1. LazyCSRF (A more useful CSRF PoC generator for Burp Suite).
2. burp-log4shell (Log4Shell scanner for Burp Suite).
1. wsh (Web shell generator and command line interface).
2. PwnShell (PwnShell is a powerful RevShell bruteforcer and connection handler).
3. Rome WebShell (Lightweight PHP webshell, using only vanilla JavaScript and CSS, no jQuery/Bootstrap bloat).
1. SQLRecon (A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation).
1. MobSF
2. Adhrit (Android Security Suite for in-depth reconnaissance and static bytecode analysis based on Ghera benchmarks).
3. objection
4. Dexcalibur (Android reverse engineering platform focused on instrumentation automation).
5. Runtime Mobile Security (RMS) (Powered by Frida. Web interface that helps you to manipulate Android and iOS Apps at Runtime).
6. APKLeaks (Scanning APK file for URIs, endpoints & secrets).
7. rustyIron (Communication framework for navigating MobileIron’s MDM authentication methods).
8. iPwn (A Framework meant for the exploitation of iOS devices).
1. Echo Mirage (Intercept Windows thick clients).
2. mitm_relay (Hackish way to intercept and modify non-HTTP protocols through Burp & others).
3. MITM_Intercept (A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others).
1. Bucketbunny
1. kube-hunter
2. Peirates
3. CDK
4. Falco
5. kubestriker
6. Popeye (Scans live Kubernetes cluster and reports potential issues with deployed resources and configurations).
7. mesh-kridik (Open-source security checker that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules).
8. Kubescape (open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualiser and image vulnerabilities scanning).
1. ScoutSuite
2. CloudSploit
3. PurplePanda (Identify privilege escalation paths within and across different clouds).
4. Pacu (The AWS exploitation framework, designed for testing the security of Amazon Web Services environments).
5. Cloudsplaining (Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report).
6. Red-Shadow (AWS IAM Vulnerability Scanner).
7. Scour (Modern module based AWS exploitation framework written in golang, designed for red team testing and blue team analysis).
8. s3sec (Check AWS S3 instances for read/write/delete access).
9. o365creeper (Python script used to validate email accounts that belong to Office 365 tenants).
10. msmailprobe (Office 365 and Exchange user enumeration).
11. TREVORspray (O365 password spraying).
12. Spray365 (Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD)).
13. 365-Stealer (Perform illicit consent grant attacks to steal outlook mails, attachments, OneDrive files, OneNote notes and inject macros).
14. MailSniper (Penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc)).
15. o365recon (Retrieve information via O365 with valid credentials).
16. Go365 (Perform user enumeration and password guessing attacks on organizations that use Office365 (now/soon Microsoft365)).
17. AADInternals (PowerShell module for administering Azure AD and Office 365).
18. AzureHound (BloodHound ingestor for Azure).
19. ROADtools (The Azure AD exploration framework).
20. aad-sso-enum-brute-spray (POC of SecureWorks’ recent Azure Active Directory password brute-forcing vuln).
21. Azure AD RedTeam Enumeration Script (Query all aspects of your target Azure tenant).
22. BlobHunter (Find exposed data in Azure with this public blob scanner).
23. PowerZure (PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure).
24. Microsoft Azure AD Conditional Access Validator
25. CRT (Azure AD/Microsoft Office 365).
26. Stormspotter (Azure Red Team tool for graphing Azure and Azure Active Directory objects).
27. TokenTactics (Azure JSON Web Token (“JWT”) Manipulation Toolset. Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code, even if they used multi-factor authentication).
28. Nebula (Nebula is a Cloud and (hopefully) DevOps Penetration Testing framework).
29. trident (Automated password spraying tool).
30. GoMapEnum (User enumeration and password bruteforce on Azure, ADFS, OWA, O365 and gather emails on Linkedin).
1. pwndora (Massive IPv4 scanner, find and analyze internet-connected devices in minutes, create your own IoT search engine at home).
2. PENIOT
1. Invoker (The goal is to use this tool when access to some Windows OS features through GUI are restricted).
1. Updog (Updog is a replacement for Python’s SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth).
2. LightMe (Simple HTTP Server serving Powershell Scripts/Payloads after obfuscating them. Runs obfuscation as a service in the background in order to keep the payloads obfuscated, giving an almost new, obfuscated payload on each HTTP request).
1. Gophish
2. GoPhish Notifier (Notifies Red Team members when their GoPhish campaign status has been updated. It supports both Slack and Email notification profiles by default).
3. MaskPhish
4. SniperPhish
5. King Phisher
6. PhishAPI
7. evilginx2 (Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication).
8. PhishInSuits (OAuth Device Code Phishing with Verified Apps).
9. Domain Hunter (Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names).
1. Marauders Map (The power of the Marauders Map is in its compatibility with the office suite, i.e. use in macros).
2. luckystrike (A PowerShell based utility for the creation of malicious Office macro documents).
3. BadAssMacros (C# based automated Malicious Macro Generator).
4. macro_pack (Automate obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats).
5. OffensiveVBA (This repo covers some code execution and AV Evasion methods for Macros in Office documents).
6. shellcode2vbscript.py (Tool to create a VBScript containing shellcode to execute).
7. Macrome (Excel Macro Document Reader/Writer for Red Teamers & Analysts).
8. Office phish templates (Tricks the target into enabling content (macros) with fake messages).
1. frp (A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet).
2. ngrok (Exposes local servers behind NATs and firewalls to the public internet over secure tunnels).
3. rathole (A lightweight, stable and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok).
1. pwncat (Netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic, and it’s fully scriptable with Python (PSE)).
2. PwnLnX (An advanced multi-threaded, multi-client python reverse shell for hacking linux systems).
3. ConPtyShell (Fully Interactive Reverse Shell for Windows).
4. DNS-Black-Cat(DBC) (Multi platform toolkit for an interactive DNS shell commands exfiltration, by using DNS-Cat you will be able to execute system commands in shell mode over DNS protocol).
5. XC (Netcat like reverse shell for Linux & Windows).
6. SNOWCRASH (SNOWCRASH creates a script that can be launched on both Linux and Windows machines. Payloads: command execution, reverse shell establishment, binary execution etc).
1. PowerRemoteDesktop (Remote Desktop entirely coded in PowerShell).
1. Pupy (Pupy is an opensource, cross-platform (Windows, Linux, OS X, Android) remote administration and post-exploitation tool mainly written in python).
2. ToRat (A Cross Platform Remote Administration tool written in Go using Tor as its transport mechanism currently supporting Windows, Linux, MacOS clients).
3. teleRAT (Telegram RAT written in Python).
4. EvilOSX (An evil RAT (Remote Administration Tool) for macOS / OS X).
5. serpentine (C++/Win32/Boost Windows RAT (Remote Administration Tool) with a multiplatform Java/Spring RESTful C2 server and Go, C++/Qt5 frontends).
1. Covenant
2. Mythic
3. Sliver
4. Shadow
5. Octopus
6. Cobalt Strike
7. SharpC2 (Command and Control Framework written in C#).
8. Brute Ratel C4
9. emp3r0r (Linux).
10. BlackMamba
11. Kudzu (Go C2 platform with an emphasis on extensibility).
12. PoshC2
13. Ninja
14. TrevorC2
15. 0xsp Mongoose RED
16. Khepri (Free, Open Source, looks like Cobalt Strike).
17. link (Command and control framework written in Rust).
18. Azure Outlook C2 (Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP = Abuse Microsoft Graph API for C2 Operations).
19. GC2 (GC2 is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet and exfiltrate data using Google Drive).
20. OffensiveNotion (Notion as a platform for offensive operations).
1. minimal-defender-bypass.profile
1. CSSG (Cobalt Strike Shellcode Generator).
2. CrossC2 framework (Generate CobaltStrike’s cross-platform payload).
3. Beaconator (Aggressor script for Cobalt Strike used to generate a raw stageless shellcode and packing the generated shellcode using PEzor).
4. SpoolSystem (CNA script for Cobalt Strike which uses @itm4n’s Print Spooler named pipe impersonation trick to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used)).
5. BokuLoader (Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities).
6. TitanLdr (Cobalt Strike User Defined Reflective Loader (UDRL), Heap Encryption branch).
7. CVE-2021-1675-LPE (Local Privilege Escalation implementation of CVE-2021-1675/CVE-2021-34527 (a.k.a. PrintNightmare)).
8. Registry-Recon (Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon).
9. StayKit (Cobalt Strike kit for Persistence).
1. CobaltStrike BOF
2. FindObjects-BOF (The FindModule bof can be used to identify processes which have a certain module loaded, for example the .NET runtime clr.dll or the winhttp.dll module).
3. InlineExecute-Assembly (Perform in process .NET assembly execution as an alternative to Cobalt Strike’s traditional fork and run execute-assembly module).
4. inject-assembly (Inject .NET assemblies into an existing process).
5. Beacon Object Files
6. Situational Awareness BOF
7. Cobalt Strike BOF – Inject AMSI Bypass
8. SPAWN – Cobalt Strike BOF
9. HOLLOW – Cobalt Strike BOF
10. BOF.NET (A .NET Runtime for Cobalt Strike’s Beacon Object Files).
11. SigFlip (Tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature).
12. ServiceMove (Abuse Windows Perception Simulation Service to achieve DLL hijacking code execution).
13. secinject
14. Visual-Studio-BOF-template (A Visual Studio template used to create Cobalt Strike BOFs).
15. CheckCert (Minimize the amount of traffic sent, while providing the ability to request SSL certificates from publicly accessible domains).
16. ChromeTap (Place a wiretap on chrome and steal secrets).
17. PPLDump BOF (Dump the memory of a Protected Process Light (PPL) i.e. lsass.exe with a userland exploit).
18. NanoDump (A flexible tool that creates a minidump of the LSASS process).
19. CredPrompt (Using CredUIPromptForWindowsCredentials to ask current user credentials).
20. SyscallPack (BOF and Shellcode for full DLL unhooking using dynamic syscalls).
21. JumpSession_BOF (Beacon Object File allowing creation of Beacons in different sessions).
1. Awesome CobaltStrike
2. SharpHound (BOF.NET – in-memory collection).
1. AzureC2Relay
2. DomainBorrowingC2 (Domain Borrowing is a new method to hide C2 traffic using CDN. It is an extension for Cobalt Strike written in C# using Cobalt Strike’s External C2 spec).
3. RedWarden (Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation).
4. Spray-AD (A Cobalt Strike tool to perform a fast Kerberos password spraying attack against Active Directory).
5. pyMalleableC2 (A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax).
6. SourcePoint (C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion).
7. LockdExeDemo (Cobalt Strike – protect agents against memory scanning).
8. RedShell (An interactive command prompt for red teaming and pentesting. Pushes commands through proxychains via Cobalt Strike beacon socks proxies or custom proxies).
9. C2concealer (Command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike).
1. Mystikal (macOS payload generator integrated with Mythic).
2. Medusa (Cross-platform agent for Mythic compatible with both Python 3.8 and Python 2.7).
3. Atlas (Minimal Windows payload)
4. Apollo (Windows payload).
1. Harvis (Designed to automate your C2 Infrastructure, currently using Mythic C2).
1. AppProxyC2 (This repo contains a simple POC to show how to tunnel traffic through Azure Application Proxy).
2. RedELK (Red Team’s SIEM – tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations).
3. Overlord (Red Teaming Infrastructure Automation).
4. FindFrontableDomains (Search for potential frontable domains).
5. cliProxy (Proxy Unix applications in the terminal. By using path hijacking and modification on Unix-like machines, we can achieve pseudo-keylogging functionality).
6. EDRHunt (Identify installed EDRs and AVs on Windows).
7. AppLockerBypass (Tool to bypass AppLocker).
8. PlayWithDefender (An easy tool to disable and enable windows defender protections).
9. ICMP-TransferTools (Transfer files to and from a Windows host via ICMP in restricted network environments).
10. Evasor (A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies).
11. MineSweeper (Windows user-land hooks manipulation tool).
1. nac_bypass (Script collection to bypass Network Access Control (NAC, 802.1x)).
1. pwndrop (Self-deployable file hosting service for red teamers).
1. SharpShooter (Payload creation framework for the retrieval and execution of arbitrary CSharp source code… capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF).
2. SharpLNKGen-UI (UI for creating LNKs).
3. DNSStager (Hide your payload in DNS).
4. EmbedInHTML (Embed and hide any file in an HTML file).
5. AutoSmuggle (Utility to craft HTML smuggled files for Red Team engagements).
6. PackMyPayload (Packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX).
1. Invoke-PSImage
2. Powerglot (Encodes offensive powershell scripts using polyglots).
1. UAC_Exploit (Escalate as Administrator bypassing the UAC affecting administrator accounts only).
2. UACBypassJF_RpcALPC (Allows you to bypass UAC using only 2 RPC requests instead of DLL hijacking).
1. LimeLighter (A tool for generating fake code signing certificates or signing real ones. Helps evade EDR products).
2. DefenderCheck (Identifies the bytes that Microsoft Defender flags on).
3. avdebugger (This project helps to automatically recover AV signatures).
4. Chimera (Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions).
5. Chameleon (PowerShell Script Obfuscator. Improved version of Chimera ported to Python).
6. PyFuscation (Obfuscate powershell scripts by replacing Function names, Variables and Parameters).
7. PowerShellArmoury (Download and store all of your favourite PowerShell scripts in a single, encrypted file… includes a bypass for AMSI, so you don’t have to worry about AV).
8. PowerShx (Run Powershell without software restrictions).
9. Invisi-Shell (Hide your Powershell script in plain sight. Bypass all Powershell security features).
10. RosFuscator (Obfuscate C# source code using Roslyn).
11. InvisibilityCloak (Proof-of-concept obfuscation toolkit for C# post-exploitation tools).
12. NET-Obfuscate (Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI).
13. LoGiC.NET (Advanced free and open .NET obfuscator using dnlib).
14. ConfuserEx (An open-source, free protector for .NET applications).
15. PowerAssembly (Map remote .NET assemblies to memory for further invocation).
16. onelinepy (Python Obfuscator to generate One-Liners and FUD Payloads).
17. SharpBlock (A method of bypassing an EDR’s active protection DLLs by preventing entry point execution).
18. SysWhispers2 (AV/EDR evasion via direct system calls).
19. SysWhispers3 (SysWhispers on Steroids – AV/EDR evasion via direct system calls).
20. OffensivePipeline (Download, compile (without Visual Studio) and obfuscate C# tools for Red Team exercises).
21. DefensiveInjector (Shellcode Injector using direct syscalls).
22. Bad Outlook (A simple PoC which leverages the Outlook Application Interface (COM Interface) to execute shellcode on a system based on a specific trigger subject line).
23. ScareCrow (Payload creation framework designed around EDR bypass).
24. MsfMania
25. GoPurple (Shellcode injection techniques, aiming to streamline the process of endpoint detection evaluation).
26. BetterXencrypt (Powershell runtime crypter designed to evade AVs).
27. MeterPwrShell (Automated tool that generates a Powershell Oneliner that can create a Meterpreter Shell, bypass AMSI, bypass firewalls, bypass UAC, and bypass Any AVs).
28. Invoke-Stealth (Simple & Powerful PowerShell Script Obfuscator).
29. SharpTransactedLoad (Load .net assemblies from memory while having them appear to be loaded from an on-disk location. Bypasses AMSI).
30. PowerHub (A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelisting).
31. Amber (Position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS..)).
32. charlotte (C++ fully undetected shellcode launcher. Tested with msfvenom -p and also cobalt strike raw format payload).
33. DripLoader POC (Evasive shellcode loader for bypassing event-based injection detection (PoC)).
34. Backstab (A tool to kill antimalware protected processes).
35. StopDefenderService (Stop Defender Service using C# via Token Impersonation).
36. KillDefender (Make Defender useless by removing its token privileges and lowering the token integrity).
37. SandboxDefender (C# code to Sandbox Defender (and most probably other AV/EDRs)).
38. SandboxPPL (Golang PoC that sandboxes Defender (or other PPL) by setting its token integrity to Untrusted).
39. NetLoader (Loads any C# binary in mem, patching AMSI + ETW).
40. Sharperner (Tool written in CSharp that generates a .NET dropper with AES and XOR obfuscated shellcode. The generated executable can possibly bypass signature checks, but I can’t be sure it can bypass heuristic scanning).
41. Injector (Complete Arsenal of Memory injection and other techniques for red-teaming in Windows).
42. CallObfuscator (Obfuscate specific windows APIs with different APIs).
43. Huan (Encrypted PE Loader Generator).
44. Inceptor (Template-Driven AV/EDR Evasion Framework).
45. Invoke-DLLClone (Copy metadata and the AuthenticodeSignature from a source binary into a target binary. It also uses koppeling to clone the export table from a reference DLL onto a malicious DLL post-build using NetClone).
46. RunPE (C# Reflective loader for unmanaged binaries – C/C++).
47. ImpulsiveDLLHijack (Automates the process of discovering and exploiting DLL Hijacks in target binaries. Useful for evading EDR).
48. RustSCRunner (Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library).
49. Ninja UUID Dropper (Module Stomping, No New Thread, HellsGate syscaller, UUID Dropper for x64 Windows 10!).
50. LazySign (Create fake certs for binaries using windows binaries and the power of bat files).
51. Shhhloader (SysWhispers Shellcode Loader).
52. Skrull (Skrull is a malware DRM that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. Creates launchers that use Process Ghosting).
53. SharpGhosting (Process Ghosting in C#).
54. Obfuscator-LLVM (Obfuscate C/C++).
55. Bankai (Another Go Shellcode Loader using Windows APIs).
56. garble (Obfuscate Go builds).
57. Denim (Automated compiler obfuscation for nim).
58. Metsubushi (Generate droppers with encrypted payloads automatically).
59. WinBoost (Execute Mimikatz with process injection).
60. UUID Loader (UUID based Shellcode loader for your favorite C2).
61. Mortar Loader (Evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)).
62. Jektor (A Windows user-mode shellcode execution tool that demonstrates various techniques that malware uses).
63. Bluffy (Utility which was used in experiments to bypass Anti-Virus products (statically) by formatting shellcode into realistic looking data formats).
64. Perun’s Fart (Another method for unhooking AV and EDR, this is my C# version).
65. CheekyBlinder (Enumerating and removing kernel callbacks using signed vulnerable drivers).
66. STFUEDR (Silence EDRs by removing kernel callbacks).
67. Ivy (Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory).
68. HellsGateNim (A quick example of the Hells Gate technique in Nim).
69. NimGetSyscallStub (Get fresh Syscalls from a fresh ntdll.dll copy).
70. NimWhispers (NimWhispers helps with evasion by generating nim implants that can be used to make direct syscalls based on the work of SysWhispersv2).
71. nimLoader (Load dumped Csharp binaries as assemblies and launch them in memory bypassing AMSI and ETW).
72. NimPackt-v1 (Nim-based assembly packer and shellcode loader for opsec & profit).
73. Nimcrypt2 (.NET, PE, & Raw Shellcode Packer/Loader Written in Nim).
74. BreadManModuleStomping (Search for code caves within preloaded DLLs in memory, API unhooking).
75. RefleXXion (Utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc).
76. RecycledGate (Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll).
77. EDRSandBlast (Weaponise a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring).
78. HellsGate (Rewrote HellsGate in C#).
79. SnD_AMSI (Start new PowerShell without etw and amsi in pure nim).
80. Syscalls Extractor (Utility project to extract build information and syscall numbers from a host).
81. Apophis (Bash script that leverages tools such as DotNetToJScript, ConfuserEx, Net-Obfuscator etc. to generate ‘Shellcode runners’).
82. SigFlip (Tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature).
83. FrostByte (POC project that combines different defense evasion techniques to build better redteam payloads).
1. SharpNukeEventLog (Nuke that event log using some epic dinvoke fu).
2. Phant0m (Windows Event Log Killer).
3. Windows Command-Line Obfuscation
4. Savage (Create & exfiltrate a fileless screenshot).
1. r77 (Ring 3 rootkit with single file installer and fileless persistence that hides processes, files, network connections, etc).
2. Cronos Rootkit (Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation).
1. fcrackzip (Crack encrypted ZIP archives).
1. dnsteal (DNS Exfiltration tool for stealthily sending files over DNS requests).
2. PacketWhisper (Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography).
3. AnonX (Encrypted file uploader and downloader).
4. PyExfil (A Python Package for Data Exfiltration).
5. rclone (Command line program to manage files on cloud storage).
1. Fake Sandbox Artifacts (This script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malware that looks for VM or analysis tools).
1. Wazuh (Free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance).
2. Dsiem (Dsiem is a security event correlation engine for ELK stack, allowing the platform to be used as a dedicated and full-featured SIEM system).
3. siembol (An open-source, real-time Security Information & Event Management tool based on big data technologies).
4. ARTIS (Identify threats and malicious web traffic on the basis of IP reputation and historical data).
5. Velociraptor (Endpoint visibility and collection tool).
6. WHIDS (Open Source EDR for Windows).
7. BLUESPAWN (An Active Defense and EDR software to empower Blue Teams).
8. osquery (SQL powered operating system instrumentation, monitoring, and analytics (Windows, macOS and Linux)).
1. Cowrie (Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker).
2. HoneyCreds (Network credential injection to detect responder and other network poisoners).
3. h0neytr4p (Easy to configure and deploy honeypot for protecting against web recon and exploiting).
4. T-Pot (The All In One Honeypot Platform).
1. Atomic Red Team (Small and highly portable detection tests based on MITRE’s ATT&CK).
2. SysmonSimulator (Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams).
1. Bughound (Open-source static code analysis tool for PHP and Java; analyzes your code and sends the results to Elasticsearch and Kibana to get useful insights about the potential vulnerabilities in your code).
2. Findbugs (Static security code scanner for Java applications).
3. codewarrior (C, C#, PHP, Java, Ruby, ASP, JavaScript code-searching tool and static analysis (Linux)).
4. NodeJsScan (Static security code scanner for Node.js applications).
5. Mininode (CLI tool to reduce the attack surface of Node.js applications by using static analysis).
1. EMBArk (The firmware security scanning environment).
1. PSPKIAudit (PowerShell toolkit for auditing Active Directory Certificate Services (AD CS)).
2. PlumHound (More effectively use BloodHoundAD in continual security life-cycles).
1. Intel Owl (Analyse files, domains, IPs in multiple ways from a single API at scale).
1. Malwoverview (Malwoverview.py is a first response tool for threat hunting, which performs an initial and quick triage of malware samples, URLs, IP addresses, domains, malware families, IOCs and hashes).
2. APT-Hunter
3. THOR Lite (Free IOC and YARA Scanner).
4. DeepBlueCLI (PowerShell Module for Threat Hunting via Windows Event Logs).
5. epagneul (Graph Visualization for windows event logs).
6. TheHive (Scalable, Open Source and Free Security Incident Response Platform).
7. BeaconHunter (Cobalt Strike – Behaviour based monitoring and hunting tool built in C# leveraging ETW tracing).
8. CobaltStrikeScan (Scan files or process memory for CobaltStrike beacons and parse their configuration).
9. CobaltStrikeParser (Python parser for CobaltStrike Beacon’s configuration).
10. BeaconEye (Hunts out CobaltStrike beacons and logs operator command output).
11. melting-cobalt (A Cobalt Strike Scanner that retrieves detected Team Server beacons into a JSON object).
12. C3 Relay Rumbler (A proof-of-concept tool that attempts to retrieve the configuration from the memory dump of an F-Secure C3 Relay executable).
13. JARM (Identify malware command and control infrastructure and other malicious servers on the Internet).
14. TRIDENT (PowerShell script for fast triage and collection of evidence from forensic artifacts and volatile data, aimed to assist in the identification of compromise in Windows systems).
15. evtx-hunter (Quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files).
16. POFR (The Penguin OS Flight Recorder collects, stores and organizes, for further analysis, process execution, file access and network/socket endpoint data from the Linux Operating System and derivatives).
17. Ciphey (Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes).
18. Chainsaw (Rapidly Search and Hunt through Windows Event Logs).
19. SuperMem (A python script developed to process Windows memory images based on triage type).
20. The Memory Process File System (Easy and convenient way of viewing physical memory as files in a virtual file system).
21. 365BlueTeamKit (PowerShell scripts for Office 365 reports and investigations).
22. AzureHunter (A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365).
23. rpcfirewall (RPC is the underlying mechanism which is used for numerous lateral movement techniques, reconnaissance, relay attacks, or simply to exploit vulnerable RPC services).
24. GoodHound (Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation).
25. Rogue Assembly Hunter (Utility for discovering ‘interesting’ .NET CLR modules in running processes).
26. PHP Malware Finder (Detect potentially malicious PHP files).
1. PSDecode (PowerShell script for deobfuscating other encoded PowerShell scripts).
2. Cuckoo
3. DRAKVUF (DRAKVUF provides a perfect platform for stealthy malware analysis as its footprint is nearly undetectable from the malware’s perspective).
1. Ghostwriter (Fork that includes CVSS v3.0 scoring).
2. Bulwark
3. WriteHat
4. PeTeReport (Open-source application vulnerability reporting tool).