Prominent Windows exploits

| Vulnerability | Description |
|---|---|
| MS08-067 | MS08-067 was a critical patch pushed out to many different Windows revisions due to an SMB flaw. This flaw made it extremely easy to infiltrate a Windows host. It was so efficient that the Conficker worm used it to infect every vulnerable host it came across. Even Stuxnet took advantage of this vulnerability. |
| EternalBlue | MS17-010 is an exploit leaked in the Shadow Brokers dump from the NSA. This exploit was most notably used in the WannaCry ransomware and NotPetya cyber attacks. The attack took advantage of a flaw in the SMB v1 protocol allowing for code execution. EternalBlue is believed to have infected upwards of 200,000 hosts in 2017 alone and is still a common way to gain access to a vulnerable Windows host. |
| PrintNightmare | A remote code execution vulnerability in the Windows Print Spooler. With valid credentials for that host or a low-privilege shell, you can install a printer and add a driver that runs for you, granting you system-level access to the host. This vulnerability has been ravaging companies throughout 2021. 0xdf wrote an awesome post on it here. |
| BlueKeep | CVE-2019-0708 is a vulnerability in Microsoft's RDP protocol that allows for remote code execution. The vulnerability took advantage of an incorrectly called channel to gain code execution, affecting every Windows revision from Windows 2000 to Server 2008 R2. |
| SIGRed | CVE-2020-1350 utilized a flaw in how DNS reads SIG resource records. It is a bit more complicated than the other exploits on this list, but if done correctly, it will give the attacker Domain Admin privileges, since it affects the domain's DNS server, which is commonly the primary Domain Controller. |
| SeriousSam | CVE-2021-36934 exploits an issue with the way Windows handles permissions on the C:\Windows\System32\config folder. Before the fix, non-elevated users had access to the SAM database, among other files. This is not a huge issue on its own, since the files can't be accessed while in use by the PC, but it becomes dangerous when looking at Volume Shadow Copy backups. The same permission mistakes exist on the backup files as well, allowing an attacker to read the SAM database and dump credentials. |
| Zerologon | CVE-2020-1472 is a critical vulnerability that exploits a cryptographic flaw in Microsoft's Active Directory Netlogon Remote Protocol (MS-NRPC). It allows users to log on to servers using NT LAN Manager (NTLM) and even send account changes via the protocol. The attack can be a bit complex, but it is trivial to execute, since an attacker only has to make around 256 guesses at a computer account password before finding what they need. This can happen in a matter of a few seconds. |
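From the defender's side, three of the entries above have a documented Microsoft mitigation that can be checked locally: SMBv1 disabled (EternalBlue), the Print Spooler service stopped (PrintNightmare), and the `System32\config` hives not readable by `BUILTIN\Users` with no lingering shadow copies (SeriousSam). The following PowerShell script is an added example, not part of the original page or any of the tools it lists; it is a read-only audit meant to be run in an elevated session, and the function names and report layout are this example's own choices.

```powershell
# Added example (not from the original page): read-only audit of the Microsoft
# documented mitigations for EternalBlue, PrintNightmare and SeriousSam.
# Run in an elevated PowerShell 5.1+ session on the host being checked.

function Test-Smb1Enabled {
    # EternalBlue (MS17-010) needs SMBv1. Get-SmbServerConfiguration exposes the
    # server-side switch as EnableSMB1Protocol; $true means SMBv1 is still on.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-SpoolerRunning {
    # PrintNightmare lives in the Print Spooler service. A host that does not
    # need to print should have the service stopped and disabled.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return ($svc.Status -eq 'Running')
}

function Test-SeriousSamExposure {
    # SeriousSam (CVE-2021-36934): BUILTIN\Users must not hold read access on the
    # registry hives under System32\config, and readable copies of those hives
    # must not be left behind in VSS shadow copies. Returns the hives whose ACL
    # still grants Users read access and the number of shadow copies present.
    $hives   = 'SAM', 'SYSTEM', 'SECURITY'
    $exposed = @()
    foreach ($h in $hives) {
        $path = Join-Path $env:windir "System32\config\$h"
        # Get-Acl reads the security descriptor only; it does not open the hive.
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $grantsRead = ($ace.FileSystemRights -band
                [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            if ($ace.IdentityReference -eq 'BUILTIN\Users' -and
                $ace.AccessControlType -eq 'Allow' -and $grantsRead) {
                $exposed += $h
                break
            }
        }
    }
    # vssadmin prints one "Shadow Copy ID" line per existing shadow copy.
    $shadowLines = (vssadmin list shadows 2>$null) -match 'Shadow Copy ID'
    return [pscustomobject]@{
        HivesReadableByUsers = $exposed
        ShadowCopyCount      = @($shadowLines).Count
    }
}

function Get-WindowsExploitMitigationReport {
    # One object summarising the three checks; any $true / non-empty value is a
    # finding that should be remediated.
    [pscustomobject]@{
        Smb1Enabled    = Test-Smb1Enabled
        SpoolerRunning = Test-SpoolerRunning
        SeriousSam     = Test-SeriousSamExposure
    }
}

Get-WindowsExploitMitigationReport | Format-List
```

If `HivesReadableByUsers` is non-empty, Microsoft's published workaround for CVE-2021-36934 is to restore inheritance on the config folder (`icacls $env:windir\System32\config\*.* /inheritance:e`) and then delete any existing shadow copies, since the copies keep the old, over-permissive ACLs; an SMBv1 or Spooler finding maps directly to disabling that feature or service where it is not required.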

Payload generation

| Resource | Description |
|---|---|
| MSFVenom & Metasploit-Framework (Source) | MSF is an extremely versatile tool for any pentester's toolkit. It serves as a way to enumerate hosts, generate payloads, utilize public and custom exploits, and perform post-exploitation actions once on the host. Think of it as a Swiss Army knife. |
| Payloads All The Things (Source) | Here, you can find many different resources and cheat sheets for payload generation and general methodology. |
| Mythic C2 Framework (Source) | The Mythic C2 framework is an alternative option to Metasploit as a Command and Control framework and toolbox for unique payload generation. |
| Nishang (Source) | Nishang is a framework collection of offensive PowerShell implants and scripts. It includes many utilities that can be useful to any pentester. |
| Darkarmour (Source) | Darkarmour is a tool to generate and utilize obfuscated binaries for use against Windows hosts. |

Payload transfer and execution