ReddRadar
Topic: red-team
873 skills in this topic.
-
auth-coercion-relay
Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).
blacklanternsecurity/red-run 126
-
credential-dumping
Extracts credentials from Active Directory: DCSync replication, NTDS.dit database extraction, SAM hive dump, Azure AD Connect (ADSync) credential extraction, LAPS passwords (legacy + Windows LAPS), gMSA passwords (KDS root key + GoldenGMSA), dMSA exploitation (BadSuccessor CVE-2025-21293), DSRM credentials, and EFS-encrypted file decryption.
blacklanternsecurity/red-run 126
-
gpo-abuse
Exploits Group Policy Objects for code execution, privilege escalation, and lateral movement in Active Directory. Covers GPO enumeration (GPOHound, BloodHound, PowerView), exploitation via immediate tasks, logon scripts, and registry modifications (SharpGPOAbuse, PowerGPOAbuse, pyGPOAbuse, GroupPolicyBackdoor), SYSVOL/NETLOGON logon script poisoning, and GPP password extraction.
blacklanternsecurity/red-run 126
-
kerberos-delegation
Exploits Kerberos delegation misconfigurations for privilege escalation and lateral movement in Active Directory. Covers Unconstrained Delegation (TGT harvesting via coercion), Constrained Delegation (S4U2Self + S4U2Proxy with SPN swapping), and Resource-Based Constrained Delegation (RBCD via writable machine accounts).
blacklanternsecurity/red-run 126
-
kerberos-roasting
Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.
blacklanternsecurity/red-run 126
-
kerberos-ticket-forging
Forges Kerberos tickets for domain persistence and privilege escalation. Covers Golden Ticket (krbtgt hash → forged TGT), Silver Ticket (service hash → forged TGS), Diamond Ticket (decrypt/modify/re-encrypt legitimate TGT for stealth), Sapphire Ticket (U2U PAC swap), and Pass-the-Ticket injection.
blacklanternsecurity/red-run 126
-
pass-the-hash
Authenticates to AD services using NTLM hashes, AES keys, or Kerberos tickets without cracking passwords. Covers Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Key, and Pass-the-Ticket for lateral movement.
blacklanternsecurity/red-run 126
-
sccm-exploitation
Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.
blacklanternsecurity/red-run 126
-
trust-attacks
Enumerates Active Directory trust relationships and exploits them for cross-domain and cross-forest privilege escalation. Covers trust enumeration (nltest, PowerView, BloodHound), SID history injection (child domain to forest root via golden/diamond ticket with extra SIDs), inter-realm TGT forging using trust keys, TGT delegation coercion capture (Rubeus monitor + SpoolSample/DFSCoerce across forest trusts with ENABLE_TGT_DELEGATION), cross-forest trust abuse (SID filtering bypass, RBCD, Kerberoasting via trust account), and PAM trust exploitation (shadow principals in bastion forests).
blacklanternsecurity/red-run 126
-
password-spraying
Performs password spraying against authentication services with lockout-safe techniques. Works against AD (SMB/Kerberos/LDAP), SSH, web login forms, OWA, and any service with username/password auth. Service-agnostic — the orchestrator passes target services and spray intensity tier.
blacklanternsecurity/red-run 126
-
red-run-ctf
Multi-phase penetration test orchestrator. Handles recon, assessment surface mapping, vulnerability chaining, and routes to technique skills for execution. Invoke via /red-run-ctf slash command only.
blacklanternsecurity/red-run 126
-
av-edr-evasion
Bypass antivirus and EDR detection for payload delivery during exploitation. Covers custom payload compilation (mingw C, Go), AMSI bypass, shellcode alternatives, and ETW patching. Route here when an agent reports a payload was quarantined, blocked, or detected by endpoint protection.
blacklanternsecurity/red-run 126
-
red-run-legacy
Legacy subagent-based orchestrator. Superseded by /red-run-ctf (agent teams). Use /red-run-legacy to invoke manually. Does not auto-trigger.
blacklanternsecurity/red-run 126
-
linux-cron-service-abuse
Exploit cron jobs, systemd timers/services, D-Bus services, and Unix sockets for privilege escalation.
blacklanternsecurity/red-run 126
-
linux-discovery
Linux local privilege escalation enumeration and attack surface mapping.
blacklanternsecurity/red-run 126
-
linux-file-path-abuse
Exploit writable critical files, NFS misconfigurations, shared library hijacking, and privileged group membership (docker, lxd, disk, adm, video, staff) for Linux privilege escalation. Use when a user belongs to a privileged group or has write access to sensitive files or paths.
blacklanternsecurity/red-run 126
-
linux-kernel-exploits
Exploit Linux kernel vulnerabilities and escape restricted shells for privilege escalation.
blacklanternsecurity/red-run 126
-
linux-sudo-suid-capabilities
Exploit sudo misconfigurations, SUID/SGID binaries, and Linux capabilities for privilege escalation.
blacklanternsecurity/red-run 126
-
windows-credential-harvesting
Harvest stored credentials from a Windows system for privilege escalation or lateral movement.
blacklanternsecurity/red-run 126
-
windows-discovery
Windows local privilege escalation enumeration and attack surface mapping.
blacklanternsecurity/red-run 126
-
windows-kernel-exploits
Exploit Windows kernel vulnerabilities, vulnerable drivers, and privileged file operations for local privilege escalation to SYSTEM.
blacklanternsecurity/red-run 126
-
windows-service-dll-abuse
Exploit Windows service misconfigurations and DLL hijacking for local privilege escalation.
blacklanternsecurity/red-run 126
-
windows-token-impersonation
Exploit Windows token privileges for local privilege escalation to SYSTEM.
blacklanternsecurity/red-run 126
-
windows-uac-bypass
Bypass Windows User Account Control to escalate from medium to high integrity.
blacklanternsecurity/red-run 126