# Offensive Bookmark <!-- omit in toc -->
<p align="center">
<img src="cover.png">
</p>
<p align="center"><img src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg" /><a href="https://github.com/pe3zx/my-infosec-awesome/actions"><img src="https://github.com/pe3zx/my-infosec-awesome/workflows/Ruby/badge.svg" /></a><img src="https://img.shields.io/github/last-commit/pe3zx/my-infosec-awesome.svg" /></p>

This page contains my bookmarks for offensive tools, briefly categorized based on the [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/). Links and sections on [README.md](README.md) that relate to offensive tactics and techniques will be relocated to this page.

Some tools fit more than one category. Because the current bookmark model doesn't support a 1-to-many mapping, I file each tool under a single category based on its ultimate goal.

- [Reconnaissance/Discovery](#reconnaissancediscovery)
- [Execution](#execution)
  - [Manipulating Binary's Internal](#manipulating-binarys-internal)
  - [Payload Generation](#payload-generation)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Command & Control](#command--control)
- [Exfiltration](#exfiltration)

## Reconnaissance/Discovery
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/danielbohannon/Invoke-CradleCrafter">danielbohannon/Invoke-CradleCrafter</a></td>
<td>PowerShell remote download cradle generator and obfuscator</td>
</tr>
<tr>
<td><a href="https://github.com/dev-2null/adcollector">dev-2null/ADCollector</a></td>
<td>A lightweight tool to quickly extract valuable information from an Active Directory environment, for both attacking and defending.</td>
</tr>
<tr>
<td><a href="https://github.com/dirkjanm/ROADtools">dirkjanm/ROADtools</a></td>
<td>The Azure AD exploration framework.</td>
</tr>
<tr>
<td><a href="https://github.com/djhohnstein/SharpShares">djhohnstein/SharpShares</a></td>
<td>Enumerate all network shares in the current domain. Can also resolve names to IP addresses.</td>
</tr>
<tr>
<td><a href="https://github.com/GhostPack/Seatbelt">GhostPack/Seatbelt</a></td>
<td>Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.</td>
</tr>
<tr>
<td><a href="https://github.com/jaredhaight/scout">jaredhaight/scout</a></td>
<td>A .NET assembly for performing recon against hosts on a network</td>
</tr>
<tr>
<td><a href="https://github.com/mdsecactivebreach/sitrep">mdsecactivebreach/sitrep</a></td>
<td>SitRep is intended to provide a lightweight, extensible host triage alternative.</td>
</tr>
<tr>
<td><a href="https://github.com/mez-0/SharpShares">mez-0/SharpShares</a></td>
<td>.NET 4.0 share hunting and ACL mapping</td>
</tr>
<tr>
<td><a href="https://github.com/nccgroup/Carnivore">nccgroup/Carnivore</a></td>
<td>Tool for assessing authentication on on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb</td>
</tr>
<tr>
<td><a href="https://github.com/NetSPI/goddi">NetSPI/goddi</a></td>
<td>goddi (go dump domain info) dumps Active Directory domain information</td>
</tr>
<tr>
<td><a href="https://github.com/outflanknl/Recon-AD">outflanknl/Recon-AD</a></td>
<td>Recon-AD, an AD recon tool based on ADSI and reflective DLLs</td>
</tr>
<tr>
<td><a href="https://github.com/rasta-mouse/Watson">rasta-mouse/Watson</a></td>
<td>Enumerate missing KBs and suggest exploits for useful privilege escalation vulnerabilities</td>
</tr>
<tr>
<td><a href="https://github.com/stufus/reconerator">stufus/reconerator</a></td>
<td>C# targeted attack reconnaissance tools</td>
</tr>
<tr>
<td><a href="https://github.com/sud0woodo/DCOMrade">sud0woodo/DCOMrade</a></td>
<td>PowerShell script for enumerating vulnerable DCOM applications</td>
</tr>
<tr>
<td><a href="https://github.com/tevora-threat/SharpView">tevora-threat/SharpView</a></td>
<td>C# implementation of harmj0y's PowerView</td>
</tr>
<tr>
<td><a href="https://github.com/TonyPhipps/Meerkat">TonyPhipps/Meerkat</a></td>
<td>A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.</td>
</tr>
</table>
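Several of the Active Directory tools above (Recon-AD, ADCollector, goddi, SharpView) are, underneath, LDAP queries issued through ADSI. As an added illustration of that, and not code from any of the listed projects, here is a small C# host-survey of my own that asks the domain three of the questions those tools ask: which computers have unconstrained delegation, which user accounts carry an SPN, and which accounts do not require Kerberos pre-authentication. It assumes a domain-joined Windows host, the current user's credentials, and a reference to System.DirectoryServices.dll; the LDAP filters and the userAccountControl bit values are the standard ones.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Added example (not from any listed project): ADSI/LDAP recon of the current domain.
// Assumes a domain-joined host, the current user's credentials and a reference to
// System.DirectoryServices.dll:  csc /r:System.DirectoryServices.dll AdRecon.cs
class AdRecon
{
    // LDAP_MATCHING_RULE_BIT_AND, used to test individual userAccountControl flags
    const string BitAnd = "1.2.840.113556.1.4.803";

    static void Main()
    {
        Domain domain = Domain.GetCurrentDomain();
        Console.WriteLine("[*] Domain: {0}", domain.Name);

        // RootDSE exposes the default naming context so no DN has to be hardcoded
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;

            // 1. Computers trusted for unconstrained delegation (UAC 0x80000 = TRUSTED_FOR_DELEGATION)
            Query(baseDn,
                  "(&(objectCategory=computer)(userAccountControl:" + BitAnd + ":=524288))",
                  new[] { "dNSHostName", "operatingSystem" },
                  "Unconstrained delegation");

            // 2. User accounts with a servicePrincipalName (Kerberoast candidates), krbtgt excluded
            Query(baseDn,
                  "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))",
                  new[] { "sAMAccountName", "servicePrincipalName" },
                  "Accounts with SPNs");

            // 3. Accounts that do not require pre-auth (UAC 0x400000 = DONT_REQ_PREAUTH, AS-REP roast candidates)
            Query(baseDn,
                  "(&(objectCategory=person)(userAccountControl:" + BitAnd + ":=4194304))",
                  new[] { "sAMAccountName" },
                  "No Kerberos pre-authentication");
        }
    }

    static void Query(string baseDn, string ldapFilter, string[] attributes, string label)
    {
        using (var root = new DirectoryEntry("LDAP://" + baseDn))
        using (var searcher = new DirectorySearcher(root, ldapFilter, attributes))
        {
            searcher.PageSize = 500;               // paged results: large domains would otherwise stop at the server's 1000-entry limit
            searcher.SearchScope = SearchScope.Subtree;

            Console.WriteLine("[*] {0}:", label);
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    Console.WriteLine("  - {0}", r.Path);
                    foreach (string attr in attributes)
                        foreach (object value in r.Properties[attr])   // multi-valued attributes (SPNs) yield several lines
                            Console.WriteLine("      {0} = {1}", attr, value);
                }
            }
        }
    }
}
```

Two practical notes. The queries run as the current user, so they produce the same LDAP traffic (and the same event 1644 / directory-service-access telemetry on a domain controller configured to log it) that the bookmarked tools produce; if you are tuning detections for those tools, this is the baseline to compare against. And the `PageSize` setting matters: without paging, a domain with more than 1000 matching objects returns a truncated list with no error.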
## Execution
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/aeverj/NimShellCodeLoader">aeverj/NimShellCodeLoader</a></td>
<td>A Windows shellcode loader written in Nim, built to evade antivirus</td>
</tr>
<tr>
<td><a href="https://github.com/api0cradle/LOLBAS">api0cradle/LOLBAS</a></td>
<td>Living Off The Land Binaries and Scripts (and now also Libraries)</td>
</tr>
<tr>
<td><a href="https://github.com/bohops/GhostBuild">bohops/GhostBuild</a></td>
<td>GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects</td>
</tr>
<tr>
<td><a href="https://github.com/cdong1012/Crab-Runner">cdong1012/Crab-Runner</a></td>
<td>Shellcode runner in Rust</td>
</tr>
<tr>
<td><a href="https://github.com/checkymander/Zolom">checkymander/Zolom</a></td>
<td>C# executable with embedded Python that can be loaded reflectively to run Python code on systems without Python installed</td>
</tr>
<tr>
<td><a href="https://github.com/cobbr/SharpSploit">cobbr/SharpSploit</a></td>
<td>SharpSploit is a .NET post-exploitation library written in C#</td>
</tr>
<tr>
<td><a href="https://github.com/Cn33liz/p0wnedShell">Cn33liz/p0wnedShell</a></td>
<td>p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET)</td>
</tr>
<tr>
<td><a href="https://github.com/cribdragg3r/Alaris">cribdragg3r/Alaris</a></td>
<td>A protective, low-level shellcode loader that defeats modern EDR systems.</td>
</tr>
<tr>
<td><a href="https://github.com/DamonMohammadbagher/NativePayload_Tinjection">DamonMohammadbagher/NativePayload_Tinjection</a></td>
<td>Remote thread injection in C#</td>
</tr>
<tr>
<td><a href="https://github.com/D00MFist/Go4aRun">D00MFist/Go4aRun</a></td>
<td>Shellcode runner in Go that incorporates shellcode encryption, remote process injection, blocking of non-Microsoft DLLs, and a spoofed parent process</td>
</tr>
<tr>
<td><a href="https://github.com/dtrizna/easy-hollow">dtrizna/easy-hollow</a></td>
<td>Automated build for a process-hollowing shellcode loader. Built on top of the TikiTorch and donut projects.</td>
</tr>
<tr>
<td><a href="https://github.com/Flangvik/SharpCollection">Flangvik/SharpCollection</a></td>
<td>Nightly builds of common C# offensive tools, fresh from their respective master branches, built and released CI/CD-style using Azure DevOps release pipelines.</td>
</tr>
<tr>
<td><a href="https://github.com/FuzzySecurity/PowerShell-Suite">FuzzySecurity/PowerShell-Suite</a></td>
<td>There are great tools and resources online to accomplish almost any task in PowerShell; sometimes, however, there is a need to script together a utility for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.</td>
</tr>
<tr>
<td><a href="https://github.com/GhostPack/SharpWMI">GhostPack/SharpWMI</a></td>
<td>SharpWMI is a C# implementation of various WMI functionality.</td>
</tr>
<tr>
<td><a href="https://github.com/hausec/MaliciousClickOnceMSBuild">hausec/MaliciousClickOnceMSBuild</a></td>
<td>Basic C# project that takes an MSBuild payload and runs it with MSBuild via ClickOnce.</td>
</tr>
<tr>
<td><a href="https://github.com/JamesCooteUK/SharpSphere">JamesCooteUK/SharpSphere</a></td>
<td>.NET project for attacking vCenter</td>
</tr>
<tr>
<td><a href="https://github.com/jhalon/SharpCall">jhalon/SharpCall</a></td>
<td>Simple PoC demonstrating syscall execution in C#</td>
</tr>
<tr>
<td><a href="https://github.com/jfmaes/SharpZipRunner">jfmaes/SharpZipRunner</a></td>
<td>Executes position-independent shellcode from an encrypted zip</td>
</tr>
<tr>
<td><a href="https://github.com/mgeeky/Stracciatella">mgeeky/Stracciatella</a></td>
<td>OpSec-safe PowerShell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup</td>
</tr>
<tr>
<td><a href="https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts">Mr-Un1k0d3r/RedTeamCSharpScripts</a></td>
<td>C# scripts used for red teaming. These binaries can be used with Cobalt Strike's execute-assembly or as standalone executables.</td>
</tr>
<tr>
<td><a href="https://github.com/nccgroup/GTFOBLookup">nccgroup/GTFOBLookup</a></td>
<td>Offline command line lookup utility for GTFOBins</td>
</tr>
<tr>
<td><a href="https://github.com/NYAN-x-CAT/Csharp-Loader">NYAN-x-CAT/Csharp-Loader</a></td>
<td>Download a .NET payload and run it in memory</td>
</tr>
<tr>
<td><a href="https://github.com/rasta-mouse/MiscTools">rasta-mouse/MiscTools</a></td>
<td>Miscellaneous tools</td>
</tr>
<tr>
<td><a href="https://gist.github.com/ropnop/fdd4e4ab537821eee5a1a751c044924f">ropnop/go-sharp-loader.go</a></td>
<td>Example Go program with multiple .NET binaries embedded</td>
</tr>
<tr>
<td><a href="https://github.com/rvrsh3ll/NoMSBuild">rvrsh3ll/NoMSBuild</a></td>
<td>MSBuild without MSBuild.exe</td>
</tr>
<tr>
<td><a href="https://github.com/sh4hin/GoPurple">sh4hin/GoPurple</a></td>
<td>Yet another shellcode runner consisting of different techniques for evaluating the detection capabilities of endpoint security solutions</td>
</tr>
</table>
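p0wnedShell and Stracciatella in the table above both rest on the same building block: hosting the PowerShell engine inside your own .NET process, so that scripts run without powershell.exe ever starting. As an added example that is mine and not taken from either project, this is the minimal in-process host. It assumes a Windows PowerShell 5.1 host and a compile-time reference to System.Management.Automation.dll (the copy in the GAC under GAC_MSIL\System.Management.Automation); the default script it runs is just a placeholder host survey.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

// Added example (not from p0wnedShell or Stracciatella): run PowerShell in-process without powershell.exe.
// Assumes Windows PowerShell 5.1 and a reference to System.Management.Automation.dll:
//   csc /r:"<path to>\System.Management.Automation.dll" RunspaceHost.cs
class RunspaceHost
{
    static int Main(string[] args)
    {
        // Script comes from the command line; the fallback is a harmless placeholder survey (assumption: any
        // script text is acceptable here, the point is where it executes, not what it does).
        string script = args.Length > 0
            ? args[0]
            : "Get-ChildItem Env: | Where-Object Name -like 'USER*' | Format-Table -AutoSize | Out-String";

        // CreateDefault() builds a session with the standard cmdlets; the engine's own AMSI scanning and
        // Script Block Logging still apply inside this runspace because this example does nothing to alter them.
        InitialSessionState iss = InitialSessionState.CreateDefault();

        using (Runspace rs = RunspaceFactory.CreateRunspace(iss))
        {
            rs.Open();
            using (PowerShell ps = PowerShell.Create())
            {
                ps.Runspace = rs;
                ps.AddScript(script);

                // Invoke() returns pipeline output; non-terminating errors land on the Error stream instead
                Collection<PSObject> output = ps.Invoke();
                foreach (PSObject o in output)
                    Console.WriteLine(o);

                foreach (ErrorRecord err in ps.Streams.Error)
                    Console.Error.WriteLine("[!] " + err);

                return ps.HadErrors ? 1 : 0;
            }
        }
    }
}
```

The caveat a defender will want: this host skips powershell.exe, so a process-name or command-line rule never fires, but the real engine still executes the script, so script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) and AMSI see exactly what they would see from powershell.exe. That is why the listed tools go further; Stracciatella's description explicitly names AMSI, Constrained Language Mode and Script Block Logging as the things it disables at startup.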
### Manipulating Binary's Internal
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/ajpc500/NimlineWhispers">ajpc500/NimlineWhispers</a></td>
<td>A very proof-of-concept port of InlineWhispers for using syscalls in Nim projects.</td>
</tr>
<tr>
<td><a href="https://github.com/Akaion/Bleak">Akaion/Bleak</a></td>
<td>A Windows native DLL injection library that supports several methods of injection.</td>
</tr>
<tr>
<td><a href="https://github.com/Cybellum/DoubleAgent">Cybellum/DoubleAgent</a></td>
<td>DoubleAgent is a code-injection and persistence (auto-run) technique that abuses the Microsoft Application Verifier.</td>
</tr>
<tr>
<td><a href="https://github.com/DarthTon/Xenos">DarthTon/Xenos</a></td>
<td>Windows DLL injector</td>
</tr>
<tr>
<td><a href="https://github.com/Flangvik/SharpDllProxy">Flangvik/SharpDllProxy</a></td>
<td>Retrieves exported functions from a legitimate DLL and generates proxy DLL source code/template for DLL proxy loading or sideloading</td>
</tr>
<tr>
<td><a href="https://github.com/forrest-orr/phantom-dll-hollower-poc">forrest-orr/phantom-dll-hollower-poc</a></td>
<td>Phantom DLL hollowing PoC</td>
</tr>
<tr>
<td><a href="https://github.com/GoodstudyChina/APC-injection-x86-x64">GoodstudyChina/APC-injection-x86-x64</a></td>
<td>injdrv is a proof-of-concept Windows driver for injecting a DLL into user-mode processes using APCs.</td>
</tr>
<tr>
<td><a href="https://github.com/jonatan1024/clrinject">jonatan1024/clrinject</a></td>
<td>Injects a C# EXE or DLL assembly into every CLR runtime and AppDomain of another process.</td>
</tr>
<tr>
<td><a href="https://github.com/jthuraisamy/SysWhispers">jthuraisamy/SysWhispers</a></td>
<td>SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.</td>
</tr>
<tr>
<td><a href="https://github.com/jthuraisamy/SysWhispers2">jthuraisamy/SysWhispers2</a></td>
<td>AV/EDR evasion via direct system calls.</td>
</tr>
<tr>
<td><a href="https://github.com/mobdk/Sigma">mobdk/Sigma</a></td>
<td>Execute shellcode by creating a section with ZwCreateSection, mapping it twice with ZwMapViewOfSection (locally and into the target opened with ZwOpenProcess), then starting a thread on it with ZwCreateThreadEx</td>
</tr>
<tr>
<td><a href="https://github.com/monoxgas/sRDI">monoxgas/sRDI</a></td>
<td>Shellcode implementation of reflective DLL injection. Converts DLLs to position-independent shellcode</td>
</tr>
<tr>
<td><a href="https://github.com/stephenfewer/ReflectiveDLLInjection">stephenfewer/ReflectiveDLLInjection</a></td>
<td>Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to load a library from memory into a host process</td>
</tr>
<tr>
<td><a href="https://github.com/slyd0g/UrbanBishopLocal">slyd0g/UrbanBishopLocal</a></td>
<td>A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate instead of UrbanBishop's APC queued on a suspended thread at ntdll!RtlExitUserThread</td>
</tr>
<tr>
<td><a href="https://github.com/TheWover/GhostLoader">TheWover/GhostLoader</a></td>
<td>GhostLoader: AppDomainManager injection (named after Ghost in the Shell)</td>
</tr>
<tr>
<td><a href="https://github.com/r3nhat/XORedReflectiveDLL">r3nhat/XORedReflectiveDLL</a></td>
<td>Reflective DLL injection with XOR-obfuscated shellcode</td>
</tr>
</table>
### Payload Generation
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/BC-SECURITY/Empire/">BC-SECURITY/Empire</a></td>
<td>Empire is a PowerShell and Python post-exploitation agent.</td>
</tr>
<tr>
<td><a href="https://github.com/Binject/backdoorfactory">Binject/backdoorfactory</a></td>
<td>A from-scratch rewrite of The Backdoor Factory: a MitM tool for inserting shellcode into all types of binaries on the wire.</td>
</tr>
<tr>
<td><a href="https://github.com/BishopFox/sliver">BishopFox/sliver</a></td>
<td>Sliver is a general purpose cross-platform implant framework that supports C2 over mutual TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary.</td>
</tr>
<tr>
<td><a href="https://github.com/cedowens/Mythic-Macro-Generator">cedowens/Mythic-Macro-Generator</a></td>
<td>Python 3 script to generate a macro that launches a Mythic payload. Author: Cedric Owens</td>
</tr>
<tr>
<td><a href="https://github.com/damienvanrobaeys/PS1-To-EXE-Generator">damienvanrobaeys/PS1-To-EXE-Generator</a></td>
<td>PS1 to EXE Generator: create an EXE for your PS1 scripts</td>
</tr>
<tr>
<td><a href="https://github.com/forrest-orr/artifacts-kit">forrest-orr/artifacts-kit</a></td>
<td>Pseudo-malicious user-mode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.</td>
</tr>
<tr>
<td><a href="https://github.com/FortyNorthSecurity/EXCELntDonut">FortyNorthSecurity/EXCELntDonut</a></td>
<td>Excel 4.0 (XLM) macro generator for injecting DLLs and EXEs into memory.</td>
</tr>
<tr>
<td><a href="https://github.com/FortyNorthSecurity/hot-manchego">FortyNorthSecurity/hot-manchego</a></td>
<td>Macro-enabled Excel file (.xlsm) generator using the EPPlus library.</td>
</tr>
<tr>
<td><a href="https://github.com/gen0cide/gscript">gen0cide/gscript</a></td>
<td>Framework to rapidly implement custom droppers for all three major operating systems</td>
</tr>
<tr>
<td><a href="https://github.com/glinares/InlineShapesPayload">glinares/InlineShapesPayload</a></td>
<td>VBA InlineShapes payload generator</td>
</tr>
<tr>
<td><a href="https://github.com/Greenwolf/ntlm_theft">Greenwolf/ntlm_theft</a></td>
<td>A tool for generating multiple types of NTLMv2 hash theft files, by Jacob Wilkin (Greenwolf)</td>
</tr>
<tr>
<td><a href="https://github.com/infosecn1nja/MaliciousMacroMSBuild">infosecn1nja/MaliciousMacroMSBuild</a></td>
<td>Generates a malicious macro that executes PowerShell or shellcode via the MSBuild application whitelisting bypass.</td>
</tr>
<tr>
<td><a href="https://github.com/l373/GIVINGSTORM">l373/GIVINGSTORM</a></td>
<td>Infection vector that bypasses AV, IDS, and IPS. (For now...)</td>
</tr>
<tr>
<td><a href="https://github.com/mdsecactivebreach/SharpShooter">mdsecactivebreach/SharpShooter</a></td>
<td>SharpShooter is a payload creation framework for the retrieval and execution of arbitrary C# source code.</td>
</tr>
<tr>
<td><a href="https://github.com/michaelweber/Macrome">michaelweber/Macrome</a></td>
<td>Excel macro document reader/writer for red teamers and analysts</td>
</tr>
<tr>
<td><a href="https://github.com/Mr-Un1k0d3r/MaliciousDLLGenerator">Mr-Un1k0d3r/MaliciousDLLGenerator</a></td>
<td>DLL generator for side-loading attacks</td>
</tr>
<tr>
<td><a href="https://github.com/optiv/ScareCrow">optiv/ScareCrow</a></td>
<td>ScareCrow: payload creation framework designed around EDR bypass.</td>
</tr>
<tr>
<td><a href="https://github.com/Plazmaz/LNKUp">Plazmaz/LNKUp</a></td>
<td>Generates malicious LNK file payloads for data exfiltration</td>
</tr>
<tr>
<td><a href="https://github.com/redcanaryco/chain-reactor">redcanaryco/chain-reactor</a></td>
<td>Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.</td>
</tr>
<tr>
<td><a href="https://github.com/sevagas/macro_pack">sevagas/macro_pack</a></td>
<td>macro_pack is a tool used to automate the obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automate the process from VBA generation to final Office document generation.</td>
</tr>
<tr>
<td><a href="https://github.com/s0lst1c3/dropengine">s0lst1c3/dropengine</a></td>
<td>DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.</td>
</tr>
<tr>
<td><a href="https://github.com/TheWover/donut">TheWover/donut</a></td>
<td>Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET assemblies, PE files, and other Windows payloads from memory and runs them with parameters</td>
</tr>
<tr>
<td><a href="https://github.com/trustedsec/unicorn">trustedsec/unicorn</a></td>
<td>Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at DEF CON 18.</td>
</tr>
</table>
## Persistence
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/0xthirteen/SharpStay">0xthirteen/SharpStay</a></td>
<td>.NET project for installing persistence</td>
</tr>
<tr>
<td><a href="https://github.com/360-Linton-Lab/Telemetry">360-Linton-Lab/Telemetry</a></td>
<td>Telemetry is a C# persistence tool for Windows</td>
</tr>
<tr>
<td><a href="https://github.com/airzero24/PortMonitorPersist">airzero24/PortMonitorPersist</a></td>
<td>PoC for port monitor persistence</td>
</tr>
<tr>
<td><a href="https://github.com/fireeye/SharPersist">fireeye/SharPersist</a></td>
<td>Windows persistence toolkit written in C#.</td>
</tr>
<tr>
<td><a href="https://github.com/panagioto/SyscallHide">panagioto/SyscallHide</a></td>
<td>Create a Run registry key with direct system calls. Inspired by @Cneelis's Dumpert and SharpHide.</td>
</tr>
<tr>
<td><a href="https://github.com/RedSection/printjacker">RedSection/printjacker</a></td>
<td>Hijack Printconfig.dll to execute shellcode</td>
</tr>
<tr>
<td><a href="https://github.com/slaeryan/MIDNIGHTTRAIN">slaeryan/MIDNIGHTTRAIN</a></td>
<td>Covert stage-3 persistence framework</td>
</tr>
<tr>
<td><a href="https://github.com/vivami/OutlookParasite">vivami/OutlookParasite</a></td>
<td>Outlook persistence using VSTO add-ins</td>
</tr>
</table>
## Privilege Escalation
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/0xbadjuju/Tokenvator">0xbadjuju/Tokenvator</a></td>
<td>A tool to elevate privilege with Windows tokens</td>
</tr>
<tr>
<td><a href="https://github.com/411Hall/JAWS">411Hall/JAWS</a></td>
<td>JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so it 'should' run on every Windows version since Windows 7.</td>
</tr>
<tr>
<td><a href="https://github.com/antonioCoco/RogueWinRM">antonioCoco/RogueWinRM</a></td>
<td>Windows local privilege escalation from service account to SYSTEM</td>
</tr>
<tr>
<td><a href="https://github.com/antonioCoco/RunasCs">antonioCoco/RunasCs</a></td>
<td>RunasCs: an open-source C# version of the Windows built-in runas.exe</td>
</tr>
<tr>
<td><a href="https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite">carlospolop/privilege-escalation-awesome-scripts-suite</a></td>
<td>PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)</td>
</tr>
<tr>
<td><a href="https://github.com/CCob/SweetPotato">CCob/SweetPotato</a></td>
<td>Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019</td>
</tr>
<tr>
<td><a href="https://github.com/GoSecure/WSuspicious">GoSecure/WSuspicious</a></td>
<td>WSuspicious: a tool to abuse insecure WSUS connections for privilege escalation</td>
</tr>
<tr>
<td><a href="https://github.com/hlldz/dazzleUP">hlldz/dazzleUP</a></td>
<td>A tool that detects privilege escalation vulnerabilities caused by misconfigurations and missing updates in Windows operating systems.</td>
</tr>
<tr>
<td><a href="https://github.com/itm4n/PrivescCheck">itm4n/PrivescCheck</a></td>
<td>Privilege escalation enumeration script for Windows</td>
</tr>
<tr>
<td><a href="https://github.com/sailay1996/delete2SYSTEM">sailay1996/delete2SYSTEM</a></td>
<td>Weaponizing arbitrary file/directory delete bugs to get NT AUTHORITY\SYSTEM</td>
</tr>
<tr>
<td><a href="https://github.com/slyd0g/PrimaryTokenTheft">slyd0g/PrimaryTokenTheft</a></td>
<td>Steal a primary token and spawn cmd.exe using the stolen token</td>
</tr>
</table>
## Defense Evasion
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/89luca89/pakkero">89luca89/pakkero</a></td>
<td>Pakkero is a binary packer written in Go, made for fun and educational purposes. Its main goal is to take a program file as input (ELF binary, script, even AppImage), compress it, and protect it from tampering and intrusion.</td>
</tr>
<tr>
<td><a href="https://github.com/api0cradle/UltimateAppLockerByPassList">api0cradle/UltimateAppLockerByPassList</a></td>
<td>The goal of this repository is to document the most common techniques to bypass AppLocker.</td>
</tr>
<tr>
<td><a href="https://github.com/Arvanaghi/CheckPlease">Arvanaghi/CheckPlease</a></td>
<td>Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.</td>
</tr>
<tr>
<td><a href="https://github.com/asaurusrex/DoppelGate">asaurusrex/DoppelGate</a></td>
<td>This project is designed to provide a method of extracting syscalls dynamically, directly from the on-disk ntdll. Userland hooks have become prevalent in many security products these days, and bypassing these hooks is a great way for red teamers/pentesters to bypass these defenses.</td>
</tr>
<tr>
<td><a href="https://github.com/bats3c/Ghost-In-The-Logs">bats3c/Ghost-In-The-Logs</a></td>
<td>Evade Sysmon and Windows event logging</td>
</tr>
<tr>
<td><a href="https://github.com/BinaryScary/NET-Obfuscate">BinaryScary/NET-Obfuscate</a></td>
<td>Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI</td>
</tr>
<tr>
<td><a href="https://github.com/bhumic/PErmutator">bhumic/PErmutator</a></td>
<td>The goal of this project is to create a permutation engine for PE files. The engine should randomize the executable parts of the file.</td>
</tr>
<tr>
<td><a href="https://github.com/bohops/UltimateWDACBypassList">bohops/UltimateWDACBypassList</a></td>
<td>A centralized resource for previously documented WDAC bypass techniques</td>
</tr>
<tr>
<td><a href="https://github.com/br-sn/CheekyBlinder">br-sn/CheekyBlinder</a></td>
<td>Enumerating and removing kernel callbacks using signed vulnerable drivers</td>
</tr>
<tr>
<td><a href="https://github.com/c0de90e7/GhostWriting">c0de90e7/GhostWriting</a></td>
<td>GhostWriting injection technique.</td>
</tr>
<tr>
<td><a href="https://github.com/calebstewart/bypass-clm">calebstewart/bypass-clm</a></td>
<td>PowerShell Constrained Language Mode bypass</td>
</tr>
<tr>
<td><a href="https://github.com/CCob/SharpBlock">CCob/SharpBlock</a></td>
<td>A method of bypassing EDR active protection DLLs by preventing entry point execution.</td>
</tr>
<tr>
<td><a href="https://github.com/cnsimo/BypassUAC">cnsimo/BypassUAC</a></td>
<td>Use ICMLuaUtil to bypass UAC</td>
</tr>
<tr>
<td><a href="https://github.com/cwolff411/powerob">cwolff411/powerob</a></td>
<td>An on-the-fly PowerShell script obfuscator meant for red team engagements. Built out of necessity.</td>
</tr>
<tr>
<td><a href="https://github.com/d00rt/ebfuscator">d00rt/ebfuscator</a></td>
<td>Ebfuscator: abusing system errors for binary obfuscation</td>
</tr>
<tr>
<td><a href="https://github.com/d35ha/CallObfuscator">d35ha/CallObfuscator</a></td>
<td>Obfuscate specific Windows APIs with different APIs</td>
</tr>
<tr>
<td><a href="https://github.com/danielbohannon/Invoke-DOSfuscation">danielbohannon/Invoke-DOSfuscation</a></td>
<td>cmd.exe command obfuscation generator and detection test harness</td>
</tr>
<tr>
<td><a href="https://github.com/DarthTon/Polychaos">DarthTon/Polychaos</a></td>
<td>PE permutation library</td>
</tr>
<tr>
<td><a href="https://github.com/dsnezhkov/zombieant">dsnezhkov/zombieant</a></td>
<td>Zombie Ant Farm: primitives and offensive tooling for Linux EDR evasion.</td>
</tr>
<tr>
<td><a href="https://github.com/EgeBalci/Amber">EgeBalci/Amber</a></td>
<td>Amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that load and execute themselves like shellcode.</td>
</tr>
<tr>
<td><a href="https://github.com/ffuf/pencode">ffuf/pencode</a></td>
<td>Complex payload encoder</td>
</tr>
<tr>
<td><a href="https://github.com/fireeye/OfficePurge">fireeye/OfficePurge</a></td>
<td>VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents.</td>
</tr>
<tr>
<td><a href="https://github.com/hlldz/Invoke-Phant0m">hlldz/Invoke-Phant0m</a></td>
<td>Windows Event Log killer</td>
</tr>
<tr>
<td><a href="https://github.com/huntresslabs/evading-autoruns">huntresslabs/evading-autoruns</a></td>
<td>Slides and reference material from the Evading Autoruns presentation at DerbyCon 7 (September 2017)</td>
</tr>
<tr>
<td><a href="https://github.com/jthuraisamy/TelemetrySourcerer">jthuraisamy/TelemetrySourcerer</a></td>
<td>Enumerate and disable common sources of telemetry used by AV/EDR.</td>
</tr>
<tr>
<td><a href="https://github.com/matterpreter/DefenderCheck">matterpreter/DefenderCheck</a></td>
<td>Identifies the bytes that Microsoft Defender flags on.</td>
</tr>
<tr>
<td><a href="https://github.com/matterpreter/SHAPESHIFTER">matterpreter/SHAPESHIFTER</a></td>
<td>Companion PoC for the "Adventures in Dynamic Evasion" blog post</td>
</tr>
<tr>
<td><a href="https://github.com/mdsecactivebreach/Chameleon">mdsecactivebreach/Chameleon</a></td>
<td>Chameleon: a tool for evading proxy categorisation</td>
</tr>
<tr>
<td><a href="https://github.com/mdsecactivebreach/firewalker">mdsecactivebreach/firewalker</a></td>
<td>This repo contains a simple library which can be used to add FireWalker hook bypass capabilities to existing code</td>
</tr>
<tr>
<td><a href="https://github.com/nccgroup/demiguise">nccgroup/demiguise</a></td>
<td>HTA encryption tool for red teams</td>
</tr>
<tr>
<td><a href="https://github.com/NotPrab/.NET-Obfuscator">NotPrab/.NET-Obfuscator</a></td>
<td>List of .NET obfuscators (free, trial, paid and open source)</td>
</tr>
<tr>
<td><a href="https://github.com/OmerYa/Invisi-Shell">OmerYa/Invisi-Shell</a></td>
<td>Hide your PowerShell script in plain sight. Bypass all PowerShell security features</td>
</tr>
<tr>
<td><a href="https://github.com/OsandaMalith/PE2HTML">OsandaMalith/PE2HTML</a></td>
<td>Injects HTML/PHP/ASP into the PE</td>
</tr>
<tr>
<td><a href="https://github.com/peewpw/Invoke-PSImage">peewpw/Invoke-PSImage</a></td>
<td>Embeds a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it</td>
</tr>
<tr>
<td><a href="https://github.com/phra/PEzor">phra/PEzor</a></td>
<td>Open-source PE packer</td>
</tr>
<tr>
<td><a href="https://github.com/PwnDexter/SharpEDRChecker">PwnDexter/SharpEDRChecker</a></td>
<td>Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, and installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.</td>
</tr>
<tr>
<td><a href="https://github.com/secretsquirrel/SigThief">secretsquirrel/SigThief</a></td>
<td>Stealing signatures and making one invalid signature at a time</td>
</tr>
<tr>
<td><a href="https://github.com/slyd0g/SharpCrashEventLog">slyd0g/SharpCrashEventLog</a></td>
<td>C# port of LogServiceCrash</td>
</tr>
<tr>
<td><a href="https://github.com/the-xentropy/xencrypt">the-xentropy/xencrypt</a></td>
<td>A PowerShell script anti-virus evasion tool</td>
</tr>
<tr>
<td><a href="https://github.com/tokyoneon/chimera">tokyoneon/chimera</a></td>
<td>Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions.</td>
</tr>
<tr>
<td><a href="https://github.com/xct/morbol">xct/morbol</a></td>
<td>Simple AV evasion for PE files</td>
</tr>
<tr>
<td><a href="https://github.com/zeroSteiner/crimson-forge">zeroSteiner/crimson-forge</a></td>
<td>Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures.</td>
</tr>
</table>
## Credential Access
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/aas-n/spraykatz">aas-n/spraykatz</a></td>
<td>Credential gathering tool automating remote procdump and parsing of the lsass process.</td>
</tr>
<tr>
<td><a href="https://github.com/Arvanaghi/SessionGopher">Arvanaghi/SessionGopher</a></td>
<td>SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.</td>
</tr>
<tr>
<td><a href="https://github.com/b4rtik/SharpKatz">b4rtik/SharpKatz</a></td>
<td>Port of the mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands</td>
</tr>
<tr>
<td><a href="https://github.com/b4rtik/SharpMiniDump">b4rtik/SharpMiniDump</a></td>
<td>Create a minidump of the LSASS process from memory</td>
</tr>
<tr>
<td><a href="https://github.com/blacklanternsecurity/TREVORspray">blacklanternsecurity/TREVORspray</a></td>
<td>A featureful round-robin SOCKS proxy and Python O365 sprayer based on MSOLSpray, which uses the Microsoft Graph API</td>
</tr>
<tr>
<td><a href="https://github.com/byt3bl33d3r/SprayingToolkit">byt3bl33d3r/SprayingToolkit</a></td>
<td>Scripts to make password spraying attacks against Lync/S4B, OWA and O365 a lot quicker, less painful and more efficient</td>
</tr>
<tr>
<td><a href="https://github.com/dafthack/MSOLSpray">dafthack/MSOLSpray</a></td>
<td>A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs whether a user credential is valid, whether MFA is enabled on the account, whether a tenant doesn't exist, whether a user doesn't exist, whether the account is locked, and whether the account is disabled.</td>
</tr>
<tr>
<td><a href="https://github.com/DanMcInerney/icebreaker">DanMcInerney/icebreaker</a></td>
<td>Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment</td>
</tr>
<tr>
<td><a href="https://github.com/eladshamir/Internal-Monologue">eladshamir/Internal-Monologue</a></td>
<td>Internal Monologue attack: retrieving NTLM hashes without touching LSASS</td>
</tr>
<tr>
<td><a href="https://github.com/Flangvik/BetterSafetyKatz">Flangvik/BetterSafetyKatz</a></td>
<td>Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, patches signatures at runtime and uses SharpSploit DInvoke to PE-load it into memory.</td>
</tr>
<tr>
<td><a href="https://github.com/FSecureLABS/physmem2profit">FSecureLABS/physmem2profit</a></td>
<td>Physmem2profit can be used to create a minidump of a target host's LSASS process by analysing physical memory remotely</td>
</tr>
<tr>
<td><a href="https://github.com/G0ldenGunSec/SharpSecDump">G0ldenGunSec/SharpSecDump</a></td>
<td>.NET port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py</td>
</tr>
<tr>
<td><a href="https://github.com/GhostPack/SafetyKatz">GhostPack/SafetyKatz</a></td>
<td>SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader</td>
</tr>
<tr>
<td><a href="https://github.com/GhostPack/SharpDump">GhostPack/SharpDump</a></td>
<td>SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.</td>
</tr>
<tr>
<td><a href="https://github.com/GhostPack/Rubeus">GhostPack/Rubeus</a></td>
<td>Rubeus is a C# toolset for raw Kerberos interaction and abuses</td>
</tr>
<tr>
<td><a href="https://github.com/gitjdm/dumper2020">gitjdm/dumper2020</a></td>
<td>Yet another LSASS dumper</td>
</tr>
<tr>
<td><a href="https://github.com/Hackndo/lsassy">Hackndo/lsassy</a></td>
<td>Extract credentials from lsass remotely</td>
</tr>
<tr>
<td><a href="https://github.com/jfmaes/SharpHandler">jfmaes/SharpHandler</a></td>
<td>Duplicating handles to dump LSASS since 2021</td>
</tr>
<tr>
<td><a href="https://github.com/Kevin-Robertson/Inveigh">Kevin-Robertson/Inveigh</a></td>
<td>Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool</td>
</tr>
<tr>
<td><a href="https://github.com/nidem/kerberoast">nidem/kerberoast</a></td>
<td>Kerberoast is a series of tools for attacking MS Kerberos implementations.</td>
</tr>
<tr>
<td><a href="https://github.com/oxfemale/LogonCredentialsSteal">oxfemale/LogonCredentialsSteal</a></td>
<td>Local and remote hook of msv1_0!SpAcceptCredentials in LSASS.exe, dumping domain/login/password in cleartext to a text file.</td>
</tr>
<tr>
<td><a href="https://github.com/peewpw/Invoke-WCMDump">peewpw/Invoke-WCMDump</a></td>
<td>PowerShell script to dump Windows credentials from the Credential Manager</td>
</tr>
<tr>
<td><a href="https://github.com/PorLaCola25/TransactedSharpMiniDump">PorLaCola25/TransactedSharpMiniDump</a></td>
<td>Implementation of b4rtik's SharpMiniDump using NTFS transactions to avoid writing the minidump to disk, exfiltrating it via HTTPS using sockets.</td>
</tr>
<tr>
<td><a href="https://github.com/putterpanda/mimikittenz">putterpanda/mimikittenz</a></td>
<td>A post-exploitation PowerShell tool for extracting juicy info from memory.</td>
</tr>
<tr>
<td><a href="https://github.com/shantanu561993/SharpLoginPrompt">shantanu561993/SharpLoginPrompt</a></td>
<td>This program creates a login prompt to gather the username and password of the current user. It allows a red team to phish the current user's username and password without touching lsass or having administrator credentials on the system.</td>
</tr>
<tr>
<td><a href="https://github.com/skelsec/pypykatz">skelsec/pypykatz</a></td>
<td>Mimikatz implementation in pure Python</td>
</tr>
<tr>
<td><a href="https://github.com/SnaffCon/Snaffler">SnaffCon/Snaffler</a></td>
<td>Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).</td>
</tr>
<tr>
<td><a href="https://github.com/uknowsec/SharpDecryptPwd">uknowsec/SharpDecryptPwd</a></td>
<td>Parses the passwords saved on a Windows system by several programs, including Navicat, TeamViewer, FileZilla, WinSCP and the Xmanager family of products (Xshell, Xftp).</td>
</tr>
<tr>
<td><a href="https://github.com/ustayready/SharpHose">ustayready/SharpHose</a></td>
<td>Asynchronous password spraying tool in C# for Windows environments</td>
</tr>
<tr>
<td><a href="https://github.com/Viralmaniar/Remote-Desktop-Caching-">Viralmaniar/Remote-Desktop-Caching-</a></td>
<td>This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allow a red team member to extract juicy information such as LAPS passwords or any sensitive information on the screen.</td>
</tr>
</table>
## Lateral Movement
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/0xcpu/winsmsd">0xcpu/winsmsd</a></td>
<td>Windows (ShadowMove) socket duplication</td>
</tr>
<tr>
<td><a href="https://github.com/0xthirteen/SharpMove">0xthirteen/SharpMove</a></td>
<td>.NET project for performing authenticated remote execution</td>
</tr>
<tr>
<td><a href="https://github.com/0xthirteen/SharpRDP">0xthirteen/SharpRDP</a></td>
<td>Remote Desktop Protocol .NET console application for authenticated command execution</td>
</tr>
<tr>
<td><a href="https://github.com/360-Linton-Lab/WMIHACKER">360-Linton-Lab/WMIHACKER</a></td>
<td>An anti-virus-bypassing lateral movement command execution tool</td>
</tr>
<tr>
<td><a href="https://github.com/bohops/WSMan-WinRM">bohops/WSMan-WinRM</a></td>
<td>A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object</td>
</tr>
<tr>
<td><a href="https://github.com/byt3bl33d3r/CrackMapExec">byt3bl33d3r/CrackMapExec</a></td>
<td>A swiss army knife for pentesting networks</td>
</tr>
<tr>
<td><a href="https://github.com/cube0x0/SharpMapExec">cube0x0/SharpMapExec</a></td>
<td>A sharpened version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife made for running on Windows, which is often a requirement during insider threat simulation engagements.</td>
</tr>
<tr>
<td><a href="https://github.com/cobbr/SharpSploit">cobbr/SharpSploit</a></td>
<td>SharpSploit is a .NET post-exploitation library written in C#</td>
</tr>
<tr>
<td><a href="https://github.com/cyberark/shimit">cyberark/shimit</a></td>
<td>A tool that implements the Golden SAML attack</td>
</tr>
<tr>
<td><a href="https://github.com/DefensiveOrigins/PlumHound">DefensiveOrigins/PlumHound</a></td>
<td>BloodHound for blue and purple teams</td>
</tr>
<tr>
<td><a href="https://github.com/infosecn1nja/SharpDoor">infosecn1nja/SharpDoor</a></td>
<td>SharpDoor is an alternative to RDPWrap written in C# that allows multiple RDP (Remote Desktop) sessions by patching the termsrv.dll file.</td>
</tr>
<tr>
<td><a href="https://github.com/knavesec/Max">knavesec/Max</a></td>
<td>Maximizing BloodHound. Max is a good boy.</td>
</tr>
<tr>
<td><a href="https://github.com/Mr-Un1k0d3r/SCShell">Mr-Un1k0d3r/SCShell</a></td>
<td>Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands</td>
</tr>
<tr>
<td><a href="https://github.com/rvrsh3ll/SharpCOM">rvrsh3ll/SharpCOM</a></td>
<td>SharpCOM is a C# port of Invoke-DCOM</td>
</tr>
<tr>
<td><a href="https://github.com/ScorpionesLabs/DVS">ScorpionesLabs/DVS</a></td>
<td>D(COM) V(ulnerability) S(canner), AKA Devious swiss army knife: lateral movement using DCOM objects</td>
</tr>
<tr>
<td><a href="https://github.com/tothi/rbcd-attack">tothi/rbcd-attack</a></td>
<td>Kerberos Resource-Based Constrained Delegation attack from outside using Impacket</td>
</tr>
</table>
## Collection
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/djhohnstein/SharpChromium">djhohnstein/SharpChromium</a></td>
<td>.NET 4.0 CLR project to retrieve Chromium data, such as cookies, history and saved logins.</td>
</tr>
</table>
## Command & Control
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/3xpl01tc0d3r/Callidus">3xpl01tc0d3r/Callidus</a></td>
<td>Developed in C# on the .NET Core framework. Allows operators to leverage O365 services for establishing a command and control communication channel. It uses Microsoft Graph APIs to communicate with O365 services.</td>
</tr>
<tr>
<td><a href="https://github.com/bats3c/shad0w">bats3c/shad0w</a></td>
<td>SHAD0W is a modular C2 framework designed to successfully operate on mature environments.</td>
</tr>
<tr>
<td><a href="https://github.com/byt3bl33d3r/SILENTTRINITY">byt3bl33d3r/SILENTTRINITY</a></td>
<td>An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR</td>
</tr>
<tr>
<td><a href="https://github.com/cedowens/C2_Cradle">cedowens/C2_Cradle</a></td>
<td>Tool to download, install, and run macOS-capable command and control servers (i.e., C2s with macOS payloads/clients) as Docker containers from a list of options. This is helpful for automating C2 server setup.</td>
</tr>
<tr>
<td><a href="https://github.com/cobbr/Covenant">cobbr/Covenant</a></td>
<td>Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.</td>
</tr>
<tr>
<td><a href="https://github.com/DeimosC2/DeimosC2">DeimosC2/DeimosC2</a></td>
<td>DeimosC2 is a Golang command and control framework for post-exploitation.</td>
</tr>
<tr>
<td><a href="https://github.com/fbkcs/ThunderDNS">fbkcs/ThunderDNS</a></td>
<td>This tool can forward TCP traffic over the DNS protocol. Non-compiled clients + socks5 support.</td>
</tr>
<tr>
<td><a href="https://github.com/mhaskar/Octopus">mhaskar/Octopus</a></td>
<td>Open source pre-operation C2 server based on Python and PowerShell</td>
</tr>
<tr>
<td><a href="https://github.com/nettitude/SharpSocks">nettitude/SharpSocks</a></td>
<td>Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell</td>
</tr>
<tr>
<td><a href="https://github.com/Ne0nd0g/merlin">Ne0nd0g/merlin</a></td>
<td>Merlin is a cross-platform post-exploitation HTTP/2 command and control server and agent written in Golang.</td>
</tr>
<tr>
<td><a href="https://github.com/p3nt4/Nuages">p3nt4/Nuages</a></td>
<td>A modular C2 framework</td>
</tr>
<tr>
<td><a href="http://prismatica.io/">Project Prismatica</a></td>
<td>Project Prismatica is a focused framework for command and control that is dedicated to extensibility.</td>
</tr>
<tr>
<td><a href="https://github.com/r3nhat/GRAT2">r3nhat/GRAT2</a></td>
<td>GRAT2 is a command and control (C2) tool with the server written in Python 3 and the client in .NET 4.5</td>
</tr>
<tr>
<td><a href="https://github.com/sensepost/godoh">sensepost/goDoH</a></td>
<td>godoh: a DNS-over-HTTPS C2</td>
</tr>
<tr>
<td><a href="https://github.com/SpiderLabs/DoHC2">SpiderLabs/DoHC2</a></td>
<td>DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).</td>
</tr>
</table>
## Exfiltration
<table>
<tr>
<td><b>Link</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><a href="https://github.com/evilsocket/sg1">evilsocket/sg1</a></td>
<td>A wannabe swiss army knife for data encryption, exfiltration and covert communication.</td>
</tr>
<tr>
<td><a href="https://github.com/hackerschoice/gsocket">hackerschoice/gsocket</a></td>
<td>Global Socket. Moving data from here to there. Securely, fast and through NAT/firewalls</td>
</tr>
<tr>
<td><a href="https://github.com/hackerschoice/gs-transfer">hackerschoice/gs-transfer</a></td>
<td>Secure file transfer via the Global Socket Bounce Network</td>
</tr>
<tr>
<td><a href="https://github.com/m57/dnsteal">m57/dnsteal</a></td>
<td>DNS exfiltration tool for stealthily sending files over DNS requests.</td>
</tr>
<tr>
<td><a href="https://github.com/mdsecactivebreach/RegistryStrikesBack">mdsecactivebreach/RegistryStrikesBack</a></td>
<td>RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. It can be useful for exfiltrating config files, for example to support actions like those described in the "Segmentation Vault" article on the MDSec blog.</td>
</tr>
<tr>
<td><a href="https://github.com/pentestpartners/PTP-RAT">pentestpartners/PTP-RAT</a></td>
<td>Exfiltrate data over screen interfaces. <a href="https://www.pentestpartners.com/security-blog/exfiltration-by-encoding-data-in-pixel-colour-values/">For more information.</a></td>
</tr>
<tr>
<td><a href="https://github.com/sensepost/DET">sensepost/DET</a></td>
<td>DET (provided AS IS) is a proof of concept for performing data exfiltration using either single or multiple channels at the same time.</td>
</tr>
<tr>
<td><a href="https://github.com/SySS-Research/Seth">SySS-Research/Seth</a></td>
<td>Perform a MitM attack and extract clear text credentials from RDP connections</td>
</tr>
<tr>
<td><a href="https://github.com/veggiedefender/browsertunnel">veggiedefender/browsertunnel</a></td>
<td></td>
</tr>
<tr>
<td><a href="https://github.com/vp777/procrustes">vp777/procrustes</a></td>
<td>A bash script that automates the exfiltration of data over DNS for the case of blind command execution on a server where all outbound connections except DNS are blocked.</td>
</tr>
</table>