Red Teaming Toolkit

This document provides a summary of open-source security tools that could potentially be misused by threat actors for adversary simulation or cyber attacks. It includes tools for reconnaissance, initial access, payload development, and other phases of an attack. The document lists the tools' names, descriptions, and URLs. It is intended to help with threat hunting but warns the tools could enable illegal hacking activities if misused.

Uploaded by Marcia Méndez

This repository collects cutting-edge open-source security tools (OST) that help during adversary simulation and, as reference information for threat hunters, make building detection and prevention controls easier. The tools listed below could potentially be misused by threat actors such as APT groups and Human-Operated Ransomware (HumOR) operators. If you want to contribute to this list, send me a pull request.

Table of Contents

Reconnaissance
Initial Access
Delivery
Situational Awareness
Credential Dumping
Privilege Escalation
Defense Evasion
Persistence
Lateral Movement
Exfiltration
Miscellaneous

Reconnaissance

| Name | Description | URL |
| --- | --- | --- |
| RustScan | The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported). | https://tinyurl.com/yzm7jdhz |
| Amass | In-depth Attack Surface Mapping and Asset Discovery | https://tinyurl.com/y5ndjozr |
| gitleaks | Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repos. | https://tinyurl.com/y3bwm7nn |
| S3Scanner | Scan for open S3 buckets and dump the contents | https://tinyurl.com/y5snjrqp |
| cloud_enum | Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. | https://tinyurl.com/2olyguyl |
| Recon-ng | Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources. | https://tinyurl.com/yxj3nmhh |
| buster | An advanced tool for email reconnaissance | https://tinyurl.com/2dljxosh |
| linkedin2username | OSINT Tool: Generate username lists for companies on LinkedIn | https://tinyurl.com/2cnnegek |
| WitnessMe | Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier. | https://tinyurl.com/26mq7ogl |
| pagodo | pagodo (Passive Google Dork) - Automate Google Hacking Database scraping and searching | https://tinyurl.com/2n8gdxz4 |
| AttackSurfaceMapper | AttackSurfaceMapper is a tool that aims to automate the reconnaissance process. | https://tinyurl.com/yxmn4wbt |
| SpiderFoot | SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate. | https://tinyurl.com/krg6svm |
| dnscan | dnscan is a python wordlist-based DNS subdomain scanner. | https://tinyurl.com/27pqj6rc |
| spoofcheck | A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. | https://tinyurl.com/2b39ch7f |
| LinkedInt | LinkedIn Recon Tool | https://tinyurl.com/29qhcae6 |

Initial Access

Brute Force

| Name | Description | URL |
| --- | --- | --- |
| SprayingToolkit | Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient | https://tinyurl.com/2yzbkw8x |
| o365recon | Retrieve information via O365 with a valid cred | https://tinyurl.com/2yeuf5l4 |
| CredMaster | Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling | https://tinyurl.com/2d9th2aa |

Payload Development

| Name | Description | URL |
| --- | --- | --- |
| Ivy | Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. | https://tinyurl.com/2azxbnbh |
| PEzor | Open-Source PE Packer | https://tinyurl.com/26qzxmlt |
| GadgetToJScript | A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts. | https://tinyurl.com/26jmm2f4 |
| ScareCrow | Payload creation framework designed around EDR bypass. | https://tinyurl.com/y2467n9h |
| Donut | Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. | https://tinyurl.com/26tw6g8p |
| Mystikal | macOS Initial Access Payload Generator | https://tinyurl.com/24khapxe |
| charlotte | c++ fully undetected shellcode launcher ;) | https://tinyurl.com/23ev367q |
| InvisibilityCloak | Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio project. | https://tinyurl.com/25ocvug4 |
| Dendrobate | Dendrobate is a framework that facilitates the development of payloads that hook unmanaged code through managed .NET code. | https://tinyurl.com/2849xfbb |
| Offensive VBA and XLS Entanglement | This repo provides examples of how VBA can be used for offensive purposes beyond a simple dropper or shell injector. As we develop more use cases, the repo will be updated. | https://tinyurl.com/26t3tq3q |
| xlsGen | Tiny Excel BIFF8 Generator, to Embedded 4.0 Macros in *.xls | https://tinyurl.com/2axx5w65 |
| darkarmour | Windows AV Evasion | https://tinyurl.com/2xjkpxm4 |
| InlineWhispers | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) | https://tinyurl.com/27ewc7e4 |
| EvilClippy | A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows. | https://tinyurl.com/22yl7a3e |
| OfficePurge | VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. | https://tinyurl.com/263d2ojn |
| ThreatCheck | Identifies the bytes that Microsoft Defender / AMSI Consumer flags on. | https://tinyurl.com/25frxtwe |
| CrossC2 | Generate CobaltStrike's cross-platform payload | https://tinyurl.com/298zqfth |
| Ruler | Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. | https://tinyurl.com/hcq6kqc |
| DueDLLigence | Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe. | https://tinyurl.com/229qxfhl |
| RuralBishop | RuralBishop is practically a carbon copy of UrbanBishop by b33f, but all P/Invoke calls have been replaced with D/Invoke. | https://tinyurl.com/2ym6vkuc |
| TikiTorch | TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user. | https://tinyurl.com/25dm9lkx |
| SharpShooter | SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. | https://tinyurl.com/2aw56prh |
| SharpSploit | SharpSploit is a .NET post-exploitation library written in C# | https://tinyurl.com/2bjo8keq |
| MSBuildAPICaller | MSBuild Without MSBuild.exe | https://tinyurl.com/2yh26exz |
| macro_pack | macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of MS Office documents, VB scripts, and other formats for pentest, demo, and social engineering assessments. | https://tinyurl.com/ydb277y6 |
| inceptor | Template-Driven AV/EDR Evasion Framework | https://tinyurl.com/2afxaor4 |
| mortar | evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR) | https://tinyurl.com/27kz99de |
| ProtectMyTooling | Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable. | https://tinyurl.com/29g9eq88 |
| Freeze | Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods | https://tinyurl.com/2djf5w9d |

Delivery

Phishing

| Name | Description | URL |
| --- | --- | --- |
| o365-attack-toolkit | A toolkit to attack Office365 | https://tinyurl.com/25xqt4bf |
| Evilginx2 | Evilginx2 is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. | https://tinyurl.com/y8a84894 |
| Gophish | Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. | https://tinyurl.com/h5qdqxu |
| PwnAuth | PwnAuth a web application framework for launching and managing OAuth abuse campaigns. | https://tinyurl.com/27pnyga8 |
| Modlishka | Modlishka is a flexible and powerful reverse proxy, that will take your ethical phishing campaigns to the next level. | https://tinyurl.com/ydycmr5h |

Watering Hole Attack

| Name | Description | URL |
| --- | --- | --- |
| BeEF | BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser | https://tinyurl.com/bwmgtk3 |

Command and Control

Remote Access Tools (RAT)

| Name | Description | URL |
| --- | --- | --- |
| Cobalt Strike | Cobalt Strike is software for Adversary Simulations and Red Team Operations. | https://tinyurl.com/2yw9dkmp |
| Brute Ratel C4 | Brute Ratel is the most advanced Red Team & Adversary Simulation Software in the current C2 Market. | https://tinyurl.com/2ycmheog |
| Empire | Empire 5 is a post-exploitation framework that includes a pure-PowerShell Windows agent, and compatibility with Python 3.x Linux/OS X agents. | https://tinyurl.com/yckfweyv |
| PoshC2 | PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. | https://tinyurl.com/2xwn7vvu |
| Koadic | Koadic C3 COM Command & Control - JScript RAT | https://tinyurl.com/y86l7rk6 |
| merlin | Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go. | https://tinyurl.com/yd3836u8 |
| Mythic | A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI. | https://tinyurl.com/26u68uax |
| Covenant | Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. | https://tinyurl.com/2ytak3ya |
| shad0w | A post exploitation framework designed to operate covertly on heavily monitored environments | https://tinyurl.com/25l8hwyz |
| Sliver | Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. | https://tinyurl.com/y52ghpgo |
| SILENTTRINITY | An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR | https://tinyurl.com/yyr8vcrf |
| Pupy | Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python | https://tinyurl.com/p8zvzdo |
| Havoc | Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider. | https://tinyurl.com/2d99h72h |
| NimPlant | A light first-stage C2 implant written in Nim and Python | https://tinyurl.com/2xutf34p |
| SharpC2 | SharpC2 is a Command & Control (C2) framework written in C#. It consists of an ASP.NET Core Team Server, a .NET Framework implant, and a .NET MAUI client. | https://tinyurl.com/25qakora |

Staging

| Name | Description | URL |
| --- | --- | --- |
| pwndrop | Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. | https://tinyurl.com/29xl2ogz |
| C2concealer | A command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. | https://tinyurl.com/252ad3k5 |
| FindFrontableDomains | Search for potential frontable domains | https://tinyurl.com/2aguwj5a |
| Domain Hunter | Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names | https://tinyurl.com/yao3e538 |
| RedWarden | Flexible CobaltStrike Malleable Redirector | https://tinyurl.com/25o5tget |
| AzureC2Relay | AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. | https://tinyurl.com/2ywnzfp8 |
| C3 | C3 (Custom Command and Control) is a tool that allows Red Teams to rapidly develop and utilise esoteric command and control channels (C2). | https://tinyurl.com/y7noysve |
| Chameleon | A tool for evading Proxy categorisation | https://tinyurl.com/27gft6mr |
| Cobalt Strike Malleable C2 Design and Reference Guide | Cobalt Strike Malleable C2 Design and Reference Guide | https://tinyurl.com/27u6je3b |
| redirect.rules | Quick and dirty dynamic redirect.rules generator | https://tinyurl.com/26dfhoc3 |
| CobaltBus | Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus | https://tinyurl.com/22f4s3fn |
| SourcePoint | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. | https://tinyurl.com/22ye4t26 |
| RedGuard | RedGuard is a C2 front flow control tool, can avoid Blue Teams, AVs, EDRs check. | https://tinyurl.com/24ea6dud |
| skyhook | A round-trip obfuscated HTTP file transfer setup built to bypass IDS detections. | https://tinyurl.com/25talnbn |

Log Aggregation

| Name | Description | URL |
| --- | --- | --- |
| RedELK | Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations. | https://tinyurl.com/y4xsacbw |
| Elastic for Red Teaming | Repository of resources for configuring a Red Team SIEM using Elastic. | https://tinyurl.com/26c4v6fx |
| RedEye | RedEye is a visual analytic tool supporting Red & Blue Team operations | https://tinyurl.com/27rknale |

Situational Awareness

Host Situational Awareness

| Name | Description | URL |
| --- | --- | --- |
| AggressiveProxy | AggressiveProxy is a combination of a .NET 3.5 binary (LetMeOutSharp) and a Cobalt Strike aggressor script (AggressiveProxy.cna). Once LetMeOutSharp is executed on a workstation, it will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations. | https://tinyurl.com/284u7of2 |
| Gopher | C# tool to discover low hanging fruits | https://tinyurl.com/257ta5jf |
| SharpEDRChecker | Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools. | https://tinyurl.com/2cu7xwdc |
| Situational Awareness BOF | This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. | https://tinyurl.com/2xk8w9ps |
| Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | https://tinyurl.com/2cy2y49d |
| SauronEye | SauronEye is a search tool built to aid red teams in finding files containing specific keywords. | https://tinyurl.com/2cf8y6fy |
| SharpShares | Multithreaded C# .NET Assembly to enumerate accessible network shares in a domain | https://tinyurl.com/24yeptls |
| SharpAppLocker | C# port of the Get-AppLockerPolicy PowerShell cmdlet with extended features. Includes the ability to filter and search for a specific type of rules and actions. | https://tinyurl.com/2b3lonkk |
| SharpPrinter | Printer is a modified and console version of ListNetworks | https://tinyurl.com/24mxro94 |

Domain Situational Awareness

| Name | Description | URL |
| --- | --- | --- |
| StandIn | StandIn is a small AD post-compromise toolkit. StandIn came about because recently at xforcered we needed a .NET native solution to perform resource based constrained delegation. | https://tinyurl.com/2c53qruj |
| Recon-AD | An AD recon tool based on ADSI and reflective DLLs | https://tinyurl.com/2982t9yw |
| BloodHound | Six Degrees of Domain Admin | https://tinyurl.com/y2s37jeg |
| PSPKIAudit | PowerShell toolkit for auditing Active Directory Certificate Services (AD CS). | https://tinyurl.com/24faq6bz |
| SharpView | C# implementation of harmj0y's PowerView | https://tinyurl.com/26vlxhql |
| Rubeus | Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). | https://tinyurl.com/2a6ka5my |
| nanorobeus | A minimalistic tool for managing Kerberos tickets. Supports redteam frameworks | https://tinyurl.com/22g5ests |
| Grouper | A PowerShell script for helping to find vulnerable settings in AD Group Policy. (deprecated, use Grouper2 instead!) | https://tinyurl.com/28nvx8yj |
| ImproHound | Identify the attack paths in BloodHound breaking your AD tiering | https://tinyurl.com/25zb4lm9 |
| ADRecon | ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment. | https://tinyurl.com/y58q9ta2 |
| ADCSPwn | A tool to escalate privileges in an active directory network by coercing authentication from machine accounts (Petitpotam) and relaying to the certificate service. | https://tinyurl.com/2bqqh3vo |

Credential Dumping

| Name | Description | URL |
| --- | --- | --- |
| Mimikatz | Mimikatz is an open-source application that allows users to view and save authentication credentials like Kerberos tickets. | https://tinyurl.com/qdf539r |
| Dumpert | LSASS memory dumper using direct system calls and API unhooking. | https://tinyurl.com/25skm2fu |
| CredBandit | CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. | https://tinyurl.com/2xzh7tq9 |
| CloneVault | CloneVault allows a red team operator to export and import entries including attributes from Windows Credential Manager. | https://tinyurl.com/2aehdhwj |
| SharpLAPS | Retrieve LAPS password from LDAP | https://tinyurl.com/2bbhn38h |
| SharpDPAPI | SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project. | https://tinyurl.com/287ldu65 |
| KeeThief | Allows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration of the KeePass trigger system. | https://tinyurl.com/2xl9j27x |
| SafetyKatz | SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader. | https://tinyurl.com/26fbe6v7 |
| forkatz | credential dump using forshaw technique using SeTrustedCredmanAccessPrivilege | https://tinyurl.com/29wvdke3 |
| PPLKiller | Tool to bypass LSA Protection (aka Protected Process Light) | https://tinyurl.com/ya2ej9r7 |
| LaZagne | The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. | https://tinyurl.com/m9k4zzr |
| AndrewSpecial | AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cilence" since 2019. | https://tinyurl.com/27eujsm2 |
| Net-GPPPassword | .NET implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. | https://tinyurl.com/2abvhehm |
| SharpChromium | .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins. | https://tinyurl.com/2bfknzyz |
| Chlonium | Chlonium is an application designed for cloning Chromium Cookies. | https://tinyurl.com/27w2ftmf |
| SharpCloud | SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute. | https://tinyurl.com/274l2ese |
| pypykatz | Mimikatz implementation in pure Python. At least a part of it :) | https://tinyurl.com/yxp3rds4 |
| nanodump | A Beacon Object File that creates a minidump of the LSASS process. | https://tinyurl.com/29kwh76f |
| Koh | Koh is a C# and Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage. | https://tinyurl.com/23lahjkx |

Privilege Escalation

| Name | Description | URL |
| --- | --- | --- |
| ElevateKit | The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload. | https://tinyurl.com/256p5ml6 |
| Watson | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities. | https://tinyurl.com/25vcv3qu |
| SharpUp | SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented. | https://tinyurl.com/2c9e5rfo |
| dazzleUP | A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. dazzleUP detects the following vulnerabilities. | https://tinyurl.com/26d6mvzq |
| PEASS | Privilege Escalation Awesome Scripts SUITE (with colors) | https://tinyurl.com/27s758x3 |
| SweetPotato | A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM | https://tinyurl.com/26gksp5m |
| MultiPotato | Another Potato to get SYSTEM via SeImpersonate privileges | https://tinyurl.com/25ykdfoc |
| KrbRelayUp | a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). | https://tinyurl.com/2746ujpv |
| GodPotato | As Long as You Have the ImpersonatePrivilege Permission, Then You are the SYSTEM! | https://tinyurl.com/2a3qo93f |

Defense Evasion

| Name | Description | URL |
| --- | --- | --- |
| RefleXXion | RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. | https://tinyurl.com/2y5sjv9 |
| EDRSandBlast | EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. | https://tinyurl.com/yxpfjqu |
| unDefender | Killing your preferred antimalware by abusing native symbolic links and NT paths. | https://tinyurl.com/2cgmpq |
| Backstab | A tool to kill antimalware protected processes | https://tinyurl.com/268u7e |
| SPAWN - Cobalt Strike BOF | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. | https://tinyurl.com/23uopa |
| BOF.NET - A .NET Runtime for Cobalt Strike's Beacon Object Files | BOF.NET is a small native BOF object combined with the BOF.NET managed runtime that enables the development of Cobalt Strike BOFs directly in .NET. BOF.NET removes the complexity of native compilation along with the headaches of manually importing native API. | https://tinyurl.com/26xb9e |
| NetLoader | Loads any C# binary from filepath or url, patching AMSI and bypassing Windows Defender on runtime | https://tinyurl.com/y82o85 |
| FindObjects-BOF | A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. | https://tinyurl.com/2676lyh |
| SharpUnhooker | C# Based Universal API Unhooker - Automatically Unhook API Hives (ntdll.dll, kernel32.dll, user32.dll, advapi32.dll, and kernelbase.dll). | https://tinyurl.com/29xqcq |
| EvtMute | Apply a filter to the events being reported by windows event logging | https://tinyurl.com/2cp8nr |
| InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strike's traditional fork and run execute-assembly module | https://tinyurl.com/24lowv |
| Phant0m | Windows Event Log Killer | https://tinyurl.com/2agf2ca |
| SharpBlock | A method of bypassing EDR's active projection DLLs by preventing entry point execution. | https://tinyurl.com/2xrlfhn3 |
| NtdllUnpatcher | Example code for EDR bypassing, please use this for testing blue team detection capabilities against this type of malware that will bypass EDR's userland hooks. | https://tinyurl.com/2cc67t5 |
| DarkLoadLibrary | LoadLibrary for offensive operations. | https://tinyurl.com/29f5aa |
| BlockETW | .Net 3.5 / 4.5 Assembly to block ETW telemetry in a process | https://tinyurl.com/28h9oy |
| firewalker | This repo contains a simple library which can be used to add FireWalker hook bypass capabilities to existing code | https://tinyurl.com/24zwyd |
| KillDefenderBOF | Beacon Object File PoC implementation of KillDefender | https://tinyurl.com/254rgs |
| Mangle | Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs | https://tinyurl.com/25g433 |
| AceLdr | Cobalt Strike UDRL for memory scanner evasion. | https://tinyurl.com/25lwcta |
| AtomLdr | A DLL loader with advanced evasive features | https://tinyurl.com/27ve8k |
| Inline-Execute-PE | Execute unmanaged Windows executables in CobaltStrike Beacons | https://tinyurl.com/28sez5 |
| SigFlip | SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc.) without invalidating or breaking the existing signature. | https://tinyurl.com/yelpyl9 |
| Blackout | kill anti-malware protected processes (BYOVD) | https://tinyurl.com/2cqp7q |

Persistence

| Name | Description | URL |
| --- | --- | --- |
| SharpStay | .NET project for installing Persistence | https://tinyurl.com/234qsrnb |
| SharPersist | Windows persistence toolkit written in C#. | https://tinyurl.com/24jrb44l |
| SharpHide | Tool to create hidden registry keys. | https://tinyurl.com/24ow3byf |
| DoUCMe | This leverages the NetUserAdd Win32 API to create a new computer account. This is done by setting the usri1_priv of the USER_INFO_1 type to 0x1000. | https://tinyurl.com/24vrev87 |
| A Black Path Toward The Sun | TCP tunneling over HTTP for web application servers | https://tinyurl.com/2ac5jszu |
| pivotnacci | A tool to make socks connections through HTTP agents | https://tinyurl.com/29sxnrzh |
| reGeorg | The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn. | https://tinyurl.com/2edz9l8v |
| DAMP | The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification. | https://tinyurl.com/26o4elg5 |
| IIS-Raid | A native backdoor module for Microsoft IIS (Internet Information Services) | https://tinyurl.com/29meqpj7 |
| SharPyShell | tiny and obfuscated ASP.NET webshell for C# web applications | https://tinyurl.com/yyqc93m8 |
| ScheduleRunner | A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation | https://tinyurl.com/2bvtmgrz |
| SharpEventPersist | Persistence by writing/reading shellcode from Event Log | https://tinyurl.com/28hnstvz |
| Kraken | Kraken, a modular multi-language webshell coded by @secu_x11. | https://tinyurl.com/2cgyzhrv |
| HiddenDesktop | HVNC for Cobalt Strike | https://tinyurl.com/28tnwo24 |

Lateral Movement

| Name | Description | URL |
|---|---|---|
| Liquid Snake | LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript | https://tinyurl.com/27cwd3ep |
| PowerUpSQL | A PowerShell Toolkit for Attacking SQL Server | https://tinyurl.com/2cxk8u4g |
| SQLRecon | A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation. | https://tinyurl.com/225yh7oz |
| SCShell | Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands | https://tinyurl.com/yzwwln6h |
| SharpRDP | Remote Desktop Protocol Console Application for Authenticated Command Execution | https://tinyurl.com/2ayeujmq |
| MoveKit | Movekit is an extension of built-in Cobalt Strike lateral movement by leveraging the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. | https://tinyurl.com/274exxr6 |
| SharpNoPSExec | Fileless command execution for lateral movement. | https://tinyurl.com/2dyyo9xa |
| Responder/MultiRelay | LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay. | https://tinyurl.com/zue3sty |
| impacket | Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. | https://tinyurl.com/yysqx7w7 |
| Farmer | Farmer is a project for collecting NetNTLM hashes in a Windows domain. | https://tinyurl.com/2yqphw5w |
| CIMplant | C# port of WMImplant which uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session. | https://tinyurl.com/2asyybbs |
| PowerLessShell | PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach. | https://tinyurl.com/y7x3j6gs |
| SharpGPOAbuse | SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO. | https://tinyurl.com/2y2ql39c |
| kerbrute | A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication | https://tinyurl.com/y66kz8ad |
| mssqlproxy | mssqlproxy is a toolkit aimed at performing lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse | https://tinyurl.com/2227m7f3 |
| Invoke-TheHash | PowerShell Pass The Hash Utils | https://tinyurl.com/27c4lb5u |
| InveighZero | .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers | https://tinyurl.com/28plsnyw |
| SharpSpray | SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike. | https://tinyurl.com/2bafaw2a |
| CrackMapExec | A swiss army knife for pentesting networks | https://tinyurl.com/ngzqxs2 |
| SharpAllowedToAct | A C# implementation of a computer object takeover through Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity) based on the research by @elad_shamir. | https://tinyurl.com/29yb2ccb |
| SharpRDPHijack | Sharp RDP Hijack is a proof-of-concept .NET/C# Remote Desktop Protocol (RDP) session hijack utility for disconnected sessions | https://tinyurl.com/2cpqddyw |
| CheeseTools | This repository has been made based on the already existing MiscTool, so big shout-out to rasta-mouse for releasing them and for giving me the right motivation to work on them. | https://tinyurl.com/24oanh6m |
| SharpSpray | SharpSpray is a Windows domain password spraying tool written in .NET C#. | https://tinyurl.com/29w6lkq8 |
| MalSCCM | This tool allows you to abuse local or remote SCCM servers to deploy malicious applications to hosts they manage. | https://tinyurl.com/2c8aomp5 |
| Coercer | A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods. | https://tinyurl.com/2bgpf2qb |
| SharpSploit | SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. | https://tinyurl.com/2bjo8keq |
| orpheus | Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types | https://tinyurl.com/27xf4lkn |
| Chisel | Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. | https://tinyurl.com/z6yl32k |
| frp | frp is a fast reverse proxy that allows you to expose a local server located behind a NAT or firewall to the Internet. | https://tinyurl.com/joc488x |

Exfiltration

| Name | Description | URL |
|---|---|---|
| SharpExfiltrate | Modular C# framework to exfiltrate loot over secure and trusted channels. | https://tinyurl.com/2b92bnao |
| DNSExfiltrator | Data exfiltration over DNS request covert channel | https://tinyurl.com/ybeyldvg |
| Egress-Assess | Egress-Assess is a tool used to test egress data detection capabilities. | https://tinyurl.com/y6zkl93s |

Miscellaneous

Threat-informed Defense

| Name | Description | URL |
|---|---|---|
| Tidal Cyber | Tidal Cyber helps enterprise organizations to define, measure, and improve their defenses to address the adversary behaviors that are most important to them. | https://tinyurl.com/22a8umc6 |
| Control Validation Compass | Threat modeling aide & purple team content repository, pointing security & intelligence teams to 10,000+ publicly-accessible technical and policy controls and 2,100+ offensive security tests, aligned with nearly 600 common attacker techniques | https://tinyurl.com/26t5m4ss |

Cloud

Amazon Web Services (AWS)

| Name | Description | URL |
|---|---|---|
| pacu | The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. | https://tinyurl.com/y7yo3rtg |
| CloudMapper | CloudMapper helps you analyze your Amazon Web Services (AWS) environments. | https://tinyurl.com/y9wjhuue |
| Enumerate IAM permissions | Enumerate the permissions associated with an AWS credential set | https://tinyurl.com/yy86zgea |

Azure

| Name | Description | URL |
|---|---|---|
| Azure AD Connect password extraction | This toolkit offers several ways to extract and decrypt stored Azure AD and Active Directory credentials from Azure AD Connect servers. | https://tinyurl.com/23gnev9q |
| Storm Spotter | Azure Red Team tool for graphing Azure and Azure Active Directory objects | https://tinyurl.com/25cekf4k |
| ROADtools | The Azure AD exploration framework. | https://tinyurl.com/2y3rddej |
| MicroBurst: A PowerShell Toolkit for Attacking Azure | A collection of scripts for assessing Microsoft Azure security | https://tinyurl.com/27zfacq2 |
| AADInternals | AADInternals PowerShell module for administering Azure AD and Office 365 | https://tinyurl.com/28rtsk82 |
| TeamFiltration | TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. | https://tinyurl.com/26pabg6g |
| MAAD Attack Framework | An attack tool for simple, fast & effective security testing of M365 & Azure AD. | https://tinyurl.com/2y53rvmy |

Adversary Emulation
| Name | Description | URL |
|---|---|---|
| Stratus Red Team | Stratus Red Team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner. | https://tinyurl.com/2d5om4mg |
| Prelude Operator | A Platform for Developer-first advanced security. Defend your organization by mimicking real adversarial attacks. | https://tinyurl.com/2cmqcehj |
| Prelude Build | An open source IDE for authoring, testing, and verifying production-ready security tests. | https://tinyurl.com/27uy9br5 |
| Caldera | An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. | https://tinyurl.com/y8jw9jc4 |
| APTSimulator | A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. | https://tinyurl.com/24hj2583 |
| Atomic Red Team | Small and highly portable detection tests mapped to the MITRE ATT&CK Framework. | https://tinyurl.com/yc7zduf8 |
| Network Flight Simulator | flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. | https://tinyurl.com/2af233j6 |
| Metta | A security preparedness tool to do adversarial simulation. | https://tinyurl.com/2agjmveq |
| Red Team Automation (RTA) | RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK. | https://tinyurl.com/24uefmgl |

Living Off the Land


| Name | Description | URL |
|---|---|---|
| Living Off The Land Drivers | Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks | https://tinyurl.com/24d9jlg8 |
| GTFOBins | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems | https://tinyurl.com/yccgv6ks |
| LOLBAS | The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques | https://tinyurl.com/y6ct9yf9 |
| Living Off Trusted Sites (LOTS) Project | Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. The list of websites below allows attackers to use their domain or subdomain | https://tinyurl.com/2yez2man |
| Filesec | Stay up-to-date with the latest file extensions being used by attackers. | https://tinyurl.com/248sbkdm |
| LOOBins | Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes. | https://tinyurl.com/29zyqza8 |
| WTFBins | WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not? This project aims to catalogue benign applications that exhibit suspicious behavior. These binaries can emit noise and false positives in threat hunting and automated detections. | https://tinyurl.com/24snt96n |
| Hijack Libs | This project provides a curated list of DLL Hijacking candidates | https://tinyurl.com/259ejgk7 |

Red Team Scripts


| Name | Description | URL |
|---|---|---|
| RedTeamCCode | Red Team C code repo | https://tinyurl.com/27wk5f92 |
| EDRs | This repo contains information about EDRs that can be useful during red team exercises. | https://tinyurl.com/2agzk2rt |
| Cobalt Strike Community Kit | Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike. | https://tinyurl.com/27jhmgw9 |

Red Team Infrastructure

| Name | Description | URL |
|---|---|---|
| Red Team Infrastructure Wiki | Wiki to collect Red Team infrastructure hardening resources | https://tinyurl.com/hha9dyk |

License

To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and
related or neighboring rights to this work.
