🔴 UNSAFE
🟠 CAUTION
🟢 SAFE
- Red Team Ops: remain undetected and avoid triggering security controls.
- Perform stealthy techniques that blend into normal activity and maintain a low profile.
- Leverage trusted processes and native tools (living off the land).
- Reuse credentials, tokens and tickets to impersonate legitimate users without knowing their passwords.
- Mimic normal behaviour to evade antivirus.
- Bypass endpoint defences without alerting defenders.
- Cobalt Strike Primer Setup Lab (🕒 30 Minutes | Attacker Desktop | User: Attacker): set up and prepare Cobalt Strike.
- Defence Evasion Lab (🕒 45 Minutes | Attacker, DC, Workstation, Web Server | User: pchilds): Malleable C2 profile and payloads, ThreatCheck binaries.
- AppLocker Challenge (🕒 45 Minutes | Attacker, DC, Workstation | User: pchilds): enumerate the AppLocker, UAC and antivirus policies on the workstation with the provided credentials.
- Initial Access Lab (🕒 45 Minutes | Attacker, DC, Workstation | User: pchilds): on the initial workstation, use elevated access to get a SYSTEM beacon.
- User Impersonation Lab (🕒 30 Minutes | Attacker, DC, Workstation, Web Server | Users: pchilds, rsteel): impersonate a user on the workstation using the SYSTEM beacon.
- Lateral Movement Lab (🕒 30 Minutes | Attacker, DC, Workstation, Web Server | Users: pchilds, rsteel): jump as the user and spawn a beacon on the next target.
- Constrained Delegation Kerberos Lab (🕒 30 Minutes | Attacker, Workstation, DC, Web Server, File Server | User: pchilds): perform the S4U technique on the server to impersonate an admin.
- SQL Server Lab (🕒 45 Minutes | Attacker, Workstation, DC, SQL 1, SQL 2 | Users: pchilds, rsteel): on the server, impersonate a user by abusing SQL DB owner permissions with a payload.
- SQL Server Lab (🕒 45 Minutes | Attacker, Workstation, DC, SQL 1, SQL 2 | Users: pchilds, rsteel): on the server, abuse SeImpersonatePrivilege and connect to localhost.
- Parent Child Trust Lab (🕒 30 Minutes | Attacker, Dublin Workstation, Contoso DC, Dublin DC | User: DUBLIN\sguest): with the domain child trust, use Golden Ticket impersonation and spawn a beacon.
- Elevated Persistence Lab (🕒 30 Minutes | Attacker, DC, Workstation | User: pchilds): on the Domain Controller, establish a DNS beacon for resilience.
- Inbound Trust Lab (🕒 30 Minutes | Attacker, Contoso Workstation, Partner Jump Server, Contoso DC, Partner DC | User: PARTNER\vwebber): on the Domain Controller, use the Golden inter-realm trust key for impersonation to spawn a beacon.
- Discovery Lab (🕒 30 Minutes | Attacker, DC, Workstation | Users: pchilds, rsteel): perform Active Directory discovery.
- Constrained Delegation Kerberos Lab (🕒 30 Minutes | Attacker, Workstation, DC, Web Server, File Server | User: pchilds): S4U constrained delegation initial-ticket technique (Allowed To Delegate To).
- SOCKS Lab (🕒 30 Minutes | Attacker, Workstation, DC | Users: pchilds, rsteel): set up a SOCKS proxy to pivot to other network subnets.
- Kerberos Resource-Based Constrained Delegation Lab (🕒 30 Minutes | Attacker, Workstation, DC, File Server | User: pchilds): RBCD (write property: Allowed To Act On Behalf Of Other Identity).
- Kerberos Service Name Substitution Lab (🕒 30 Minutes | Attacker, Workstation, DC, File Server, Web Server | Users: pchilds, rsteel): Kerberos constrained delegation service name substitution (S4U alt service flag).
- Kerberos S4U2self (🕒 30 Minutes | Attacker, Workstation, DC, Web Server | Users: pchilds, rsteel): S4U2self self-coercion based TGT capture.
- Kerberos Challenge (🕒 60 Minutes | Attacker, LON-WKSTN-1, LON-DC-1 | Users: pchilds, Administrator, Machine Account 3e7): identify and exploit a Kerberos (mis)configuration, and move laterally to the domain controller.
- Persistence Lab 🕒 30 Minutes 🖥️ Attacker, Workstation, DC | Users: pchilds
- Credential Access Challenge 🕒 30 Minutes 🖥️ Attacker, Workstation, DC | Users: pchilds
- Privilege Escalation Lab 🕒 30 Minutes 🖥️ Attacker, Workstation, DC | Users: pchilds
- Kerberos Unconstrained Delegation Lab 🕒 30 Minutes 🖥️ Attacker, Workstation, DC, Web Server | Users: pchilds, dyork
- ESC1 Misconfigured Client Authentication Templates 🕒 30 Minutes 🖥️ Attacker, Workstation, DC, Certificate Authority | User: Administrator
- ESC8 NTLM Relay to ADCS HTTP Endpoints
- DPERSIST1 Golden Certificates
- Outbound Trust Lab
- Cobalt Strike Primer
- AppLocker
- Defence Evasion
- Initial Access
- Persistence
- Post-Exploitation
- Privilege Escalation
- Elevated Persistence
- Credential Access
- User Impersonation
- Discovery
- Lateral Movement
- Pivoting
- Kerberos
- Microsoft SQL Server
- Domain Dominance
- Active Directory Certificate Services ADCS
- Forest & Domain Trusts
- DRSAT: use with MMC on a non-domain-joined attacker desktop
- Certify
- Crystal-Kit (Rasta Mouse) evasion primitives
- ThreatCheck / Artifact Kit
- Audit Windows Defender Application Control WDACTools
- .NET Marshal.Copy method called to copy Beacon shellcode
- Native WriteProcessMemory API
- Invoke-Obfuscation script obfuscation
- Beacon Memory - export raw Beacon DLL before obfuscations applied
- Beacon Command Behaviour - Beacon Object Files BOF custom command import
- Cobalt Strike User Guide - PowerShell_Command & _Compress
- Elevate Kit
- Cobalt Strike User Guide - beacon_exploit_register
- DLL side loading Payload Template
- Rasta Mouse - .NET Startup Hooks
- GadgetToJScript used to create JavaScript dropper out of a .NET assembly
- Double-click batch command file exploit
- GrimResource: a crafted .msc file and an unpatched XSS flaw trigger JavaScript code execution via mmc
- CyberChef with XML payload running VBScript cmd.exe
- SharpUp GhostPack
- PowerSploit
- Ghidra
- IDA free
- dotPeek (JetBrains decompiler)
- dnSpy
- ysoserial
- ired.team notes
- Kerbeus-BOF Beacon Object Files for Kerberos abuse
- BOFHound parse output from ldapsearch and pyldapsearch into BloodHound-compatible JSON files
- pyldapsearch
- ldapsearch
- Cloud: AzureHound
- RustHound-CE
- LOLBAS - Living Off The Land Binaries, Scripts and Libraries
- BOF version of SCShell for Cobalt Strike (instead of PsExec)
- OPSEC Consideration for Beacon Commands
- PowerUpSQL
- SQLRecon
- SQL-BOF
- go-sqlcmd
- HeidiSQL
- SSMS
🇿🇦 22 May 2026 🇿🇦

