 [codewhitesec] [Heap-based AMSI bypass for MS Excel VBA and others](https://codewhitesec.blogspot.com/2019/07/heap-based-amsi-bypass-in-vba.html)
- 2019.07 [f] [Hunting for AMSI bypasses](https://blog.f-secure.com/hunting-for-amsi-bypasses/)
- 2019.06 [360] [How to Bypass AMSI](https://www.anquanke.com/post/id/180281/)
- 2019.06 [contextis] [AMSI Bypass](https://www.contextis.com/en/blog/amsi-bypass)
- 2019.06 [aliyun] [How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code](https://xz.aliyun.com/t/5351)
- 2019.06 [360] [How to Bypass AMSI and WLDP](https://www.anquanke.com/post/id/179832/)
- 2019.05 [benoit] [Alternative AMSI bypass](https://medium.com/p/554dc61d70b1)
- 2019.04 [4hou] [How to Bypass AMSI for VBA](https://www.4hou.com/technology/17638.html)

***

## Address Space Layout Randomization(ASLR)

### Tools

- [**901**星][2m] [Roff] [slimm609/checksec.sh](https://github.com/slimm609/checksec.sh) Bash script that checks executable properties (PIE, RELRO, PaX, Canaries, ASLR, Fortify Source)
- [**371**星][12d] [PS] [netspi/pesecurity](https://github.com/netspi/pesecurity) PowerShell module that checks whether a PE (EXE/DLL) was compiled with ASLR, DEP, SafeSEH, StrongNaming and Authenticode

### Articles

- 2019.12 [johnlatwc] [Early Security Stories — ASLR](https://medium.com/p/4c6bafe0dda1)
- 2019.10 [HackersOnBoard] [Black Hat USA 2016 Breaking Kernel Address Space Layout Randomization KASLR With Intel TSX](https://www.youtube.com/watch?v=K8nt67X1ahk)
- 2019.06 [arxiv] [[1906.10478] From IP ID to Device ID and KASLR Bypass (Extended Version)](https://arxiv.org/abs/1906.10478)
- 2019.06 [securityevaluators] [ASUSWRT RCE via Buffer Overflow, ASLR Bypass](https://blog.securityevaluators.com/asuswrt-buffer-overflow-format-string-aslr-bypass-2bbf9736fe46)
- 2019.06 [openanalysis] [Disable ASLR for Easier Malware Debugging With x64dbg and IDA Pro](https://oalabs.openanalysis.net/2019/06/12/disable-aslr-for-easier-malware-debugging/)
- 2019.06 [OALabs] [Disable ASLR For Easier Malware Debugging With x64dbg and IDA Pro](https://www.youtube.com/watch?v=DGX7oZvdmT0)
- 2019.04 [4hou] [Exploiting an ASLR Weakness: Analysis of a Chrome Sandbox Escape Vulnerability](https://www.4hou.com/system/17424.html)
- 2019.03 [offensive] [Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)](https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/)
- 2019.03 [notsoshant] [Windows Exploitation: ASLR Bypass (MS07–017)](https://medium.com/p/8760378e3e84)
- 2019.02 [rce4fun] [VirtualProtectEx to bypass ASLR : A specific case study](http://rce4fun.blogspot.com/2019/02/virtualprotectex-to-bypass-aslr.html)
- 2019.01 [aliyun] [ASLR Protection for Statically Linked Executables](https://xz.aliyun.com/t/3752)
- 2018.11 [pediy] [[Original] CVE-2014-0322: Combining IE and Flash to Bypass ASLR+DEP](https://bbs.pediy.com/thread-248057.htm)
- 2018.11 [pediy] [[Original] CVE-2012-1889: Loading a DLL via GUID on Win7 to Bypass ASLR+DEP](https://bbs.pediy.com/thread-247975.htm)
- 2018.11 [securityevaluators] [ASUSWRT Buffer Overflow, Format String ASLR Bypass](https://medium.com/p/2bbf9736fe46)
- 2018.10 [osandamalith] [PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags](https://osandamalith.com/2018/10/24/pe-sec-info-a-simple-tool-to-manipulate-aslr-and-dep-flags/)
- 2018.08 [cmu] [When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults](https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html)
- 2018.06 [teamultimate] [Return to PLT, GOT to bypass ASLR remotely](https://teamultimate.in/return-to-plt-got-to-bypass-aslr-remote/)
- 2018.06 [teamultimate] [Format String Exploits: Defeating Stack Canary, NX and ASLR Remotely on 64 bit](https://teamultimate.in/format-string-defeating-stack-canary-nx-aslr-remote/)
- 2018.06 [nul] [Some Experiments with Linux ASLR (1)](http://www.nul.pw/2018/06/09/263.html)
- 2018.05 [pediy] [[Translation] Bypassing ASLR + NX, Part 1](https://bbs.pediy.com/thread-226637.htm)

***

## Control Flow Guard

### Tools

***

## Control Integrity Guard

***

## Other

# MS1X

***

## Tools

- [**345**星][4m] [Py] [3ndg4me/autoblue-ms17-010](https://github.com/3ndg4me/autoblue-ms17-010) This is just a semi-automated, fully working, no-bs, non-metasploit version of the public exploit code for MS17-010
- [**254**星][17d] [Py] [mez-0/ms17-010-python](https://github.com/mez-0/MS17-010-Python) MS17-010: Python and Meterpreter

***

## Articles

- 2020.02 [LoiLiangYang] [Exploiting Windows 10 with MS17_010_PSEXEC](https://www.youtube.com/watch?v=7-3k7AGTHPQ)
- 2010.04 [g] [MS10-020](http://g-laurent.blogspot.com/2010/04/ms10-020.html)
- 2010.04 [sans] [MS10-021: Encountering A Failed WinXP Update](https://isc.sans.edu/forums/diary/MS10021+Encountering+A+Failed+WinXP+Update/8644/)
- 2010.03 [sans] [OOB Update for Internet Explorer MS10-018](https://isc.sans.edu/forums/diary/OOB+Update+for+Internet+Explorer+MS10018/8533/)
- 2010.02 [sans] [MS10-015 may cause Windows XP to blue screen (but only if you have malware on it)](https://isc.sans.edu/forums/diary/MS10015+may+cause+Windows+XP+to+blue+screen+but+only+if+you+have+malware+on+it/8266/)
- 2010.02 [g] [More details on MS10-006](http://g-laurent.blogspot.com/2010/02/more-details-on-ms10-006.html)
- 1970.01 [] [[MS15-010 / CVE-2015-0057] Exploitation](http://0day5.com/archives/3631/)

# System Mechanisms

***

## RDP

### Tools

- [**6407**星][1y] [Pascal] [stascorp/rdpwrap](https://github.com/stascorp/rdpwrap) RDP Wrapper Library
- [**3800**星][9d] [C] [freerdp/freerdp](https://github.com/freerdp/freerdp) FreeRDP is a free remote desktop protocol library and clients
- [**1655**星][21d] [C] [neutrinolabs/xrdp](https://github.com/neutrinolabs/xrdp) xrdp: an open source RDP server
- [**1083**星][9d] [C] [zerosum0x0/cve-2019-0708](https://github.com/zerosum0x0/cve-2019-0708) Scanner PoC for CVE-2019-0708 RDP RCE vuln
- [**996**星][1m] [Py] [syss-research/seth](https://github.com/syss-research/seth) Perform a MitM attack and extract clear text credentials from RDP connections
- [**911**星][13d] [Py] [jimmy201602/webterminal](https://github.com/jimmy201602/webterminal) ssh rdp vnc telnet sftp bastion/jump web putty xshell terminal jumpserver audit realtime monitor rz/sz bastion host, cloud desktop, linux devops, sftp, websocket file management, rz/sz, otp, automated operations, auditing, session recording, file management, sftp upload, realtime monitoring, recording playback, web-based rz/sz upload/download, one-time passwords, django
- [**764**星][10d] [C] [rdesktop/rdesktop](https://github.com/rdesktop/rdesktop) rdesktop is an open source UNIX client for connecting to Windows Remote Desktop Services, capable of natively speaking Remote Desktop Protocol (RDP) in order to present the user's Windows desktop. rdesktop is known to work with Windows server versions ranging from NT 4 terminal server to Windows 2012 R2.
- [**692**星][13d] [C] [robertdavidgraham/rdpscan](https://github.com/robertdavidgraham/rdpscan) A quick scanner for the CVE-2019-0708 "BlueKeep" vulnerability.
- [**433**星][9d] [C++] [0x09al/rdpthief](https://github.com/0x09al/rdpthief) Extracting Clear Text Passwords from mstsc.exe using API Hooking.
- [**378**星][15d] [C#] [beckzhu/simpleremote](https://github.com/beckzhu/simpleremote) Remote management tool. A lightweight, tabbed, free, open-source remote connection manager supporting the RDP, SSH and Telnet protocols
- [**376**星][13d] [Py] [gosecure/pyrdp](https://github.com/gosecure/pyrdp) RDP man-in-the-middle (mitm) and library for Python 3 with the ability to watch connections live or after the fact
- [**339**星][21d] [PS] [joelgmsec/autordpwn](https://github.com/joelgmsec/autordpwn) The Shadow Attack Framework
- [**296**星][9d] [Py] [xfreed0m/rdpassspray](https://github.com/xfreed0m/rdpassspray) Python3 tool to perform password spraying using RDP
- [**283**星][8m] [Py] [k8gege/cve-2019-0708](https://github.com/k8gege/cve-2019-0708) Batch detection tool for the CVE-2019-0708 Remote Desktop (port 3389) code execution vulnerability (Rdpscan Bluekeep Check)

### Articles

- 2019.05 [fortinet] [CVE-2019-0708 – Remote Desktop Protocol and Remote Code Execution #Bluekeep](https://www.fortinet.com/blog/threat-research/cve-20190708-remote-desktop-protocol-and-code-execution-bluekeep.html)
- 2018.07 [mcafee] [Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/organizations-leave-backdoors-open-to-cheap-remote-desktop-protocol-attacks/)
- 2018.04 [fireeye] [Establishing a Baseline for Remote Desktop Protocol](http://www.fireeye.com/blog/threat-research/2018/04/establishing-a-baseline-for-remote-desktop-protocol.html)
- 2017.12 [blackmoreops] [Hacking remote desktop protocol using rdpy](https://www.blackmoreops.com/2017/12/12/hacking-remote-desktop-protocol-using-rdpy/)
- 2017.11 [esecurityplanet] [Flood of Attacks Spread Ransomware via Remote Desktop Protocol](https://www.esecurityplanet.com/threats/new-attacks-spread-ransomware-via-remote-desktop-protocol.html)
- 2017.03 [4hou] [How to Silently Hijack RDP and Remote Sessions?](http://www.4hou.com/info/news/3898.html)
- 2017.03 [korznikov] [Session Hijacking Across All Windows Platforms](http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html)
- 2017.02 [trendmicro] [Brute Force RDP Attacks Plant CRYSIS Ransomware](https://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/)
- 2016.12 [sensepost] [XRDP: Exploiting Unauthenticated X Windows Sessions](https://sensepost.com/blog/2016/xrdp-exploiting-unauthenticated-x-windows-sessions/)
- 2016.11 [digi] [Windows RDP client, show login page](https://digi.ninja/blog/rdp_show_login_page.php)
- 2016.11 [webroot] [RDP Attacks: What You Need to Know and How to Protect Yourself](https://www.webroot.com/blog/2016/11/23/remote-desktop-protocol-attacks-need-know/)
- 2016.11 [whereisk0shl] [Cain RDP Buffer Overflow Vulnerability (CVE-2008-5405)](http://whereisk0shl.top/post/2016-11-05)
- 2016.08 [id] [Anti-1C, RDP-WinRAR](http://id-ransomware.blogspot.com/2017/11/anti-1c-ransomware.html)
- 2016.07 [freebuf] [RDP Connection Downgrade Attacks and How to Avoid Them](http://www.freebuf.com/articles/system/108346.html)
- 2016.06 [duo] [Protecting Remote Access to Your Computer: RDP Attacks and Server Credentials for Sale](https://duo.com/blog/protecting-remote-access-to-your-computer-rdp-attacks-and-server-credentials-for-sale)
- 2016.05 [willgenovese] [SSH Tunneling RDP Using Putty](http://willgenovese.com/ssh-tunneling-rdp-using-putty/)
- 2016.05 [fox] [Ransomware deployments after brute force RDP attack](https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force-rdp-attack/)
- 2016.04 [portcullis] [Downgrading RDP connections and how to avoid it](https://labs.portcullis.co.uk/blog/downgrading-rdp-connections-and-how-to-avoid-it/)
- 2016.04 [contextis] [RDP Replay Code Release](https://www.contextis.com/blog/rdp-replay-code-release)
- 2016.01 [securestate] [Scripting RDP for Pillaging and Potato](https://warroom.securestate.com/scripting-rdp/)

### Articles (continued)

- 2019.12 [welivesecurity] [It’s time to disconnect RDP from the internet | WeLiveSecurity](https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/)
- 2019.12 [4hou] [Warning! Windows BlueKeep RDP Is Here!](https://www.4hou.com/system/22078.html)
- 2019.12 [talosintelligence] [Microsoft Remote Desktop Services (RDP8) license negotiation denial-of-service vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0901)
- 2019.12 [talosintelligence] [Microsoft Remote Desktop Services (RDP7) Windows XP Multiple Information Leak Vulnerabilities](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0895)
- 2019.12 [talosintelligence] [Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP](https://blog.talosintelligence.com/2019/12/vuln-spotlight-RDP-Dec-19.html)
- 2019.12 [4hou] [Reverse RDP Attack: Hyper-V Connection](https://www.4hou.com/technology/19747.html)
- 2019.11 [freebuf] [RDP Remote Vulnerability (CVE-2019-0708) Found Exploited in the Wild for Cryptomining](https://www.freebuf.com/articles/system/218963.html)
- 2019.11 [venus] [Attacking mstsc in Reverse over RDP](https://paper.seebug.org/1074/)
- 2019.11 [rapid7] [Securing RDP Vulnerabilities: Learnings from Bluekeep and DejaBlue](https://blog.rapid7.com/2019/11/07/the-anatomy-of-rdp-exploits-lessons-learned-from-bluekeep-and-dejablue/)
- 2019.11 [fortinet] [BlueKeep RDP Attacks are Starting – Patch CVE-2019-0708 Now](https://www.fortinet.com/blog/threat-research/bluekeep-rdp-attacks-starting-patch-now.html)
- 2019.09 [venus] [RDP Logon Log Forensics and Clearing](https://paper.seebug.org/1043/)
- 2019.09 [aliyun] [RDP Logon Log Forensics and Clearing](https://xz.aliyun.com/t/6421)
- 2019.09 [webroot] [Cyber News Rundown: TFlower Ransomware Exploiting RDP](https://www.webroot.com/blog/2019/09/20/cyber-news-rundown-tflower-ransomware-exploiting-rdp/)
- 2019.09 [freebuf] [Seth: Perform a MitM Attack and Extract Clear-Text Credentials from RDP Connections](https://www.freebuf.com/sectool/212918.html)
- 2019.09 [hakin9] [PyRDP - Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library](https://hakin9.org/pyrdp-python-3-remote-desktop-protocol-rdp-man-in-the-middle-mitm-and-library/)
- 2019.09 [4hou] [RDP Vulnerability May Trigger a Large-Scale Worm Outbreak; Users Can Use Alibaba Cloud's Free Detection Service, Please Patch Promptly](https://www.4hou.com/info/news/20231.html)
- 2019.09 [4sysops] [Azure Redeploy: If RDP or application access to an Azure VM fails](https://4sysops.com/archives/azure-redeploy-if-rdp-or-application-access-to-an-azure-vm-fails/)
- 2019.09 [tencent] [Tencent Security Issues High-Risk Warning: Crysis Ransomware Attacks via RDP Brute Force Intensify](https://s.tencent.com/research/report/796.html)
- 2019.08 [malwaretech] [DejaBlue: Analyzing a RDP Heap Overflow](https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html)
- 2019.08 [freebuf] [Collected Analyses of the Microsoft RDP Remote Code Execution Vulnerability (CVE-2019-0708)](https://www.freebuf.com/vuls/205380.html)

***

## SMB

### Tools

- [**1215**星][1m] [C#] [k8gege/ladon](https://github.com/k8gege/ladon) Multithreaded, plugin-based comprehensive scanner for large-network penetration testing
- [**820**星][1y] [PS] [kevin-robertson/invoke-thehash](https://github.com/kevin-robertson/invoke-thehash) PowerShell functions for performing pass-the-hash WMI and SMB tasks
- [**767**星][2m] [Py] [shawndevans/smbmap](https://github.com/shawndevans/smbmap) SMB enumeration
- [**388**星][12d] [C] [zerosum0x0/smbdoor](https://github.com/zerosum0x0/smbdoor) Windows kernel backdoor via registering a malicious SMB handler
- [**355**星][3m] [Py] [m8r0wn/nullinux](https://github.com/m8r0wn/nullinux) SMB null session identification and enumeration tool
- [**348**星][11m] [Py] [skorov/ridrelay](https://github.com/skorov/ridrelay) Enumerate usernames on a domain where you have no credentials by using low-privilege SMB relay.
- [**322**星][8m] [C#] [raikia/credninja](https://github.com/raikia/credninja) A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
- [**255**星][19d] [PS] [p3nt4/invoke-piper](https://github.com/p3nt4/Invoke-Piper) Forward local or remote tcp ports through SMB pipes.
- [**225**星][3m] [Py] [m4ll0k/smbrute](https://github.com/m4ll0k/smbrute) SMB Protocol Bruteforce
- [**210**星][3m] [Py] [miketeo/pysmb](https://github.com/miketeo/pysmb) pysmb is an experimental SMB/CIFS library written in Python. It implements the client-side SMB/CIFS protocol (SMB1 and SMB2) which allows your Python application to access and transfer files to/from SMB/CIFS shared folders like your Windows file sharing and Samba folders.

### Articles

- 2013.12 [trendmicro] [FBI details major trends in cyber attacks against SMB’s](http://blog.trendmicro.com/fbi-details-major-trends-cyber-attacks-smbs/)
- 2013.11 [sophos] [Ponemon Institute: Management uncertainty, lack of security expertise put SMBs at risk](https://news.sophos.com/en-us/2013/11/19/ponemon-institute-management-uncertainty-lack-of-security-expertise-put-smbs-at-risk/)
- 2013.10 [thomasmaurer] [EMC – SMB 3.0 is the Future of Storage](https://www.thomasmaurer.ch/2013/10/emc-smb-3-0-is-the-future-of-storage/)
- 2013.07 [pediy] [[Original] Experiment: Cracking Windows Logon Passwords from SMB Packet Captures](https://bbs.pediy.com/thread-176189.htm)
- 2013.06 [microsoft] [Cloud Trust Study: Top of the hill Security, Privacy and Reliability benefits for SMBs in Germany](https://cloudblogs.microsoft.com/microsoftsecure/2013/06/13/cloud-trust-study-top-of-the-hill-security-privacy-and-reliability-benefits-for-smbs-in-germany/)
- 2013.06 [intercepter] [Relevance of the SMBRelay Attack in Modern Windows Networks](http://intercepter-ng.blogspot.com/2013/06/smbrelay-windows.html)
- 2013.06 [microsoft] [Cloud Trust Study: SMBs in France echo Security, Privacy and Reliability Benefits of Cloud Computing](https://cloudblogs.microsoft.com/microsoftsecure/2013/06/12/cloud-trust-study-smbs-in-france-echo-security-privacy-and-reliability-benefits-of-cloud-computing/)
- 2013.06 [microsoft] [Blue Skies in London: Cloud Security, Privacy and Reliability Perceptions of SMBs in the U.K](https://cloudblogs.microsoft.com/microsoftsecure/2013/06/11/blue-skies-in-london-cloud-security-privacy-and-reliability-perceptions-of-smbs-in-the-u-k/)
- 2013.04 [microsoft] [SMB CTO Reports on Security Management and Green IT with the Cloud](https://cloudblogs.microsoft.com/microsoftsecure/2013/04/23/smb-cto-reports-on-security-management-and-green-it-with-the-cloud/)
- 2013.01 [trendmicro] [2013 Security Predictions: What Should Small and Medium Businesses (SMB) Look Out For?](https://blog.trendmicro.com/trendlabs-security-intelligence/2013-security-predictions-what-should-small-and-medium-businesses-smb-look-out-for/)
- 2013.01 [trendmicro] [Securing Your First Server: What SMBs Need to Know](http://blog.trendmicro.com/securing-your-first-server-what-smbs-need-to-know/)
- 2012.12 [netspi] [Executing SMB Relay Attacks via SQL Server using Metasploit](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
- 2012.12 [bogner] [SMBX: Where is my smb.conf](https://bogner.sh/2012/12/smbx-where-is-my-smb-conf/)
- 2012.12 [trendmicro] [Mobile Security for the SMB: Mac vs. Android Threats](http://blog.trendmicro.com/mobile-security-for-the-smb-mac-vs-android-threats/)
- 2012.11 [] [SMB ATTACK: Bypassing Security Software Access Restrictions](http://www.91ri.org/4783.html)
- 2012.10 [trendmicro] [How the Cloud is Affecting SMB Channel Partners](http://blog.trendmicro.com/how-the-cloud-is-affecting-smb-channel-partners/)
- 2012.08 [welivesecurity] [The Cloud for SMBs: 7 tips for safer cloud computing](https://www.welivesecurity.com/2012/08/24/the-cloud-for-smbs-7-tips-for-safer-cloud-computing/)
- 2012.06 [freebuf] [Scanning SMB Versions with Metasploit](http://www.freebuf.com/articles/3948.html)
- 2012.05 [microsoft] [Cloud Security Benefits for SMBs in Hong Kong](https://cloudblogs.microsoft.com/microsoftsecure/2012/05/24/cloud-security-benefits-for-smbs-in-hong-kong/)
- 2012.05 [microsoft] [Cloud Security Benefits for SMBs in Asia](https://cloudblogs.microsoft.com/microsoftsecure/2012/05/24/cloud-security-benefits-for-smbs-in-asia/)

***

## Windows Management Instrumentation(WMI)

### Tools

- [**708**星][12d] [Go] [martinlindhe/wmi_exporter](https://github.com/martinlindhe/wmi_exporter) Prometheus exporter for Windows machines using WMI
- [**706**星][1y] [PS] [arvanaghi/sessiongopher](https://github.com/Arvanaghi/SessionGopher) Uses WMI to extract saved session information for remote access tools (such as WinSCP, PuTTY, SuperPuTTY, FileZilla and Microsoft Remote Desktop). Written in PowerShell
- [**610**星][1y] [PS] [fortynorthsecurity/wmimplant](https://github.com/FortyNorthSecurity/WMImplant) This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
- [**265**星][9d] [JS] [pandorafms/pandorafms](https://github.com/pandorafms/pandorafms) Pandora FMS is a flexible and highly scalable monitoring system ready for big environments. It uses agents (Linux, Windows, AIX, HP-UX, Solaris and BSD systems) and can do both local and remote network monitoring (SNMP v3, TCP checks, WMI, etc).
- [**259**星][1m] [Go] [stackexchange/wmi](https://github.com/stackexchange/wmi) WMI for Go
- [**251**星][1y] [C#] [0xbadjuju/wheresmyimplant](https://github.com/0xbadjuju/wheresmyimplant) A Bring Your Own Land Toolkit that Doubles as a WMI Provider

### Articles

- 2020.02 [darkoperator] [Getting DNS Client Cached Entries with CIM/WMI](https://www.darkoperator.com/blog/2020/1/14/getting-dns-client-cached-entries-with-cimwmi)
- 2020.01 [pentestlab] [Persistence – WMI Event Subscription](https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/)
- 2019.12 [randomascii] [O(n^2), again, now in WMI](https://randomascii.wordpress.com/2019/12/08/on2-again-now-in-wmi/)
- 2019.11 [4hou] [New Intrusion Technique: Obfuscated Execution Using WMI-Compiled ".bmf" Files and CertUtil](https://www.4hou.com/technology/21376.html)
- 2019.10 [4hou] [Antimalware Scan Interface Detection Analysis Methodology: AMSI Identification and Analysis for WMI](https://www.4hou.com/system/20714.html)
- 2019.09 [4hou] [GhostMiner: Fileless Cryptocurrency Miner Weaponizes WMI Objects](https://www.4hou.com/info/news/20505.html)
- 2019.09 [trendmicro] [Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads](https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/)
- 2019.06 [lazywinadmin] [PowerShell - Joining WMI Classes in a query](https://lazywinadmin.com/2019/06/wmi_inner_join.html)
- 2019.05 [mdsec] [Persistence: “the continued or prolonged existence of something”: Part 3 – WMI Event Subscription](https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription/)
- 2019.04 [carbonblack] [CB TAU Threat Intelligence Notification: Emotet Utilizing WMI to Launch PowerShell Encoded Code](https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/)
- 2019.04 [rsa] [Detecting Lateral Movement in RSA NetWitness: WMI](https://community.rsa.com/community/products/netwitness/blog/2019/04/09/detecting-lateral-movement-in-rsa-netwitness-wmi)
- 2019.03 [robtlee73] [Investigating WMI Attacks](https://www.youtube.com/watch?v=aBQ1vEjK6v4)
- 2019.03 [ironcastle] [Special Webcast: Investigating WMI Attacks – March 7, 2019 3:30pm US/Eastern](https://www.ironcastle.net/special-webcast-investigating-wmi-attacks-march-7-2019-330pm-us-eastern/)
- 2019.02 [sans] [Investigating WMI Attacks](https://digital-forensics.sans.org/blog/2019/02/09/investigating-wmi-attacks)
- 2019.01 [fuzzysecurity] [wmic_info.bat](http://fuzzysecurity.com/scripts/13.html)
- 2019.01 [hackingarticles] [Bypass Application Whitelisting using wmic.exe (Multiple Methods)](https://www.hackingarticles.in/bypass-application-whitelisting-using-wmic-exe-multiple-methods/)
- 2019.01 [4hou] [How to Detect and Remove WMI Persistence Backdoors](http://www.4hou.com/technology/14024.html)
- 2019.01 [sans] [There's Something About WMI](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1492184420.pdf)
- 2019.01 [sans] [There's Something About WMI](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1492187258.pdf)
- 2019.01 [sans] [SIEMple Simon Met a WMIman](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1496762148.pdf)

***

## Event Tracing for Windows(ETW)

### Tools

- [**1303**星][12d] [JS] [jpcertcc/logontracer](https://github.com/jpcertcc/logontracer) Investigate malicious Windows logons by visualizing and analyzing Windows event logs
- [**885**星][16d] [C++] [google/uiforetw](https://github.com/google/uiforetw) User interface for recording and managing ETW traces
- [**673**星][12m] [Roff] [palantir/windows-event-forwarding](https://github.com/palantir/windows-event-forwarding) Network event monitoring and defense using Windows Event Forwarding
- [**655**星][9d] [PS] [sbousseaden/evtx-attack-samples](https://github.com/sbousseaden/evtx-attack-samples) Windows event samples associated with specific attack and post-exploitation techniques
- [**566**星][30d] [PS] [sans-blue-team/deepbluecli](https://github.com/sans-blue-team/deepbluecli) a PowerShell Module for Threat Hunting via Windows Event Logs
- [**505**星][11m] [C#] [lowleveldesign/wtrace](https://github.com/lowleveldesign/wtrace) Command line tracing tool for Windows, based on ETW.
- [**466**星][15d] [PS] [nsacyber/event-forwarding-guidance](https://github.com/nsacyber/Event-Forwarding-Guidance) Helps administrators collect security-relevant Windows event logs using Windows Event Forwarding (WEF)
- [**401**星][12m] [Py] [williballenthin/python-evtx](https://github.com/williballenthin/python-evtx) Windows event log parser written in pure Python
- [**318**星][3m] [C#] [zodiacon/procmonx](https://github.com/zodiacon/procmonx) Gets the same information Process Monitor displays from Windows event logs, without a kernel driver
- [**295**星][11d] [C#] [fireeye/silketw](https://github.com/fireeye/silketw) flexible C# wrappers for ETW
- [**290**星][12m] [C#] [nsacyber/windows-event-log-messages](https://github.com/nsacyber/Windows-Event-Log-Messages) Retrieves the definitions of Windows event log messages embedded in Windows binaries and provides them in a discoverable format
- [**268**星][5m] [C++] [gametechdev/presentmon](https://github.com/gametechdev/presentmon) Tool for collection and processing of ETW events related to DXGI presentation.
- [**261**星][10d] [C++] [microsoft/krabsetw](https://github.com/microsoft/krabsetw) KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

### Articles

- 2020.02 [vanimpe] [Parse stored Windows Event logs with Security Onion](https://www.vanimpe.eu/2020/02/12/parse-stored-windows-event-logs-with-security-onion/)
- 2020.01 [X13Cubed] [CVEs in Windows Event Logs? What You Need to Know](https://www.youtube.com/watch?v=ebmW42YYveI)
- 2020.01 [randomascii] [Bulk ETW Trace Analysis in C#](https://randomascii.wordpress.com/2020/01/05/bulk-etw-trace-analysis-in-c/)
- 2019.12 [Cooper] [EventList, Matching Windows Event Log IDs With MITRE ATT&CK - Miriam Wiesner](https://www.youtube.com/watch?v=l5PpbOmopyA)
- 2019.09 [adventuresincyberchallenges] [Powershell Encoded Payload In Clear Text in Windows Event Log 4688](https://adventuresincyberchallenges.blogspot.com/2019/09/powershell-encoded-payload-in-clear.html)
- 2019.09 [Cyb3rWard0g] [Threat Hunting with ETW events and HELK — Part 2: Shipping ETW events to HELK ⚒](https://medium.com/p/16837116d2f5)
- 2019.09 [Cyb3rWard0g] [Threat Hunting with ETW events and HELK — Part 1: Installing SilkETW 🏄‍♀🏄](https://medium.com/p/6eb74815e4a0)
- 2019.06 [fox] [Export corrupts Windows Event Log files](https://blog.fox-it.com/2019/06/04/export-corrupts-windows-event-log-files/)
- 2019.05 [freebuf] [SilkETW: A Custom C# Wrapper for Event Tracing for Windows](https://www.freebuf.com/sectool/203531.html)
- 2019.04 [4sysops] [Forward Windows events to a Syslog server with free SolarWinds Event Log Forwarder for Windows](https://4sysops.com/archives/forward-windows-events-to-a-syslog-server-with-free-solarwinds-event-log-forwarder-for-windows/)
- 2019.02 [360] [How the Windows Kernel Implements ETW Registry Monitoring](https://www.anquanke.com/post/id/171298/)
- 2019.01 [sans] [Rocking Your Windows EventID with ELK Stack](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1492181323.pdf)
- 2019.01 [sans] [Threat Hunting via Windows Event Logs](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1524493093.pdf)
- 2019.01 [sans] [Hunting for Lateral Movement Using Windows Event Log](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1536265369.pdf)
- 2018.12 [palantir] [Tampering with Windows Event Tracing: Background, Offense, and Defense](https://medium.com/p/4be7ac62ac63)
- 2018.12 [sophos] [Hunting for threats with Intercept X and the Windows Event Collector](https://news.sophos.com/en-us/2018/12/03/hunting-for-threats-with-intercept-x-and-the-windows-event-collector/)
- 2018.08 [4sysops] [Query multiple Windows event logs with PowerShell](https://4sysops.com/archives/query-multiple-windows-event-logs-with-powershell/)
- 2018.07 [criteo] [Grab ETW Session, Providers and Events](http://labs.criteo.com/2018/07/grab-etw-session-providers-and-events/)
- 2018.07 [3gstudent] [Windows Event Viewer Log (EVT) Single-Record Clearing (Part 3): Deleting EVT Log Records in a Specified Time Range on the Current System](https://3gstudent.github.io/3gstudent.github.io/Windows-Event-Viewer-Log-(EVT)%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E6%B8%85%E9%99%A4-%E4%B8%89-%E5%88%A0%E9%99%A4%E5%BD%93%E5%89%8D%E7%B3%BB%E7%BB%9F%E6%8C%87%E5%AE%9A%E6%8C%87%E5%AE%9A%E6%97%B6%E9%97%B4%E6%AE%B5evt%E6%97%A5%E5%BF%97%E8%AE%B0%E5%BD%95/)

***

## Lsass

### Tools

- [**489**星][20d] [Py] [hackndo/lsassy](https://github.com/hackndo/lsassy) Extract credentials from lsass remotely
- [**356**星][11d] [Py] [aas-n/spraykatz](https://github.com/aas-n/spraykatz) Credentials gathering tool automating remote procdump and parse of lsass process.
- [**315**星][13d] [C] [outflanknl/dumpert](https://github.com/outflanknl/dumpert) LSASS memory dumper using direct system calls and API unhooking.

### Articles

- 2020.02 [freebuf] [Lsassy: How to Remotely Extract User Credentials from lsass](https://www.freebuf.com/sectool/226170.html)
- 2020.01 [rsa] [Using RSA NetWitness to Detect Credential Harvesting: lsassy](https://community.rsa.com/community/products/netwitness/blog/2020/01/06/using-rsa-netwitness-to-detect-credential-harvesting-lsassy)
- 2019.12 [jimwilbur] [Defender Quarantines Lsass Dumps](https://www.wilbursecurity.com/2019/12/defender-quarantines-lsass-dumps/)
- 2019.12 [4hou] [Bypassing WDATP to Obtain LSASS Process Data](https://www.4hou.com/web/22071.html)
- 2019.07 [markmotig] [Some ways to dump LSASS.exe](https://medium.com/p/c4a75fdc49bf)
- 2019.05 [osandamalith] [Shellcode to Dump the Lsass Process](https://osandamalith.com/2019/05/11/shellcode-to-dump-the-lsass-process/)
- 2019.01 [astr0baby] [AndrewSpecial – stealthy lsass.exe memory dumping](https://astr0baby.wordpress.com/2019/01/21/andrewspecial-stealthy-lsass-exe-memory-dumping/)
- 2018.01 [stealthbits] [Market Trends: Announcing StealthINTERCEPT 5.0 General Availability – With Enterprise Password Enforcer & LSASS Guardian™](https://blog.stealthbits.com/market-trends-announcing-stealthintercept-5-0-general-availability-with-enterprise-password-enforcer/)
- 2017.10 [360] [Bypassing SACL Auditing on LSASS](https://www.anquanke.com/post/id/87107/)
- 2017.10 [tyranidslair] [Bypassing SACL Auditing on LSASS](https://tyranidslair.blogspot.com/2017/10/bypassing-sacl-auditing-on-lsass.html)
- 2017.10 [tyranidslair] [Bypassing SACL Auditing on LSASS](https://www.tiraniddo.dev/2017/10/bypassing-sacl-auditing-on-lsass.html)
- 2017.01 [360] [MS16-137: Analysis of the LSASS Remote Denial-of-Service Vulnerability](https://www.anquanke.com/post/id/85324/)
- 2016.11 [g] [MS16-137: LSASS Remote Memory Corruption Advisory](http://g-laurent.blogspot.com/2016/11/ms16-137-lsass-remote-memory-corruption.html)
- 2016.02 [govolution] [Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump](https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-1-mimikatz-lsass-exe-dump/)
- 2011.12 [pentestmonkey] [mimikatz: Tool To Recover Cleartext Passwords From Lsass](http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass)
- 2008.03 [pediy] [[Original] Tracking the Anti-Analysis Methods and EXE Infection Method of a New Variant of the "Disk Drive" Virus (com\lsass.exe, smss.exe, dnsq.dll)](https://bbs.pediy.com/thread-61461.htm)
- 2006.09 [sans] [CA eTrust Antivirus [was] flagging lsass.e x e](https://isc.sans.edu/forums/diary/CA+eTrust+Antivirus+was+flagging+lsasse+x+e/1665/)
- 2005.03 [sans] [Yahoo Messenger worm?; exploited.lsass.cc bot traffic](https://isc.sans.edu/forums/diary/Yahoo+Messenger+worm+exploitedlsasscc+bot+traffic/485/)
- 2004.05 [sans] [-UPDATE- Sasser Worm , Week in Review; LSASS Exploit Analysis; SANSFIRE 2004](https://isc.sans.edu/forums/diary/UPDATE+Sasser+Worm+Week+in+Review+LSASS+Exploit+Analysis+SANSFIRE+2004/181/)
- 2004.04 [sans] [PhatBot exploiting LSASS?](https://isc.sans.edu/forums/diary/PhatBot+exploiting+LSASS/178/)

***

## BitLocker

### Tools

- [**772**星][3m] [C] [aorimn/dislocker](https://github.com/aorimn/dislocker) FUSE driver to read/write Windows' BitLocker-ed volumes under Linux / Mac OSX
- [**347**星][1y] [C] [e-ago/bitcracker](https://github.com/e-ago/bitcracker) BitLocker password cracker

### Articles

- 2020.01 [4sysops] [Store and Retrieve BitLocker Recovery Keys from Active Directory](https://4sysops.com/archives/store-and-retrieve-bitlocker-recovery-keys-from-active-directory/)
- 2019.10 [4sysops] [Specops Key Recovery: Self-service for unlocking BitLocker-encrypted devices](https://4sysops.com/archives/specops-key-recovery-self-service-for-unlocking-bitlocker-encrypted-devices/)
- 2019.09 [codeinsecurity] [Recovering BitLocker when the BCD has been modified](https://codeinsecurity.wordpress.com/2019/09/23/recovering-bitlocker-when-the-bcd-has-been-modified/)
- 2019.06 [security] [[PL] What Are BitLocker and TPM? How Does Disk Encryption Work?](https://security.szurek.pl/co-to-jest-bitlocker-oraz-tpm-jak-dziala-szyfrowanie-dyskow.html)
- 2019.06 [KacperSzurek] [What Are BitLocker and TPM? How Does Disk Encryption Work?](https://www.youtube.com/watch?v=HdZIuSKn8gU)
- 2019.04 [4hou] [How to Extract the BitLocker Private Key from the TPM](https://www.4hou.com/web/16812.html)
- 2019.02 [4sysops] [Find BitLocker recovery passwords in Active Directory with PowerShell](https://4sysops.com/archives/find-bitlocker-recovery-passwords-in-active-directory-with-powershell/)
- 2019.01 [arxiv] [[1901.01337] BitCracker: BitLocker meets GPUs](https://arxiv.org/abs/1901.01337)
- 2018.12 [360] [Analysis of BitLocker Encryption on Windows 7 and Practical Approaches](https://www.anquanke.com/post/id/167329/)
- 2018.11 [contextis] [Hardware Encryption Weaknesses and BitLocker](https://www.contextis.com/en/blog/hardware-encryption-weaknesses-and-bitlocker)
- 2018.11 [contextis] [Hardware Encryption Weaknesses and BitLocker](https://www.contextis.com/en/blog/hardware-enctyption-weaknesses-and-bitlocker)
- 2018.05 [irq5] [Crypto-Erasing BitLocker Drives](http://irq5.io/2018/05/10/crypto-erasing-bitlocker-drives/)
- 2018.04 [NetworkHeros] [How to Recover BitLocker Corrupted Drive (100% Guarantee)](https://www.youtube.com/watch?v=jbMnficpEm0)
- 2018.01 [elcomsoft] [How to Instantly Access BitLocker, TrueCrypt, PGP and FileVault 2 Volumes](https://blog.elcomsoft.com/2018/01/how-to-instantly-access-bitlocker-truecrypt-pgp-and-filevault-2-volumes/)
- 2017.10 [deepsec] [DeepSec 2017 Talk: BitCracker – BitLocker Meets GPUs – Elena Agostini](http://blog.deepsec.net/deepsec-2017-talk-bitcracker-bitlocker-meets-gpus-elena-agostini/)
- 2017.09 [n0where] [Open Source BitLocker Password Cracking Tool: BitCracker](https://n0where.net/open-source-bitlocker-password-cracking-tool-bitcracker)
- 2017.09 [4hou] [The "Password Recovery" Feature Hides a Danger: It Can Bypass Windows Auth & BitLocker](http://www.4hou.com/system/7570.html)
- 2017.09 [freebuf] [Bypassing Windows Auth & BitLocker via the Forgot Password Feature](http://www.freebuf.com/articles/web/145994.html)
- 2017.09 [gameofpwnz] [Dislocker USB with Bitlocker (LAB)](https://gameofpwnz.com/?p=536)
- 2017.09 [gameofpwnz] [Dislocker: Recovering Data from Drive with BitLocker – Requires Bitlocker Recovery Key or Password](https://gameofpwnz.com/?p=521)

***

## NTFS

### Tools

- [**582**星][1y] [mtivadar/windows10_ntfs_crash_dos](https://github.com/mtivadar/windows10_ntfs_crash_dos) PoC for the Windows NTFS file system crash vulnerability
- [**270**星][17d] [Py] [dkovar/analyzemft](https://github.com/dkovar/analyzemft) fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple format
- [**234**星][21d] [C] [pbatard/uefi-ntfs](https://github.com/pbatard/uefi-ntfs) UEFI:NTFS - Boot NTFS partitions from UEFI

### Articles

- 2019.08 [X13Cubed] [NTFS Journal Forensics](https://www.youtube.com/watch?v=1mwiShxREm8)
- 2019.03 [4sysops] [FolderSecurityViewer: Analyze and report on effective NTFS permissions](https://4sysops.com/archives/foldersecurityviewer-analyze-and-report-on-effective-ntfs-permissions/)
- 2019.03 [4hou] [Security Issues Caused by Case-Sensitive Directories in the Windows NTFS File System](https://www.4hou.com/system/16271.html)
- 2019.02 [4hou] [Penetration Tips: The USN Journal of NTFS Files on Windows](http://www.4hou.com/technology/16265.html)
- 2019.02 [tyranidslair] [NTFS Case Sensitivity on Windows](https://tyranidslair.blogspot.com/2019/02/ntfs-case-sensitivity-on-windows.html)
- 2019.02 [tyranidslair] [NTFS Case Sensitivity on Windows](https://www.tiraniddo.dev/2019/02/ntfs-case-sensitivity-on-windows.html)
- 2019.01 [4hou] [Penetration Tips: Time Attributes of NTFS Files on Windows](http://www.4hou.com/technology/15877.html)
- 2019.01 [3gstudent] [Penetration Tips: The USN Journal of NTFS Files on Windows](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E4%B8%8BNTFS%E6%96%87%E4%BB%B6%E7%9A%84USN-Journal/)
- 2019.01 [sans] [Forgotten but Not Gone: Gathering NTFS Artifacts of Detection](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1544032916.pdf)
- 2019.01 [sans] [Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1555082102.pdf)
- 2018.12 [3gstudent] [Penetration Tips: Time Attributes of NTFS Files on Windows](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E4%B8%8BNTFS%E6%96%87%E4%BB%B6%E7%9A%84%E6%97%B6%E9%97%B4%E5%B1%9E%E6%80%A7/)
- 2018.10 [osr] [NTFS Status Debugging](https://www.osr.com/blog/2018/10/17/ntfs-status-debugging/)
- 2018.09 [] [NTFS Object IDs in EnCase – Part 3](https://4n6ir.com/2018/09/28/ntfs-object-ids-in-encase-part-3/)
- 2018.09 [] [NTFS Object IDs in X-Ways](https://4n6ir.com/2018/09/25/ntfs-object-ids-in-x-ways/)
- 2018.09 [] [NTFS Object IDs in EnCase – Part 2](https://4n6ir.com/2018/09/24/ntfs-object-ids-in-encase-part-2/)
- 2018.09 [] [NTFS Object IDs in EnCase](https://4n6ir.com/2018/09/20/ntfs-object-ids-in-encase/)
- 2018.09 [secjuice] [Hiding In Plain Sight With NTFS Steganography](https://www.secjuice.com/ntfs-steganography-hiding-in-plain-sight/)
- 2018.08 [pediy] [[Translation] A Collection of Windows NTFS Tricks for Penetration Testing](https://bbs.pediy.com/thread-246089.htm)

***

## SSDT

### Tools

### Articles

- 2018.12 [pediy] [[Original] Bypassing User-Mode Hooks with Driver-Level SSDT Hooks (Process Protection Edition)](https://bbs.pediy.com/thread-248583.htm)
- 2018.11 [pediy] [[Share][Original] Win7 x86 SSDT Inline Hook](https://bbs.pediy.com/thread-247983.htm)
- 2018.04 [pediy] [[Original] Core Rootkit Techniques: Using NT!_MDL (Memory Descriptor List) to Break the Read-Only Access Restriction on the SSDT (System Service Descriptor Table), Part I](https://bbs.pediy.com/thread-225998.htm)
- 2017.05 [pediy] [[Share] Releasing Driver Source Code That Enumerates Shadow SSDT Function Names](https://bbs.pediy.com/thread-217807.htm)
- 2016.05 [pediy] [[Original] Exploring the Win7 x64 Shadow SSDT and Inline Hooking](https://bbs.pediy.com/thread-210481.htm)
- 2015.12 [insinuator] [Investigating Memory Analysis Tools – SSDT Hooking via Pointer Replacement](https://insinuator.net/2015/12/investigating-memory-analysis-tools-ssdt-hooking-via-pointer-replacement/)
- 2015.09 [pediy] [[Original] Old Code Share: Bypassing Kaspersky Proactive Defense, Loading a Driver, and Unhooking All SSDT & Shadow SSDT Entries](https://bbs.pediy.com/thread-204492.htm)
- 2015.09 [pediy] [Original: An Introduction to x64 Shadow SSDT Inline Hooking](https://bbs.pediy.com/thread-204323.htm)
- 2015.08 [lightless] [An SSDT-Based Registry Proactive Defense System](https://lightless.me/archives/SSDT-Registry-Defend.html)
- 2015.06 [pediy] [[Original] A Shadow SSDT Lookup Function Fully Compatible with XP through Win10 x86/x64](https://bbs.pediy.com/thread-201130.htm)
- 2015.05 [pediy] [[Original] SSDT Inline Hook Study Notes](https://bbs.pediy.com/thread-200431.htm)
- 2014.05 [pediy] [[Share] Kernel for Beginners, Part 2: Shadow SSDT](https://bbs.pediy.com/thread-187755.htm)
- 2013.12 [pediy] [[Original] SSDT Hook in Detail](https://bbs.pediy.com/thread-183132.htm)
- 2013.12 [pediy] [[Original] How to Implement a Shadow SSDT Hook on 32-bit Win8](https://bbs.pediy.com/thread-182355.htm)
- 2013.08 [pediy] [[Original] Brief Discussion Series: Add New SSDT (by 长夜漫漫-看流星)](https://bbs.pediy.com/thread-177094.htm)
- 2013.08 [pediy] [[Original] Win32Asm Driver Study Notes: "HOOK SSDT"](https://bbs.pediy.com/thread-176717.htm)
- 2013.08 [pediy] [[Original] SSDT Hooking for Beginners](https://bbs.pediy.com/thread-176477.htm)
- 2013.06 [pediy] [[Original] A Simple Generic Kernel Hook with Usage Examples (Including Simple SSDT Restoration)](https://bbs.pediy.com/thread-174170.htm)
- 2013.04 [pediy] [[Original] A Simple Method for Calling Any Unexported SSDT Function](https://bbs.pediy.com/thread-167515.htm)
- 2012.07 [pediy] [[Original] Assembly and Drivers: Bypassing SSDT Process Protection](https://bbs.pediy.com/thread-153211.htm)

***

## Windows Registry

### Tools

### Articles

- 2020.01 [4sysops] [Audit changes in the Windows registry](https://4sysops.com/archives/audit-changes-in-the-windows-registry/)
- 2019.08 [hackerhurricane] [The Windows Registry Auditing Cheat Sheet update! Aug 2019, v2.5](http://hackerhurricane.blogspot.com/2019/08/the-windows-registry-auditing-cheat.html)
- 2019.03 [hecfblog] [Daily Blog #640: Regipy - A new python windows registry forensics library](https://www.hecfblog.com/2019/03/daily-blog-640-regipy-new-python.html)
- 2019.01 [fireeye] [Digging Up the Past: Windows Registry Forensics Revisited](https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html)
- 2019.01 [sans] [Plumbing the Depths - Windows Registry Internals](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1492180849.pdf)
- 2018.03 [hackers] [Digital Forensics, Part 5: Analyzing the Windows Registry for Evidence](https://www.hackers-arise.com/single-post/2016/10/21/Digital-Forensics-Part-5-Analyzing-the-Windows-Registry-for-Evidence)
- 2018.02 [ZeroNights] [[Defensive Track]Maxim Suhanov - In depth forensic analysis of Windows registry files](https://www.youtube.com/watch?v=24fwhj40WGQ)
- 2017.04 [redcanary] [Windows Registry Attacks: Knowledge Is the Best Defense](https://redcanary.com/blog/windows-registry-attacks-threat-detection/)
- 2017.02 [alienvault] [Are Windows Registry Fixers Safe?](https://www.alienvault.com/blogs/security-essentials/should-windows-users-beware-of-registry-fixers)
- 2016.04 [windowsir] [Windows Registry Forensics, 2E](http://windowsir.blogspot.com/2016/04/windows-registry-forensics-2e.html)
- 2014.08 [trendmicro] [POWELIKS: Malware Hides In Windows Registry](https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/)
- 2013.09 [cylance] [Windows Registry Persistence, Part 2: The Run Keys and Search-Order](https://www.cylance.com/en_us/blog/windows-registry-persistence-part-2-the-run-keys-and-search-order.html)
- 2013.08 [cylance] [Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](https://www.cylance.com/en_us/blog/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services.html)
- 2009.07 [windowsir] [Windows Registry Forensic Analysis](http://windowsir.blogspot.com/2009/07/windows-registry-forensic-analysis.html)
- 2009.05 [moyix] [Comprehensive New Resource on the Windows Registry](http://moyix.blogspot.com/2009/05/comprehensive-new-resource-on-windows.html)
- 2008.02 [moyix] [CredDump: Extract Credentials from Windows Registry Hives](http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html)
- 2005.09 [windowsir] [The Windows Registry as a Forensic Resource](http://windowsir.blogspot.com/2005/09/windows-registry-as-forensic-resource.html)
- 2005.08 [sans] [Updated Windows Registry Concealment Info;Symantec AV Vulnerability](https://isc.sans.edu/forums/diary/Updated+Windows+Registry+Concealment+InfoSymantec+AV+Vulnerability/637/)

***

## Component Object Model(COM)

### Tools

***

## Distributed Component Object Model(DCOM)

### Tools

- [**225**星][10d] [PS] [outflanknl/excel4-dcom](https://github.com/outflanknl/excel4-dcom) PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
- [**207**星][1y] [PS] [sud0woodo/dcomrade](https://github.com/sud0woodo/dcomrade) Powershell script for enumerating vulnerable DCOM Applications

### Articles

- 2019.03 [freebuf] [DCOMrade: A PowerShell Script for Enumerating Vulnerable DCOM Applications](https://www.freebuf.com/sectool/197710.html)
- 2018.12 [n0where] [Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade](https://n0where.net/powershell-script-for-enumerating-vulnerable-dcom-applications-dcomrade)
- 2018.12 [360] [CVE-2015-2370: Detailed Analysis of the DCOM DCE/RPC Protocol](https://www.anquanke.com/post/id/167057/)
- 2018.12 [pediy] [[Original] CVE-2015-2370: Detailed Analysis of the DCOM DCE/RPC Protocol](https://bbs.pediy.com/thread-248128.htm)
- 2018.07 [360] [LethalHTA: A New Lateral Movement Technique Combining DCOM and HTA](https://www.anquanke.com/post/id/151286/)
- 2018.07 [codewhitesec] [LethalHTA - A new lateral movement technique using DCOM and HTA](https://codewhitesec.blogspot.com/2018/07/lethalhta.html)
- 2018.06 [4hou] [Another Internal Network Penetration Technique Abusing DCOM](http://www.4hou.com/penetration/12155.html)
- 2018.05 [360] [How to Abuse DCOM for Lateral Movement](https://www.anquanke.com/post/id/107097/)
- 2018.05 [pediy] [[Translation] Using "Exported Functions and DCOM Interfaces" for Pass-Through Command Execution and Lateral Movement](https://bbs.pediy.com/thread-226540.htm)
- 2018.04 [bohops] [Abusing DCOM for Remote Payload Execution and Lateral Movement](https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique/)
- 2018.03 [DoktorCranium] [VAX msrpc dcom ms03 026](https://www.youtube.com/watch?v=S32xkMGPw1M)
- 2018.03 [360] [How to Use Exported Functions and Exposed DCOM Interfaces for Lateral Movement](https://www.anquanke.com/post/id/101648/)
- 2018.03 [bohops] [Abusing DLL Exported Functions and Exposed DCOM Interfaces for Internal Network Penetration](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)
- 2018.01 [cybereason] [New lateral movement techniques abuse DCOM technology](https://www.cybereason.com/blog/dcom-lateral-movement-techniques)
- 2017.11 [cybereason] [Leveraging Excel DDE and DCOM for Internal Network Penetration](https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom)
- 2017.10 [4hou] [Domain Penetration: Using DCOM to Execute Programs on Remote Systems](http://www.4hou.com/technology/7713.html)
- 2017.09 [aliyun] [Ignoring Office Macro Security Settings: Penetrating the Internal Network with EXCEL.APPLICATION and DCOM](https://xz.aliyun.com/t/1010)
- 2017.09 [4hou] [Ignoring Office Macro Security Settings: Penetrating the Internal Network with EXCEL.APPLICATION and DCOM](http://www.4hou.com/system/7816.html)
- 2017.09 [3gstudent] [Domain Penetration: Using DCOM to Execute Programs on Remote Systems](https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8DCOM%E5%9C%A8%E8%BF%9C%E7%A8%8B%E7%B3%BB%E7%BB%9F%E6%89%A7%E8%A1%8C%E7%A8%8B%E5%BA%8F/)

***

## Dynamic Data Exchange(DDE)

### Articles

- 2017.11 [fortinet] [Cybercriminals Exploiting Microsoft’s Vulnerable Dynamic Data Exchange Protocol](https://www.fortinet.com/blog/threat-research/cybercriminals-exploiting-microsoft-s-vulnerable-dynamic-data-exchange-protocol.html)
- 2017.10 [mcafee] [Code Execution Technique Takes Advantage of Dynamic Data Exchange](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/code-execution-technique-takes-advantage-of-dynamic-data-exchange/)
- 2017.10 [mcafee] [Code Execution Technique Takes Advantage of Dynamic Data Exchange](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/code-execution-technique-takes-advantage-of-dynamic-data-exchange/)
- 2017.10 [mcafee] [Code Execution Technique Takes Advantage of Dynamic Data Exchange](https://securingtomorrow.mcafee.com/mcafee-labs/code-execution-technique-takes-advantage-of-dynamic-data-exchange/)
- 2017.10 [homjxi0e] [execute Commands And Coding in MSFT Word Via Exploiting application dynamic data exchange //DDE//](https://homjxi0e.wordpress.com/2017/10/15/execute-commands-and-coding-in-msft-word-via-exploiting-application-dynamic-data-exchange-dde/)

***

## Compiled HTML Help (CHM)

### Articles

- 2015.05 [checkpoint] [The Microsoft Help File (.chm) May Enslave You | Check Point Software Blog](https://blog.checkpoint.com/2015/05/12/the-microsoft-help-file-chm-may-enslave-you/)
- 2015.03 [brashconcepts] [New CryptoWall Attack: Block .CHM Extensions](http://brashconcepts.com/new-cryptowall-attack-block-chm-extensions/)
- 2015.03 [freebuf] [.chm help files as a shield: CryptoWall ransomware makes a comeback](http://www.freebuf.com/news/60537.html)
- 2009.06 [pediy] [[Original] Fixing the error that appears when pressing F1 in IDA with the "IDA Pro 5.4 Chinese Help Manual.chm" open](https://bbs.pediy.com/thread-92503.htm)

***

## WinSxS

### Tools

***

## WoW64

### Tools

### Articles

- 2019.10 [hexacorn] [IsWow64Process2](http://www.hexacorn.com/blog/2019/10/26/iswow64process2/)
- 2019.07 [subTee] [System32||Syswow64\Tasks\Tasks.dll](https://medium.com/p/d5b1a8ac7e50)
- 2019.04 [corelan] [Windows 10 egghunter (wow64) and more](https://www.corelan.be/index.php/2019/04/23/windows-10-egghunter/)
- 2019.04 [fsx30] [Hooking Heaven’s Gate — a WOW64 hooking technique](https://medium.com/p/5235e1aeed73)
- 2019.01 [sans] [The WOW Effect - or how Microsoft's WOW64 technology unintentionally fools IT Security analysts](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1493925774.pdf)
- 2018.11 [aliyun] [Deep hooks: monitoring how WOW64 programs execute on the system](https://xz.aliyun.com/t/3311)
- 2018.03 [sentinelone] [Deep Hooks: Monitoring Native Execution of WoW64 Applications, Part 3](https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-3/)
- 2018.03 [sentinelone] [Deep Hooks: Monitoring Native Execution of WoW64 Applications, Part 2](https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-2/)
- 2017.09 [pediy] [[Share][Original] How WoW64 works, seen from assembly (a brief look at how 32-bit programs run on 64-bit Windows)](https://bbs.pediy.com/thread-221236.htm)
- 2016.09 [sogeti] [Deep-Dive in WoW64](http://esec-lab.sogeti.com/posts/2016/09/12/deep-dive-wow64.html)
- 2016.08 [x64dbg] [64bit Debugging and the WoW64 File System Redirection](https://x64dbg.com/blog/2016/08/27/supporting-wow64-debugging.html)
- 2016.07 [corelan] [Windows 10 x86/wow64 Userland heap](https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/)
- 2015.12 [rewolf] [wow64ext v1.0.0.8](http://blog.rewolf.pl/blog/?p=1484)
- 2015.11 [modexp] [DLL/PIC Injection on Windows from Wow64 process](https://modexp.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-process/)
- 2015.11 [tekwizz123] [Some Observations On Duo Security's "WoW64 and So Can You" Paper](http://tekwizz123.blogspot.com/2015/11/some-observations-on-duo-securitys.html)
- 2015.11 [duo] [WoW64 and So Can You](https://duo.com/blog/wow64-and-so-can-you)
- 2015.08 [nul] [6.1.7600 (Win7 SP0) WinTrustVerify breaks after Wow64FsRedirection is disabled](http://www.nul.pw/2015/08/04/101.html)
- 2015.06 [rewolf] [wow64ext v1.0.0.7](http://blog.rewolf.pl/blog/?p=1394)
- 2015.06 [codereversing] [Syscall Hooking Under WoW64: Implementation (2/2)](http://www.codereversing.com/blog/archives/246)
- 2015.06 [rewolf] [WoW64 internals: Unexpected behaviour of NtQueryDirectoryObject](http://blog.rewolf.pl/blog/?p=1273)

***

## Background Intelligent Transfer Service (BITS)

### Tools

***

## Batch Script (.bat)

### Tools

- [**268** stars][9m] [Batchfile] [diogo-fernan/ir-rescue](https://github.com/diogo-fernan/ir-rescue) A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
- [**216** stars][9d] [PS] [enjoiz/privesc](https://github.com/enjoiz/privesc) Windows batch script that finds misconfiguration issues which can lead to privilege escalation.

### Articles

- 2019.07 [markmotig] [Write, Compile and Run a C# program in a single batch file](https://medium.com/p/ba1206f9208d)
- 2018.07 [sans] [Windows Batch File Deobfuscation](https://isc.sans.edu/forums/diary/Windows+Batch+File+Deobfuscation/23916/)
- 2018.07 [lallouslab] [Batchography: Parsing INI files from a Batch file](http://lallouslab.net/2018/07/23/batchography-parsing-ini-files-from-a-batch-file/)
- 2018.06 [ironcastle] [Malicious Post-Exploitation Batch File, (Tue, Jun 5th)](https://www.ironcastle.net/malicious-post-exploitation-batch-file-tue-jun-5th/)
- 2018.06 [sans] [Malicious Post-Exploitation Batch File](https://isc.sans.edu/forums/diary/Malicious+PostExploitation+Batch+File/23735/)
- 2018.01 [HACKTRONIAN] [Create Dangerous Viruses - Batch File (.bat) & Executable File (.exe)](https://www.youtube.com/watch?v=PXZuZY4tcCs)
- 2017.08 [fossmint] [KRename – A Powerful Batch File Renamer for Linux](https://www.fossmint.com/krename-batch-file-renamer-for-linux/)
- 2016.01 [sentinelone] [XRTN: More batch script-based Ransomware](https://www.sentinelone.com/blog/xrtn-more-batch-script-based-ransomware/)
- 2014.02 [dfstream] [USB Device Tracking Batch Script](https://df-stream.com/2014/02/usb-device-tracking-batch-scrip/)
- 2012.03 [securityblog] [Start or Stop Windows Service using batch file](http://securityblog.gr/577/start-or-stop-windows-service-using-batch-file/)
- 2008.08 [securitythinkingcap] [Pipe Dream: Data migration with batch files](https://securitythinkingcap.com/pipe-dream/)

***

## DACL

### Tools

- [**333** stars][11d] [PS] [canix1/adaclscanner](https://github.com/canix1/adaclscanner) Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory

### Articles

- 2019.10 [HackersOnBoard] [Black Hat USA 2017 An ACE Up the Sleeve Designing Active Directory DACL Backdoors](https://www.youtube.com/watch?v=sHMo2QJmpE0)
- 2019.04 [nsfocus] [[M01N] CVE-2019-0841: attack analysis of the DACL permission-overwrite local privilege escalation vulnerability](http://blog.nsfocus.net/cve-2019-0841-dacl/)
- 2019.04 [aliyun] [CVE-2019-0841: Windows DACL permission-overwrite privilege escalation vulnerability](https://xz.aliyun.com/t/4784)
- 2017.08 [stealthbits] [From Botnets to DACL Backdoors: A Journey through Modern Active Directory Attacks – Part I](https://blog.stealthbits.com/from-botnets-to-dacl-backdoors-a-journey-through-modern-active-directory-attacks-part-i)
- 2014.04 [secureidentity] [ACL, DACL, SACL and the ACE](https://secureidentity.se/acl-dacl-sacl-and-the-ace/)
- 2013.11 [freebuf] [A tool for enumerating and analyzing Windows DACLs – WindowsDACLEnumProject](http://www.freebuf.com/sectool/16251.html)

***

## WebDAV

### Tools

- [**465** stars][23d] [C++] [winscp/winscp](https://github.com/winscp/winscp) WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that will improve your productivity. It supports also Amazon S3, FTPS, SCP and WebDAV protocols. Power users can automate WinSCP using .NET assembly.
- [**373** stars][2m] [Py] [mar10/wsgidav](https://github.com/mar10/wsgidav) A generic and extendable WebDAV server based on WSGI

### Articles

- 2019.06 [n00py] [Understanding UNC paths, SMB, and WebDAV](https://www.n00py.io/2019/06/understanding-unc-paths-smb-and-webdav/)
- 2019.04 [hackingarticles] [Command & Control: WebDav C2](https://www.hackingarticles.in/command-control-webdav-c2/)
- 2019.02 [sans] [Scanning for WebDAV PROPFIND Exploiting CVE-2017-7269](https://isc.sans.edu/forums/diary/Scanning+for+WebDAV+PROPFIND+Exploiting+CVE20177269/24600/)
- 2018.06 [trustedsec] [How to Set Up a Quick, Simple WebDAV Server for Remote File Sharing](https://www.trustedsec.com/2018/06/how-to-set-up-a-quick-simple-webdav-server-for-remote-file-sharing/)
- 2017.09 [360] [Using WebDAV features to build a covert backdoor](https://www.anquanke.com/post/id/86894/)
- 2017.09 [pentestlab] [Command and Control – WebDAV](https://pentestlab.blog/2017/09/12/command-and-control-webdav/)
- 2017.09 [arno0x0x] [Using WebDAV features as a covert channel](https://arno0x0x.wordpress.com/2017/09/07/using-webdav-features-as-a-covert-channel/)
- 2017.03 [aliyun] [Analysis of the IIS 6.0 WebDAV remote code execution vulnerability (CVE-2017-7269)](https://xz.aliyun.com/t/213)
- 2016.11 [blackhillsinfosec] [Deploying a WebDAV Server](https://www.blackhillsinfosec.com/deploying-a-webdav-server/)
- 2016.08 [hackingarticles] [Get Admin Access of Remote Windows PC using MS16-016 mrxdav.sys WebDav Escalation](http://www.hackingarticles.in/get-admin-access-remote-windows-pc-using-ms16-016-mrxdav-sys-webdav-escalation/)
- 2016.03 [freebuf] [A first look at the Microsoft "WebDAV" privilege escalation vulnerability (CVE-2016-0051)](http://www.freebuf.com/vuls/98486.html)
- 2016.02 [avfisher] [WebDAV local privilege escalation vulnerability (CVE-2016-0051/MS16-016): an interactive privilege escalation EXP](http://avfisher.win/archives/410)
- 2016.02 [360] [WebDAV local privilege escalation vulnerability (CVE-2016-0051) POC & EXP](https://www.anquanke.com/post/id/83483/)
- 2016.02 [freebuf] [Introduction to the latest Windows "WebDAV" privilege escalation vulnerability (MS16-016)](http://www.freebuf.com/vuls/95950.html)
- 2011.07 [firebitsbr] [DAVTest: Quick testing and exploits for WebDAV servers](https://firebitsbr.wordpress.com/2011/07/13/769/)
- 2010.07 [sans] [LNK vulnerability now with Metasploit module implementing the WebDAV method](https://isc.sans.edu/forums/diary/LNK+vulnerability+now+with+Metasploit+module+implementing+the+WebDAV+method/9199/)
- 2009.05 [holisticinfosec] [WebTuff checks for WebDAV vulnerability](https://holisticinfosec.blogspot.com/2009/05/webtuff-checks-for-webdav-vulnerability.html)
- 2009.05 [sans] [IIS admins, help finding WebDAV remotely using nmap](https://isc.sans.edu/forums/diary/IIS+admins+help+finding+WebDAV+remotely+using+nmap/6436/)
- 2009.05 [skullsecurity] [WebDAV Detection, Vulnerability Checking and Exploitation](https://blog.skullsecurity.org/2009/webdav-detection-vulnerability-checking-and-exploitation)
- 2009.05 [microsoft] [Answers to the IIS WebDAV authentication bypass questions](https://msrc-blog.microsoft.com/2009/05/20/answers-to-the-iis-webdav-authentication-bypass-questions/)

***

## Group Policy Object (GPO)

### Tools

- [**246** stars][16d] [C#] [fsecurelabs/sharpgpoabuse](https://github.com/FSecureLABS/SharpGPOAbuse) take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

### Articles

- 2019.04 [stealthbits] [How to Backup and Recover Group Policy Objects](https://blog.stealthbits.com/how-to-backup-and-recover-group-policy-objects/)
- 2016.07 [stealthbits] [Comprehensive Auditing and Protection For Group Policy Objects](https://blog.stealthbits.com/comprehensive-auditing-protection-group-policy-objects)
- 2015.03 [darkoperator] [Updating Group Policy Objects Remotely](https://www.darkoperator.com/blog/2015/3/9/updating-group-policy-objects-remotely)
- 2013.08 [jaapbrasser] [Active Directory Friday: Query Group Policy Objects in Active Directory](https://www.jaapbrasser.com/active-directory-friday-query-group-policy-objects-in-active-directory/)

***

## AppInit/AppCert

### Articles

- 2020.01 [pentestlab] [Persistence – AppInit DLLs](https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/)
- 2017.03 [toddcullumresearch] [Inline Hook of a System Call via AppInit_DLLs Part 2– The Hook](https://toddcullumresearch.com/2017/03/29/inline-hook-of-a-system-call-via-appinit_dlls-part-2-the-hook/)
- 2017.03 [toddcullumresearch] [Inline Hook of a System Call via AppInit_DLLs Part 1 – Decryption of XOR Cipher](https://toddcullumresearch.com/2017/03/26/inline-hook-of-a-system-call-via-appinit_dlls/)
- 2016.05 [pediy] [[Original] All about AppInit injection](https://bbs.pediy.com/thread-210371.htm)

***

## InstallUtil

### Articles

- 2017.08 [tyranidslair] [DG on Windows 10 S: Abusing InstallUtil](https://www.tiraniddo.dev/2017/08/dg-on-windows-10-s-abusing-installutil.html)

***

## Image File Execution Option (IFEO)

### Articles

- 2020.01 [pentestlab] [Persistence – Image File Execution Options Injection](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
- 2018.07 [360] [Covert backdoor: a new way to use Image File Execution Options](https://www.anquanke.com/post/id/151425/)
- 2015.12 [malwarebytes] [An Introduction to Image File Execution Options](https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/)
- 2012.09 [] [Privilege escalation via IFEO hijacking](http://www.91ri.org/4224.html)
- 2008.02 [sans] [Abusing Image File Execution Options](https://isc.sans.edu/forums/diary/Abusing+Image+File+Execution+Options/4039/)

***

## Mshta

### Articles

- 2019.07 [mcafee] [What Is Mshta, How Can It Be Used and How to Protect Against It](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/)
- 2019.07 [mcafee] [What Is Mshta, How Can It Be Used and How to Protect Against It](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/)
- 2019.01 [hackingarticles] [Bypass Application Whitelisting using mshta.exe (Multiple Methods)](https://www.hackingarticles.in/bypass-application-whitelisting-using-mshta-exe-multiple-methods/)
- 2017.12 [freebuf] [A brief look at mshta command construction in CVE-2017-11882](http://www.freebuf.com/articles/web/155304.html)
- 2017.11 [conscioushacker] [Application Whitelisting Bypass: mshta.exe](https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-mshta-exe/)
- 2016.06 [evi1cg] [Exec Commands Via Mshta.exe](https://evi1cg.me/archives/Exec_Commands_Via_Mshta.html)

***

## Microsoft HTML Application (HTA)

### Articles

- 2015.08 [redcanary] [Microsoft HTML Application (HTA) Abuse, Part Deux](https://redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/)

***

## NetShell

### Tools

### Articles

- 2016.09 [360] [Using Netshell to execute a malicious DLL and achieve persistence on the target host](https://www.anquanke.com/post/id/84648/)

***

## VBScript

### Tools

- [**1615** stars][12d] [Py] [zerosum0x0/koadic](https://github.com/zerosum0x0/koadic) A post-exploitation rootkit similar to Meterpreter and PowerShell Empire, except that most of its operations are performed by the Windows Script Host (JScript/VBScript)

### Articles

- 2019.12 [aliyun] [IE browser bypass using a hex-encoded trojan under VBScript](https://xz.aliyun.com/t/6886)
- 2019.11 [trustedsec] [Finding and Identifying JScript/VBScript Callable COM Objects](https://www.trustedsec.com/blog/finding-and-identifying-jscript-vbscript-callable-com-objects/)
- 2019.10 [hexacorn] [Rundll32 with a vbscript: protocol](http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/)
- 2019.10 [Kaspersky] [Exploit Prevention: VBScript Memory Corruption in IE](https://www.youtube.com/watch?v=sfqqTu1z_4w)
- 2019.04 [trendmicro] [Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts](https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/)
- 2019.04 [4hou] [Analysis of the VBScript engine heap overflow remote code execution vulnerability (CVE-2019-0666)](https://www.4hou.com/vulnerable/17250.html)
- 2019.02 [360] [VBScript in 2018](https://www.anquanke.com/post/id/170727/)
- 2019.01 [pediy] [IE VBScript vulnerabilities: CVE-2018-8174](https://bbs.pediy.com/thread-248930.htm)
- 2019.01 [pediy] [IE VBScript vulnerabilities: CVE-2014-6332](https://bbs.pediy.com/thread-248925.htm)
- 2018.12 [googleprojectzero] [Project Zero on VBScript security](https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html)
- 2018.12 [freebuf] [Windows VBScript engine remote code execution vulnerability: analysis and reproduction of CVE-2018-8373](https://www.freebuf.com/vuls/190601.html)
- 2018.11 [360] [Windows VBScript engine remote code execution vulnerability: analysis and reproduction of CVE-2018-8373](https://www.anquanke.com/post/id/166581/)
- 2018.11 [4hou] [Windows VBScript engine remote code execution vulnerability: analysis and reproduction of CVE-2018-8373](http://www.4hou.com/vulnerable/14733.html)
- 2018.11 [360] [VBScript engine remote code execution vulnerability: analysis and exploitation of CVE-2018-8174 (updated)](https://www.anquanke.com/post/id/164493/)
- 2018.11 [4hou] [Windows VBScript engine remote code execution vulnerability: analysis and exploitation of CVE-2018-8174](http://www.4hou.com/vulnerable/14529.html)
- 2018.11 [360] [Windows VBScript engine RCE vulnerability: analysis and exploitation of CVE-2018-8174](https://www.anquanke.com/post/id/163841/)
- 2018.09 [paloaltonetworks] [Traps Prevents In-The-Wild VBScript Zero-Day Exploit in Internet](https://unit42.paloaltonetworks.com/unit42-traps-prevents-wild-vbscript-zero-day-exploit-internet-explorer/)
- 2018.08 [aliyun] [CVE-2018-8373: VBScript engine UAF vulnerability](https://xz.aliyun.com/t/2588)
- 2018.08 [trendmicro] [Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode](https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/)
- 2018.07 [360] [Analysis of the new exploitable issues with CVE-2018-8174 patch and VBScript zero-day vulnerability](https://blog.360totalsecurity.com/en/analysis-of-the-new-exploitable-issues-with-cve-2018-8174-patch-and-vbscript-zero-day-exploit/)

***

## VBA

### Tools

- [**565** stars][2m] [Py] [decalage2/vipermonkey](https://github.com/decalage2/vipermonkey) A VBA parser and emulation engine to analyze malicious macros.
- [**262** stars][7m] [Py] [bontchev/pcodedmp](https://github.com/bontchev/pcodedmp) A VBA p-code disassembler
- [**226** stars][8m] [Py] [malwarecantfly/vba2graph](https://github.com/malwarecantfly/vba2graph) Generate call graphs from VBA code, for easier analysis of malicious documents.

### Articles

- 2019.10 [marcoramilli] [Frequent VBA Macros used in Office Malware](https://marcoramilli.com/2019/10/01/frequent-vba-macros-used-in-office-malware/)
- 2019.06 [freebuf] [With Matlab plus VBA programming, a spreadsheet can draw pictures](https://www.freebuf.com/geek/206650.html)
- 2019.06 [beny] [Weaponization: Howto Fully Undetectable Empire Powershell MS macro (VBA obfuscation & Stomping)](https://www.peerlyst.com/posts/weaponization-howto-fully-undetectable-empire-powershell-ms-macro-vba-obfuscation-and-stomping-beny-bertin)
- 2019.05 [malcomvetter] [Choose Your Own Red Team Adventure: Processes from VBA Macro](https://medium.com/p/50d1a07a8c8b)
- 2019.05 [sans] [VBA Office Document: Which Version?](https://isc.sans.edu/forums/diary/VBA+Office+Document+Which+Version/24902/)
- 2019.04 [pcsxcetrasupport3] [A look at Stomped VBA code and the P-Code in a Word Document](https://pcsxcetrasupport3.wordpress.com/2019/04/25/a-look-at-stomped-vba-code-and-the-p-code-in-a-word-document/)
- 2019.02 [lucasg] [Discovering Nvidia NvBackend endpoint](http://lucasg.github.io/2019/02/01/Discovering-Nvidia-NvBackend-endpoint/)
- 2019.01 [pcsxcetrasupport3] [A deeper look into a wild VBA Macro](https://pcsxcetrasupport3.wordpress.com/2019/01/26/a-deeper-look-into-a-wild-vba-macro/)
- 2018.12 [freebuf] [Vba2Graph: a powerful tool for analyzing malware through its VBA code (with GUI)](https://www.freebuf.com/sectool/191430.html)
- 2018.12 [DoktorCranium] [NetBSD evbarm Pinebook video test](https://www.youtube.com/watch?v=6Fv5D4Pl2SY)
- 2018.11 [ironcastle] [ViperMonkey: VBA maldoc deobfuscation, (Mon, Nov 26th)](https://www.ironcastle.net/vipermonkey-vba-maldoc-deobfuscation-mon-nov-26th/)
- 2018.11 [sans] [ViperMonkey: VBA maldoc deobfuscation](https://isc.sans.edu/forums/diary/ViperMonkey+VBA+maldoc+deobfuscation/24346/)
- 2018.11 [vkremez] [Let's Learn: In-Depth Review of FIN7 VBA Macro & Lightweight JavaScript Backdoor](https://www.vkremez.com/2018/11/in-depth-review-of-fin7-vba-macro.html)
- 2018.11 [hexacorn] [Analyzing Word documents via VBA/VBS](http://www.hexacorn.com/blog/2018/11/16/analyzing-word-documents-via-vba-vbs/)
- 2018.10 [aliyun] [How attackers hide the behavior of malicious VBA code](https://xz.aliyun.com/t/2898)
- 2018.08 [ColinHardy] [Analysing Obfuscated VBA - Extracting indicators from a Trickbot downloader](https://www.youtube.com/watch?v=auB7mkwfHrk)
- 2018.05 [scrt] [Insomni’hack 2018 – vba03-strikeBack writeup](https://blog.scrt.ch/2018/05/04/insomnihack-2018-vba03-strikeback-writeup/)
- 2018.04 [dist67] [VBA Maldoc: Form-Embedded PE File](https://www.youtube.com/watch?v=sLz_O2h8i74)
- 2018.04 [virusbulletin] [New paper: Powering the distribution of Tesla stealer with PowerShell and VBA macros](https://www.virusbulletin.com/blog/2018/04/new-paper-powering-distribution-tesla-stealer-powershell-and-vba-macros/)
- 2018.04 [pentestingexperts] [ViperMonkey v0.06 released: A VBA parser and emulation engine to analyze malicious macros](http://www.pentestingexperts.com/vipermonkey-v0-06-released-a-vba-parser-and-emulation-engine-to-analyze-malicious-macros/)

***

## Security Service Provider (SSP)

### Articles

- 2018.05 [ensilo] [Customers Say It Best - Managed Security Service Provider](https://blog.ensilo.com/managed-security-service-provider)
- 2018.05 [infosecinstitute] [What is the DoD CSSP (Cyber Security Service Provider)?](http://resources.infosecinstitute.com/dod-cssp-cyber-security-service-provider/)
- 2018.03 [nettitude] [Building a secure future – Cyber security service provider Nettitude joins the Lloyd’s Register group](https://blog.nettitude.com/nettitude-joins-the-lloyds-register-group)
- 2017.09 [trustlook] [Trustlook Selected as 10 Best Security Service Providers of 2017](https://blog.trustlook.com/2017/09/05/trustlook-selected-as-10-best-security-service-providers-of-2017/)
- 2017.09 [trustlook] [Trustlook Selected as 10 Best Security Service Providers of 2017](https://blog.trustlook.com/trustlook-selected-as-10-best-security-service-providers-of-2017/)
- 2017.05 [fortinet] [Trends Affecting Managed Security Service Providers](https://www.fortinet.com/blog/industry-trends/trends-affecting-managed-security-service-providers.html)
- 2017.03 [fortinet] [Managed Security Service Providers, Choosing the Right Security Vendor](https://www.fortinet.com/blog/industry-trends/managed-security-service-providers-choosing-the-right-security-vendor.html)
- 2016.07 [fortinet] [Security Trends: Managed Security Service Providers](https://www.fortinet.com/blog/industry-trends/security-trends-managed-security-service-providers.html)

***

## Scheduled Task

### Tools

- [**432** stars][1m] [Py] [sibson/redbeat](https://github.com/sibson/redbeat) RedBeat is a Celery Beat Scheduler that stores the scheduled tasks and runtime metadata in Redis.
- [**385** stars][1m] [C#] [dahall/taskscheduler](https://github.com/dahall/taskscheduler) Provides a .NET wrapper for the Windows Task Scheduler. It aggregates the multiple versions, provides an editor and allows for localization.

### Articles

- 2019.11 [aliyun] [Persistence research: Scheduled Tasks](https://xz.aliyun.com/t/6822)
- 2019.09 [markmotig] [Command prompt with System rights using Schtasks, Ncat and Metame](https://medium.com/p/d2d333a710aa)
- 2019.06 [zerodayinitiative] [Exploiting the Windows Task Scheduler Through CVE-2019-1069](https://www.zerodayinitiative.com/blog/2019/6/11/exploiting-the-windows-task-scheduler-through-cve-2019-1069)
- 2018.05 [ironcastle] [Adding Persistence Via Scheduled Tasks, (Mon, May 7th)](https://www.ironcastle.net/adding-persistence-via-scheduled-tasks-mon-may-7th/)
- 2018.05 [sans] [Adding Persistence Via Scheduled Tasks](https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/)
- 2016.05 [enigma0x3] [Userland Persistence with Scheduled Tasks and COM Handler Hijacking](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)
- 2015.04 [jaapbrasser] [New article on PowerShell Magazine: Retrieve scheduled tasks using Schedule.Service COMObject](https://www.jaapbrasser.com/new-article-on-powershell-magazine-retrieve-scheduled-tasks-using-schedule-service-comobject/)
- 2015.03 [malwarebytes] [Scheduled Tasks](https://blog.malwarebytes.com/cybercrime/2015/03/scheduled-tasks/)
- 2013.02 [mikefrobbins] [Use PowerShell to Create a Scheduled Task that Uses PowerShell to Pause and Resume AppAssure Core Replication](http://mikefrobbins.com/2013/02/07/use-powershell-to-create-a-scheduled-task-that-uses-powershell-to-pause-and-resume-appassure-core-replication/)

***

## Windows Remote Management (WinRM)

### Tools

- [**708** stars][13d] [Ruby] [hackplayers/evil-winrm](https://github.com/hackplayers/evil-winrm) The ultimate WinRM shell for hacking/pentesting
- [**238** stars][10d] [Go] [masterzen/winrm](https://github.com/masterzen/winrm) Windows remote command execution, command-line tool plus library, written in Go

### Articles

- 2019.11 [hakin9] [Evil-WinRM: The ultimate WinRM shell for hacking/pentesting](https://hakin9.org/evil-winrm-the-ultimate-winrm-shell-for-hacking-pentesting/)
- 2019.08 [freebuf] [evil-winrm: the ultimate Windows Remote Management (WinRM) shell](https://www.freebuf.com/sectool/210479.html)
- 2018.07 [freebuf] [Using Winrm.vbs to bypass whitelist restrictions and execute arbitrary code](http://www.freebuf.com/articles/system/178035.html)
- 2018.07 [4hou] [How to use winrm.vbs to bypass application whitelisting and execute arbitrary unsigned code](http://www.4hou.com/technology/12587.html)
- 2018.07 [360] [Using winrm.vbs to bypass application whitelisting and execute arbitrary unsigned code](https://www.anquanke.com/post/id/151711/)
- 2018.07 [aliyun] [Bypassing application whitelisting with winrm.vbs to execute arbitrary unsigned code](https://xz.aliyun.com/t/2444)
- 2018.07 [mattifestation] [Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs](https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404)
- 2018.06 [specterops] [Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs](https://medium.com/p/c8c24fb40404)
- 2018.05 [pentestlab] [Lateral movement using the Windows Remote Management service](https://pentestlab.blog/2018/05/15/lateral-movement-winrm/)
- 2017.09 [trustedsec] [Using WinRM Through Meterpreter](https://www.trustedsec.com/2017/09/using-winrm-meterpreter/)
- 2015.03 [darkoperator] [WinRM SSL Certificate Deployment via GPO](https://www.darkoperator.com/blog/2015/3/24/bdvjiiw1ybzfdjulc5pprgpkm8os0b)
- 2014.12 [rsa] [Detecting APT Using Anomalous Windows Remote Management Methods and Dynamic RPC Endpoint Mapping](https://community.rsa.com/community/products/netwitness/blog/2014/12/22/detecting-apt-using-anomalous-windows-remote-management-methods-and-dynamic-rpc-endpoint-mapping)
- 2014.07 [jaapbrasser] [Setting up PowerShell Remoting using winrm quickconfig or Enable-PSRemoting fails](https://www.jaapbrasser.com/setting-up-powershell-remoting-using-winrm-quickconfig-or-enable-psremoting-fails/)
- 2013.03 [rapid7] [Whiteboard Wednesday - Abusing Windows Remote Management with Metasploit](https://blog.rapid7.com/2013/03/06/whiteboard-wednesday-abusing-windows-remote-management-with-metasploit/)
- 2012.11 [rapid7] [Abusing Windows Remote Management (WinRM) with Metasploit](https://blog.rapid7.com/2012/11/08/abusing-windows-remote-management-winrm-with-metasploit/)
- 2012.10 [netspi] [Exploiting Trusted Hosts in WinRM](https://blog.netspi.com/exploiting-trusted-hosts-in-winrm/)

***

## Control Panel

### Tools

### Articles

- 2019.01 [cofense] [Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans](https://cofense.com/phishing-campaigns-manipulating-windows-control-panel-extension-deliver-banking-trojans/)
- 2016.12 [8090] [Where is the Win10 Control Panel, and how to fix it when it won't open](http://www.8090-sec.com/archives/5711)
- 2016.08 [mcafee] [‘Cat-Loving’ Mobile Ransomware Operates With Control Panel](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cat-loving-mobile-ransomware-operates-control-panel/)
- 2016.08 [mcafee] [‘Cat-Loving’ Mobile Ransomware Operates With Control Panel](https://securingtomorrow.mcafee.com/mcafee-labs/cat-loving-mobile-ransomware-operates-control-panel/)
- 2015.06 [jaapbrasser] [Open Master Control Panel using PowerShell](https://www.jaapbrasser.com/open-master-control-panel-using-powershell/)
- 2014.03 [trendmicro] [Anatomy of a Control Panel Malware Attack, Part 2](https://blog.trendmicro.com/trendlabs-security-intelligence/anatomy-of-a-control-panel-malware-attack-part-2/)
- 2014.03 [trendmicro] [Anatomy of a Control Panel Malware Attack, Part 1](https://blog.trendmicro.com/trendlabs-security-intelligence/anatomy-of-a-control-panel-malware-attack-part-1/)
- 2013.12 [] [Vulnerability in the LNMP FTP control panel caused by an installer that was not deleted](http://0day5.com/archives/913/)
- 2013.06 [securityblog] [Enable or Disable Control Panel](http://securityblog.gr/2358/enable-or-disable-control-panel/)
- 2013.06 [sans] [Control Panel Forensics: Evidence of Time Manipulation and More…](https://digital-forensics.sans.org/blog/2013/06/05/control-panel-forensics-evidence-of-time-manipulation-and-more)
- 2012.03 [leehong2005] [Implementing a Control Panel Applet](https://blog.csdn.net/leehong2005/article/details/7334916)
- 2011.10 [mikedoszhang] [Remove useless item form the Control Panel\All Control Panel Items](https://mikedoszhang.blogspot.com/2011/10/remove-useless-item-form-control.html)

***

## Windows Shortcut File

### Tools

### Articles

- 2017.07 [sans] [Another .lnk File](https://isc.sans.edu/forums/diary/Another+lnk+File/22640/)
- 2017.07 [sans] [Office maldoc + .lnk](https://isc.sans.edu/forums/diary/Office+maldoc+lnk/22618/)
- 2017.04 [nviso] [How to extract .LNK files from Word documents, and how to analyze them](https://blog.nviso.be/2017/04/04/tracking-threat-actors-through-lnk-files/)
- 2017.03 [sentinelone] [Understanding The State of .LNK Files](https://www.sentinelone.com/blog/windows-shortcut-file-lnk-sneaking-malware/)
- 2017.03 [nviso] [Analysis of a .LNK downloader embedded in a malicious document](https://blog.nviso.be/2017/03/24/lnk-downloader-and-bitsadmin-exe-in-malicious-office-document/)
- 2017.02 [myonlinesecurity] [various subject emails downloading .lnk files using PowerShell to download various malwares](https://myonlinesecurity.co.uk/various-subject-emails-downloading-lnk-files-using-powershell-to-download-various-malwares/)
- 2016.10 [willgenovese] [tricky.lnk – Unicode Text Spoofing](http://willgenovese.com/tricky-lnk-unicode-text-spoofing/)
- 2016.10 [microsoft] [The new .LNK between spam and Locky infection](https://cloudblogs.microsoft.com/microsoftsecure/2016/10/19/the-new-lnk-between-spam-and-locky-infection/)
- 2016.10 [microsoft] [The new .LNK between spam and Locky infection](https://www.microsoft.com/security/blog/2016/10/19/the-new-lnk-between-spam-and-locky-infection/)
- 2016.06 [onready] [Hijacking Windows hotkeys with .lnk file or Old horse raids](https://onready.me/hijacking_hotkey_or_old_horse_raids.html)
- 2016.06 [onready] [Embedding reverse shell in .lnk file or Old horse attacks](https://onready.me/old_horse_attacks.html)
- 2016.02 [sans] [Analyzis of a Malicious .lnk File with an Embedded Payload](https://isc.sans.edu/forums/diary/Analyzis+of+a+Malicious+lnk+File+with+an+Embedded+Payload/20763/)
- 2016.02 [onready] [DOCX on fire: .lnk in docx](https://onready.me/lnk_in_docx.html)
- 2010.07 [sans] [autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198)](https://isc.sans.edu/forums/diary/autoruninf+and+lnk+Malware+NOT+Vulnerability+in+Windows+Shell+Could+Allow+Remote+Code+Execution+2286198/9229/)
- 2010.07 [sans] [Update on .LNK vulnerability](https://isc.sans.edu/forums/diary/Update+on+LNK+vulnerability/9217/)
- 2010.04 [pediy] [[Original] Research on .lnk file infection techniques on the Windows platform](https://bbs.pediy.com/thread-110426.htm)

***

## Windows Explorer

### Tools

### Articles

- 2018.08 [insert] [Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files](https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html)
- 2013.06 [securityblog] [Refresh all opened Windows Explorer windows](http://securityblog.gr/1646/refresh-all-opened-windows-explorer-windows/)
- 2010.08 [rebootuser] [Mount a VMware vmdk (virtual disk) in Windows Explorer](https://www.rebootuser.com/?p=185)
- 2006.08 [sans] [MS06-045: Windows Explorer Remote Code Excution Vulnerability](https://isc.sans.edu/forums/diary/MS06045+Windows+Explorer+Remote+Code+Excution+Vulnerability/1563/)

***

## Application Shim

### Articles

- 2020.01 [hackingarticles] [Windows Persistence using Application Shimming](https://www.hackingarticles.in/windows-persistence-using-application-shimming/)
- 2019.06 [hshrzd] [Application shimming vs Import Table recovery](https://hshrzd.wordpress.com/2019/06/27/application-shimming-vs-import-table-recovery/)
- 2018.11 [andreafortuna] [Process Injection and Persistence using Application Shimming](https://www.andreafortuna.org/dfir/malware-analysis/process-injection-and-persistence-using-application-shimming/)
- 2018.03 [countercept] [Hunting for Application Shim Databases](https://countercept.com/our-thinking/hunting-for-application-shim-databases/)
- 2018.03 [countercept] [Hunting for Application Shim Databases](https://countercept.com/blog/hunting-for-application-shim-databases/)
- 2018.02 [redcanary] [Detecting Application Shimming: A Story About Continuous Improvement](https://redcanary.com/blog/detecting-application-shimming/)
- 2016.08 [blacksunhackers] [Post Exploitation Persistence With Application Shims (Intro)](http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/)

***

## Squiblydoo

### Articles

- 2019.03 [myonlinesecurity] [Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin](https://myonlinesecurity.co.uk/trickbot-via-fake-efax-message-using-squiblydoo-active-x-macro-and-abusing-pastebin/)
- 2016.04 [rsa] [Detection of Squiblydoo COM+ Whitelist Bypassing with ECAT](https://community.rsa.com/community/products/netwitness/blog/2016/04/26/detection-of-com-whitelist-bypassing-with-ecat)

***

## Open Office XML

### Tools

***

## Other

# Various Software

***

## MS Internet Explorer

### Tools

***

## MS Edge

### Tools

- [**8097** stars][2m] [JS] [microsoft/chakracore](https://github.com/microsoft/chakracore) ChakraCore is the core part of the Chakra JavaScript engine that powers Microsoft Edge
- [**2356** stars][1y] [microsoftedge/msedge](https://github.com/microsoftedge/msedge) Microsoft Edge
- [**217** stars][4m] [Go] [improbable-eng/kedge](https://github.com/improbable-eng/kedge) kEdge - Kubernetes Edge Proxy for gRPC and HTTP Microservices

### Articles

- 2020.02 [4sysops] [Deploy and manage Microsoft Edge using WSUS and GPOs](https://4sysops.com/archives/deploy-and-manage-microsoft-edge-using-wsus-and-gpos/)
- 2019.09 [4hou] [Analysis of the Universal XSS vulnerability in the Microsoft Edge browser (CVE-2019-1030)](https://www.4hou.com/info/news/20307.html)
- 2019.09 [aliyun] [Microsoft Edge - Universal XSS](https://xz.aliyun.com/t/6279)
- 2019.08 [microsoft] [Announcing the Microsoft Edge Insider Bounty](https://msrc-blog.microsoft.com/2019/08/20/announcing-the-microsoft-edge-insider-channels-bounty/)
- 2019.07 [4sysops] [Hands-on review of Microsoft Edge (Chromium) business features: GPO support, IE mode, offline installer](https://4sysops.com/archives/hands-on-review-of-microsoft-edge-chromium-business-features-gpo-support-ie-mode-offline-installer/)
- 2019.06 [payatu] [Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678)](https://payatu.com/microsoft-edge-extensions-host-permission-bypass-cve-2019-0678/)
- 2019.06 [payatu] [microsoft edge extensions host-permission bypass (cve-2019-0678)](https://payatu.com/blog/Nikhil-Mittal/microsoft-edge-extensions-host-permission-bypass-cve-2019-0678)
- 2019.05 [exodusintel] [Pwn2Own 2019: Microsoft Edge Sandbox Escape (CVE-2019-0938). Part 2](https://blog.exodusintel.com/2019/05/27/pwn2own-2019-microsoft-edge-sandbox-escape-cve-2019-0938-part-2/)
- 2019.05 [exodusintel] [Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1](https://blog.exodusintel.com/2019/05/19/pwn2own-2019-microsoft-edge-renderer-exploitation-cve-2019-9999-part-1/)
- 2019.05 [freebuf] [Analysis of the same-origin policy bypass vulnerability in Microsoft Edge and IE](https://www.freebuf.com/vuls/200131.html)
- 2019.04 [] [Microsoft Edge Uses a Secret Trick And Breaks Internet Explorer's Security](https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html)
- 2019.04 [topsec] [Topsec's analysis of the same-origin policy bypass vulnerability in Microsoft Edge and IE](http://blog.topsec.com.cn/%e5%a4%a9%e8%9e%8d%e4%bf%a1%e5%85%b3%e4%ba%8emicrosoft-edge%e5%92%8cie%e6%b5%8f%e8%a7%88%e5%99%a8%e5%90%8c%e6%ba%90%e7%ad%96%e7%95%a5%e7%bb%95%e8%bf%87%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/)
- 2019.04 [venus] [On the same-origin policy bypass vulnerability in Microsoft Edge and IE](https://paper.seebug.org/883/)
- 2019.04 [trendmicro] [Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data](https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-edge-and-internet-explorer-zero-days-allow-access-to-confidential-session-data/)
- 2019.03 [aliyun] [In-depth analysis of how the Microsoft Edge Chakra JIT type confusion vulnerability is exploited](https://xz.aliyun.com/t/4475)
- 2019.03 [360] [Microsoft Edge CVE-2019-0539 vulnerability analysis and exploitation](https://www.anquanke.com/post/id/173475/)
- 2019.02 [4hou] [Analysis of the Microsoft Edge Chakra JIT type confusion vulnerability (CVE-2019-0539)](http://www.4hou.com/vulnerable/16211.html)
- 2019.02 [trendmicro] [Announcing Trend Micro Security for Microsoft Edge](https://blog.trendmicro.com/announcing-trend-micro-security-for-microsoft-edge/)
- 2018.12 [4hou] [Implementing the DOM tree in Microsoft Edge](http://www.4hou.com/web/15072.html)
- 2018.10 [fortinet] [An Analysis of Microsoft Edge Chakra JavascriptArray TypeId Handling Memory Corruption (CVE-2018-8467)](https://www.fortinet.com/blog/threat-research/an-analysis-of-microsoft-edge-chakra-javascriptarray-typeid-hand.html)

***

## MS Office

### Tools

- [**1731** stars][1m] [JS] [ziv-barber/officegen](https://github.com/ziv-barber/officegen) Standalone Office Open XML files (Microsoft Office 2007 and later) generator for Word (docx), PowerPoint (pptx) and Excel (xlsx) in javascript. The output is a stream.
- [**1066** stars][20d] [Rich Text Format] [decalage2/oletools](https://github.com/decalage2/oletools) python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
- [**750** stars][9d] [C#] [outflanknl/evilclippy](https://github.com/outflanknl/evilclippy) A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
- [**407** stars][2m] [YARA] [guelfoweb/peframe](https://github.com/guelfoweb/peframe) PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

### Articles

- 2020.02 [talosintelligence] [Microsoft Office Excel Ordinal43 code execution vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0968)
- 2019.11 [talosintelligence] [Microsoft Office Excel WorksheetOptions Code Execution Vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0886)
- 2019.10 [Kaspersky] [Exploit Prevention: Microsoft Office Memory Corruption](https://www.youtube.com/watch?v=7J6tLrkK81Y)
- 2019.09 [zerodayinitiative] [CVE-2019-0801: Microsoft Office Uri Hyperlink Hijinks](https://www.zerodayinitiative.com/blog/2019/9/24/cve-2019-0801-microsoft-office-uri-hyperlink-hijinks)
- 2019.08 [freebuf] [CVE-2018-0798: Analysis of the Microsoft Office Equation Editor Matrix record stack overflow vulnerability](https://www.freebuf.com/vuls/210945.html)
- 2019.08 [trendmicro] [Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities](https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/)
- 2019.06 [NullByte] [Crack Password-Protected Microsoft Office Files [Tutorial]](https://www.youtube.com/watch?v=m0E8PlTIx-c)
- 2019.05 [nviso] [Detecting and Analyzing Microsoft Office Online Video](https://blog.nviso.be/2019/05/29/detecting-and-analyzing-microsoft-office-online-video/)
- 2019.05 [mdsec] [Persistence: “the continued or prolonged existence of something”: Part 1 – Microsoft Office](https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office/)
- 2019.05 [freebuf] [Revealing how to create malicious MS Office documents with the cross-platform EvilClippy](https://www.freebuf.com/articles/terminal/202408.html)
- 2019.04 [kaspersky] [Microsoft Office and its vulnerabilities](https://www.kaspersky.com/blog/ms-office-vulnerabilities-sas-2019/26415/)
- 2019.04 [TROOPERScon] [TR19: MS Office file format sorcery](https://www.youtube.com/watch?v=iXvvQ5XML7g)
- 2019.02 [myonlinesecurity] [Formbook via fake invoice using Microsoft Office Equation Editor exploits](https://myonlinesecurity.co.uk/formbook-via-fake-invoice-using-microsoft-office-equation-editor-exploits/)
- 2019.01 [myonlinesecurity] [Azorult via fake inquiry email using Microsoft Office Equation Editor exploits](https://myonlinesecurity.co.uk/azorult-via-fake-inquiry-email-using-microsoft-office-equation-editor-exploits/)
- 2019.01 [fuzzysecurity] [Microsoft Office 2003 Home/Pro 0day](http://fuzzysecurity.com/exploits/3.html)
- 2018.12 [proofpoint] [LCG Kit: a sophisticated builder for malicious Microsoft Office documents](https://www.proofpoint.com/us/threat-insight/post/lcg-kit-sophisticated-builder-malicious-microsoft-office-documents)
- 2018.10 [checkpoint] [Microsoft Office Vulnerability Found, Check Point Research To The Rescue | Check Point Software Blog](https://blog.checkpoint.com/2018/10/30/microsoft-office-vulnerability-found-check-point-research-to-the-rescue/)
- 2018.10 [4hou] [PoC attack delivering malware through Microsoft Office and YouTube videos](http://www.4hou.com/info/news/14256.html)
- 2018.10 [stationx] [Malware payloads latest: Microsoft Office macros remain the most frequently used delivery method](https://www.stationx.net/malware-payloads-latest-microsoft-office-macros-remain-the-most-frequently-used-delivery-method/)
- 2018.09 [sans] [Dissecting Malicious MS Office Docs](https://isc.sans.edu/forums/diary/Dissecting+Malicious+MS+Office+Docs/24108/)

***

## EMET

### Tools

### Articles

- 2019.10 [HackersOnBoard] [Black Hat USA 2016 Using EMET to Disable EMET](https://www.youtube.com/watch?v=2Q6umFQuaik)
- 2018.08 [cmu] [Life Beyond Microsoft EMET](https://insights.sei.cmu.edu/cert/2018/08/life-beyond-microsoft-emet.html)
- 2018.03 [4hou] [Analysis of the strengths and weaknesses of the EMET ASR feature in Windows 10 RS3](http://www.4hou.com/system/10347.html)
- 2018.01 [mattifestation] [The EMET Attack Surface Reduction Replacement in Windows 10 RS3: The Good, the Bad, and the Ugly](https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df)
- 2018.01 [mattifestation] [The EMET Attack Surface Reduction Replacement in Windows 10 RS3: The Good, the Bad, and the Ugly](https://medium.com/p/34d5a253f3df)
- 2017.08 [rootedconmadrid] [PABLO SAN EMETERIO - Private intelligence, beyond STIX [Rooted CON 2017 - ENG]](https://www.youtube.com/watch?v=M65axe7VZ8o)
- 2017.08 [rootedconmadrid] [PABLO SAN EMETERIO - Private intelligence, beyond STIX [Rooted CON 2017 - ESP]](https://www.youtube.com/watch?v=u-scok-1xqk)
- 2017.04 [ropchain] [One write operation to disarm EMET 5.52!](https://blog.ropchain.com/2017/04/03/disarming-emet-5-52/)
- 2017.03 [grandstreamdreams] [Enhanced Mitigation Experience Toolkit (EMET) 5.5/5.52 Uninstall Error 2738](http://grandstreamdreams.blogspot.com/2017/03/enhanced-mitigation-experience-toolkit.html)
- 2017.03 [pediy] [[Translation] CVE-2015-2545 in the wild evades EMET](https://bbs.pediy.com/thread-216046.htm)
- 2017.03 [pediy] [[Translation] How an EPS file exploit evades EMET (CVE-2015-2545): a technical exploration](https://bbs.pediy.com/thread-216045.htm)
- 2017.01 [microsoft] [EMET 5.52 update is now available](https://msrc-blog.microsoft.com/2017/01/12/emet-5-52-update-is-now-available/)
- 2016.11 [sophos] [Moving beyond EMET, Part 2](https://news.sophos.com/en-us/2016/11/30/moving-beyond-emet-part-2/)
- 2016.11 [dist67] [EMET vs Hancitor Maldoc](https://www.youtube.com/watch?v=hyQ7UN5VSuQ)
- 2016.11 [dist67] [VBA Shellcode To Test EMET](https://www.youtube.com/watch?v=ACmcFanE658)
- 2016.11 [cmu] [Windows 10 Cannot Protect Insecure Applications Like EMET Can](https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html)
- 2016.11 [morphisec] [EMET Refuses to Die](http://blog.morphisec.com/emet-refuses-to-die)
- 2016.11 [sans] [VBA Shellcode and EMET](https://isc.sans.edu/forums/diary/VBA+Shellcode+and+EMET/21705/)
- 2016.11 [microsoft] [Bringing EMET protections into Windows 10](https://cloudblogs.microsoft.com/microsoftsecure/2016/11/03/bringing-emet-protections-into-windows-10/)
- 2016.11 [microsoft] [Moving Beyond EMET](https://msrc-blog.microsoft.com/2016/11/03/beyond-emet/)

***

## psexec

### Tools

- [**264** stars][14d] [C++] [poweradminllc/paexec](https://github.com/poweradminllc/paexec) Remote execution, like PsExec

### Articles

- 2019.10 [freebuf] [New GlobeImposter 2.0 variant appears, suspected of spreading across the intranet via PsExec](https://www.freebuf.com/articles/system/214849.html)
- 2019.09 [4hou] [New GlobeImposter 2.0 variant appears, suspected of spreading across the intranet via PsExec](https://www.4hou.com/system/20431.html)
- 2019.04 [trendmicro] [Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec](https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec/)
- 2018.11 [redcanary] [Threat Hunting for PsExec, Open-Source Clones, and Other Lateral Movement Tools](https://www.redcanary.com/blog/threat-hunting-psexec-lateral-movement/)
- 2018.11 [countercept] [Endpoint Detection of Remote Service Creation and PsExec](https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/)
- 2018.11 [countercept] [Endpoint Detection of Remote Service Creation and PsExec](https://countercept.com/our-thinking/endpoint-detection-of-remote-service-creation-and-psexec/)
- 2018.11 [cybertriage] [Logging in to remote systems with PsExec may leak passwords](https://www.cybertriage.com/2018/robust-use-of-psexec-that-doesnt-reveal-password-hashes/)
- 2018.09 [contextis] [Lateral movement: A deep look into PsExec](https://www.contextis.com/blog/lateral-movement-a-deep-look-into-psexec)
- 2018.09 [contextis] [Lateral movement: A deep look into PsExec](https://www.contextis.com/en/blog/lateral-movement-a-deep-look-into-psexec)
- 2018.04 [hexacorn] [A quick note about PSExecutionPolicyPreference](http://www.hexacorn.com/blog/2018/04/06/a-quick-note-about-psexecutionpolicypreference/)
- 2018.01 [venus] [A trivial detail of the veteran tool PsExec](https://paper.seebug.org/503/)
- 2017.12 [hexacorn] [PsExec going places…](http://www.hexacorn.com/blog/2017/12/25/psexec-going-places/)
- 2017.12 [pediy] [[Original] How PsExec launches a SYSTEM-privilege process in the current session](https://bbs.pediy.com/thread-223197.htm)
- 2017.06 [guyrleech] [Petya: disabling remote execution of psexec](https://guyrleech.wordpress.com/2017/06/28/petya-disabling-remote-execution-of-psexec/)
- 2017.06 [guyrleech] [Petya: easily disabling access to psexec](https://guyrleech.wordpress.com/2017/06/28/petya-easily-disabling-access-to-psexec/)
- 2017.06 [rastamouse] [PsExec Much?](https://rastamouse.me/2017/06/psexec-much/)
- 2017.05 [govolution] [Write your own metasploit psexec service](https://govolution.wordpress.com/2017/05/27/write-your-own-metasploit-psexec-service/)
- 2017.05 [moxia] [[Tech Share] Lateral movement without PSEXEC](http://www.moxia.org/Blog.php/index.php/archives/184)
- 2017.03 [rapid7] [Combining Responder and PsExec for Internal Penetration Tests](https://blog.rapid7.com/2017/03/21/combining-responder-and-psexec-for-internal-penetration-tests/)
- 2017.03 [mindpointgroup] [Lateral Movement with PSExec](https://www.mindpointgroup.com/blog/lateral-movement-with-psexec/)

***

## Nltest

***

## CMSTP.exe

***

## Rundll32

### Tools

### Articles

- 2020.01 [reegun] [Curl.exe is the new rundll32.exe — LOLbin](https://medium.com/p/3f79c5f35983)
- 2019.09 [hexacorn] [RunDll32 — API calling](http://www.hexacorn.com/blog/2019/09/28/rundll32-api-calling/)
- 2019.01 [hackingarticles] [Bypass Application Whitelisting using rundll32.exe (Multiple Methods)](https://www.hackingarticles.in/bypass-application-whitelisting-using-rundll32-exe-multiple-methods/)
- 2018.11 [hexacorn] [advpack.dll ! DelNodeRunDLL32 and its flags](http://www.hexacorn.com/blog/2018/11/24/advpack-dll-delnoderundll32-and-its-flags/)
- 2018.11 [aliyun] [How to invoke a .NET Assembly using RunDLL32](https://xz.aliyun.com/t/3172)
- 2018.11 [xpnsec] [Exporting static functions from a .NET assembly and loading it with RunDLL32](https://blog.xpnsec.com/rundll32-your-dotnet/)
- 2018.03 [3gstudent] [Analysis of using rundll32 to execute programs](https://3gstudent.github.io/3gstudent.github.io/%E5%85%B3%E4%BA%8E%E5%88%A9%E7%94%A8rundll32%E6%89%A7%E8%A1%8C%E7%A8%8B%E5%BA%8F%E7%9A%84%E5%88%86%E6%9E%90/)
- 2018.03 [aliyun] [Analysis of using rundll32 to execute programs](https://xz.aliyun.com/t/2188)
- 2018.01 [freebuf] [The "masked singer" of the command line: rundll32.exe](http://www.freebuf.com/sectool/160696.html)
- 2016.07 [cobaltstrike] [Why is rundll32.exe connecting to the internet?](https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/)
- 2014.02 [attackdebris] [rundll32 lockdown testing goodness](https://www.attackdebris.com/?p=143)

***

## Regsvr32

### Tools

### Articles

- 2017.11 [conscioushacker] [Application Whitelisting Bypass: regsvr32.exe](https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-regsvr32-exe/)
- 2017.05 [blackhillsinfosec] [How to Evade Application Whitelisting Using REGSVR32](https://www.blackhillsinfosec.com/evade-application-whitelisting-using-regsvr32/)
- 2016.07 [hackingarticles] [Hack Remote Windows PC using Regsvr32.exe (.sct) Application Whitelisting Bypass Server](http://www.hackingarticles.in/hack-remote-windows-pc-using-regsvr32-exe-sct-application-whitelisting-bypass-server/)
- 2013.09 [dustri] [regsvr32 returns 0x80070005](https://dustri.org/b/regsvr32-returns-0x80070005.html)

***

## Regasm

***

## Regsvcs

***

## svchost

### Tools

### Articles

- 2017.12 [hexacorn] [svchost.exe -> explorer.exe on win10](http://www.hexacorn.com/blog/2017/12/07/svchost-exe-explorer-exe-on-win10/)
- 2015.12 [hexacorn] [The typographical and homomorphic abuse of svchost.exe, and other popular file names](http://www.hexacorn.com/blog/2015/12/18/the-typographical-and-homomorphic-abuse-of-svchost-exe-and-other-popular-file-names/)
- 2013.12 [myonlinesecurity] [XP SP3 Svchost causes high (100%) CPU usage when updating](https://myonlinesecurity.co.uk/xp-sp3-svchost-causes-high-100-cpu-usage-when-updating/)
- 2013.11 [myonlinesecurity] [Windows XP update locks machines with SVCHOST redlined at 100%: Fix it with KB 2879017 | Microsoft windows – InfoWorld](https://myonlinesecurity.co.uk/windows-xp-update-locks-machines-with-svchost-redlined-at-100-fix-it-with-kb-2879017-microsoft-windows-infoworld/)
- 2013.07 [hexacorn] [The typographical and homomorphic abuse of svchost.exe](http://www.hexacorn.com/blog/2013/07/04/the-typographical-and-homomorphic-abuse-of-svchost-exe/)
- 2011.01 [pediy] [[Original] A brief analysis of the svchost process](https://bbs.pediy.com/thread-127798.htm)

***

## MSBuild

### Tools

- [**4136** stars][7d] [C#] [microsoft/msbuild](https://github.com/microsoft/msbuild) The Microsoft Build Engine (MSBuild) is the build platform for .NET and Visual Studio.
- [**728** stars][9m] [Py] [mr-un1k0d3r/powerlessshell](https://github.com/mr-un1k0d3r/powerlessshell) Relies on MSBuild.exe to remotely execute PowerShell scripts and commands
- [**226** stars][7m] [Py] [infosecn1nja/maliciousmacromsbuild](https://github.com/infosecn1nja/maliciousmacromsbuild) Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.

### Articles

- 2019.06 [rastamouse] [TikiSpawn & MSBuild](https://rastamouse.me/2019/06/tikispawn-msbuild/)
- 2019.01 [hackingarticles] [Bypass Application Whitelisting using msbuild.exe (Multiple Methods)](https://www.hackingarticles.in/bypass-application-whitelisting-using-msbuild-exe-multiple-methods/)
- 2017.11 [freebuf] [Analysis of OceanLotus samples that use the MSBuild mechanism for AV evasion](http://www.freebuf.com/articles/system/154947.html)
- 2017.11 [360] [Analysis of OceanLotus samples that use the MSBuild mechanism for AV evasion](https://www.anquanke.com/post/id/87299/)
- 2017.11 [venus] [Analysis of OceanLotus samples that use the MSBuild mechanism for AV evasion](https://paper.seebug.org/462/)
- 2017.11 [conscioushacker] [Application Whitelisting Bypass: msbuild.exe](https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/)
- 2017.01 [codepool] [Using MSBuild for DLL configuration files, transformations and output to referencing projects.](http://codepool.me/msbuild-config-files-for-dlls/)
- 2016.10 [] [Use MSBuild To Do More (MSBuild techniques in penetration testing)](http://www.91ri.org/16436.html)
- 2016.09 [360] [Use MSBuild To Do More (MSBuild techniques in penetration testing)](https://www.anquanke.com/post/id/84597/)
- 2016.09 [3gstudent] [Use MSBuild To Do More](https://3gstudent.github.io/3gstudent.github.io/Use-MSBuild-To-Do-More/)
- 2016.09 [sysprogs] [10 Reasons to Try Out MSBuild for your VisualGDB Projects](https://sysprogs.com/w/10-reasons-to-try-out-msbuild-for-your-visualgdb-projects/)
- 2013.09 [redplait] [msbuild 4.0 debugger](http://redplait.blogspot.com/2013/09/msbuild-40-debugger.html)
- 2013.09 [redplait] [clang and msbuild integration](http://redplait.blogspot.com/2013/09/clang-and-msbuild-integration.html)
- 2013.01 [lowleveldesign] [MSBuild: MSB3275 warning, GAC and .NET version](https://lowleveldesign.org/2013/01/05/msb3275-gac-net-version/)

***

## csrss.exe

### Articles

- 2018.03 [pediy] [[Original] Driver injection of user threads: the real solution to cross-session notification of csrss](https://bbs.pediy.com/thread-225047.htm)
- 2015.08 [pediy] [[Original] Universal Win32/X64 shellcode written in pure C++ injected into the csrss process](https://bbs.pediy.com/thread-203140.htm)
- 2012.05 [pediy] [[Original] Anatomy of the Csrss process](https://bbs.pediy.com/thread-150284.htm)
- 2011.08 [vexillium] [0-day Windows XP SP3 Denial of Service (CSRSS Crash #1)](http://j00ru.vexillium.org/?p=971)
- 2011.08 [vexillium] [0-day Windows XP SP3 Denial of Service (CSRSS Crash)](https://j00ru.vexillium.org/2011/08/0-day-windows-xp-sp3-denial-of-service-csrss-crash/)
- 2011.07 [vexillium] [CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability](http://j00ru.vexillium.org/?p=893)
- 2011.07 [vexillium] [CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability](https://j00ru.vexillium.org/2011/07/cve-2011-1281-a-story-of-a-windows-csrss-privilege-escalation-vulnerability/)
- 2010.07 [vexillium] [Windows CSRSS Write Up: Inter-process Communication (part 2/3)](http://j00ru.vexillium.org/?p=527)
- 2010.07 [vexillium] [Windows CSRSS Write Up: Inter-process Communication (part 2/3)](https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-inter-process-communication-part-2/)
- 2010.07 [vexillium] [Windows CSRSS Write Up: Inter-process Communication (part 1/3)](http://j00ru.vexillium.org/?p=502)
- 2010.07 [vexillium] [Windows CSRSS Write Up: Inter-process Communication (part 1/3)](https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-inter-process-communication-part-1/)
- 2010.07 [vexillium] [Windows CSRSS Write Up: the basics (part 1/1)](http://j00ru.vexillium.org/?p=492)
- 2010.07 [vexillium] [Windows CSRSS write up: the basics](https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/)
- 2010.05 [pediy] [[Original] A detailed explanation of the communication flow with csrss during process creation](https://bbs.pediy.com/thread-113079.htm)
- 2010.05 [coldwind] [Windows CSRSS cross-version API Table](http://gynvael.coldwind.pl/?id=311)
- 2010.05 [vexillium] [Windows CSRSS cross-version API Table](http://j00ru.vexillium.org/?p=349)
- 2010.05 [vexillium] [Windows CSRSS cross-version API Table](https://j00ru.vexillium.org/2010/05/windows-csrss-cross-version-api-table/)
- 2010.02 [coldwind] [Microsoft Windows CSRSS Local Privilege Elevation Vulnerability](http://gynvael.coldwind.pl/?id=284)
- 2009.05 [pediy] [[Original] CsrssWalker study notes (with source code)](https://bbs.pediy.com/thread-89708.htm)
- 2009.03 [pediy] [[Original] CsrssVuln.exe source code and analysis](https://bbs.pediy.com/thread-85015.htm)

***

## Other exe

### Articles

- 2019.05 [hexacorn] [msiexec.exe as a LOLBIN](http://www.hexacorn.com/blog/2019/05/29/msiexec-exe-as-a-lolbin/)
- 2019.04 [talosintelligence] [Shimo VPN helper tool RunVpncScript privilege escalation vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2018-0677)
- 2019.01 [hackingarticles] [Bypass Application Whitelisting using msiexec.exe (Multiple Methods)](https://www.hackingarticles.in/bypass-application-whitelisting-using-msiexec-exe-multiple-methods/)
- 2018.09 [redcanary] [Detecting MSXSL Abuse in the Wild](https://www.redcanary.com/blog/detecting-msxsl-attacks/)
- 2018.07 [4hou] [A new use of mavinject.exe](http://www.4hou.com/technology/12276.html)
- 2018.05 [mattifestation] [mavinject.exe Functionality Deconstructed](https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e)
- 2018.05 [mattifestation] [mavinject.exe Functionality Deconstructed](https://medium.com/p/c29ab2cf5c0e)
- 2018.04 [hexacorn] [Curious case of the conhost.exe and condrv.sys](http://www.hexacorn.com/blog/2018/04/01/curious-case-of-the-conhost-exe-and-condrv-sys/)
- 2018.03 [reaqta] [Spear-phishing campaign leveraging on MSXSL](https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/)
- 2018.02 [4hou] [LokiBot variant uses msiexec.exe to install a backdoor](http://www.4hou.com/info/10373.html)
- 2018.02 [360] [LokiBot malware infection via Windows Installer's msiexec.exe](https://www.anquanke.com/post/id/98190/)
- 2018.02 [trendmicro] [Attack Using Windows Installer msiexec.exe leads to LokiBot](https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/)
- 2017.12 [reaqta] [From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector](https://reaqta.com/2017/12/mavinject-microsoft-injector/)
- 2017.01 [4hou] [msiexec in penetration testing](http://www.4hou.com/technology/2742.html)
- 2016.12 [3gstudent] [msiexec in penetration testing](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84msiexec/)
- 2016.12 [4hou] [PowerShell tricks: hiding a process with kd.exe](http://www.4hou.com/info/news/1979.html)
- 2016.12 [nettitude] [Fun with Windows binaries – application whitelist bypass using msiexec](https://labs.nettitude.com/blog/fun-with-windows-binaries-application-whitelist-bypass-using-msiexec/)
- 2016.12 [3gstudent] [Powershell tricks::Hide Process by kd.exe](https://3gstudent.github.io/3gstudent.github.io/Powershell-tricks-Hide-Process-by-kd.exe/)
- 2016.11 [3gstudent] [Study Notes of using dnx.exe / rcsi.exe to bypass Decvice Guard UMCI](https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-using-dnx.exe-&-rcsi.exe-to-bypass-Decvice-Guard-UMCI/)

# SysInternalSuite

***

## Sysmon

### Tools

- [**2177** stars][1m] [swiftonsecurity/sysmon-config](https://github.com/swiftonsecurity/sysmon-config) Sysmon configuration file template with default high-quality event tracing
- [**715** stars][23d] [PS] [olafhartong/sysmon-modular](https://github.com/olafhartong/sysmon-modular) A collection of modular Sysmon configurations
- [**667** stars][2m] [nshalabi/sysmontools](https://github.com/nshalabi/sysmontools) Utilities for Sysmon
- [**546** stars][12d] [mhaggis/sysmon-dfir](https://github.com/mhaggis/sysmon-dfir) Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
- [**455** stars][1y] [Batchfile] [ion-storm/sysmon-config](https://github.com/ion-storm/sysmon-config) Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing
- [**246** stars][13d] [CSS] [trustedsec/sysmoncommunityguide](https://github.com/trustedsec/sysmoncommunityguide) TrustedSec Sysinternals Sysmon Community Guide

### Articles

- 2020.01 [bugbountywriteup] [Unloading the Sysmon Minifilter Driver](https://medium.com/p/86f4541fa55a)
- 2019.12 [] [How to Test Bro-Sysmon](https://engineering.salesforce.com/test-out-bro-sysmon-a6fad1c8bb88)
- 2019.12 [vanimpe] [Use Sysmon DNS data for incident response](https://www.vanimpe.eu/2019/12/02/use-sysmon-dns-data-for-incident-response/)
- 2019.11 [4hou] [Threat hunting tricks you didn't know: mapping Windows APIs to Sysmon events](https://www.4hou.com/system/21461.html)
- 2019.10 [HackersOnBoard] [Subverting Sysmon Application of a Formalized Security Product Evasion Methodology](https://www.youtube.com/watch?v=7eor4Gq1YXE)
- 2019.09 [sans] [Parsing Sysmon Events for IR Indicators](https://digital-forensics.sans.org/blog/2019/09/25/parsing-sysmon-events-for-ir-indicators)
- 2019.09 [blackhillsinfosec] [Getting Started With Sysmon](https://www.blackhillsinfosec.com/getting-started-with-sysmon/)
- 2019.09 [osandamalith] [Unloading the Sysmon Minifilter Driver](https://osandamalith.com/2019/09/22/unloading-the-sysmon-minifilter-driver/)
- 2019.09 [matterpreter] [Shhmon — Silencing Sysmon via Driver Unload](https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650)
- 2019.09 [specterops] [Shhmon — Silencing Sysmon via Driver Unload](https://medium.com/p/682b5be57650)
- 2019.09 [4hou] [How to evade Sysmon's DNS monitoring](https://www.4hou.com/web/18660.html)
- 2019.09 [olafhartong] [Sysmon 10.4 release](https://medium.com/p/7f7480300dff)
- 2019.09 [blackhillsinfosec] [Webcast: Windows logging, Sysmon, and ELK](https://www.blackhillsinfosec.com/webcast-windows-logging-sysmon-and-elk/)
- 2019.08 [blackhillsinfosec] [Webcast: Implementing Sysmon and Applocker](https://www.blackhillsinfosec.com/webcast-implementing-sysmon-and-applocker/)
- 2019.07 [eforensicsmag] [Using Sysmon and ETW For So Much More | By David Kennedy](https://eforensicsmag.com/using-sysmon-and-etw-for-so-much-more-by-david-kennedy/)
- 2019.06 [nosecurecode] [Sysmon in a Box](https://nosecurecode.com/2019/06/29/sysmon-in-a-box/)
- 2019.06 [binarydefense] [Using Sysmon and ETW For So Much More - Binary Defense](https://www.binarydefense.com/using-sysmon-and-etw-for-so-much-more/)
- 2019.06 [360] [How to evade Sysmon DNS monitoring](https://www.anquanke.com/post/id/180418/)
- 2019.06 [SecurityWeekly] [Sysmon DNS Logging, Gravwell - PSW #608](https://www.youtube.com/watch?v=e_E6F1G6b88)
- 2019.06 [xpnsec] [Evading Sysmon DNS Monitoring](https://blog.xpnsec.com/evading-sysmon-dns-monitoring/)

***

## Procmon

### Tools

### Articles

- 2019.03 [eforensicsmag] [DYNAMIC MALWARE ANALYSIS – PROCESS MONITOR AND EXPLORER | By Prasanna B Mundas](https://eforensicsmag.com/dynamic-malware-analysis-process-monitor-and-explorer-by-prasanna-b-mundas/)
- 2018.10 [hexacorn] [Process monitoring/Process cmd line monitoring – data sources](http://www.hexacorn.com/blog/2018/10/27/process-monitoring-process-cmd-line-monitoring-data-sources/)
- 2018.10 [guyrleech] [Dynamically Creating Process Monitor Filters](https://guyrleech.wordpress.com/2018/10/01/dynamically-creating-process-monitor-filters/)
- 2018.02 [appsecconsulting] [PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring](https://appsecconsulting.com/blog/pci-time-based-requirements-as-a-starting-point-for-business-as-usual-proce)
- 2017.07 [arxiv] [[1707.03821] Process Monitoring on Sequences of System Call Count Vectors](https://arxiv.org/abs/1707.03821)
- 2017.06 [lowleveldesign] [How to decode managed stack frames in procmon traces](https://lowleveldesign.org/2017/06/23/how-to-decode-managed-stack-frames-in-procmon-traces/)
- 2017.02 [lowleveldesign] [When procmon trace is not enough](https://lowleveldesign.org/2017/02/20/when-procmon-trace-is-not-enough/)
- 2017.02 [guyrleech] [When even Process Monitor isn’t enough](https://guyrleech.wordpress.com/2017/02/13/when-even-process-monitor-isnt-enough/)
- 2016.09 [dist67] [Malware: Process Explorer & Procmon](https://www.youtube.com/watch?v=vq12OCVm2-o)
- 2015.06 [guyrleech] [Advanced Procmon Part 2 – Filtering inclusions](https://guyrleech.wordpress.com/2015/06/22/advanced-procmon-part-2-filtering-inclusions/)
- 2015.02 [vimeo] [Innuendo keylogger process monitor](https://vimeo.com/119460494)
- 2014.12 [guyrleech] [Advanced Procmon Part 1 – Filtering exclusions](https://guyrleech.wordpress.com/2014/12/25/advanced-procmon-part-1-filtering-exclusions/)
- 2014.07 [toolswatch] [[New Tool] El Jefe v2.1 – Windows Process Monitoring Released](http://www.toolswatch.org/2014/07/new-tool-el-jefe-v2-1-windows-process-monitoring-released/)
- 2012.04 [toolswatch] [Process Monitor v3.0 Released](http://www.toolswatch.org/2012/04/process-monitor-v3-0-released/)
- 2011.08 [zeltser] [Process Monitor Filters for Malware Analysis and Forensics](https://zeltser.com/process-monitor-filters-for-malware-analysis/)
- 2011.04 [toolswatch] [(Windows SysInternals) Process Monitor v2.95 released](http://www.toolswatch.org/2011/04/windows-sysinternals-process-monitor-v2-95-released/)
- 2011.01 [toolswatch] [(Windows SysInternals) Process Monitor v2.94 released](http://www.toolswatch.org/2011/01/windows-sysinternals-process-monitor-v2-94-released/)
- 2010.09 [pediy] [[Translation] Process Monitor Chinese manual](https://bbs.pediy.com/thread-120303.htm)

***

## Autoruns

### Tools

### Articles

- 2019.05 [jdferrell3] [Scheduled Task command with space “hides” the file from Autoruns](https://medium.com/p/1c7bfe38a67c)
- 2019.04 [sans] [Offline Autoruns Revisited - Auditing Malware Persistence](https://digital-forensics.sans.org/blog/2019/04/29/offline-autoruns-revisited)
- 2019.04 [jdferrell3] [Autoruns fails to resolve file path for a scheduled task with a space in the file path](https://medium.com/p/ddd871b32f17)
- 2018.12 [hexacorn] [I fought the Autoruns, and Autoruns won…](http://www.hexacorn.com/blog/2018/12/16/i-fought-the-autoruns-and-autoruns-won/)
- 2018.07 [KyleHanslovan] [RE: Evading Autoruns PoCs on Windows 10](https://medium.com/p/dd810d7e8a3f)
- 2018.07 [sans] [Using AutorunsToWinEventLog ](https://isc.sans.edu/forums/diary/Using+AutorunsToWinEventLog/23840/)
- 2018.04 [oddvar] [Persistence using GlobalFlags in Image File Execution Options, hidden from Autoruns.exe](https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/)
- 2018.03 [oddvar] [Persistence using RunOnceEx, hidden from Autoruns.exe](https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/)
- 2018.01 [p0w3rsh3ll] [AutoRuns module compatible with PowerShell Core 6.0](https://p0w3rsh3ll.wordpress.com/2018/01/19/autoruns-module-compatible-with-powershell-core-6-0/)
- 2017.11 [360] [Methods for "evading" Microsoft's Autoruns tool](https://www.anquanke.com/post/id/87176/)
- 2017.10 [conscioushacker] [Evading Microsoft’s AutoRuns](https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/)
- 2016.09 [defensivedepth] [Integrating Autoruns with Security Onion](https://defensivedepth.com/2016/09/10/integrating-autoruns-with-security-onion/)
- 2015.07 [sans] [Autoruns and VirusTotal](https://isc.sans.edu/forums/diary/Autoruns+and+VirusTotal/19933/)
- 2012.11 [sketchymoose] [Autoruns](https://sketchymoose.blogspot.com/2012/11/autoruns.html)
- 2010.06 [sans] [Autoruns and Dead Computer Forensics](https://digital-forensics.sans.org/blog/2010/06/28/autoruns-dead-forensics)

***

## ProcessExplorer

### Articles

- 2018.09 [notsoshant] [A small introduction to Process Explorer](https://medium.com/p/458db20eee9a)
- 2017.12 [hasherezade] [Experiment: ProcessExplorer vs my "lil_calc"](https://www.youtube.com/watch?v=S3iCZ3BKkLk)
- 2016.05 [malwarebytes] [Process Explorer: part two](https://blog.malwarebytes.com/101/2016/05/process-explorer-part-2/)
- 2016.05 [malwarebytes] [Process Explorer: an introduction](https://blog.malwarebytes.com/101/2016/05/process-explorer-an-introduction/)
- 2015.07 [sans] [Process Explorer and VirusTotal](https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931/)
- 2014.01 [virusbulletin] [VirusTotal support integrated into new version of Process Explorer](https://www.virusbulletin.com/blog/2014/01/virustotal-support-integrated-new-version-process-explorer/)
- 2014.01 [malwarebytes] [Process Explorer Now Including VirusTotal Support](https://blog.malwarebytes.com/cybercrime/2014/01/process-explorer-now-including-virustotal-support/)
- 2013.12 [dist67] [Using Process Explorer's Find Window's Process](https://www.youtube.com/watch?v=kAksKTD9v70)
- 2013.01 [securityblog] [Process Explorer](http://securityblog.gr/1582/process-explorer/)
- 2012.06 [toolswatch] [Process Explorer v15.2 Released](http://www.toolswatch.org/2012/06/process-explorer-v15-2-released/)
- 2011.12 [toolswatch] [Process Explorer v15.1 Released](http://www.toolswatch.org/2011/12/process-explorer-v15-1-released/)
- 2011.05 [toolswatch] [(Windows SysInternals) Process Explorer v14.11 released](http://www.toolswatch.org/2011/05/windows-sysinternals-process-explorer-v14-11-released/)
- 2011.03 [toolswatch] [(Windows SysInternals) Process Explorer v14.1 released](http://www.toolswatch.org/2011/03/windows-sysinternals-process-explorer-v14-1-released/)
- 2005.08 [sans] [Slow Sunday; CA Message Queuing Vulns; Process Explorer Vuln; Infocon: Green Redux](https://isc.sans.edu/forums/diary/Slow+Sunday+CA+Message+Queuing+Vulns+Process+Explorer+Vuln+Infocon+Green+Redux/633/)

***

## Other

### Tools

### Articles

- 2019.11 [code610] [Sysinternals Suite - quick review for Windows 10](https://code610.blogspot.com/2019/11/sysinternals-suite-quick-review-for.html)
- 2018.01 [hexacorn] [Yet another way to hide from Sysinternals’ tools, part 1.5](http://www.hexacorn.com/blog/2018/01/19/yet-another-way-to-hide-from-sysinternals-tools-part-1-5/)
- 2018.01 [hexacorn] [Another way to use "environment variables" to hide from Sysinternals tools: neither Autoruns nor Process Explorer detects autostart entries set this way](http://www.hexacorn.com/blog/2018/01/04/yet-another-way-to-hide-from-sysinternals-tools/)
- 2017.10 [360] [How to hide your process using the SysInternals Suite](https://www.anquanke.com/post/id/87004/)
- 2017.08 [chrislazari] [Removing Crypto-Mining Malware from Windows using SysInternals Tools](https://chrislazari.com/removing-crypto-mining-malware-windows-using-sysinternals/)
- 2016.11 [hackers] [Digital Forensics, Part 8: Live Analysis with sysinternals](https://www.hackers-arise.com/single-post/2016/11/29/Digital-Forensics-Part-7-Live-Analysis-with-sysinternals)
- 2015.11 [holisticinfosec] [toolsmith #110: Sysinternals vs Kryptic](https://holisticinfosec.blogspot.com/2015/11/toolsmith110-sysinternals-vs-kryptic.html)
- 2014.11 [hexacorn] [Sysinternals’ Eulagoogoolizer](http://www.hexacorn.com/blog/2014/11/30/sysinternals-eulagoogoolizer/)
- 2014.07 [lowleveldesign] [Collect .NET applications traces with sysinternals tools](https://lowleveldesign.org/2014/07/30/collect-net-applications-traces-with-sysinternals-tools/)
- 2011.04 [toolswatch] [New Sysinternals Suite Available](http://www.toolswatch.org/2011/04/new-sysinternals-suite-available/)
- 2011.04 [pediy] [[Translation] The Case of the Sysinternals-Blocking Malware: using a virtual desktop program to assist manual malware removal](https://bbs.pediy.com/thread-131934.htm)
- 2011.04 [toolswatch] [Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1](http://www.toolswatch.org/2011/04/analyzing-a-stuxnet-infection-with-the-sysinternals-tools-part-1/)
- 2011.03 [toolswatch] [(Windows SysInternals) VMMap v3.03 released](http://www.toolswatch.org/2011/03/windows-sysinternals-vmmap-v3-03-released/)
- 2011.03 [toolswatch] [(Windows SysInternals) ProcDump v3.03 released](http://www.toolswatch.org/2011/03/windows-sysinternals-procdump-v3-03-released/)
- 2009.12 [sans] [Updates to Sysinternals Toolkit](https://isc.sans.edu/forums/diary/Updates+to+Sysinternals+Toolkit/7675/)
- 2009.09 [sans] [Sysinternals Tools Updates](https://isc.sans.edu/forums/diary/Sysinternals+Tools+Updates/7153/)
- 2009.05 [sans] [Sysinternals Updates 3 Applications](https://isc.sans.edu/forums/diary/Sysinternals+Updates+3+Applications/6373/)
- 2008.10 [sans] [Updates to SysInternals tools!](https://isc.sans.edu/forums/diary/Updates+to+SysInternals+tools/5198/)
- 2008.07 [pediy] [[Original] Reverse-engineered source code of the driver of the Sysinternals tool TcpView](https://bbs.pediy.com/thread-69543.htm)
- 2006.07 [sans] [Winternals/SysInternals acquired by Microsoft](https://isc.sans.edu/forums/diary/WinternalsSysInternals+acquired+by+Microsoft/1493/)

# Tools

***

## Newly added

- [**9553** stars][9d] [PS] [lukesampson/scoop](https://github.com/lukesampson/scoop) A command-line installer for Windows.
- [**4868** stars][10m] [Py] [10se1ucgo/disablewintracking](https://github.com/10se1ucgo/disablewintracking) Uses some known methods that attempt to minimize tracking in Windows 10
- [**3648** stars][9d] [C#] [kohsuke/winsw](https://github.com/kohsuke/winsw) A wrapper executable that can be used to host any executable as a Windows service, under a liberal license
- [**3409** stars][1m] [C] [microsoft/windows-driver-samples](https://github.com/microsoft/windows-driver-samples) This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
- [**3222** stars][9d] [C++] [0xz0f/z0fcourse_reverseengineering](https://github.com/0xz0f/z0fcourse_reverseengineering) Reverse engineering focusing on x64 Windows.
- [**2132** stars][2m] [C++] [darthton/blackbone](https://github.com/darthton/blackbone) Windows memory hacking library
- [**2052** stars][1m] [C++] [mhammond/pywin32](https://github.com/mhammond/pywin32) Python for Windows (pywin32) Extensions
- [**700** stars][9d] [PS] [farag2/windows-10-setup-script](https://github.com/farag2/windows-10-setup-script) Automated setup script for Windows 10 1903/1909
- [**666** stars][28d] [C] [virtio-win/kvm-guest-drivers-windows](https://github.com/virtio-win/kvm-guest-drivers-windows) KVM / QEMU Windows guest drivers
- [**628** stars][3m] [C] [mrexodia/titanhide](https://github.com/mrexodia/titanhide) Driver for hiding the debugger from certain processes
- [**278** stars][1y] [Py] [hakril/pythonforwindows](https://github.com/hakril/pythonforwindows) Library that simplifies Python interaction with the Windows operating system
- [**216** stars][5m] [adguardteam/adguardforwindows](https://github.com/adguardteam/adguardforwindows) System-wide ad blocker for Windows

***

## Environment && Configuration

- [**1530** stars][1y] [PS] [joefitzgerald/packer-windows](https://github.com/joefitzgerald/packer-windows) Templates for creating Vagrant boxes with Packer
- [**1368** stars][3m] [Go] [securitywithoutborders/hardentools](https://github.com/securitywithoutborders/hardentools) Disables a number of risky Windows features
- [**1167** stars][11d] [HTML] [nsacyber/windows-secure-host-baseline](https://github.com/nsacyber/Windows-Secure-Host-Baseline) Configuration guidance for the DoD Windows 10 and Windows Server 2016 Secure Host Baseline settings
- [**1054** stars][9d] [adolfintel/windows10-privacy](https://github.com/adolfintel/windows10-privacy) Windows 10 privacy guide
- [**545** stars][11d] [PS] [stefanscherer/packer-windows](https://github.com/stefanscherer/packer-windows) Windows Packer templates: Win10, Server 2016, 1709, 1803, 1809, 2019, 1903, Insider with Docker

***

## Kernel && Drivers

- [**943** stars][11m] [C] [microsoft/windows-driver-frameworks](https://github.com/microsoft/windows-driver-frameworks) Windows Driver Frameworks (WDF)
- [**891** stars][1m] [axtmueller/windows-kernel-explorer](https://github.com/axtmueller/windows-kernel-explorer) Windows kernel research tool
- [**515** stars][7m] [Py] [rabbitstack/fibratus](https://github.com/rabbitstack/fibratus) Windows kernel exploration and tracing tool
- [**496** stars][3m] [C] [jkornev/hidden](https://github.com/jkornev/hidden) Windows driver with a user-mode interface: hides file system and registry objects, protects processes, etc.
- [**288** stars][9d] [PS] [microsoftdocs/windows-driver-docs](https://github.com/MicrosoftDocs/windows-driver-docs) Official Windows Driver Kit documentation

***

## Registry

- [**521** stars][9d] [Batchfile] [chef-koch/regtweaks](https://github.com/chef-koch/regtweaks) Windows registry tweaks (Win 7 to Win 10)
- [**293** stars][2m] [Py] [williballenthin/python-registry](https://github.com/williballenthin/python-registry) Pure-Python library for read-only access to Windows NT registry files

***

## System Calls

- [**757** stars][4m] [HTML] [j00ru/windows-syscalls](https://github.com/j00ru/windows-syscalls) Windows system call tables (NT/2000/XP/2003/Vista/2008/7/2012/8/10)
- [**349** stars][20d] [C] [hfiref0x/syscalltables](https://github.com/hfiref0x/syscalltables) Windows NT x64 system call tables

***

## Other

- [**1007** stars][12d] [C++] [henrypp/simplewall](https://github.com/henrypp/simplewall) Configuration front end for the Windows Filtering Platform
- [**981** stars][5m] [C] [basil00/divert](https://github.com/basil00/divert) User-mode packet interception library for Win 7/8/10
- [**742** stars][4m] [Py] [diyan/pywinrm](https://github.com/diyan/pywinrm) WinRM client implemented in Python
- [**605** stars][21d] [C] [hfiref0x/winobjex64](https://github.com/hfiref0x/winobjex64) Windows object browser, x64
- [**475** stars][2m] [C#] [microsoft/dbgshell](https://github.com/microsoft/dbgshell) Windows debugger engine front end written in PowerShell
- [**428** stars][12d] [C] [samba-team/samba](https://github.com/samba-team/samba) The standard Windows interoperability suite of programs for Linux and Unix
- [**412** stars][2m] [Jupyter Notebook] [microsoft/windowsdefenderatp-hunting-queries](https://github.com/microsoft/windowsdefenderatp-hunting-queries) Sample advanced hunting queries for MS Defender ATP
- [**396** stars][16d] [C#] [microsoft/binskim](https://github.com/microsoft/binskim) Binary static analysis tool providing security and correctness analysis for the PE and ELF binary formats
- [**377** stars][2m] [Ruby] [winrb/winrm](https://github.com/winrb/winrm) SOAP library for calling native objects on Windows through WinRM, written in Ruby

# Articles

***

## Newly added

- 2018.11 [vimeo] [INNUENDO Telemetry Gathering and Incidence Response](https://vimeo.com/299067524)
- 2018.01 [4sysops] [Search Active Directory with the PowerShell cmdlet Get‑ADComputer](https://4sysops.com/archives/search-active-directory-with-the-powershell-cmdlet-get%e2%80%91adcomputer/)
- 2017.06 [faiz] [#CloudComputing : #Security, #Vulnerabilities, #Privacy, #Storage, #Multicloud Overview SERIES #1](https://www.peerlyst.com/posts/cloudcomputing-security-vulnerabilities-privacy-storage-multicloud-overview-series-1-faiz-a-shaikh-mba-mle-sm-cisa-itsm)
- 2017.03 [paloaltonetworks] [Pulling Back the Curtains on EncodedCommand PowerShell](https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/)
- 2017.02 [vexillium] [Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame (Windows 8-10)](http://j00ru.vexillium.org/?p=3151)
- 2017.02 [vexillium] [Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame (Windows 8-10)](https://j00ru.vexillium.org/2017/02/windows-kernel-local-denial-of-service-2/)
- 2017.01 [trustedsec] [Circumventing EncodedCommand and IEX Detection in PowerShell](https://www.trustedsec.com/2017/01/circumventing-encodedcommand-detection-powershell/)
- 2013.11 [mikefrobbins] [Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid](http://mikefrobbins.com/2013/11/07/windows-8-1-rsat-powershell-cmdlets-get-aduser-get-adcomputer-one-or-more-properties-are-invalid/)

# Contributing
The content is exported automatically by a script; please open an issue for any problems.