Skip to content


Repository files navigation

Tactical Lab

A curated list of tools, papers and techniques for Windows exploitation, incident response, and defence.

Created by Mosse Security.

Table of Contents

Tactical Exploitation

Getting In

  • The Harvester - Information gathering tool utilizing public sources to gain information on a company/organization
  • Generate-Macro - Malicious Microsoft Office doc generator
  • Gitrob - GitHub organizations reconnaissance tool, hunts for sensitive data
  • THC Hydra - Login bruteforcer

Social Engineering


Man in the Middle

Web Backdoors

  • Weevely3 - Web shell
  • QuasiBot - Web shell manager
  • PhpSploit - Stealth post-exploitation framework with a focus on privilege escalation

Malware Prototyping

  • DBD Durandal's Backdoor - Portable Netcat clone with various features
  • Pupy - RAT, uses reflective dll injection on windows platforms
  • The Backdoor Factory - Patch binaries with shellcode without affecting binary execution
  • Dragon - Listens on a magic port, can be used to download binaries from source IP connecting to the port
  • File Joiner - Merges two files into one
  • Empire - PowerShell post-exploitation agent
  • Veil Evasion - Payload generator with a focus on AV evasion
  • Gcat - Backdoor that uses Gmail for C&C
  • PowerBreach - Backdoor toolkit
  • PowerPick - Powershell functionality without powershell.exe
  • Building Better Tools - Information on building penetration testing tools
  • Process Hollowing - Method to hide the presence of a process

Autoit Resources:

  • Windows Firewall
    • Enable or Disable the Windows Firewall
    • Add or Remove Authorized Applications to the Exclusions list
    • Add or Delete Ports from the Exclusions list.
    • Enable or Disable the use of Exceptions
    • Enable or Disable Notifications of blocked applications
    • Enable or Disable Existing Ports
    • List all Applications in the Exclusions List
    • List all Ports in the Exclusions List
    • List Properties of the current Firewall Configuration
    • Restore the Windows Firewall to its default configuration
  • ZIP
    • Create Zip File
    • Add file to Zip Archive
    • Add folder to Zip Archive
    • Add folder's content to Zip Archive
    • Extract all files from Zip Archive
    • Extract file from Zip Archive
    • Count items in zip
    • Count All items in the Zip Archive Including SubDirectories
    • List items in zip
    • Search a File in the Zip Archive
    • Search in each File of the Zip Archive
  • comerrorhandler
    • Catch and print COM errors
  • EventLog
    • Backup event logs
    • Clear event logs
    • Open and close event logs
    • Count event logs
    • Decode data from event logs
    • Enable applications to receieve event notifications
    • Read event logs
    • Write to event logs
  • Fast multi-client TCP server
    • Open and close TCP connections
  • HKCUReg
    • Delete keys or values from registry
    • Read keys or values from registry
    • Import previously exported reg files to registry
    • Create a key or value in registry
    • Determine each user's Profile folder, the user's SID and if the profile is loaded to the registry
  • Memory and File Compression
    • Decompress input binary data
    • Compress input data
  • Persistent Process Killer V3
    • Scan for running processes
    • Kill specific processes whenever they're started
    • Track and compare running processes over time
  • Reg
    • Load or unload registry hives
    • Restore or save to registry hive
    • Connect to remote registries
    • Read registry keys or values
    • Create or delete registry keys or values
  • SecurityEx
    • Enables or disables special privileges as required by some DllCalls
  • Services
    • Create or delete a service
    • Check for service existence
    • Retrieve a service's type
    • Start or stop a service
  • taskplanerCOM
    • Create or delete a task folder
    • Check for task folder existence
    • Check for task existence
    • Stop or start a task
    • Enable or disable a task
    • Delete a task
    • Check for task status
    • List all tasks in a given task folder
    • Create or delete a scheduled task
  • AD
    • Create users and groups
    • Add or remove users to groups
    • Get users or groups
    • List domain controllers
    • Change passwords
    • Create and delete mailboxes
    • Enable and disable password expiry

Host Reconnaissance

  • Netview - Enumeration tool for shares,sessions,users and more
  • Pass Hunt - Search drives for documents containing passwords
  • Enum Shares - Enumerates shared folders
  • NetRipper - Network traffic sniffer
  • File Server Triage - Information regarding file server data pilfering

Network Reconnaissance

Privilege Escalation


Lateral Movement

  • Veil Catapult - Payload delivery tool
  • WMIOps - Using WMI for a variety of local and remote functions
  • PAExec - Remote execution tool
  • Pivoter - Proxy tool to assist with lateral movement
  • VPN Pivoting - Using a VPN pivot
  • Making the Lateral Move - Different methods to move laterally in a network
  • SprayWMI - SprayWMI is an easy way to get mass shells on systems that support WMI




Tactical Response

Event Logs

DNS Logs

Web Logs

  • Web Server Log Analysis - Locations and information regarding web logs
  • Apache Scalp - Scalp! is a log analyzer for the Apache web server that aims to look for security problems

System Survey

Memory Analysis

Threat Intelligence

Information Feeds

Tactical Defence

Mimikatz Defence



A curated list of tools, papers and techniques for Windows exploitation and incident response.






No releases published


No packages published