Resources

Authors to look into

1. Will Schroeder (@harmj0y)
2. Sean Metcalf (@PyroTek3)
3. Benjamin Delpy (@gentilkiwi)
4. Andy Robbins (@_wald0)
5. Rohan Vazarkar (@CptJesus)
6. Michael Grafnetter
7. Dirk-jan Mollema (@_dirkjan)
8. Lee Christensen (@tifkin_)
9. Matthew Graeber (@mattifestation)
10. Ryan Hausknecht (@haus3c)
11. Joe Bialek (@JosephBialek)
12. Elad Shamir (@elad_shamir)
13. Marcello Salvati (@byt3bl33d3r)
14. Nathan Kirby
15. Timothy Medin (@TimMedin)
16. Alva ‘Skip’ Duckwall (@passingthehash)
17. Nabeel Ahmed (@nabeel_noman)
18. Jean-Francois Maes (SANS workshop)
19.  Alex Ionescu,
20. Pavel Yosifovich,
21. and Yarden Shafir

Websites to look into

1. https://adsecurity.org/?page_id=2532
2. https://harmj0y.medium.com/
3. https://www.darkreading.com/author/andy-robbins
4. https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse
5. https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
6. https://github.com/geeksniper/active-directory-pentest
7. https://adam-toscher.medium.com/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
8. https://medium.com/@Dmitriy_Area51/active-directory-penetration-testing-d9180bff24a1
9. https://zer1t0.gitlab.io/posts/attacking_ad/
10. https://www.hub.trimarcsecurity.com/posts/categories/active-directory
11. https://posts.specterops.io/
12. https://en.hackndo.com/
13. https://dirkjanm.io/
14. https://m365internals.com/2021/04/27/practical-compromise-recovery-guidance-for-active-directory/
15. https://practical365.com/active-directory/
16. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#references

Mindmap

1. https://mayfly277.github.io/posts/Upgrade-Active-Directory-mindmap-v2022_11/

LABS Local

1. https://github.com/Orange-Cyberdefense/GOAD

During Pentesting

1. https://wadcoms.github.io/

Exchange

• Splunk Attack Range – https://github.com/splunk/attack_range
• Orange Cyberdefense GOADv2 – https://github.com/Orange-Cyberdefense/GOAD
• Deploy GOADv2 on Proxmox – https://mayfly277.github.io/categories/proxmox/
• DetectionLab project – https://www.detectionlab.network/
• Active Directory kill chain diagram – https://github.com/infosecn1nja/AD-Attack-Defense
• Red team infrastructure wiki – https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
• EDR bypass team – https://dispatch.redteams.fyi/red-team-edr-bypass-team/
• Assume breach model – https://www.redsiege.com/wp-content/uploads/2019/09/AssumedBreach-ABM.pdf
• Mind map to assess the security of Exchange Server – https://github.com/Orange-Cyberdefense/arsenal/blob/master/mindmap/Pentesting_MS_Exchange_Server_on_the_Perimeter.png
• MailSniper – https://github.com/dafthack/MailSniper
• NameMash – https://gist.github.com/superkojiman/11076951#file-namemash-py
• EmailAddressMangler – https://github.com/dafthack/EmailAddressMangler
• OABurl extraction script by snovvcrash – https://gist.github.com/snovvcrash/4e76aaf2a8750922f546eed81aa51438#file-oaburl-py
• Attacking Exchange web interfaces – https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/
• PEAS: Python 2 library and application to run commands on Exchange Server – https://github.com/snovvcrash/peas
• MWR ActiveSync exfiltration research – https://labs.withsecure.com/publications/accessing-internal-fileshares-through-exchange-activesync
• ProxyLogon vulnerability discovery – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/
• Hunting ProxyLogon – https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
• Blog post from a vulnerability researcher who discovered ProxyOracle – https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/
• A full write-up about ProxyShell is available on the ZDI blog post here – https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
• Blog post by Palo Alto covering the ProxyNotShell vulnerability – https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/
• ProxyRelay author covers details of the vulnerability – https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
• Write-up about ProxyNotRelay, which is a combination of ProxyRelay and ProxyNotShell – https://rw.md/2022/11/09/ProxyNotRelay.html
• Vulnerability CVE-2020-0688 leads to remote code execution on Exchange Server – https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
• Ysoserial.net – https://github.com/pwntester/ysoserial.net
• Original research about the PrivExchange vulnerability – https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
• PrivExchange – https://github.com/dirkjanm/privexchange/
• Compromise workstations through Outlook mail rules – https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/
• Ruler tool – https://github.com/sensepost/ruler
• Microsoft bulletin KB3191938 – https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2013-june-13-2017-d52f7b9a-488c-dd5a-0d43-da5832eaac5f
• Outlook Forms to achieve persistence – https://sensepost.com/blog/2017/outlook-forms-and-shells/
• Microsoft bulletin KB4011091 – https://support.microsoft.com/en-us/office/custom-form-script-is-now-disabled-by-default-bd8ea308-733f-4728-bfcc-d7cce0120e94
• Outlook home page functionality abuse – https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
• Microsoft bulletin KB15599094 – https://learn.microsoft.com/en-us/mem/configmgr/hotfix/2207/15599094