Windows

This article provides an introduction to PowerShell scripting, including basic concepts and syntax, specific code examples for pen testing and red teaming tasks, and the language’s pros and cons compared to other programming languages in the field.

Mythic is a powerful, open-source post-exploitation framework that offers red teamers and pen testers an extensible and customizable platform with numerous modules, agents, and C2 profiles to enhance their engagements and achieve objectives in various target environments.

SharpSocks is a powerful .NET-based proxy tool for red teaming and network penetration testing that enables encrypted communications, protocol obfuscation, and access to internal resources, providing professional hackers with stealth and persistence in their engagements.

This article provides a comprehensive guide to using Covenant, a powerful command and control framework for red teaming and post-exploitation operations.

This comprehensive guide explores Nishang, a collection of PowerShell scripts designed for penetration testing and red teaming, covering PowerShell basics, Nishang modules, advanced techniques, real-world applications, and modern evasion methods.

A deep-dive into PsExec for offensive work. How it works under the hood, how to leverage pass-the-hash with Impacket, service-name evasion, and the forensic footprint it leaves so you know when to reach for it and when to reach for something else.

A deep-dive into sc.exe for offensive work. Weaponize the Windows Service Control Manager for remote code execution, persist via service failure actions, exploit weak service ACLs, and load kernel drivers.

A deep-dive into Wmic for offensive work. Interrogate system internals, move laterally, find security software, abuse XSL transforms for code execution, and understand the forensic footprint WMI leaves behind.

A guide to Active Directory reconnaissance with built-in tooling. Discover privileged accounts, identify service accounts, spot unconstrained delegation, and operate when RSAT isn’t installed.

A comprehensive deep-dive into advanced Windows command-line tools. Learn how to leverage modern binaries like curl and tar, abuse legacy tools for download and execution, and perform stealthy data theft and persistence without triggering alerts.

How Pass-the-Hash actually works against RDP — what makes it normally fail, why Restricted Admin Mode flips that around, the correct xfreerdp syntax, RDP-over-SOCKS tuning, and the Logon Type 3 anomaly that gives the technique away.

A working guide to network tunneling for offensive ops — iptables NAT, every flavor of SSH forwarding (including reverse SOCKS and ProxyJump), Windows netsh portproxy, socat, and the modern compiled tools that have largely replaced everything else (Chisel and Ligolo-ng).

A walkthrough of Impacket’s SMB tooling for offensive work — smbclient.py, smbserver.py, secretsdump.py, and ntlmrelayx.py. Covers Pass-the-Hash, hash capture via UNC paths, DCSync, and cross-protocol NTLM relay.

This article explores how Red Team members can use alternate data streams on Windows NTFS to hide data, with specific examples and cautionary considerations.

A comprehensive guide to mastering port scanning on both Linux and Windows, covering standard tools like Nmap, stealthy built-in techniques, and modern PowerShell-based enumeration.