Payload builder
AES encrypted payload
XOR protected encryption key
Remote mapping injection via direct syscalls (Hell's Gate)
Payload staging via remote webserver
Brute-force key decryption during runtime
API hashing
Delayed execution via API Hammering
Self-deletion if debugger is detected
IAT Camouflage

ابزار KrbRelay و KrbRealayUp
تکنیک CertifiedDCOM
اکسپلویت SilverPotato

TREVORproxy has two modes of operation: a Subnet Proxy and an SSH Proxy:

Subnet Proxy mode uses the AnyIP feature of the Linux kernel to assign an entire subnet to your network interface, and give every connection a random source IP address from that subnet.
E.g. if your cloud provider gives you a /64 IPv6 range, you can send your traffic from over eighteen quintillion (18,446,744,073,709,551,616) unique IP addresses.
SSH Proxy mode combines iptables with SSH's SOCKS proxy feature (ssh -D) to round-robin packets through remote systems (cloud VMs, etc.)

NOTE: TREVORproxy is not intended as a DoS tool, as it does not "spoof" packets. It is a fully-functioning SOCKS proxy, meaning that it is designed to accept return traffic.

adb shell am start -n com.shopify.mobile/com.shopify.mobile.lib.app.DeepLinkActivity -d 'https://www.shopify.com/admin/products'

Intent intent = new Intent();
intent.setClassName("com.shopify.mobile", "com.shopify.mobile.lib.app.DeepLinkActivity");
intent.setData(Uri.parse("https://www.shopify.com/admin/products")); 
startActivity(intent);

HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services

To prevent shadowing altogether, using application whitelisting, it is possible to block the RdpSaUacHelper.exe, RdpSaProxy.exe and RdpSa.exe processes from launching
In the group policy, one can explicitly set the Shadow setting to require the user’s consent before shadowing or controlling the session so the backdoor is less effective; this assumes that an attacker at a later moment does not have sufficient privileges anymore to set the Shadow key in the registry to the value of their liking
The WINSTATION_SHADOW permission can be removed from all entries in the Win32_TSAccount WMI class, although an attacker with administrative permissions can provide themselves this permission again

There is a low detection surface:
statically: because the code profile is so short and it is hard to apply a signature on any part of the common .NET functionality used
dynmically: because of the lack of hooked win32 API calls
Because we are modifying JIT/IL memory which is hard for AV/EDR to monitor or has not been monitored at this point by a lot of vendors
! For some security products, modify method M to pass in empty argument string c.
! For CSHARP example, private static int M(string c, string s) { c = ""; return 1; }
! For POWERSHELL example, class TrollAMSI{static [int] M([string]$c, [string]$s){ $c = ""; return 1}}
! Refer to TrollAMSIdotnet for amsi bypass for Assembly.Load()
Benefits
No P/Invoke or win32 API calls used such as VirtualProtect hence more opsec safe
No amsi.dll patching or byte patching for that matter

STATIC: obfuscate "AmsiUtils" and "ScanContent" maybe?
DYNAMIC: Nothing much really. Note that Add-Type method will leave disk artifacts, whereas hosting the compiled DLL on a webserver and using Load() is completely in memory

Parameters
DC - domain controller FQDN.
Formatlist - output in list instead of table.
ExcludelastLogonTimestamp - exclude lastLogonTimestamp events from output
DumpAllObjects - dump all active directory before start. In case of changes It will show you all previous values. But in large domains use it on your own risk (time and resource consuming).
Short - in output will be only AttributeName, AttributeValue, LastOriginChangeTime and Explanation.
Output - create XML file with all output.
ExcludeObjectGUID - exclude Active Directory object with specific GUID.
Sleep - time interval between requests for USN number. By default - 30 seconds.
USN - specify started USN.
DisplayXML - display previous captured XML file.

How to use
Domain computer
Just run module in powershell session from domain user. For better performance use domain controller FQDN instead of IP address.

Non-domain computer
Start powershell session with domain user with runas. Check that domain controller accessible. For better performance use domain controller FQDN instead of IP address.

Performs automatic checks and identifies vulnerabilities
Enables login via Windows Integrated Authentication as well as SQL Authentication
Quickly activates XP_cmdshell if the permission exists (locally as well as on Linked Servers)
Convenient execution of system commands via XP_cmdshell (locally as well as on single/double Linked Servers)
Convenient execution of SQL commands (locally as well as on Linked Servers)
Fast triggering of NTLM requests via XP_dirtree
Custom Stored Procedure - for executing OS commands (locally)
Automatically checks and enables RPC OUT (if RPC OUT is disabled for Linked Servers, stored procedures such as xp_cmdshell on Linked Servers are not usable)
Automatic dumping of MSSQL user hashes