Some tools I found on GitHub and compiled.
| Tool Name | Description | Credit & Source |
|---|---|---|
| ADCollector | ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It will give you a basic understanding of the configuration/deployment of the environment as a starting point. | dev-2null |
| EDRHunt | EDRHunt scans Windows services, drivers, processes, and the registry for installed EDRs (Endpoint Detection and Response). | FourCoreLabs |
| PingCastle | Ping Castle is a tool designed to quickly assess the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather at an efficiency compromise. | vletoux |
| SharpEDRChecker | New and improved C# implementation of Invoke-EDRChecker. Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, and installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools. | PwnDexter |
| SharpHound | C# Data Collector for the BloodHound Project, Version 3 | BloodHoundAD |
| SharpShares | Multithreaded C# .NET Assembly to enumerate accessible network shares in a domain | mitchmoser |
| SharpShares2 | Enumerate all network shares in the current domain. Also, can resolve names to IP addresses. | djhohnstein |
| Tool Name | Description | Credit & Source |
|---|---|---|
| NetworkMiner | NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. | netresec |
| BruteShark | BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files, but it is also capable of directly live capturing from a network interface). It includes: password extracting, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline Brute Force attack. | odedshimon |
| Inveigh | .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers | Kevin-Robertson |
| SharpWebServer | Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality | mgeeky |
| TCPDUMP | TCPDUMP for Windows is built with our own traffic capture technology Packet Sniffer SDK, which is used in EtherSensor as well. We stopped selling Packet Sniffer SDK in 2008, after the first release of EtherSensor. Currently we are increasingly receiving requests to make PSSDK open-source, but we haven't decided yet. If you want to comment on this issue, please email us. | microolap |
| Tool Name | Description | Credit & Source |
|---|---|---|
| SweetPotato | A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM | CCob |
| dazzleUP | A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. | hlldz |
| Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | GhostPack |
| WinPEAS | WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz | carlospolop |
| Tool Name | Description | Credit & Source |
|---|---|---|
| Impacket-Windows | Standalone binaries for Windows of Impacket's examples | ropnop |
| SharpMapExec | A sharpened version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows, which is often a requirement during insider threat simulation engagements. | cube0x0 |
| Sysintenals_Selected | Advanced system utilities and technical information. Whether you're an IT Pro or a developer, you'll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications. | microsoft |
| kerbrute | A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication | ropnop |
| SharpNoPSExec | Fileless command execution for lateral movement. SharpNoPSExec will perform the lateral movement without touching disk and without creating a new service to avoid detection | juliourena |
| SharpRDPHijack | Sharp RDP Hijack is a proof-of-concept .NET/C# Remote Desktop Protocol (RDP) session hijack utility for disconnected sessions | bohops |
| SharpSpray | Active Directory password spraying tool. Auto fetches user list and avoids potential lockouts. | iomoath |
| Tool Name | Description | Credit & Source |
|---|---|---|
| Ghost-In-The-Logs | This tool allows you to evade sysmon and Windows event logging; my blog post about it can be found here | bats3c |
| Phant0m | Windows Event Log Killer | hlldz |
| PowerShx | Unmanaged PowerShell execution using DLLs or a standalone executable. PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provides functionalities for bypassing AMSI and running PS Cmdlets. | iomoath |
| unDefender | Killing your preferred antimalware by abusing native symbolic links and NT paths. | APTortellini |
| nopowershell | PowerShell rebuilt in C# for Red Teaming purposes | bitsadmin |
| PowerShdll | Run PowerShell with rundll32. Bypass software restrictions. | p3nt4 |
| SandBoxDefender | Sandboxing Defender (and probably other AV/EDRs) using Security Token manipulation. If you do use any of the code in these repositories keep it legal! | plackyhacker |
| Tool Name | Description | Credit & Source |
|---|---|---|
| donut | Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters | TheWover |
| MacroPhishing | Word resources for phishing with macros. Includes "Click Enable Content" bait and decoy document deployment. The bait was created by me, but inspired by cerber ransomware document samples. | TheKevinWang |
| mortar | red teaming evasion technique to defeat and divert detection and prevention of security products | 0xsp-SRD |
| ThreatCheck | Identifies the bytes that Microsoft Defender / AMSI Consumer flags on. | rasta-mouse |
| DefenderCheck | Identifies the bytes that Microsoft Defender flags on. | matterpreter |
| macro_pack | macro_pack is a tool used to automatize obfuscation and generation of retro formats such as MS Office documents or VBS like format. Now it also handles various shortcuts formats. This tool can be used for redteaming, pentests, demos, and social engineering assessments. macro_pack will simplify antimalware solutions bypass and automatize the process from vb source to final Office document or other payload type. | sevagas |
| SigPirate | Copy authenticode or Catalog signatures to unsigned binaries | xorrior |
| Skrull | Skrull is a malware DRM that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel | aaaddress1 |
| Tool Name | Description | Credit & Source |
|---|---|---|
| PR0CESS | some gadgets about windows process and ready to use :) | aaaddress1 |
| transacted_hollowing | Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging | hasherezade |
| RunPE-In-Memory | Run an Exe File (PE Module) in memory (like an Application Loader) | aaaddress1 |
| wowInjector | PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021) | aaaddress1 |
| RunPE | C# Reflective loader for unmanaged binaries. | nettitude |
| ThreadStackSpoofing | PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts | mgeeky |
| Tool Name | Description | Credit & Source |
|---|---|---|
| NanoDump | Dump LSASS like you mean it | helpsystems |
| outflanknl-Dumpert | LSASS memory dumper using direct system calls and API unhooking. | outflanknl |
| PPLdump | This tool implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping the memory of any PPL as an administrator. I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one discusses the bypass technique itself. - Blog post part #1: Do You Really Know About LSA Protection (RunAsPPL)? - Blog post part #2: Bypassing LSA Protection in Userland | itm4n |
| ATPMiniDump | Evading WinDefender ATP credential-theft | b4rtik |
| CQDumpHashV2 | Dump SAM Hashes | BlackDiverX |
| Dump | Simple LSASS Dumper created using C++ as an alternative to using Mimikatz memory dumper | Hifumi1337 |
| DumpNParse | A Combination LSASS Dumper and LSASS Parser. All Credit goes to @slyd0g and @cube0x0. | icyguider |
| lsass-dumper | Dump lsass.exe, generating a file with the hostname and date in txt format, using C++. | ricardojoserf |
| LsassSilentProcessExit | New method of causing WerFault.exe to dump lsass.exe process memory to disk for credentials extraction via the silent process exit mechanism without crashing lsass. | deepinstinct |
| LsassUnhooker | Little program written in C# to bypass EDR hooks and dump the content of the lsass process | roberreigada |
| SharoSecDump | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py | G0ldenGunSec |
| SharpHandler | The tool is now live, but still in beta. I would not recommend using this in opsec heavy engagements for now :P you'll look like a fool if this tool flunks and you burn your opsec ;) | jfmaes |
Mimikatz Style Tools

| Tool Name | Description | Credit & Source |
|---|---|---|
| mimikatz | A little tool to play with Windows security + Mimikatz log parser, written in JS, hosted in a browser (Works Offline) | gentilkiwi |
| BetterSafetyKatz | Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. | Flangvik |
| MagnusKatz | Research project for understanding how Mimikatz works and being better at C | magnusstubman |
| SafetyKatz | SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader | GhostPack |
| SharpKatz | Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands | b4rtik |