# Offensive Bookmark

This page will contain my bookmark for offensive tools, briefly categorized based on [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/). Some links and sections on [README.md](README.md) will be relocated to this page if it's related to offensive tactics and techniques. Some tools can be categorized in more than one category. But because the current bookmark model doesn't support 1-to-many mapping, I will decide a tool's category based on its ultimate goal. - [Reconnaissance/Discovery](#reconnaissancediscovery) - [Execution](#execution) - [Manipulating Binary's Internal](#manipulating-binarys-internal) - [Payload Generation](#payload-generation) - [Persistence](#persistence) - [Privilege Escalation](#privilege-escalation) - [Defense Evasion](#defense-evasion) - [Credential Access](#credential-access) - [Lateral Movement](#lateral-movement) - [Command & Control](#command--control) - [Exfiltration](#exfiltration) ## Reconnaissance/Discovery
Link Description
dev-2null/ADCollector A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending.
dirkjanm/ROADtools The Azure AD exploration framework.
djhohnstein/SharpShares Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
GhostPack/Seatbelt Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
jaredhaight/scout A .NET assembly for performing recon against hosts on a network
mdsecactivebreach/sitrep SitRep is intended to provide a lightweight, extensible host triage alternative.
NetSPI/goddi goddi (go dump domain info) dumps Active Directory domain information
outflanknl/Recon-AD Recon-AD, an AD recon tool based on ADSI and reflective DLL’s
rasta-mouse/Watson Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilitiesEnumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
stufus/reconerator C# Targeted Attack Reconnissance Tools
sud0woodo/DCOMrade Powershell script for enumerating vulnerable DCOM Applications
tevora-threat/SharpView C# implementation of harmj0y's PowerView
TonyPhipps/Meerkat A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.
## Execution
Link Description
api0cradle/LOLBAS Living Off The Land Binaries and Scripts (and now also Libraries)
bohops/GhostBuild GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects
cobbr/SharpSploit SharpSploit is a .NET post-exploitation library written in C#
checkymander/Zolom C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed
Cn33liz/p0wnedShell p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET)
Flangvik/SharpCollection Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
FuzzySecurity/PowerShell-Suite There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
jhalon/SharpCall Simple PoC demonstrating syscall execution in C#
mgeeky/Stracciatella OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
Mr-Un1k0d3r/RedTeamCSharpScripts C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable.
nccgroup/GTFOBLookup Offline command line lookup utility for GTFOBins
NYAN-x-CAT/Csharp-Loader Download a .NET payload and run it on memory
rasta-mouse/MiscTools Miscellaneous Tools
sh4hin/GoPurple Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions
### Manipulating Binary's Internal
Link Description
Cybellum/DoubleAgent DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
Flangvik/SharpDllProxy Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
jonatan1024/clrinject Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
monoxgas/sRDI Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
stephenfewer/ReflectiveDLLInjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
slyd0g/UrbanBishopLocal A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop
### Payload Generation
Link Description
BC-SECURITY/Empire Empire is a PowerShell and Python post-exploitation agent.
l373/GIVINGSTORM Infection vector that bypasses AV, IDS, and IPS. (For now...)
mdsecactivebreach/SharpShooter SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
Plazmaz/LNKUp Generates malicious LNK file payloads for data exfiltration
sevagas/macro_pack macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation.
TheWover/donut Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
trustedsec/unicorn Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
## Persistence
Link Description
fireeye/SharPersist Windows persistence toolkit written in C#.
## Privilege Escalation
Link Description
0xbadjuju/Tokenvator A tool to elevate privilege with Windows Tokens
411Hall/JAWS JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
hlldz/dazzleUP A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems.
## Defense Evasion
Link Description
api0cradle/UltimateAppLockerByPassList The goal of this repository is to document the most common techniques to bypass AppLocker.
danielbohannon/Invoke-DOSfuscation Cmd.exe Command Obfuscation Generator & Detection Test Harness
hlldz/Invoke-Phant0m Windows Event Log Killer
huntresslabs/evading-autoruns Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
mdsecactivebreach/Chameleon Chameleon: A tool for evading Proxy categorisation
nccgroup/demiguise HTA encryption tool for RedTeams
OmerYa/Invisi-Shell Hide your Powershell script in plain sight. Bypass all Powershell security features
peewpw/Invoke-PSImage Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
secretsquirrel/SigThief Stealing Signatures and Making One Invalid Signature at a Time
## Credential Access
Link Description
Arvanaghi/SessionGopher SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
DanMcInerney/icebreaker Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
eladshamir/Internal-Monologue Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
FSecureLABS/physmem2profit Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
Kevin-Robertson/Inveigh Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
nidem/kerberoast Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.
peewpw/Invoke-WCMDump PowerShell Script to Dump Windows Credentials from the Credential Manager
putterpanda/mimikittenz A post-exploitation powershell tool for extracting juicy info from memory.
## Lateral Movement
Link Description
360-Linton-Lab/WMIHACKER A Bypass Anti-virus Software Lateral Movement Command Execution Tool
byt3bl33d3r/CrackMapExec A swiss army knife for pentesting networks
cobbr/SharpSploit SharpSploit is a .NET post-exploitation library written in C#
DefensiveOrigins/PlumHound Bloodhound for Blue and Purple Teams
Mr-Un1k0d3r/SCShell Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
ScorpionesLabs/DVS D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
## Command & Control
Link Description
3xpl01tc0d3r/Callidus It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services.
byt3bl33d3r/SILENTTRINITY An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
cobbr/Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
fbkcs/ThunderDNS This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.
Ne0nd0g/merlin Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
Project Prismatica Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility.
sensepost/goDoH godoh - A DNS-over-HTTPS C2
SpiderLabs/DoHC2 DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
## Exfiltration
Link Description
evilsocket/sg1 A wanna be swiss army knife for data encryption, exfiltration and covert communication.
hackerschoice/gsockethackerschoice/gsocket Global Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls
pentestpartners/PTP-RAT Exfiltrate data over screen interfaces. For more information.
sensepost/DET DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
SySS-Research/Seth Perform a MitM attack and extract clear text credentials from RDP connections
vp777/procrustes A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.