WDAC Policy Removal + SSRF domains

Methodology and Resources/Active Directory Attack.md

@@ -4414,3 +4414,4 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
 * [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
 * [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
+* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d)

Methodology and Resources/Windows - Defenses.md

@@ -307,7 +307,10 @@ Also known as `WDAC/UMCI/Device Guard`.
     DeviceGuardCodeIntegrityPolicyEnforcementStatus         : EnforcementMode
     DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode
     ```
-
+* Remove WDAC policies using CiTool.exe (Windows 11 2022 Update)
+    ```ps1
+    $ CiTool.exe -rp "{PolicyId GUID}" -json
+    ```
 * Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`
 * Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\`
 * WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
@@ -384,3 +387,4 @@ You can check if it is done decrypting using this command: `manage-bde -status`
 * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
 * [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
 * [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
+* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)

Server Side Request Forgery/README.md

@@ -110,11 +110,13 @@ http://0000::1:3128/ Squid
 
 ### Bypass localhost with a domain redirection
 
-
+| Domain                       | Redirect to |
-* `spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com`
+|------------------------------|-------------|
-* `localtest.me` redirect to `::1`
+| localtest.me                 | `::1`       |
-* `company.127.0.0.1.nip.io` redirect to `127.0.0.1`
+| localh.st                    | `127.0.0.1` |
-* `bugbounty.dod.network` redirect to `127.0.0.2`
+| spoofed.[BURP_COLLABORATOR]  | `127.0.0.1` |
+| spoofed.redacted.oastify.com | `127.0.0.1` |
+| company.127.0.0.1.nip.io     | `127.0.0.1` |
 
 The service nip.io is awesome for that, it will convert any ip address as a dns.
 

XSS Injection/README.md

@@ -62,7 +62,7 @@
     - [Bypass "<" and ">" using ＜ and ＞](#bypass--and--using--and-)
     - [Bypass ";" using another character](#bypass--using-another-character)
     - [Bypass using HTML encoding](#bypass-using-html-encoding)
-    - [Bypass using Katana](#bypass-using-katana)
+    - [Bypass using Katakana](#bypass-using-katakana)
     - [Bypass using Cuneiform](#bypass-using-cuneiform)
     - [Bypass using Lontara](#bypass-using-lontara)
     - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
@@ -967,7 +967,7 @@ Unicode Character U+FF1C and U+FF1E
 ></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
 ```
 
-### Bypass using Katana
+### Bypass using Katakana
 
 Using the [Katakana](https://github.com/aemkei/katakana.js) library.