# Offensive Bookmark

This page will contain my bookmark for offensive tools, briefly categorized based on [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/). Some links and sections on [README.md](README.md) will be relocated to this page if it's related to offensive tactics and techniques. Some tools can be categorized in more than one category. But because the current bookmark model doesn't support 1-to-many mapping, I will decide a tool's category based on its ultimate goal. - [Reconnaissance/Discovery](#reconnaissancediscovery) - [Initial Access](#initial-access) - [Execution](#execution) - [Persistence](#persistence) - [Privilege Escalation](#privilege-escalation) - [Defense Evasion](#defense-evasion) - [Credential Access](#credential-access) - [Lateral Movement](#lateral-movement) - [Collection](#collection) - [Command & Control](#command--control) - [Exfiltration](#exfiltration) ## Reconnaissance/Discovery
Link Description
asaurusrex/Probatorum-EDR-Userland-Hook-Checker Project to check which Nt/Zw functions your local EDR is hooking
boku7/whereami Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
chdav/SharpCGHunter Receive the status of Windows Defender Credential Guard on network hosts.
codingo/Reconnoitre A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
dev-2null/ADCollector A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending.
dirkjanm/ROADtools The Azure AD exploration framework.
djhohnstein/SharpSearch Search files for extensions as well as text within.
djhohnstein/SharpShares Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
dsnezhkov/TruffleSnout Iterative AD discovery toolkit for offensive operations
EspressoCake/Process_Protection_Level_BOF A Syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in.
fashionproof/CheckSafeBoot I used this to see if an EDR is running in Safe Mode
GhostPack/Seatbelt Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
jaredhaight/scout A .NET assembly for performing recon against hosts on a network
lkarlslund/adalanche Active Directory ACL Visualizer - who's really Domain Admin?
mdsecactivebreach/sitrep SitRep is intended to provide a lightweight, extensible host triage alternative.
mez-0/SharpShares .NET 4.0 Share Hunting and ACL Mapping
Mr-Un1k0d3r/ADHuntTool official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
nccgroup/Carnivore Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
NetSPI/goddi goddi (go dump domain info) dumps Active Directory domain information
optiv/Registry-Recon Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon
outflanknl/Recon-AD Recon-AD, an AD recon tool based on ADSI and reflective DLL’s
rasta-mouse/Watson Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilitiesEnumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
rvrsh3ll/SharpPrinter Discover Printers
s0lst1c3/SharpFinder Description: Searches for files matching specific criteria on readable shares within the domain.
S3cur3Th1sSh1t/Invoke-Sharpcradle Load C# Code from a Webserver straight to memory and execute it there.
sophoslabs/metasploit_gather_exchange Metasploit Post-Exploitation Gather module for Exchange Server
stufus/reconerator C# Targeted Attack Reconnissance Tools
sud0woodo/DCOMrade Powershell script for enumerating vulnerable DCOM Applications
T0pCyber/hawk Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
tasox/LogRM LogRM is a post exploitation powershell script which it uses windows event logs to gather information about internal network
tevora-threat/SharpView C# implementation of harmj0y's PowerView
TonyPhipps/Meerkat A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.
tomcarver16/ADSearch A tool to help query AD via the LDAP protocol
vletoux/SpoolerScanner Check if MS-RPRN is remotely available with powershell/c#
yogeshojha/rengine reNgine is a reconnaissance engine(framework) that does end-to-end reconnaissance with the help of highly configurable scan engines and does information gathering about the target web application. reNgine makes use of various open-source tools and makes a configurable pipeline of reconnaissance.
ZeroPointSecurity/Domain-Enumeration-Tool Perform Windows domain enumeration via LDAP
## Initial Access
Link Description
BeetleChunks/SpoolSploit A collection of Windows print spooler exploits containerized with other utilities for practical exploitation.
shelld3v/PwnVPN The best exploitation tool for SSL VPN 0day vulnerabilities
## Execution
Link Description
Accenture/CLRvoyance Managed assembly shellcode generation
aeverj/NimShellCodeLoader Nim编写Windows平台shellcode免杀加载器
airbus-cert/Invoke-BOF Load any Beacon Object File using Powershell!
ajpc500/NimlineWhispers A very proof-of-concept port of InlineWhispers for using syscalls in Nim projects.
Akaion/Bleak A Windows native DLL injection library that supports several methods of injection.
antonioCoco/SharPyShell SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
api0cradle/LOLBAS Living Off The Land Binaries and Scripts (and now also Libraries)
ariary/fileless-xec Stealth dropper executing remote binaries without dropping them on disk .(HTTP3 support, ICMP support, invisible tracks, cross-platform,...)
b1tg/rust-windows-shellcode Windows shellcode development in Rust
bats3c/DarkLoadLibrary LoadLibrary for offensive operations
BC-SECURITY/Empire Empire is a PowerShell and Python post-exploitation agent.
BC-SECURITY/Offensive-VBA-and-XLS-Entanglement Offensive VBA and XLS Entanglement
Binject/backdoorfactory A from-scratch rewrite of The Backdoor Factory - a MitM tool for inserting shellcode into all types of binaries on the wire.
boku7/bof-spawnSuspendedProcess Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state
bohops/GhostBuild GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects
bytecode77/living-off-the-land Fileless attack with persistence
ByteJunkies-co-uk/Metsubushi Generate droppers with encrypted payloads automatically.
capt-meelo/Beaconator A beacon generator using Cobalt Strike and PEzor.
cdong1012/Crab-Runner Shellcode runner in Rust
cedowens/Mythic-Macro-Generator Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens
ChaitanyaHaritash/Callback_Shellcode_Injection POCs for Shellcode Injection via Callbacks
Ch0pin/AVIator AV|Ator is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection.
checkymander/Sharp-SMBExec SMBExec C# module
cobbr/SharpSploit SharpSploit is a .NET post-exploitation library written in C#
connormcgarr/LittleCorporal LittleCorporal: A C# Automated Maldoc Generator
Cn33liz/StarFighters A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host.
Cr4sh/KernelForge A library to develop kernel level Windows payloads for post HVCI era
cribdragg3r/Alaris A protective and Low Level Shellcode Loader the defeats modern EDR systems.
cube0x0/SharpeningCobaltStrike I realtime v35/40 dotnet compiler for your linux Cobalt Strike C2. New fresh compiled and obfuscated binary for each use
Cybellum/DoubleAgent DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
cytopia/kusanagi Kusanagi is a bind and reverse shell payload generator with obfuscation and badchar support.
D00MFist/Go4aRun Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process
damienvanrobaeys/PS1-To-EXE-Generator PS1 to EXE Generator: Create an EXE for your PS1 scripts
darkr4y/geacon Practice Go programming and implement CobaltStrike's Beacon in Go
D00MFist/Mystikal macOS Initial Access Payload Generator
dtrizna/easy-hollow Automated build for process hollowing shellcode loader. Build on top of TikiTorch and donut projects.
EddieIvan01/memexec A library for loading and executing PE (Portable Executable) from memory without ever touching the disk
EntySec/HatVenom HatVenom is a HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.
erikgeiser/govenom govenom is a msfvenom-inspired cross-platform payload generator toolkit written in Go
EspressoCake/DLL-Hijack-Search-Order-BOF DLL Hijack Search Order Enumeration BOF
FalconForceTeam/BOF2shellcode POC tool to convert CobaltStrike BOF files to raw shellcode
FatCyclone/D-Pwn D/Invoke standalone shellcode runners
Flangvik/SharpCollection Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
forrest-orr/artifacts-kit Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
FortyNorthSecurity/CIMplant C# port of WMImplant which uses either CIM or WMI to query remote systems
FortyNorthSecurity/EDD Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
FortyNorthSecurity/EXCELntDonut Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
FortyNorthSecurity/hot-manchego Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
frkngksl/Huan Encrypted PE Loader Generator
FuzzySecurity/PowerShell-Suite There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
gen0cide/gscript framework to rapidly implement custom droppers for all three major operating systems
GetRektBoy724/MeterPwrShell Automated Tool That Generate The Perfect Powershell Payload
GhostPack/SharpWMI SharpWMI is a C# implementation of various WMI functionality.
gigajew/WinXRunPE Two C# RunPE's capable of x86 and x64 injections
glinares/InlineShapesPayload VBA InlineShapes Payload Generator
gloxec/CrossC2 Generate CobaltStrike's cross-platform payload
hausec/MaliciousClickOnceMSBuild Basic C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce.
hasherezade/masm_shc A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
JamesCooteUK/SharpSphere .NET Project for Attacking vCenter
jhalon/SharpCall Simple PoC demonstrating syscall execution in C#
jfmaes/Invoke-DLLClone Koppeling x Metatwin x LazySign
jfmaes/SharpLNKGen-UI UI for creating LNKs
jfmaes/SharpZipRunner Executes position independent shellcode from an encrypted zip
JohnWoodman/VBA-Macro-Projects This repository is a collection of my malicious VBA projects.
jonaslejon/malicious-pdf Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator
kkent030315/anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
knownsec/shellcodeloader ShellcodeLoader of windows can bypass AV.
Kudaes/DInvoke_rs Dynamically invoke arbitrary unmanaged code.
kyleavery/ThirdEye Weaponizing CLRvoyance for Post-Ex .NET Execution
lockedbyte/CVE-2021-40444 Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)
mai1zhi2/SharpBeacon CobaltStrike Beacon written in .Net 4 用.net重写了stager及Beacon,其中包括正常上线、文件管理、进程管理、令牌管理、结合SysCall进行注入、原生端口转发、关ETW等一系列功能
MarkoH17/Spray365 Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
maxlandon/wiregost Golang Implant & Post-Exploitation Framework
mdsecactivebreach/SharpShooter SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
med0x2e/GadgetToJScript A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
memN0ps/RustSCRunner Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library.
mgeeky/Stracciatella OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
michaelweber/Macrome Excel Macro Document Reader/Writer for Red Teamers & Analysts
mobdk/Sigma Execute shellcode with ZwCreateSection, ZwMapViewOfSection, ZwOpenProcess, ZwMapViewOfSection and ZwCreateThreadEx
Mr-Un1k0d3r/RedTeamCSharpScripts C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable.
mrexodia/AppInitHook Global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process.
nccgroup/GTFOBLookup Offline command line lookup utility for GTFOBins
nnsee/fileless-elf-exec Execute ELF files without dropping them on disk
NVISOsecurity Marauders Map The Marauders Map is meant to be used on assessments where you have gained GUI access to an enviornment. The Marauders Map is a DLL written in C#, enriched by the DllExport project to export functions that can serve as an entrypoint of invocation for unmanaged code such as rundll32.
NYAN-x-CAT/Csharp-Loader Download a .NET payload and run it on memory
p3nt4/RunDLL.Net Execute .Net assemblies using Rundll32.exe
plackyhacker/Sys-Calls An example of using Syscalls in C# to get a meterpreter shell.
postrequest/xeca PowerShell payload generator
praetorian-inc/Matryoshka Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
Professor-plum/Reflective-Driver-Loader Reflective Kernel Driver injection is a injection technique base off Reflective DLL injection by Stephen Fewer.
pwn1sher/uuid-loader UUID based shellcode loader for your favorite C2
rasta-mouse/MiscTools Miscellaneous Tools
redcanaryco/chain-reactor Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.
redcode-labs/Coldfire Golang malware development library
redcode-labs/GoSH Golang reverse/bind shell generator
redcode-labs/Neurax A framework for constructing self-spreading binaries
redcode-labs/REVENANT Volatile ELF payloads generator with Metasploit integrations for testing GNU/Linux ecosystems against low-level threats
redcode-labs/SNOWCRASH A polyglot payload generator
rek7/fireELF fireELF - Fileless Linux Malware Framework
Reverse Shell Generator Reverse Shell Generator
richkmeli/Richkware Framework for building Windows malware, written in C++
ropnop/go-sharp-loader.go Example Go program with multiple .NET Binaries embedded
rvrsh3ll/NoMSBuild MSBuild without MSbuild.exe
s0lst1c3/dropengine DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.
sevagas/macro_pack macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation.
S3cur3Th1sSh1t/Invoke-SharpLoader Load encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and execute it there.
S3cur3Th1sSh1t/Nim_CBT_Shellcode CallBack-Techniques for Shellcode execution ported to Nim
S3cur3Th1sSh1t/OffensiveVBA This repo covers some code execution and AV Evasion methods for Macros in Office documents
S4R1N/AlternativeShellcodeExec Alternative Shellcode Execution Via Callbacks
scythe-io/memory-module-loader An implementation of a Windows loader that can load dynamic-linked libraries (DLLs) directly from memory
secdev-01/AllTheThingsExec Executes Blended Managed/Unmanged Exports
sh4hin/GoPurple Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions
SheLLVM/SheLLVM A collection of LLVM transform and analysis passes to write shellcode in regular C
snovvcrash/NimHollow Nim implementation of Process Hollowing using syscalls (for educational purposes)
snovvcrash/peas Modified version of PEAS client for offensive operations
STMSolutions/boobsnail BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.
timwhitez/Doge-Loader 🐶Cobalt Strike Shellcode Loader by Golang
TheCruZ/kdmapper KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory
TheWover/donut Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
threatexpress/cobaltstrike_payload_generator Quickly generate every payload type for each listener and optionally host via HTTP.
trickster0/OffensiveRust Rust Weaponization for Red Team Engagements.
trustedsec/unicorn Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
X-C3LL/xlsxPoisoN Just a PoC to turn xlsx (regular Excel files) into xlsm (Excel file with macro) and slipping inside a macro (vbaProject.bin)
xforcered/InlineExecute-Assembly InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module
xinbailu/DripLoader Evasive shellcode loader for bypassing event-based injection detection (PoC)
xinbailu/DripLoader-Ops a usable, cleaned-up version for script kiddies
xpn/NautilusProject A collection of weird ways to execute unmanaged code in .NET
V1V1/OffensiveAutoIt Offensive tooling notes and experiments in AutoIt v3
Yaxser/COFFLoader2 Load and execute COFF files and Cobalt Strike BOFs in-memory
yqcs/ZheTian ZheTian Powerful remote load and execute ShellCode tool
zerosum0x0/rcmd Runs a command in another process
## Persistence
Link Description
0xthirteen/SharpStay .NET project for installing Persistence
360-Linton-Lab/Telemetry TELEMETRY is a C# For Windows PERSISTENCE
airzero24/PortMonitorPersist PoC for Port Monitor Persistence
ben0xa/doucme This leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting the usri1_priv of the USER_INFO_1 type to 0x1000. The primary goal is to avoid the normal detection of new user created events (4720).
CyborgSecurity/PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes.
djhohnstein/SharpSC Simple .NET assembly to interact with services.
fireeye/SharPersist Windows persistence toolkit written in C#.
netero1010/ScheduleRunner A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
o1mate/DLLProx Automatic DLL comment link generation and explaination of the DLL Proxying techniques
panagioto/SyscallHide Create a Run registry key with direct system calls. Inspired by @Cneelis's Dumpert and SharpHide.
RedSection/printjacker Hijack Printconfig.dll to execute shellcode
S4R1N/ZoomPersistence Zoom Persistence Aggressor and Handler
slaeryan/MIDNIGHTTRAIN Covert Stage-3 Persistence Framework
vivami/OutlookParasite Outlook persistence using VSTO add-ins
## Privilege Escalation
Link Description
0xbadjuju/Tokenvator A tool to elevate privilege with Windows Tokens
411Hall/JAWS JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
antonioCoco/RemotePotato0 Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.
antonioCoco/RogueWinRM Windows Local Privilege Escalation from Service Account to System
antonioCoco/RunasCs RunasCs - Csharp and open version of windows builtin runas.exe
carlospolop/privilege-escalation-awesome-scripts-suite PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
CCob/SweetPotato Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
CMatri/Gotato Generic impersonation and privilege escalation with Golang. Like GenericPotato both named pipes and HTTP are supported.
CravateRouge/bloodyAD BloodyAD is an Active Directory Privilege Escalation Framework
eladshamir/Whisker Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.
eloypgz/certi Utility to play with ADCS, allows to request tickets and collect information about related objects. Basically, it's the impacket copy of Certify. Thanks to @harmj0y and @tifkin_ for its great work with ADCS.
EspressoCake/Toggle_Token_Privileges_BOF Syscall BOF to arbitrarily add/detract process token privilege rights.
GhostPack/Certify Active Directory certificate abuse.
GhostPack/ForgeCert ForgeCert uses the BouncyCastle C# API and a stolen Certificate Authority (CA) certificate + private key to forge certificates for arbitrary users capable of authentication to Active Directory.
GoSecure/WSuspicious WSuspicious - A tool to abuse insecure WSUS connections for privilege escalationsWSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
gtworek/Priv2Admin Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.
hlldz/dazzleUP A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems.
itm4n/PrivescCheck Privilege Escalation Enumeration Script for Windows
itm4n/UsoDllLoader Windows - Weaponizing privileged file writes with the Update Session Orchestrator service
jacob-baines/concealed_position Bring your own print driver privilege escalation tool
liamg/traitor Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins
nccgroup/ncssfas - SpoolSystem SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
ollypwn/Certipy Python implementation for Active Directory certificate abuse
ricardojba/Invoke-noPac PowerSharpPack style .Net Assembly loader for the [CVE-2021-42287 - CVE-2021-42278] Scanner & Exploiter noPac.
rxwx/spoolsystem Print Spooler Named Pipe Impersonation for Cobalt Strike
sailay1996/delete2SYSTEM Weaponizing for Arbitrary Files/Directories Delete bugs to Get NT AUTHORITY\SYSTEM
S3cur3Th1sSh1t/MultiPotato MultiPotato
S3cur3Th1sSh1t/SharpImpersonation A User Impersonation tool - via Token or Shellcode injection
slyd0g/PrimaryTokenTheft Steal a primary token and spawn cmd.exe using the stolen token
TsukiCTF/Lovely-Potato Automating juicy potato local privilege escalation exploit for penetration testers.
thehappydinoa/rootOS macOS Privilege Escalation Helper
WazeHell/sam-the-admin Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
## Defense Evasion
Link Description
0xDivyanshu/Injector Complete Arsenal of Memory injection and other techniques for red-teaming in Windows
0xpat/COFFInjector PoC MSVC COFF Object file loader/injector.
0xN3utr0n/Noteme ELF packer/crypter that aims to create hardened and stealthy troyans
0xZDH/redirect.rules Quick and dirty dynamic redirect.rules generator
3gstudent/Eventlogedit-evtx--Evolution Remove individual lines from Windows XML Event Log (EVTX) files
89luca89/pakkero Pakkero is a binary packer written in Go made for fun and educational purpose. Its main goal is to take in input a program file (elf binary, script, even appimage) and compress it, protect it from tampering and intrusion.
aaaddress1/wowGrail PoC: Rebuild A New Path Back to the Heaven's Gate (HITB 2021)
Aetsu/OffensivePipeline OffensivePipeline allows to download, compile (without Visual Studio) and obfuscate C# tools for Red Team exercises.
airzero24/WMIReg PoC to interact with local/remote registry hives through WMI
ajpc500/NimlineWhispers2 A tool for converting SysWhispers2 syscalls for use with Nim projects
AnErrupTion/LoGiC.NET A more advanced free and open .NET obfuscator using dnlib.
anthemtotheego/Detect-Hooks Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR
api0cradle/UltimateAppLockerByPassList The goal of this repository is to document the most common techniques to bypass AppLocker.
Arvanaghi/CheckPlease Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.
asaurusrex/DoppelGate This project is designed to provide a method of extracting syscalls dynamically directly from on-disk ntdll. Userland hooks have become prevalent in many security products these days, and bypassing these hooks is a great way for red teamers/pentesters to bypass these defenses.
asaurusrex/EDR_Userland_Hook_Checker Project to check which Nt/Zw functions your local EDR is hooking
audibleblink/dummyDLL Utility for hunting UAC bypasses or COM/DLL hijacks that alerts on the exported function that was consumed.
aus/gopherheaven Go implementation of the Heaven's Gate technique
AzAgarampur/byeintegrity4-uac Bypass UAC by abusing the Windows Defender Firewall Control Panel, environment variables, and shell protocol handlers
AzAgarampur/byeintegrity8-uac Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components
Bashfuscator/Bashfuscator A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.
bats3c/Ghost-In-The-Logs Evade sysmon and windows event logginEvade sysmon and windows event loggingg
BaumFX/cpp-anti-debug anti debugging library in c++.
BinaryScary/NET-Obfuscate Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI
bhumic/PErmutator The goal of this project is to create a permutation engine for PE files. The engine should randomize the executable parts of the file.
boku7/AsmHalosGate x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks
boku7/CobaltStrikeReflectiveLoader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
boku7/halosgate-ps Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes
boku7/HellsGatePPID Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process
boku7/HOLLOW EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode
boku7/injectAmsiBypass Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.
boku7/injectEtwBypass CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
boku7/Ninja_UUID_Dropper Module Stomping, No New Thread, HellsGate syscaller, UUID Dropper for x64 Windows 10!
boku7/spawn Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
bohops/UltimateWDACBypassList A centralized resource for previously documented WDAC bypass techniques
boku7/winx64-InjectAllProcessesMeterpreter-Shellcode 64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
br-sn/CheekyBlinder Enumerating and removing kernel callbacks using signed vulnerable drivers
burrowers/garble Obfuscate Go builds
bytecode77/self-morphing-csharp-binary Executable that mutates its own code
c0de90e7/GhostWriting GhostWriting Injection Technique.
calebstewart/bypass-clm PowerShell Constrained Language Mode Bypass
CCob/SharpBlock A method of bypassing EDR's active projection DLL's by preventing entry point execution.
ChadSki/SharpNeedle Inject C# code into a running process
Charterino/AsStrongAsFuck A console obfuscator for .NET assemblies.
checkymander/Zolom C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed
Cn33liz/p0wnedShell p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET)
cobbr/PSAmsi PSAmsi is a tool for auditing and defeating AMSI signatures.
cipheras/obfus Curated list of examples, tools, frameworks, etc in various languages with various techniques for obfuscation of RATs, malwares, etc. Only for learning purposes & red teaming.
cnsimo/BypassUAC Use ICMLuaUtil to Bypass UAC!
cwolff411/powerob An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity.
cyberark/Evasor A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
czs108/PE-Packer 📦 A Windows x86 PE file packer written in C & Microsoft Assembly. The file after packing can obstruct the process of reverse engineering.
d00rt/ebfuscator Ebfuscator: Abusing system errors for binary obfuscation
d35ha/CallObfuscator Obfuscate specific windows apis with different apis
DamonMohammadbagher/NativePayload_Tinjection Remote Thread Injection by C#
danielbohannon/Invoke-CradleCrafter PowerShell Remote Download Cradle Generator & Obfuscator
danielbohannon/Invoke-DOSfuscation Cmd.exe Command Obfuscation Generator & Detection Test Harness
DarthTon/Polychaos PE permutation library
DarthTon/Xenos Windows dll injector
dndx/phantun Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs.
dsnezhkov/zombieant Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion.
EgeBalci/Amber amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode.
EgeBalci/sgn Shikata ga nai (仕方がない) encoder ported into go with several improvements
EspressoCake/Firewall_Walker_BOF A BOF to interact with COM objects associated with the Windows software firewall.
EspressoCake/Self_Deletion_BOF BOF implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
FalconForceTeam/SysWhispers2BOF Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs
FatRodzianko/SharpBypassUAC C# tool for UAC bypasses
ffuf/pencode Complex payload encoder
fireeye/OfficePurge VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents.
Flangvik/AMSI.fail C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
Flangvik/NetLoader Loads any C# binary in mem, patching AMSI + ETW.
Flangvik/RosFuscator YouTube/Livestream project for obfuscating C# source code using Roslyn
Flangvik/SharpDllProxy Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
forrest-orr/phantom-dll-hollower-poc Phantom DLL hollowing PoC
GetRektBoy724/JALSI JALSI - Just Another Lame Shellcode Injector
GetRektBoy724/SharpUnhooker C# Based Universal API Unhooker
GetRektBoy724/TripleS Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk
GetRektBoy724/TripleS Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk
GoodstudyChina/APC-injection-x86-x64 injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC.
HackOvert/AntiDBG A bunch of Windows anti-debugging tricks for x86 and x64.
hasherezade/module_overloading A more stealthy variant of "DLL hollowing"
hasherezade/process_chameleon A process overwriting its own PEB to make an illusion that it has been loaded from a different path.
hasherezade/transacted_hollowing Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
hlldz/Invoke-Phant0m Windows Event Log Killer
huntresslabs/evading-autoruns Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
infosecn1nja/MaliciousMacroMSBuild Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
iomoath/PowerShx Run Powershell without software restrictions.
jason-klein/signed-nsis-exe-append-payload Append a custom data payload to a digitally signed NSIS .exe installer
jfmaes/LazySign Create fake certs for binaries using windows binaries and the power of bat files
jfmaes/sharpbysentinel Kill telemetry to sentinel
jfmaes/SharpNukeEventLog nuke that event log using some epic dinvoke fu
JKornev/hidden Windows driver with usermode interface which can hide processes, file-system and registry objects, protect processes and etc
JoelGMSec/Invoke-Stealth Simple & Powerful PowerShell Script Obfuscator
jonatan1024/clrinject Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
jnastarot/furikuri (In dev)furikuri is framework for code protection
jthuraisamy/SysWhispers SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
jthuraisamy/SysWhispers2 AV/EDR evasion via direct system calls.
jthuraisamy/TelemetrySourcerer Enumerate and disable common sources of telemetry used by AV/EDR.
JustasMasiulis/lazy_importer library for importing functions from dlls in a hidden, reverse engineer unfriendly way
Kara-4search/FullDLLUnhooking_CSharp Unhook DLL via cleaning the DLL 's .text section
Kara-4search/HellgateLoader_CSharp Load shelcode via HELLGATE, rewrite hellgate for learning purpose.
Kara-4search/MappingInjection_CSharp MappingInjection via csharp
karttoon/trigen Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
kernelm0de/ProcessHider Hide Process From Task Manager using Usermode API Hooking
klezVirus/chameleon Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions.
klezVirus/inceptor Template-Driven AV/EDR Evasion Framework
klezVirus/SharpSelfDelete C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
knight0x07/ImpulsiveDLLHijack C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's.
l373/GIVINGSTORM Infection vector that bypasses AV, IDS, and IPS. (For now...)
last-byte/unDefender Killing your preferred antimalware by abusing native symbolic links and NT paths.
lawiet47/STFUEDR Silence EDRs by removing kernel callbacks
m0rv4i/Ridgway A quick tool for hiding a new process running shellcode.
magnusstubman/dll-exports Collection of DLL function export forwards for DLL export function proxying
matterpreter/DefenderCheck Identifies the bytes that Microsoft Defender flags on.
matterpreter/SHAPESHIFTERmatterpreter/SHAPESHIFTER Companion PoC for the "Adventures in Dynamic Evasion" blog post
mdsecactivebreach/Chameleon Chameleon: A tool for evading Proxy categorisation
mdsecactivebreach/firewalker This repo contains a simple library which can be used to add FireWalker hook bypass capabilities to existing code
med0x2e/NoAmci Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load().
med0x2e/SigFlip SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.
mgeeky/ElusiveMice Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
mgeeky/ShellcodeFluctuation An in-memory evasion technique fluctuating shellcode memory protection between RW & RX and encrypting/decrypting contents
mgeeky/Stracciatella OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
mgeeky/ThreadStackSpoofer Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
MinervaLabsResearch/CoffeeShot CoffeeShot: Avoid Detection with Memory Injection
mobdk/Upsilon Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used
monoxgas/sRDI Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
Moriarty2016/NimRDI RDI implementation in Nim
MRGEffitas/Ironsquirrel Encrypted exploit delivery for the masses
nccgroup/demiguise HTA encryption tool for RedTeams
netbiosX/AMSI-Provider A fake AMSI Provider which can be used for persistence.
netero1010/TrustedPath-UACBypass-BOF Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.
nephosec/bof-adios Implementation of Self Deleting Executables
nettitude/RunPE C# Reflective loader for unmanaged binaries.
NotPrab/.NET-Obfuscator Lists of .NET Obfuscator (Free, Trial, Paid and Open Source )
NtRaiseHardError/Anti-Delete Protects deletion of files with a specified extension using a kernel-mode driver.
NtRaiseHardError/NINA NINA: No Injection, No Allocation x64 Process Injection Technique
OmerYa/Invisi-Shell Hide your Powershell script in plain sight. Bypass all Powershell security features
optiv/ScareCrow ScareCrow - Payload creation framework designed around EDR bypass.
ORCA666/EVA3 using hellsgate in EVA to get the syscalls
OsandaMalith/PE2HTML Injects HTML/PHP/ASP to the PE
outflanknl/TamperETW PoC to demonstrate how CLR ETW events can be tampered.
oXis/GPUSleep Move CS beacon to GPU memory when sleeping
passthehashbrowns/DInvokeProcessHollowing This repository is an implementation of process hollowing shellcode injection using DInvoke from SharpSploit. DInvoke allows operators to use unmanaged code while avoiding suspicious imports or API hooking.
pathtofile/SealighterTI Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider
peewpw/Invoke-PSImage Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
PELock/JObfuscator-Python JObfuscator is a source code obfuscator for the Java language. Protect Java source code & algorithms from hacking, cracking, reverse engineering, decompilation & technology theft.
Pepitoh/VBad VBA Obfuscation Tools combined with an MS office document generator
phra/PEzor Open-Source PE Packer
plackyhacker/SuspendedThreadInjection Another meterpreter injection technique using C# that attempts to bypass Defender
PwnDexter/SharpEDRChecker Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
r3nhat/XORedReflectiveDLL Reflective DLL Injection with obfuscated (XOR) shellcode
rasta-mouse/AmsiScanBufferBypass Bypass AMSI by patching AmsiScanBuffer
RedCursorSecurityConsulting/PPLKiller Tool to bypass LSA Protection (aka Protected Process Light)
reevesrs24/EvasiveProcessHollowing Evasive Process Hollowing Techniques
rmdavy/HeapsOfFun AMSI Bypass Via the Heap
RythmStick/AMSITrigger Hunting for Malicious Strings
S1ckB0y1337/TokenPlayer Manipulating and Abusing Windows Access Tokens.
S4R1N/MMFCodeInjection Code Injection via Memory Mapped Files
sad0p/d0zer Elf binary infector written in Golang
scrt/avcleaner C/C++ source obfuscator for antivirus bypass
secretsquirrel/SigThief Stealing Signatures and Making One Invalid Signature at a Time
SecIdiot/TitanLdr Titan: A crappy Reflective Loader written in C and assembly for Cobalt Strike. Redirects DNS Beacon over DoH
Sh0ckFR/InlineWhispers2 Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
sinfulz/JustEvadeBro JustEvadeBro, a cheat sheet which will aid you through AMSI/AV evasion & bypasses.
slyd0g/SharpCrashEventLog C# port of LogServiceCrash
slyd0g/UrbanBishopLocal A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop
SolomonSklash/SleepyCrypt A shellcode function to encrypt a running process image when sleeping.
snovvcrash/DInjector Collection of shellcode injection techniques packed in a D/Invoke weaponized DLL
stephenfewer/ReflectiveDLLInjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
t3hbb/NSGenCS Extendable payload obfuscation and delivery framework
timwhitez/Doge-PX
timwhitez/Doge-sRDI Shellcode implementation of Reflective DLL Injection by Golang. Convert DLLs to position independent shellcode
the-xentropy/xencrypt A PowerShell script anti-virus evasion tool
TheWover/CertStealer A .NET tool for exporting and importing certificates without touching disk.
TheWover/GhostLoader GhostLoader - AppDomainManager - Injection - 攻壳机动队
ThomasThelen/Anti-Debugging A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.
tomcarver16/AmsiHook AmsiHook is a project I created to figure out a bypass to AMSI via function hooking.
tokyoneon/chimera Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions.
Tylous/Limelighter A tool for generating fake code signing certificates or signing real ones
Tylous/ZipExec A unique technique to execute binaries from a password protected zip
Unknow101/FuckThatPacker A simple python packer to easily bypass Windows Defender
Wra7h/Single-Dose Generate process injection binaries
wavestone-cdt/EdrSandblast EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections
xct/morbol Simple AV Evasion for PE Files
Yaxser/Backstab A tool to kill antimalware protected processes
Yet-Zio/WusaBypassUAC UAC bypass abusing WinSxS in "wusa.exe".
xforcered/InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools
zeroperil/HookDump Security product hook detection
zeroSteiner/crimson-forge Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures.
## Credential Access
Link Description
aas-n/spraykatz Credentials gathering tool automating remote procdump and parse of lsass process.
alfarom256/BOF-ForeignLsass LSASS Dumping With Foreign Handles
anthemtotheego/CredBandit Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel
antonioCoco/MalSeclogon A little tool to play with the Seclogon service
Arvanaghi/SessionGopher SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
b4rtik/SharpKatz Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
b4rtik/SharpMiniDump Create a minidump of the LSASS process from memory
Barbarisch/forkatz credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege
blacklanternsecurity/TREVORspray A featureful round-robin SOCKS proxy and Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API
byt3bl33d3r/SprayingToolkit Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
CCob/lsarelayx NTLM relaying for Windows made easy
CCob/MirrorDump Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory
codewhitesec/HandleKatz PIC lsass dumper using cloned handles
connormcgarr/tgtdelegation tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick"
cube0x0/MiniDump C# Lsass parser
cube0x0/SharpSystemTriggers Collection of remote authentication triggers in C#
dafthack/MSOLSpray A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
danf42/GetLsaSecrets C# implementation of Get-LSASecrets originally written in PowerShell
DanMcInerney/icebreaker Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
deepinstinct/LsassSilentProcessExit Command line interface to dump LSASS memory to disk via SilentProcessExit
djhohnstein/1PasswordSuite Utilities to extract secrets from 1Password
eladshamir/Internal-Monologue Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
EspressoCake/HandleKatz_BOF A BOF port of the research of @thefLinkk and @codewhitesec
EspressoCake/PPLDump_BOF A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF.
fireeye/ADFSpoof A python tool to forge AD FS security tokens.
Flangvik/BetterSafetyKatz Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
FSecureLABS/physmem2profit Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
FSecureLABS/SharpClipHistory SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
G0ldenGunSec/SharpSecDump .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
GhostPack/SafetyKatz SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader
GhostPack/SharpDump SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
GhostPack/Rubeus Rubeus is a C# toolset for raw Kerberos interaction and abusesRubeus is a C# toolset for raw Kerberos interaction and abuses
gitjdm/dumper2020 Yet another LSASS dumper
GossiTheDog/HiveNightmare Exploit allowing you to read registry hives as non-admin
Greenwolf/ntlm_theft A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)
Hackndo/lsassy Extract credentials from lsass remotely
helpsystems/nanodump Dumping LSASS has never been so stealthy
horizon3ai/vcenter_saml_login A tool to extract the IdP cert from vCenter backups and log in as Administrator
HunnicCyber/SharpDomainSpray Basic password spraying tool for internal tests and red teaming
icyguider/DumpNParse A Combination LSASS Dumper and LSASS Parser. All Credit goes to @slyd0g and @cube0x0.
IlanKalendarov/PyHook PyHook is an offensive API hooking tool written in python designed to catch various credentials within the API call.
IlanKalendarov/SharpHook SharpHook is inspired by the SharpRDPThief project, It uses various API hooks in order to give us the desired credentials.
iomoath/SharpSpray Active Directory password spraying tool. Auto fetches user list and avoids potential lockouts.
itm4n/PPLdump Dump the memory of a PPL with a userland exploit
jfmaes/SharpHandler Duplicating handles to dump LSASS since 2021
jfmaes/SharpRDPDump Create a minidump of TermService for clear text pw extraction
Kevin-Robertson/Inveigh Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
kindtime/nosferatu Lsass NTLM Authentication Backdoor
knavesec/CredMaster Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling
KoreLogicSecurity/wmkick WMkick is a TCP protocol redirector/MITM tool that targets NTLM authentication message flows in WMI (135/tcp) and Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2 hashes.
LuemmelSec/SAML2Spray Python Script for SAML2 Authentication Passwordspray
m0rv4i/SafetyDump Dump stuff without touching disk
MadHatt3R-0x90/SharpPuppet Tool Allowing Keystroke Injection Into Arbitrary Window.
mdsecactivebreach/Farmer Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients.
mobdk/CopyCat Simple rapper for Mimikatz, bypass Defender
mobdk/CoreClass Mimikatz embedded as classes
mobdk/WinBoost Execute Mimikatz with different technique
nidem/kerberoast Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.
oxfemale/LogonCredentialsSteal LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file.
peewpw/Invoke-WCMDump PowerShell Script to Dump Windows Credentials from the Credential Manager
Pickfordmatt/SharpLocker SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike.
PorLaCola25/TransactedSharpMiniDump Implementation of b4rtiks's SharpMiniDump using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets.
postrequest/safetydump MiniDump a process in memory with rust
putterpanda/mimikittenz A post-exploitation powershell tool for extracting juicy info from memory.
RedCursorSecurityConsulting/SharpHashSpray An execute-assembly compatible tool for spraying local admin hashes on an Active Directory domain.
ricardojoserf/adfsbrute A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks.
ropnop/kerbrute A tool to perform Kerberos pre-auth bruteforcing
rvrsh3ll/SharpEdge C# Implementation of Get-VaultCredential
rvrsh3ll/TokenTactics Azure JWT Token Manipulation Toolset
rvrsh3ll/SharpSMBSpray Spray a hash via smb to check for local administrator access
S3cur3Th1sSh1t/RDPThiefInject RDPThief donut shellcode inject into mstsc
sec-consult/aggrokatz Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon.
secdev-01/Mimikore .NET 5 Single file Application . Mimikatz or any Base64 PE Loader.
shantanu561993/SharpLoginPrompt This Program creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system.
ShutdownRepo/smartbrute Password spraying and bruteforcing tool for Active Directory Domain Services
skelsec/pypykatz Mimikatz implementation in pure Python
SnaffCon/Snaffler Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
swisskyrepo/SharpLAPS Retrieve LAPS password from LDAP
treebuilder/aad-sso-enum-brute-spray POC of SecureWorks' recent Azure Active Directory password brute-forcing vuln
uknowsec/SharpDecryptPwd 对密码已保存在 Windwos 系统上的部分程序进行解析,包括:Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品(Xshell,Xftp)。
ustayready/SharpHose Asynchronous Password Spraying Tool in C# for Windows Environments
Viralmaniar/Remote-Desktop-Caching- This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allows Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen.
VollRagm/KernelBypassSharp C# Kernel Mode Driver to read and write memory in protected processes
vyrus001/go-mimikatz A wrapper around a pre-compiled version of the Mimikatz executable for the purpose of anti-virus evasion.
w1u0u1/minidump Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory.
zcgonvh/SSMSPwd SQL Server Management Studio(SSMS) saved password dumper
## Lateral Movement
Link Description
0xcpu/winsmsd Windows (ShadowMove) Socket Duplication
0xthirteen/MoveKit Cobalt Strike kit for Lateral Movement
0xthirteen/SharpMove .NET Project for performing Authenticated Remote Execution
0xthirteen/SharpRDP Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
360-Linton-Lab/WMIHACKER A Bypass Anti-virus Software Lateral Movement Command Execution Tool
anthemtotheego/SharpExec SharpExec is an offensive security C# tool designed to aid with lateral movement.
bigb0sss/Bankai Another Go Shellcode Loader
bohops/WSMan-WinRM A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object
byt3bl33d3r/CrackMapExec A swiss army knife for pentesting networks
cube0x0/SharpMapExec A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.
cube0x0/SharpSystemTriggers Collection of remote authentication triggers in C#
cobbr/SharpSploit SharpSploit is a .NET post-exploitation library written in C#
cyberark/shimit A tool that implements the Golden SAML attack
DefensiveOrigins/PlumHound Bloodhound for Blue and Purple Teams
FuzzySecurity/StandIn StandIn is a small .NET35/45 AD post-exploitation toolkit
Hackplayers/evil-winrm The ultimate WinRM shell for hacking/pentesting
improsec/ImproHound Identify the attack paths in BloodHound breaking your AD tiering
infosecn1nja/SharpDoor SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file.
iomoath/SharpStrike SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session.
juliourena/SharpNoPSExec Get file less command execution for lateral movement.
klezVirus/CheeseTools Self-developed tools for Lateral Movement/Code Execution
knavesec/Max Maximizing BloodHound. Max is a good boy.
mez-0/CSharpWinRM .NET 4.0 WinRM API Command Execution
mez-0/winrmdll C++ WinRM API via Reflective DLL
Mr-Un1k0d3r/SCShell Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
netero1010/ServiceMove-BOF New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
RiccardoAncarani/LiquidSnake LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
RiccardoAncarani/TaskShell TaskShell
rvrsh3ll/SharpCOM SharpCOM is a c# port of Invoke-DCOM
ScorpionesLabs/DVS D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
tothi/rbcd-attack Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket
theepicpowner/dcom_av_exec DCOM_AV_EXEC allows for "diskless" lateral movement to a target on the same network via DCOM. The AV_Bypass_Framework_V3 creates a .NET shellcode runner (output as DLL) which can be used with the DCOM_AV_EXEC tool to bypass antivirus solutions like Microsoft Defender as all shellcode is AES encrypted and executed in memory.
## Collection
Link Description
cisp/GetMail 利用NTLM Hash读取Exchange邮件
DallasFR/Cobalt-Clip Cobaltstrike addons to interact with clipboard
djhohnstein/SharpChromium .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.
OG-Sadpanda/SharpExcelibur Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly
OG-Sadpanda/SharpSword Read the contents of DOCX files using Cobalt Strike's Execute-Assembly
seastorm/PuttyRider Hijack Putty sessions in order to sniff conversation and inject Linux commands.
## Command & Control
Link Description
3xpl01tc0d3r/Callidus It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services.
ahmedkhlief/Ninja Open source C2 server created for stealth red team operations
bashexplode/cs2webconfig Convert Cobalt Strike profiles to IIS web.config files
bats3c/shad0w SHAD0W is a modular C2 framework designed to successfully operate on mature environments.
BishopFox/sliver Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary.
blackbotinc/Atomic-Red-Team-Intelligence-C2 ARTi-C2 is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR.
boku7/azureOutlookC2 Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
byt3bl33d3r/SILENTTRINITY An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
cedowens/C2_Cradle Tool to download, install, and run macOS capable command & control servers (i.e., C2s with macOS payloads/clients) as docker containers from a list of options. This is helpful for automating C2 server setup.
cobbr/C2Bridge C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant.
cobbr/Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
Cr4sh/MicroBackdoor Small and convenient C2 tool for Windows targets
cyberark/kubesploit Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
DeimosC2/DeimosC2 DeimosC2 is a Golang command and control framework for post-exploitation.
Dliv3/DomainBorrowing Domain Borrowing is a new method to hide your C2 traffic with CDN
echtdefault/C2-GUI-Template Template for a C2 GUI coded in C++ using Win32 API
EspressoCake/Cobalt_Strike_Ansible A project to replicate the functionality of Noah Powers' ServerSetup script, but with error handling and fixed Namecheap API support.
fbkcs/ThunderDNS This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.
Flangvik/AzureC2Relay AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile.
geemion/Khepri 🔥🔥🔥Free,Open-Source,Cross-platform agent and Post-exploiton tool written in Golang and C++, the architecture and usage like Cobalt Strike
gl4ssesbo1/Nebula Cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS, but still working to allow testing other Cloud Providers and DevOps Components.
its-a-feature/Mythic A collaborative, multi-platform, red teaming framework
kgretzky/pwndrop Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.
leonjza/tc2 Treafik fronted c2 examples
looCiprian/GC2-sheet GC2 is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet and exfiltrate data using Google Drive.
loseys/BlackMamba BlackMamba is a multi client C2/post exploitation framework with some spyware features. Powered by Python 3.8.6 and QT Framework.
mgeeky/RedWarden Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
mhaskar/DNSStager DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.
mhaskar/Octopus Open source pre-operation C2 server based on python and powershell
MythicAgents/hermes Swift 5 macOS implant
NetSPI/SQLC2 SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
nettitude/SharpSocks Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
Ne0nd0g/merlin Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
p3nt4/Nuages A modular C2 framework
Porchetta-Industries/pyMalleableC2 Python interpreter for Cobalt Strike Malleable C2 Profiles. Allows you to parse, build and modify them programmatically.
Project Prismatica Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility.
pucarasec/zuthaka Zuthaka is an open source application designed to assist red-teaming efforts, by simplifying the task of managing different APTs and other post-exploitation tools.
r3nhat/GRAT2 GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.5
sensepost/goDoH godoh - A DNS-over-HTTPS C2
shadown-workers/shadow-workers Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
SpiderLabs/DoHC2 DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
thiagomayllart/Harvis Harvis is designed to automate your C2 Infrastructure.
threatexpress/mythic2modrewrite Generate Apache mod_rewrite rules for Mythic C2 profiles
threatexpress/random_c2_profile Cobalt Strike random C2 Profile generator
Tylous/SourcePoint SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion.
vestjoe/cobaltstrike_services Running Cobalstrike Teamserver as a Service
X-C3LL/wfp-reader Proof of concept - Covert Channel using Windows Filtering Platform (C#)
zerosum0x0/koadic Koadic C3 COM Command & Control - JScript RAT
## Exfiltration
Link Description
ariary/QueenSono Golang binary for data exfiltration with ICMP protocol (+ ICMP bindshell, http over ICMP tunneling, ...)
evilsocket/sg1 A wanna be swiss army knife for data encryption, exfiltration and covert communication.
Flangvik/SharpExfiltrate Modular C# framework to exfiltrate loot over secure and trusted channels.
hackerschoice/gsocket Global Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls
hackerschoice/gs-transfer Secure File Transfer via Global Socket Bounce Network
m57/dnsteal DNS Exfiltration tool for stealthily sending files over DNS requests.
mdsecactivebreach/RegistryStrikesBack RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. It can be useful in exfiltrating config files such as to support actions like are described in the "Segmentation Vault" article on the MDSec Blog.
pentestpartners/PTP-RAT Exfiltrate data over screen interfaces. For more information.
Plazmaz/LNKUp Generates malicious LNK file payloads for data exfiltration
sensepost/DET DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
SySS-Research/Seth Perform a MitM attack and extract clear text credentials from RDP connections
veggiedefender/browsertunnel Surreptitiously exfiltrate data from the browser over DNS
vp777/procrustes A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.