mirror of
https://github.com/pe3zx/my-infosec-awesome.git
synced 2024-10-01 07:45:36 -04:00
90 KiB
90 KiB
Offensive Bookmark
This page will contain my bookmark for offensive tools, briefly categorized based on MITRE ATT&CK Enterprise Matrix. Some links and sections on README.md will be relocated to this page if it's related to offensive tactics and techniques.
Some tools can be categorized in more than one category. But because the current bookmark model doesn't support 1-to-many mapping, I will decide a tool's category based on its ultimate goal.
- Reconnaissance/Discovery
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Collection
- Command & Control
- Exfiltration
Reconnaissance/Discovery
Link | Description |
asaurusrex/Probatorum-EDR-Userland-Hook-Checker | Project to check which Nt/Zw functions your local EDR is hooking |
boku7/whereami | Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's. |
chdav/SharpCGHunter | Receive the status of Windows Defender Credential Guard on network hosts. |
codingo/Reconnoitre | A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing. |
dev-2null/ADCollector | A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending. |
dirkjanm/ROADtools | The Azure AD exploration framework. |
djhohnstein/SharpShares | Enumerate all network shares in the current domain. Also, can resolve names to IP addresses. |
dsnezhkov/TruffleSnout | Iterative AD discovery toolkit for offensive operations |
fashionproof/CheckSafeBoot | I used this to see if an EDR is running in Safe Mode |
GhostPack/Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
jaredhaight/scout | A .NET assembly for performing recon against hosts on a network |
lkarlslund/adalanche | Active Directory ACL Visualizer - who's really Domain Admin? |
mdsecactivebreach/sitrep | SitRep is intended to provide a lightweight, extensible host triage alternative. |
mez-0/SharpShares | .NET 4.0 Share Hunting and ACL Mapping |
Mr-Un1k0d3r/ADHuntTool | official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo) |
nccgroup/Carnivore | Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb |
NetSPI/goddi | goddi (go dump domain info) dumps Active Directory domain information |
outflanknl/Recon-AD | Recon-AD, an AD recon tool based on ADSI and reflective DLL’s |
rasta-mouse/Watson | Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilitiesEnumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities |
rvrsh3ll/SharpPrinter | Discover Printers |
s0lst1c3/SharpFinder | Description: Searches for files matching specific criteria on readable shares within the domain. |
S3cur3Th1sSh1t/Invoke-Sharpcradle | Load C# Code from a Webserver straight to memory and execute it there. |
sophoslabs/metasploit_gather_exchange | Metasploit Post-Exploitation Gather module for Exchange Server |
stufus/reconerator | C# Targeted Attack Reconnissance Tools |
sud0woodo/DCOMrade | Powershell script for enumerating vulnerable DCOM Applications |
T0pCyber/hawk | Powershell Based tool for gathering information related to O365 intrusions and potential Breaches |
tasox/LogRM | LogRM is a post exploitation powershell script which it uses windows event logs to gather information about internal network |
tevora-threat/SharpView | C# implementation of harmj0y's PowerView |
TonyPhipps/Meerkat | A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints. |
tomcarver16/ADSearch | A tool to help query AD via the LDAP protocol |
vletoux/SpoolerScanner | Check if MS-RPRN is remotely available with powershell/c# |
yogeshojha/rengine | reNgine is a reconnaissance engine(framework) that does end-to-end reconnaissance with the help of highly configurable scan engines and does information gathering about the target web application. reNgine makes use of various open-source tools and makes a configurable pipeline of reconnaissance. |
ZeroPointSecurity/Domain-Enumeration-Tool | Perform Windows domain enumeration via LDAP |
Initial Access
Link | Description |
BeetleChunks/SpoolSploit | A collection of Windows print spooler exploits containerized with other utilities for practical exploitation. |
Execution
Link | Description |
0xDivyanshu/Injector | Complete Arsenal of Memory injection and other techniques for red-teaming in Windows |
aeverj/NimShellCodeLoader | Nim编写Windows平台shellcode免杀加载器 |
antonioCoco/SharPyShell | SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications |
api0cradle/LOLBAS | Living Off The Land Binaries and Scripts (and now also Libraries) |
b1tg/rust-windows-shellcode | Windows shellcode development in Rust |
bats3c/DarkLoadLibrary | LoadLibrary for offensive operations |
bohops/GhostBuild | GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects |
boku7/bof-spawnSuspendedProcess | Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state |
boku7/CobaltStrikeReflectiveLoader | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. |
bytecode77/self-morphing-csharp-binary | Executable that mutates its own code |
cdong1012/Crab-Runner | Shellcode runner in Rust |
ChadSki/SharpNeedle | Inject C# code into a running process |
checkymander/Sharp-SMBExec | SMBExec C# module |
checkymander/Zolom | C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed |
cobbr/SharpSploit | SharpSploit is a .NET post-exploitation library written in C# |
Cn33liz/p0wnedShell | p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET) |
cribdragg3r/Alaris | A protective and Low Level Shellcode Loader the defeats modern EDR systems. |
DamonMohammadbagher/NativePayload_Tinjection | Remote Thread Injection by C# |
D00MFist/Go4aRun | Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process |
dtrizna/easy-hollow | Automated build for process hollowing shellcode loader. Build on top of TikiTorch and donut projects. |
EddieIvan01/memexec | A library for loading and executing PE (Portable Executable) from memory without ever touching the disk |
Flangvik/SharpCollection | Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. |
FortyNorthSecurity/CIMplant | C# port of WMImplant which uses either CIM or WMI to query remote systems |
FortyNorthSecurity/EDD | Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD. |
FuzzySecurity/PowerShell-Suite | There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. |
GhostPack/SharpWMI | SharpWMI is a C# implementation of various WMI functionality. |
gigajew/WinXRunPE | Two C# RunPE's capable of x86 and x64 injections |
hausec/MaliciousClickOnceMSBuild | Basic C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce. |
JamesCooteUK/SharpSphere | .NET Project for Attacking vCenter |
jhalon/SharpCall | Simple PoC demonstrating syscall execution in C# |
jfmaes/SharpZipRunner | Executes position independent shellcode from an encrypted zip |
maxlandon/wiregost | Golang Implant & Post-Exploitation Framework |
mgeeky/Stracciatella | OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup |
Mr-Un1k0d3r/RedTeamCSharpScripts | C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable. |
nccgroup/GTFOBLookup | Offline command line lookup utility for GTFOBins |
nettitude/RunPE | C# Reflective loader for unmanaged binaries. |
NVISOsecurity Marauders Map | The Marauders Map is meant to be used on assessments where you have gained GUI access to an enviornment. The Marauders Map is a DLL written in C#, enriched by the DllExport project to export functions that can serve as an entrypoint of invocation for unmanaged code such as rundll32. |
NYAN-x-CAT/Csharp-Loader | Download a .NET payload and run it on memory |
rasta-mouse/MiscTools | Miscellaneous Tools |
rek7/fireELF | fireELF - Fileless Linux Malware Framework |
ropnop/go-sharp-loader.go | Example Go program with multiple .NET Binaries embedded |
rvrsh3ll/NoMSBuild | MSBuild without MSbuild.exe |
S3cur3Th1sSh1t/Nim_CBT_Shellcode | CallBack-Techniques for Shellcode execution ported to Nim |
secdev-01/AllTheThingsExec | Executes Blended Managed/Unmanged Exports |
scythe-io/memory-module-loader | An implementation of a Windows loader that can load dynamic-linked libraries (DLLs) directly from memory |
sh4hin/GoPurple | Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions |
snovvcrash/peas | Modified version of PEAS client for offensive operations |
TheCruZ/kdmapper | KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory |
xforcered/InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module |
xinbailu/DripLoader | Evasive shellcode loader for bypassing event-based injection detection (PoC) |
xinbailu/DripLoader-Ops | a usable, cleaned-up version for script kiddies |
xpn/NautilusProject | A collection of weird ways to execute unmanaged code in .NET |
zerosum0x0/rcmd | Runs a command in another process |
Manipulating Binary's Internal
Link | Description |
aaaddress1/wowGrail | PoC: Rebuild A New Path Back to the Heaven's Gate (HITB 2021) |
Accenture/CLRvoyance | Managed assembly shellcode generation |
ajpc500/NimlineWhispers | A very proof-of-concept port of InlineWhispers for using syscalls in Nim projects. |
Akaion/Bleak | A Windows native DLL injection library that supports several methods of injection. |
boku7/AsmHalosGate | x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks |
boku7/halosgate-ps | Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes |
boku7/HellsGatePPID | Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process |
boku7/HOLLOW | EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode |
boku7/spawn | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. |
Cybellum/DoubleAgent | DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). |
DarthTon/Xenos | Windows dll injector |
FalconForceTeam/SysWhispers2BOF | Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs |
Flangvik/SharpDllProxy | Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading |
forrest-orr/phantom-dll-hollower-poc | Phantom DLL hollowing PoC |
GetRektBoy724/JALSI | JALSI - Just Another Lame Shellcode Injector |
GoodstudyChina/APC-injection-x86-x64 | injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC. |
jonatan1024/clrinject | Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process. |
jthuraisamy/SysWhispers | SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. |
jthuraisamy/SysWhispers2 | AV/EDR evasion via direct system calls. |
kyleavery/ThirdEye | Weaponizing CLRvoyance for Post-Ex .NET Execution |
magnusstubman/dll-exports | Collection of DLL function export forwards for DLL export function proxying |
mobdk/Sigma | Execute shellcode with ZwCreateSection, ZwMapViewOfSection, ZwOpenProcess, ZwMapViewOfSection and ZwCreateThreadEx |
monoxgas/sRDI | Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode |
Moriarty2016/NimRDI | RDI implementation in Nim |
passthehashbrowns/DInvokeProcessHollowing | This repository is an implementation of process hollowing shellcode injection using DInvoke from SharpSploit. DInvoke allows operators to use unmanaged code while avoiding suspicious imports or API hooking. |
sad0p/d0zer | Elf binary infector written in Golang |
stephenfewer/ReflectiveDLLInjection | Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process |
slyd0g/UrbanBishopLocal | A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop |
TheWover/GhostLoader | GhostLoader - AppDomainManager - Injection - 攻壳机动队 |
timwhitez/Doge-sRDI | Shellcode implementation of Reflective DLL Injection by Golang. Convert DLLs to position independent shellcode |
r3nhat/XORedReflectiveDLL | Reflective DLL Injection with obfuscated (XOR) shellcode |
Payload Generation
Link | Description |
BC-SECURITY/Empire | Empire is a PowerShell and Python post-exploitation agent. |
BC-SECURITY/Offensive-VBA-and-XLS-Entanglement | Offensive VBA and XLS Entanglement |
Binject/backdoorfactory | A from-scratch rewrite of The Backdoor Factory - a MitM tool for inserting shellcode into all types of binaries on the wire. |
BishopFox/sliver | Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. |
capt-meelo/Beaconator | A beacon generator using Cobalt Strike and PEzor. |
cedowens/Mythic-Macro-Generator | Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens |
connormcgarr/LittleCorporal | LittleCorporal: A C# Automated Maldoc Generator |
cseroad/bypassAV | 借助Win-PS2EXE项目编写cna脚本方便快速生成免杀可执行文件 |
cytopia/kusanagi | Kusanagi is a bind and reverse shell payload generator with obfuscation and badchar support. |
D00MFist/Mystikal | macOS Initial Access Payload Generator |
damienvanrobaeys/PS1-To-EXE-Generator | PS1 to EXE Generator: Create an EXE for your PS1 scripts |
erikgeiser/govenom | govenom is a msfvenom-inspired cross-platform payload generator toolkit written in Go |
forrest-orr/artifacts-kit | Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS. |
FortyNorthSecurity/EXCELntDonut | Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory. |
FortyNorthSecurity/hot-manchego | Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library. |
frkngksl/Huan | Encrypted PE Loader Generator |
GetRektBoy724/MeterPwrShell | Automated Tool That Generate The Perfect Powershell Payload |
gen0cide/gscript | framework to rapidly implement custom droppers for all three major operating systems |
glinares/InlineShapesPayload | VBA InlineShapes Payload Generator |
Greenwolf/ntlm_theft | A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf) |
hasherezade/masm_shc | A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints. |
infosecn1nja/MaliciousMacroMSBuild | Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. |
jfmaes/SharpLNKGen-UI | UI for creating LNKs |
jonaslejon/malicious-pdf | Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator |
l373/GIVINGSTORM | Infection vector that bypasses AV, IDS, and IPS. (For now...) |
mdsecactivebreach/SharpShooter | SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. |
med0x2e/GadgetToJScript | A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts. |
michaelweber/Macrome | Excel Macro Document Reader/Writer for Red Teamers & Analysts |
Mr-Un1k0d3r/MaliciousDLLGenerator | DLL Generator for side loading attack |
optiv/ScareCrow | ScareCrow - Payload creation framework designed around EDR bypass. |
Plazmaz/LNKUp | Generates malicious LNK file payloads for data exfiltration |
postrequest/xeca | PowerShell payload generator |
praetorian-inc/Matryoshka | Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads. |
redcanaryco/chain-reactor | Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints. |
redcode-labs/GoSH | Golang reverse/bind shell generator |
redcode-labs/SNOWCRASH | A polyglot payload generator |
s0lst1c3/dropengine | DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds. |
sevagas/macro_pack | macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation. |
STMSolutions/boobsnail | BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation. |
TheWover/donut | Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters |
trustedsec/unicorn | Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. |
Persistence
Link | Description |
0xthirteen/SharpStay | .NET project for installing Persistence |
360-Linton-Lab/Telemetry | TELEMETRY is a C# For Windows PERSISTENCE |
airzero24/PortMonitorPersist | PoC for Port Monitor Persistence |
ben0xa/doucme | This leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting the usri1_priv of the USER_INFO_1 type to 0x1000. The primary goal is to avoid the normal detection of new user created events (4720). |
CyborgSecurity/PoisonApple | Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cyber threat emulation purposes. |
djhohnstein/SharpSC | Simple .NET assembly to interact with services. |
fireeye/SharPersist | Windows persistence toolkit written in C#. |
panagioto/SyscallHide | Create a Run registry key with direct system calls. Inspired by @Cneelis's Dumpert and SharpHide. |
RedSection/printjacker | Hijack Printconfig.dll to execute shellcode |
slaeryan/MIDNIGHTTRAIN | Covert Stage-3 Persistence Framework |
vivami/OutlookParasite | Outlook persistence using VSTO add-ins |
Privilege Escalation
Link | Description |
0xbadjuju/Tokenvator | A tool to elevate privilege with Windows Tokens |
411Hall/JAWS | JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7. |
antonioCoco/RemotePotato0 | Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. |
antonioCoco/RogueWinRM | Windows Local Privilege Escalation from Service Account to System |
antonioCoco/RunasCs | RunasCs - Csharp and open version of windows builtin runas.exe |
carlospolop/privilege-escalation-awesome-scripts-suite | PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) |
CCob/SweetPotato | Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019 |
CMatri/Gotato | Generic impersonation and privilege escalation with Golang. Like GenericPotato both named pipes and HTTP are supported. |
eladshamir/Whisker | Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account. |
eloypgz/certi | Utility to play with ADCS, allows to request tickets and collect information about related objects. Basically, it's the impacket copy of Certify. Thanks to @harmj0y and @tifkin_ for its great work with ADCS. |
GhostPack/ForgeCert | ForgeCert uses the BouncyCastle C# API and a stolen Certificate Authority (CA) certificate + private key to forge certificates for arbitrary users capable of authentication to Active Directory. |
GoSecure/WSuspicious | WSuspicious - A tool to abuse insecure WSUS connections for privilege escalationsWSuspicious - A tool to abuse insecure WSUS connections for privilege escalations |
gtworek/Priv2Admin | Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS. |
hlldz/dazzleUP | A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. |
itm4n/PrivescCheck | Privilege Escalation Enumeration Script for Windows |
liamg/traitor | Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins |
sailay1996/delete2SYSTEM | Weaponizing for Arbitrary Files/Directories Delete bugs to Get NT AUTHORITY\SYSTEM |
S3cur3Th1sSh1t/SharpImpersonation | A User Impersonation tool - via Token or Shellcode injection |
slyd0g/PrimaryTokenTheft | Steal a primary token and spawn cmd.exe using the stolen token |
TsukiCTF/Lovely-Potato | Automating juicy potato local privilege escalation exploit for penetration testers. |
Defense Evasion
Link | Description |
0xZDH/redirect.rules | Quick and dirty dynamic redirect.rules generator |
89luca89/pakkero | Pakkero is a binary packer written in Go made for fun and educational purpose. Its main goal is to take in input a program file (elf binary, script, even appimage) and compress it, protect it from tampering and intrusion. |
AnErrupTion/LoGiC.NET | A more advanced free and open .NET obfuscator using dnlib. |
anthemtotheego/Detect-Hooks | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR |
api0cradle/UltimateAppLockerByPassList | The goal of this repository is to document the most common techniques to bypass AppLocker. |
Arvanaghi/CheckPlease | Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust. |
asaurusrex/DoppelGate | This project is designed to provide a method of extracting syscalls dynamically directly from on-disk ntdll. Userland hooks have become prevalent in many security products these days, and bypassing these hooks is a great way for red teamers/pentesters to bypass these defenses. |
asaurusrex/EDR_Userland_Hook_Checker | Project to check which Nt/Zw functions your local EDR is hooking |
audibleblink/dummyDLL | Utility for hunting UAC bypasses or COM/DLL hijacks that alerts on the exported function that was consumed. |
AzAgarampur/byeintegrity4-uac | Bypass UAC by abusing the Windows Defender Firewall Control Panel, environment variables, and shell protocol handlers |
AzAgarampur/byeintegrity8-uac | Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components |
Bashfuscator/Bashfuscator | A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team. |
bats3c/Ghost-In-The-Logs | Evade sysmon and windows event logginEvade sysmon and windows event loggingg |
BaumFX/cpp-anti-debug | anti debugging library in c++. |
BinaryScary/NET-Obfuscate | Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI |
bhumic/PErmutator | The goal of this project is to create a permutation engine for PE files. The engine should randomize the executable parts of the file. |
bohops/UltimateWDACBypassList | A centralized resource for previously documented WDAC bypass techniques |
boku7/injectAmsiBypass | Cobalt Strike BOF - Bypass AMSI in a remote process with code injection. |
br-sn/CheekyBlinder | Enumerating and removing kernel callbacks using signed vulnerable drivers |
c0de90e7/GhostWriting | GhostWriting Injection Technique. |
calebstewart/bypass-clm | PowerShell Constrained Language Mode Bypass |
CCob/SharpBlock | A method of bypassing EDR's active projection DLL's by preventing entry point execution. |
cipheras/obfus | Curated list of examples, tools, frameworks, etc in various languages with various techniques for obfuscation of RATs, malwares, etc. Only for learning purposes & red teaming. |
cnsimo/BypassUAC | Use ICMLuaUtil to Bypass UAC! |
cwolff411/powerob | An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity. |
cyberark/Evasor | A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies |
d00rt/ebfuscator | Ebfuscator: Abusing system errors for binary obfuscation |
d35ha/CallObfuscator | Obfuscate specific windows apis with different apis |
danielbohannon/Invoke-CradleCrafter | PowerShell Remote Download Cradle Generator & Obfuscator |
danielbohannon/Invoke-DOSfuscation | Cmd.exe Command Obfuscation Generator & Detection Test Harness |
DarthTon/Polychaos | PE permutation library |
dsnezhkov/zombieant | Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion. |
EgeBalci/Amber | amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode. |
EgeBalci/sgn | Shikata ga nai (仕方がない) encoder ported into go with several improvements |
FatRodzianko/SharpBypassUAC | C# tool for UAC bypasses |
ffuf/pencode | Complex payload encoder |
fireeye/OfficePurge | VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. |
GetRektBoy724/TripleS | Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk |
HackOvert/AntiDBG | A bunch of Windows anti-debugging tricks for x86 and x64. |
hlldz/Invoke-Phant0m | Windows Event Log Killer |
huntresslabs/evading-autoruns | Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017) |
jason-klein/signed-nsis-exe-append-payload | Append a custom data payload to a digitally signed NSIS .exe installer |
jfmaes/LazySign | Create fake certs for binaries using windows binaries and the power of bat files |
jfmaes/SharpNukeEventLog | nuke that event log using some epic dinvoke fu |
JoelGMSec/Invoke-Stealth | Simple & Powerful PowerShell Script Obfuscator |
jthuraisamy/TelemetrySourcerer | Enumerate and disable common sources of telemetry used by AV/EDR. |
karttoon/trigen | Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. |
klezVirus/chameleon | Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions. |
lawiet47/STFUEDR | Silence EDRs by removing kernel callbacks |
matterpreter/DefenderCheck | Identifies the bytes that Microsoft Defender flags on. |
matterpreter/SHAPESHIFTERmatterpreter/SHAPESHIFTER | Companion PoC for the "Adventures in Dynamic Evasion" blog post |
med0x2e/SigFlip | SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature. |
mdsecactivebreach/Chameleon | Chameleon: A tool for evading Proxy categorisation |
mdsecactivebreach/firewalker | This repo contains a simple library which can be used to add FireWalker hook bypass capabilities to existing code |
nccgroup/demiguise | HTA encryption tool for RedTeams |
NotPrab/.NET-Obfuscator | Lists of .NET Obfuscator (Free, Trial, Paid and Open Source ) |
OmerYa/Invisi-Shell | Hide your Powershell script in plain sight. Bypass all Powershell security features |
OsandaMalith/PE2HTML | Injects HTML/PHP/ASP to the PE |
peewpw/Invoke-PSImage | Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute |
PELock/JObfuscator-Python | JObfuscator is a source code obfuscator for the Java language. Protect Java source code & algorithms from hacking, cracking, reverse engineering, decompilation & technology theft. |
Pepitoh/VBad | VBA Obfuscation Tools combined with an MS office document generator |
phra/PEzor | Open-Source PE Packer |
PwnDexter/SharpEDRChecker | Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools. |
RedCursorSecurityConsulting/PPLKiller | Tool to bypass LSA Protection (aka Protected Process Light) |
secretsquirrel/SigThief | Stealing Signatures and Making One Invalid Signature at a Time |
slyd0g/SharpCrashEventLog | C# port of LogServiceCrash |
the-xentropy/xencrypt | A PowerShell script anti-virus evasion tool |
TheWover/CertStealer | A .NET tool for exporting and importing certificates without touching disk. |
tokyoneon/chimera | Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions. |
Tylous/Limelighter | A tool for generating fake code signing certificates or signing real ones |
Unknow101/FuckThatPacker | A simple python packer to easily bypass Windows Defender |
xct/morbol | Simple AV Evasion for PE Files |
Yaxser/Backstab | A tool to kill antimalware protected processes |
Yet-Zio/WusaBypassUAC | UAC bypass abusing WinSxS in "wusa.exe". |
zeroperil/HookDump | Security product hook detection |
zeroSteiner/crimson-forge | Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures. |
Credential Access
Link | Description |
aas-n/spraykatz | Credentials gathering tool automating remote procdump and parse of lsass process. |
Arvanaghi/SessionGopher | SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. |
b4rtik/SharpKatz | Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands |
b4rtik/SharpMiniDump | Create a minidump of the LSASS process from memory |
Barbarisch/forkatz | credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege |
blacklanternsecurity/TREVORspray | A featureful round-robin SOCKS proxy and Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API |
byt3bl33d3r/SprayingToolkit | Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient |
cube0x0/MiniDump | C# Lsass parser |
dafthack/MSOLSpray | A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. |
danf42/GetLsaSecrets | C# implementation of Get-LSASecrets originally written in PowerShell |
DanMcInerney/icebreaker | Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment |
deepinstinct/LsassSilentProcessExit | Command line interface to dump LSASS memory to disk via SilentProcessExit |
djhohnstein/1PasswordSuite | Utilities to extract secrets from 1Password |
eladshamir/Internal-Monologue | Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
fireeye/ADFSpoof | A python tool to forge AD FS security tokens. |
Flangvik/BetterSafetyKatz | Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. |
FSecureLABS/physmem2profit | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely |
FSecureLABS/SharpClipHistory | SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build. |
G0ldenGunSec/SharpSecDump | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py |
GhostPack/SafetyKatz | SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader |
GhostPack/SharpDump | SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. |
GhostPack/Rubeus | Rubeus is a C# toolset for raw Kerberos interaction and abusesRubeus is a C# toolset for raw Kerberos interaction and abuses |
gitjdm/dumper2020 | Yet another LSASS dumper |
G0ldenGunSec/SharpSecDump | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py |
GossiTheDog/HiveNightmare | Exploit allowing you to read registry hives as non-admin |
Hackndo/lsassy | Extract credentials from lsass remotely |
HunnicCyber/SharpDomainSpray | Basic password spraying tool for internal tests and red teaming |
IlanKalendarov/SharpHook | SharpHook is inspired by the SharpRDPThief project, It uses various API hooks in order to give us the desired credentials. |
itm4n/PPLdump | Dump the memory of a PPL with a userland exploit |
jfmaes/SharpHandler | Duplicating handles to dump LSASS since 2021 |
jfmaes/SharpRDPDump | Create a minidump of TermService for clear text pw extraction |
Kevin-Robertson/Inveigh | Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool |
knavesec/CredMaster | Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling |
m0rv4i/SafetyDump | Dump stuff without touching disk |
mdsecactivebreach/Farmer | Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients. |
nidem/kerberoast | Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does. |
oxfemale/LogonCredentialsSteal | LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file. |
peewpw/Invoke-WCMDump | PowerShell Script to Dump Windows Credentials from the Credential Manager |
Pickfordmatt/SharpLocker | SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike. |
PorLaCola25/TransactedSharpMiniDump | Implementation of b4rtiks's SharpMiniDump using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets. |
postrequest/safetydump | MiniDump a process in memory with rust |
putterpanda/mimikittenz | A post-exploitation powershell tool for extracting juicy info from memory. |
ricardojoserf/adfsbrute | A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks. |
ropnop/kerbrute | A tool to perform Kerberos pre-auth bruteforcing |
rvrsh3ll/SharpEdge | C# Implementation of Get-VaultCredential |
rvrsh3ll/TokenTactics | Azure JWT Token Manipulation Toolset |
rvrsh3ll/SharpSMBSpray | Spray a hash via smb to check for local administrator access |
S3cur3Th1sSh1t/RDPThiefInject | RDPThief donut shellcode inject into mstsc |
sec-consult/aggrokatz | Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon. |
secdev-01/Mimikore | .NET 5 Single file Application . Mimikatz or any Base64 PE Loader. |
shantanu561993/SharpLoginPrompt | This Program creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system. |
ShutdownRepo/smartbrute | Password spraying and bruteforcing tool for Active Directory Domain Services |
skelsec/pypykatz | Mimikatz implementation in pure Python |
SnaffCon/Snaffler | Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment). |
uknowsec/SharpDecryptPwd | 对密码已保存在 Windwos 系统上的部分程序进行解析,包括:Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品(Xshell,Xftp)。 |
ustayready/SharpHose | Asynchronous Password Spraying Tool in C# for Windows Environments |
Viralmaniar/Remote-Desktop-Caching- | This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allows Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen. |
w1u0u1/minidump | Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory. |
Lateral Movement
Link | Description |
0xcpu/winsmsd | Windows (ShadowMove) Socket Duplication |
0xthirteen/SharpMove | .NET Project for performing Authenticated Remote Execution |
0xthirteen/SharpRDP | Remote Desktop Protocol .NET Console Application for Authenticated Command Execution |
360-Linton-Lab/WMIHACKER | A Bypass Anti-virus Software Lateral Movement Command Execution Tool |
anthemtotheego/SharpExec | SharpExec is an offensive security C# tool designed to aid with lateral movement. |
bigb0sss/Bankai | Another Go Shellcode Loader |
bohops/WSMan-WinRM | A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object |
byt3bl33d3r/CrackMapExec | A swiss army knife for pentesting networks |
cube0x0/SharpMapExec | A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements. |
cobbr/SharpSploit | SharpSploit is a .NET post-exploitation library written in C# |
cyberark/shimit | A tool that implements the Golden SAML attack |
DefensiveOrigins/PlumHound | Bloodhound for Blue and Purple Teams |
FuzzySecurity/StandIn | StandIn is a small .NET35/45 AD post-exploitation toolkit |
improsec/ImproHound | Identify the attack paths in BloodHound breaking your AD tiering |
infosecn1nja/SharpDoor | SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file. |
klezVirus/CheeseTools | Self-developed tools for Lateral Movement/Code Execution |
knavesec/Max | Maximizing BloodHound. Max is a good boy. |
Mr-Un1k0d3r/SCShell | Fileless lateral movement tool that relies on ChangeServiceConfigA to run command |
netero1010/ServiceMove-BOF | New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution. |
RiccardoAncarani/TaskShell | TaskShell |
rvrsh3ll/SharpCOM | SharpCOM is a c# port of Invoke-DCOM |
ScorpionesLabs/DVS | D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects |
tothi/rbcd-attack | Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket |
Collection
Link | Description |
cisp/GetMail | 利用NTLM Hash读取Exchange邮件 |
djhohnstein/SharpChromium | .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins. |
OG-Sadpanda/SharpExcelibur | Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly |
OG-Sadpanda/SharpSword | Read the contents of DOCX files using Cobalt Strike's Execute-Assembly |
seastorm/PuttyRider | Hijack Putty sessions in order to sniff conversation and inject Linux commands. |
Command & Control
Link | Description |
3xpl01tc0d3r/Callidus | It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services. |
bats3c/shad0w | SHAD0W is a modular C2 framework designed to successfully operate on mature environments. |
blackbotinc/Atomic-Red-Team-Intelligence-C2 | ARTi-C2 is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR. |
byt3bl33d3r/SILENTTRINITY | An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR |
cedowens/C2_Cradle | Tool to download, install, and run macOS capable command & control servers (i.e., C2s with macOS payloads/clients) as docker containers from a list of options. This is helpful for automating C2 server setup. |
cobbr/C2Bridge | C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant. |
cobbr/Covenant | Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. |
Cr4sh/MicroBackdoor | Small and convenient C2 tool for Windows targets |
cyberark/kubesploit | Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments. |
DeimosC2/DeimosC2 | DeimosC2 is a Golang command and control framework for post-exploitation. |
fbkcs/ThunderDNS | This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support. |
gl4ssesbo1/Nebula | Cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS, but still working to allow testing other Cloud Providers and DevOps Components. |
its-a-feature/Mythic | A collaborative, multi-platform, red teaming framework |
kgretzky/pwndrop | Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. |
loseys/BlackMamba | BlackMamba is a multi client C2/post exploitation framework with some spyware features. Powered by Python 3.8.6 and QT Framework. |
mhaskar/DNSStager | DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. |
mhaskar/Octopus | Open source pre-operation C2 server based on python and powershell |
NetSPI/SQLC2 | SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent. |
nettitude/SharpSocks | Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell |
Ne0nd0g/merlin | Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. |
p3nt4/Nuages | A modular C2 framework |
Project Prismatica | Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility. |
pucarasec/zuthaka | Zuthaka is an open source application designed to assist red-teaming efforts, by simplifying the task of managing different APTs and other post-exploitation tools. |
r3nhat/GRAT2 | GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.5 |
sensepost/goDoH | godoh - A DNS-over-HTTPS C2 |
SpiderLabs/DoHC2 | DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). |
threatexpress/mythic2modrewrite | Generate Apache mod_rewrite rules for Mythic C2 profiles |
Tylous/SourcePoint | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. |
Exfiltration
Link | Description |
evilsocket/sg1 | A wanna be swiss army knife for data encryption, exfiltration and covert communication. |
hackerschoice/gsocket | Global Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls |
hackerschoice/gs-transfer | Secure File Transfer via Global Socket Bounce Network |
m57/dnsteal | DNS Exfiltration tool for stealthily sending files over DNS requests. |
mdsecactivebreach/RegistryStrikesBack | RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. It can be useful in exfiltrating config files such as to support actions like are described in the "Segmentation Vault" article on the MDSec Blog. |
pentestpartners/PTP-RAT | Exfiltrate data over screen interfaces. For more information. |
sensepost/DET | DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time. |
SySS-Research/Seth | Perform a MitM attack and extract clear text credentials from RDP connections |
veggiedefender/browsertunnel | Surreptitiously exfiltrate data from the browser over DNS |
vp777/procrustes | A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked. |