Skip to content
List of Awesome Windows Security Resources
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md

README.md

awesome-windows-security

Pirate List of awesome Windows security resources

This list is for anyone wishing to learn offensive Windows security. The list will for the most part consist of tools available on Github.

The tools are categorized according to Adversarial Tactics and Techniques based on Mitre ATT&CK. Some tools fit several technqiues and some doesn't quite fit anywhere. I appreciate any help with finding the right tactics and techniques.

You can contribute by sending pull requests, create issues with suggestions or write to me on Twitter @chryzsh. I have made a template for adding new tools here -> Contributing

Table of Contents


Initial Access

T1203 - Exploitation for Client Execution

  • ruler - Gain shell through Exchange rules

Execution

T1047 - Windows Management Instrumentation

  • SharpWMI - C# implementation of various WMI functionality.

Persistence

  • WheresMyImplant - Contains the tooling nessessary to gaining and maintain access to target system. It can also be installed as WMI provider for covert long term persistence.

Privilege Escalation

Uncategorized

  • PowerUp - PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
  • SharpUp - C# port of various PowerUp functionality.

T1068 - Exploitation for Privilege Escalation

  • alpc-diaghub - Utilizing the ALPC Flaw in combiniation with Diagnostics Hub as found in Server 2016 and Windows 10.

T1134 - Access Token Manipulation

Defense Evasion

AMSI bypassing

Log removal

  • Invoke-Phant0m - This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.

T1089 - Disabling Security Tools

T1027 - Obfuscated Files or Information

T1055 - Process Injection

  • SharpCradle - Download and execute .NET binaries into memory.

Credential Access

T1208 - Kerberoasting

T1081 - Credentials in Files

  • KeeThief - Methods for attacking KeePass 2.X databases, including ing of encryption key material from memory.
  • SharpCloud - C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
  • credgrap_ie_edge - Extract stored credentials from Internet Explorer and Edge.

T1214 - Credentials in Registry

T1110 - Brute Force

  • MailSniper - Searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • DomainPasswordSpray - PowerShell tool to perform a password spray attack against users of a domain.
  • SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient

T1003 - Credential Dumping

  • mimikatz - Dumping credentials in Windopws
  • Internal-Monologue - Retrieving NTLM Hashes without Touching LSASS.
  • lazykatz - Lazykatz is an automation developed to extract credentials from remote targets protected with AV and/or application whitelisting software.
  • poshkatz - PowerShell module for Mimikatz
  • Powerdump.ps1 - Dumping SAM from Powershell

T1171 - LLMNR/NBT-NS Poisoning

  • Responder - Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
  • Inveigh - Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool.
  • InveighZero - C# LLMNR/NBNS spoofer

Discovery

  • PowerView Dev Branch - Enumerating AD with Powershell. The dev branch is specifically recommended for its ability to specify credentials using the -Credential option.
  • SharpView - C# implementation of harmj0y's PowerView
  • BloodHound - Graphically map Active Directory environment.
  • SharpHound - The BloodHound C# Ingestor

T1135 - Network Share Discovery

  • SmbScanner - A Smb Scanner written in powershell Extracted from PingCastle and adapted to fit in a script. Checks for SMBv1 and SMBv2 (SMBv3 is a dialect of SMBv2).

T1082 - System Information Discovery

  • Windows-Exploit-Suggester - This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

  • Watson - C# implementation for quickly finding missing software patches for local privilege escalation vulnerabilities.

Lateral Movement

Collection

T1005 - Data from Local System

  • Tool - mimikittenz - A post-exploitation powershell tool for extracting juicy info from memory.
  • Tool - SlackExtract - A PowerShell script to download all files, messages and user profiles that a user has access to in slack.

Exfiltration

T1048 - Exfiltration Over Alternative Protocol

  • SharpBox - C# tool for compressing, encrypting, and exfiltrating data to using the DropBox API.

Command and Control

Frameworks

T1102 - Web Service

Defense

  • awesome-windows-domain-hardening - A curated list of awesome Security Hardening techniques for Windows.
  • UncoverDCShadow - Detect the use of the DCShadow attack.
  • Seatbelt - Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • Pingcastle - Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.
  • WindowsDefenderATP-Hunting-Queries - Sample queries for Advanced hunting in Windows Defender ATP

Misc

Post Exploitation Frameworks & Tools

  • PowerSploit - A PowerShell Post-Exploitation Framework
  • SharpSploit - .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
  • SharpSploitConsole - Console Application designed to interact with SharpSploit.
  • SharpAttack - A simple wrapper for C# tools. It contains commands for domain enumeration, code execution, and other fun things.
  • LOLBAS - every binary, script, and library that can be used for Living Off The Land techniques.
  • DeathStar - Automate getting Domain Admin using Empire

Exploit Development

Red Team

Gitbooks

Ebooks

Twitter

Contributing

If you want to contribute a technique please use the following template. You are allowed to link to multiple procedures and articles for each tool

### [T1234 - Name of Technique](https://attack.mitre.org/techniques/T1234/)
* [github-repo](https://github.com/username/github-repo) - Description from repo. Copypaste is allowed.
  * [Procedure](https://link.to.procedure.com)
  * [Article](https://link.to.article.com)

You can’t perform that action at this time.