Red Teaming Toolkit

Table of Contents
Reconnaissance
Initial Access
Delivery
Situational Awareness
Credential Dumping
Privilege Escalation
Defense Evasion
Persistence
Lateral Movement
Exfiltration
Miscellaneous

Reconnaissance
Name Description URL
The Modern Port Scanner. Find
ports quickly (3 seconds at its
RustScan fastest). Run scripts through our https://github.com/RustScan/RustScan
scripting engine (Python, Lua,
Shell supported).
In-depth Attack Surface
Amass https://github.com/OWASP/Amass
Mapping and Asset Discovery
Gitleaks is a SAST tool for
detecting hardcoded secrets like
gitleaks https://github.com/zricethezav/gitleaks
passwords, api keys, and tokens
in git repos.
Scan for open S3 buckets and
S3Scanner https://github.com/sa7mon/S3Scanner
dump the contents
Multi-cloud OSINT tool.
Enumerate public resources in
cloud_enum https://github.com/initstring/cloud_enum
AWS, Azure, and Google
Cloud.
Name Description URL
Open Source Intelligence
gathering tool aimed at
Recon-ng reducing the time spent https://github.com/lanmaster53/recon-ng
harvesting information from
open sources.
An advanced tool for email
buster https://github.com/sham00n/buster
reconnaissance
OSINT Tool: Generate
linkedin2username username lists for companies on https://github.com/initstring/linkedin2username
LinkedIn
Web Inventory tool, takes
screenshots of webpages using
Pyppeteer (headless
WitnessMe https://github.com/byt3bl33d3r/WitnessMe
Chrome/Chromium) and
provides some extra bells &
whistles to make life easier.
pagodo (Passive Google Dork) -
Automate Google Hacking
pagodo https://github.com/opsdisk/pagodo
Database scraping and
searching
AttackSurfaceMapper is a tool
AttackSurfaceMapper that aims to automate the https://github.com/superhedgy/AttackSurfaceMapper
reconnaissance process.
SpiderFoot is an open source
intelligence (OSINT)
automation tool. It integrates
with just about every data
SpiderFoot https://github.com/smicallef/spiderfoot
source available and utilises a
range of methods for data
analysis, making that data easy
to navigate.
dnscan is a python wordlist-
dnscan https://github.com/rbsec/dnscan
based DNS subdomain scanner.
spoofcheck A program that checks if a https://github.com/BishopFox/spoofcheck
Name Description URL
domain can be spoofed from.
The program checks SPF and
DMARC records for weak
configurations that allow
spoofing.
LinkedInt LinkedIn Recon Tool https://github.com/vysecurity/LinkedInt

Initial Access

Brute Force
Name Description URL
Scripts to make password spraying attacks
SprayingToolkit against Lync/S4B, OWA & O365 a lot https://github.com/byt3bl33d3r/SprayingToolkit
quicker, less painful and more efficient
Retrieve information via O365 with a
o365recon https://github.com/nyxgeek/o365recon
valid cred
Refactored & improved CredKing
password spraying tool, uses FireProx
CredMaster https://github.com/knavesec/CredMaster
APIs to rotate IP addresses, stay
anonymous, and beat throttling

Payload Development

Name Description URL

Ivy is a payload creation
framework for the execution of
Ivy https://github.com/optiv/Ivy
arbitrary VBA (macro) source
code directly in memory.
PEzor Open-Source PE Packer https://github.com/phra/PEzor
A tool for generating .NET
serialized gadgets that can trigger
GadgetToJScript https://github.com/med0x2e/GadgetToJScript
.NET assembly load/execution
when deserialized using
Name Description URL
BinaryFormatter from
JS/VBS/VBA scripts.
Payload creation framework
ScareCrow https://github.com/optiv/ScareCrow
designed around EDR bypass.
Donut is a position-independent
code that enables in-memory
Donut execution of VBScript, JScript, https://github.com/TheWover/donut
EXE, DLL files and dotNET
assemblies.
macOS Initial Access Payload
Mystikal https://github.com/D00MFist/Mystikal
Generator
c++ fully undetected shellcode
charlotte https://github.com/9emin1/charlotte
launcher ;)
Proof-of-concept obfuscation
toolkit for C# post-exploitation
InvisibilityCloak tools. This will perform the below https://github.com/xforcered/InvisibilityCloak
actions for a C# visual studio
project.
Dendrobate is a framework that
facilitates the development of
Dendrobate payloads that hook unmanaged https://github.com/FuzzySecurity/Dendrobate
code through managed .NET
code.
This repo provides examples of
how VBA can be used for
Offensive VBA and offensive purposes beyond a https://github.com/BC-SECURITY/Offensive-VBA-
XLS Entanglement simple dropper or shell injector. and-XLS-Entanglement
As we develop more use cases,
the repo will be updated.
Tiny Excel BIFF8 Generator, to
xlsGen https://github.com/aaaddress1/xlsGen
Embedded 4.0 Macros in *.xls
darkarmour Windows AV Evasion https://github.com/bats3c/darkarmour
Tool for working with Direct
InlineWhispers https://github.com/outflanknl/InlineWhispers
System Calls in Cobalt Strike's
Name Description URL
Beacon Object Files (BOF)
A cross-platform assistant for
creating malicious MS Office
documents. Can hide VBA
EvilClippy macros, stomp VBA code (via P- https://github.com/outflanknl/EvilClippy
Code) and confuse macro
analysis tools. Runs on Linux,
OSX and Windows.
VBA purge your Office
documents with OfficePurge.
OfficePurge VBA purging removes P-code https://github.com/fireeye/OfficePurge
from module streams within
Office documents.
Identifies the bytes that Microsoft
ThreatCheck Defender / AMSI Consumer flags https://github.com/rasta-mouse/ThreatCheck
on.
Generate CobaltStrike's cross-
CrossC2 https://github.com/gloxec/CrossC2
platform payload
Ruler is a tool that allows you to
interact with Exchange servers
Ruler remotely, through either the https://github.com/sensepost/ruler
MAPI/HTTP or RPC/HTTP
protocol.
Shellcode runner framework for
application whitelisting bypasses
DueDLLigence and DLL side-loading. The https://github.com/fireeye/DueDLLigence
shellcode included in this project
spawns calc.exe.
RuralBishop is practically a
carbon copy of UrbanBishop by
RuralBishop https://github.com/rasta-mouse/RuralBishop
b33f, but all P/Invoke calls have
been replaced with D/Invoke.
TikiTorch was named in homage
TikiTorch https://github.com/rasta-mouse/TikiTorch
to CACTUSTORCH by Vincent
Name Description URL
Yiu. The basic concept of
CACTUSTORCH is that it
spawns a new process, allocates a
region of memory, then uses
CreateRemoteThread to run the
desired shellcode within that
target process. Both the process
and shellcode are specified by the
user.
SharpShooter is a payload
creation framework for the
retrieval and execution of
arbitrary CSharp source code.
SharpShooter https://github.com/mdsecactivebreach/SharpShooter
SharpShooter is capable of
creating payloads in a variety of
formats, including HTA, JS, VBS
and WSF.
SharpSploit is a .NET post-
SharpSploit https://github.com/cobbr/SharpSploit
exploitation library written in C#
MSBuildAPICaller MSBuild Without MSBuild.exe https://github.com/rvrsh3ll/MSBuildAPICaller
macro_pack is a tool by
@EmericNasi used to automatize
obfuscation and generation of MS
macro_pack Office documents, VB scripts, https://github.com/sevagas/macro_pack
and other formats for pentest,
demo, and social engineering
assessments.
Template-Driven AV/EDR
inceptor https://github.com/klezVirus/inceptor
Evasion Framework
evasion technique to defeat and
divert detection and prevention of
mortar https://github.com/0xsp-SRD/mortar
security products
(AV/EDR/XDR)
ProtectMyTooling Multi-Packer wrapper letting us https://github.com/mgeeky/ProtectMyTooling
Name Description URL
daisy-chain various packers,
obfuscators and other Red Team
oriented weaponry. Featured with
artifacts watermarking, IOCs
collection & PE Backdooring.
You feed it with your implant, it
does a lot of sneaky things and
spits out obfuscated executable.
Freeze is a payload toolkit for
bypassing EDRs using suspended
Freeze https://github.com/optiv/Freeze
processes, direct syscalls, and
alternative execution methods

Delivery

Phishing
Name Description URL
o365-
https://github.com/mdsecactivebreach/o365-
attack- A toolkit to attack Office365
attack-toolkit
toolkit
Evilginx2 is a man-in-the-middle attack
Evilginx2 framework used for phishing credentials and https://github.com/kgretzky/evilginx2
session cookies of any web service.
Gophish is an open-source phishing toolkit
designed for businesses and penetration testers.
Gophish It provides the ability to quickly and easily https://github.com/gophish/gophish
setup and execute phishing engagements and
security awareness training.
PwnAuth a web application framework for
PwnAuth launching and managing OAuth abuse https://github.com/fireeye/PwnAuth
campaigns.
Modlishka is a flexible and powerful reverse
Modlishka https://github.com/drk1wi/Modlishka
proxy, that will take your ethical phishing
Name Description URL
campaigns to the next level.

Watering Hole Attack

Name Description URL

BeEF is short for The Browser Exploitation Framework. It is a
BeEF https://github.com/beefproject/beef
penetration testing tool that focuses on the web browser

Command and Control

Remote Access Tools (RAT)
Name Description URL
Cobalt Strike is software for
Cobalt Strike Adversary Simulations and Red Team https://cobaltstrike.com/
Operations.
Brute Ratel is the most advanced Red
Brute Ratel C4 Team & Adversary Simulation https://bruteratel.com/
Software in the current C2 Market.
Empire 5 is a post-exploitation
framework that includes a pure-
Empire PowerShell Windows agent, and https://github.com/BC-SECURITY/Empire
compatibility with Python 3.x
Linux/OS X agents.
PoshC2 is a proxy aware C2
framework used to aid penetration
PoshC2 https://github.com/nettitude/PoshC2
testers with red teaming, post-
exploitation and lateral movement.
Koadic C3 COM Command &
Koadic https://github.com/zerosum0x0/koadic
Control - JScript RAT
Merlin is a cross-platform post-
merlin exploitation Command & Control https://github.com/Ne0nd0g/merlin
server and agent written in Go.
A cross-platform, post-exploit, red
Mythic teaming framework built with https://github.com/its-a-feature/Mythic
python3, docker, docker-compose,
Name Description URL
and a web browser UI.
Covenant is a .NET command and
control framework that aims to
highlight the attack surface of .NET,
Covenant make the use of offensive .NET https://github.com/cobbr/Covenant
tradecraft easier, and serve as a
collaborative command and control
platform for red teamers.
A post exploitation framework
shad0w designed to operate covertly on https://github.com/bats3c/shad0w
heavily monitored environments
Sliver is a general purpose cross-
platform implant framework that
Sliver https://github.com/BishopFox/sliver
supports C2 over Mutual-TLS,
HTTP(S), and DNS.
An asynchronous, collaborative post-
SILENTTRINITY exploitation agent powered by Python https://github.com/byt3bl33d3r/SILENTTRINITY
and .NET's DLR
Pupy is an opensource, cross-platform
(Windows, Linux, OSX, Android)
Pupy remote administration and post- https://github.com/n1nj4sec/pupy
exploitation tool mainly written in
python
Havoc is a modern and malleable
post-exploitation command and
Havoc https://github.com/HavocFramework/Havoc
control framework, created by
@C5pider.
A light first-stage C2 implant written
NimPlant https://github.com/chvancooten/NimPlant
in Nim and Python
SharpC2 is a Command & Control
(C2) framework written in C#. It
SharpC2 consists of an ASP.NET Core Team https://github.com/rasta-mouse/SharpC2
Server, a .NET Framework implant,
and a .NET MAUI client.
Staging

Name Description URL

Self-deployable file hosting
service for red teamers,
pwndrop allowing to easily upload and https://github.com/kgretzky/pwndrop
share payloads over HTTP and
WebDAV.
A command line tool that
generates randomized C2
C2concealer https://github.com/FortyNorthSecurity/C2concealer
malleable profiles for use in
Cobalt Strike.
Search for potential frontable
FindFrontableDomains https://github.com/rvrsh3ll/FindFrontableDomains
domains
Checks expired domains for
categorization/reputation and
Archive.org history to
Domain Hunter https://github.com/threatexpress/domainhunter
determine good candidates for
phishing and C2 domain
names
Flexible CobaltStrike
RedWarden https://github.com/mgeeky/RedWarden
Malleable Redirector
AzureC2Relay is an Azure
Function that validates and
relays Cobalt Strike beacon
AzureC2Relay traffic by verifying the https://github.com/Flangvik/AzureC2Relay
incoming requests based on a
Cobalt Strike Malleable C2
profile.
C3 (Custom Command and
Control) is a tool that allows
C3 Red Teams to rapidly develop https://github.com/FSecureLABS/C3
and utilise esoteric command
and control channels (C2).
Name Description URL
A tool for evading Proxy
Chameleon https://github.com/mdsecactivebreach/Chameleon
categorisation
Cobalt Strike Malleable
Cobalt Strike Malleable C2
C2 Design and https://github.com/threatexpress/malleable-c2/
Design and Reference Guide
Reference Guide
Quick and dirty dynamic
redirect.rules https://github.com/0xZDH/redirect.rules
redirect.rules generator
Cobalt Strike External C2
Integration With Azure
CobaltBus https://github.com/Flangvik/CobaltBus
Servicebus, C2 traffic via
Azure Servicebus
SourcePoint is a C2 profile
generator for Cobalt Strike
SourcePoint https://github.com/Tylous/SourcePoint
command and control servers
designed to ensure evasion.
RedGuard is a C2 front flow
RedGuard control tool,Can avoid Blue https://github.com/wikiZ/RedGuard
Teams,AVs,EDRs check.

Log Aggregation

Name Description URL

Red Team's SIEM - tool for Red
Teams used for tracking and alarming
RedELK about Blue Team activities as well as https://github.com/outflanknl/RedELK
better usability in long term
operations.
Elastic for Repository of resources for
Red configuring a Red Team SIEM using https://github.com/SecurityRiskAdvisors/RedTeamSIEM
Teaming Elastic.
RedEye is a visual analytic tool
RedEye supporting Red & Blue Team https://github.com/cisagov/RedEye
operations
Situational Awareness
Host Situational Awareness

Name Description URL

AggressiveProxy is a combination
of a .NET 3.5 binary
(LetMeOutSharp) and a Cobalt
Strike aggressor script
(AggressiveProxy.cna). Once
LetMeOutSharp is executed on a
AggressiveProxy https://github.com/EncodeGroup/AggressiveProxy
workstation, it will try to enumerate
all available proxy configurations
and try to communicate with the
Cobalt Strike server over HTTP(s)
using the identified proxy
configurations.
C# tool to discover low hanging
Gopher https://github.com/EncodeGroup/Gopher
fruits
Checks running processes, process
metadata, Dlls loaded into your
current process and the each DLLs
metadata, common install
directories, installed services and
SharpEDRChecker https://github.com/PwnDexter/SharpEDRChecker
each service binaries metadata,
installed drivers and each drivers
metadata, all for the presence of
known defensive products such as
AV's, EDR's and logging tools.
This Repo intends to serve two
Situational purposes. First it provides a nice set https://github.com/trustedsec/CS-Situational-
Awareness BOF of basic situational awareness Awareness-BOF
commands implemented in BOF.
Seatbelt is a C# project that
Seatbelt https://github.com/GhostPack/Seatbelt
performs a number of security
Name Description URL
oriented host-survey "safety checks"
relevant from both offensive and
defensive security perspectives.
SauronEye is a search tool built to
SauronEye aid red teams in finding files https://github.com/vivami/SauronEye
containing specific keywords.
Multithreaded C# .NET Assembly to
SharpShares enumerate accessible network shares https://github.com/mitchmoser/SharpShares
in a domain
C# port of the Get-AppLockerPolicy
PowerShell cmdlet with extended
SharpAppLocker features. Includes the ability to filter https://github.com/Flangvik/SharpAppLocker/
and search for a specific type of
rules and actions.
Printer is a modified and console
SharpPrinter https://github.com/rvrsh3ll/SharpPrinter
version of ListNetworks

Domain Situational Awareness

Name Description URL

StandIn is a small AD post-compromise
toolkit. StandIn came about because recently
StandIn at xforcered we needed a .NET native https://github.com/FuzzySecurity/StandIn
solution to perform resource based
constrained delegation.
An AD recon tool based on ADSI and
Recon-AD https://github.com/outflanknl/Recon-AD
reflective DLL’s
BloodHound Six Degrees of Domain Admin https://github.com/BloodHoundAD/BloodHound
PowerShell toolkit for auditing Active
PSPKIAudit https://github.com/GhostPack/PSPKIAudit
Directory Certificate Services (AD CS).
SharpView C# implementation of harmj0y's PowerView https://github.com/tevora-threat/SharpView
Rubeus is a C# toolset for raw Kerberos
Rubeus interaction and abuses. It is heavily adapted https://github.com/GhostPack/Rubeus
from Benjamin Delpy's Kekeo project (CC
Name Description URL
BY-NC-SA 4.0 license) and Vincent LE
TOUX's MakeMeEnterpriseAdmin project
(GPL v3.0 license).
A PowerShell script for helping to find
Grouper vulnerable settings in AD Group Policy. https://github.com/l0ss/Grouper
(deprecated, use Grouper2 instead!)
Identify the attack paths in BloodHound
ImproHound https://github.com/improsec/ImproHound
breaking your AD tiering
ADRecon is a tool which gathers information
about the Active Directory and generates a
ADRecon report which can provide a holistic picture of https://github.com/adrecon/ADRecon
the current state of the target AD
environment.
A tool to escalate privileges in an active
directory network by coercing authenticate
ADCSPwn https://github.com/bats3c/ADCSPwn
from machine accounts (Petitpotam) and
relaying to the certificate service.

Credential Dumping
Name Description URL
Mimikatz is an open-source
application that allows users to
Mimikatz https://github.com/gentilkiwi/mimikatz
view and save authentication
credentials like Kerberos tickets.
LSASS memory dumper using
Dumpert direct system calls and API https://github.com/outflanknl/Dumpert
unhooking.
CredBandit is a proof of concept
Beacon Object File (BOF) that
uses static x64 syscalls to
CredBandit https://github.com/xforcered/CredBandit
perform a complete in memory
dump of a process and send that
back through your already
Name Description URL
existing Beacon communication
channel.
CloneVault allows a red team
operator to export and import
CloneVault https://github.com/mdsecactivebreach/CloneVault
entries including attributes from
Windows Credential Manager.
Retrieve LAPS password from
SharpLAPS https://github.com/swisskyrepo/SharpLAPS
LDAP
SharpDPAPI is a C# port of some
SharpDPAPI DPAPI functionality from https://github.com/GhostPack/SharpDPAPI
@gentilkiwi's Mimikatz project.
Allows for the extraction of
KeePass 2.X key material from
KeeThief memory, as well as the https://github.com/GhostPack/KeeThief
backdooring and enumeration of
the KeePass trigger system.
SafetyKatz is a combination of
slightly modified version of
SafetyKatz https://github.com/GhostPack/SafetyKatz
@gentilkiwi's Mimikatz project
and @subtee's .NET PE Loader.
credential dump using forshaw
technique using
forkatz https://github.com/Barbarisch/forkatz
SeTrustedCredmanAccessPrivile
ge
Tool to bypass LSA Protection https://github.com/RedCursorSecurityConsulting/PPLKil
PPLKiller
(aka Protected Process Light) ler
The LaZagne project is an open
source application used to
LaZagne https://github.com/AlessandroZ/LaZagne
retrieve lots of passwords stored
on a local computer.
AndrewSpecial, dumping lsass'
AndrewSpecial memory stealthily and bypassing https://github.com/hoangprod/AndrewSpecial
"Cilence" since 2019.
Net- .NET implementation of Get- https://github.com/outflanknl/Net-GPPPassword
Name Description URL
GPPPassword GPPPassword. Retrieves the
plaintext password and other
information for accounts pushed
through Group Policy
Preferences.
.NET 4.0 CLR Project to retrieve
SharpChromiu
Chromium data, such as cookies, https://github.com/djhohnstein/SharpChromium
m
history and saved logins.
Chlonium is an application
Chlonium designed for cloning Chromium https://github.com/rxwx/chlonium
Cookies.
SharpCloud is a simple C# utility
for checking for the existence of
SharpCloud credential files related to Amazon https://github.com/chrismaddalena/SharpCloud
Web Services, Microsoft Azure,
and Google Compute.
Mimikatz implementation in pure
pypykatz https://github.com/skelsec/pypykatz
Python. At least a part of it :)
A Beacon Object File that creates
nanodump a minidump of the LSASS https://github.com/helpsystems/nanodump
process.
Koh is a C# and Beacon Object
File (BOF) toolset that allows for
Koh the capture of user credential https://github.com/GhostPack/Koh
material via purposeful
token/logon session leakage.

Privilege Escalation
Name Description URL
The Elevate Kit demonstrates how to use
ElevateKit third-party privilege escalation attacks with https://github.com/rsmudge/ElevateKit
Cobalt Strike's Beacon payload.
Watson Watson is a .NET tool designed to enumerate https://github.com/rasta-mouse/Watson
Name Description URL
missing KBs and suggest exploits for
Privilege Escalation vulnerabilities.
SharpUp is a C# port of various PowerUp
functionality. Currently, only the most
SharpUp common checks have been ported; no https://github.com/GhostPack/SharpUp
weaponization functions have yet been
implemented.
A tool that detects the privilege escalation
vulnerabilities caused by misconfigurations
dazzleUP and missing updates in the Windows https://github.com/hlldz/dazzleUP
operating systems. dazzleUP detects the
following vulnerabilities.
Privilege Escalation Awesome Scripts SUITE
PEASS https://github.com/carlospolop/PEASS-ng
(with colors)
A collection of various native Windows
SweetPotato privilege escalation techniques from service https://github.com/CCob/SweetPotato
accounts to SYSTEM
Another Potato to get SYSTEM via
MultiPotato https://github.com/S3cur3Th1sSh1t/MultiPotato
SeImpersonate privileges
a universal no-fix local privilege escalation in
KrbRelayUp windows domain environments where LDAP https://github.com/Dec0ne/KrbRelayUp
signing is not enforced (the default settings).

Defense Evasion

Name Description URL

RefleXXion is a utility designed to aid in
RefleXXion bypassing user-mode hooks utilised by https://github.com/hlldz/RefleXXion
AV/EPP/EDR etc.
EDRSandBlast is a tool written in C that
weaponize a vulnerable signed driver to https://github.com/wavestone-
EDRSandBlast
bypass EDR detections (Kernel callbacks cdt/EDRSandblast
and ETW TI provider) and LSASS
Name Description URL
protections.
Killing your preferred antimalware by
unDefender https://github.com/APTortellini/unDefender
abusing native symbolic links and NT paths.
A tool to kill antimalware protected
Backstab https://github.com/Yaxser/Backstab
processes
Cobalt Strike BOF that spawns a sacrificial
process, injects it with shellcode, and
SPAWN - executes payload. Built to evade
Cobalt Strike EDR/UserLand hooks by spawning https://github.com/boku7/spawn
BOF sacrificial process with Arbitrary Code
Guard (ACG), BlockDll, and PPID
spoofing.
BOF.NET is a small native BOF object
BOF.NET - A combined with the BOF.NET managed
.NET Runtime runtime that enables the development of
for Cobalt Cobalt Strike BOFs directly in .NET. https://github.com/CCob/BOF.NET
Strike's Beacon BOF.NET removes the complexity of native
Object Files compilation along with the headaches of
manually importing native API.
Loads any C# binary from filepath or url,
NetLoader patching AMSI and bypassing Windows https://github.com/Flangvik/NetLoader
Defender on runtime
A Cobalt Strike Beacon Object File (BOF)
FindObjects- project which uses direct system calls to https://github.com/outflanknl/FindObjects-
BOF enumerate processes for specific modules or BOF
process handles.
C# Based Universal API Unhooker -
Automatically Unhook API Hives https://github.com/GetRektBoy724/SharpUnh
SharpUnhooker
(ntdll.dll,kernel32.dll,user32.dll,advapi32.dl ooker
l,and kernelbase.dll).
Apply a filter to the events being reported
EvtMute https://github.com/bats3c/EvtMute
by windows event logging
InlineExecute- InlineExecute-Assembly is a proof of https://github.com/xforcered/InlineExecute-
Assembly concept Beacon Object File (BOF) that Assembly
Name Description URL
allows security professionals to perform in
process .NET assembly execution as an
alternative to Cobalt Strikes traditional fork
and run execute-assembly module
Phant0m Windows Event Log Killer https://github.com/hlldz/Phant0m
A method of bypassing EDR's active
SharpBlock projection DLL's by preventing entry point https://github.com/CCob/SharpBlock
execution.
Example code for EDR bypassing, please
use this for testing blue team detection
NtdllUnpatcher https://github.com/Kharos102/NtdllUnpatcher
capabilities against this type of malware
that will bypass EDR's userland hooks.
DarkLoadLibra
LoadLibrary for offensive operations. https://github.com/bats3c/DarkLoadLibrary
ry
.Net 3.5 / 4.5 Assembly to block ETW
BlockETW https://github.com/Soledge/BlockEtw
telemetry in a process
This repo contains a simple library which
https://github.com/mdsecactivebreach/firewal
firewalker can be used to add FireWalker hook bypass
ker
capabilities to existing code
KillDefenderB Beacon Object File PoC implementation of https://github.com/Cerbersec/KillDefenderBO
OF KillDefender F
Mangle is a tool that manipulates aspects of
Mangle compiled executables (.exe or DLL) to https://github.com/optiv/Mangle
avoid detection from EDRs
Cobalt Strike UDRL for memory scanner
AceLdr https://github.com/kyleavery/AceLdr
evasion.
CA DLL loader with advanced evasive
AtomLdr https://github.com/NUL0x4C/AtomLdr
features
Inline-Execute- Execute unmanaged Windows executables https://github.com/Octoberfest7/Inline-
PE in CobaltStrike Beacons Execute-PE

Persistence
Name Description URL
SharpStay .NET project for installing Persistence https://github.com/0xthirteen/SharpStay
Windows persistence toolkit written in
SharPersist https://github.com/fireeye/SharPersist
C#.
SharpHide Tool to create hidden registry keys. https://github.com/outflanknl/SharpHide
This leverages the NetUserAdd Win32
API to create a new computer account.
DoUCMe https://github.com/Ben0xA/DoUCMe
This is done by setting the usri1_priv
of the USER_INFO_1 type to 0x1000.
A Black Path (TCP tunneling over HTTP for web
https://github.com/nccgroup/ABPTTS
Toward The Sun application servers)
A tool to make socks connections
pivotnacci https://github.com/blackarrowsec/pivotnacci
through HTTP agents
The successor to reDuh, pwn a bastion
reGeorg webserver and create SOCKS proxies https://github.com/sensepost/reGeorg
through the DMZ. Pivot and pwn.
The Discretionary ACL Modification
Project: Persistence Through Host-
DAMP https://github.com/HarmJ0y/DAMP
based Security Descriptor
Modification.
A native backdoor module for
IIS-Raid Microsoft IIS (Internet Information https://github.com/0x09AL/IIS-Raid
Services)
tiny and obfuscated ASP.NET webshell
SharPyShell https://github.com/antonioCoco/SharPyShell
for C# web applications
A C# tool with more flexibility to
customize scheduled task for both
ScheduleRunner https://github.com/netero1010/ScheduleRunner
persistence and lateral movement in red
team operation
Persistence by writing/reading
SharpEventPersist https://github.com/improsec/SharpEventPersist
shellcode from Event Log
Kraken, a modular multi-language
Kraken https://github.com/kraken-ng/Kraken
webshell coded by @secu_x11.
Lateral Movement

Name Description URL

LiquidSnake is a tool that allows
operators to perform fileless lateral https://github.com/RiccardoAncarani/LiquidSn
Liquid Snake
movement using WMI Event ake
Subscriptions and GadgetToJScript
A PowerShell Toolkit for Attacking
PowerUpSQL https://github.com/NetSPI/PowerUpSQL
SQL Server
A C# MS SQL toolkit designed for
SQLRecon offensive reconnaissance and post- https://github.com/skahwah/SQLRecon
exploitation.
Fileless lateral movement tool that
SCShell relies on ChangeServiceConfigA to https://github.com/Mr-Un1k0d3r/SCShell
run command
Remote Desktop Protocol Console
SharpRDP Application for Authenticated https://github.com/0xthirteen/SharpRDP
Command Execution
Movekit is an extension of built in
Cobalt Strike lateral movement by
MoveKit leveraging the execute_assembly https://github.com/0xthirteen/MoveKit
function with the SharpMove and
SharpRDP .NET assemblies.
File less command execution for
SharpNoPSExec https://github.com/juliourena/SharpNoPSExec
lateral movement.
Responder/MultiRel LLMNR/NBT-NS/mDNS Poisoner
https://github.com/lgandx/Responder
ay and NTLMv1/2 Relay.
Impacket is a collection of Python
classes for working with network
protocols. Impacket is focused on
impacket providing low-level programmatic https://github.com/SecureAuthCorp/impacket
access to the packets and for some
protocols (e.g. SMB1-3 and MSRPC)
the protocol implementation itself.
Name Description URL
Farmer is a project for collecting
Farmer NetNTLM hashes in a Windows https://github.com/mdsecactivebreach/Farmer
domain.
C# port of WMImplant which uses
either CIM or WMI to query remote
https://github.com/FortyNorthSecurity/CIMpla
CIMplant systems. It can use provided
nt
credentials or the current user's
session.
PowerLessShell rely on MSBuild.exe
to remotely execute PowerShell
scripts and commands without https://github.com/Mr-
PowerLessShell
spawning powershell.exe. You can Un1k0d3r/PowerLessShell
also execute raw shellcode using the
same approach.
SharpGPOAbuse is a .NET
application written in C# that can be
used to take advantage of a user's edit
https://github.com/FSecureLABS/SharpGPOA
SharpGPOAbuse rights on a Group Policy Object
buse
(GPO) in order to compromise the
objects that are controlled by that
GPO.
A tool to quickly bruteforce and
enumerate valid Active Directory
kerbrute https://github.com/ropnop/kerbrute
accounts through Kerberos Pre-
Authentication
mssqlproxy is a toolkit aimed to
perform lateral movement in restricted
mssqlproxy environments through a compromised https://github.com/blackarrowsec/mssqlproxy
Microsoft SQL Server via socket
reuse
https://github.com/Kevin-Robertson/Invoke-
Invoke-TheHash PowerShell Pass The Hash Utils
TheHash
.NET IPv4/IPv6 machine-in-the- https://github.com/Kevin-
InveighZero
middle tool for penetration testers Robertson/InveighZero
Name Description URL
SharpSpray a simple code set to
perform a password spraying attack
SharpSpray against all users of a domain using https://github.com/jnqpblc/SharpSpray
LDAP and is compatible with Cobalt
Strike.
A swiss army knife for pentesting
CrackMapExec https://github.com/byt3bl33d3r/CrackMapExec
networks
A C# implementation of a computer
object takeover through Resource-
Based Constrained Delegation
SharpAllowedToAct (msDS- https://github.com/pkb1s/SharpAllowedToAct
AllowedToActOnBehalfOfOtherIdent
ity) based on the research by
@elad_shamir.
Sharp RDP Hijack is a proof-of-
concept .NET/C# Remote Desktop
SharpRDPHijack https://github.com/bohops/SharpRDPHijack
Protocol (RDP) session hijack utility
for disconnected sessions
This repository has been made basing
onto the already existing MiscTool, so
CheeseTools big shout-out to rasta-mouse for https://github.com/klezVirus/CheeseTools
releasing them and for giving me the
right motivation to work on them.
SharpSpray is a Windows domain
SharpSpray password spraying tool written in https://github.com/iomoath/SharpSpray
.NET C#.
This tool allows you to abuse local or
remote SCCM servers to deploy
MalSCCM https://github.com/nettitude/MalSCCM
malicious applications to hosts they
manage.
A python script to automatically
coerce a Windows server to
Coercer https://github.com/p0dalirius/Coercer
authenticate on an arbitrary machine
through 9 methods.
Name Description URL
SharpSploit is a .NET post-
exploitation library written in C# that
SharpSploit aims to highlight the attack surface of https://github.com/cobbr/SharpSploit
.NET and make the use of offensive
.NET easier for red teamers.
Bypassing Kerberoast Detections with
orpheus Modified KDC Options and https://github.com/trustedsec/orpheus
Encryption Types

Exfiltration

Name Description URL

Modular C# framework to exfiltrate loot
SharpExfiltrate https://github.com/Flangvik/SharpExfiltrate
over secure and trusted channels.
Data exfiltration over DNS request covert
DNSExfiltrator https://github.com/Arno0x/DNSExfiltrator
channel
Egress-Assess is a tool used to test egress https://github.com/FortyNorthSecurity/Egress-
Egress-Assess
data detection capabilities. Assess

Miscellaneous

Threat-informed Defense
Name Description URL
Tidal Cyber helps enterprise organizations to define,
Tidal Cyber measure, and improve their defenses to address the https://app.tidalcyber.com
adversary behaviors that are most important to them.
Threat modeling aide & purple team content repository,
Control pointing security & intelligence teams to 10,000+ publicly-
Validation accessible technical and policy controls and 2,100+ https://controlcompass.github.io
Compass offensive security tests, aligned with nearly 600 common
attacker techniques
Cloud
Amazon Web Services (AWS)
Name Description URL
The AWS exploitation framework,
Pacu designed for testing the security of https://github.com/RhinoSecurityLabs/pacu
Amazon Web Services environments.
CloudMapper helps you analyze your
CloudMapper Amazon Web Services (AWS) https://github.com/duo-labs/cloudmapper
environments.
Enumerate IAM Enumerate the permissions associated with https://github.com/andresriancho/enumerate-
permissions AWS credential set iam

Azure
Name Description URL
This toolkit offers several ways to
Azure AD Connect extract and decrypt stored Azure AD
https://github.com/fox-it/adconnectdump
password extraction and Active Directory credentials from
Azure AD Connect servers.
Azure Red Team tool for graphing
Storm Spotter Azure and Azure Active Directory https://github.com/Azure/Stormspotter
objects
ROADtools The Azure AD exploration framework. https://github.com/dirkjanm/ROADtools
MicroBurst: A
A collection of scripts for assessing
PowerShell Toolkit for https://github.com/NetSPI/MicroBurst
Microsoft Azure security
Attacking Azure
AADInternals PowerShell module for
AADInternals administering Azure AD and Office https://github.com/Gerenios/AADInternals
365
TeamFiltration is a cross-platform
framework for enumerating, spraying,
TeamFiltration https://github.com/Flangvik/TeamFiltration
exfiltrating, and backdooring O365
AAD accounts.
An attack tool for simple, fast &
MAAD Attack https://github.com/vectra-ai-
effective security testing of M365 &
Framework research/MAAD-AF
Azure AD.
Adversary Emulation
Name Description URL
Stratus Red Team is "Atomic Red
Stratus Red Team™" for the cloud, allowing to
https://github.com/DataDog/stratus-red-team
Team emulate offensive attack techniques in
a granular and self-contained manner.
A Platform for Developer-first
advanced security· Defend your
Prelude Operator https://www.preludesecurity.com/products/operator
organization by mimicking real
adversarial attacks.
An open source IDE for authoring,
Prelude Build testing, and verifying production- https://www.preludesecurity.com/products/build
ready security tests..
An automated adversary emulation
system that performs post-compromise
Caldera https://github.com/mitre/caldera
adversarial behavior within Windows
Enterprise networks.
A Windows Batch script that uses a
APTSimulator set of tools and output files to make a https://github.com/NextronSystems/APTSimulator
system look as if it was compromised.
Small and highly portable detection
Atomic Red
tests mapped to the Mitre ATT&CK https://github.com/redcanaryco/atomic-red-team
Team
Framework.
flightsim is a lightweight utility used
to generate malicious network traffic
Network Flight
and help security teams to evaluate https://github.com/alphasoc/flightsim
Simulator
security controls and network
visibility.
A security preparedness tool to do
Metta https://github.com/uber-common/metta
adversarial simulation.
RTA provides a framework of scripts
Red Team
designed to allow blue teams to test
Automation https://github.com/endgameinc/RTA
their detection capabilities against
(RTA)
malicious tradecraft, modeled after
Name Description URL
MITRE ATT&CK.

Living Off the Living Off the Land

Name Description URL
Living Off The Land Drivers is a curated list of Windows
Living Off The
drivers used by adversaries to bypass security controls and https://www.loldrivers.io/
Land Drivers
carry out attacks
GTFOBins is a curated list of Unix binaries that can be used to
GTFOBins https://gtfobins.github.io
bypass local security restrictions in misconfigured systems
The goal of the LOLBAS project is to document every binary,
https://lolbas-
LOLBAS script, and library that can be used for Living Off The Land
project.github.io/
techniques
Attackers are using popular legitimate domains when
Living Off
conducting phishing, C&C, exfiltration and downloading tools
Trusted Sites https://lots-project.com
to evade detection. The list of websites below allow attackers
(LOTS) Project
to use their domain or subdomain
Stay up-to-date with the latest file extensions being used by
Filesec https://filesec.io/
attackers.
Living Off the Orchard: macOS Binaries (LOOBins) is
designed to provide detailed information on various built-in
LOOBins https://www.loobins.io/
macOS binaries and how they can be used by threat actors for
malicious purposes.
WTFBin(n): a binary that behaves exactly like malware,
except, somehow, it's not? This project aims to catalogue
WTFBins benign applications that exhibit suspicious behavior. These https://wtfbins.wtf/
binaries can emit noise and false positives in threat hunting and
automated detections.
This project provides an curated list of DLL Hijacking
Hijack Libs https://hijacklibs.net
candidates

Red Team Scripts

Name Description URL

RedTeamCCode Red Team C code repo https://github.com/Mr-
Name Description URL
Un1k0d3r/RedTeamCCode
This repo contains information about EDRs that https://github.com/Mr-
EDRs
can be useful during red team exercise. Un1k0d3r/EDRs
Community Kit is a central repository of
Cobalt Strike https://cobalt-
extensions written by the user community to
Community Kit strike.github.io/community_kit/
extend the capabilities of Cobalt Strike.

Red Team Infrastructure

Name Description URL
Red Team Wiki to collect Red Team https://github.com/bluscreenofjeff/Red-Team-
Infrastructure Wiki infrastructure hardening resources Infrastructure-Wiki