Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-windows-security
List of Awesome Windows Security Resources
https://github.com/chryzsh/awesome-windows-security
Last synced: 3 days ago
JSON representation
-
[↑](#table-of-contents) [Defense Evasion](https://attack.mitre.org/tactics/TA0005/)
-
AMSI bypassing
- Article - Undetectable C# & C++ Reverse Shells
- Article - Oh No! AMSI blocked the AMSI Bypass! What now? - Works on W10 1803 - 09.11.18
- Article - AmsiScanBuffer Bypass - Part 1 - Works on W10 1803 - 01.11.18
-
[T1089 - Disabling Security Tools](https://attack.mitre.org/techniques/T1089/)
-
[T1027 - Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
- mimikatz_obfuscator.sh - Obfuscation tool for Mimikatz.
-
Log removal
- Invoke-Phant0m - This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
-
[T1055 - Process Injection](https://attack.mitre.org/techniques/T1055)
- SharpCradle - Download and execute .NET binaries into memory.
-
-
[↑](#table-of-contents) [Credential Access](https://attack.mitre.org/tactics/TA0006/)
-
[T1208 - Kerberoasting](https://attack.mitre.org/techniques/T1208/)
-
[T1214 - Credentials in Registry](https://attack.mitre.org/techniques/T1214)
- Procedure / Article - Extracting SSH Private Keys from Windows 10 ssh-agent
- windows_sshagent_extract - PoC code to extract private keys from Windows 10's built in ssh-agent service.
-
[T1081 - Credentials in Files](https://attack.mitre.org/techniques/T1081)
- KeeThief - Methods for attacking KeePass 2.X databases, including ing of encryption key material from memory.
- SharpCloud - C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
- credgrap_ie_edge - Extract stored credentials from Internet Explorer and Edge.
-
[T1110 - Brute Force](https://attack.mitre.org/techniques/T1110)
- MailSniper - Searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
- DomainPasswordSpray - PowerShell tool to perform a password spray attack against users of a domain.
- SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
-
[T1003 - Credential Dumping](https://attack.mitre.org/techniques/T1003)
- poshkatz - PowerShell module for Mimikatz
- mimikatz - Dumping credentials in Windopws
- Internal-Monologue - Retrieving NTLM Hashes without Touching LSASS.
- lazykatz - Lazykatz is an automation developed to extract credentials from remote targets protected with AV and/or application whitelisting software.
- Powerdump.ps1 - Dumping SAM from Powershell
-
[T1171 - LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171)
- Responder - Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
- Inveigh - Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool.
- InveighZero - C# LLMNR/NBNS spoofer
-
-
[↑](#table-of-contents) [Discovery](https://attack.mitre.org/tactics/TA0007/)
-
[T1082 - System Information Discovery](https://attack.mitre.org/techniques/T1082)
- Windows-Exploit-Suggester - This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
- Watson - C# implementation for quickly finding missing software patches for local privilege escalation vulnerabilities.
-
[T1171 - LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171)
- SharpView - C# implementation of harmj0y's PowerView
- BloodHound - Graphically map Active Directory environment.
- SharpHound - The BloodHound C# Ingestor
- PowerView Dev Branch - Enumerating AD with Powershell. The dev branch is specifically recommended for its ability to specify credentials using the `-Credential` option.
-
[T1135 - Network Share Discovery](https://attack.mitre.org/techniques/T1135)
- SmbScanner - A Smb Scanner written in powershell Extracted from PingCastle and adapted to fit in a script. Checks for SMBv1 and SMBv2 (SMBv3 is a dialect of SMBv2).
-
-
[↑](#table-of-contents) [Command and Control](https://attack.mitre.org/tactics/TA0011/)
-
Frameworks
- Cobalt Strike - Software for Adversary Simulations and Red Team Operations.
- Cobalt Strike - Software for Adversary Simulations and Red Team Operations.
- Empire - Empire is a PowerShell and Python post-exploitation agent.
- SILENTTRINITY - A post-exploitation agent powered by Python, IronPython, C#/.NET
- Procedure
- Article - Writing a basic Module for SILENTTRINITY
- Article - The Rise of C# and using Kali as a C2 Server with SILENTTRINITY
-
[T1102 - Web Service](https://attack.mitre.org/techniques/T1102/)
-
-
[↑](#table-of-contents) Defense
-
[T1102 - Web Service](https://attack.mitre.org/techniques/T1102/)
- UncoverDCShadow - Detect the use of the DCShadow attack.
- awesome-windows-domain-hardening - A curated list of awesome Security Hardening techniques for Windows.
- Seatbelt - Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
- Pingcastle - Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.
- WindowsDefenderATP-Hunting-Queries - Sample queries for Advanced hunting in Windows Defender ATP
-
-
[↑](#table-of-contents) Red Team
-
[↑](#table-of-contents) Gitbooks
-
Exploit Development
-
-
[↑](#table-of-contents) Ebooks
-
Exploit Development
-
-
[↑](#table-of-contents) Twitter
-
[↑](#table-of-contents) [Execution](https://attack.mitre.org/tactics/TA0002/)
-
[T1047 - Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- SharpWMI - C# implementation of various WMI functionality.
-
-
[↑](#table-of-contents) [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)
-
Uncategorized
-
[T1134 - Access Token Manipulation](https://attack.mitre.org/techniques/T1134/)
- juicy-potato - Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
- Tokenvator - A tool to elevate privilege with Windows Tokens
- Procedure
- Article - Juicy Potato (abusing the golden privileges)
-
[T1068 - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/)
- alpc-diaghub - Utilizing the ALPC Flaw in combiniation with Diagnostics Hub as found in Server 2016 and Windows 10.
-
-
[↑](#table-of-contents) [Collection](https://attack.mitre.org/tactics/TA0009/)
-
[T1005 - Data from Local System](https://attack.mitre.org/techniques/T1005)
- Tool - SlackExtract - A PowerShell script to download all files, messages and user profiles that a user has access to in slack.
- Tool - mimikittenz - A post-exploitation powershell tool for extracting juicy info from memory.
-
-
[↑](#table-of-contents) [Exfiltration](https://attack.mitre.org/tactics/TA0010/)
-
[T1048 - Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)
- SharpBox - C# tool for compressing, encrypting, and exfiltrating data to using the DropBox API.
-
-
[↑](#table-of-contents) Misc
-
Post Exploitation Frameworks & Tools
- PowerSploit - A PowerShell Post-Exploitation Framework
- SharpSploit - .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
- SharpSploitConsole - Console Application designed to interact with SharpSploit.
- LOLBAS - every binary, script, and library that can be used for Living Off The Land techniques.
- DeathStar - Automate getting Domain Admin using Empire
- SharpAttack - A simple wrapper for C# tools. It contains commands for domain enumeration, code execution, and other fun things.
-
Exploit Development
- awesome-windows-kernel-security-development
- PowerShellArsenal - A PowerShell Module Dedicated to Reverse Engineering
- SharpCompile - SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime.
- SharpGen - SharpGen is a .NET Core console application that utilizes the Rosyln C# compiler to quickly cross-compile .NET Framework console applications or libraries.
- awesome-windows-exploitation - A curated list of awesome Windows Exploitation resources, and shiny things.
-
-
[↑](#table-of-contents) [Initial Access](http://attack.mitre.org/tactics/TA0001/)
-
[T1203 - Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)
- ruler - Gain shell through Exchange rules
-
-
[↑](#table-of-contents) [Persistence](https://attack.mitre.org/tactics/TA0003/)
-
[T1047 - Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
- WheresMyImplant - Contains the tooling nessessary to gaining and maintain access to target system. It can also be installed as WMI provider for covert long term persistence.
-
-
[↑](#table-of-contents) [Lateral Movement](https://attack.mitre.org/tactics/TA0008/)
-
[T1082 - System Information Discovery](https://attack.mitre.org/techniques/T1082)
- Tool - CrackMapExec - A swiss army knife for pentesting networks
- Procedure - Mimikatz Pass-The-Hash - `mimikatz` can perform the well-known operation 'Pass-The-Hash' to run a process under another credentials with NTLM hash of the user's password, instead of its real password.
- Article - A Red Teamer's guide to pivoting
-
-
[↑](#table-of-contents) Contributing
-
[T1234 - Name of Technique](https://attack.mitre.org/techniques/T1234/)
- github-repo - Description from repo. Copypaste is allowed.
- Procedure
- Article
-
Categories
[↑](#table-of-contents) [Credential Access](https://attack.mitre.org/tactics/TA0006/)
18
[↑](#table-of-contents) Misc
11
[↑](#table-of-contents) [Defense Evasion](https://attack.mitre.org/tactics/TA0005/)
10
[↑](#table-of-contents) [Command and Control](https://attack.mitre.org/tactics/TA0011/)
8
[↑](#table-of-contents) Twitter
7
[↑](#table-of-contents) [Discovery](https://attack.mitre.org/tactics/TA0007/)
7
[↑](#table-of-contents) [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)
7
[↑](#table-of-contents) Red Team
6
[↑](#table-of-contents) Defense
5
[↑](#table-of-contents) [Lateral Movement](https://attack.mitre.org/tactics/TA0008/)
3
[↑](#table-of-contents) Ebooks
3
[↑](#table-of-contents) Gitbooks
3
[↑](#table-of-contents) Contributing
3
[↑](#table-of-contents) [Collection](https://attack.mitre.org/tactics/TA0009/)
2
[↑](#table-of-contents) [Persistence](https://attack.mitre.org/tactics/TA0003/)
1
[↑](#table-of-contents) [Exfiltration](https://attack.mitre.org/tactics/TA0010/)
1
[↑](#table-of-contents) [Initial Access](http://attack.mitre.org/tactics/TA0001/)
1
[↑](#table-of-contents) [Execution](https://attack.mitre.org/tactics/TA0002/)
1
Sub Categories
Exploit Development
24
Frameworks
7
[T1171 - LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171)
7
[T1102 - Web Service](https://attack.mitre.org/techniques/T1102/)
6
Post Exploitation Frameworks & Tools
6
[T1003 - Credential Dumping](https://attack.mitre.org/techniques/T1003)
5
[T1082 - System Information Discovery](https://attack.mitre.org/techniques/T1082)
5
[T1089 - Disabling Security Tools](https://attack.mitre.org/techniques/T1089/)
4
[T1134 - Access Token Manipulation](https://attack.mitre.org/techniques/T1134/)
4
[T1234 - Name of Technique](https://attack.mitre.org/techniques/T1234/)
3
AMSI bypassing
3
[T1110 - Brute Force](https://attack.mitre.org/techniques/T1110)
3
[T1081 - Credentials in Files](https://attack.mitre.org/techniques/T1081)
3
[T1208 - Kerberoasting](https://attack.mitre.org/techniques/T1208/)
2
[T1214 - Credentials in Registry](https://attack.mitre.org/techniques/T1214)
2
Uncategorized
2
[T1005 - Data from Local System](https://attack.mitre.org/techniques/T1005)
2
[T1047 - Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
2
Log removal
1
[T1135 - Network Share Discovery](https://attack.mitre.org/techniques/T1135)
1
[T1068 - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/)
1
[T1055 - Process Injection](https://attack.mitre.org/techniques/T1055)
1
[T1203 - Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)
1
[T1048 - Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)
1
[T1027 - Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
1
Keywords
pentesting
4
security
3
windows
3
redteam
2
powershell
2
mimikatz
2
security-tools
2
cobalt-strike
2
empire
2
red-teams
2
python3
2
active-directory
2
dotnet-script
1
ironpython
1
post-exploitation
1
hardening
1
csharp
1
situational-awareness
1
dotnet-dlr
1
ciso
1
dod
1
dotnet
1
hipaa
1
c-sharp
1
boolang
1
skype-for-business
1
password-spraying-attacks
1
password-spraying
1
owa
1
o365
1
lync
1
rottenpotatong
1
privilege-escalation
1
juicy-potato
1
dcom
1
clsid
1
framework
1
rootkit
1
shellcode
1
phishing
1
redteaming
1
uac
1
mitre
1
mitre-attack
1
infrastructure
1
red-team
1
redirector
1
kerberos
1
exchange
1
mapi
1