A curated list of tools, papers and techniques for Windows exploitation and incident response.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
tactical-defence/Mimikatz Defence


Tactical Lab

A curated list of tools, papers and techniques for Windows exploitation, incident response, and defence.

Created by Mosse Security.

Table of Contents

Tactical Exploitation

Getting In

  • The Harvester - Information gathering tool utilizing public sources to gain information on a company/organization
  • Generate-Macro - Malicious Microsoft Office doc generator
  • Gitrob - GitHub organizations reconnaissance tool, hunts for sensitive data
  • THC Hydra - Login bruteforcer

Social Engineering


Man in the Middle

Web Backdoors

  • Weevely3 - Web shell
  • QuasiBot - Web shell manager
  • PhpSploit - Stealth post-exploitation framework with a focus on privilege escalation

Malware Prototyping

  • DBD Durandal's Backdoor - Portable Netcat clone with various features
  • Pupy - RAT, uses reflective dll injection on windows platforms
  • The Backdoor Factory - Patch binaries with shellcode without affecting binary execution
  • Dragon - Listens on a magic port, can be used to download binaries from source IP connecting to the port
  • File Joiner - Merges two files into one
  • Empire - PowerShell post-exploitation agent
  • Veil Evasion - Payload generator with a focus on AV evasion
  • Gcat - Backdoor that uses Gmail for C&C
  • PowerBreach - Backdoor toolkit
  • PowerPick - Powershell functionality without powershell.exe
  • Building Better Tools - Information on building penetration testing tools
  • Process Hollowing - Method to hide the presence of a process

Autoit Resources:

  • Windows Firewall
    • Enable or Disable the Windows Firewall
    • Add or Remove Authorized Applications to the Exclusions list
    • Add or Delete Ports from the Exclusions list.
    • Enable or Disable the use of Exceptions
    • Enable or Disable Notifications of blocked applications
    • Enable or Disable Existing Ports
    • List all Applications in the Exclusions List
    • List all Ports in the Exclusions List
    • List Properties of the current Firewall Configuration
    • Restore the Windows Firewall to its default configuration
  • ZIP
    • Create Zip File
    • Add file to Zip Archive
    • Add folder to Zip Archive
    • Add folder's content to Zip Archive
    • Extract all files from Zip Archive
    • Extract file from Zip Archive
    • Count items in zip
    • Count All items in the Zip Archive Including SubDirectories
    • List items in zip
    • Search a File in the Zip Archive
    • Search in each File of the Zip Archive
  • comerrorhandler
    • Catch and print COM errors
  • EventLog
    • Backup event logs
    • Clear event logs
    • Open and close event logs
    • Count event logs
    • Decode data from event logs
    • Enable applications to receieve event notifications
    • Read event logs
    • Write to event logs
  • Fast multi-client TCP server
    • Open and close TCP connections
  • HKCUReg
    • Delete keys or values from registry
    • Read keys or values from registry
    • Import previously exported reg files to registry
    • Create a key or value in registry
    • Determine each user's Profile folder, the user's SID and if the profile is loaded to the registry
  • Memory and File Compression
    • Decompress input binary data
    • Compress input data
  • Persistent Process Killer V3
    • Scan for running processes
    • Kill specific processes whenever they're started
    • Track and compare running processes over time
  • Reg
    • Load or unload registry hives
    • Restore or save to registry hive
    • Connect to remote registries
    • Read registry keys or values
    • Create or delete registry keys or values
  • SecurityEx
    • Enables or disables special privileges as required by some DllCalls
  • Services
    • Create or delete a service
    • Check for service existence
    • Retrieve a service's type
    • Start or stop a service
  • taskplanerCOM
    • Create or delete a task folder
    • Check for task folder existence
    • Check for task existence
    • Stop or start a task
    • Enable or disable a task
    • Delete a task
    • Check for task status
    • List all tasks in a given task folder
    • Create or delete a scheduled task
  • AD
    • Create users and groups
    • Add or remove users to groups
    • Get users or groups
    • List domain controllers
    • Change passwords
    • Create and delete mailboxes
    • Enable and disable password expiry

Host Reconnaissance

  • Netview - Enumeration tool for shares,sessions,users and more
  • Pass Hunt - Search drives for documents containing passwords
  • Enum Shares - Enumerates shared folders
  • NetRipper - Network traffic sniffer
  • File Server Triage - Information regarding file server data pilfering

Network Reconnaissance

Privilege Escalation


Lateral Movement

  • Veil Catapult - Payload delivery tool
  • WMIOps - Using WMI for a variety of local and remote functions
  • PAExec - Remote execution tool
  • Pivoter - Proxy tool to assist with lateral movement
  • VPN Pivoting - Using a VPN pivot
  • Making the Lateral Move - Different methods to move laterally in a network
  • SprayWMI - SprayWMI is an easy way to get mass shells on systems that support WMI




Tactical Response

Event Logs

DNS Logs

Web Logs

  • Web Server Log Analysis - Locations and information regarding web logs
  • Apache Scalp - Scalp! is a log analyzer for the Apache web server that aims to look for security problems

System Survey

Memory Analysis

Threat Intelligence

Information Feeds

Tactical Defence

Mimikatz Defence