| Link | Description |
| dev-2null/ADCollector | A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending. |
| GhostPack/Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
| NetSPI/goddi | goddi (go dump domain info) dumps Active Directory domain information |
| outflanknl/Recon-AD | Recon-AD, an AD recon tool based on ADSI and reflective DLL’s |
| sud0woodo/DCOMrade | Powershell script for enumerating vulnerable DCOM Applications |
| Link | Description |
| api0cradle/LOLBAS | Living Off The Land Binaries and Scripts (and now also Libraries) |
| bohops/GhostBuild | GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects |
| Cn33liz/p0wnedShell | p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET) |
| FuzzySecurity/PowerShell-Suite | There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. |
| nccgroup/GTFOBLookup | Offline command line lookup utility for GTFOBins |
| Link | Description |
| Cybellum/DoubleAgent | DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). |
| jonatan1024/clrinject | Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process. |
| monoxgas/sRDI | Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode |
| stephenfewer/ReflectiveDLLInjection | Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process |
| slyd0g/UrbanBishopLocal | A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop |
| Link | Description |
| BC-SECURITY/Empire | Empire is a PowerShell and Python post-exploitation agent. |
| mdsecactivebreach/SharpShooter | SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. |
| Plazmaz/LNKUp | Generates malicious LNK file payloads for data exfiltration |
| sevagas/macro_pack | macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation. |
| trustedsec/unicorn | Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. |
| Link | Description |
| fireeye/SharPersist | Windows persistence toolkit written in C#. |
| Link | Description |
| 0xbadjuju/Tokenvator | A tool to elevate privilege with Windows Tokens |
| 411Hall/JAWS | JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7. |
| hlldz/dazzleUP | A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. |
| Link | Description |
| api0cradle/UltimateAppLockerByPassList | The goal of this repository is to document the most common techniques to bypass AppLocker. |
| danielbohannon/Invoke-DOSfuscation | Cmd.exe Command Obfuscation Generator & Detection Test Harness |
| hlldz/Invoke-Phant0m | Windows Event Log Killer |
| huntresslabs/evading-autoruns | Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017) |
| mdsecactivebreach/Chameleon | Chameleon: A tool for evading Proxy categorisation |
| nccgroup/demiguise | HTA encryption tool for RedTeams |
| OmerYa/Invisi-Shell | Hide your Powershell script in plain sight. Bypass all Powershell security features |
| peewpw/Invoke-PSImage | Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute |
| secretsquirrel/SigThief | Stealing Signatures and Making One Invalid Signature at a Time |
| Link | Description |
| Arvanaghi/SessionGopher | SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. |
| DanMcInerney/icebreaker | Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment |
| eladshamir/Internal-Monologue | Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
| FSecureLABS/physmem2profit | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely |
| Kevin-Robertson/Inveigh | Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool |
| nidem/kerberoast | Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does. |
| peewpw/Invoke-WCMDump | PowerShell Script to Dump Windows Credentials from the Credential Manager |
| putterpanda/mimikittenz | A post-exploitation powershell tool for extracting juicy info from memory. |
| Link | Description |
| byt3bl33d3r/CrackMapExec | A swiss army knife for pentesting networks |
| cobbr/SharpSploit | SharpSploit is a .NET post-exploitation library written in C# |
| DefensiveOrigins/PlumHound | Bloodhound for Blue and Purple Teams |
| ScorpionesLabs/DVS | D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects |
| Link | Description |
| 3xpl01tc0d3r/Callidus | It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services. |
| byt3bl33d3r/SILENTTRINITY | An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR |
| cobbr/Covenant | Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. |
| fbkcs/ThunderDNS | This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support. |
| Ne0nd0g/merlin | Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. |
| Project Prismatica | Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility. |
| sensepost/goDoH | godoh - A DNS-over-HTTPS C2 |
| SpiderLabs/DoHC2 | DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). |
| Link | Description |
| evilsocket/sg1 | A wanna be swiss army knife for data encryption, exfiltration and covert communication. |
| hackerschoice/gsockethackerschoice/gsocket | Global Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls |
| pentestpartners/PTP-RAT | Exfiltrate data over screen interfaces. For more information. |
| sensepost/DET | DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time. |
| SySS-Research/Seth | Perform a MitM attack and extract clear text credentials from RDP connections |
| vp777/procrustes | A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked. |