Link |
Description |
danielbohannon/Invoke-CradleCrafter |
PowerShell Remote Download Cradle Generator & Obfuscator |
dev-2null/ADCollector |
A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending. |
dirkjanm/ROADtools |
The Azure AD exploration framework. |
djhohnstein/SharpShares |
Enumerate all network shares in the current domain. Also, can resolve names to IP addresses. |
GhostPack/Seatbelt |
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
jaredhaight/scout |
A .NET assembly for performing recon against hosts on a network |
mdsecactivebreach/sitrep |
SitRep is intended to provide a lightweight, extensible host triage alternative. |
NetSPI/goddi |
goddi (go dump domain info) dumps Active Directory domain information |
outflanknl/Recon-AD |
Recon-AD, an AD recon tool based on ADSI and reflective DLL’s |
rasta-mouse/Watson |
Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilitiesEnumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities |
stufus/reconerator |
C# Targeted Attack Reconnissance Tools |
sud0woodo/DCOMrade |
Powershell script for enumerating vulnerable DCOM Applications |
tevora-threat/SharpView |
C# implementation of harmj0y's PowerView |
TonyPhipps/Meerkat |
A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints. |
## Execution
Link |
Description |
api0cradle/LOLBAS |
Living Off The Land Binaries and Scripts (and now also Libraries) |
bohops/GhostBuild |
GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects |
cobbr/SharpSploit |
SharpSploit is a .NET post-exploitation library written in C# |
checkymander/Zolom |
C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed |
Cn33liz/p0wnedShell |
p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET) |
D00MFist/Go4aRun |
Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process |
Flangvik/SharpCollection |
Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. |
FuzzySecurity/PowerShell-Suite |
There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. |
GhostPack/SharpWMI |
SharpWMI is a C# implementation of various WMI functionality. |
hausec/MaliciousClickOnceMSBuild |
Basic C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce. |
jhalon/SharpCall |
Simple PoC demonstrating syscall execution in C# |
mgeeky/Stracciatella |
OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup |
Mr-Un1k0d3r/RedTeamCSharpScripts |
C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable. |
nccgroup/GTFOBLookup |
Offline command line lookup utility for GTFOBins |
NYAN-x-CAT/Csharp-Loader |
Download a .NET payload and run it on memory |
rasta-mouse/MiscTools |
Miscellaneous Tools |
ropnop/go-sharp-loader.go |
Example Go program with multiple .NET Binaries embedded |
sh4hin/GoPurple |
Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions |
### Manipulating Binary's Internal
Link |
Description |
Cybellum/DoubleAgent |
DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). |
Flangvik/SharpDllProxy |
Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading |
/forrest-orr/phantom-dll-hollower-poc |
Phantom DLL hollowing PoC |
GoodstudyChina/APC-injection-x86-x64 |
injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC. |
jonatan1024/clrinject |
Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process. |
jthuraisamy/SysWhispers |
SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. |
mobdk/Sigma |
Execute shellcode with ZwCreateSection, ZwMapViewOfSection, ZwOpenProcess, ZwMapViewOfSection and ZwCreateThreadEx |
monoxgas/sRDI |
Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode |
stephenfewer/ReflectiveDLLInjection |
Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process |
slyd0g/UrbanBishopLocal |
A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop |
r3nhat/XORedReflectiveDLL |
Reflective DLL Injection with obfuscated (XOR) shellcode |
### Payload Generation
Link |
Description |
BC-SECURITY/Empire |
Empire is a PowerShell and Python post-exploitation agent. |
Binject/backdoorfactory |
A from-scratch rewrite of The Backdoor Factory - a MitM tool for inserting shellcode into all types of binaries on the wire. |
BishopFox/sliver |
Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. |
cedowens/Mythic-Macro-Generator |
Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens |
damienvanrobaeys/PS1-To-EXE-Generator |
PS1 to EXE Generator: Create an EXE for your PS1 scripts |
FortyNorthSecurity/EXCELntDonut |
Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory. |
FortyNorthSecurity/hot-manchego |
Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library. |
gen0cide/gscript |
framework to rapidly implement custom droppers for all three major operating systems |
glinares/InlineShapesPayload |
VBA InlineShapes Payload Generator |
Greenwolf/ntlm_theft |
A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf) |
infosecn1nja/MaliciousMacroMSBuild |
Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. |
l373/GIVINGSTORM |
Infection vector that bypasses AV, IDS, and IPS. (For now...) |
mdsecactivebreach/SharpShooter |
SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. |
michaelweber/Macrome |
Excel Macro Document Reader/Writer for Red Teamers & Analysts |
Mr-Un1k0d3r/MaliciousDLLGenerator |
DLL Generator for side loading attack |
Plazmaz/LNKUp |
Generates malicious LNK file payloads for data exfiltration |
redcanaryco/chain-reactor |
Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints. |
sevagas/macro_pack |
macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation. |
TheWover/donut |
Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters |
trustedsec/unicorn |
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. |
## Persistence
## Credential Access
Link |
Description |
aas-n/spraykatz |
Credentials gathering tool automating remote procdump and parse of lsass process. |
Arvanaghi/SessionGopher |
SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. |
DanMcInerney/icebreaker |
Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment |
eladshamir/Internal-Monologue |
Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
FSecureLABS/physmem2profit |
Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely |
GhostPack/SafetyKatz |
SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader |
GhostPack/SharpDump |
SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. |
GhostPack/Rubeus |
Rubeus is a C# toolset for raw Kerberos interaction and abusesRubeus is a C# toolset for raw Kerberos interaction and abuses |
Kevin-Robertson/Inveigh |
Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool |
nidem/kerberoast |
Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does. |
peewpw/Invoke-WCMDump |
PowerShell Script to Dump Windows Credentials from the Credential Manager |
putterpanda/mimikittenz |
A post-exploitation powershell tool for extracting juicy info from memory. |
## Lateral Movement
Link |
Description |
3xpl01tc0d3r/Callidus |
It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services. |
byt3bl33d3r/SILENTTRINITY |
An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR |
cobbr/Covenant |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. |
fbkcs/ThunderDNS |
This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support. |
Ne0nd0g/merlin |
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. |
Project Prismatica |
Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility. |
sensepost/goDoH |
godoh - A DNS-over-HTTPS C2 |
SpiderLabs/DoHC2 |
DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). |
## Exfiltration