my-infosec-awesome/Offensive.md

64 KiB
Raw Blame History

Offensive Bookmark

This page will contain my bookmark for offensive tools, briefly categorized based on MITRE ATT&CK Enterprise Matrix. Some links and sections on README.md will be relocated to this page if it's related to offensive tactics and techniques.

Some tools can be categorized in more than one category. But because the current bookmark model doesn't support 1-to-many mapping, I will decide a tool's category based on its ultimate goal.

Reconnaissance/Discovery

Link Description
asaurusrex/Probatorum-EDR-Userland-Hook-Checker Project to check which Nt/Zw functions your local EDR is hooking
dev-2null/ADCollector A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending.
dirkjanm/ROADtools The Azure AD exploration framework.
djhohnstein/SharpShares Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
dsnezhkov/TruffleSnout Iterative AD discovery toolkit for offensive operations
GhostPack/Seatbelt Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
jaredhaight/scout A .NET assembly for performing recon against hosts on a network
mdsecactivebreach/sitrep SitRep is intended to provide a lightweight, extensible host triage alternative.
mez-0/SharpShares .NET 4.0 Share Hunting and ACL Mapping
nccgroup/Carnivore Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
NetSPI/goddi goddi (go dump domain info) dumps Active Directory domain information
outflanknl/Recon-AD Recon-AD, an AD recon tool based on ADSI and reflective DLLs
rasta-mouse/Watson Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilitiesEnumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
S3cur3Th1sSh1t/Invoke-Sharpcradle Load C# Code from a Webserver straight to memory and execute it there.
sophoslabs/metasploit_gather_exchange Metasploit Post-Exploitation Gather module for Exchange Server
stufus/reconerator C# Targeted Attack Reconnissance Tools
sud0woodo/DCOMrade Powershell script for enumerating vulnerable DCOM Applications
T0pCyber/hawk Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
tasox/LogRM LogRM is a post exploitation powershell script which it uses windows event logs to gather information about internal network
tevora-threat/SharpView C# implementation of harmj0y's PowerView
TonyPhipps/Meerkat A collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints.
ZeroPointSecurity/Domain-Enumeration-Tool Perform Windows domain enumeration via LDAP

Execution

Link Description
aeverj/NimShellCodeLoader Nim编写Windows平台shellcode免杀加载器
antonioCoco/SharPyShell SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
api0cradle/LOLBAS Living Off The Land Binaries and Scripts (and now also Libraries)
b1tg/rust-windows-shellcode Windows shellcode development in Rust
bohops/GhostBuild GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects
cdong1012/Crab-Runner Shellcode runner in Rust
checkymander/Zolom C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed
cobbr/SharpSploit SharpSploit is a .NET post-exploitation library written in C#
Cn33liz/p0wnedShell p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET)
cribdragg3r/Alaris A protective and Low Level Shellcode Loader the defeats modern EDR systems.
DamonMohammadbagher/NativePayload_Tinjection Remote Thread Injection by C#
D00MFist/Go4aRun Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process
dtrizna/easy-hollow Automated build for process hollowing shellcode loader. Build on top of TikiTorch and donut projects.
Flangvik/SharpCollection Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
FortyNorthSecurity/EDD Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
FuzzySecurity/PowerShell-Suite There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
GhostPack/SharpWMI SharpWMI is a C# implementation of various WMI functionality.
gigajew/WinXRunPE Two C# RunPE's capable of x86 and x64 injections
hausec/MaliciousClickOnceMSBuild Basic C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce.
JamesCooteUK/SharpSphere .NET Project for Attacking vCenter
jhalon/SharpCall Simple PoC demonstrating syscall execution in C#
jfmaes/SharpZipRunner Executes position independent shellcode from an encrypted zip
maxlandon/wiregost Golang Implant & Post-Exploitation Framework
mgeeky/Stracciatella OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
Mr-Un1k0d3r/RedTeamCSharpScripts C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable.
nccgroup/GTFOBLookup Offline command line lookup utility for GTFOBins
NVISOsecurity Marauders Map The Marauders Map is meant to be used on assessments where you have gained GUI access to an enviornment. The Marauders Map is a DLL written in C#, enriched by the DllExport project to export functions that can serve as an entrypoint of invocation for unmanaged code such as rundll32.
NYAN-x-CAT/Csharp-Loader Download a .NET payload and run it on memory
rasta-mouse/MiscTools Miscellaneous Tools
ropnop/go-sharp-loader.go Example Go program with multiple .NET Binaries embedded
rvrsh3ll/NoMSBuild MSBuild without MSbuild.exe
S3cur3Th1sSh1t/Nim_CBT_Shellcode CallBack-Techniques for Shellcode execution ported to Nim
scythe-io/memory-module-loader An implementation of a Windows loader that can load dynamic-linked libraries (DLLs) directly from memory
sh4hin/GoPurple Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions
snovvcrash/peas Modified version of PEAS client for offensive operations
xinbailu/DripLoader Evasive shellcode loader for bypassing event-based injection detection (PoC)

Manipulating Binary's Internal

Link Description
ajpc500/NimlineWhispers A very proof-of-concept port of InlineWhispers for using syscalls in Nim projects.
Akaion/Bleak A Windows native DLL injection library that supports several methods of injection.
Cybellum/DoubleAgent DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
DarthTon/Xenos Windows dll injector
Flangvik/SharpDllProxy Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
/forrest-orr/phantom-dll-hollower-poc Phantom DLL hollowing PoC
GoodstudyChina/APC-injection-x86-x64 injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC.
jonatan1024/clrinject Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
jthuraisamy/SysWhispers SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
jthuraisamy/SysWhispers2 AV/EDR evasion via direct system calls.
magnusstubman/dll-exports Collection of DLL function export forwards for DLL export function proxying
mobdk/Sigma Execute shellcode with ZwCreateSection, ZwMapViewOfSection, ZwOpenProcess, ZwMapViewOfSection and ZwCreateThreadEx
monoxgas/sRDI Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
stephenfewer/ReflectiveDLLInjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
slyd0g/UrbanBishopLocal A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop
TheWover/GhostLoader GhostLoader - AppDomainManager - Injection - 攻壳机动队
timwhitez/Doge-sRDI Shellcode implementation of Reflective DLL Injection by Golang. Convert DLLs to position independent shellcode
r3nhat/XORedReflectiveDLL Reflective DLL Injection with obfuscated (XOR) shellcode

Payload Generation

Link Description
BC-SECURITY/Empire Empire is a PowerShell and Python post-exploitation agent.
Binject/backdoorfactory A from-scratch rewrite of The Backdoor Factory - a MitM tool for inserting shellcode into all types of binaries on the wire.
BishopFox/sliver Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary.
cedowens/Mythic-Macro-Generator Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens
damienvanrobaeys/PS1-To-EXE-Generator PS1 to EXE Generator: Create an EXE for your PS1 scripts
erikgeiser/govenom govenom is a msfvenom-inspired cross-platform payload generator toolkit written in Go
forrest-orr/artifacts-kit Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
FortyNorthSecurity/EXCELntDonut Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
FortyNorthSecurity/hot-manchego Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
GetRektBoy724/MeterPwrShell Automated Tool That Generate The Perfect Powershell Payload
gen0cide/gscript framework to rapidly implement custom droppers for all three major operating systems
glinares/InlineShapesPayload VBA InlineShapes Payload Generator
Greenwolf/ntlm_theft A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)
hasherezade/masm_shc A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
infosecn1nja/MaliciousMacroMSBuild Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
l373/GIVINGSTORM Infection vector that bypasses AV, IDS, and IPS. (For now...)
mdsecactivebreach/SharpShooter SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
michaelweber/Macrome Excel Macro Document Reader/Writer for Red Teamers & Analysts
Mr-Un1k0d3r/MaliciousDLLGenerator DLL Generator for side loading attack
optiv/ScareCrow ScareCrow - Payload creation framework designed around EDR bypass.
Plazmaz/LNKUp Generates malicious LNK file payloads for data exfiltration
postrequest/xeca PowerShell payload generator
praetorian-inc/Matryoshka Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
redcanaryco/chain-reactor Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.
redcode-labs/SNOWCRASH A polyglot payload generator
sevagas/macro_pack macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation.
s0lst1c3/dropengine DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.
TheWover/donut Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
trustedsec/unicorn Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Persistence

Link Description
0xthirteen/SharpStay .NET project for installing Persistence
360-Linton-Lab/Telemetry TELEMETRY is a C# For Windows PERSISTENCE
airzero24/PortMonitorPersist PoC for Port Monitor Persistence
ben0xa/doucme This leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting the usri1_priv of the USER_INFO_1 type to 0x1000. The primary goal is to avoid the normal detection of new user created events (4720).
fireeye/SharPersist Windows persistence toolkit written in C#.
panagioto/SyscallHide Create a Run registry key with direct system calls. Inspired by @Cneelis's Dumpert and SharpHide.
RedSection/printjacker Hijack Printconfig.dll to execute shellcode
slaeryan/MIDNIGHTTRAIN Covert Stage-3 Persistence Framework
vivami/OutlookParasite Outlook persistence using VSTO add-ins

Privilege Escalation

Link Description
0xbadjuju/Tokenvator A tool to elevate privilege with Windows Tokens
411Hall/JAWS JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
antonioCoco/RemotePotato0 Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.
antonioCoco/RogueWinRM Windows Local Privilege Escalation from Service Account to System
antonioCoco/RunasCs RunasCs - Csharp and open version of windows builtin runas.exe
carlospolop/privilege-escalation-awesome-scripts-suite PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
CCob/SweetPotato Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
GoSecure/WSuspicious WSuspicious - A tool to abuse insecure WSUS connections for privilege escalationsWSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
hlldz/dazzleUP A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems.
itm4n/PrivescCheck Privilege Escalation Enumeration Script for Windows
liamg/traitor Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins
sailay1996/delete2SYSTEM Weaponizing for Arbitrary Files/Directories Delete bugs to Get NT AUTHORITY\SYSTEM
slyd0g/PrimaryTokenTheft Steal a primary token and spawn cmd.exe using the stolen token
TsukiCTF/Lovely-Potato Automating juicy potato local privilege escalation exploit for penetration testers.

Defense Evasion

Link Description
89luca89/pakkero Pakkero is a binary packer written in Go made for fun and educational purpose. Its main goal is to take in input a program file (elf binary, script, even appimage) and compress it, protect it from tampering and intrusion.
api0cradle/UltimateAppLockerByPassList The goal of this repository is to document the most common techniques to bypass AppLocker.
Arvanaghi/CheckPlease Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.
asaurusrex/DoppelGate This project is designed to provide a method of extracting syscalls dynamically directly from on-disk ntdll. Userland hooks have become prevalent in many security products these days, and bypassing these hooks is a great way for red teamers/pentesters to bypass these defenses.
asaurusrex/EDR_Userland_Hook_Checker Project to check which Nt/Zw functions your local EDR is hooking
Bashfuscator/Bashfuscator A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.
bats3c/Ghost-In-The-Logs Evade sysmon and windows event logginEvade sysmon and windows event loggingg
BinaryScary/NET-Obfuscate Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI
bhumic/PErmutator The goal of this project is to create a permutation engine for PE files. The engine should randomize the executable parts of the file.
bohops/UltimateWDACBypassList A centralized resource for previously documented WDAC bypass techniques
br-sn/CheekyBlinder Enumerating and removing kernel callbacks using signed vulnerable drivers
c0de90e7/GhostWriting GhostWriting Injection Technique.
calebstewart/bypass-clm PowerShell Constrained Language Mode Bypass
CCob/SharpBlock A method of bypassing EDR's active projection DLL's by preventing entry point execution.
cnsimo/BypassUAC Use ICMLuaUtil to Bypass UAC!
cwolff411/powerob An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity.
d00rt/ebfuscator Ebfuscator: Abusing system errors for binary obfuscation
d35ha/CallObfuscator Obfuscate specific windows apis with different apis
danielbohannon/Invoke-CradleCrafter PowerShell Remote Download Cradle Generator & Obfuscator
danielbohannon/Invoke-DOSfuscation Cmd.exe Command Obfuscation Generator & Detection Test Harness
DarthTon/Polychaos PE permutation library
dsnezhkov/zombieant Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion.
EgeBalci/Amber amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode.
ffuf/pencode Complex payload encoder
fireeye/OfficePurge VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents.
hlldz/Invoke-Phant0m Windows Event Log Killer
huntresslabs/evading-autoruns Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
JoelGMSec/Invoke-Stealth Simple & Powerful PowerShell Script Obfuscator
jthuraisamy/TelemetrySourcerer Enumerate and disable common sources of telemetry used by AV/EDR.
karttoon/trigen Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
lawiet47/STFUEDR Silence EDRs by removing kernel callbacks
matterpreter/DefenderCheck Identifies the bytes that Microsoft Defender flags on.
matterpreter/SHAPESHIFTERmatterpreter/SHAPESHIFTER Companion PoC for the "Adventures in Dynamic Evasion" blog post
mdsecactivebreach/Chameleon Chameleon: A tool for evading Proxy categorisation
mdsecactivebreach/firewalker This repo contains a simple library which can be used to add FireWalker hook bypass capabilities to existing code
nccgroup/demiguise HTA encryption tool for RedTeams
NotPrab/.NET-Obfuscator Lists of .NET Obfuscator (Free, Trial, Paid and Open Source )
OmerYa/Invisi-Shell Hide your Powershell script in plain sight. Bypass all Powershell security features
OsandaMalith/PE2HTML Injects HTML/PHP/ASP to the PE
peewpw/Invoke-PSImage Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
phra/PEzor Open-Source PE Packer
PwnDexter/SharpEDRChecker Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
RedCursorSecurityConsulting/PPLKiller Tool to bypass LSA Protection (aka Protected Process Light)
secretsquirrel/SigThief Stealing Signatures and Making One Invalid Signature at a Time
slyd0g/SharpCrashEventLog C# port of LogServiceCrash
the-xentropy/xencrypt A PowerShell script anti-virus evasion tool
TheWover/CertStealer A .NET tool for exporting and importing certificates without touching disk.
tokyoneon/chimera Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions.
Tylous/Limelighter A tool for generating fake code signing certificates or signing real ones
xct/morbol Simple AV Evasion for PE Files
zeroperil/HookDump Security product hook detection
zeroSteiner/crimson-forge Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures.

Credential Access

Link Description
aas-n/spraykatz Credentials gathering tool automating remote procdump and parse of lsass process.
Arvanaghi/SessionGopher SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
b4rtik/SharpKatz Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
b4rtik/SharpMiniDump Create a minidump of the LSASS process from memory
blacklanternsecurity/TREVORspray A featureful round-robin SOCKS proxy and Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API
byt3bl33d3r/SprayingToolkit Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
dafthack/MSOLSpray A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
DanMcInerney/icebreaker Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
deepinstinct/LsassSilentProcessExit Command line interface to dump LSASS memory to disk via SilentProcessExit
eladshamir/Internal-Monologue Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
fireeye/ADFSpoof A python tool to forge AD FS security tokens.
Flangvik/BetterSafetyKatz Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
FSecureLABS/physmem2profit Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
G0ldenGunSec/SharpSecDump .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
GhostPack/SafetyKatz SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader
GhostPack/SharpDump SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
GhostPack/Rubeus Rubeus is a C# toolset for raw Kerberos interaction and abusesRubeus is a C# toolset for raw Kerberos interaction and abuses
gitjdm/dumper2020 Yet another LSASS dumper
Hackndo/lsassy Extract credentials from lsass remotely
itm4n/PPLdump Dump the memory of a PPL with a userland exploit
jfmaes/SharpHandler Duplicating handles to dump LSASS since 2021
Kevin-Robertson/Inveigh Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
knavesec/CredMaster Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling
m0rv4i/SafetyDump Dump stuff without touching disk
mdsecactivebreach/Farmer Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients.
nidem/kerberoast Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.
oxfemale/LogonCredentialsSteal LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file.
peewpw/Invoke-WCMDump PowerShell Script to Dump Windows Credentials from the Credential Manager
PorLaCola25/TransactedSharpMiniDump Implementation of b4rtiks's SharpMiniDump using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets.
putterpanda/mimikittenz A post-exploitation powershell tool for extracting juicy info from memory.
ricardojoserf/adfsbrute A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks.
ropnop/kerbrute A tool to perform Kerberos pre-auth bruteforcing
sec-consult/aggrokatz Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon.
shantanu561993/SharpLoginPrompt This Program creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system.
skelsec/pypykatz Mimikatz implementation in pure Python
SnaffCon/Snaffler Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
uknowsec/SharpDecryptPwd 对密码已保存在 Windwos 系统上的部分程序进行解析,包括Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品Xshell,Xftp)。
ustayready/SharpHose Asynchronous Password Spraying Tool in C# for Windows Environments
Viralmaniar/Remote-Desktop-Caching- This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allows Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen.

Lateral Movement

Link Description
0xcpu/winsmsd Windows (ShadowMove) Socket Duplication
0xthirteen/SharpMove .NET Project for performing Authenticated Remote Execution
0xthirteen/SharpRDP Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
360-Linton-Lab/WMIHACKER A Bypass Anti-virus Software Lateral Movement Command Execution Tool
bohops/WSMan-WinRM A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object
byt3bl33d3r/CrackMapExec A swiss army knife for pentesting networks
cube0x0/SharpMapExec A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.
cobbr/SharpSploit SharpSploit is a .NET post-exploitation library written in C#
cyberark/shimit A tool that implements the Golden SAML attack
DefensiveOrigins/PlumHound Bloodhound for Blue and Purple Teams
infosecn1nja/SharpDoor SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file.
klezVirus/CheeseTools Self-developed tools for Lateral Movement/Code Execution
knavesec/Max Maximizing BloodHound. Max is a good boy.
Mr-Un1k0d3r/SCShell Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
RiccardoAncarani/TaskShell TaskShell
rvrsh3ll/SharpCOM SharpCOM is a c# port of Invoke-DCOM
ScorpionesLabs/DVS D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
tothi/rbcd-attack Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket

Collection

Link Description
djhohnstein/SharpChromium .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.

Command & Control

Link Description
3xpl01tc0d3r/Callidus It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services.
bats3c/shad0w SHAD0W is a modular C2 framework designed to successfully operate on mature environments.
blackbotinc/Atomic-Red-Team-Intelligence-C2 ARTi-C2 is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR.
byt3bl33d3r/SILENTTRINITY An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
cedowens/C2_Cradle Tool to download, install, and run macOS capable command & control servers (i.e., C2s with macOS payloads/clients) as docker containers from a list of options. This is helpful for automating C2 server setup.
cobbr/C2Bridge C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant.
cobbr/Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
cyberark/kubesploit Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
DeimosC2/DeimosC2 DeimosC2 is a Golang command and control framework for post-exploitation.
fbkcs/ThunderDNS This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.
kgretzky/pwndrop Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.
loseys/BlackMamba BlackMamba is a multi client C2/post exploitation framework with some spyware features. Powered by Python 3.8.6 and QT Framework.
mhaskar/Octopus Open source pre-operation C2 server based on python and powershell
NetSPI/SQLC2 SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
nettitude/SharpSocks Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
Ne0nd0g/merlin Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
p3nt4/Nuages A modular C2 framework
Project Prismatica Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility.
r3nhat/GRAT2 GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.5
sensepost/goDoH godoh - A DNS-over-HTTPS C2
SpiderLabs/DoHC2 DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).

Exfiltration

Link Description
evilsocket/sg1 A wanna be swiss army knife for data encryption, exfiltration and covert communication.
hackerschoice/gsocket Global Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls
hackerschoice/gs-transfer Secure File Transfer via Global Socket Bounce Network
m57/dnsteal DNS Exfiltration tool for stealthily sending files over DNS requests.
mdsecactivebreach/RegistryStrikesBack RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. It can be useful in exfiltrating config files such as to support actions like are described in the "Segmentation Vault" article on the MDSec Blog.
pentestpartners/PTP-RAT Exfiltrate data over screen interfaces. For more information.
sensepost/DET DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
SySS-Research/Seth Perform a MitM attack and extract clear text credentials from RDP connections
veggiedefender/browsertunnel
vp777/procrustes A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.